[cas-dev] Decoupling CAS' AuthN and Ticketing (Was Re: SPNEGO)
Arnaud Lesueur
alesueur+cas at octo.com
Thu Jun 15 10:32:47 EDT 2006
Le Jeu 15 juin 2006 14:24, Stephen A. Cochran a écrit :
> On Jun 15, 2006, at 5:20 AM, Velpi wrote:
>
>
>> It is certainly possible to do a fallback to BASIC
>> authententication. (these people do that I think: http://www.it-practice.dk/en/4/products/) I also think IIS+IE
uses it
>> automatically, but I don't have any experience with IIS.
>>
>>
>> I'm not sure that it's possible to do a fallback to a form, but I
>> think I read that the protocol supports it...
>
> A fallback to a form is fairly easy becuse the client is always
> directed to a error page if auth fails. So you just put the form on that page. I *think* that will work inside cas when
> CAS does spnego
> natively, try spnego, if fail to go other views.
>
> With apache doing the spnego, I can set up spnego auth on /login. If
> it fails, redirect to /cas/login. But if it's succesful I can't redirect to /cas/login and maintain the environment
> variables, at least not that I've figured out how.
>
> Steve
Yes, this is true about the fallback which may happen in 2 cases :
- the client doesn't know how to deal with SPNEGO. In that case, the browser will not answer to the HTTP 401 with
"WWW-Authenticate Negotiate" in the header and will display the content of the page which was send by the server (here
the login form)
- the client didn't provide a valid SPNEGO Token. In this case, we just have to deal with this error in the webflow.
Arnaud Lesueur
More information about the cas
mailing list