Hello everyone,

We have configured "JWT as service ticket" to get JWTs in our apps. We have 
successfully tried the flow using REDIRECT and POST. 
Some CAS clients need to get the ticket as an HTTP header. We tried 
method=HEADER in our flow but we get an error. 
As far as I have tried, it works fine on the normal service ticket flow. 

I am not sure if method=HEADER is supported for the "JWT as service" flow or 
if it is a bug. Is this flow supported by CAS? Has somebody had the same issue?

*INSTALLATION CONTEXT*

   - cas version: 5.3.9
   - ticket registry: redis
   - service registry: mysql
   - user DB: openldap


*ANALYSIS*

I debugged CAS to get some extra information. 
When method is HEADER, CAS tries to validate the service ticket twice. 
The first time it is validated according to the JWT as service flow. But the 
second one seems to be unnecessary. It fails because a service ticket can be 
used just once in our configuration.


*ERROR*

org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.actions.InjectResponseHeadersAction@507c30ed in state 'headerView' of flow 'login' -- action execution attributes were 'map[[empty]]'
        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:62)
        at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
        at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
        at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
        at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
        at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
        at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
        at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
        at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)

............

............

        
org.apereo.cas.token.authentication.principal.TokenWebApplicationServiceResponseBuilder.generateToken(TokenWebApplicationServiceResponseBuilder.java:70)
        at org.apereo.cas.token.authentication.principal.TokenWebApplicationServiceResponseBuilder.buildInternal(TokenWebApplicationServiceResponseBuilder.java:49)
        at org.apereo.cas.authentication.principal.WebApplicationServiceResponseBuilder.build(WebApplicationServiceResponseBuilder.java:43)
        at org.apereo.cas.web.flow.actions.RedirectToServiceAction.doExecute(RedirectToServiceAction.java:41)
        at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
        at sun.reflect.GeneratedMethodAccessor292.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:216)
        at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:470)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
        at com.sun.proxy.$Proxy197.execute(Unknown Source)
        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
        ... 145 more
Caused by: org.jasig.cas.client.validation.TicketValidationException: No se ha reconocido el tique 'ST-515-Zy-tXl2RHia9ID96k83AZgk-YYsDSSO01'
        at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:84)
        at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:198)
        at ar.gov.santafe.stg.sso.jwt.JWTTokenTicketBuilder.build(JWTTokenTicketBuilder.java:54)
        at sun.reflect.GeneratedMethodAccessor546.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:216)
        ... 163 more




Thanks in advance, Facundo
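
A minimal model of the failure described in the analysis above, as an added example that is not CAS code and not part of the original post: a single-use ticket registry, a JWT builder that validates the service ticket before signing, and a flow that builds the response twice for one ticket. All class and function names, the HS256 key and the ticket id are constructed for illustration; the idempotent builder is a hypothetical mitigation, not the project's fix.

```python
import base64, hashlib, hmac, json

class TicketValidationError(Exception):
    pass

class SingleUseTicketRegistry:
    """Toy registry: a service ticket is consumed by its first validation."""
    def __init__(self):
        self._tickets = {}                      # ticket id -> (service, principal)

    def grant(self, ticket_id, service, principal):
        self._tickets[ticket_id] = (service, principal)

    def validate(self, ticket_id, service):
        entry = self._tickets.pop(ticket_id, None)   # removed on first attempt
        if entry is None or entry[0] != service:
            raise TicketValidationError(f"ticket {ticket_id!r} not recognized")
        return entry[1]

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class JwtTicketBuilder:
    """Validates the service ticket, then wraps the principal in an HS256 JWT."""
    def __init__(self, registry, key):
        self.registry, self.key = registry, key

    def build(self, ticket_id, service):
        principal = self.registry.validate(ticket_id, service)
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = {"sub": principal, "aud": service, "jti": ticket_id}
        body = _b64(json.dumps(claims).encode())
        sig = hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64(sig)}"

class IdempotentJwtTicketBuilder(JwtTicketBuilder):
    """Hypothetical mitigation: validate once per ticket and reuse the JWT.
    A real implementation would scope this cache to the request or flow."""
    def __init__(self, registry, key):
        super().__init__(registry, key)
        self._built = {}

    def build(self, ticket_id, service):
        cache_key = (ticket_id, service)
        if cache_key not in self._built:
            self._built[cache_key] = super().build(ticket_id, service)
        return self._built[cache_key]

def header_flow(builder, ticket_id, service):
    """Model of the reported flow: the response is built twice for one ticket."""
    return builder.build(ticket_id, service), builder.build(ticket_id, service)
```

With the plain builder the second `build` raises `TicketValidationError`, matching the "Caused by" in the trace; with the idempotent builder the ticket is still consumed exactly once in the registry.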
