Hi, in CAS4 using SAML, accessing a URL with an exact match of the registered service returns "Application not Authorized to use CAS". With a more permissive regexp CAS allows usage, but still with an annoying URL with query parameters.

Use case:
- Take the CAS4 overlay and add SAML support as of https://wiki.jasig.org/display/CASUM/SAML+Support+in+CAS+4
- Build a simple client with filter entries as shown below
- Add <property name="serviceId" value="^https?://whatever.example.com:8444/cas-client/index.jsp" /> as registered service
- In browser: https://whatever.example.com:8444/cas-client/index.jsp

This results in the CAS login page with URL
https://whatever.example.com:8444/cas/login?TARGET=https%3A%2F%2Fwhatever.example.com%3A8444%2Fcas-client%2F
which, with user/password input, throws the following result:
Application Not Authorized to Use CAS

*Conclusion*: only with the regular expression ^https?://whatever.example.com:8444/cas-client/.* can I authorize a page, showing this result URL:
https://whatever.example.com:8444/cas-client/?TARGET=https%3A%2F%2Fwhatever.example.com%3A8444%2Fcas-client%2F

*Questions*:
1. Shouldn't SAML be able to validate an exact match?
2. Should the validation result bring the requested page WITHOUT query parameters?

Appreciate any comments

Manfredo Hopp

*cas-client filter entries*

<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
  <!--filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class-->
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://whatever.example.com:8444/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://whatever.example.com:8444</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
  <!--filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class-->
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://whatever.example.com:8444/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://whatever.example.com:8444</param-value>
  </init-param>
  <init-param>
    <param-name>redirectAfterValidation</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <!-- Adjust to accommodate clock drift between client/server.
         Increasing tolerance has security consequences, so it is
         preferable to correct the source of clock drift instead. -->
    <param-name>tolerance</param-name>
    <param-value>5000</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

<filter>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>

<!-- Other filters as needed -->

<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
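
Added example (not part of the original post and not CAS code): the TARGET value in the login URL quoted above decodes to the directory URL rather than the index.jsp URL, and this script checks that decoded value against each serviceId pattern. It assumes the pattern has to match the whole service URL; the "hardened" pattern and the lookalike host are constructed here for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Login URL exactly as quoted in the post.
LOGIN_URL = ("https://whatever.example.com:8444/cas/login"
             "?TARGET=https%3A%2F%2Fwhatever.example.com%3A8444%2Fcas-client%2F")

# The two serviceId values from the post, plus a constructed stricter one
# (dots escaped, https only, end anchored, index.jsp optional).
PATTERNS = {
    "exact (post)": r"^https?://whatever.example.com:8444/cas-client/index.jsp",
    "permissive (post)": r"^https?://whatever.example.com:8444/cas-client/.*",
    "hardened (constructed)":
        r"^https://whatever\.example\.com:8444/cas-client/(index\.jsp)?$",
}

# Constructed host differing in one character, to show what an unescaped dot accepts.
LOOKALIKE = "https://whateverXexample.com:8444/cas-client/"


def requested_service(login_url):
    """Return the decoded service URL carried in TARGET (SAML 1.1) or service (CAS)."""
    params = parse_qs(urlsplit(login_url).query)
    for name in ("TARGET", "service"):
        if name in params:
            return params[name][0]
    raise ValueError("login URL carries no TARGET or service parameter")


def evaluate(service_url, patterns=PATTERNS):
    """Map each pattern label to whether it matches the entire service URL
    (whole-URL matching is an assumption of this example)."""
    return {label: re.fullmatch(rx, service_url) is not None
            for label, rx in patterns.items()}


if __name__ == "__main__":
    service = requested_service(LOGIN_URL)
    print("service URL sent to CAS:", service)
    for url in (service, service + "index.jsp", LOOKALIKE):
        print(url)
        for label, ok in evaluate(url).items():
            print(f"  {label:24} {'match' if ok else 'no match'}")
```
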
