Hi everyone. I've been struggling with the integration of the OpenID support module into a CAS server. The Jasig CASUM page was not clear enough to me, and it's not correct. I also found two bugs (well, I think they are bugs) in the OpenID support module.
First, there is a problem with the OpenID parameters sent by the CAS server to the client application. The openid.sig parameter value ends with "\r\n", which is not compliant with the OpenID specification. The OpenID client (in my case the Spring Security OpenID module) is complaining about this and rejects the authentication answer. I had to add a filter cleaning these parameters to make it work. I didn't look into the code to check where these characters are added.

Second, the OpenIdCredentialsAuthenticationHandler is retrieving the ticketGrantingTicketId from the ticket registry, and uses it (t.isExpired()) immediately, without checking if it's null. But I actually have a null pointer exception during the authentication process, because it IS null. I fixed that this way:

    import javax.validation.constraints.NotNull;

    import org.jasig.cas.authentication.handler.AuthenticationException;
    import org.jasig.cas.authentication.handler.AuthenticationHandler;
    import org.jasig.cas.authentication.principal.Credentials;
    import org.jasig.cas.support.openid.authentication.principal.OpenIdCredentials;
    import org.jasig.cas.ticket.TicketGrantingTicket;
    import org.jasig.cas.ticket.registry.TicketRegistry;

    public final class OpenIdCredentialsAuthenticationHandler implements AuthenticationHandler {

        @NotNull
        private TicketRegistry ticketRegistry;

        public boolean authenticate(final Credentials credentials) throws AuthenticationException {
            final OpenIdCredentials c = (OpenIdCredentials) credentials;
            // The registry returns null when no TGT exists for the supplied id;
            // the original code dereferenced the result right away.
            final TicketGrantingTicket t = (TicketGrantingTicket) this.ticketRegistry
                    .getTicket(c.getTicketGrantingTicketId(), TicketGrantingTicket.class);

            // Code before the fix:
            //     if (t.isExpired()) {
            // Fixed code:
            if (t == null || t.isExpired()) {
                return false;
            }
            return t.getAuthentication().getPrincipal().getId().equals(c.getUsername());
        }

        public boolean supports(final Credentials credentials) {
            return credentials instanceof OpenIdCredentials;
        }

        public void setTicketRegistry(final TicketRegistry ticketRegistry) {
            this.ticketRegistry = ticketRegistry;
        }
    }

After fixing the parameters and the NPE, one last problem remained. I was not able to validate the authentication success, because the /login mapping to the OpenIdSingleSignOnAction was not used. Instead, the verification request was handled by the FlowHandler, returning the login page HTML instead of an OpenID answer.
This is because the handler mappings are ordered, with a default value set to Integer.MAX_VALUE, except for the FlowHandler, which is given an order value of 2, hence being processed first, mapping the /login URL to the login action. To allow the OpenID action to be processed first, I had to give it an order property of 1.

And to finish, I added a HOWTO page describing the process of enabling OpenID in CAS, making it clearer (for me at least), and referencing the ordering problem. This page is located here: https://wiki.jasig.org/pages/viewpage.action?pageId=52955068

I didn't want to update the OpenID protocol page without asking you first.

Frederic

--
You are currently subscribed to cas-dev@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
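As an added example (not code from the post above, nor from CAS or Spring Security), one way to implement the client-side parameter-cleaning filter Frederic mentions: a servlet filter, assumed to be registered ahead of the OpenID consumer filter, that strips trailing CR/LF from every openid.* parameter value and exposes the cleaned values through the standard request accessors. The class and method names are my own.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: strips trailing CR/LF from openid.* parameter values
 *  so a strict OpenID consumer accepts a response whose openid.sig ends in "\r\n". */
public class OpenIdParameterCleaningFilter implements Filter {

    /** Removes only trailing CR/LF characters; everything else is left untouched. */
    static String stripTrailingCrLf(String value) {
        if (value == null) return null;
        int end = value.length();
        while (end > 0 && (value.charAt(end - 1) == '\r' || value.charAt(end - 1) == '\n')) end--;
        return value.substring(0, end);
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        ServletRequest wrapped = req instanceof HttpServletRequest
                ? new CleanedRequest((HttpServletRequest) req) : req;
        chain.doFilter(wrapped, res);
    }

    /** Request wrapper that serves the cleaned parameters instead of the raw ones. */
    private static final class CleanedRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> params = new HashMap<String, String[]>();

        @SuppressWarnings("unchecked")
        CleanedRequest(HttpServletRequest request) {
            super(request);
            Map<String, String[]> raw = request.getParameterMap();
            for (Map.Entry<String, String[]> e : raw.entrySet()) {
                String[] values = e.getValue().clone();
                if (e.getKey().startsWith("openid.")) { // only touch OpenID protocol parameters
                    for (int i = 0; i < values.length; i++) values[i] = stripTrailingCrLf(values[i]);
                }
                params.put(e.getKey(), values);
            }
        }
        @Override public String getParameter(String name) {
            String[] v = params.get(name);
            return (v == null || v.length == 0) ? null : v[0];
        }
        @Override public String[] getParameterValues(String name) { return params.get(name); }
        @Override public Map<String, String[]> getParameterMap() { return Collections.unmodifiableMap(params); }
    }
}
```

Map the filter to the OpenID return URL only, so it never rewrites parameters of unrelated requests.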