-
Oct 10th, 2012, 09:13 AM
#31
I don't understand how CAS would recognize such a customized token... can u describe in more detail?
-
Oct 11th, 2012, 02:32 AM
#32
Hi,
Let's take an easy example:
1. Authentication in your web app
2. Click on a login to go to the CAS server
3. For the login, generate a token (by using StringRandomUtils from commons-lang3 for example)
4. Store in database with an expiration date (now + 10 seconds)
5. Call the cas/login?token=xxxx&service=yyyy
6. In the NonInteractiveAuthenticationHandler defined in the CAS server, get the token, verify the associated login in database and check the expiration date
7. If everything is ok, authenticate the user with login.
It's just an example. It can certainly be improved.
Best regards,
Jérôme
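Added example, not part of the original posts and not CAS code: a sketch of steps 3, 4 and 6 above, where the hypothetical `LoginTokenStore` class and its in-memory map stand in for the database table. It assumes `SecureRandom` for token generation and removes the token on first use, which goes slightly beyond the listed steps so that a replayed login URL fails.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper (not a CAS or Spring Security class).
public class LoginTokenStore {
    private record Entry(String login, Instant expiresAt) {}

    private static final Duration TTL = Duration.ofSeconds(10); // "now + 10 seconds" from step 4
    private final ConcurrentHashMap<String, Entry> tokens = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    // Steps 3-4: called by the web app once it has authenticated the user itself.
    public String issue(String login, Instant now) {
        byte[] raw = new byte[32]; // 256 bits, unguessable within the 10 s window
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(token, new Entry(login, now.plus(TTL)));
        return token;
    }

    // Step 6: called on the CAS side to resolve the token to a login.
    // remove() is atomic, so the token is single use even under concurrent requests.
    public Optional<String> consume(String token, Instant now) {
        if (token == null) return Optional.empty();
        Entry e = tokens.remove(token);
        if (e == null || !now.isBefore(e.expiresAt())) return Optional.empty();
        return Optional.of(e.login());
    }

    public static void main(String[] args) {
        LoginTokenStore store = new LoginTokenStore();
        Instant t0 = Instant.now();
        String token = store.issue("alice", t0); // "alice" is a constructed sample login
        System.out.println("redirect: cas/login?token=" + token + "&service=yyyy");
        System.out.println("first use: " + store.consume(token, t0.plusSeconds(2)));
        System.out.println("replay:    " + store.consume(token, t0.plusSeconds(3)));
        String late = store.issue("alice", t0);
        System.out.println("expired:   " + store.consume(late, t0.plusSeconds(11)));
        System.out.println("unknown:   " + store.consume("bogus", t0));
    }
}
```

Only the first call resolves to a login; the replayed, expired and unknown tokens all come back empty, which is the case where the handler in step 6 must refuse to authenticate.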
-
Oct 11th, 2012, 03:42 AM
#33
Jérôme,
I've found such a topic:
https://lists.wisc.edu/read/messages?id=18278497
but when I follow the instructions, I don't get the needed result.
I make all needed changes (but there are no changes in config files) and then I access the login page just by typing it. When I enter the credentials, it goes to the CAS server and again asks for authentication.
Then I noticed that in such a case requestParameterMap.service is null.
Also I watched what requestParameterMap.service is in the case of old-type CAS logging in (without my login page, accessing the protected page) and requestParameterMap.service equals the URL where it came from (which I entered in the spring security config)
-
Oct 11th, 2012, 08:09 AM
#34
UPD: After performing some actions, I got such page
Capture.PNG
the steps are next:
1. type login page
2. enter credentials
3. got this page (it doesn't redirect me back to my service)