[cas-dev] case sensitivity for RegisteredService matching
Smith, Matt
matt.smith at uconn.edu
Wed Nov 28 14:26:52 EST 2007
Hmmm ... reviewing CAS-600 further, I realize I forgot about the
wildcarding ... which may make this a bit trickier.
But, just for thought, could the Service impl
(AbstractWebApplicationService ?) simply normalize the Service ID at
construction? Or perhaps a new getNormalizedId(), made for easy
comparison? Essentially, normalization would follow these rules:
* the scheme and host would be made lowercase
* path left mixed case as entered
* an empty path becomes "/"
* an empty port becomes ':80' or ':443', dependent on the scheme
My concern is an accidental match of two unique paths with the same
case-insensitive value. Rare, sure, but why take the chance when the
HTTP URI spec clearly defines how to avoid the issue?
HTH
-Matt
On Wed, 2007-11-28 at 14:03 -0500, Smith, Matt wrote:
> Just for consistency and compliance with other specs, I'd recommend
> following RFC 2616, section 3.2.3 [1]. This defines how HTTP URIs
> should be compared. Here is the relevant part:
>
> ------------------------------------------------------------------------
> When comparing two URIs to decide if they match or not, a client SHOULD
> use a case-sensitive octet-by-octet comparison of the entire URIs, with
> these exceptions:
>
> - A port that is empty or not given is equivalent to the default
> port for that URI-reference;
> - Comparisons of host names MUST be case-insensitive;
> - Comparisons of scheme names MUST be case-insensitive;
> - An empty abs_path is equivalent to an abs_path of "/".
>
> Characters other than those in the "reserved" and "unsafe" sets (see RFC
> 2396 [42]) are equivalent to their ""%" HEX HEX" encoding.
>
> For example, the following three URIs are equivalent:
>
> http://abc.com:80/~smith/home.html
> http://ABC.com/%7Esmith/home.html
> http://ABC.com:/%7esmith/home.html
> ------------------------------------------------------------------------
>
> Essentially, the host and scheme should be compared case-insensitively,
> but the path should be compared case-sensitively.
>
> HTH,
> -Matt
>
> [1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.3
>
> On Wed, 2007-11-28 at 12:54 -0500, Scott Battaglia wrote:
> > Right now name matching for RegisteredServices is case-sensitive.
> >
> > Anyone have any objections to make it case-insensitive as per JIRA
> > issue: http://www.ja-sig.org/issues/browse/CAS-600
> >
> > -Scott
> > _______________________________________________
> > cas-dev mailing list
> > cas-dev at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas-dev
--
Matt Smith
matt.smith at uconn.edu
University Information Technology Services (UITS)
University of Connecticut
PGP Key ID: 0xE9C5244E
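
The four normalization rules proposed in the message above, as an added Java example that is not part of the original thread and is not CAS code. The class name `ServiceIdNormalizer`, the method `normalize` and the sample URLs are hypothetical; wildcard patterns and the percent-encoding equivalence from the quoted RFC text are not handled.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Hypothetical helper, not a CAS class: applies the four rules listed in the message.
public class ServiceIdNormalizer {

    static String normalize(String serviceId) throws URISyntaxException {
        URI uri = new URI(serviceId);
        if (uri.getScheme() == null || uri.getHost() == null) {
            throw new URISyntaxException(serviceId, "absolute URL with a host required");
        }
        // Rule 1: scheme and host are lowercased.
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        String host = uri.getHost().toLowerCase(Locale.ROOT);
        boolean https = scheme.equals("https");
        if (!https && !scheme.equals("http")) {
            throw new URISyntaxException(serviceId, "only http and https have a default port here");
        }
        // Rule 4: a missing port becomes the scheme's default (getPort() is -1 if undefined).
        int port = uri.getPort() != -1 ? uri.getPort() : (https ? 443 : 80);
        // Rules 2 and 3: path kept exactly as entered; an empty path becomes "/".
        String path = uri.getRawPath();
        if (path == null || path.isEmpty()) {
            path = "/";
        }
        String query = uri.getRawQuery() == null ? "" : "?" + uri.getRawQuery();
        return scheme + "://" + host + ":" + port + path + query; // fragment is dropped
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample service IDs.
        String registered = "https://Apps.Example.edu/Portal/login";
        String sameService = "HTTPS://apps.example.EDU:443/Portal/login";
        String otherPath = "https://apps.example.edu/portal/login";

        System.out.println("normalized: " + normalize(registered));
        System.out.println("whole-string equalsIgnoreCase vs other path: "
                + registered.equalsIgnoreCase(otherPath));
        System.out.println("normalized equals, same service: "
                + normalize(registered).equals(normalize(sameService)));
        System.out.println("normalized equals, other path: "
                + normalize(registered).equals(normalize(otherPath)));
    }
}
```

The second printed line is the accidental match the message is concerned about: a whole-string case-insensitive comparison treats `/Portal/login` and `/portal/login` as the same service, while comparing normalized IDs keeps them distinct.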