[cas-dev] Unauthorized Service Handling

Scott Battaglia scott.battaglia at gmail.com
Mon Aug 13 14:10:00 EDT 2007


CAS 3.1 returns a server 500 error.  I've added a JIRA issue to return that
as the XML response (even though we're not officially adding another error
code to the specification).

We won't add that to the CAS 3.0.7 server because service authorization is
not explicitly supported in CAS 3.0.x (the code is an example of a possible
way of doing it) [though if anyone supplied a patch we would consider a
3.0.8 release to update the example code].  CAS 3.1 has built-in support.

-Scott

On 8/13/07, Marvin S. Addison <serac at exchange.vt.edu> wrote:
>
> A colleague of mine pointed out what seems to be a violation of the CAS
> protocol spec in the behavior of CAS server 3.0.7.  In the case where an
> unauthorized service attempts to contact serviceValidate, a text/html
> response can be returned instead of the expected CAS protocol 2.0
> text/xml.  An example case:
>
> 1. A user with a valid TGT attempts to use service
> https://foo.com/stuff, which is configured to request proxy tickets.
> 2. Requests a service ticket from CAS:
>
> https://cas.server/serviceValidate?service=https://foo.com/stuff&pgtUrl=https://foo.com/proxy
> .
> 3. ServiceAllowedToProxyMethodBeforeAdvice checks the service to
> determine whether it's allowed to request proxy tickets.
> 4. Proxy not allowed for given service, throw
> UnauthorizedServiceException.
> 5. The following line in login-webflow.xml causes serviceErrorView.jsp
> to display:
> <transition to="viewServiceErrorView"
> on-exception="org.jasig.cas.services.UnauthorizedServiceException" />
>
> So we have a case where serviceValidate ends up returning HTML instead
> of XML according to the CAS 2.0 protocol spec.  This seems problematic.
>
> ServiceAllowedToProxyMethodBeforeAdvice is gone in 3.1, and it's not
> clear to me by cursory code review whether it would behave similarly.
> Does this issue affect 3.1 as well?  I'm curious in any case whether
> other folks consider this a real issue.
>
> Thanks,
> Marvin Addison
> --
> Application Developer
> Middleware Services
> Virginia Tech
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>



-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
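The thread's point is that a client calling serviceValidate may get an HTML error page (or a plain HTTP 500) where the CAS 2.0 protocol promises an XML document. The following is an added example, not code from this thread or from the CAS project: a client-side handler for serviceValidate replies that fails closed on exactly that case, so an unexpected response is never mistaken for a successful validation. The namespace URI is the one the CAS 2.0 protocol uses; the sample responses, the username and the function names are constructed for this example.

```python
"""Fail-closed handling of CAS 2.0 /serviceValidate responses.

Added example (not CAS project code). Assumes the CAS 2.0 XML vocabulary in
the 'http://www.yale.edu/tp/cas' namespace; the sample responses below are
constructed, not captured from a real server.
"""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"

# Constructed sample replies.
SUCCESS_XML = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    "<cas:authenticationSuccess><cas:user>jdoe</cas:user>"
    "</cas:authenticationSuccess></cas:serviceResponse>"
)
FAILURE_XML = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    "<cas:authenticationFailure code='INVALID_SERVICE'>"
    "service not authorized</cas:authenticationFailure></cas:serviceResponse>"
)
# The kind of body the thread describes: an HTML page, not CAS XML.
HTML_500_BODY = "<html><body><h1>HTTP Status 500</h1></body></html>"


def validate_response(status, content_type, body):
    """Classify a serviceValidate reply as (outcome, detail).

    outcome is one of:
      "success" - detail is the authenticated username
      "failure" - detail is the CAS failure code (e.g. INVALID_TICKET)
      "error"   - detail describes a non-protocol reply; the caller must
                  treat this exactly like a failure (not authenticated)
    """
    # A non-200 status or a non-XML body proves nothing about the ticket.
    if status != 200:
        return ("error", "unexpected HTTP status %d" % status)
    media_type = content_type.split(";")[0].strip().lower()
    if not media_type.endswith("xml"):
        return ("error", "non-XML content type %r" % content_type)
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return ("error", "unparseable body: %s" % exc)
    # Well-formed but not a CAS document (an XHTML error page, for instance).
    if root.tag != "{%s}serviceResponse" % CAS_NS:
        return ("error", "unexpected root element %r" % root.tag)

    success = root.find("{%s}authenticationSuccess" % CAS_NS)
    if success is not None:
        user = success.findtext("{%s}user" % CAS_NS)
        if user and user.strip():
            return ("success", user.strip())
        # A success element with no cas:user is not a usable assertion.
        return ("error", "authenticationSuccess without cas:user")

    failure = root.find("{%s}authenticationFailure" % CAS_NS)
    if failure is not None:
        return ("failure", failure.get("code", "UNKNOWN"))

    return ("error", "neither success nor failure element present")


def is_authenticated(status, content_type, body):
    """Boolean view: only a parsed authenticationSuccess counts as True."""
    return validate_response(status, content_type, body)[0] == "success"


if __name__ == "__main__":
    for label, reply in (
        ("well-formed success", (200, "text/xml;charset=UTF-8", SUCCESS_XML)),
        ("protocol failure", (200, "text/xml", FAILURE_XML)),
        ("HTML 500 page", (500, "text/html", HTML_500_BODY)),
        ("HTML with XML content type", (200, "text/xml", HTML_500_BODY)),
    ):
        print("%-28s -> %r" % (label, validate_response(*reply)))
```

The design choice is that only a parsed `cas:authenticationSuccess` with a non-empty `cas:user` yields an authenticated result; every other shape of reply, including the HTML page from the thread, collapses to "not authenticated" with a reason the client can log. In a deployment that parses XML from a server it does not fully control, a hardened parser such as defusedxml is the usual substitute for `xml.etree` (an assumption about the deployment, not something the thread discusses).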