URL parameters lost after LoginController


URL parameters lost after LoginController

Jackson, Allan

We just upgraded to uPortal 5, and I’m seeing an issue when deep linking to a portlet from an external system. If the user is already logged into the portal, the link works fine, but if they have to go through the portal’s LoginController first, the request parameters are getting stripped off.

 

I recorded the list of URL redirects that the browser goes through (with some fake portlet names and data):

 

  1. http://localhost:8080/uPortal/p/PortletName?action=/DisplayStudent&studentId=1234567&anotherOption=true
  2. https://CasServerUrl/cas/login?service=http://localhost:8080/uPortal/Login%3FrefUrl%3D%2FuPortal%2Fp%2FPortletName%253Faction%253D%252FDisplayStudent%2526studentId%253D1234567%2526anotherOption%253Dtrue
  3. http://localhost:8080/uPortal/Login?refUrl=/uPortal/p/PortletName%3Faction%3D%2FDisplayStudent%26studentId%3D1234567%26anotherOption%3Dtrue&ticket=CasTicketHere
  4. http://localhost:8080/uPortal/Login?refUrl=/uPortal/p/PortletName?action=/DisplayStudent&studentId=1234567&anotherOption=true
  5. http://localhost:8080/uPortal/p/PortletName?action=/DisplayStudent

 

The step that is actually hitting the portal’s LoginController class is #4 (step 3 never makes it clear to the controller). At that point, it tries to pull out the refUrl parameter, but the URL has already been fully decoded, so the refUrl only goes up until the very first ampersand character instead of including all the parameters that it should contain.

 

 

After writing up the start of this email, I tried downgrading the cas-client jar to v 3.2.2 (from 3.5.1), and that actually fixed the problem. Using that version of the cas client, I’m seeing these URLs:

  1. same
  2. same
  3. same
  4. NONE
  5. http://localhost:8080/uPortal/p/PortletName?action=/DisplayStudent&studentEmplId=1234567&anotherOption=true

 

The crucial difference here is that it only tries to hit the LoginController one time (and it’s using the correct url encoding at that point).

 

Does anyone have any ideas about ways to resolve this? That jar file is being pulled in by uPortal core, so it’s not easy to downgrade it with our default build options. At this point I’m still not sure if it’s a bug in the CAS code, uPortal code, or some sort of version mismatch with the standalone CAS we’re running.

 

Thanks,

Allan

--
You received this message because you are subscribed to the Google Groups "uPortal Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-user/B56832BF-6751-4E20-A559-8181E8D10F11%40ku.edu.
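
The redirect chain recorded in the post above, rebuilt as an added example (it is not part of the original thread and is not cas-client or uPortal code). It shows the two encoding layers around refUrl and why one decode too many leaves only the first parameter; the function names are hypothetical, and the query parsing is modelled with Python's urllib.parse rather than the servlet container.

```python
"""Model of the redirect hops recorded in the post (constructed, not cas-client code)."""
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Hosts and the deep link are copied from the recorded hops; the function
# names below are hypothetical and exist only for this illustration.
PORTAL = "http://localhost:8080"
CAS_LOGIN = "https://CasServerUrl/cas/login"
DEEP_LINK = ("/uPortal/p/PortletName"
             "?action=/DisplayStudent&studentId=1234567&anotherOption=true")


def encode_ref_url(deep_link):
    """Layer 1: percent-encode the deep link's query so it fits inside refUrl=."""
    path, sep, query = deep_link.partition("?")
    return path + quote(sep + query, safe="")


def login_url(deep_link, ticket=None):
    """Portal login URL carrying the deep link (hop 3 once CAS appends a ticket)."""
    url = f"{PORTAL}/uPortal/Login?refUrl={encode_ref_url(deep_link)}"
    return url + (f"&ticket={ticket}" if ticket else "")


def cas_redirect(deep_link):
    """Layer 2: the login URL's query is encoded again inside service= (hop 2)."""
    base, sep, query = login_url(deep_link).partition("?")
    return f"{CAS_LOGIN}?service={base}{quote(sep + query, safe='')}"


def over_decoded_login_url(deep_link):
    """Hop 4: the login URL after it has been percent-decoded one time too many."""
    return unquote(login_url(deep_link))


def ref_url_seen(url):
    """refUrl as a query parser sees it: split on '&' first, then decode each value."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return params.get("refUrl")


def lost_params(deep_link, hop_url):
    """Deep-link parameters that are missing from the refUrl recovered at a hop."""
    wanted = dict(parse_qsl(urlsplit(deep_link).query))
    got = dict(parse_qsl(urlsplit(ref_url_seen(hop_url) or "").query))
    return sorted(name for name in wanted if got.get(name) != wanted[name])


if __name__ == "__main__":
    hops = {
        "hop 2": cas_redirect(DEEP_LINK),
        "hop 3": login_url(DEEP_LINK, "CasTicketHere"),
        "hop 4": over_decoded_login_url(DEEP_LINK),
    }
    for name, url in hops.items():
        print(name, url)
    for name in ("hop 3", "hop 4"):
        print(name, "refUrl =", ref_url_seen(hops[name]),
              "| lost:", lost_params(DEEP_LINK, hops[name]))
```

Running `lost_params` against each hop of a captured redirect trace shows at which hop the deep link stops round-tripping.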

Re: URL parameters lost after LoginController

Jackson, Allan

After poking around in the CAS source code, I found the encodeServiceUrl parameter. This setting defaults to true, but it was disabled for uPortal core with an unrelated commit last year. Does anyone know more about why this was changed? If I set the value back to true, it fixes the issues I’m seeing.

 

https://github.com/Jasig/uPortal/commit/579913b5d45f03bca167813b090b61cec323f0e9

 

Allan

 

 

From: <[hidden email]> on behalf of "Jackson, Allan" <[hidden email]>
Date: Tuesday, August 6, 2019 at 11:14 AM
To: "[hidden email]" <[hidden email]>
Subject: [uportal-user] URL parameters lost after LoginController

 


Re: URL parameters lost after LoginController

Jonathan M. Tran-2

encodeServiceUrl = false was added as part of a fix for UP-5000 (https://apereo.atlassian.net/browse/UP-5000?oldIssueView=true). I unfortunately didn't document what the URLs looked like before and after the encodeServiceUrl change to recall what exactly it was that made CAS unhappy in the past ... It looks like I was chasing down two things at that time.
Setting encodeServiceUrl to true, things appear to redirect and serviceValidate as they should. I imagine that it should be changed.

Luckily, this bean can be overridden in overridesContext.xml (https://github.com/Jasig/uPortal-start/blob/master/overlays/uPortal/src/main/resources/properties/contextOverrides/overridesContext.xml) until it's updated in upstream.

- Jonathan

On 8/6/19 11:51 AM, Jackson, Allan wrote:

After poking around in the CAS source code, I found the encodeServiceUrl parameter. This setting defaults to true, but it was disabled for uPortal core with an unrelated commit last year. Does anyone know more about why this was changed? If I set the value back to true, it fixes the issues I’m seeing.

 

https://github.com/Jasig/uPortal/commit/579913b5d45f03bca167813b090b61cec323f0e9

 

Allan

 

 


Re: URL parameters lost after LoginController

Jackson, Allan

Ah, thanks for the context! I did notice some differences in the way the cas-client was behaving between versions 3.3, 3.4, and 3.5 so it’s possible that the encodeServiceUrl=false change was needed at that time but no longer is.

 

 

From: <[hidden email]> on behalf of "Jonathan M. Tran" <[hidden email]>
Date: Tuesday, August 6, 2019 at 2:30 PM
To: "[hidden email]" <[hidden email]>
Subject: Re: [uportal-user] URL parameters lost after LoginController

 

encodeServiceUrl = false was added as part of a fix for UP-5000. I unfortunately didn't document what the URLs looked like before and after the encodeServiceUrl change to recall what exactly it was that made CAS unhappy in the past ... It looks like I was chasing down two things at that time.
Setting encodeServiceUrl to true, things appear to redirect and serviceValidate as they should. I imagine that it should be changed.

Luckily, this bean can be overridden in overridesContext.xml until it's updated in upstream.

- Jonathan
 


Re: URL parameters lost after LoginController

Julien Gribonvald-2
Hi,
Sorry to be late to this topic.

Just one thing: did you run all the tests with the embedded CAS?
This param also seems to depend on the CAS version; for older versions you should keep this param set to false. For example, with my CAS, setting encodeServiceUrl to true doesn't allow the uPortal service to be validated correctly.

Also, in another post I said that this parameter should depend on user customization, and in the best case it should be compatible with the embedded CAS.

-
Julien


On Tuesday, August 6, 2019 at 21:34:47 UTC+2, Jackson, Allan wrote:

Ah, thanks for the context! I did notice some differences in the way the cas-client was behaving between versions 3.3, 3.4, and 3.5 so it’s possible that the encodeServiceUrl=false change was needed at that time but no longer is.

 

 

From: <<a href="javascript:" target="_blank" gdf-obfuscated-mailto="vIoM6ZNuFQAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">uporta...@...> on behalf of "Jonathan M. Tran" <<a href="javascript:" target="_blank" gdf-obfuscated-mailto="vIoM6ZNuFQAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">j...@...>
Date: Tuesday, August 6, 2019 at 2:30 PM
To: "<a href="javascript:" target="_blank" gdf-obfuscated-mailto="vIoM6ZNuFQAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">uporta...@..." <<a href="javascript:" target="_blank" gdf-obfuscated-mailto="vIoM6ZNuFQAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">uporta...@...>
Subject: Re: [uportal-user] URL parameters lost after LoginController

 

encodeServiceUrl = false was added as part of a fix for <a href="https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapereo.atlassian.net%2Fbrowse%2FUP-5000%3FoldIssueView%3Dtrue&amp;data=02%7C01%7Callanjackson%40ku.edu%7C19f598a52f964202502008d71aa47a2a%7C3c176536afe643f5b96636feabbe3c1a%7C0%7C0%7C637007166041717010&amp;sdata=UfZQHy0UtU6oP7%2FFGUGe8VOZcN3UzIa%2FydvGr8eNrqw%3D&amp;reserved=0" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fnam01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fapereo.atlassian.net%252Fbrowse%252FUP-5000%253FoldIssueView%253Dtrue%26data%3D02%257C01%257Callanjackson%2540ku.edu%257C19f598a52f964202502008d71aa47a2a%257C3c176536afe643f5b96636feabbe3c1a%257C0%257C0%257C637007166041717010%26sdata%3DUfZQHy0UtU6oP7%252FFGUGe8VOZcN3UzIa%252FydvGr8eNrqw%253D%26reserved%3D0\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNErCBIn6S7V9rduDTOsdRprUiRo6w&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fnam01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fapereo.atlassian.net%252Fbrowse%252FUP-5000%253FoldIssueView%253Dtrue%26data%3D02%257C01%257Callanjackson%2540ku.edu%257C19f598a52f964202502008d71aa47a2a%257C3c176536afe643f5b96636feabbe3c1a%257C0%257C0%257C637007166041717010%26sdata%3DUfZQHy0UtU6oP7%252FFGUGe8VOZcN3UzIa%252FydvGr8eNrqw%253D%26reserved%3D0\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNErCBIn6S7V9rduDTOsdRprUiRo6w&#39;;return true;"> UP-5000. I unfortunately didn't document what the URLs looked like before and after the encodeServiceUrl change to recall what exactly it was that made CAS unhappy in the past ... It looks like I was chasing down two things at that time
Setting encodeServiceUrl to true, things appear redirect and serviceValidate as it should. I imagine that it should be changed.

Luckily, this bean can be overriden in <a href="https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FJasig%2FuPortal-start%2Fblob%2Fmaster%2Foverlays%2FuPortal%2Fsrc%2Fmain%2Fresources%2Fproperties%2FcontextOverrides%2FoverridesContext.xml&amp;data=02%7C01%7Callanjackson%40ku.edu%7C19f598a52f964202502008d71aa47a2a%7C3c176536afe643f5b96636feabbe3c1a%7C0%7C0%7C637007166041727017&amp;sdata=2hJYahfAfWkYbDokBQ0yzaUftys0t69r6k%2BsfwwsknU%3D&amp;reserved=0" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fnam01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fgithub.com%252FJasig%252FuPortal-start%252Fblob%252Fmaster%252Foverlays%252FuPortal%252Fsrc%252Fmain%252Fresources%252Fproperties%252FcontextOverrides%252FoverridesContext.xml%26data%3D02%257C01%257Callanjackson%2540ku.edu%257C19f598a52f964202502008d71aa47a2a%257C3c176536afe643f5b96636feabbe3c1a%257C0%257C0%257C637007166041727017%26sdata%3D2hJYahfAfWkYbDokBQ0yzaUftys0t69r6k%252BsfwwsknU%253D%26reserved%3D0\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHFlqi3JmZfbVC82h-4SYBJEONJvA&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fnam01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fgithub.com%252FJasig%252FuPortal-start%252Fblob%252Fmaster%252Foverlays%252FuPortal%252Fsrc%252Fmain%252Fresources%252Fproperties%252FcontextOverrides%252FoverridesContext.xml%26data%3D02%257C01%257Callanjackson%2540ku.edu%257C19f598a52f964202502008d71aa47a2a%257C3c176536afe643f5b96636feabbe3c1a%257C0%257C0%257C637007166041727017%26sdata%3D2hJYahfAfWkYbDokBQ0yzaUftys0t69r6k%252BsfwwsknU%253D%26reserved%3D0\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHFlqi3JmZfbVC82h-4SYBJEONJvA&#39;;return true;"> overridesContext.xml until its updated in upstream.

- Jonathan
 

On 8/6/19 11:51 AM, Jackson, Allan wrote:

After poking around in the CAS source code, I found the encodeServiceUrl parameter. This setting defaults to true, but it was disabled for uPortal core with an unrelated commit last year. Does anyone know more about why this was changed? If I set the value back to true, it fixes the issues I’m seeing.

 

<a href="https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FJasig%2FuPortal%2Fcommit%2F579913b5d45f03bca167813b090b61cec323f0e9&amp;data=02%7C01%7Callanjackson%40ku.edu%7C19f598a52f964202502008d71aa47a2a%7C3c176536afe643f5b96636feabbe3c1a%7C0%7C0%7C637007166041747033&amp;sdata=w5a6tEBJpy9roOF8GNo4PkEwhkE6fa3s%2BNt6oIfrzhI%3D&amp;reserved=0" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fnam01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fgithub.com%252FJasig%252FuPortal%252Fcommit%252F579913b5d45f03bca167813b090b61cec323f0e9%26data%3D02%257C01%257Callanjackson%2540ku.edu%257C19f598a52f964202502008d71aa47a2a%257C3c176536afe643f5b96636feabbe3c1a%257C0%257C0%257C637007166041747033%26sdata%3Dw5a6tEBJpy9roOF8GNo4PkEwhkE6fa3s%252BNt6oIfrzhI%253D%26reserved%3D0\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNE53QJy63B3zxOErAIetCUEjtO2Eg&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fnam01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fgithub.com%252FJasig%252FuPortal%252Fcommit%252F579913b5d45f03bca167813b090b61cec323f0e9%26data%3D02%257C01%257Callanjackson%2540ku.edu%257C19f598a52f964202502008d71aa47a2a%257C3c176536afe643f5b96636feabbe3c1a%257C0%257C0%257C637007166041747033%26sdata%3Dw5a6tEBJpy9roOF8GNo4PkEwhkE6fa3s%252BNt6oIfrzhI%253D%26reserved%3D0\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNE53QJy63B3zxOErAIetCUEjtO2Eg&#39;;return true;">https://github.com/Jasig/uPortal/commit/579913b5d45f03bca167813b090b61cec323f0e9

 

Allan

 

 

From: <a href="javascript:" target="_blank" gdf-obfuscated-mailto="vIoM6ZNuFQAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;"><uport...@...> on behalf of "Jackson, Allan" <a href="javascript:" target="_blank" gdf-obfuscated-mailto="vIoM6ZNuFQAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;"><allan...@...>
Date: Tuesday, August 6, 2019 at 11:14 AM
To: <a href="javascript:" target="_blank" gdf-obfuscated-mailto="vIoM6ZNuFQAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">"uport...@..." <a href="javascript:" target="_blank" gdf-obfuscated-mailto="vIoM6ZNuFQAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;"><uport...@...>
Subject: [uportal-user] URL parameters lost after LoginController

 

We just upgraded to uPortal 5, and I’m seeing an issue when deep linking to a portlet from an external system. If the user is already logged into the portal, the link works fine, but if they have to go through the portal’s LoginController first, the request parameters are getting stripped off.

 

I recorded the list of URL redirects that the browser goes through (with some fake portlet names and data):

 

  1. <a href="http://localhost:8080/uPortal/p/PortletName?action=/DisplayStudent&amp;studentId=1234567&amp;anotherOption=true" target="_blank" rel="nofollow" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Flocalhost%3A8080%2FuPortal%2Fp%2FPortletName%3Faction%3D%2FDisplayStudent%26studentId%3D1234567%26anotherOption%3Dtrue\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHBnN53Xk0jJ9bs4i5xBuwxVYC9mw&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Flocalhost%3A8080%2FuPortal%2Fp%2FPortletName%3Faction%3D%2FDisplayStudent%26studentId%3D1234567%26anotherOption%3Dtrue\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHBnN53Xk0jJ9bs4i5xBuwxVYC9mw&#39;;return true;">http://localhost:8080/uPortal/p/PortletName?action=/DisplayStudent&studentId=1234567&anotherOption=true

 

  1. <a href="https://CasServerUrl/cas/login?service=http://localhost:8080/uPortal/Login%3FrefUrl%3D%2FuPortal%2Fp%2FPortletName%253Faction%253D%252FDisplayStudent%2526studentId%253D1234567%2526anotherOption%253Dtrue" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2FCasServerUrl%2Fcas%2Flogin%3Fservice%3Dhttp%3A%2F%2Flocalhost%3A8080%2FuPortal%2FLogin%253FrefUrl%253D%252FuPortal%252Fp%252FPortletName%25253Faction%25253D%25252FDisplayStudent%252526studentId%25253D1234567%252526anotherOption%25253Dtrue\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFyrhWnezpS9zwEVJGCLMe3ANpNOQ&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2FCasServerUrl%2Fcas%2Flogin%3Fservice%3Dhttp%3A%2F%2Flocalhost%3A8080%2FuPortal%2FLogin%253FrefUrl%253D%252FuPortal%252Fp%252FPortletName%25253Faction%25253D%25252FDisplayStudent%252526studentId%25253D1234567%252526anotherOption%25253Dtrue\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFyrhWnezpS9zwEVJGCLMe3ANpNOQ&#39;;return true;">https://CasServerUrl/cas/login?service=http://localhost:8080/uPortal/Login%3FrefUrl%3D%2FuPortal%2Fp%2FPortletName%253Faction%253D%252FDisplayStudent%2526studentId%253D1234567%2526anotherOption%253Dtrue

 

  1. <a href="http://localhost:8080/uPortal/Login?refUrl=/uPortal/p/PortletName%3Faction%3D%2FDisplayStudent%26studentId%3D1234567%26anotherOption%3Dtrue&amp;ticket=CasTicketHere" target="_blank" rel="nofollow" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Flocalhost%3A8080%2FuPortal%2FLogin%3FrefUrl%3D%2FuPortal%2Fp%2FPortletName%253Faction%253D%252FDisplayStudent%2526studentId%253D1234567%2526anotherOption%253Dtrue%26ticket%3DCasTicketHere\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFHqyjQa1MCZnDx3Oa4e4Q6aaZMJg&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Flocalhost%3A8080%2FuPortal%2FLogin%3FrefUrl%3D%2FuPortal%2Fp%2FPortletName%253Faction%253D%252FDisplayStudent%2526studentId%253D1234567%2526anotherOption%253Dtrue%26ticket%3DCasTicketHere\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFHqyjQa1MCZnDx3Oa4e4Q6aaZMJg&#39;;return true;">http://localhost:8080/uPortal/Login?refUrl=/uPortal/p/PortletName%3Faction%3D%2FDisplayStudent%26studentId%3D1234567%26anotherOption%3Dtrue&ticket=CasTicketHere

 

  1. <a href="http://localhost:8080/uPortal/Login?refUrl=/uPortal/p/PortletName?action=/DisplayStudent&amp;studentId=1234567&amp;anotherOption=true" target="_blank" rel="nofollow" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Flocalhost%3A8080%2FuPortal%2FLogin%3FrefUrl%3D%2FuPortal%2Fp%2FPortletName%3Faction%3D%2FDisplayStudent%26studentId%3D1234567%26anotherOption%3Dtrue\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGbxgLk7CTOGJ4Tr5rsXuSyUXed3w&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Flocalhost%3A8080%2FuPortal%2FLogin%3FrefUrl%3D%2FuPortal%2Fp%2FPortletName%3Faction%3D%2FDisplayStudent%26studentId%3D1234567%26anotherOption%3Dtrue\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGbxgLk7CTOGJ4Tr5rsXuSyUXed3w&#39;;return true;">http://localhost:8080/uPortal/Login?refUrl=/uPortal/p/PortletName?action=/DisplayStudent&studentId=1234567&anotherOption=true

 

  1. <a href="http://localhost:8080/uPortal/p/PortletName?action=/DisplayStudent" target="_blank" rel="nofollow" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Flocalhost%3A8080%2FuPortal%2Fp%2FPortletName%3Faction%3D%2FDisplayStudent\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNELfhZSrI4xlvh__1kvP3Ai8Jv3Tw&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Flocalhost%3A8080%2FuPortal%2Fp%2FPortletName%3Faction%3D%2FDisplayStudent\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNELfhZSrI4xlvh__1kvP3Ai8Jv3Tw&#39;;return true;">http://localhost:8080/uPortal/p/PortletName?action=/DisplayStudent

 

The step that is actually hitting the portal’s LoginController class is #4 (step 3 never makes it clear to the controller). At that point, it tries to pull out the refUrl parameter, but the URL has already been fully decoded, so the refUrl only goes up until the very first ampersand character instead of including all the parameters that it should contain.

 

 

After writing up the start of this email, I tried downgrading the cas-client jar to v 3.2.2 (from 3.5.1), and that actually fixed the problem. Using that version of the cas client, I’m seeing these URLs:

  1. same
  2. same
  3. same
  4. NONE
  5. <a href="http://localhost:8080/uPortal/p/PortletName?action=/DisplayStudent&amp;studentEmplId=1234567&amp;anotherOption=true" target="_blank" rel="nofollow" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Flocalhost%3A8080%2FuPortal%2Fp%2FPortletName%3Faction%3D%2FDisplayStudent%26studentEmplId%3D1234567%26anotherOption%3Dtrue\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGs3ipLGtofTpnruhE4Je395MtdlQ&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Flocalhost%3A8080%2FuPortal%2Fp%2FPortletName%3Faction%3D%2FDisplayStudent%26studentEmplId%3D1234567%26anotherOption%3Dtrue\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGs3ipLGtofTpnruhE4Je395MtdlQ&#39;;return true;">http://localhost:8080/uPortal/p/PortletName?action=/DisplayStudent&studentEmplId=1234567&anotherOption=true

 

The crucial difference here is that it only tries to hit the LoginController one time (and it’s using the correct url encoding at that point).

 

Does anyone have any ideas about ways to resolve this? That jar file is being pulled in by uPortal core, so it’s not easy to downgrade it with our default build options. At this point I’m still not sure if it’s a bug in the CAS code, uPortal code, or some sort of version mismatch with the standalone CAS we’re running.

 

Thanks,

Allan

--
You received this message because you are subscribed to the Google Groups "uPortal Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-user/46ee2c82-d5c6-4752-8bf5-a7d1c59797a6%40apereo.org.
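
The truncation described in the original message can be reproduced from the step 3 and step 4 URLs in the recorded redirect list. This is an added example, not part of the thread and not uPortal or cas-client code; the two `strip_ticket_*` helpers are hypothetical models of a ticket-removing redirect, not the library's implementation.

```python
from urllib.parse import parse_qs, parse_qsl, urlsplit

# Path and query of step 1, and the full URLs of steps 3 and 4, from the thread.
DEEP_LINK = ("/uPortal/p/PortletName?action=/DisplayStudent"
             "&studentId=1234567&anotherOption=true")
STEP3 = ("http://localhost:8080/uPortal/Login?refUrl=/uPortal/p/PortletName"
         "%3Faction%3D%2FDisplayStudent%26studentId%3D1234567"
         "%26anotherOption%3Dtrue&ticket=CasTicketHere")
STEP4 = ("http://localhost:8080/uPortal/Login?refUrl=/uPortal/p/PortletName"
         "?action=/DisplayStudent&studentId=1234567&anotherOption=true")

def ref_url(login_url):
    """What a servlet-style parameter lookup returns for refUrl."""
    return parse_qs(urlsplit(login_url).query)["refUrl"][0]

def strip_ticket_decoded(url):
    """Hypothetical lossy rewrite: decode each pair, rejoin without re-encoding."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k != "ticket"]
    query = "&".join(f"{k}={v}" for k, v in kept)
    return f"{parts.scheme}://{parts.netloc}{parts.path}?{query}"

def strip_ticket_preserving(url):
    """Hypothetical safe rewrite: drop the raw ticket pair, keep the rest encoded."""
    parts = urlsplit(url)
    raw = [p for p in parts.query.split("&") if not p.startswith("ticket=")]
    return parts._replace(query="&".join(raw)).geturl()

def lost_params(expected, actual):
    """Names of query parameters present in expected but missing from actual."""
    want = parse_qs(urlsplit(expected).query)
    got = parse_qs(urlsplit(actual).query)
    return sorted(set(want) - set(got))

if __name__ == "__main__":
    for label, url in [("decoded", strip_ticket_decoded(STEP3)),
                       ("preserving", strip_ticket_preserving(STEP3))]:
        target = ref_url(url)
        print(label, "->", target, "lost:", lost_params(DEEP_LINK, target))
```

Once the query is rejoined in decoded form, the ampersands that belonged inside `refUrl` become top-level separators of the Login request, so the redirect target keeps only `action`.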