SEC-1592: CAS proxy receptor requests must not pass through the filter chain #1831
Labels
in: cas
An issue in spring-security-cas
type: bug
A general bug
type: jira
An issue that was migrated from JIRA
Milestone
Sébastien Launay (Migrated from SEC-1592) said:
I configured spring-security-cas in my webapp for generating proxy tickets.
During ticket validation we provide a pgtUrl parameter and then the CAS server tries
to connect to our webapp (using the configured proxyReceptorUrl) to determine is this
URL is a valid end-point but it result in a 404 because the request is passed trough
the servlet but is not handled (because no controller is mapped for this URL).
If we set the grails.plugins.springsecurity.rejectIfNoRule parameter [1] to true or if I mark this
proxy receptor URL with the role "IS_AUTHENTICATED_REMEMBERED" then it works:
This works because the CAS server is not strict about the expected XML fragment,
only the a proper status code is mandatory [2].
Current workaround is to create a controller for this URL with anonymous access and
always respond with a 200 and some text.
I believe this issue is not related to Grails and may impact any webapp using
spring-security-cas and wanting to generate proxy tickets.
Furthermore, the default behaviour in cas-client [3] is already to stop processing the
request once it has been handled by the Cas20ProxyReceivingTicketValidationFilter [3].
[1] http://burtbeckwith.github.com/grails-spring-security-core/docs/manual/index.html
[2] https://source.jasig.org/cas3/tags/cas-3-3-5-1-final/cas-server-core/src/main/java/org/jasig/cas/authentication/handler/support/HttpBasedServiceCredentialsAuthenticationHandler.java
[2] https://source.jasig.org/cas3/tags/cas-3-3-5-1-final/cas-server-core/src/main/java/org/jasig/cas/util/HttpClient.java
[3] https://source.jasig.org/cas-clients/java-client/tags/cas-client-3.1.12/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas20ProxyReceivingTicketValidationFilter.java
[3] https://source.jasig.org/cas-clients/java-client/tags/cas-client-3.1.12/cas-client-core/src/main/java/org/jasig/cas/client/validation/AbstractTicketValidationFilter.java
The text was updated successfully, but these errors were encountered: