Thanks Ray, you confirm what I was thinking. I implemented it here: https://github.com/drupol/psrcas/blob/master/src/AbstractCas.php#L151
Thanks for your time and help mate!

-φol d.-
Communications without intelligence is noise; Intelligence without communications is irrelevant. [Alfred M. Gray]

On Fri, Nov 15, 2019 at 8:02 PM Ray Bon <[email protected]> wrote:

> Pol,
>
> It is based on configuration (I should have looked more closely at your original request). In my java demo app, there is this part in web.xml
>
> <filter-mapping>
>     <filter-name>CAS Validation Filter Proxy</filter-name>
>     <url-pattern>/proxy/proxyClient</url-pattern>
>     <url-pattern>/proxy/pgtCallback</url-pattern>
> </filter-mapping>
>
> All calls to those paths will be directed to proxyValidate (filter-name is what I called it).
>
> From the logs below, CAS returns a ST first and the client calls proxyValidate. This is at step 4 in this description https://apereo.github.io/cas/6.1.x/installation/Configuring-Proxy-Authentication.html. Thus you can not make your decision on ST or PT, nor can it depend on presence of PGT.
>
> This is tomcat access logs for a proxy app:
>
> 127.0.0.1 - - [15/Nov/2019:10:07:01 -0800] "GET /cas/login?service=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxy%2FproxyClient HTTP/1.1" 200 19800
> 127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "POST /cas/login?service=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxy%2FproxyClient HTTP/1.1" 302 -
> 127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "GET /cas/proxyValidate?pgtUrl=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxy%2FpgtCallback&ticket=ST-7-MNgTg1gFW66DcnOb68U8Q2mfNig-tomt&service=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxy%2FproxyClient HTTP/1.1" 200 1546
> 127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "GET /cas/proxy?pgt=PGT-4-FXrglfpmLmSLp-4Ag-kwHg3IUXzg4fFa2ZzLbaWylrRsjHYFVnc1K0dGNkZoGrtX01o-tomt&targetService=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxiable%2FproxyService%3Fparam%3DGetProxyData%26clientSessionId%3D99F6A3153E6E5B29571723C62774F410.aft HTTP/1.1" 200 212
> 127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "GET /cas/proxyValidate?ticket=PT-8-nn1IDJzmnko30aI5TtTmUaEE5ZA-tomt&service=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxiable%2FproxyService%3Fparam%3DGetProxyData%26clientSessionId%3D99F6A3153E6E5B29571723C62774F410.aft HTTP/1.1" 200 1538
> 127.0.0.1 - - [15/Nov/2019:10:07:21 -0800] "GET /cas/proxy?pgt=PGT-4-FXrglfpmLmSLp-4Ag-kwHg3IUXzg4fFa2ZzLbaWylrRsjHYFVnc1K0dGNkZoGrtX01o-tomt&targetService=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxiable%2FproxyService%3Fparam%3DGetProxyData%26clientSessionId%3D99F6A3153E6E5B29571723C62774F410.aft HTTP/1.1" 200 212
> 127.0.0.1 - - [15/Nov/2019:10:07:21 -0800] "GET /cas/proxyValidate?ticket=PT-9-bNJsO2Qk0XOgTHC4zUE-5KlnHog-tomt&service=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxiable%2FproxyService%3Fparam%3DGetProxyData%26clientSessionId%3D99F6A3153E6E5B29571723C62774F410.aft HTTP/1.1" 200 1539
> 127.0.0.1 - - [15/Nov/2019:10:07:22 -0800] "GET /cas/proxy?pgt=PGT-4-FXrglfpmLmSLp-4Ag-kwHg3IUXzg4fFa2ZzLbaWylrRsjHYFVnc1K0dGNkZoGrtX01o-tomt&targetService=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxiable%2FproxyService%3Fparam%3DGetProxyData%26clientSessionId%3D99F6A3153E6E5B29571723C62774F410.aft HTTP/1.1" 200 213
> 127.0.0.1 - - [15/Nov/2019:10:07:22 -0800] "GET /cas/proxyValidate?ticket=PT-10-T1X-UIA0m5BK0VHpBxZa9znOyco-tomt&service=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxiable%2FproxyService%3Fparam%3DGetProxyData%26clientSessionId%3D99F6A3153E6E5B29571723C62774F410.aft HTTP/1.1" 200 1539
>
> and this is CAS audit log for the same:
>
> 2019-11-15 10:07:01,446 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:01 PST 2019|CAS|[event=success,timestamp=Fri Nov 15 10:07:01 PST 2019,source=RankedMultifactorAuthenticationProviderWebflowEventResolver]|AUTHENTICATION_EVENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:04,436 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|Supplied credentials: [RememberMeUsernamePasswordCredential(super=UsernamePasswordCredential(username=rbon, source=null, customFields={}), rememberMe=false)]|AUTHENTICATION_SUCCESS|rbon|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:04,438 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,principal=SimplePrincipal(id=rbon, attributes={uvicEduPersonNetLinkContactUpdateTimestamp=[20201024000000Z], mail=[[email protected]], uvicEduPersonSpridenID=[V001], uvicEduPersonYubiKeyID=[cccccc], eduPersonNickname=[Ray], cn=[Ray Bon], sn=[Bon]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|rbon|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:04,444 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,principal=SimplePrincipal(id=rbon, attributes={uvicEduPersonNetLinkContactUpdateTimestamp=[20201024000000Z], mail=[[email protected]], uvicEduPersonSpridenID=[V001], uvicEduPersonYubiKeyID=[cccccc], eduPersonNickname=[Ray], cn=[Ray Bon], sn=[Bon]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|rbon|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:04,446 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|TGT-4-*****9y2hvjd40o-tomt|TICKET_GRANTING_TICKET_CREATED|rbon|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:04,458 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|rbon|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:04,461 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|ST-7-MNgTg1gFW66DcnOb68U8Q2mfNig-tomt for https://democasclientlocal.uvic.ca/proxy/proxyClient|SERVICE_TICKET_CREATED|rbon|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:04,502 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|Supplied credentials: [AbstractCredential()]|AUTHENTICATION_SUCCESS|https://democasclientlocal.uvic.ca/proxy/pgtCallback|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:04,505 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|https://democasclientlocal.uvic.ca/proxy/pgtCallback|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:04,507 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|PGT-4-*****kZoGrtX01o-tomt|PROXY_GRANTING_TICKET_CREATED|https://democasclientlocal.uvic.ca/proxy/pgtCallback|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:04,510 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,principal=SimplePrincipal(id=rbon, attributes={cn=[Ray Bon], eduPersonNickname=[Ray], mail=[[email protected]], sn=[Bon], uvicEduPersonNetLinkContactUpdateTimestamp=[20201024000000Z], uvicEduPersonSpridenID=[V001], uvicEduPersonYubiKeyID=[cccccc]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|https://democasclientlocal.uvic.ca/proxy/pgtCallback|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:04,512 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|ST-7-MNgTg1gFW66DcnOb68U8Q2mfNig-tomt|SERVICE_TICKET_VALIDATE_SUCCESS|rbon|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:04,553 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:04,558 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|PT-8-nn1IDJzmnko30aI5TtTmUaEE5ZA-tomt for https://democasclientlocal.uvic.ca/proxiable/proxyService?param=GetProxyData&clientSessionId=99F6A3153E6E5B29571723C62774F...|PROXY_TICKET_CREATED|rbon|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:04,595 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,principal=SimplePrincipal(id=rbon, attributes={cn=[Ray Bon], eduPersonNickname=[Ray], mail=[[email protected]], sn=[Bon], uvicEduPersonNetLinkContactUpdateTimestamp=[20201024000000Z], uvicEduPersonSpridenID=[V001], uvicEduPersonYubiKeyID=[cccccc]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:04,599 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|PT-8-nn1IDJzmnko30aI5TtTmUaEE5ZA-tomt|SERVICE_TICKET_VALIDATE_SUCCESS|rbon|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:21,225 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:21 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:21,229 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:21 PST 2019|CAS|PT-9-bNJsO2Qk0XOgTHC4zUE-5KlnHog-tomt for https://democasclientlocal.uvic.ca/proxiable/proxyService?param=GetProxyData&clientSessionId=99F6A3153E6E5B29571723C62774F...|PROXY_TICKET_CREATED|rbon|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:21,257 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:21 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,principal=SimplePrincipal(id=rbon, attributes={cn=[Ray Bon], eduPersonNickname=[Ray], mail=[[email protected]], sn=[Bon], uvicEduPersonNetLinkContactUpdateTimestamp=[20201024000000Z], uvicEduPersonSpridenID=[V001], uvicEduPersonYubiKeyID=[cccccc]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:21,259 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:21 PST 2019|CAS|PT-9-bNJsO2Qk0XOgTHC4zUE-5KlnHog-tomt|SERVICE_TICKET_VALIDATE_SUCCESS|rbon|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:22,326 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:22 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:22,330 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:22 PST 2019|CAS|PT-10-T1X-UIA0m5BK0VHpBxZa9znOyco-tomt for https://democasclientlocal.uvic.ca/proxiable/proxyService?param=GetProxyData&clientSessionId=99F6A3153E6E5B29571723C62774F...|PROXY_TICKET_CREATED|rbon|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:22,342 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:22 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,principal=SimplePrincipal(id=rbon, attributes={cn=[Ray Bon], eduPersonNickname=[Ray], mail=[[email protected]], sn=[Bon], uvicEduPersonNetLinkContactUpdateTimestamp=[20201024000000Z], uvicEduPersonSpridenID=[V001], uvicEduPersonYubiKeyID=[cccccc]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
> 2019-11-15 10:07:22,344 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:22 PST 2019|CAS|PT-10-T1X-UIA0m5BK0VHpBxZa9znOyco-tomt|SERVICE_TICKET_VALIDATE_SUCCESS|rbon|127.0.0.1|127.0.0.1
>
> Ray
>
> On Fri, 2019-11-15 at 09:00 -0800, Pol Dellaiera wrote:
>
> Hi Ray,
>
> I checked the file, I understood it despite the fact that I'm not a Java developer.
>
> However, I think this is not what I was looking for.
>
> I will rephrase my question.
>
> Context of the situation: development of a CAS client library for authentication.
>
> I'm looking for the proper way to validate the ticket that is passed in the URL. Those tickets can be identified depending on the 3 first characters: "ST-" or "PT-".
> Service tickets or proxy tickets.
>
> When the CAS client library detects those tickets in the URL, it is supposed to trigger either a serviceValidate or a proxyValidate service.
>
> According to me, there are two ways to implement this mechanism:
>
> 1. Based on the ticket type, trigger one or the other service validation service.
> 2. Based on the configuration, check if the library is supposed to work in proxy mode, and if yes use proxyValidate, if not use serviceValidate.
>
> Now, what I'm asking here is precisely that, what is the proper way to validate a ticket, should it be on the ticket type that the user receives in query parameter or based on the configuration of the CAS client ?
>
> You can test online the stuff I'm developing here: https://cas-bundle-demo.herokuapp.com/
>
> Thanks.
>
> On Friday, November 15, 2019 at 12:07:13 AM UTC+1, rbon wrote:
>
> Pol,
>
> In the java client, https://github.com/apereo/java-cas-client/blob/master/cas-client-core/src/main/java/org/jasig/cas/client/proxy/Cas20ProxyRetriever.java, XmlUtils is used to get the 'proxyTicket'. Not sure why it is in XML but this might help you track down how it was done here.
>
> Ray
>
> On Tue, 2019-11-12 at 23:26 -0800, Pol Dellaiera wrote:
>
> Hi,
>
> I'm writing a CAS library and I'm facing a question and I don't know how to address it.
>
> The question is the following:
>
> * What is the proper way to detect the type of a ticket in the URL ?
>
> - By doing some introspection in the request URL and detecting if the ticket starts with ST- (for service ticket) or PT- (for proxy ticket) ?
> - By checking the configuration of the serviceValidate and see if the parameter pgtUrl is set or not.
>
> I don't know what is the best option for the moment, any help/advice is welcome.
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
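Added example, not part of the original thread and not code from psrcas or the Java CAS client: a sketch of the configuration-driven choice the thread settles on, plus a check over access-log lines showing that a proxy-configured client validates an ST at proxyValidate. The function names, the accept_proxy_tickets flag, the example.org hosts and the ticket values are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode, urlparse

def validation_url(cas_base, service, ticket, pgt_url=None, accept_proxy_tickets=False):
    """Pick the validation endpoint from client configuration only.

    The ticket prefix is request input, so it is never inspected here: a
    proxy-configured client sends an ST-... ticket to /proxyValidate, and any
    other client sends every ticket to /serviceValidate, which does not
    validate proxy tickets.
    """
    proxy_mode = pgt_url is not None or accept_proxy_tickets
    endpoint = "proxyValidate" if proxy_mode else "serviceValidate"
    params = {"service": service, "ticket": ticket}
    if pgt_url is not None:
        params["pgtUrl"] = pgt_url
    return f"{cas_base.rstrip('/')}/{endpoint}?{urlencode(params)}"

REQUEST = re.compile(r'"GET (\S+) HTTP/1\.1"')

def validations_in(access_log):
    """Return (endpoint, ticket prefix) for each validation call in an access log."""
    seen = []
    for line in access_log.splitlines():
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlparse(match.group(1))
        endpoint = url.path.rsplit("/", 1)[-1]
        if endpoint in ("serviceValidate", "proxyValidate"):
            ticket = parse_qs(url.query).get("ticket", [""])[0]
            seen.append((endpoint, ticket.split("-", 1)[0]))
    return seen

# Constructed sample: same request shapes as the Tomcat log in the thread,
# with placeholder hosts and ticket values.
SAMPLE_LOG = '''\
127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "POST /cas/login?service=https%3A%2F%2Fapp.example.org%2Fproxy%2FproxyClient HTTP/1.1" 302 -
127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "GET /cas/proxyValidate?pgtUrl=https%3A%2F%2Fapp.example.org%2Fproxy%2FpgtCallback&ticket=ST-1-EXAMPLE&service=https%3A%2F%2Fapp.example.org%2Fproxy%2FproxyClient HTTP/1.1" 200 1546
127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "GET /cas/proxy?pgt=PGT-1-EXAMPLE&targetService=https%3A%2F%2Fapp.example.org%2Fproxiable%2FproxyService HTTP/1.1" 200 212
127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "GET /cas/proxyValidate?ticket=PT-2-EXAMPLE&service=https%3A%2F%2Fapp.example.org%2Fproxiable%2FproxyService HTTP/1.1" 200 1538
'''

if __name__ == "__main__":
    print(validations_in(SAMPLE_LOG))
```

A service that validates at proxyValidate accepts proxy tickets as well as service tickets, so it should also decide which proxies in the returned chain it trusts.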
