Your diagnosis certainly is correct, and this points to a possible bug. The 
renew flag that is passed along once seems to stay around for subsequent 
requests on the validator, and it should not. Trivial fix really.

Not that it matters, I don’t think, but let me ask: when you authn into app A 
once and login successfully, is it the same app A that fails to receive 
validated tickets next such that you log out of app A and attempt to try again 
via SSO? Or is it an entirely different app trying to take advantage of SSO? 

-- 
Misagh

From: Baron Fujimoto <ba...@hawaii.edu>
Reply: Baron Fujimoto <ba...@hawaii.edu>
Date: October 13, 2016 at 12:29:15 AM
To: CAS Users <cas-user@apereo.org>
Subject:  [cas-user] CAS 5 RC4: /serviceValidate, /samlValidate fail after 
initial success  

We're seeing the following errors with our RC4 regression tests. Initially,  
after starting or reloading CAS, /serviceValidate and samlValidate succeed.  

Shortly thereafter however, they fail subsequent runs of the same tests.  
The failures appear to occur when the the app is accessed via SSO. An ST
is granted to the app, and it looks like it is successfully validated in  
the logs, but the app gets back "Ticket not recognized" responses.  

It looks like it may be trying to enforce a renew on the *Validate even  
when it's not specified as a parameter?  

Logs:  

DEBUG [org.apereo.cas.CentralAuthenticationServiceImpl] - <Publishing 
org.apereo.cas.support.events.CasServiceTicketGrantedEvent@312bfa23[ticketGrantingTicket=TGT-**********************************************s5BTJTGdYr-cas75,serviceTicket=ST-46-uItdXfm5YblKsGwcCMfB-cas]>
  
DEBUG [org.apereo.cas.CentralAuthenticationServiceImpl] - <Publishing 
org.apereo.cas.support.events.CasServiceTicketValidatedEvent@2fca4214[assertion=org.apereo.cas.authentication.DefaultAuthentication@67d43765:https://www.example.com/app2,serviceTicket=ST-46-uItdXfm5YblKsGwcCMfB-cas]>
  
DEBUG [org.apereo.cas.validation.Cas20WithoutProxyingValidationSpecification] - 
<Number of chained authentications in the assertion 1>  
WARN [org.apereo.cas.validation.Cas20WithoutProxyingValidationSpecification] - 
<Cas20WithoutProxyingValidationSpecification is to enforce the [renew] CAS 
protocol behavior, yet the assertion is not issued from a new login>  
WARN [org.apereo.cas.web.ServiceValidateController] - <Service ticket 
[ST-46-uItdXfm5YblKsGwcCMfB-cas] does not satisfy validation specification.>  

Aloha,  
-baron  
--  
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services  
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum  

--  
CAS gitter chatroom: https://gitter.im/apereo/cas  
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html  
CAS documentation website: https://apereo.github.io/cas  
CAS project website: https://github.com/apereo/cas  
---  
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.  
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.  
To post to this group, send email to cas-user@apereo.org.  
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.  
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20161012205856.GB23083%40praenomen.mgt.hawaii.edu.
  
For more options, visit https://groups.google.com/a/apereo.org/d/optout.  

-- 
CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website: https://apereo.github.io/cas
CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To post to this group, send email to cas-user@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/etPan.57feb2a2.220f5b53.5303%40unicon.net.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

Reply via email to