Opened Apr 08, 2020 by Andreas Deschka@adeschka

Redirecting in CAS with post method

Hello,

As far as I understand, it would be good for CASv3 if the redirect could be done with POST, because of the JavaScript cross-site scripting danger in the client.

(It would also be good for the OIDC implicit flow, but there is the alternative of the code flow.)

What I tried (for CAS); neither worked:

  • added a method parameter with the value POST to the CAS URL, as documented in the CASv3 specification (https://apereo.github.io/cas/5.0.x/protocol/CAS-Protocol-Specification.html#211-parameters)
  • set redirectFormMethod = "POST" in the LemonLDAP manager

But maybe it is also a bug (version 2.0.7)?

In the autoRedirect method, it seems it will always end up as a GET request: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/3b1b1b1997b4c7967cc452194aa92f77c512d0a8/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm#L352

By manually setting $req->data->{redirectFormMethod} = "post", it was possible to do the redirect with POST.

Maybe I have also overlooked something...

Greetings, Andreas Deschka
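The behaviour the report asks for, shown as an added stand-alone example that is not part of the original post and not lemonldap-ng code: a CAS server's final /login response, choosing between the default GET redirect and the CASv3 method=POST form post. With GET the service ticket sits in the query string of the Location header, where it lands in browser history, web-server and proxy logs and Referer headers; with POST it travels in the request body of an auto-submitting form instead. The function names, the in-memory ticket format and the rejection of any method other than GET or POST (the spec leaves HEADER support to the implementation) are assumptions of this example.

```python
"""CASv3 `method` parameter: GET redirect vs POST form delivery of a service ticket.

Example code written for this page; it is not the lemonldap-ng implementation.
"""
import html
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def new_service_ticket() -> str:
    # CAS service tickets MUST begin with "ST-" and services MUST accept
    # tickets of up to 32 characters (CAS protocol spec, section 3.1).
    # "ST-" + 28 hex chars = 31 chars.
    return "ST-" + secrets.token_hex(14)


def parse_login_query(login_url: str) -> dict:
    """Extract the /login parameters (service, method, ...) from a CAS login URL.

    Only the first value of each repeated parameter is kept (assumption).
    """
    return {k: v[0] for k, v in parse_qs(urlsplit(login_url).query).items()}


def append_ticket(service: str, ticket: str) -> str:
    """Append ticket=... to the service URL, preserving any existing query string."""
    parts = urlsplit(service)
    query = parts.query + ("&" if parts.query else "") + urlencode({"ticket": ticket})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def cas_login_response(params: dict, ticket: str) -> tuple[int, dict, str]:
    """Build the CAS server's response once the user is authenticated.

    Returns (status, headers, body). `params` are the /login request parameters;
    `method` defaults to GET as in the CASv3 specification.
    """
    service = params.get("service")
    if not service:
        raise ValueError("service parameter is required")
    method = params.get("method", "GET").upper()

    if method == "GET":
        # Default: 302 redirect. The ticket is part of the URL, so it is exposed
        # to history, logs and Referer leakage until it is validated and consumed.
        return 302, {"Location": append_ticket(service, ticket)}, ""

    if method == "POST":
        # CASv3 method=POST: the ticket is delivered in the body of a form that
        # the browser submits to the service. Attribute values are HTML-escaped
        # so a crafted service URL cannot break out of the form markup.
        action = html.escape(service, quote=True)
        body = (
            "<!DOCTYPE html><html><body onload=\"document.forms[0].submit()\">"
            f'<form method="POST" action="{action}">'
            f'<input type="hidden" name="ticket" value="{html.escape(ticket, quote=True)}">'
            '<noscript><input type="submit" value="Continue"></noscript>'
            "</form></body></html>"
        )
        return 200, {"Content-Type": "text/html; charset=utf-8"}, body

    # HEADER (or anything else) is not implemented in this example (assumption).
    raise ValueError(f"unsupported method {method!r}")


if __name__ == "__main__":
    # Constructed login URL for the demo; the host names are placeholders.
    login = ("https://sso.example.com/cas/login"
             "?service=https%3A%2F%2Fapp.example.com%2Fcb%3Fx%3D1&method=POST")
    params = parse_login_query(login)
    for params_variant in ({"service": params["service"]}, params):
        status, headers, body = cas_login_response(params_variant, new_service_ticket())
        print(status, headers, body[:80] + ("..." if len(body) > 80 else ""))
```

Dropping the method parameter (or sending GET) yields the 302 with the ticket in Location; sending method=POST yields the 200 form page with the ticket only in the body, which is what the reporter was trying to obtain.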

Milestone: 3.0.0
Reference: lemonldap-ng/lemonldap-ng#2137