Possible regression for "renew" in CAS 6.2.3 (still present in 6.2.4)


Dmngb

Oct 23, 2020, 9:31:56 AM
to CAS Community

  Hello all,

We have observed a behavior change between 6.2.2 and 6.2.3/6.2.4, regarding forced renew.

Nothing obvious stands out in the 'git diff v6.2.2..v6.2.3'.

(I have not been able to bisect further and propose a fix: I still have not found the exact command line to build and deploy successfully from sources to my maven local repo. But this is another topic.)

In 6.2.2:

  1. Go to http://cas/login?renew=true&TARGET=http://testapp/   (note: our testapp does not validate the service ticket – I don't think it's relevant for the issue at hand, but I mention it just in case)
  2. Login
  3. Go to http://cas/login?renew=true&TARGET=http://testapp/

Result (as expected): the login UI shows ‘welcome back ‘user’, …’


In 6.2.3/6.2.4:

  Same steps for 1/2/3

  Result: the login UI does not show ‘welcome back ‘user’, …’

-> e.g. existingSingleSignOnSessionAvailable seems to be false in the context used by loginform.html

Bug reproduced with a very basic CAS overlay:

  • cas-server-webapp-jetty + cas-server-support-rest + cas-server-support-json-service-registry
  • application.properties

    server.port=15446
    server.address=127.0.0.1
    server.ssl.enabled=false
    server.servlet.context-path=/cas
    cas.authn.accept.users=user::user
    cas.logout.followServiceRedirects=true
    cas.httpClient.allowLocalLogoutUrls=true
    cas.service-registry.json.location=classpath:/services

  • Json registry: an "allow all" service in services/all.json

    {
      "@class" : "org.apereo.cas.services.RegexRegisteredService",
      "serviceId" : ".*",
      "name" : "ALL-SERVICES",
      "id" : 10000001
    }


D.

Ray Bon

Oct 23, 2020, 12:27:31 PM
to cas-...@apereo.org
Damien,

With renew parameter set to true (i.e. force login), the 6.2.2 behaviour is incorrect.
Turn up logging to see what cas is thinking.

Ray

On Fri, 2020-10-23 at 06:31 -0700, Dmngb wrote:
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Dmngb

Oct 23, 2020, 1:12:11 PM
to CAS Community, Ray Bon
Ray,

I don't get why you say that 6.2.2 behaviour is wrong.

On both versions (6.2.2 and 6.2.3), the login UI is displayed and asks the user to re-log (this is expected with the renew parameter!).

On 6.2.3, however, the following alert message is not displayed anymore above the username text field:
   "Welcome back, <code><strong>{0}</strong></code>. We have detected an existing single sign-on session for you. However, you are being asked to re-authenticate again. Please enter your Username and Password and proceed."


Damien

Ray Bon

Oct 23, 2020, 2:21:02 PM
to damien...@gmail.com, cas-...@apereo.org
Damien,

My apologies. I thought 'login UI' was in your test app.

Is the cas login page displayed in 6.2.4, but the alert message is not, or are you redirected to the test app?

You could check the source for the log in page, https://github.com/apereo/cas, maybe that text has been removed.

Still, check the logs to see what is different.

Ray

Dmngb

Oct 28, 2020, 6:21:06 AM
to CAS Community, Ray Bon, Dmngb
  Hello,

There's only one user-visible difference between 6.2.2 and 6.2.[34]: the alert message is not displayed.
Otherwise, everything works as expected and we are redirected to the app after login.

Yes, I have checked the source code, and the warning message is still supposed to be displayed.

See code in /support/cas-server-support-thymeleaf/src/main/resources/templates/fragments/loginform.html:

    <div th:if="${existingSingleSignOnSessionAvailable}">
        <i class="mdi mdi-alert-decagram"></i>&nbsp;
        <span class="mdc-button__label"
              th:utext="#{screen.welcome.forcedsso(${existingSingleSignOnSessionPrincipal.id},${registeredService.name})}" />
    </div>

-> existingSingleSignOnSessionAvailable is set to false whereas it should be set to true (in fact, we have noticed, because our own UI customization relies on existingSingleSignOnSessionAvailable being set properly!).

I have not yet been able to build and test from source to find which commit in git log v6.2.2..v6.2.3 has changed the behavior.

Damien
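The three-step reproduction above (login with renew=true, then revisit the login page and look for the "Welcome back" alert) can be turned into a small regression check so the flag's behaviour is caught by a script rather than by eye. This is an added example, not CAS code or code from anyone in this thread; it assumes the login form's standard hidden fields (execution, _eventId), uses the service parameter rather than TARGET, and expects the service URL to be reachable so the post-login redirect succeeds. The HTML fragments at the bottom are constructed from the form and loginform.html markup quoted in this thread.

```python
# Added regression check for the renew=true "Welcome back" alert discussed in
# this thread (not CAS's own code; the 'user::user' credentials follow the
# reported overlay, everything else here is an assumption).
import re
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# Hidden webflow field every CAS login POST must echo back.
EXECUTION_RE = re.compile(r'name="execution"\s+value="([^"]+)"')
# Rendered screen.welcome.forcedsso text from loginform.html; the principal
# sits inside <code><strong>...</strong></code>.
FORCED_SSO_RE = re.compile(r"Welcome back,\s*(?:<[^>]+>\s*)*([^<]+)")

def extract_execution(page):
    """Return the webflow 'execution' token from a CAS login page."""
    m = EXECUTION_RE.search(page)
    if not m:
        raise ValueError("no execution field: not a CAS login page?")
    return m.group(1)

def forced_sso_principal(page):
    """Principal named in the alert, or None when the template saw
    existingSingleSignOnSessionAvailable == false (the reported regression)."""
    m = FORCED_SSO_RE.search(page)
    return m.group(1).strip() if m else None

def check_renew(cas, service, user, pw):
    """Steps 1-3 of the report; returns (logged_in, principal_or_None)."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))  # keeps the TGC
    qs = urllib.parse.urlencode({"renew": "true", "service": service})
    login_url = f"{cas}/login?{qs}"
    page = opener.open(login_url).read().decode()            # step 1
    form = urllib.parse.urlencode({
        "username": user, "password": pw,
        "execution": extract_execution(page), "_eventId": "submit"}).encode()
    resp = opener.open(login_url, form)                      # step 2
    logged_in = "ticket=" in resp.geturl()  # redirected with a service ticket
    page = opener.open(login_url).read().decode()            # step 3
    return logged_in, forced_sso_principal(page)

# Constructed fragments mirroring a CAS 6.2 login form and loginform.html.
SAMPLE_LOGIN_PAGE = ('<form id="fm1" method="post">'
                     '<input type="hidden" name="execution" value="e1s1" />'
                     '</form>')
SAMPLE_RENEW_PAGE = ('<div><i class="mdi mdi-alert-decagram"></i>&nbsp;'
                     '<span class="mdc-button__label">Welcome back, '
                     '<code><strong>user</strong></code>. We have detected an '
                     'existing single sign-on session for you.</span></div>')
```

Against the overlay from the first message the call would be check_renew("http://127.0.0.1:15446/cas", "http://testapp/", "user", "user"); a result of (True, None) is the symptom described in this thread, (True, "user") the 6.2.2 behaviour.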

Dmngb

Nov 19, 2021, 3:14:24 AM
to CAS Community, Dmngb, Ray Bon
  Hello,

Just for information, the regression is *not* present in 6.3.7.1 (but still is in 6.2.8).

  Damien
