Failure to remove trailing ticket= parameter in URL sent to app, after auth with mod-auth-cas
Olivier Berger
olivier.berger at it-sudparis.eu
Tue Aug 12 08:29:02 EDT 2008
On Tuesday, 12 August 2008 at 13:10 +0200, Olivier Berger wrote:
> Hi.
>
> Sorry again if this a FAQ.
>
> I am trying to CAS-ify a TWiki installation behind mod-auth-cas.
>
> After authentication by the CAS server, the URL displayed in TWiki looks
> like:
> http://localhost/cgi-bin/twiki/viewauth/TWiki/TWikiAccessControl?t=1218539240&ticket=ST-15-4pkBwI2qhZc0NHmaKVyi-cas
>
> I would have expected the removal of the
> "&ticket=ST-15-4pkBwI2qhZc0NHmaKVyi-cas" part by mod_auth_cas (looking
> at the code : removeCASParams() which seems to do that)
>
> Unfortunately, it won't please TWiki to have this trailing "ticket"
> param when saving page contents later on :(
>
> Maybe removeCASParams() ain't called when it should be, or it fails
> parsing the params?
>
> Any hints?
>
I've looked at the code and I think I identified what happens. It's a
problem with the Web browser not knowing the "ticket" parameter was
removed when the page contains POST forms.
A URL like
http://localhost/cgi-bin/twiki/viewauth/TWiki/TWikiAccessControl?t=1218539240&ticket=ST-15-4pkBwI2qhZc0NHmaKVyi-cas is invoked.
But the perl script is actually called as
http://localhost/cgi-bin/twiki/viewauth/TWiki/TWikiAccessControl?t=1218539240 once authenticated by mod-auth-cas (which removes the "ticket" param before invoking it) directly, without a redirection (HTTP 200 OK success code).
So the web browser still thinks it's displaying
http://localhost/cgi-bin/twiki/viewauth/TWiki/TWikiAccessControl?t=1218539240&ticket=ST-15-4pkBwI2qhZc0NHmaKVyi-cas
So when trying to edit a wiki page, a POST is issued to
"edit/TWiki/TWikiAccessControl?t=1218539240&ticket=ST-15-4pkBwI2qhZc0NHmaKVyi-cas" (which fails).
I think that an additional redirect should be necessary in
cas_authenticate() whenever the params are changed by removeCASParams(),
for additional consistency, then.
In the code, in the "if(ticket != NULL)" block, if "isValidCASTicket()"
succeeds, do not return OK directly but instead redirect to the same
script without the ticket= parameter.
Here's a proposed patch that I think will solve this issue.
Comments welcome.
Best regards,
--
Olivier BERGER <olivier.berger at it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: redirect.patch
Type: text/x-patch
Size: 2899 bytes
Desc: not available
Url : http://tp.its.yale.edu/pipermail/cas/attachments/20080812/3f53a97f/attachment.bin
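The post's diagnosis, as an added, stand-alone model (this is not mod_auth_cas code and not the attached patch; the helper names `has_ticket_param`, `strip_ticket_param`, `redirect_location` and `serve` are hypothetical, the 302 status is an assumption about how the proposed redirect would be answered, and the request below is constructed from the path and ticket shape quoted in the post). `serve()` contrasts the two server behaviours: stripping the ticket only for the script and answering 200, which leaves the browser holding the ticket-bearing URL that later ends up in its POST forms, versus answering with a redirect to the cleaned URL so the browser adopts it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helpers; not mod_auth_cas's removeCASParams(). */

/* Return 1 if the raw query string has a parameter named "ticket". */
int has_ticket_param(const char *query) {
    const char *p = query;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen >= 7 && strncmp(p, "ticket=", 7) == 0)
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Copy the query string without any "ticket=..." parameter, wherever it
 * sits (first, middle, last, or alone). malloc'd result; "" if nothing remains. */
char *strip_ticket_param(const char *query) {
    size_t n = 0;
    char *out = malloc(strlen(query) + 1);
    const char *p = query;
    if (!out)
        return NULL;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        int is_ticket = plen >= 7 && strncmp(p, "ticket=", 7) == 0;
        if (!is_ticket && plen > 0) {
            if (n > 0)
                out[n++] = '&';
            memcpy(out + n, p, plen);
            n += plen;
        }
        if (!end)
            break;
        p = end + 1;
    }
    out[n] = '\0';
    return out;
}

/* Location value for a redirect back to the same script minus the ticket. */
char *redirect_location(const char *path, const char *query) {
    char *clean = strip_ticket_param(query);
    size_t need;
    char *loc;
    if (!clean)
        return NULL;
    need = strlen(path) + 1 + strlen(clean) + 1;
    loc = malloc(need);
    if (loc)
        snprintf(loc, need, clean[0] ? "%s?%s" : "%s", path, clean);
    free(clean);
    return loc;
}

/* One request after ticket validation. redirect_after_validation == 0 is the
 * observed behaviour (200, browser keeps the original URL); == 1 is the
 * proposed fix (redirect, browser moves to the cleaned URL).
 * Returns the status and stores the URL the browser now holds. */
int serve(const char *path, const char *query, int redirect_after_validation,
          char **browser_url) {
    size_t need;
    if (has_ticket_param(query) && redirect_after_validation) {
        *browser_url = redirect_location(path, query);
        return 302;
    }
    need = strlen(path) + 1 + strlen(query) + 1;
    *browser_url = malloc(need);
    if (*browser_url)
        snprintf(*browser_url, need, "%s?%s", path, query);
    return 200;
}

int main(void) {
    /* Constructed request, shaped like the one quoted in the post. */
    const char *path = "/cgi-bin/twiki/viewauth/TWiki/TWikiAccessControl";
    const char *query = "t=1218539240&ticket=ST-15-4pkBwI2qhZc0NHmaKVyi-cas";
    char *url;
    int st = serve(path, query, 0, &url);
    printf("without redirect: %d, browser keeps   %s\n", st, url);
    free(url);
    st = serve(path, query, 1, &url);
    printf("with redirect:    %d, browser moves to %s\n", st, url);
    free(url);
    return 0;
}
```

The parameter walk matches only a segment that starts with `ticket=`, so a parameter such as `xticket=` survives, and the separator is re-inserted only between kept parameters, which is the part a naive `strstr`-and-cut approach tends to get wrong when the ticket is the first or only parameter.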