--
You received this message because you are subscribed to the Google Groups "ozoneplatform-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ozoneplatform-...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Technically, it doesn't require CAS authentication, but I think you're saying a line like the below in the securityContext.xml file would cause the system to bounce back and forth back to CAS to verify that someone has one of ROLE_USER, etc... that that's what you're seeing in your environment.
<sec:intercept-url pattern="/**" access="ROLE_USER,ROLE_ORG_STEWARD,ROLE_ADMIN" requires-channel="https" />
So, you'd suggest that the SecurityContext.xml file might have a pattern above the /** which doesn't require a role-based access for the receptor endpoint, but do require https...
Try it - see if it works (or just indicate that you've already done so...) I will say, OWF has used CAS both in cert-based and in non-cert based scenarios and not run into the issue you're describing. The out-of-the-box scenario for OWF for a long-time would use certs if they were available, and fail over to a login screen deployed in the CAS war. Historically, the securityContext file mostly ignored that CAS was doing the handshake, except to include the beans needed for CAS at the bottom. Meaning, the interceptors at the top didn't truly have knowledge of...
FYI: the ozp-security project (https://github.com/ozoneplatform/ozp-security) shows the original configuration files, but you have to dig back through the commit history. The team supporting the GOSS efforts has cleaned things up a bit since the open-source OWF release, and CAS is no longer directly supported in the bean configurations. Can still be added as an auth/auth mechanism, of course, but no longer provided directly as an example.