[cas-dev] Mismatched Service URLs

Scott Battaglia scott.battaglia at gmail.com
Thu Sep 4 12:59:52 EDT 2008


Regardless of what the logging level was, it should have always rejected it
when it validated the ticket. I don't believe that code has changed at all,
except for maybe the logging level. But we always matched URLs exactly and
rejected if they didn't match (the only exception was removing jsessions).

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia


On Thu, Sep 4, 2008 at 12:23 PM, Lawrence Andreutti <Lawrence.Andreutti at activenetwork.com> wrote:

> Hi,
>
> We are in the process of trying to upgrade from CAS 3.0.6 to CAS 3.3.
> One thing we have noticed is that CAS 3.3 (and other CAS versions older than
> 3.0.6) is much stricter in requiring that service URLs exactly match the
> service that created the service ticket. For example, with CAS 3.0.6 I would
> see entries in the logs like this:
>
> 2008-09-03 00:03:00,920 DEBUG
> [org.jasig.cas.CentralAuthenticationServiceImpl] ServiceTicket
> [ST-466628-ODF0WfzIpJzLOSOQ3lwiNYUheLH3mTf69qb-sso1] does not match supplied
> service:
> http://www.active.com/event_detail.cfm?EVENT_ID=1537452&CHECKSSO=0
>
> However, this is essentially just a warning and authentication would still
> continue. With CAS 3.3, I see entries in the logs like this:
>
> 2008-08-27 14:22:51,897 ERROR
> [org.jasig.cas.CentralAuthenticationServiceImpl] ServiceTicket [
> ST-31-QPmtYnffxMWN0Idg4LI6-ssoaus.active.com] with service [
> http://a2aus.active.com/NonACM/login/A2LoginHome.aspx does not match
> supplied service [http://a2aus.active.com/NonACM/Login/A2LoginHome.aspx]
>
> The big difference is that this condition is now an ERROR (not a DEBUG
> warning) and the authentication is rejected.  Unfortunately, we seem to have
> a lot of applications with mismatching service URLs like this and we would
> like to move to CAS 3.3 in a month or so.  At least for the short term until
> we get all these service URLs lined up, is there some way to configure CAS
> 3.3 so it acts more like CAS 3.0.6 (it still logs the mismatch but allows
> processing to continue)?  Thanks.
>
> *Larry Andreutti*
> Software Engineer
> Active Network, Ltd.
>
> Lawrence.Andreutti at ActiveNetwork.com
> Tel 604.438.7361 ext. 1482
> Fax 604.432.9708
> 6400 Roberts Street, Suite 160
> Burnaby, BC Canada V5G 4C9
> www.ActiveNetwork.com <http://www.activenetwork.com/>
>
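
A triage script for the mismatch lines discussed in this thread, as an added example that is not part of the thread and is not CAS code: it pulls the issued and supplied service URLs out of CAS 3.3 style ERROR lines and reports how each pair differs, so the applications that need their service URLs lined up can be inventoried. The `;jsessionid=` form that is stripped, the function names and the sample lines (hosts and ticket ids) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Layout of the CAS 3.3 ERROR line quoted in the thread. The "]" after the
# first URL is optional because the line as quoted there lacks it.
MISMATCH = re.compile(
    r"ServiceTicket \[\s*(?P<ticket>[^\]\s]+)\s*\] with service "
    r"\[\s*(?P<issued>[^\]\s]+)\s*\]? does not match supplied service "
    r"\[\s*(?P<supplied>[^\]\s]+)\s*\]"
)
# Assumed form of the session id that is removed before comparison.
JSESSION = re.compile(r";jsessionid=[^?#]*", re.IGNORECASE)

def normalize(url):
    """Strip only the session id; everything else is compared exactly."""
    return JSESSION.sub("", url)

def classify(issued, supplied):
    """Say how two service URLs differ once the session id is removed."""
    a, b = normalize(issued), normalize(supplied)
    if a == b:
        return "match"
    if a.lower() == b.lower():
        return "case-only"
    pa, pb = urlsplit(a), urlsplit(b)
    if (pa.scheme, pa.netloc, pa.path) == (pb.scheme, pb.netloc, pb.path):
        return "query-only"
    return "different"

def triage(lines):
    """Return {(issued, supplied): kind} for every mismatch line found."""
    found = {}
    for line in lines:
        m = MISMATCH.search(line)
        if m:
            pair = (m["issued"], m["supplied"])
            found[pair] = classify(*pair)
    return found

# Constructed sample lines in the layout above; hosts and tickets are made up.
P = ("2008-08-27 14:22:51,897 ERROR "
     "[org.jasig.cas.CentralAuthenticationServiceImpl] ServiceTicket ")
M = " does not match supplied service "
SAMPLE = [
    P + "[ST-1-x] with service [http://app.example.org/a/login/Home.aspx]"
      + M + "[http://app.example.org/a/Login/Home.aspx]",
    P + "[ST-2-x] with service [http://app.example.org/e.cfm?ID=1&CHECKSSO=0]"
      + M + "[http://app.example.org/e.cfm?ID=1]",
    P + "[ST-3-x] with service [http://app.example.org/a"
      + M + "[http://other.example.org/a]",
]
```

Calling `triage(SAMPLE)` labels the three constructed pairs as case-only, query-only and different; each is still a mismatch that exact matching rejects, and the label only points at what the application has to correct.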