Thanks for your feedback as well.

I have tried the solution described at

https://wiki.jasig.org/display/CAS/Using+CAS+from+external+link+or+custom+external+form

and this works fine.

As others noted one still has to figure out how to handle errors and
also it might be a bit irritating that while CAS is doing the login
process the browser screen becomes / stays "white" for some time, until
it finally does the redirect back to the content management system.

Thanks

On 08.11.13 23:26, KaTeLmE wrote:
> Sorry I forgot the wiki link lol
>
> https://wiki.jasig.org/display/CAS/Using+CAS+without+the+Login+Screen
>
>
> 2013/11/8 KaTeLmE <kate...@gmail.com>
>
>     Seems like this is to increase security and avoid CSRF attacks.
>     It forces any application to submit the credentials by POST
>     method in the CAS server app.
>
>     See my comment in CAS wiki
>
>     If you need to avoid that behaviour, for example to submit via
>     ajax...., you should create a non-interactive authentication
>     action
>     (org.jasig.cas.web.flow.AbstractNonInteractiveCredentialsAction)
>     like SPNEGO, X509 Certificates or remote trusted client are doing,
>     and modify the login-webflow to handle your behaviour.
>
>     I hope that this helps you!!
>
>
>     2013/11/8 Michael Wechner <michael.wech...@wyona.com>
>
>         Hi
>
>         I am still working on generating the login screen by the
>         content management system instead of CAS,
>         whereas I have read
>
>         https://wiki.jasig.org/display/CAS/Using+CAS+without+the+Login+Screen
>
>         I understand that one wants to prevent that credentials are
>         being sent to the content management system,
>         but having the action pointing to the CAS Server directly
>
>         <form
>         action="https://127.0.0.1:7070/cas-server-webapp-3.5.2/login"
>         method="POST">
>
>         does not seem to me like violating in security issues.
>
>         But of course this does not work because of the required Login
>         Ticket.
>
>         I have been reading
>
>         http://www.jasig.org/cas/protocol
>
>         but I still don't really understand what's the purpose of the
>         Login Ticket.
>         Does somebody have some more hints on this?
>
>         I am currently considering to disable the login ticket
>         validation inside
>
>         cas-server-3.5.2/cas-server-core/src/main/java/org/jasig/cas/web/flow/AuthenticationViaFormAction.java
>
>         but I guess this is not really considered best practice :-)
>
>         Thanks
>
>         Michael
>
>         -- 
>         You are currently subscribed to cas-user@lists.jasig.org
>         <mailto:cas-user@lists.jasig.org> as: kate...@gmail.com
>         <mailto:kate...@gmail.com>
>         To unsubscribe, change settings or access archives, see
>         http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
>


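Added example, not part of the original thread and not CAS source code: a toy model of the login ticket asked about in the quoted message, assuming the ticket is a random, single-use, time-limited value that must accompany the credentials. The class, function and account names are hypothetical.

```python
import secrets
import time

USERS = {"alice": "correct horse"}  # constructed sample account


class LoginTicketRegistry:
    """Toy server-side store of outstanding login tickets (hypothetical name)."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._outstanding = {}  # ticket -> expiry time

    def issue(self):
        # Handed out by the server together with the login form.
        ticket = "LT-" + secrets.token_urlsafe(24)
        self._outstanding[ticket] = self._clock() + self._ttl
        return ticket

    def consume(self, ticket):
        # pop() removes the ticket on first use, so it is valid for one attempt only
        expiry = self._outstanding.pop(ticket, None)
        return expiry is not None and self._clock() <= expiry


def handle_login_post(registry, form):
    """Model of the credential-accepting side of /login."""
    if not registry.consume(form.get("lt", "")):
        return "rejected: missing, unknown, expired or reused login ticket"
    expected = USERS.get(form.get("username", ""))
    supplied = form.get("password", "")
    if expected is None or not secrets.compare_digest(expected.encode(), supplied.encode()):
        return "rejected: bad credentials"
    return "authenticated"


def demo():
    reg = LoginTicketRegistry()
    creds = {"username": "alice", "password": "correct horse"}
    no_ticket = handle_login_post(reg, creds)  # form posted with no lt field
    form = dict(creds, lt=reg.issue())         # form that obtained a ticket first
    first = handle_login_post(reg, form)
    replay = handle_login_post(reg, form)      # identical POST sent a second time
    return no_ticket, first, replay


if __name__ == "__main__":
    print(demo())
```

The ticket is consumed before the credentials are checked, so a failed attempt also invalidates it and a resubmitted or pre-built POST cannot reuse it.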