[cas-dev] Mismatched Service URLs
Scott Battaglia
scott.battaglia at gmail.com
Thu Sep 4 15:07:17 EDT 2008
On Thu, Sep 4, 2008 at 2:52 PM, Lawrence Andreutti <
Lawrence.Andreutti at activenetwork.com> wrote:
> Hi Scott,
>
> The service validates do insist that the services match with both CAS
> 3.0.6 and CAS 3.3. The messages I see seem to be generated when a service
> ticket is created from the TGT (ticket granting ticket) that is stored in a
> cookie with the user's browser. I'm still trying to reproduce it but it does
> look like the generated service ticket is validated using the
> CentralAuthenticationServiceImpl (instead of ServiceValidate) class which
> does seem to behave differently in CAS 3.0.6 and 3.3. Hopefully, that makes
> sense to you. Thanks.
>
Hi,
Tickets are always validated with the CentralAuthenticationServiceImpl
class, no matter which version of CAS you are using.
-Scott
>
>
> *Larry Andreutti*
>
> Tel 604.438.7361 ext. 1482
>
>
> ------------------------------
>
> *From: *Scott Battaglia <scott.battaglia at gmail.com>
> *Date: *Thu, 4 Sep 2008 12:59:52 -0400
> *To: *Mailing list for CAS developers <cas-dev at tp.its.yale.edu>
> *Cc: *Steven Carroll <Steve.Carroll at activenetwork.com>, Elizabeth Allen <
> Elizabeth.Allen at activenetwork.com>, Kevin Burke <
> Kevin.Burke at activenetwork.com>, Doug Johnson <
> Doug.Johnson at activenetwork.com>
> *Subject: *Re: [cas-dev] Mismatched Service URLs
>
> Regardless of what the logging level was, it should have always rejected it
> when it validated the ticket. I don't believe that code has changed at all,
> except for maybe the logging level. But we always matched URLs exactly and
> rejected if they didn't match (the only exception was removing jsessions)
>
> -Scott
>
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
> On Thu, Sep 4, 2008 at 12:23 PM, Lawrence Andreutti <
> Lawrence.Andreutti at activenetwork.com> wrote:
>
> Hi,
>
>
>
> We are in the process of trying to upgrade from CAS 3.0.6 to CAS 3.3. One
> thing we have noticed is that CAS 3.3 (and other CAS versions older than
> 3.0.6) is much stricter that service URLs exactly match the service that
> created the service ticket. For example, with CAS 3.0.6 I would see entries
> in the logs like this:
>
>
>
> 2008-09-03 00:03:00,920 DEBUG
> [org.jasig.cas.CentralAuthenticationServiceImpl] ServiceTicket
> [ST-466628-ODF0WfzIpJzLOSOQ3lwiNYUheLH3mTf69qb-sso1] does not match supplied
> service:
> http://www.active.com/event_detail.cfm?EVENT_ID=1537452&CHECKSSO=0
>
>
>
> However, this is essentially just a warning and authentication would still
> continue. With CAS 3.3, I see entries in the logs like this:
>
>
>
> 2008-08-27 14:22:51,897 ERROR
> [org.jasig.cas.CentralAuthenticationServiceImpl] ServiceTicket [
> ST-31-QPmtYnffxMWN0Idg4LI6-ssoaus.active.com ] with service [
> http://a2aus.active.com/NonACM/login/A2LoginHome.aspx does not match
> supplied service [http://a2aus.active.com/NonACM/Login/A2LoginHome.aspx]
>
>
>
> The big difference is that this condition is now an ERROR (not a DEBUG
> warning) and the authentication is rejected. Unfortunately, we seem to have
> a lot of applications with mismatching service URLs like this and we would
> like to move to CAS 3.3 in a month or so. At least for the short term until
> we get all these service URLs lined up, is there some way to configure CAS
> 3.3 so it acts more like CAS 3.0.6 (it still logs the mismatch but allows
> processing to continue)? Thanks.
>
>
>
> *Larry Andreutti*
> Software Engineer
>
> Active Network, Ltd.
>
>
>
> Lawrence.Andreutti at ActiveNetwork.com
>
> Tel 604.438.7361 ext. 1482
>
> Fax 604.432.9708
>
> 6400 Roberts Street, Suite 160
>
> Burnaby, BC Canada V5G 4C9
>
> www.ActiveNetwork.com <http://www.activenetwork.com/>
> ------ End of Forwarded Message
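
Added example, not part of the thread and not CAS code: a log audit that pulls each mismatch out of CAS 3.3 ERROR entries and reports why the two service URLs differ, so applications can be lined up before the upgrade. The function names, the reading of "removing jsessions" as dropping a `;jsessionid=...` parameter, and the second sample entry are assumptions made for this example.

```python
import re

# Shape of the CAS 3.3 ERROR entry quoted in the thread. The issued service has
# no closing bracket in that entry, so the "]" after it is optional here.
MISMATCH = re.compile(
    r"ServiceTicket \[\s*(?P<ticket>[^\]\s]+)\s*\] with service \[\s*(?P<issued>\S+?)\]?"
    r"\s+does not match supplied service \[\s*(?P<supplied>[^\]\s]+)\s*\]"
)
# Assumption: "removing jsessions" means dropping a ";jsessionid=..." path parameter.
JSESSIONID = re.compile(r";jsessionid=[^?#]*", re.IGNORECASE)
# First entry is the one from the thread; the second is constructed.
SAMPLE_LOG = """\
2008-08-27 14:22:51,897 ERROR [org.jasig.cas.CentralAuthenticationServiceImpl]
ServiceTicket [ST-31-QPmtYnffxMWN0Idg4LI6-ssoaus.active.com] with service
[http://a2aus.active.com/NonACM/login/A2LoginHome.aspx does not match
supplied service [http://a2aus.active.com/NonACM/Login/A2LoginHome.aspx]
2008-08-27 14:23:10,004 ERROR [org.jasig.cas.CentralAuthenticationServiceImpl]
ServiceTicket [ST-32-CONSTRUCTED-cas.example.org] with service
[http://app.example.org/home?lang=en does not match
supplied service [http://app.example.org/home]
"""


def strip_jsessionid(url):
    return JSESSIONID.sub("", url)


def services_match(issued, supplied):
    """Exact, case-sensitive comparison once jsessionid is removed."""
    return strip_jsessionid(issued) == strip_jsessionid(supplied)


def classify(issued, supplied):
    """Say why two service URLs differ, to help decide which side to fix."""
    a, b = strip_jsessionid(issued), strip_jsessionid(supplied)
    if a == b:
        return "match"
    if a.lower() == b.lower():
        return "case-only"
    if a.split("?", 1)[0] == b.split("?", 1)[0]:
        return "query-only"
    return "different"


def audit(log_text):
    """Return (ticket, issued, supplied, kind) for each mismatch entry."""
    flat = " ".join(log_text.split())  # entries may wrap over several lines
    return [(m["ticket"], m["issued"], m["supplied"], classify(m["issued"], m["supplied"]))
            for m in MISMATCH.finditer(flat)]
```

Calling `audit(SAMPLE_LOG)` reports the thread's entry as a case-only difference (`login` vs `Login`), the kind of mismatch that is fixed in the application's configured service URL rather than by loosening validation.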