Is CAS (Central Authentication Service) CORS enabled by default?

Question

The documentation makes it clear that CAS provides first-class support for enabling HTTP access control (CORS). However, is it enabled by default or the setup needs to be done? I am working on a web application where client side Angular code is trying to access a server api on another domain. The server itself has CORS enabled. The communication was working fine without any security. As soon as I introduced CAS single sign-on into the mix, I got the following error:

Failed to load https://myCasServer.com/?service=http%3A%2F%2Flocalhost%3A8080%2Fauthenticate: Redirect from 'https://myCasServer.com/?service=http%3A%2F%2Flocalhost%3A8080%2Fauthenticate' to 'http://myCasServer.com/login?service=http%3A%2F%2Flocalhost%3A8080%2Fauthenticate' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.

There are NO Access-Control-Allow-Origin headers in the response. I am using Cas 2.0

Jac Jac · Accepted Answer · 2018-11-21T01:29:09

CORS is not enabled by default in CAS. You need to add the config settings listed at https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#http-web-requests. e.g

cas.httpWebRequest.cors.enabled: true
cas.httpWebRequest.cors.allowCredentials=false
cas.httpWebRequest.cors.allowOrigins[0]=*
cas.httpWebRequest.cors.allowMethods[0]=*
cas.httpWebRequest.cors.allowHeaders[0]=*

Is CAS (Central Authentication Service) CORS enabled by default?

1 Answers