ok, so what I did isn't anything great...I just added the following to
the casPostResponseView.jsp

<noscript>
  <p>You are being redirected to <c:out value="${originalUrl}" />. Please click
  "Continue" to continue your login.</p>
  <p><input type="submit" value="Continue" /></p>
</noscript>

so that my page became

<%@ page language="java" session="false" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%-- originalUrl is the URL the response is posted to; it is HTML-escaped with c:out wherever it is written --%>
<html>
  <%-- Auto-submit the form when JavaScript is available --%>
  <body onload="document.acsForm.submit();">
    <form name="acsForm" action="<c:out value="${originalUrl}" />" method="post">
      <div style="display: none">
        <c:forEach items="${parameters}" var="entry">
          <textarea rows=10 cols=80 name="${entry.key}"><c:out value="${entry.value}" /></textarea>
        </c:forEach>
      </div>
      <%-- Manual fallback for browsers with JavaScript disabled --%>
      <noscript>
        <p>You are being redirected to <c:out value="${originalUrl}" />. Please click
        "Continue" to continue your login.</p>
        <p><input type="submit" value="Continue" /></p>
      </noscript>
    </form>
  </body>
</html>

that way when the user has javascript disabled, they will get a
message telling them where they are being redirected and be given the
ability to continue manually. I'll create a JIRA for this.

On Tue, Jan 19, 2010 at 10:56 AM, Scott Battaglia
<[email protected]> wrote:
> That should be the page. Feel free (i.e. we encourage ;-)) to contribute
> back your changes to the page!
>
> Cheers
> Scott
>
>
> On Tue, Jan 19, 2010 at 10:54 AM, Curtis Garman <[email protected]>
> wrote:
>>
>> True, most users won't know the difference...I only ask because it has
>> the potential to increase helpdesk calls...if the login fails in the
>> manner I described, the user just gets a white screen (at least in
>> Firefox) and they won't know what to do.
>>
>> What page would I need to change? Is it the casPostResponseView.jsp?
>>
>> Curtis
>>
>> On Tue, Jan 19, 2010 at 9:17 AM, Scott Battaglia
>> <[email protected]> wrote:
>> > Well that page can always be updated to include an actual submit button
>> > and an appropriate message. We just never did it (because the number of
>> > people with JavaScript turned off is pretty minimal).
>> >
>> >
>> > On Tue, Jan 19, 2010 at 10:15 AM, Curtis Garman <[email protected]>
>> > wrote:
>> >>
>> >> hmm...gotcha...ok so am I correct in assuming then that if the user
>> >> has javascript turned off they are just out of luck?...it would
>> >> >> probably be a good idea then to have cas check if javascript is
>> >> >> enabled and only proceed if it is...otherwise display a message to the
>> >> user that they need to enable it...or display a submit button.
>> >>
>> >> Curtis
>> >>
>> >> On Tue, Jan 19, 2010 at 9:07 AM, <[email protected]> wrote:
>> >> > You've told it to respond via POST. You cannot do redirects via POST
>> >> > in http so we need to create a form and submit it. Which is what it's
>> >> > attempting to do.
>> >> >
>> >> >
>> >> > -----Original Message-----
>> >> > From: Curtis Garman <[email protected]>
>> >> > Date: Tue, 19 Jan 2010 09:05:09
>> >> > To: <[email protected]>
>> >> > Subject: Re: [cas-user] CAS 3.3.4 login fails when javascript is
>> >> > disabled
>> >> >
>> >> > Sorry for the delay in more details...long weekend...my steps are as
>> >> > follows:
>> >> >
>> >> > 1) login to uportal
>> >> > 2) switch off javascript
>> >> > 3) login to my casified app via the following SSO link
>> >> >
>> >> >
>> >> > https://<server>/cas/login?method=POST&service=https://<server>/<webapp>/login
>> >> > where the service url performs some post processing after coming back
>> >> > from CAS
>> >> > 4) I receive the following response
>> >> >
>> >> > <html>
>> >> > <body onload="document.acsForm.submit();">
>> >> > <form name="acsForm"
>> >> > action="https://<server>/<webapp>/login" method="post">
>> >> > <div style="display: none">
>> >> > <textarea rows=10 cols=80
>> >> > name="ticket">ST-98-714toQ3wFWq93tcqslre-cas</textarea>
>> >> > </div>
>> >> > </form>
>> >> > </body>
>> >> > </html>
>> >> >
>> >> > Why I'm getting this at all is a mystery to me...I never made a call
>> >> > to google or perhaps saml (not sure if this form is specific to
>> >> > google or saml) but it appears to be doing something to call this page
>> >> > before validating my existing cas ticket
>> >> >
>> >> > Curtis
>> >> >
>> >> > On Thu, Jan 14, 2010 at 7:22 PM, Scott Battaglia
>> >> > <[email protected]> wrote:
>> >> >> Yes, that would be expected (arguably we should probably have a way
>> >> >> to submit that form for JavaScript-disabled). I think the original
>> >> >> poster was saying if he then went to a non-Google Apps application,
>> >> >> the redirect would still fail. Unless I read it wrong.
>> >> >>
>> >> >>
>> >> >> On Thu, Jan 14, 2010 at 6:21 PM, Johan Reinalda
>> >> >> <[email protected]> wrote:
>> >> >>>
>> >> >>> Scott,
>> >> >>>
>> >> >>> I can replicate this.
>> >> >>> (at Thunderbird, 3 days ago we went live with CAS3.3.5, Google Apps,
>> >> >>> Moodle, and some internally developed web apps, all working off MS-AD
>> >> >>> accounts)
>> >> >>>
>> >> >>> When I go to Gapps mail interface, with Firefox 3.5.7 with Javascript
>> >> >>> disabled, I get redirected to our CAS login page. The returned, hung
>> >> >>> page has an onload=submit() as follows, and thus you're dead in the
>> >> >>> water!
>> >> >>>
>> >> >>> Johan
>> >> >>> I&IT
>> >> >>> Thunderbird School of Global Management
>> >> >>> CAS @ https://login.thunderbird.edu
>> >> >>>
>> >> >>> ==================
>> >> >>>
>> >> >>> "Hung" URL (shortened the saml request for readability):
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> https://login.thunderbird.edu/cas/login?SAMLRequest=fVLJbt....&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fglobal.t-bird.edu%2FServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttp%253A%252F%252Fmail.google.com%252Fa%252Fglobal.t-bird.edu%252F%26bsv%3Dzpwhtygjntrz%26ltmpl%3Ddefault%26ltmplcache%3D2
>> >> >>>
>> >> >>> HTML Content of above (saml keys somewhat shortened):
>> >> >>>
>> >> >>> <html>
>> >> >>> <body onload="document.acsForm.submit();">
>> >> >>> <form name="acsForm"
>> >> >>> action="https://www.google.com/a/global.t-bird.edu/acs"
>> >> >>> method="post">
>> >> >>> <div style="display: none">
>> >> >>>
>> >> >>> <textarea rows=10 cols=80
>> >> >>> name="SAMLResponse"><?xml
>> >> >>> version="1.0" encoding="UTF-8"?>
>> >> >>> <samlp:Response
>> >> >>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>> >> >>> xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
>> >> >>> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>> >> >>> ID="iaakapbhfmfkngflfngoopdplmhgjaofhccjjala"
>> >> >>> IssueInstant="2010-01-14T16:12:45Z"
>> >> >>> Version="2.0"><Signature
>> >> >>>
>> >> >>>
>> >> >>> xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod
>> >> >>>
>> >> >>>
>> >> >>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
>> >> >>> /><SignatureMethod
>> >> >>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
>> >> >>> /><Reference
>> >> >>> URI=""><Transforms><Transform
>> >> >>>
>> >> >>>
>> >> >>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
>> >> >>> /></Transforms><DigestMethod
>> >> >>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
>> >> >>>
>> >> >>>
>> >> >>> /><DigestValue>m0mTxxyJj3cXrJjilwjpibB7zXk=</DigestValue></Reference></SignedInfo><SignatureValue>t91KQtTk6eaXNNU3HGK8pJm7Ua9hbEn35eOhjqUh9v7SZ94wSg1ziEtYuJYqvYI889MNC7YLMjd4
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> fECJr4AOrzOfcEFEKgpBMi/SKcc+UgHuQUer9g==</SignatureValue><KeyInfo><KeyValue><RSAKeyValue><Modulus>uWn6/TurLUy6W70rMIkcAfLNMr4/1Ra/ju7MgNi1kjL5VRkgCGQuozMH7/jKbzIDdQxnNrGaor8o
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> VnYFblIaIq05ngKGcr1ulBPreUzXagpyTU2QLQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyInfo></Signature><samlp:Status><samlp:StatusCode
>> >> >>> Value="urn:oasis:names:tc:SAML:2.0:status:Success"
>> >> >>> /></samlp:Status><Assertion
>> >> >>> ID="pfjeimfgpknnnionmnhceanbpjnilphmalgmhgdo"
>> >> >>> IssueInstant="2003-04-17T00:46:02Z"
>> >> >>>
>> >> >>>
>> >> >>> Version="2.0"><Issuer>https://www.opensaml.org/IDP</Issuer><Subject><NameID
>> >> >>>
>> >> >>>
>> >> >>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">[email protected]</NameID><SubjectConfirmation
>> >> >>>
>> >> >>>
>> >> >>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData
>> >> >>> InResponseTo="lcphjmnkcimmdockldcfhaekkagokofkkpbkoemk"
>> >> >>> NotOnOrAfter="2011-01-14T16:12:45Z"
>> >> >>>
>> >> >>> Recipient="https://www.google.com/a/global.t-bird.edu/acs"
>> >> >>> /></SubjectConfirmation></Subject><Conditions
>> >> >>> NotBefore="2003-04-17T00:46:02Z"
>> >> >>>
>> >> >>>
>> >> >>> NotOnOrAfter="2011-01-14T16:12:45Z"><AudienceRestriction><Audience>https://www.google.com/a/global.t-bird.edu/acs</Audience></AudienceRestriction></Conditions><AuthnStatement
>> >> >>>
>> >> >>>
>> >> >>> AuthnInstant="2010-01-14T16:12:45Z"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
>> >> >>> </textarea>
>> >> >>>
>> >> >>> <textarea rows=10 cols=80
>> >> >>>
>> >> >>>
>> >> >>> name="RelayState">https://www.google.com/a/global.t-bird.edu/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fa%2Fglobal.t-bird.edu%2F&bsv=zpwhtygjntrz&ltmpl=default&ltmplcache=2</textarea>
>> >> >>> </div>
>> >> >>> </form>
>> >> >>> </body>
>> >> >>> </html>
>> >> >>>
>> >> >>>
>> >> >>> ----- Original Message -----
>> >> >>> From: Scott Battaglia
>> >> >>> To: [email protected]
>> >> >>> Sent: Thursday, January 14, 2010 8:59 AM
>> >> >>> Subject: Re: [cas-user] CAS 3.3.4 login fails when javascript is
>> >> >>> disabled
>> >> >>> That doesn't make much sense because most apps don't use the
>> >> >>> JavaScript method for redirecting back.
>> >> >>>
>> >> >>> Can you let me know what steps you've taken to repeat this? We have
>> >> >>> one user at RU that uses our Google Apps support so I can maybe ask
>> >> >>> him to try and execute the same steps you are.
>> >> >>>
>> >> >>> Thanks
>> >> >>> Scott
>> >> >>>
>> >> >>>
>> >> >>> On Thu, Jan 14, 2010 at 10:12 AM, Curtis Garman
>> >> >>> <[email protected]>
>> >> >>> wrote:
>> >> >>>>
>> >> >>>> I've got google apps configured with cas and when I try to login to a
>> >> >>>> totally different app without javascript enabled, I get a white
>> >> >>>> screen. Looking closer at the page source shows that it is part of a
>> >> >>>> saml request and it is failing because it is depending on an automatic
>> >> >>>> form submission via javascript. It looks to me like the saml stuff is
>> >> >>>> being checked first, failing because of having javascript disabled,
>> >> >>>> and thus causing all other authentications to halt. Is there any way
>> >> >>>> around this or is this a side effect of having google apps
>> >> >>>> configured?
>> >> >>>>
>> >> >>>> --
>> >> >>>> Curtis Garman
>> >> >>>> Web Programmer
>> >> >>>> Heartland Community College
>> >> >>>>
>> >> >>>> --
>> >> >>>> You are currently subscribed to [email protected] as:
>> >> >>>> [email protected]
>> >> >>>> To unsubscribe, change settings or access archives, see
>> >> >>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>> >> >>>
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > Curtis Garman
>> >> > Web Programmer
>> >> > Heartland Community College
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Curtis Garman
>> >> Web Programmer
>> >> Heartland Community College
>> >>
>> >>
>> >
>>
>>
>>
>> --
>> Curtis Garman
>> Web Programmer
>> Heartland Community College
>>
>>
>
--
Curtis Garman
Web Programmer
Heartland Community College
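
An added example, not part of the original thread or of CAS itself: a Python check that a CAS POST-response page can still be submitted with JavaScript disabled, run against constructed copies of the page before and after the <noscript> change at the top of this message. The host name, ticket value and the names AutoPostAudit and forms_without_fallback are assumptions made for the example, and a submit control inside a "display: none" container is treated as unusable.

```python
import re
from html.parser import HTMLParser

VOID = {"input", "br", "img", "hr", "meta", "link"}
ONLOAD_SUBMIT = re.compile(r"document\.(\w+)\.submit\(\)")

class AutoPostAudit(HTMLParser):
    """Tracks forms submitted from <body onload> and submit controls a no-JS user can see."""
    def __init__(self):
        super().__init__()
        self.auto = set()    # form names the onload handler submits
        self.usable = set()  # form names with a visible submit control
        self.stack = []      # open elements as (tag, hidden, enclosing form name)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        parent_hidden, parent_form = self.stack[-1][1:] if self.stack else (False, None)
        hidden = parent_hidden or "display:none" in a.get("style", "").replace(" ", "").lower()
        form = a.get("name") if tag == "form" else parent_form
        if tag == "body":
            self.auto.update(ONLOAD_SUBMIT.findall(a.get("onload", "")))
        is_submit = (tag == "input" and a.get("type", "").lower() in ("submit", "image")) or (
            tag == "button" and a.get("type", "submit").lower() == "submit")
        if is_submit and form and not hidden:
            self.usable.add(form)
        if tag not in VOID:
            self.stack.append((tag, hidden, form))

    def handle_endtag(self, tag):
        if any(entry[0] == tag for entry in self.stack):
            while self.stack.pop()[0] != tag:
                pass  # discard unclosed children of the element being closed

def forms_without_fallback(html):
    """Names of onload-submitted forms that a JavaScript-disabled browser cannot submit."""
    parser = AutoPostAudit()
    parser.feed(html)
    parser.close()
    return sorted(parser.auto - parser.usable)

# Constructed pages modelled on the thread; host and ticket value are placeholders.
HEAD = ('<html><body onload="document.acsForm.submit();">'
        '<form name="acsForm" action="https://app.example.org/login" method="post">'
        '<div style="display: none"><textarea rows=10 cols=80 name="ticket">'
        'ST-0-constructed</textarea></div>')
TAIL = '</form></body></html>'
FALLBACK = '<noscript><p><input type="submit" value="Continue" /></p></noscript>'
BEFORE, AFTER = HEAD + TAIL, HEAD + FALLBACK + TAIL

if __name__ == "__main__":
    print(forms_without_fallback(BEFORE), forms_without_fallback(AFTER))
```

Run against a rendered login response in a deployment test, a non-empty result means a JavaScript-disabled user would be left on the blank page described in this thread.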