I wish to use CAS as my authentication provider across a suite of cooperating server applications. I need to make server-to-server web-service calls, some of which will be WS-* style and others will be RESTful. I would like to use the same authentication mechanism (CAS proxy tickets) for both. Using the solution proposed by Scott may work for RESTful web services, using something like Spring's RestTemplate and ensuring that the ClientHttpRequest follows redirects and saves cookies, but I'm not sure if the various SOAP clients will cooperate as easily. Plus, the client-side redirect just adds more overhead I'd rather avoid.
I would prefer if the ticket could be tacked on to any URL either as a query parameter or perhaps in the path after the semicolon (like jsessionid). This would also enable me to redirect back to the original URL after login through CAS as well and avoid yet another redirect after landing on j_spring_security_cas.
From my cursory analysis of the code, it appears that the filters provided by CAS work as I described (but I haven't actually tried this). However, if I'm to use them with Spring Security, it appears I will need to write a custom security filter to build the UsernamePasswordAuthenticationToken from the Assertion placed in the request context. Is that a viable solution?
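
A sketch of the custom filter described above, added here as an example and not taken from the original post, CAS or Spring Security. It assumes the CAS Java client 3.x and Spring Security 3.x on the classpath and the CAS ticket validation filter earlier in the chain; the class name, the `"N/A"` credential and the fixed `ROLE_USER` authority are hypothetical.

```java
import java.io.IOException;
import java.util.Date;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.jasig.cas.client.util.AbstractCasFilter;
import org.jasig.cas.client.validation.Assertion;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical class name; must be ordered after the CAS client's ticket validation filter.
public class CasAssertionAuthenticationFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        Assertion assertion = findAssertion(request);
        if (assertion != null && !isExpired(assertion)
                && SecurityContextHolder.getContext().getAuthentication() == null) {
            // The ticket was already validated against the CAS server, so no password exists;
            // "N/A" is a placeholder credential and ROLE_USER an assumed fixed authority.
            UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
                    assertion.getPrincipal().getName(), "N/A",
                    AuthorityUtils.createAuthorityList("ROLE_USER"));
            token.setDetails(assertion);
            SecurityContextHolder.getContext().setAuthentication(token);
        }
        chain.doFilter(request, response);
    }

    // The CAS client stores the Assertion under this key in the request and, by default, the session.
    private Assertion findAssertion(HttpServletRequest request) {
        Object value = request.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
        HttpSession session = request.getSession(false);
        if (value == null && session != null) {
            value = session.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
        }
        return (value instanceof Assertion) ? (Assertion) value : null;
    }

    // An Assertion with no validUntil date is treated as not expired.
    private boolean isExpired(Assertion assertion) {
        Date until = assertion.getValidUntilDate();
        return until != null && until.before(new Date());
    }
}
```

The filter trusts the Assertion only because the CAS validation filter placed it server-side after checking the ticket with the CAS server; a real deployment would load authorities from a user store instead of granting a fixed role.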