On Thu, Sep 4, 2008 at 2:52 PM, Lawrence Andreutti <[EMAIL PROTECTED]> wrote:

> Hi Scott,
>
> The service validates do insist that the services match with both CAS 3.0.6 and CAS 3.3. The messages I see seem to be generated when a service ticket is created from the TGT (ticket granting ticket) that is stored in a cookie with the user's browser. I'm still trying to reproduce it but it does look like the generated service ticket is validated using the CentralAuthenticationServiceImpl (instead of ServiceValidate) class which does seem to behave differently in CAS 3.0.6 and 3.3. Hopefully, that makes sense to you. Thanks.

Hi,

Tickets are always validated with the CentralAuthenticationServiceImpl class, no matter which version of CAS you are using.

-Scott

> *Larry Andreutti*
> Tel 604.438.7361 ext. 1482
>
> ------------------------------
> *From:* Scott Battaglia <[EMAIL PROTECTED]>
> *Date:* Thu, 4 Sep 2008 12:59:52 -0400
> *To:* Mailing list for CAS developers <[EMAIL PROTECTED]>
> *Cc:* Steven Carroll <[EMAIL PROTECTED]>, Elizabeth Allen <[EMAIL PROTECTED]>, Kevin Burke <[EMAIL PROTECTED]>, Doug Johnson <[EMAIL PROTECTED]>
> *Subject:* Re: [cas-dev] Mismatched Service URLs
>
> Regardless of what the logging level was, it should have always rejected it when it validated the ticket. I don't believe that code has changed at all, except for maybe the logging level. But we always matched URLs exactly and rejected if they didn't match (the only exception was removing jsessions)
>
> -Scott
>
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
> On Thu, Sep 4, 2008 at 12:23 PM, Lawrence Andreutti <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> We are in the process of trying to upgrade from CAS 3.0.6 to CAS 3.3. One thing we have noticed is that CAS 3.3 (and other CAS versions older than 3.0.6) is much stricter that service URLs exactly match the service that created the service ticket. For example, with CAS 3.0.6 I would see entries in the logs like this:
>
> 2008-09-03 00:03:00,920 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] ServiceTicket [ST-466628-ODF0WfzIpJzLOSOQ3lwiNYUheLH3mTf69qb-sso1] does not match supplied service: http://www.active.com/event_detail.cfm?EVENT_ID=1537452&CHECKSSO=0
>
> However, this is essentially just a warning and authentication would still continue. With CAS 3.3, I see entries in the logs like this:
>
> 2008-08-27 14:22:51,897 ERROR [org.jasig.cas.CentralAuthenticationServiceImpl] ServiceTicket [ST-31-QPmtYnffxMWN0Idg4LI6-ssoaus.active.com] with service [http://a2aus.active.com/NonACM/login/A2LoginHome.aspx does not match supplied service [http://a2aus.active.com/NonACM/Login/A2LoginHome.aspx]
>
> The big difference is that this condition is now an ERROR (not a DEBUG warning) and the authentication is rejected. Unfortunately, we seem to have a lot of applications with mismatching service URLs like this and we would like to move to CAS 3.3 in a month or so. At least for the short term until we get all these service URLs lined up, is there some way to configure CAS 3.3 so it acts more like CAS 3.0.6 (it still logs the mismatch but allows processing to continue)? Thanks.
>
> *Larry Andreutti*
> Software Engineer
> Active Network, Ltd.
>
> [EMAIL PROTECTED]
> Tel 604.438.7361 ext. 1482
> Fax 604.432.9708
> 6400 Roberts Street, Suite 160
> Burnaby, BC Canada V5G 4C9
> www.ActiveNetwork.com <http://www.activenetwork.com/>
>
> _______________________________________________
> cas-dev mailing list
> [EMAIL PROTECTED]
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>
> ------ End of Forwarded Message
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
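For the migration problem discussed in this thread (getting client applications' service URLs lined up before moving to CAS 3.3), a log audit along these lines groups the rejected validations by how the two URLs differ, so the case-only mismatches can be fixed in the applications first. This is an added example, not code from the thread or from the CAS project; the hosts, ticket ids and log lines are constructed, and the jsessionid-stripping rule is an assumption based on the one exception mentioned above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Message format follows the CAS 3.3 ERROR line quoted in the thread,
# including the missing "]" after the ticket's own service URL.
MISMATCH = re.compile(
    r"ServiceTicket \[(?P<ticket>[^\s\]]+)\] with service \[(?P<issued>[^\s\]]+)\]?"
    r" does not match supplied service \[(?P<supplied>[^\s\]]+)\]"
)

def strip_jsession(url):
    # Assumption: ";jsessionid=..." is dropped up to the query string or fragment.
    return re.sub(r";jsession[^?#]*", "", url)

def classify(issued, supplied):
    """Name the kind of difference between the ticket's URL and the supplied one."""
    a, b = strip_jsession(issued), strip_jsession(supplied)
    if a == b:
        return "match"
    pa, pb = urlsplit(a), urlsplit(b)
    if (pa.scheme.lower(), pa.netloc.lower()) != (pb.scheme.lower(), pb.netloc.lower()):
        return "scheme-or-host"
    if a.lower() == b.lower():
        return "case-only"
    return "path-or-query"

def audit(lines):
    """Group mismatched (issued, supplied) URL pairs by kind of difference."""
    report = defaultdict(set)
    for line in lines:
        m = MISMATCH.search(line)
        if m:
            kind = classify(m["issued"], m["supplied"])
            report[kind].add((m["issued"], m["supplied"]))
    return report

# Constructed sample lines (placeholder hosts and ticket ids), shaped like the thread's.
FMT = ("2008-08-27 14:22:51,897 ERROR [org.jasig.cas.CentralAuthenticationServiceImpl] "
       "ServiceTicket [{}] with service [{} does not match supplied service [{}]")
B = "http://app.example.org"
SAMPLE = [
    FMT.format("ST-1-aaaa-sso", B + "/NonACM/login/Home.aspx", B + "/NonACM/Login/Home.aspx"),
    FMT.format("ST-2-bbbb-sso", B + "/a", "https://app.example.org/a"),
    FMT.format("ST-3-cccc-sso", B + "/event.cfm?ID=1", B + "/event.cfm?ID=1&CHECKSSO=0"),
    "2008-08-27 14:22:52,001 INFO [org.example.Other] unrelated line",
]

if __name__ == "__main__":
    for kind, pairs in sorted(audit(SAMPLE).items()):
        print(kind, sorted(pairs))
```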
