[cas-dev] Unauthorized Service Handling
Marvin S. Addison
serac at exchange.vt.edu
Mon Aug 13 10:53:20 EDT 2007
A colleague of mine pointed out what seems to be a violation of the CAS
protocol spec in the behavior of CAS server 3.0.7. In the case where an
unauthorized service attempts to contact serviceValidate, a text/html
response can be returned instead of the expected CAS protocol 2.0
text/xml. An example case:
1. A user with a valid TGT attempts to use service
https://foo.com/stuff, which is configured to request proxy tickets.
2. Requests a service ticket from CAS:
https://cas.server/serviceValidate?service=https://foo.com/stuff&pgtUrl=https://foo.com/proxy.
3. ServiceAllowedToProxyMethodBeforeAdvice checks the service to
determine whether it's allowed to request proxy tickets.
4. Proxy not allowed for given service, throw
UnauthorizedServiceException.
5. The following line in login-webflow.xml causes serviceErrorView.jsp
to display:
<transition to="viewServiceErrorView"
on-exception="org.jasig.cas.services.UnauthorizedServiceException" />
So we have a case where serviceValidate ends up returning HTML instead
of XML according to the CAS 2.0 protocol spec. This seems problematic.
ServiceAllowedToProxyMethodBeforeAdvice is gone in 3.1, and it's not
clear to me by cursory code review whether it would behave similarly.
Does this issue affect 3.1 as well? I'm curious in any case whether
other folks consider this a real issue.
Thanks,
Marvin Addison
--
Application Developer
Middleware Services
Virginia Tech
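As an added illustration (not code from the post or from the CAS project), the check a CAS client could apply to a serviceValidate reply: classify it as CAS 2.0 success, CAS 2.0 failure, or a protocol error such as the HTML error view described above, instead of feeding whatever comes back straight into an XML parser. The namespace and element names are those of the CAS 2.0 protocol; the sample responses are constructed.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"  # CAS 2.0 protocol namespace


def cas(tag):
    """Qualify a CAS 2.0 element name with its namespace."""
    return "{%s}%s" % (CAS_NS, tag)


def parse_service_validate(content_type, body):
    """Classify a serviceValidate reply as success, failure or protocol_error.

    Non-XML replies (e.g. an HTML error page) become protocol errors.
    """
    media_type = content_type.split(";")[0].strip().lower()
    if media_type not in ("text/xml", "application/xml"):
        return {"status": "protocol_error",
                "reason": "unexpected Content-Type: " + media_type}
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return {"status": "protocol_error", "reason": "malformed XML: %s" % exc}
    if root.tag != cas("serviceResponse"):
        return {"status": "protocol_error", "reason": "not a cas:serviceResponse"}
    success = root.find(cas("authenticationSuccess"))
    if success is not None:
        return {"status": "success",
                "user": success.findtext(cas("user")),
                "pgt_iou": success.findtext(cas("proxyGrantingTicket"))}
    failure = root.find(cas("authenticationFailure"))
    if failure is not None:
        return {"status": "failure", "code": failure.get("code"),
                "message": (failure.text or "").strip()}
    return {"status": "protocol_error", "reason": "no success or failure element"}


# Constructed sample responses, not captured from a real CAS server.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-example</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
# The behaviour the post describes: an HTML error page where XML is required.
HTML_ERROR = "<html><body><h1>Unauthorized Service</h1></body></html>"
```

A client that treats anything other than a parsed cas:authenticationSuccess as a failed validation is not fooled by a stray HTML view, whatever Content-Type the server labels it with.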