[cas-dev] Mismatched Service URLs
Lawrence Andreutti
Lawrence.Andreutti at activenetwork.com
Thu Sep 4 12:23:25 EDT 2008
Hi,

We are in the process of trying to upgrade from CAS 3.0.6 to CAS 3.3.
One thing we have noticed is that CAS 3.3 (and other CAS versions older
than 3.0.6) is much stricter about requiring that service URLs exactly
match the service that created the service ticket. For example, with
CAS 3.0.6 I would see entries in the logs like this:

2008-09-03 00:03:00,920 DEBUG
[org.jasig.cas.CentralAuthenticationServiceImpl] ServiceTicket
[ST-466628-ODF0WfzIpJzLOSOQ3lwiNYUheLH3mTf69qb-sso1] does not match
supplied service:
http://www.active.com/event_detail.cfm?EVENT_ID=1537452&CHECKSSO=0

However, this is essentially just a warning and authentication would
still continue. With CAS 3.3, I see entries in the logs like this:

2008-08-27 14:22:51,897 ERROR
[org.jasig.cas.CentralAuthenticationServiceImpl] ServiceTicket
[ST-31-QPmtYnffxMWN0Idg4LI6-ssoaus.active.com] with service
[http://a2aus.active.com/NonACM/login/A2LoginHome.aspx does not match
supplied service [http://a2aus.active.com/NonACM/Login/A2LoginHome.aspx]

The big difference is that this condition is now an ERROR (not a DEBUG
warning) and the authentication is rejected. Unfortunately, we seem to
have a lot of applications with mismatching service URLs like this and
we would like to move to CAS 3.3 in a month or so. At least for the
short term until we get all these service URLs lined up, is there some
way to configure CAS 3.3 so it acts more like CAS 3.0.6 (it still logs
the mismatch but allows processing to continue)? Thanks.

Larry Andreutti
Software Engineer
Active Network, Ltd.
Lawrence.Andreutti at ActiveNetwork.com
Tel 604.438.7361 ext. 1482
Fax 604.432.9708
6400 Roberts Street, Suite 160
Burnaby, BC Canada V5G 4C9
www.ActiveNetwork.com <http://www.activenetwork.com/>
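
For lining up the mismatched service URLs described in the message above, the following is an added example, not part of the original post or of CAS itself: a log triage script that extracts each mismatch and classifies how the two URLs differ. It assumes the CAS 3.3 ERROR layout quoted in the message with each entry unwrapped onto one line; the hostnames and ticket IDs in the sample are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the CAS 3.3 layout quoted in the message (entries unwrapped).
SAMPLE_LOG = """\
2008-08-27 14:22:51,897 ERROR [org.jasig.cas.CentralAuthenticationServiceImpl] ServiceTicket [ST-31-EXAMPLE-sso.example.org] with service [http://app.example.org/NonACM/login/Home.aspx does not match supplied service [http://app.example.org/NonACM/Login/Home.aspx]
2008-08-27 14:23:10,101 ERROR [org.jasig.cas.CentralAuthenticationServiceImpl] ServiceTicket [ST-32-EXAMPLE-sso.example.org] with service [http://app.example.org/event.cfm?ID=1] does not match supplied service [http://app.example.org/event.cfm?ID=1&CHECKSSO=0]
2008-08-27 14:24:00,000 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] Granted service ticket [ST-33-EXAMPLE-sso.example.org]
"""

# The quoted entry lacks a "]" after the issued service URL, so that bracket is optional.
MISMATCH = re.compile(
    r"ServiceTicket \[(?P<ticket>[^\]]+)\] with service \[(?P<issued>\S+?)\]?"
    r" does not match supplied service \[(?P<supplied>[^\]\s]+)\]"
)

def classify(issued, supplied):
    """Name the first URL component in which the two service URLs differ."""
    a, b = urlsplit(issued), urlsplit(supplied)
    if (a.scheme.lower(), a.netloc.lower()) != (b.scheme.lower(), b.netloc.lower()):
        return "scheme-or-host"
    if a.path != b.path:
        return "path-case" if a.path.lower() == b.path.lower() else "path"
    if a.query != b.query:
        return "query"
    return "other"  # e.g. a fragment or host-case difference

def find_mismatches(log_text):
    """Return (ticket, kind, issued_url, supplied_url) for each mismatch entry."""
    found = []
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        if m:
            kind = classify(m["issued"], m["supplied"])
            found.append((m["ticket"], kind, m["issued"], m["supplied"]))
    return found

def summarize(log_text):
    """Count mismatches per (issuing host, kind) to show which applications need fixing."""
    counts = {}
    for _, kind, issued, _ in find_mismatches(log_text):
        key = (urlsplit(issued).netloc.lower(), kind)
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for (host, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{host}\t{kind}\t{n}")
```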