How to reproduce:
- Install nuxeo 10.10 (+HFs) + nuxeo-jsf-ui/nuxeo-web-ui/ cas2-authentication
- configure CAS with the provided contribution sample
- invoke http://localhost:8080/nuxeo => you are logged in as Anonymous user
- logout -> You are redirected to CAS
- invoke the command:
=> You get HTTP 401 and not a redirection to CAS
Notice that you get the answer:
which is due to
However, in TL-233, it is stated
our authentication filter handles a redirection to the login page when authentication is required.
The snippet of JS code included in the HTTP 401 answer might be understood by WebUI, but not by a third-party CAS client.
NXP-23246 was introduced (so, in 8.10-HF16 and earlier versions), a HTTP 302 was sent, instead of a HTTP 401, and this worked fine with CAS.
Request is that the former HTTP 302 behavior can be retrieved in the corner case of unauthenticated CAS client when an anonymous user is declared and a direct link is invoked.