Thanks for the quick reply, Scott!

On Tue, Mar 16, 2010 at 2:25 PM, Scott Battaglia <[email protected]> wrote:
> On Tue, Mar 16, 2010 at 2:17 PM, Adam Franco <[email protected]> wrote:
>
>> *Question (up front for those skimming the list):*
>
> Answers, for those looking for them quickly :-)
>
>> Should my CAS server be returning proxy tickets that begin with "PT"?
>
> No, it can return them with ST. See the spec for more info. It's been
> doing this since 3.0
>
>> Is this a configuration option?
>
> No, it's not.
>
>> Is this something that was added after CAS-3.3.3?
>
> No, it's been there since CAS 3
>
> Cheers,
> Scott
>
>> *Background:*
>>
>> I have been recently testing the latest phpCAS version (1.1.0RC6 /
>> https://www.ja-sig.org/svn/cas-clients/phpcas/tr...@48086) which now has
>> a switch that now runs service tickets through a different path than proxy
>> tickets. Their relevant change is:
>>
>> break; >> case CAS_VERSION_2_0: // check for a Service or Proxy >> Ticket >> - if( preg_match('/^[SP]T-/',$ticket) ) { >> - phpCAS::trace('ST or PT \''.$ticket.'\' found'); >> + if (preg_match('/^ST-/', $ticket)) { >> + phpCAS::trace('ST \'' . $ticket . '\' found'); >> + $this->setST($ticket); >> + unset ($_GET['ticket']); >> + } else if (preg_match('/^PT-/', $ticket)) { >> + phpCAS::trace('PT \'' . $ticket . 
'\' found'); >> $this->setPT($ticket); >> unset($_GET['ticket']); >> } else if ( !empty($ticket) ) { >> //ill-formed ticket, halt >> phpCAS::error('ill-formed ticket found in the URL >> (ticket=`'.htmlentities($ticket).'\')');
>>
>> What I noticed in testing with this client is that my CAS server
>> (3.3.3 with a custom overlay) returns proxy tickets that begin with "ST-"
>> rather than "PT-":
>>
>> https://login.middlebury.edu/cas/proxy?targetService=http%3A%2F%2Fchisel.middlebury.edu%2F~afranco%2Fphpcas_cookiestorage%2Fservice%2F%3Fparam%3D1397087449&pgt=TGT-2447-zAWGcUHZvTgFNaTwjWG1nSU0gxiOoCIbbflTgeunLwaMU2nJoq-harpie
>>
>> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>>     <cas:proxySuccess>
>>         <cas:proxyTicket>ST-3103-cn5FJWG4Cvv4OdfGNAqZ-griffon</cas:proxyTicket>
>>     </cas:proxySuccess>
>> </cas:serviceResponse>
>>
>> Because phpCAS now switches based on the first part of the ticket string,
>> proxy tickets get sent to the serviceValidate URL rather than the
>> proxyValidate URL and fail validation. At the end of the day, it may be that
>> this phpCAS change is invalid due to the CAS
>> Protocol <http://www.jasig.org/cas/protocol> section 3.3.1 allowing proxy
>> tickets to begin with "ST-":
>>
>>> Proxy tickets SHOULD begin with the characters, "PT-". Proxy tickets MUST
>>> begin with either the characters, "ST-" or "PT-".
>>
>> *My questions for this list:*
>> Should my CAS server be returning proxy tickets that begin with "PT"?
>> Is this a configuration option?
>> Is this something that was added after CAS-3.3.3?
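
Review bot: In the `CAS_VERSION_2_0` case, the new `preg_match('/^ST-/', $ticket)` branch sends every ST-prefixed ticket to `setST()`, so the ticket prefix alone now decides which validation path runs, yet the CAS protocol section 3.3.1 quoted in this message says proxy tickets MUST begin with either "ST-" or "PT-" and only SHOULD begin with "PT-". A proxy ticket issued with an "ST-" prefix, like the one in the proxySuccess response shown in this message, is therefore handled as a service ticket and, as reported here, fails validation. Suggest keeping `/^[SP]T-/` purely as the well-formedness check and choosing between `setST()` and `setPT()` from how the client is configured (for example, whether it is set up to accept proxied requests) rather than from the prefix. Minor style point: `unset ($_GET['ticket']);` in the added ST branch has a space before the parenthesis, unlike the existing `unset($_GET['ticket']);` context line.
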
>>
>> Once I know if my CAS server is messed up or is operating as expected,
>> I'll follow up with the phpCAS team to notify them if their client change
>> doesn't fit the protocol correctly.
>>
>> Thanks for your help,
>> Adam
>>
>> P.S. I have attached my logs for the sequence for the client app, the
>> service app, and the pgt storage script for reference in case they are
>> helpful.
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
