We have some REST-ful web services that have always been using HTTP Basic Authentication to authenticate clients. We're working on deploying single sign-on using Jasig CAS single sign-on service. The SSO handshake that CAS uses requires unauthenticated clients to be redirected to CAS login with a 302 redirect.
Unfortunately HTTP Basic Auth requires a 401 response to unauthenticated requests, so we have a conflict where Basic Auth requires a 401 response and CAS requires a 302 response. Is there a way to get around this issue with CAS and still support basic auth?
The right way to go with stateless REST services is to use CAS' proxy authentication. The REST service looks for a ticket query parameter on requests and validates it as a proxy ticket. Since REST services don't typically have sessions, you usually have to implement a storage mechanism to accept the same proxy ticket for multiple requests without validating with CAS more than once (if you attempt to validate more than once, you'll likely get rejected by CAS depending on your configured number of validations per ticket in CAS). If the ticket query parameter is missing we return a `401 Missing Auth` response and never return a 302 redirect. This method can coexist with basic authentication.