Yes, your analysis is correct. The service parameter should be retrieved from the SWF context instead. The assumption on the URL parameter also has issues with SAML validation, since the parameter name changes.
Captured the issue here: https://issues.jasig.org/browse/CAS-1303

From: Simon Wong [mailto:[email protected]]
Sent: Wednesday, April 24, 2013 3:25 AM
To: [email protected]
Subject: [cas-user] Failed to retrieve service URL if LPPE is used (if password change warning page is displayed).

I am using CAS v3.5.2. I have tried to resemble the LDAP Password Policy Enforcement (LPPE) function to support JDBC-based authentication. I found that the application (using Spring Security) redirection doesn't work as expected if a warning page is displayed when my password will expire soon.

The scenario is:
- Log in to the application (http://localhost:8080/myapp)
- It will redirect to the CAS login screen as I haven't logged in before
- I input the correct username/password to log in
- As my password will expire soon and it is within the warning period, the login-webflow.xml will forward to the view casWarnPassView.jsp
- In casWarnPassView.jsp, if I don't want to change the password now, it should redirect back to the application.

From the logic of casWarnPassView.jsp, the application URL could be retrieved as the URL "service" parameter:

    <spring:message code="screen.warnpass.message.line2" arguments="${fn:escapeXml(param.service)}${fn:indexOf(param.service, '?') eq -1 ? '?' : '&'}${ticketArg}" />

However, I found that my application service URL is stored in flow scope instead of a URL parameter. Here is the flow scope data I extracted from a web flow action:

    context.getFlowScope(): map['service' -> http://localhost:8080/myapp/j_spring_cas_security_check, 'credentials' -> [username: test_user], 'warnCookieValue' -> false, 'ticketGrantingTicketId' -> [null]]

I would like to know whether my justification is correct or not.
Regards,
Simon

-- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
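As an added illustration of the fix the reply suggests (this is example code written here, not CAS project code or anything from the thread): a Spring Web Flow action that builds the "back to the application" URL for casWarnPassView.jsp from the `service` object already validated into flow scope, rather than from a raw `param.service` request parameter that may be absent (as in the flow-scope dump above) or differently named (the SAML case). The class name, the `warnPassRedirectUrl` flow variable, and the `serviceTicketId` flow-scope key are assumptions made for this example; `RequestContext`, `AbstractAction`, `success()`/`error()` and `WebApplicationService.getId()` are the real Spring Web Flow and CAS 3.x APIs.

```java
// Added example, not CAS project code: expose a flow-scope-derived redirect URL
// to the password-warning view instead of reading param.service in the JSP.
import org.jasig.cas.authentication.principal.WebApplicationService;
import org.springframework.webflow.action.AbstractAction;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

public class WarnPassRedirectUrlAction extends AbstractAction { // hypothetical class name

    /** Flow-scope key the view reads; name is an assumption for this example. */
    static final String REDIRECT_URL_KEY = "warnPassRedirectUrl";

    /**
     * Pure helper mirroring the JSP expression: append the ticket argument with
     * '?' when the service URL has no query string yet, otherwise with '&'.
     * Kept separate from the action so it can be unit-tested without a flow.
     */
    static String buildRedirectUrl(String serviceId, String ticketArg) {
        if (serviceId == null || serviceId.isEmpty()) {
            throw new IllegalArgumentException("service id is required");
        }
        if (ticketArg == null || ticketArg.isEmpty()) {
            return serviceId; // nothing to append
        }
        String separator = serviceId.indexOf('?') == -1 ? "?" : "&";
        return serviceId + separator + ticketArg;
    }

    @Override
    protected Event doExecute(RequestContext context) {
        // The service that passed CAS's own service checks lives in flow scope
        // under "service" (see the flow-scope dump in the thread), regardless of
        // whether the client sent "service" or a SAML-style parameter.
        Object service = context.getFlowScope().get("service");
        if (!(service instanceof WebApplicationService)) {
            // No validated service: refuse rather than redirect somewhere unknown.
            return error();
        }
        String serviceId = ((WebApplicationService) service).getId();

        // Assumption: an earlier action stored the issued service ticket id in
        // flow scope under "serviceTicketId". If it is not there yet, the view
        // simply gets the bare service URL back.
        Object st = context.getFlowScope().get("serviceTicketId");
        String ticketArg = st == null ? "" : "ticket=" + st;

        context.getFlowScope().put(REDIRECT_URL_KEY, buildRedirectUrl(serviceId, ticketArg));
        return success();
    }

    /** Stand-alone check of the helper; runs without a Spring Web Flow container. */
    public static void main(String[] args) {
        System.out.println(buildRedirectUrl(
                "http://localhost:8080/myapp/j_spring_cas_security_check", "ticket=ST-1-example"));
        System.out.println(buildRedirectUrl(
                "http://localhost:8080/myapp/login?x=1", "ticket=ST-2-example"));
        System.out.println(buildRedirectUrl("http://localhost:8080/myapp/login", ""));
    }
}
```

Wire the action into the warn-state of login-webflow.xml before rendering the view, and have the view emit `${fn:escapeXml(warnPassRedirectUrl)}`: the escaping still belongs in the JSP at output time, while the choice of destination is made from the flow-scoped service the CAS flow already trusts.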
