Re: pgtIou not being sent for CAS 2.0 serviceValidate request


Adam Franco
Hi folks, I'm setting up CAS 5.2.x (5.2.9) as a maven WAR overlay with an Apache proxy handling SSL termination on 443 in front of my CAS server which is running as a daemon using the embedded Tomcat.

The service is working well for basic CAS 1/2/3 and SAML 1.1 authentication, however I ran into issues with proxy authentication when using the CAS 2.0 protocol.

Basically, when accessing serviceValidate (CAS 2.0) and passing a pgtUrl, the CAS server doesn't try to connect to the service and pass the pgtIou, as it should according to the CAS protocol specification. Thankfully the pgtIou is sent when using CAS 3.0 protocol, providing a work-around, but CAS 2.0 proxy authentication is no longer working according to spec. As a related note, this same client application was able to do proxy-authentication to a cas-server version 3.x (and I believe 4.x), so this seems to be a newer issue in cas server 5.x.


CAS 3.0 -- Works!

Here is the relevant portion of the debug log for the CAS side of a CAS 3.0 /p3/serviceValidate request. Note the lines in bold where the PGTIOU is sent:
2018-06-07 12:18:00,204 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Ticket [ST-24-5ggtd29odQOmKmjAC-cVbK-Imx0-ceres] has expired and is now removed from the cache>
2018-06-07 12:18:00,204 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{
  "who" : "B0F836FCDADFDDFF7A17C02C62CDB227",
  "what" : "ST-24-5ggtd29odQOmKmjAC-cVbK-Imx0-ceres",
  "action" : "SERVICE_TICKET_VALIDATED",
  "application" : "CAS",
  "when" : "Thu Jun 07 12:18:00 EDT 2018",
  "clientIpAddress" : "140.233.37.63",
  "serverIpAddress" : "140.233.4.163"
}
>
2018-06-07 12:18:00,204 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Initiating transaction commit>
2018-06-07 12:18:00,205 DEBUG [org.apereo.cas.validation.AbstractCasProtocolValidationSpecification] - <Is validation specification set to enforce [renew] protocol behavior? [no]. Is assertion issued from a new login? [no]>
2018-06-07 12:18:00,205 DEBUG [org.apereo.cas.validation.Cas20WithoutProxyingValidationSpecification] - <Number of chained authentications in the assertion [1]>
2018-06-07 12:18:00,205 DEBUG [org.apereo.cas.validation.AbstractCasProtocolValidationSpecification] - <Validation specification is satisfied by the produced assertion>
2018-06-07 12:18:00,205 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <Locating the primary authentication associated with this service request [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@4175357a[id=http://saw.middlebury.edu/~afranco/CAS_Test/,originalUrl=http://saw.middlebury.edu/~afranco/CAS_Test/,artifactId=<null>,principal=B0F836FCDADFDDFF7A17C02C62CDB227,loggedOutAlready=false,format=XML]]>
2018-06-07 12:18:00,205 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <No particular authentication context is required for this request>
2018-06-07 12:18:00,219 DEBUG [org.apereo.cas.util.http.SimpleHttpClient] - <Response code from server matched [200].>
2018-06-07 12:18:00,219 DEBUG [org.apereo.cas.ticket.proxy.support.Cas20ProxyHandler] - <Sent ProxyIou of [PGTIOU-10-*********************************************************oKhTtoJwRc-ceres] for service: [https://saw.middlebury.edu/~afranco/CAS_Test/]>

2018-06-07 12:18:00,219 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <Successfully validated service ticket [ST-24-5ggtd29odQOmKmjAC-cVbK-Imx0-ceres] for service [http://saw.middlebury.edu/~afranco/CAS_Test/]>
2018-06-07 12:18:00,219 DEBUG [org.apereo.cas.services.web.view.AbstractDelegatingCasView] - <Preparing the output model [[assertion, service, pgtIou, proxyGrantingTicket, org.springframework.validation.BindingResult.assertion, org.springframework.validation.BindingResult.service]] to render view [Cas30ResponseView]>
2018-06-07 12:18:00,220 DEBUG [org.apereo.cas.web.view.Cas20ResponseView] - <Prepared CAS response output model with attribute names [[assertion, service, pgtIou, proxyGrantingTicket, org.springframework.validation.BindingResult.assertion, org.springframework.validation.BindingResult.service, principal, chainedAuthentications, primaryAuthentication]]>
2018-06-07 12:18:00,220 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <Processed response principal attributes from the output model to be [[Status, Department, MemberOf, FirstName, DisplayName, Title, LastName, TelephoneNumber, EMail]]>
2018-06-07 12:18:00,220 DEBUG [org.apereo.cas.web.view.Cas30ResponseView] - <CAS is configured to release protocol-level attributes. Processing...>



CAS 2.0 -- Doesn't work...
When a client (using phpCAS) makes the CAS 2.0 serviceValidate request which includes the pgtURL:
the CAS server never connects to the client to transmit the pgtIou.

Here is the relevant portion of the debug log for the CAS side of a CAS 3.0 /serviceValidate request. Note the line in bold where PGTIOU sending isn't done:
2018-06-07 12:08:04,058 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Ticket [ST-23-me1LUGGZxwRdvoz1E7DRT-lPinY-ceres] has expired and is now removed from the cache>
2018-06-07 12:08:04,059 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{
  "who" : "B0F836FCDADFDDFF7A17C02C62CDB227",
  "what" : "ST-23-me1LUGGZxwRdvoz1E7DRT-lPinY-ceres",
  "action" : "SERVICE_TICKET_VALIDATED",
  "application" : "CAS",
  "when" : "Thu Jun 07 12:08:04 EDT 2018",
  "clientIpAddress" : "140.233.37.63",
  "serverIpAddress" : "140.233.4.163"
}
>
2018-06-07 12:08:04,059 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Initiating transaction commit>
2018-06-07 12:08:04,071 DEBUG [org.apereo.cas.validation.AbstractCasProtocolValidationSpecification] - <Is validation specification set to enforce [renew] protocol behavior? [no]. Is assertion issued from a new login? [no]>
2018-06-07 12:08:04,072 DEBUG [org.apereo.cas.validation.Cas20WithoutProxyingValidationSpecification] - <Number of chained authentications in the assertion [1]>
2018-06-07 12:08:04,072 DEBUG [org.apereo.cas.validation.AbstractCasProtocolValidationSpecification] - <Validation specification is satisfied by the produced assertion>
2018-06-07 12:08:04,072 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <Locating the primary authentication associated with this service request [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@5a493bb[id=http://saw.middlebury.edu/~afranco/CAS_Test/,originalUrl=http://saw.middlebury.edu/~afranco/CAS_Test/,artifactId=<null>,principal=B0F836FCDADFDDFF7A17C02C62CDB227,loggedOutAlready=false,format=XML]]>
2018-06-07 12:08:04,072 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <No particular authentication context is required for this request>
2018-06-07 12:08:04,072 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <No service credentials specified, and/or the proxy handler [Cas10ProxyHandler] cannot handle credentials>
2018-06-07 12:08:04,072 DEBUG [org.apereo.cas.web.AbstractServiceValidateController] - <Successfully validated service ticket [ST-23-me1LUGGZxwRdvoz1E7DRT-lPinY-ceres] for service [http://saw.middlebury.edu/~afranco/CAS_Test/]>
2018-06-07 12:08:04,073 DEBUG [org.apereo.cas.services.web.view.AbstractDelegatingCasView] - <Preparing the output model [[assertion, service, proxyGrantingTicket, org.springframework.validation.BindingResult.assertion, org.springframework.validation.BindingResult.service]] to render view [Cas20ResponseView]>
2018-06-07 12:08:04,073 DEBUG [org.apereo.cas.web.view.Cas20ResponseView] - <Prepared CAS response output model with attribute names [[assertion, service, proxyGrantingTicket, org.springframework.validation.BindingResult.assertion, org.springframework.validation.BindingResult.service, principal, chainedAuthentications, primaryAuthentication]]>
2018-06-07 12:08:04,073 DEBUG [org.apereo.cas.services.web.view.AbstractDelegatingCasView] - <Prepared output model with objects [assertion]. Now rendering view...>


It seems that a Cas10ProxyHandler is incorrectly chosen even though a pgtUrl is specified in the request and serviceValidate is a CAS 2.0 protocol URL. I have yet to be able to track down how the proxy handler is chosen to figure out a fix.

Adam

--

Adam Franco
Senior Software Developer
Information Technology Services
Middlebury College
Middlebury, VT 05753
[hidden email]
802.443.2244
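The exchange Adam describes has two halves on the client side: the pgtUrl endpoint that receives the server's callback (pgtIou plus pgtId), and the serviceValidate response that names the pgtIou the client should redeem. The following is an added example, not code from the post, from CAS, or from phpCAS: a small offline model of that client half that distinguishes "validation succeeded but no PGT was issued" (the CAS 2.0 symptom in the log above) from "PGT issued but the callback never arrived" and from plain validation failure. Every ticket value, hostname, class and function name, and the three XML bodies are constructed for this example; the behaviour of refusing a non-HTTPS callback and answering a parameterless GET without storing anything follows the CAS protocol's pgtUrl requirements, not any particular client's code.

```python
# Added example (not code from the original post, CAS, or phpCAS): an offline
# model of the client half of CAS proxy authentication, used to tell apart the
# three ways a pgtUrl exchange can fail. All ticket values, hostnames and the
# XML bodies below are constructed for this example.
from urllib.parse import parse_qs, urlsplit
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed responses. The first mirrors the CAS 3.0 log (pgtIou present in
# the output model), the second the CAS 2.0 log (pgtIou absent), the third a
# validation failure.
CAS30_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>casuser</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-EXAMPLE-1</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

CAS20_RESPONSE_NO_PGT = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>casuser</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-0-EXAMPLE not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


class ProxyCallbackStore:
    """Holds pgtIou -> pgtId pairs delivered to the client's pgtUrl endpoint."""

    def __init__(self):
        self._pgt = {}

    def handle_callback(self, request_url):
        """Process one GET the CAS server made to pgtUrl; returns what happened."""
        parts = urlsplit(request_url)
        # The CAS protocol requires pgtUrl to be HTTPS: a plaintext callback would
        # expose the pgtId, which is a reusable credential tied to the user's SSO
        # session.
        if parts.scheme != "https":
            return "rejected_insecure_scheme"
        q = parse_qs(parts.query)
        pgt_iou = q.get("pgtIou", [""])[0]
        pgt_id = q.get("pgtId", [""])[0]
        if not pgt_iou or not pgt_id:
            # A GET without both parameters carries nothing to store; the endpoint
            # should still answer 200 so the server treats the URL as reachable.
            return "probe"
        self._pgt[pgt_iou] = pgt_id
        return "stored"

    def redeem(self, pgt_iou):
        """Exchange a pgtIou for its pgtId exactly once (the IOU is single-use)."""
        return self._pgt.pop(pgt_iou, None)


def parse_service_validate(xml_text):
    """Parse a CAS 2.0/3.0 serviceResponse into a plain dict."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code"),
                "message": (failure.text or "").strip()}
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("neither authenticationSuccess nor authenticationFailure")
    return {
        "ok": True,
        "user": success.findtext("cas:user", namespaces=CAS_NS),
        "pgtIou": success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS),
        "proxies": [p.text for p in success.iterfind("cas:proxies/cas:proxy", CAS_NS)],
    }


def check_proxy_auth(xml_text, store):
    """Classify the outcome of a serviceValidate call that sent a pgtUrl."""
    result = parse_service_validate(xml_text)
    if not result["ok"]:
        return "auth_failed"
    if not result["pgtIou"]:
        # Validation succeeded but the server never issued a PGT: the symptom in
        # the CAS 2.0 log, where Cas10ProxyHandler was chosen and no callback made.
        return "no_pgtiou_in_response"
    if store.redeem(result["pgtIou"]) is None:
        # The response names an IOU the callback never delivered: callback
        # unreachable, TLS failure, or the server reached a different instance.
        return "callback_not_received"
    return "ok"
```

In a real client the "stored" branch runs in the callback page the CAS server fetches (the request that produced the "Response code from server matched [200]" line in the working log), and `check_proxy_auth` runs in the page that issued serviceValidate; separating the two outcomes is what lets you tell a server-side problem like the one above from a callback that was simply unreachable or rejected for its certificate.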


--
You received this message because you are subscribed to the Google Groups "CAS Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-dev/.