Pol,

It is based on configuration (I should have looked more closely at your 
original request). In my Java demo app, there is this part in web.xml:

  <filter-mapping>
    <filter-name>CAS Validation Filter Proxy</filter-name>
    <url-pattern>/proxy/proxyClient</url-pattern>
    <url-pattern>/proxy/pgtCallback</url-pattern>
  </filter-mapping>

All calls to those paths will be directed to proxyValidate (filter-name is what 
I called it).

From the logs below, CAS returns an ST first and the client calls 
proxyValidate. This is at step 4 in this description: 
https://apereo.github.io/cas/6.1.x/installation/Configuring-Proxy-Authentication.html.
Thus you cannot make your decision on ST or PT, nor can it depend on the 
presence of a PGT.

These are the Tomcat access logs for a proxy app:

127.0.0.1 - - [15/Nov/2019:10:07:01 -0800] "GET /cas/login?service=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxy%2FproxyClient HTTP/1.1" 200 19800
127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "POST /cas/login?service=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxy%2FproxyClient HTTP/1.1" 302 -
127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "GET /cas/proxyValidate?pgtUrl=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxy%2FpgtCallback&ticket=ST-7-MNgTg1gFW66DcnOb68U8Q2mfNig-tomt&service=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxy%2FproxyClient HTTP/1.1" 200 1546
127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "GET /cas/proxy?pgt=PGT-4-FXrglfpmLmSLp-4Ag-kwHg3IUXzg4fFa2ZzLbaWylrRsjHYFVnc1K0dGNkZoGrtX01o-tomt&targetService=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxiable%2FproxyService%3Fparam%3DGetProxyData%26clientSessionId%3D99F6A3153E6E5B29571723C62774F410.aft HTTP/1.1" 200 212
127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "GET /cas/proxyValidate?ticket=PT-8-nn1IDJzmnko30aI5TtTmUaEE5ZA-tomt&service=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxiable%2FproxyService%3Fparam%3DGetProxyData%26clientSessionId%3D99F6A3153E6E5B29571723C62774F410.aft HTTP/1.1" 200 1538
127.0.0.1 - - [15/Nov/2019:10:07:21 -0800] "GET /cas/proxy?pgt=PGT-4-FXrglfpmLmSLp-4Ag-kwHg3IUXzg4fFa2ZzLbaWylrRsjHYFVnc1K0dGNkZoGrtX01o-tomt&targetService=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxiable%2FproxyService%3Fparam%3DGetProxyData%26clientSessionId%3D99F6A3153E6E5B29571723C62774F410.aft HTTP/1.1" 200 212
127.0.0.1 - - [15/Nov/2019:10:07:21 -0800] "GET /cas/proxyValidate?ticket=PT-9-bNJsO2Qk0XOgTHC4zUE-5KlnHog-tomt&service=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxiable%2FproxyService%3Fparam%3DGetProxyData%26clientSessionId%3D99F6A3153E6E5B29571723C62774F410.aft HTTP/1.1" 200 1539
127.0.0.1 - - [15/Nov/2019:10:07:22 -0800] "GET /cas/proxy?pgt=PGT-4-FXrglfpmLmSLp-4Ag-kwHg3IUXzg4fFa2ZzLbaWylrRsjHYFVnc1K0dGNkZoGrtX01o-tomt&targetService=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxiable%2FproxyService%3Fparam%3DGetProxyData%26clientSessionId%3D99F6A3153E6E5B29571723C62774F410.aft HTTP/1.1" 200 213
127.0.0.1 - - [15/Nov/2019:10:07:22 -0800] "GET /cas/proxyValidate?ticket=PT-10-T1X-UIA0m5BK0VHpBxZa9znOyco-tomt&service=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxiable%2FproxyService%3Fparam%3DGetProxyData%26clientSessionId%3D99F6A3153E6E5B29571723C62774F410.aft HTTP/1.1" 200 1539

and this is CAS audit log for the same:

2019-11-15 10:07:01,446 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:01 PST 2019|CAS|[event=success,timestamp=Fri Nov 15 10:07:01 PST 2019,source=RankedMultifactorAuthenticationProviderWebflowEventResolver]|AUTHENTICATION_EVENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,436 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|Supplied credentials: [RememberMeUsernamePasswordCredential(super=UsernamePasswordCredential(username=rbon, source=null, customFields={}), rememberMe=false)]|AUTHENTICATION_SUCCESS|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,438 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,principal=SimplePrincipal(id=rbon, attributes={uvicEduPersonNetLinkContactUpdateTimestamp=[20201024000000Z], mail=[[email protected]], uvicEduPersonSpridenID=[V001], uvicEduPersonYubiKeyID=[cccccc], eduPersonNickname=[Ray], cn=[Ray Bon], sn=[Bon]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,444 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,principal=SimplePrincipal(id=rbon, attributes={uvicEduPersonNetLinkContactUpdateTimestamp=[20201024000000Z], mail=[[email protected]], uvicEduPersonSpridenID=[V001], uvicEduPersonYubiKeyID=[cccccc], eduPersonNickname=[Ray], cn=[Ray Bon], sn=[Bon]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,446 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|TGT-4-*****9y2hvjd40o-tomt|TICKET_GRANTING_TICKET_CREATED|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,458 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,461 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|ST-7-MNgTg1gFW66DcnOb68U8Q2mfNig-tomt for https://democasclientlocal.uvic.ca/proxy/proxyClient|SERVICE_TICKET_CREATED|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,502 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|Supplied credentials: [AbstractCredential()]|AUTHENTICATION_SUCCESS|https://democasclientlocal.uvic.ca/proxy/pgtCallback|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,505 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|https://democasclientlocal.uvic.ca/proxy/pgtCallback|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,507 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|PGT-4-*****kZoGrtX01o-tomt|PROXY_GRANTING_TICKET_CREATED|https://democasclientlocal.uvic.ca/proxy/pgtCallback|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,510 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,principal=SimplePrincipal(id=rbon, attributes={cn=[Ray Bon], eduPersonNickname=[Ray], mail=[[email protected]], sn=[Bon], uvicEduPersonNetLinkContactUpdateTimestamp=[20201024000000Z], uvicEduPersonSpridenID=[V001], uvicEduPersonYubiKeyID=[cccccc]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|https://democasclientlocal.uvic.ca/proxy/pgtCallback|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,512 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|ST-7-MNgTg1gFW66DcnOb68U8Q2mfNig-tomt|SERVICE_TICKET_VALIDATE_SUCCESS|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,553 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,558 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|PT-8-nn1IDJzmnko30aI5TtTmUaEE5ZA-tomt for https://democasclientlocal.uvic.ca/proxiable/proxyService?param=GetProxyData&clientSessionId=99F6A3153E6E5B29571723C62774F...|PROXY_TICKET_CREATED|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,595 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,principal=SimplePrincipal(id=rbon, attributes={cn=[Ray Bon], eduPersonNickname=[Ray], mail=[[email protected]], sn=[Bon], uvicEduPersonNetLinkContactUpdateTimestamp=[20201024000000Z], uvicEduPersonSpridenID=[V001], uvicEduPersonYubiKeyID=[cccccc]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,599 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|PT-8-nn1IDJzmnko30aI5TtTmUaEE5ZA-tomt|SERVICE_TICKET_VALIDATE_SUCCESS|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:21,225 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:21 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
2019-11-15 10:07:21,229 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:21 PST 2019|CAS|PT-9-bNJsO2Qk0XOgTHC4zUE-5KlnHog-tomt for https://democasclientlocal.uvic.ca/proxiable/proxyService?param=GetProxyData&clientSessionId=99F6A3153E6E5B29571723C62774F...|PROXY_TICKET_CREATED|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:21,257 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:21 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,principal=SimplePrincipal(id=rbon, attributes={cn=[Ray Bon], eduPersonNickname=[Ray], mail=[[email protected]], sn=[Bon], uvicEduPersonNetLinkContactUpdateTimestamp=[20201024000000Z], uvicEduPersonSpridenID=[V001], uvicEduPersonYubiKeyID=[cccccc]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
2019-11-15 10:07:21,259 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:21 PST 2019|CAS|PT-9-bNJsO2Qk0XOgTHC4zUE-5KlnHog-tomt|SERVICE_TICKET_VALIDATE_SUCCESS|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:22,326 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:22 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
2019-11-15 10:07:22,330 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:22 PST 2019|CAS|PT-10-T1X-UIA0m5BK0VHpBxZa9znOyco-tomt for https://democasclientlocal.uvic.ca/proxiable/proxyService?param=GetProxyData&clientSessionId=99F6A3153E6E5B29571723C62774F...|PROXY_TICKET_CREATED|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:22,342 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:22 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,principal=SimplePrincipal(id=rbon, attributes={cn=[Ray Bon], eduPersonNickname=[Ray], mail=[[email protected]], sn=[Bon], uvicEduPersonNetLinkContactUpdateTimestamp=[20201024000000Z], uvicEduPersonSpridenID=[V001], uvicEduPersonYubiKeyID=[cccccc]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
2019-11-15 10:07:22,344 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:22 PST 2019|CAS|PT-10-T1X-UIA0m5BK0VHpBxZa9znOyco-tomt|SERVICE_TICKET_VALIDATE_SUCCESS|rbon|127.0.0.1|127.0.0.1

Ray
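
Added example, not part of Ray's message or of any CAS client library: a Python sketch of what the logs above show. ticket_kinds_by_endpoint() tallies which ticket prefixes each CAS endpoint received, and validation_url() picks the endpoint from a hypothetical proxy_mode setting instead of the ticket prefix; the log lines, host names and ticket values are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed sample modelled on the Tomcat access log above: same endpoints
# and ticket kinds, with shortened tickets and a placeholder host.
SAMPLE_LOG = """\
127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "GET /cas/proxyValidate?pgtUrl=https%3A%2F%2Fapp.example.org%2Fproxy%2FpgtCallback&ticket=ST-7-aaaa&service=https%3A%2F%2Fapp.example.org%2Fproxy%2FproxyClient HTTP/1.1" 200 1546
127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "GET /cas/proxy?pgt=PGT-4-bbbb&targetService=https%3A%2F%2Fapp.example.org%2Fproxiable%2FproxyService HTTP/1.1" 200 212
127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "GET /cas/proxyValidate?ticket=PT-8-cccc&service=https%3A%2F%2Fapp.example.org%2Fproxiable%2FproxyService HTTP/1.1" 200 1538
"""

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def ticket_kinds_by_endpoint(log_text):
    """Map each CAS endpoint path to the ticket prefixes (ST, PT, PGT) it received."""
    seen = {}
    for line in log_text.splitlines():
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        query = parse_qs(url.query)
        for param in ("ticket", "pgt"):
            for value in query.get(param, []):
                seen.setdefault(url.path, set()).add(value.split("-", 1)[0])
    return seen


def validation_url(cas_base, service, ticket, proxy_mode, pgt_url=None):
    """Choose the validation endpoint from client configuration only.

    proxy_mode and pgt_url are hypothetical settings of the client library;
    the ticket prefix is deliberately never inspected.
    """
    endpoint = "proxyValidate" if proxy_mode else "serviceValidate"
    params = {"service": service, "ticket": ticket}
    if pgt_url:  # ask CAS to deliver a PGT to this callback
        params["pgtUrl"] = pgt_url
    return f"{cas_base}/{endpoint}?{urlencode(params)}"


if __name__ == "__main__":
    for path, kinds in sorted(ticket_kinds_by_endpoint(SAMPLE_LOG).items()):
        print(path, sorted(kinds))
```

With proxy_mode off the client calls /serviceValidate, which per the CAS protocol does not accept proxy tickets, so a service that should not be reachable through proxies keeps that setting off.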

On Fri, 2019-11-15 at 09:00 -0800, Pol Dellaiera wrote:
Hi Ray,

I checked the file, I understood it despite the fact that I'm not a Java 
developer.

However, I think this is not what I was looking for.

I will rephrase my question.

Context of the situation: development of a CAS client library for 
authentication.

I'm looking for the proper way to validate the ticket that is passed in the 
URL. Those tickets can be identified depending on the 3 first characters: "ST-" 
or "PT-".
Service tickets or proxy tickets.

When the CAS client library detects those tickets in the URL, it is supposed to 
trigger either a serviceValidate or a proxyValidate service.

According to me, there are two ways to implement this mechanism:

1. Based on the ticket type, trigger one or the other service validation 
service.
2. Based on the configuration, check if the library is supposed to work in 
proxy mode, and if yes use proxyValidate, if not use serviceValidate.

Now, what I'm asking here is precisely that: what is the proper way to 
validate a ticket, should it be on the ticket type that the user receives in 
query parameter or based on the configuration of the CAS client?

You can test online the stuff I'm developing here: 
https://cas-bundle-demo.herokuapp.com/

Thanks.
On Friday, November 15, 2019 at 12:07:13 AM UTC+1, rbon wrote:
Pol,

In the java client, 
https://github.com/apereo/java-cas-client/blob/master/cas-client-core/src/main/java/org/jasig/cas/client/proxy/Cas20ProxyRetriever.java,
 XmlUtils is used to get the 'proxyTicket'. Not sure why it is in XML but this 
might help you track down how it was done here.

Ray

On Tue, 2019-11-12 at 23:26 -0800, Pol Dellaiera wrote:
Hi,

I'm writing a CAS library and I'm facing a question and I don't know how to 
address it.

The question is the following:

* What is the proper way to detect the type of a ticket in the URL?

- By doing some introspection in the request URL and detecting if the ticket 
starts with ST- (for service ticket) or PT- (for proxy ticket) ?
- By checking the configuration of the serviceValidate and see if the parameter 
pgtUrl is set or not.

I don't know what is the best option for the moment, any help/advice is welcome.

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.
