Resolution: Not A Bug
Affects Version/s: 10.10-HF44
Fix Version/s: None
Currently REST call with CAS auth are stateless: the consequence is that no Cookie is set in the response and therefore an authentication needs to be done for any REST call.
Steps to observe the problem:
- use the attached configuration and start Nuxeo
- in a private window, navigate to http://localhost:8080/nuxeo/site/api/v1/user/casuser
- observe that you're redirected to CAS
- use casuser/casuser for the credentials and submit the form
- observe that you're redirected to the REST URL with a "ticket" parameter and the result of the request is displayed as expected
- now remove the "ticket" parameter from the URL and submit it again
- observe that you're again redirected to CAS whereas you would expect to see the result immediately thanks to the previous authentication
If you open the Developer tools during this scenario and look at the response headers of the request to http://localhost:8080/nuxeo/site/api/v1/user/casuser?ticket=XXX you'll see that there is no "Set-Cookie: JSESSIONID=yyy", which is the reason why a new authentication is required.
Expected behavior: at least having a parameter to indicate that we want a stateful result when using CAS authentication in this context. It was the purpose of "needStartingURLSaving" but we had to set it to "false" to have a HTTP 302 redirection and not the default HTTP 401 with JS redirection.
- is related to
NXP-30083 Fix CAS authentication anonymous client change of behavior introduced with NXP-23246