When redirecting from the https CAS application back to an http service after authenticating successfully, IE6 presents the user with a security dialog saying "you are about to be redirected to a connection that is not secure, do you really want to do this?". We can avoid this by using javascript to perform the redirection in the client browser, instead of a server side redirect. This approach works fine for web pages, but does not work for protected image content, which will not execute the returned javascript, so we revert to a serverside redirect for this type of content.
1. Create WEB-INF/view/jsp/default/ui/redirect.jsp to perform the redirection using javascript
<%@page import="org.jasig.cas.authentication.principal.WebApplicationService" %> <%@page import="org.jasig.cas.web.support.WebUtils" %> <%@page import="java.net.URL" %> <% WebApplicationService service = (WebApplicationService) request.getAttribute("service"); String ticket = (String) request.getAttribute("serviceTicketId"); String redirectURL = service.getResponse(ticket).getUrl(); boolean serverSideRedirect = false; // if redirect is for an image, js or css file URL url = new URL(redirectURL); String path = url.getPath(); int dotPos = path.lastIndexOf("."); // returns -1 if not found if( dotPos != -1 ) { String ext = path.substring(dotPos).toLowerCase(); serverSideRedirect = ".gif".equals(ext) || ".jpg".equals(ext) || ".png".equals(ext) || ".js".equals(ext) || ".css".equals(ext); } if( serverSideRedirect ) { // Serverside redirect using HTTP 302 response.sendRedirect(redirectURL); } else { // Client side redirect using javascript %> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <script type="text/javascript" language="javascript"> <!-- window.location.replace ("<%=redirectURL%>"); --> </script> <title>Redirect</title> </head> <body></body> </html> <% } %>
2. Make a redirect view available to CAS by adding it to WEB-INF/classes/default_view.properties
### Redirect view (logged in, javascript redirect to service) redirectView.(class)=org.springframework.web.servlet.view.JstlView redirectView.url=/WEB-INF/view/jsp/default/ui/redirect.jsp
3. Modify WEB-INF/login-webflow.xml to make the redirect end state use the new view
<end-state id="redirect" view="redirectView" />