On Fri, Jan 22, 2010 at 9:26 AM, Barry Silk <[email protected]>wrote:
> Scott, > > Will the case of the context CAS or cas make a difference how cas will > respond to a serviceValidate request? > > We have experimented with this and for some reason, when Spring Security > issues a serviceValidate request (and the URL of the request seems to be > properly formatted by inspecting the logs), cas goes into the login-webflow > and eventually winds up responding with the login page. When we go through > the process by hand, the same serviceValidate request returns the userid (or > a validation error) as expected -- it does not go through the login-webflow > at all. Why would CAS treat a serviceRequest as a login request? Where > does that decision get made? > It doesn't. However, if a 404 is issued, by default you are sent to the login page. > > This is a very frustrating problem! > > Thanks, > Barry > ________________________________________ > From: Scott Battaglia [[email protected]] > Sent: Friday, January 22, 2010 8:41 AM > To: [email protected] > Subject: Re: [cas-user] Problem with CAS ticket validation / Spring > Security > > I'm not sure if it makes a difference but have you deployed it as CAS or > cas ? I see both in the email. > > Cheers, > Scott > > > On Thu, Jan 21, 2010 at 1:20 PM, Barry Silk <[email protected] > <mailto:[email protected]>> wrote: > I hope someone could please help diagnose this problem. I cannot determine > whether the problem is with CAS or Spring Security > > We are using: > -- CAS server 3.3.5 > -- CAS client 3.1.10 > -- Spring Security 3.0.1 > > I have attached the Spring Security configuration file plus the log files > that illustrate what the problem is. > > The first step is attempting to access a protected resource in the web-app > (APLITS) using the following url: > > https://ob-2068:9443/APLITS > > Then the Web-app/Spring Security redirects to CAS to the login page with > the following URL: > > > https://ob-2068:8443/CAS/login?service=https%3A%2F%2FOB-2068%3A9443%2FAPLITS%2Fj_spring_cas_security_check > > The user successfully logs in with username/password and the ticket gets > added to the registry: > > (from log) Added ticket [ST-1-HHnUWSpCMrPOfcfcyq0f-cas] to registry. > > Then, CAS redirects the browser to: > > > https://OB-2068:9443/APLITS/j_spring_cas_security_check?ticket=ST-1-HHnUWSpCMrPOfcfcyq0f-cas > > The web-app processes this url and attempts to issue a serviceValidate back > to CAS: > > (from log) Constructing validation url: > https://OB-2068:8443/cas/serviceValidate?ticket=ST-1-HHnUWSpCMrPOfcfcyq0f-cas&service=https%3A%2F%2FOB-2068%3A9443%2FAPLITS%2Fj_spring_cas_security_check > > But, CAS response with the xml for a login page, instead of returning the > userid: > > <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" " > http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";> > <html xmlns="http://www.w3.org/1999/xhtml"; lang="en"> > <head> > <title>CAS – Central Authentication Service</title> > <meta http-equiv="Content-Type" content="text/html; > charset=utf-8" /> > <style type="text/css" media="screen">@import > 'css/cas.css'/**/;</style> > <!--[if gte IE 6]><style type="text/css" media="screen">@import > 'css/ie_cas.css';</style><![endif]--> > <script type="text/javascript" > src="js/common_rosters.js"></script> > <link rel="icon" href="/CAS/favicon.ico" type="image/x-icon" /> > </head> > > ... > </html> > > That is the problem. > > > However, instead of going to the application directly and going through the > steps by manually specifying the URLs, we get the expected result: > > https://ob-2068:8443/CAS/login?sevice=https://ob-2068:9443/APLITS > > results in the CAS login page. Enter the userid and password successfully > and CAS redirects to: > > > https://ob-2068:9443/APLITS/j_spring_cas_security_check?ticket=ST-3-yEMDMjhbtWoHnYgXce1S-cas > > Redeeming this ticket manually through the browser: > > > https://OB-2068:8443/CAS/serviceValidate?service=https://OB-2068:9443/APLITS/j_spring_cas_security_check&ticket=ST-3-yEMDMjhbtWoHnYgXce1S-cas > > Results in CAS returning the authenticated userid as expected? > > My question is, why doesn't it work with the spring security configuration, > which appears to be generating the proper serviceValidate request to CAS?? > > > THANKS for any insight you can provide for this. > > Barry Silk > > -- > You are currently subscribed to [email protected]<mailto: > [email protected]> as: [email protected]<mailto: > [email protected]> > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
