[cas-dev] case sensitivity for RegisteredService matching
Smith, Matt
matt.smith at uconn.edu
Thu Nov 29 19:38:49 EST 2007
Hopefully someone else will jump in with a yay or nay -- but I am all for going forward and getting it done the simple way. If case-comparison actually becomes an issue for me later, I'll come up with a patch.
-Matt
-----Original Message-----
From: cas-dev-bounces at tp.its.yale.edu on behalf of Scott Battaglia
Sent: Thu 2007-11-29 17:14
To: Mailing list for CAS developers
Subject: Re: [cas-dev] case sensitivity for RegisteredService matching
The accidental matching could happen anyway. The specification doesn't say
you MUST match with case-sensitivity. It says it should, which to me would
mean that there are no guarantees anyone will.
I'm trying to keep the comparison as simple as possible. If I have to do
part of it with case sensitivity and part without, I will, but I'd prefer
not to ;-) Apparently, we're the only two with an opinion on this though
:-)
On Nov 28, 2007 2:26 PM, Smith, Matt <matt.smith at uconn.edu> wrote:
> Hmmm ... reviewing CAS-600 further, I realize I forgot about the
> wildcarding ... which may make this a bit trickier.
>
> But, just for thought, could the Service impl
> (AbstractWebApplicationService ?) simply normalize the Service ID at
> construction? Or perhaps a new getNormalizedId(), made for easy
> comparison? Essentially, normalization would follow these rules:
>
> * the scheme and host would be made lowercase
> * path left mixed case as entered
> * an empty path becomes "/"
> * an empty port becomes ':80' or ':443', dependent on the scheme
>
> My concern is accidental match of two unique paths with the same
> case-insensitive value. Rare, sure, but why take the chance when the
> HTTP URI spec clearly defines how to avoid the issue.
>
> HTH
> -Matt
>
> On Wed, 2007-11-28 at 14:03 -0500, Smith, Matt wrote:
> > Just for consistency and compliance with other specs, I'd recommend
> > following RFC 2616, section 3.2.3 [1]. This defines how HTTP URIs
> > should be compared. Here is the relevant part:
> >
> > ------------------------------------------------------------------------
> > When comparing two URIs to decide if they match or not, a client SHOULD
> > use a case-sensitive octet-by-octet comparison of the entire URIs, with
> > these exceptions:
> >
> > - A port that is empty or not given is equivalent to the default
> > port for that URI-reference;
> > - Comparisons of host names MUST be case-insensitive;
> > - Comparisons of scheme names MUST be case-insensitive;
> > - An empty abs_path is equivalent to an abs_path of "/".
> >
> > Characters other than those in the "reserved" and "unsafe" sets (see RFC
> > 2396 [42]) are equivalent to their ""%" HEX HEX" encoding.
> >
> > For example, the following three URIs are equivalent:
> >
> > http://abc.com:80/~smith/home.html
> > http://ABC.com/%7Esmith/home.html
> > http://ABC.com:/%7esmith/home.html
> > ------------------------------------------------------------------------
> >
> > Essentially, the host and scheme should be compared case-insensitive,
> > but the path should be case-sensitive.
> >
> > HTH,
> > -Matt
> >
> > [1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.3
> >
> >
> >
> > On Wed, 2007-11-28 at 12:54 -0500, Scott Battaglia wrote:
> > > Right now name matching for RegisteredServices is case-sensitive.
> > >
> > > Anyone have any objections to make it case-insensitive as per JIRA
> > > issue: http://www.ja-sig.org/issues/browse/CAS-600
> > >
> > > -Scott
> > > _______________________________________________
> > > cas-dev mailing list
> > > cas-dev at tp.its.yale.edu
> > > http://tp.its.yale.edu/mailman/listinfo/cas-dev
> --
> Matt Smith
> matt.smith at uconn.edu
> University Information Technology Services (UITS)
> University of Connecticut
> PGP Key ID: 0xE9C5244E
>
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
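
The normalization rules proposed in the thread, combined with the percent-encoding equivalence from the quoted RFC 2616 excerpt, as an added Java example (not code from the CAS project or from either poster). The class `ServiceIdNormalizer` and its methods are hypothetical names, the unreserved character set is taken from RFC 3986 as an assumption, and wildcard service patterns are not handled.

```java
import java.net.URI;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
public class ServiceIdNormalizer {
    private static final Pattern PCT = Pattern.compile("%([0-9A-Fa-f]{2})");
    private static final String UNRESERVED = "-._~"; // plus ALPHA / DIGIT (assumed set, RFC 3986)

    // Hypothetical helper: returns a canonical form so service IDs can be compared with equals().
    static String normalize(String serviceId) {
        URI u = URI.create(serviceId.trim());
        if (u.getScheme() == null || u.getHost() == null) {
            throw new IllegalArgumentException("not an absolute http(s) URL: " + serviceId);
        }
        String scheme = u.getScheme().toLowerCase(Locale.ROOT);   // scheme is case-insensitive
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new IllegalArgumentException("unsupported scheme: " + scheme);
        }
        String host = u.getHost().toLowerCase(Locale.ROOT);       // host is case-insensitive
        int port = u.getPort() != -1 ? u.getPort() : (scheme.equals("https") ? 443 : 80);
        String path = u.getRawPath();
        if (path == null || path.isEmpty()) path = "/";           // empty path becomes "/"
        String query = u.getRawQuery() == null ? "" : "?" + u.getRawQuery();
        return scheme + "://" + host + ":" + port + normalizeEscapes(path) + query;
    }

    // Decodes %XX only for unreserved characters; other escapes are kept, with hex uppercased.
    static String normalizeEscapes(String s) {
        Matcher m = PCT.matcher(s);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            char c = (char) Integer.parseInt(m.group(1), 16);
            boolean unreserved = (c < 128 && Character.isLetterOrDigit(c)) || UNRESERVED.indexOf(c) >= 0;
            String rep = unreserved ? String.valueOf(c) : m.group().toUpperCase(Locale.ROOT);
            m.appendReplacement(out, Matcher.quoteReplacement(rep));
        }
        m.appendTail(out);
        return out.toString();
    }
    public static void main(String[] args) {
        // The three equivalent URIs from the RFC 2616 excerpt quoted in the thread.
        String a = normalize("http://abc.com:80/~smith/home.html");
        String b = normalize("http://ABC.com/%7Esmith/home.html");
        String c = normalize("http://ABC.com:/%7esmith/home.html");
        System.out.println(a.equals(b) && b.equals(c));
        // Constructed IDs whose paths differ only in case: whole-string vs. normalized comparison.
        String x = "https://Apps.Example.edu/Portal", y = "https://apps.example.edu/portal";
        System.out.println(x.equalsIgnoreCase(y));
        System.out.println(normalize(x).equals(normalize(y)));
    }
}
```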