Getting 403 when POST to /cas endpoint


Yan Zhou

Jan 21, 2021, 6:27:44 PM
to CAS Community
Hello, 

I am using CAS 5.3.X, but I think the same would apply to CAS4 or CAS5.

<form method="POST" action="https://.....MyCASEndPoint/cas/login">
<input type="submit" name="submit" value="submit">
</form>

In the browser, when I submit this form, I get a 403.

But when I use Postman, it returns the CAS login page.

I do not understand why in the browser (FF and Chrome) I am getting 403. Is that because of CSRF? I tried to put in "execution" as a hidden value, but that did not help.

Why does Postman return a different result than Chrome/FF?

Thanks,
Yan

Richard Frovarp

Jan 21, 2021, 7:09:35 PM
to cas-...@apereo.org
Why are you trying to POST to the login URL? It looks like this isn't
the POST from the login page? What do the CAS logs say?

Yan Zhou

Jan 21, 2021, 8:09:29 PM
to CAS Community, richard.frovarp
Hi, 

Trying to implement this: people are logged into their app (which does not use CAS); they click a link in their webapp that triggers a POST to the CAS /login endpoint with a SAML Assertion in the POST body. My CAS implementation will detect the payload and then follow a different route of validating SAML, etc. (the CAS login page does not show up; instead, we are validating the SAML Assertion). I thought the non-interactive type of login also comes in through the /login endpoint. Because we still want it to go through service validation, TGT/ST generation, etc., it has to go through the CAS login flow.

But we noticed that such a POST made by another webapp to the /cas endpoint fails in FF and Chrome; it works in IE.

CAS 5.3.x runs on Tomcat; the access logs show 403, but I do not see anything in the CAS or Tomcat logs (after turning on DEBUG). My guess is there is some kind of CSRF-type protection in CAS preventing such a POST? I placed "executionKey" in the form post; it made no difference, still 403.

How would such a non-interactive flow work? If CAS indeed has something preventing such a POST, why does IE work, and what is that?

Thanks,
Yan
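The symptom described in the two posts above (a cross-site form POST from a browser gets 403 while the same POST from Postman gets the login page) is exactly what an origin-allowlist check produces: browsers attach an Origin (and usually Referer) header to a cross-site form submission, while API clients send neither. The following is an added illustration written for this thread, not code from CAS or from the poster; it assumes a hypothetical CAS host https://cas.example.org, a constructed allowlist, and constructed request headers, and it does not claim that this particular check is what the poster's deployment runs.

```python
"""Added illustration (not CAS code): how an origin-allowlist filter in front
of /cas/login reacts to a cross-site browser form POST versus a POST from an
API client such as Postman.

Assumptions (constructed for this example, not taken from the thread):
  - the CAS host is https://cas.example.org
  - only same-origin POSTs, or POSTs from explicitly allowed origins, pass
"""
from urllib.parse import urlsplit

# Constructed allowlist: by default only CAS's own origin may POST to it.
ALLOWED_ORIGINS = {"https://cas.example.org"}


def request_origin(headers):
    """Return the effective origin of a request.

    Prefers the Origin header; falls back to the scheme+host of Referer;
    returns None when neither is present (typical for API clients).
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin and origin.lower() != "null":
        return origin.rstrip("/")
    referer = h.get("referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def check_post(headers, allowed=ALLOWED_ORIGINS, require_origin=False):
    """Decide what an origin-allowlist filter would answer for a POST.

    Returns (http_status, reason). With require_origin=False a request that
    carries no Origin/Referer is let through, which is why a non-browser
    client can reach the login page while a cross-site browser POST cannot.
    """
    origin = request_origin(headers)
    if origin is None:
        if require_origin:
            return 403, "no Origin/Referer: rejected by strict policy"
        return 200, "no Origin/Referer: treated as non-browser client"
    if origin in allowed:
        return 200, f"origin {origin} allowed"
    return 403, f"origin {origin} not in allowlist"


# Constructed sample requests (no real hosts or sessions involved).
BROWSER_POST = {
    "Host": "cas.example.org",
    "Origin": "https://app.example.net",
    "Referer": "https://app.example.net/portal/link",
    "Content-Type": "application/x-www-form-urlencoded",
}
API_CLIENT_POST = {
    "Host": "cas.example.org",
    "Content-Type": "application/x-www-form-urlencoded",
    "User-Agent": "PostmanRuntime/7.26",
}
SAME_ORIGIN_POST = {
    "Host": "cas.example.org",
    "Origin": "https://cas.example.org",
}

if __name__ == "__main__":
    for name, hdrs in [
        ("browser, cross-site", BROWSER_POST),
        ("API client", API_CLIENT_POST),
        ("browser, same-origin", SAME_ORIGIN_POST),
    ]:
        status, reason = check_post(hdrs)
        print(f"{name:22s} -> {status} ({reason})")
```

Two things follow for troubleshooting: a 403 that appears in the Tomcat access log but in no CAS log points at a filter that answers before the CAS webflow runs, so the request and response headers of the failing browser POST (Origin, Referer, and any Access-Control-Allow-* headers in the reply) are the first thing to capture; and if the integrating webapp's origin is legitimately expected to POST to CAS, the fix is to allow that origin in the filter's configuration, not to add "execution" or "executionKey" parameters, which such a filter never inspects.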

Richard Frovarp

Jan 22, 2021, 10:28:46 AM
to cas-...@apereo.org
So you want to turn CAS into a SAML 2 SP? You'll need to follow this
documentation:

https://apereo.github.io/cas/5.3.x/integration/Delegate-Authentication.html