Error 500 after authentication - service fails to authorize me


Jennifer LaVoie

Jan 7, 2019, 7:19:21 PM1/7/19
to CAS Community
Trying to get a new authorized service to work. I get through to our CAS login page, I can authenticate, but then I get this error returned.


org.jasig.cas.client.validation.TicketValidationException: org.opensaml.SAMLException: Ticket 'ST-24-UBBnZVuL7dYjEXnopRzJUFf0Th8-cas3-prd' does not match supplied service. The original service was 'https://travel.host.com:4447/tvlexp/tvlexp-flex/index.html' and the supplied service was 'https://travel.host.com:4447/tvlexp/tvlexp-flex/index.html;GLMSSESSIONID=yI0qXyny74f0aHv_ba0lAkIt2fR2rdHAVRh75L-5lX_brVwVLl6e!-1429711590'.


After I get this error, I click the back button on my browser, and it works. I got right in.

Any ideas?

Thank you
Jen

Ray Bon

Jan 7, 2019, 7:50:15 PM1/7/19
to cas-...@apereo.org
Jen,

The ST is being validated against a URL with GLMSSESSIONID... but this was not present with the log in request (the 2 need to match).
Change the CAS client to not send GLMS... or send it with the log in request.
Or maybe change the service registry id to something like https://travel.host.com:4447/tvlexp/tvlexp-flex/.* (memory may be rusty here).

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Jennifer LaVoie

Jan 7, 2019, 7:52:27 PM1/7/19
to CAS Community
I am using CAS 5.4.2

Jennifer LaVoie

Jan 7, 2019, 8:08:05 PM1/7/19
to CAS Community
How do I configure my CAS server not to send GLMSSESSIONID?

Jennifer LaVoie

Jan 7, 2019, 8:14:12 PM1/7/19
to CAS Community
I tried to fiddle with the service URL, but no luck... But thank you so much

I have two apps acting strangely

driving me crazy LOL


On Monday, January 7, 2019 at 7:50:15 PM UTC-5, rbon wrote:

Alberto Cabello Sánchez

Jan 8, 2019, 2:35:58 AM1/8/19
to cas-...@apereo.org
On Tue, 8 Jan 2019 00:50:10 +0000
Ray Bon <rb...@uvic.ca> wrote:

> Jen,
>
> The ST is being validated against a URL with GLMSSESSIONID... but
> this was not present with the log in request (the 2 need to match).
> Change the CAS client to not send GLMS... or send it with the log
> in request.
>
> Or maybe change the service registry id to something like
> https://travel.host.com:4447/tvlexp/tvlexp-flex/.* (memory may be
> rusty here).

Hi,

I don't think this will work: when the service registry URL doesn't match
the supplied URL, the error message is different (something like "you
are not authorized to use CAS").

Greetings,

--
Alberto Cabello Sánchez
Servicio de Informática
Universidad de Extremadura

Jennifer LaVoie

Jan 8, 2019, 11:33:29 AM1/8/19
to CAS Community
here is the complete error I get

org.jasig.cas.client.validation.TicketValidationException: org.opensaml.SAMLException: Ticket 'ST-68-Ym0B6A15gcil-QfPnLUps5D8Zt8-cas3-test' does not match supplied service. The original service was 'https://travel-test.host.edu:4443/tvlexp/index.htm;GLMSSESSIONID=NUwuSWilRK-4UvO5dzEvnCinKPmZgMxDmvRnbuoSFXSp7uuseQk-!304726366' and the supplied service was 'https://travel-test.host.edu:4443/tvlexp/index.htm'.
	at org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:93)
	at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:188)
	at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
	at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
	at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:111)
	at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
	at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:99)
	at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
	at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
	at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
	at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3748)
	at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3714)
	at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
	at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
	at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2283)
	at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2182)
	at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1499)
	at weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
	at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: org.opensaml.SAMLException: Ticket 'ST-68-Ym0B6A15gcil-QfPnLUps5D8Zt8-cas3-test' does not match supplied service. The original service was 'https://travel-test.host.edu:4443/tvlexp/index.htm;GLMSSESSIONID=NUwuSWilRK-4UvO5dzEvnCinKPmZgMxDmvRnbuoSFXSp7uuseQk-!304726366' and the supplied service was 'https://travel-test.host.edu:4443/tvlexp/index.htm'.
	at org.opensaml.SAMLException.getInstance(Unknown Source)
	at org.opensaml.SAMLResponse.fromDOM(Unknown Source)
	at org.opensaml.SAMLResponse.<init>(Unknown Source)
	at org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:48)

Ray Bon

Jan 8, 2019, 12:04:44 PM1/8/19
to cas-...@apereo.org
A 'not authorized to use CAS' message happens before authentication. This error happens on ST validation.

Ray Bon

Jan 8, 2019, 12:27:37 PM1/8/19
to cas-...@apereo.org
Jen,

What kind of control do you have over the client application?

It is odd that GLMSSESSIONID is sent as a parameter rather than being stored in a cookie, but stranger things have happened.

What does your service entry look like?

We have some entries that end in a fixed pattern and some that end with .*
It has been a while since I encountered this error and I am not sure if changes to the service entry will affect the result.

Ray

Jennifer LaVoie

Jan 8, 2019, 1:58:54 PM1/8/19
to CAS Community
Hi Ray

I did try to put the .* in the services URL, but no joy.

Here is my service file

{
  @class: org.apereo.cas.services.RegexRegisteredService
  name: Travel and Expense
  id: 1546908138322
  description: Production
  expirationPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy
    deleteWhenExpired: false
    notifyWhenDeleted: false
  }
  proxyPolicy:
  {
    @class: org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy
  }
  evaluationOrder: -1
  usernameAttributeProvider:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider
    canonicalizationMode: NONE
    encryptUsername: false
  }
  logoutType: BACK_CHANNEL
  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ReturnAllAttributeReleasePolicy
    principalAttributesRepository:
    {
      @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
      expiration: 2
      timeUnit: HOURS
    }
    consentPolicy:
    {
      @class: org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy
      enabled: true
    }
    authorizedToReleaseCredentialPassword: false
    authorizedToReleaseProxyGrantingTicket: false
    excludeDefaultAttributes: false
    authorizedToReleaseAuthenticationAttributes: true
  }
  multifactorPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    failureMode: NOT_SET
    bypassEnabled: false
  }
  accessStrategy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
    order: 0
    enabled: true
    ssoEnabled: true
    requireAllAttributes: true
    caseInsensitive: false
  }
}

Ray Bon

Jan 8, 2019, 2:28:01 PM1/8/19
to cas-...@apereo.org
Jen,

When CAS redirects after login, is the GLMS... part of the URL?
If it is, then the fix will have to be on client side.

Ray
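
The diagnosis in this thread (a container-rewritten session id, here GLMSSESSIONID, appended as a ";name=value" path parameter to one of the two service URLs but not the other) can be checked mechanically. The Python below is an added example written for this thread; it is not code from the CAS project or from anyone in the discussion. The function names and the list of session path-parameter names are my own assumptions, and the URLs are the ones quoted in the error messages above. It shows two things: the regex serviceId Ray suggested matches both URLs, so, as Alberto and Ray point out, the registry lookup is not what fails; and the only difference between the login-time and validation-time service strings is the session-id path parameter, which CAS's exact comparison of the two strings will never ignore.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Service URLs copied from the first error message in this thread: the one CAS
# recorded at login time and the one the client supplied at ticket validation.
LOGIN_SERVICE = "https://travel.host.com:4447/tvlexp/tvlexp-flex/index.html"
VALIDATION_SERVICE = (
    "https://travel.host.com:4447/tvlexp/tvlexp-flex/index.html"
    ";GLMSSESSIONID=yI0qXyny74f0aHv_ba0lAkIt2fR2rdHAVRh75L-5lX_brVwVLl6e!-1429711590"
)

# The serviceId regex Ray proposed for the RegexRegisteredService entry.
SERVICE_ID_REGEX = r"https://travel.host.com:4447/tvlexp/tvlexp-flex/.*"

# Path-parameter names servlet containers append when they fall back to URL
# session tracking. Assumption: GLMSSESSIONID is treated like the default jsessionid.
SESSION_PATH_PARAMS = frozenset(name.lower() for name in ("jsessionid", "GLMSSESSIONID"))


def registry_matches(service_id_regex: str, url: str) -> bool:
    """Mimic RegexRegisteredService: the serviceId regex must match the whole URL."""
    return re.fullmatch(service_id_regex, url) is not None


def strip_session_path_params(url: str) -> str:
    """Drop ';name=value' path parameters whose name is a session-id parameter.

    Only path segments are rewritten; query string and fragment are left untouched.
    """
    parts = urlsplit(url)  # keeps ';params' inside .path, unlike urlparse()
    cleaned_segments = []
    for segment in parts.path.split("/"):
        head, *params = segment.split(";")
        kept = [p for p in params if p.split("=", 1)[0].lower() not in SESSION_PATH_PARAMS]
        cleaned_segments.append(";".join([head, *kept]))
    return urlunsplit(parts._replace(path="/".join(cleaned_segments)))


def classify_mismatch(login_service: str, validation_service: str) -> str:
    """Explain why CAS rejected the ticket. CAS itself only performs the exact comparison;
    the normalisation here is a diagnostic, not something the server does."""
    if login_service == validation_service:
        return "identical"
    if strip_session_path_params(login_service) == strip_session_path_params(validation_service):
        return "session-id-path-parameter"
    return "different-service"


if __name__ == "__main__":
    print("registry matches login URL:     ", registry_matches(SERVICE_ID_REGEX, LOGIN_SERVICE))
    print("registry matches validation URL:", registry_matches(SERVICE_ID_REGEX, VALIDATION_SERVICE))
    print("cause of mismatch:", classify_mismatch(LOGIN_SERVICE, VALIDATION_SERVICE))
```

Because CAS compares the two service strings exactly, the fix belongs on the client side, as Ray says: either stop the container from rewriting the session id into URLs (with a Servlet 3.0 web.xml, `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>`), or stop the Java CAS client filters from encoding the service URL (their `encodeServiceUrl` init parameter set to `false`), so that the login redirect and the ticket validation build the same service string. Keeping the session id out of the URL is preferable on its own, since a URL-borne id ends up in server logs and Referer headers.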

Jennifer LaVoie

Jan 8, 2019, 2:37:50 PM1/8/19
to cas-...@apereo.org
Yes, it is part of the URL...

OK... I will speak with my app owner person

thank you
Jen

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1546975675.5350.35.camel%40uvic.ca.


--
"Confusion is a word we have invented for an order which is not understood."  ~Henry Miller