hmm...gotcha...ok so am I correct in assuming then that if the user has javascript turned off they are just out of luck?...it would probably be a good idea then to have cas check if javascript is enabled and only proceed if it is...otherwise display a message to the user that they need to enable it...or display a submit button.

Curtis

On Tue, Jan 19, 2010 at 9:07 AM, <[email protected]> wrote:
> You've told it to respond via POST. You cannot do redirects via POST in http
> so we need to create a form and submit it. Which is what it's attempting to do.
>
>
> Sent from my Verizon Wireless BlackBerry
>
> -----Original Message-----
> From: Curtis Garman <[email protected]>
> Date: Tue, 19 Jan 2010 09:05:09
> To: <[email protected]>
> Subject: Re: [cas-user] CAS 3.3.4 login fails when javascript is disabled
>
> Sorry for the delay in more details...long weekend...my steps are as follows:
>
> 1) login to uportal
> 2) switch off javascript
> 3) login to my casified app via the following SSO link
> https://<server>/cas/login?method=POST&service=https://<server>/<webapp>/login
> where the service url performs some post processing after coming back
> from CAS
> 4) I receive the following response
>
> <html>
> <body onload="document.acsForm.submit();">
> <form name="acsForm" action="https://<server>/<webapp>/login"
> method="post">
> <div style="display: none">
> <textarea rows=10 cols=80
> name="ticket">ST-98-714toQ3wFWq93tcqslre-cas</textarea>
> </div>
> </form>
> </body>
> </html>
>
> Why I'm getting this at all is a mystery to me...I never made a call
> to google or perhaps saml (not sure if this form is specific to google
> or saml) but it appears to be doing something to call this page before
> validating my existing cas ticket
>
> Curtis
>
> On Thu, Jan 14, 2010 at 7:22 PM, Scott Battaglia
> <[email protected]> wrote:
>> Yes, that would be expected (arguably we should probably have a way to
>> submit that form for JavaScript-disabled). I think the original poster was
>> saying if he then went to a non-Google Apps application, the redirect would
>> still fail. Unless I read it wrong.
>>
>>
>> On Thu, Jan 14, 2010 at 6:21 PM, Johan Reinalda
>> <[email protected]> wrote:
>>>
>>> Scott,
>>>
>>> I can replicate this.
>>> (at Thunderbird, 3 days ago we went live with CAS3.3.5, Google Apps,
>>> Moodle, and some internally developed web apps, all working off MS-AD
>>> accounts)
>>>
>>> When I go to Gapps mail interface, with Firefox 3.5.7 with Javascript
>>> disabled, I get redirected to our CAS login page. The returned, hung page
>>> has an onload=submit() as follows, and thus you're dead in the water!
>>>
>>> Johan
>>> I&IT
>>> Thunderbird School of Global Management
>>> CAS @ https://login.thunderbird.edu
>>>
>>> ==================
>>>
>>> "Hung" URL (shortened the saml request for readability):
>>>
>>> https://login.thunderbird.edu/cas/login?SAMLRequest=fVLJbt....&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fglobal.t-bird.edu%2FServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttp%253A%252F%252Fmail.google.com%252Fa%252Fglobal.t-bird.edu%252F%26bsv%3Dzpwhtygjntrz%26ltmpl%3Ddefault%26ltmplcache%3D2
>>>
>>> HTML Content of above (saml keys somewhat shortened):
>>>
>>> <html>
>>> <body onload="document.acsForm.submit();">
>>> <form name="acsForm"
>>> action="https://www.google.com/a/global.t-bird.edu/acs" method="post">
>>> <div style="display: none">
>>>
>>> <textarea rows=10 cols=80 name="SAMLResponse"><?xml
>>> version="1.0" encoding="UTF-8"?>
>>> <samlp:Response
>>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>>> xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
>>> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>>> ID="iaakapbhfmfkngflfngoopdplmhgjaofhccjjala"
>>> IssueInstant="2010-01-14T16:12:45Z"
>>> Version="2.0"><Signature
>>> xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod
>>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
>>> /><SignatureMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
>>> /><Reference URI=""><Transforms><Transform
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
>>> /></Transforms><DigestMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
>>> /><DigestValue>m0mTxxyJj3cXrJjilwjpibB7zXk=</DigestValue></Reference></SignedInfo><SignatureValue>t91KQtTk6eaXNNU3HGK8pJm7Ua9hbEn35eOhjqUh9v7SZ94wSg1ziEtYuJYqvYI889MNC7YLMjd4
>>>
>>> fECJr4AOrzOfcEFEKgpBMi/SKcc+UgHuQUer9g==</SignatureValue><KeyInfo><KeyValue><RSAKeyValue><Modulus>uWn6/TurLUy6W70rMIkcAfLNMr4/1Ra/ju7MgNi1kjL5VRkgCGQuozMH7/jKbzIDdQxnNrGaor8o
>>>
>>> VnYFblIaIq05ngKGcr1ulBPreUzXagpyTU2QLQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyInfo></Signature><samlp:Status><samlp:StatusCode
>>> Value="urn:oasis:names:tc:SAML:2.0:status:Success"
>>> /></samlp:Status><Assertion
>>> ID="pfjeimfgpknnnionmnhceanbpjnilphmalgmhgdo"
>>> IssueInstant="2003-04-17T00:46:02Z"
>>> Version="2.0"><Issuer>https://www.opensaml.org/IDP</Issuer><Subject><NameID
>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">[email protected]</NameID><SubjectConfirmation
>>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData
>>> InResponseTo="lcphjmnkcimmdockldcfhaekkagokofkkpbkoemk"
>>> NotOnOrAfter="2011-01-14T16:12:45Z"
>>> Recipient="https://www.google.com/a/global.t-bird.edu/acs"
>>> /></SubjectConfirmation></Subject><Conditions
>>> NotBefore="2003-04-17T00:46:02Z"
>>> NotOnOrAfter="2011-01-14T16:12:45Z"><AudienceRestriction><Audience>https://www.google.com/a/global.t-bird.edu/acs</Audience></AudienceRestriction></Conditions><AuthnStatement
>>> AuthnInstant="2010-01-14T16:12:45Z"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
>>> </textarea>
>>>
>>> <textarea rows=10 cols=80
>>> name="RelayState">https://www.google.com/a/global.t-bird.edu/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fa%2Fglobal.t-bird.edu%2F&bsv=zpwhtygjntrz&ltmpl=default&ltmplcache=2</textarea>
>>> </div>
>>> </form>
>>> </body>
>>> </html>
>>>
>>> ----- Original Message -----
>>> From: Scott Battaglia
>>> To: [email protected]
>>> Sent: Thursday, January 14, 2010 8:59 AM
>>> Subject: Re: [cas-user] CAS 3.3.4 login fails when javascript is disabled
>>> That doesn't make much sense because most apps don't use the JavaScript
>>> method for redirecting back.
>>>
>>> Can you let me know what steps you've taken to repeat this? We have one
>>> user at RU that uses our Google Apps support so I can maybe ask him to try
>>> and execute the same steps you are.
>>>
>>> Thanks
>>> Scott
>>>
>>>
>>> On Thu, Jan 14, 2010 at 10:12 AM, Curtis Garman <[email protected]>
>>> wrote:
>>>>
>>>> I've got google apps configured with cas and when I try to login to a
>>>> totally different app without javascript enabled, I get a white
>>>> screen. Looking closer at the page source shows that it is part of a
>>>> saml request and it is failing because it is depending on an automatic
>>>> form submission via javascript. It looks to me like the saml stuff is
>>>> being checked first, failing because of having javascript disabled,
>>>> and thus causing all other authentications to halt. Is there any way
>>>> around this or is this a side effect of having google apps configured?
>>>>
>>>> --
>>>> Curtis Garman
>>>> Web Programmer
>>>> Heartland Community College
>>>>
>>>> --
>>>> You are currently subscribed to [email protected] as:
>>>> [email protected]
>>>> To unsubscribe, change settings or access archives, see
>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
> --
> Curtis Garman
> Web Programmer
> Heartland Community College

--
Curtis Garman
Web Programmer
Heartland Community College
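
The fallback raised in this thread (a way to submit the POST-response form when JavaScript is disabled) can be sketched as below. This is an added example, not code from CAS or from anyone in the thread; `renderPostResponse`, `escapeAttr` and the example.org URLs are assumptions made for illustration.

```javascript
// Added example: POST-response page with a no-JavaScript fallback.
// renderPostResponse and escapeAttr are hypothetical names, not CAS APIs.

// Escape text for use inside a double-quoted HTML attribute, so values such
// as a RelayState URL containing "&" cannot break out of the markup.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build the auto-submitting form. `action` is the service URL and `params`
// holds the fields to post back (ticket, or SAMLResponse plus RelayState).
function renderPostResponse(action, params) {
  const url = new URL(action); // throws on malformed input
  if (url.protocol !== "https:") {
    throw new Error("service URL must be https");
  }
  const fields = Object.entries(params)
    .map(([name, value]) =>
      `<input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(value)}">`)
    .join("\n      ");
  // The submit button is left unnamed: a control named "submit" would shadow
  // form.submit() and break the onload handler for JavaScript-enabled users.
  return `<!DOCTYPE html>
<html>
  <body onload="document.acsForm.submit();">
    <form name="acsForm" action="${escapeAttr(url.href)}" method="post">
      ${fields}
      <noscript>
        <p>JavaScript is disabled. Press Continue to finish signing in.</p>
        <input type="submit" value="Continue">
      </noscript>
    </form>
  </body>
</html>`;
}

// Constructed sample values, shaped like the ones quoted in the thread.
const samplePage = renderPostResponse("https://sso.example.org/webapp/login", {
  ticket: "ST-1-constructedSampleTicket-cas",
  RelayState: "https://app.example.org/start?service=mail&passive=true",
});
```

With JavaScript enabled the page behaves as before; with it disabled the browser renders the `<noscript>` content and the user completes the POST with one click.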
