RE: RE:[cas-user] problem with POST requests

2015-08-24 Thread Mahantesh Prasad Katti
Thanks. I will try to list the steps in our case. The following steps work fine 
for GET since it does not contain any “body”;


1. In our case, we are making a call to the CAS server to get a ST as 
the first step.

2. Attach the ST to the URL of the actual POST service. So essentially 
avoids the redirect 302 step.

3. Call the POST.

4. The SAM module of JASPIC validates the ST with CAS server.

5. The validation is successful. However, when the SAM module now tries 
to call the actual service, the POST data is lost.

6. The call fails.



The trick is to save and restore the POST payload. I am not a JASPIC expert. I 
am thinking it could probably help to have a session and associate the POST 
data with that session before the validation call.  Post validation, 
re-associate the post data with the actual request.



Hope I am making sense here. Any input is appreciated.



Regards

Prasad

From: Carl Waldbieser [mailto:cwaldbie...@gmail.com]
Sent: Saturday, August 22, 2015 4:13 AM
To: cas-user@lists.jasig.org
Subject: RE:[cas-user] problem with POST requests


In that email thread, the issue is that the browser initially has no session 
with the proxy protecting the resource.  When the proxy redirects the user to 
the CAS service using a GET, the initial POST data is lost.

If this is analogous to what is happening in the original poster's case, the 
way to get around it is to make 2 requests.  The first to a GETable resource.  
This establishes an authenticated session with the service by doing the CAS 
dance.  The second request would need to use the session cookie from the first 
request when it made the POST and CAS would get out of the way.

Strictly speaking, that is not a RESTful API.  It would make more sense for a 
RESTful API to hand out an access token in response to a GET for a valid CAS 
service ticket.  The access token could then be used to authenticate to the 
rest of the API without having to monkey around with cookies and sessions.

Thanks,
Carl Waldbieser
On Aug 21, 2015 6:03 PM, Andrew Morgan mor...@orst.edu wrote:
Have a look at this email thread:

  https://groups.google.com/forum/#!topic/jasig-cas-user/if0SQ0gUbp8

It's an old problem.

I'm not sure how CAS JASPIC works, but I've seen the Java cas client in action. 
 It seems to consume the ST, validate the ST, then redirect the client to the 
original resource.  Like this:

GET /foo?ST=12345
(processing happens to validate the ST)
RESPONSE: 302 REDIRECT /foo
GET /foo


When the redirect happens, the POST data is lost.

It might work if you switched from POST to GET.

You can read about some options and recommendations in the email thread above.

Andy

On Fri, 21 Aug 2015, Mahantesh Prasad Katti wrote:

Has anybody run into this problem? Do you think I need to explain this problem 
better or provide additional info?

Regards
Prasad

From: Mahantesh Prasad Katti
Sent: Friday, August 21, 2015 2:39 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] problem with POST requests

Hi,

We have a casified Java application. This application exposes a bunch of REST 
APIs. When accessing POST APIs from another application by explicitly obtaining 
the service ticket and appending it to the target URL, the calls are failing. 
Apparently, after the ticket validation happens successfully, the POST body 
data gets lost and the service call fails because of that. Do we need to modify 
the server auth module to handle this scenario? Note that this happens for POST 
calls only. The GET calls work just fine.

We are using the CAS JASPIC jar available from Google Groups. Any help is 
appreciated.

Regards
Prasad





--

You are currently subscribed to cas-user@lists.jasig.org as: 
mahantesh.ka...@indecomm.net

To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user


RE: [cas-user] problem with POST requests

2015-08-24 Thread Mahantesh Prasad Katti
Thanks for the pointers. Finally what we did was invoke a GET service [which 
does not do any heavy duty work]. This sends back the session cookie in the 
response.  The POST call is then called by setting the JSESSIONID cookie in the 
request. This seems to work fine for now.

Regards,
Prasad
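
The failing flow (ST appended to the POST URL) next to the workaround described above (a cheap GET first, then the POST with the JSESSIONID cookie), as an added example that is not part of the original message or of the CAS JASPIC module. The toy server, the `/api/ping` and `/api/orders` paths and the ticket values are constructed; `ticket` is the CAS protocol's query parameter name, where the thread's sketch writes `ST=`.

```python
import http.cookiejar, secrets, threading, urllib.request
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Constructed stand-ins: a real service validates the ST against the CAS server.
UNUSED_TICKETS = {"ST-constructed-1", "ST-constructed-2"}
SESSIONS = set()  # server-side session ids handed out as JSESSIONID

class CasProtectedApp(BaseHTTPRequestHandler):
    """Toy service: consume the ST, set JSESSIONID, 302 to the ticket-free URL."""
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, status, text, headers=()):
        data = text.encode()
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _serve(self):
        url = urlsplit(self.path)
        body = self.rfile.read(int(self.headers.get("Content-Length") or 0)).decode()
        ticket = parse_qs(url.query).get("ticket", [None])[0]
        if ticket is not None:
            if ticket not in UNUSED_TICKETS:
                return self._reply(401, "invalid ticket")
            UNUSED_TICKETS.discard(ticket)  # a service ticket is single-use
            sid = secrets.token_hex(16)
            SESSIONS.add(sid)
            # The redirect carries no body, so whatever was POSTed stops here.
            return self._reply(302, "", [("Location", url.path),
                ("Set-Cookie", f"JSESSIONID={sid}; Path=/; HttpOnly")])
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        if "JSESSIONID" not in cookies or cookies["JSESSIONID"].value not in SESSIONS:
            return self._reply(401, "no session")
        self._reply(200, f"{self.command}:{body}")  # echo method and body

    do_GET = do_POST = _serve

def start_server():
    server = HTTPServer(("127.0.0.1", 0), CasProtectedApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

def new_client():
    # Fresh cookie jar per client; ProxyHandler({}) keeps loopback traffic direct.
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({}), urllib.request.HTTPCookieProcessor(jar))

def post_with_ticket(base, ticket, payload):
    """Failing flow from the thread: ST appended to the POST URL."""
    with new_client().open(f"{base}/api/orders?ticket={ticket}", payload, 5) as resp:
        return resp.read().decode()

def get_then_post(base, ticket, payload):
    """Workaround: a cheap GET consumes the ST, the POST reuses the session cookie."""
    client = new_client()
    client.open(f"{base}/api/ping?ticket={ticket}", None, 5).close()
    with client.open(f"{base}/api/orders", payload, 5) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    server, base = start_server()
    print(post_with_ticket(base, "ST-constructed-1", b'{"qty": 2}'))  # body gone
    print(get_then_post(base, "ST-constructed-2", b'{"qty": 2}'))     # body intact
    server.shutdown()
```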



Re: [cas-user] problem with POST requests

2015-08-22 Thread Dmitriy Kopylenko
What CAS really needs is the true, stateless JWT implementation - that would 
solve the problem of authentication for RESTful resources once and for all, but 
that's a discussion for another day :-)

Cheers,
D.  

Sent from my iPhone



RE:[cas-user] problem with POST requests

2015-08-21 Thread Mahantesh Prasad Katti

Has anybody run into this problem? Do you think I need to explain this problem 
better or provide additional info?

Regards
Prasad


Re: [cas-user] problem with POST requests

2015-08-21 Thread Waldbieser, Carl

If you could go into more detail, that would probably help.
Do you have a link or docs for the web service you are trying to use?

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College


RE:[cas-user] problem with POST requests

2015-08-21 Thread Andrew Morgan

Have a look at this email thread:

  https://groups.google.com/forum/#!topic/jasig-cas-user/if0SQ0gUbp8

It's an old problem.

I'm not sure how CAS JASPIC works, but I've seen the Java cas client in 
action.  It seems to consume the ST, validate the ST, then redirect the 
client to the original resource.  Like this:


GET /foo?ST=12345
(processing happens to validate the ST)
RESPONSE: 302 REDIRECT /foo
GET /foo


When the redirect happens, the POST data is lost.

It might work if you switched from POST to GET.

You can read about some options and recommendations in the email thread 
above.


Andy


RE:[cas-user] problem with POST requests

2015-08-21 Thread Carl Waldbieser
In that email thread, the issue is that the browser initially has no
session with the proxy protecting the resource.  When the proxy redirects
the user to the CAS service using a GET, the initial POST data is lost.

If this is analogous to what is happening in the original poster's case,
the way to get around it is to make 2 requests.  The first to a GETable
resource.  This establishes an authenticated session with the service by
doing the CAS dance.  The second request would need to use the session
cookie from the first request when it made the POST and CAS would get out
of the way.

Strictly speaking, that is not a RESTful API.  It would make more sense for
a RESTful API to hand out an access token in response to a GET for a valid
CAS service ticket.  The access token could then be used to authenticate to
the rest of the API without having to monkey around with cookies and
sessions.

Thanks,
Carl Waldbieser