POSTing with a CAS proxy ticket


Bryan Larsen

Jun 12, 2009, 6:12:08 PM
to RubyCAS
The instructions for proxying in the rubycas-client README.rdoc have
several errors in them.

Quoting:

service_uri = "http://some-other-application.example.foo"
proxy_granting_ticket = session[:cas_pgt]
ticket = CASClient::Frameworks::Rails::Filter.client.request_proxy_ticket(service_uri, proxy_granting_ticket).ticket

ticket should now contain a valid service ticket. You can use it to
authenticate other services by sending it and the service URI as
parameters to your target application:

http://some-other-application.example.foo?service=#{CGI.encode(ticket.target_service)}&ticket=#{ticket.proxy_ticket}

Comments:

The ticket variable above contains a string, so obviously it doesn't
have target_service or proxy_ticket methods. The object that
request_proxy_ticket returns doesn't have these methods either.
CGI.encode isn't a method -- you're probably looking for CGI::escape.

Here's some code that did work for me:

service_uri = "http://localhost:3333/some/service"
proxy_granting_ticket = session[:cas_pgt]
ticket = CASClient::Frameworks::Rails::Filter.client.request_proxy_ticket(proxy_granting_ticket, service_uri)
response, data = Net::HTTP.new("localhost", 3333).get("/some/service?ticket=#{ticket.ticket}")

Now I want to do a POST instead of a get. I've tried a bunch of
variants on the above formula, but nothing works -- I always get a
302. Help?

thanks,
Bryan

Bryan Larsen

Jun 16, 2009, 9:44:47 AM
to RubyCAS
I'm not sure what I'm doing wrong with my POSTs. Some help would be
appreciated. At the moment I'm doing POSTs by doing a GET with my
proxy ticket, and then doing a POST without any ticket but sending the
session cookie. It works, but it's two requests instead of one.

thanks for any help,
Bryan

Bryan Larsen

Jul 6, 2009, 6:46:38 PM
to RubyCAS
I finally figured out my problem after shelving it for a while.

When POSTing, parameters are part of the service_uri. This is crazy,
because parameters aren't part of the URI when POSTing. I'm not sure
what the heck you're supposed to do if you're not sending
x-www-urlencoded.

Here's a code fragment that works for me:

path = "/some/path?_method=PUT"
service_uri = "http://bryan-larsen.is-a-geek.org:3333#{path}"
proxy_granting_ticket = session[:cas_pgt]
ticket = CASClient::Frameworks::Rails::Filter.client.request_proxy_ticket(proxy_granting_ticket, service_uri)
http = Net::HTTP.new("bryan-larsen.is-a-geek.org", 3333)
headers = { 'Accept' => 'application/json', 'Content-Type' => 'application/x-www-form-urlencoded' }
response, data = http.post(path, "_method=PUT&ticket=#{ticket.ticket}", headers)

cheers,
Bryan

Matt Zukowski

Jul 17, 2009, 4:53:06 PM
to RubyCAS
Thanks for catching the errors in the README. Those have been
corrected.

Regarding the parameters being in the service_uri, I think you're
right, the server should probably strip off the parameters in the URL
when deciding whether the service URL that the proxy ticket was issued
for is the same as the URL being accessed. I can see cases however
when you wouldn't want the parameters to be erased: http://example.com/person?id=1
and http://example.com/person?id=2 probably refer to two different
resources, and access granted to one shouldn't necessarily imply
access to another. However I'd say that this is probably a mistake on
the part of whoever did the routing at the app level (and in any case,
it's still the same service, just different resources within the same
service).....

What I'll probably do is make it strip out the parameters by default,
but I'll add an option where the admin can enable strict URL matching
if desired. See: http://github.com/gunark/rubycas-server/issues#issue/5

How does that sound?
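The trade-off discussed in this thread, between strict service URL matching and matching with the query parameters stripped, sketched as an added example that is not part of the original posts and is not rubycas-server's code. `normalize_service` and `service_matches?` are hypothetical helpers; ignoring the `ticket` parameter and parameter order in strict mode are assumptions made for the illustration.

```ruby
require 'uri'

# Hypothetical helper (not rubycas-server code): canonical form of a service
# URL for comparison. Scheme/host are lowercased, the default port is dropped.
def normalize_service(url, strict:)
  uri  = URI.parse(url)
  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  path = uri.path.to_s.empty? ? '/' : uri.path
  base = "#{uri.scheme.to_s.downcase}://#{uri.host.to_s.downcase}#{port}#{path}"
  return base unless strict && uri.query

  # Strict mode keeps the query string, minus the ticket itself (assumption),
  # and sorts the pairs so parameter order does not matter.
  params = URI.decode_www_form(uri.query).reject { |key, _| key == 'ticket' }
  params.empty? ? base : "#{base}?#{URI.encode_www_form(params.sort)}"
end

# True when the URL a proxy ticket was issued for and the URL presented at
# validation name the same service. Unparsable input never matches.
def service_matches?(issued_for, presented, strict: false)
  normalize_service(issued_for, strict: strict) ==
    normalize_service(presented, strict: strict)
rescue URI::InvalidURIError, ArgumentError
  false # fail closed
end

# Constructed cases based on the URLs quoted in the thread.
CASES = [
  ['http://bryan-larsen.is-a-geek.org:3333/some/path?_method=PUT',
   'http://bryan-larsen.is-a-geek.org:3333/some/path'],
  ['http://example.com/person?id=1', 'http://example.com/person?id=2'],
  ['http://example.com/person', 'http://other.example.net/person']
].freeze

CASES.each do |issued_for, presented|
  strict  = service_matches?(issued_for, presented, strict: true)
  lenient = service_matches?(issued_for, presented, strict: false)
  puts "#{issued_for} vs #{presented}: strict=#{strict} lenient=#{lenient}"
end
```

With parameters stripped, a ticket issued for `person?id=1` also validates for `person?id=2`, so per-resource authorization has to be enforced by the application rather than by the ticket.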