Re: [cas-user] Re: Double Login for Mozilla 4.0 User Agent

2020-01-28 Thread Justin Isenhour
Awesome, thanks for all the feedback guys. Very much appreciated.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4cd1f0fa-6eb8-4bb3-ab59-c3dc57b623a7%40apereo.org.



[cas-user] Re: Double Login for Mozilla 4.0 User Agent

2020-01-28 Thread leleuj
Hi,

You have the following property/option: *cas.tgc.pinToSession* (true by 
default) to attach the IP and user-agent to the SSO session.
In most cases, it's the right choice, but you may want to disable that 
behavior.
Thanks.
Best regards,
Jérôme





[cas-user] Re: Double Login for Mozilla 4.0 User Agent

2020-01-28 Thread Andy Ng
Hi Justin,

Nice that you thought of a workaround!

I think it is strange that the ticket granting ticket contains the user agent...

Therefore, I have gone ahead and done some additional digging and found the 
following:
https://github.com/apereo/cas/blob/v5.3.7/core/cas-server-core-cookie-api/src/main/java/org/apereo/cas/web/support/DefaultCasCookieValueManager.java#L58


It seems to me that, instead of the TGT containing the user agent, the 
cookie manager will not allow a cookie created under a different user agent.

@Override
protected String obtainValueFromCompoundCookie(final String cookieValue, final HttpServletRequest request) {
    // The TGC value is a compound: TGT id, client IP and user agent, joined by COOKIE_FIELD_SEPARATOR
    val cookieParts = Splitter.on(String.valueOf(COOKIE_FIELD_SEPARATOR)).splitToList(cookieValue);
    if (cookieParts.isEmpty()) {
        throw new IllegalStateException("Invalid empty cookie");
    }
    val value = cookieParts.get(0);
    if (!cookieProperties.isPinToSession()) {
        // cas.tgc.pinToSession=false: skip the IP and user-agent checks entirely
        LOGGER.trace("Cookie session-pinning is disabled. Returning cookie value as it was provided");
        return value;
    }
    if (cookieParts.size() != COOKIE_FIELDS_LENGTH) {
        throw new IllegalStateException("Invalid cookie. Required fields are missing");
    }
    val remoteAddr = cookieParts.get(1);
    val userAgent = cookieParts.get(2);
    if (Stream.of(value, remoteAddr, userAgent).anyMatch(StringUtils::isBlank)) {
        throw new IllegalStateException("Invalid cookie. Required fields are empty");
    }
    // The client IP recorded at login must match the IP of the current request
    val clientInfo = ClientInfoHolder.getClientInfo();
    if (!remoteAddr.equals(clientInfo.getClientIpAddress())) {
        throw new IllegalStateException("Invalid cookie. Required remote address "
            + remoteAddr + " does not match " + clientInfo.getClientIpAddress());
    }
    // The user agent recorded at login must match the current User-Agent header exactly
    val agent = HttpRequestUtils.getHttpServletRequestUserAgent(request);
    if (!userAgent.equals(agent)) {
        throw new IllegalStateException("Invalid cookie. Required user-agent "
            + userAgent + " does not match " + agent);
    }
    return value;
}


Have you seen the above error (*Invalid cookie. Required user-agent*) in 
your CAS error log? If so, it would justify my theory.

Still, I don't think it is wise to touch that part of the source code, 
but it is always good to know in case you actually need to support 
the legacy service for cross-compatibility with the main browser.

Cheers!
- Andy










[cas-user] Re: Double Login for Mozilla 4.0 User Agent

2020-01-24 Thread Justin Isenhour
Thanks Andy for the information.  We spent some more time this morning 
troubleshooting the behavior and have discovered the reason for this 
behavior.  It seems that the ticket granting cookie is encoded and is not 
just the TGT; it is TGT+Client IP+Browser Agent.  When a call comes into 
login?service= the validation checks the cookie and validates that the TGT 
is still valid and now also checks that the Browser Agent matches what it 
was when the cookie was created.

In this case, when we log in to SSO using IE 11 the browser agent is Mozilla 
5.0; when we access the old legacy application (which has its domain set 
under compatibility view) and the app redirects to SSO for authentication, 
the user agent is changed to Mozilla 4.0.  Since the user agent of the 
request no longer matches the user agent when the cookie was created, the 
cookie is considered invalid.  Based on the code it doesn't look like there 
is any way to override this behavior (not that one should).  Based on the 
fact that this legacy app must be run in compatibility view, our only 
workaround is to also have those users add our portal URL to compatibility view 
as well so that the user agents will match during validation.




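The check Andy quoted from DefaultCasCookieValueManager and the IE 11 Compatibility View failure Justin describes, as a Python model added here (not CAS project code): it walks the compound cookie through the same validation steps and shows the three outcomes that matter to an operator, a valid login, the "Required user-agent ... does not match" rejection, and the cas.tgc.pinToSession=false path. The cookie layout, field count and error strings follow the quoted Java; the '@' separator, the IP addresses and the user-agent strings are assumptions constructed for this demo.

```python
from dataclasses import dataclass

COOKIE_FIELD_SEPARATOR = "@"   # assumed separator value for this demo
COOKIE_FIELDS_LENGTH = 3       # TGT id, remote address, user agent

@dataclass(frozen=True)
class Request:
    client_ip: str      # stand-in for ClientInfoHolder.getClientInfo()
    user_agent: str     # stand-in for the request's User-Agent header

def build_compound_cookie(tgt_id: str, req: Request) -> str:
    """Cookie as written at login: the TGT id pinned to client IP and UA."""
    return COOKIE_FIELD_SEPARATOR.join([tgt_id, req.client_ip, req.user_agent])

def obtain_value_from_compound_cookie(cookie: str, req: Request,
                                      pin_to_session: bool = True) -> str:
    """Mirror of the quoted Java method, raising the same error messages."""
    if not cookie:
        raise ValueError("Invalid empty cookie")
    parts = cookie.split(COOKIE_FIELD_SEPARATOR)
    value = parts[0]
    if not pin_to_session:          # cas.tgc.pinToSession=false: no checks
        return value
    if len(parts) != COOKIE_FIELDS_LENGTH:
        raise ValueError("Invalid cookie. Required fields are missing")
    _, remote_addr, user_agent = parts
    if any(not p.strip() for p in parts):
        raise ValueError("Invalid cookie. Required fields are empty")
    if remote_addr != req.client_ip:
        raise ValueError(f"Invalid cookie. Required remote address {remote_addr}"
                         f" does not match {req.client_ip}")
    if user_agent != req.user_agent:
        raise ValueError(f"Invalid cookie. Required user-agent {user_agent}"
                         f" does not match {req.user_agent}")
    return value

def validate(cookie: str, req: Request, pin_to_session: bool = True) -> str:
    """Return the TGT id, or the error text an operator would find in the log."""
    try:
        return obtain_value_from_compound_cookie(cookie, req, pin_to_session)
    except ValueError as exc:
        return str(exc)

# Constructed sample: IE 11 at the portal, then the same browser in
# Compatibility View when the legacy app redirects back to /login?service=.
IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko"
COMPAT_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0)"
LOGIN_REQ = Request("198.51.100.23", IE11_UA)
LEGACY_REQ = Request("198.51.100.23", COMPAT_UA)
TGC = build_compound_cookie("TGT-1-example", LOGIN_REQ)
```

Running validate(TGC, LEGACY_REQ) reproduces the user-agent rejection that forces the second login, and the same call with pin_to_session=False returns the TGT id, which is the trade-off the pinToSession property controls.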


[cas-user] Re: Double Login for Mozilla 4.0 User Agent

2020-01-23 Thread Andy Ng
Hi Justin,

CAS 5 has said that at least the UI will have problems with IE 9 or below, 
so I doubt they built CAS 5 with IE 7 support in mind:
https://apereo.github.io/cas/5.3.x/installation/User-Interface-Customization.html#browser-support

I don't have IE 7 set up on my system, so I can't really test this...

However, I have looked into these properties here:
https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#adaptive-authentication

It seems like it is possible to reject agents like so:
*cas.authn.adaptive.rejectBrowsers=Gecko.+*

But by default there are no rejected agents for this, so I doubt the issue is 
related to adaptive authentication.

Can you enable your CAS debug log and post any anomalies here (with 
sensitive info censored, of course), so the community can look at your CAS 
log and see if there are any other problems with it?

Cheers!
- Andy

