We wanted to be more flexible in the use of the login UI, e.g. to embed it in several places as a small panel. Moreover, we wanted to treat CAS as a pure service, without having to maintain layout information twice. We also wanted to support both login postings from another site and direct login at the CAS server as a fallback.
Other proposed solutions
- 'Using CAS without the Login Screen' page
- 'Using CAS without the CAS login screen' page
- A Google group discussion
The solution is to bypass the login form when an "auto" HTTP parameter with the value "true" is posted.
In that case, an auto-posting form is rendered and posted to CAS as if the user had authenticated himself.
Even without this modification, anybody can create a site with a login/password form whose server then posts it to the CAS server in 2 requests (the first one to retrieve the value of "execution", the second one to post it and redirect the final user to the CAS server with the session retrieved from that second request), so there is no security regression here.
Modification to the CAS WAR
You just have to edit the casLoginView.jsp file and add these modifications at the head and the tail of the file:
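One way to write the change described above, as an added example rather than the original page's or the CAS project's code: the head of the file opens a branch that renders only the auto-posting form when auto=true, and the tail closes it around the untouched login view. The model names loginTicket and flowExecutionKey, the field names lt and _eventId, and the /login path are assumptions based on the stock CAS 3.x view; check them against your own casLoginView.jsp.

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%-- HEAD of casLoginView.jsp: branch on the "auto" request parameter. --%>
<c:choose>
<c:when test="${param.auto == 'true'}">
  <%-- Post back to /login with only the service parameter. "auto" is dropped,
       so a failed login re-renders the normal form instead of looping. --%>
  <c:url var="loginUrl" value="/login">
    <c:if test="${not empty param.service}">
      <c:param name="service" value="${param.service}" />
    </c:if>
  </c:url>
  <html>
  <head><title>Signing in</title></head>
  <body onload="document.getElementById('autoLogin').submit();">
    <form id="autoLogin" method="post" action="${fn:escapeXml(loginUrl)}">
      <%-- Request-controlled values: escape before writing into attributes,
           otherwise the posting site can inject markup into the CAS origin. --%>
      <input type="hidden" name="username" value="${fn:escapeXml(param.username)}" />
      <input type="hidden" name="password" value="${fn:escapeXml(param.password)}" />
      <%-- Flow state issued by CAS for this request (assumed names, see above). --%>
      <input type="hidden" name="lt" value="${fn:escapeXml(loginTicket)}" />
      <input type="hidden" name="execution" value="${fn:escapeXml(flowExecutionKey)}" />
      <input type="hidden" name="_eventId" value="submit" />
      <%-- Without JavaScript the user submits the same form by hand. --%>
      <noscript><input type="submit" value="Continue" /></noscript>
    </form>
  </body>
  </html>
</c:when>
<c:otherwise>
  <%-- The original casLoginView.jsp markup stays here, unchanged. --%>
<%-- TAIL of casLoginView.jsp: close the branch opened at the head. --%>
</c:otherwise>
</c:choose>
```

The param.* lookups read both query-string and POST-body values, so the same branch serves an external link and an external form.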
With that modification done, you can create external links such as this one:
You can also create a custom external form such as this one: