Skip to end of metadata
Go to start of metadata
Table of Contents


New CAS documentation site

Icon

CAS documentation has moved over to jasig.github.io/cas, starting with CAS version 4.x. The wiki will no longer be maintained. For the most recent version of the documentation, please refer to the aforementioned link.


Anchors/fragments are lost across redirects, as the server-side handler of the form post ignores the client-side anchor, unless appended to the form POST url. See https://jira.springsource.org/browse/SEC-1067 for more details. This feature is needed if you want a CAS-authenticated application to be able to use anchors/fragments when bookmarking. If the user has a bookmark with an anchor/fragment in it and is redirected to the login page when attempting to navigate to the link with the anchor, the anchor will be lost upon redirect without this patch.


Let's assume you go to www.example.com/index#someAnchor, but you have not been authenticated. The container will automatically redirect you to your login page, but the browser will maintain the anchor/fragment from the original link: www.example.com/login#someAnchor. With the change demonstrated below, it is ensured that the anchor is not lost upon the form post so that it can be re-applied by the browser to the redirect URL issued by the server upon successful login. Because anchors/fragments are client-side pieces maintained by the browser and NEVER transmitted as part of the HTTP POST to the server, this is the only way to maintain the anchor/fragment (without putting it in the POST data and modifying the server to restore it).

 

Browser Support

Icon

Note that this will only help FireFox/Chrome/Opera/IE 10 and not Safari and IE 9 and below: http://blogs.msdn.com/b/ieinternals/archive/2011/05/17/url-fragments-and-redirects-anchor-hash-missing.aspx. This has nothing to do with the code itself and more to do with how the browsers handle persisting fragments/anchors across 302 redirect responses from servers.

Changes to cas.js:

 

Changes to casLoginView.jsp:

  • No labels