(Sorry if this is better suited for the phpCAS mailing list or elsewhere, not actually sure where my problem is).
I've run into an odd issue twice, both with a plugin I was developing and with the CAS plugin bundled with Moodle 1.9.9 (ish, there are some patches that bring it up to 1.9.10, I'd imagine) when I try to use the proxying feature with gateway mode, and I'm trying to figure out if it's a quirk of my environment, expected behavior, or me completely misunderstanding something.

Basically, if I use

phpcas::proxy();

or

$CAS = new CASClient(CAS_VERSION_2_0,TRUE,$cas_hostname,$cas_port,$cas_uri,false);

I wind up getting phpCAS's "CAS authentication failed!" during validation of the service ticket. When I dig into the CAS server logs, I see that the ticket is validating without a problem, but that the CAS server is failing its initial callback to the service (done in proxy mode before sending the pgtIOU).

2011-05-27 09:45:19,616 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: [callbackUrl: https://moodle-dev.example.com/login/index.php]
2011-05-27 09:45:19,622 ERROR [org.jasig.cas.web.ServiceValidateController] - TicketException generating ticket for: [callbackUrl: https://moodle-dev.example.com/login/index.php]

Digging a little bit more shows this:

2011-05-27 09:45:19,615 ERROR [org.jasig.cas.util.HttpClient] - Server redirected too many times (20)

right before everything fails.

I'm not sure how to dig deeper into this, but my guess at this point is that what's happening is that the CAS server makes a callback to the URL as instructed. This URL is protected by CAS so a redirect is sent (Location: https://cas-dev.example.com/login?service=https%3A%2F%2Fmoodle-dev.example.com%2Flogin%2Findex.php&gateway=true in my example), but since it is in gateway mode, CAS bounces itself back to Moodle... and this is where I assume the process starts over again, resulting in the endless redirect.

My suspicion is that however phpCAS is remembering whether or not a given CAS client has previously visited (to stop the endless redirecting) is failing for the HttpClient CAS calls for its URL callback, but I'm not sure how to test further. I think phpCAS just uses PHP's sessions w/ cookies to keep track of such things, but not sure.

I can work around the issue easily enough through a variety of methods (not starting the CAS Dance if the request comes from the CAS server itself, setting a different PGT callback URL that's not protected by CAS, not using the particular combination of gateway+proxy, etc, etc..), but after hitting this issue twice, I'm wondering if there's something wrong in my setup or understanding of CAS.

Any thoughts? Hope I was clear, I sometimes get the terminology muddled.

Matt
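A small model of the redirect loop hypothesized in the message above, added here as an illustration; it is not part of the original post and is not phpCAS or CAS server code. The functions `service`, `cas_login` and `fetch` and the `gateway_tried` cookie are hypothetical, and the cookie-based "already tried gateway" flag is the post's own assumption about how the client tracks this.

```python
# Constructed model of the gateway + proxy-callback loop; not phpCAS or CAS server code.
from urllib.parse import urlencode, urlparse, parse_qs

SERVICE = "https://moodle-dev.example.com/login/index.php"  # callback URL from the post
CAS_LOGIN = "https://cas-dev.example.com/login"
MAX_REDIRECTS = 20  # limit reported in the CAS server log


def service(url, cookies, exempt_callback=False):
    """CAS-protected page: tries gateway once per session (assumed cookie-based flag)."""
    if exempt_callback or cookies.get("gateway_tried"):
        return 200, None, {}
    target = CAS_LOGIN + "?" + urlencode({"service": SERVICE, "gateway": "true"})
    return 302, target, {"gateway_tried": "1"}


def cas_login(url, cookies):
    """CAS /login with gateway=true and no SSO session: bounce back without a ticket."""
    return 302, parse_qs(urlparse(url).query)["service"][0], {}


def fetch(url, keep_cookies, exempt_callback=False):
    """Follow redirects like an HTTP client; returns (final_status, redirects_followed)."""
    jar, hops = {}, 0
    while True:
        if url.startswith(CAS_LOGIN):
            status, location, set_cookie = cas_login(url, jar)
        else:
            status, location, set_cookie = service(url, jar, exempt_callback)
        if keep_cookies:
            jar.update(set_cookie)  # a cookie-less client forgets the session flag
        if status != 302:
            return status, hops
        if hops == MAX_REDIRECTS:
            return None, hops  # corresponds to "Server redirected too many times (20)"
        url, hops = location, hops + 1


if __name__ == "__main__":
    print("browser-like client: ", fetch(SERVICE, keep_cookies=True))
    print("cookie-less callback:", fetch(SERVICE, keep_cookies=False))
    print("callback exempted:   ", fetch(SERVICE, keep_cookies=False, exempt_callback=True))
```

The third call models the workarounds listed in the message, where the callback request never enters the gateway check.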
