I have a Spring Boot application and use the Java Apereo CAS Client (version 3.6.2) to use an CAS server for authentication. In other words, I want to turn my app into a CAS client, I didn't set up the CAS server myself.
I checked the list of calls made to CAS server:
The first call to the CAS server is made, but I don't see the second call to the server for ticket validation (i.e., a call to https://cas-server-address/cas/serviceValidate
URL) that will return an XML document with user
and authtype
attributes that I want to extract to store in the database.
I have 2 questions:
user
and authtype
attributes from the XML document and store them in the database?Why there is no second call for the CAS server for ticket validation?
There is. The second call is a back-channel call from your application server over to the CAS server. By definition, this is not something you would see in your browser. This call goes over to the CAS server behind the scenes to validate the service ticket received in the first leg (i.e. ST-xyz
). The Java CAS client library should be automatically doing this for you, and you can verify this in the logs.
If you don't see this happening, your configuration is not set correctly or there is an error along the process.
Is it hidden?
Hidden from the browser, as it's a back-channel call. For additional details on what happens and why, please study the CAS protocol.
How do I extract user and authtype attributes from the XML document and store them in the database?
The Java CAS client library typically extracts the user id and other attributes. Then, the user-id would be available under the REMOTE-USER header that can be fetched via the http request object. If you have access to the http session, you can also fetch the final Assertion from the session which contains the CAS payload:
var assertion = (Assertion) session.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
For a more practical example, see this.