Redirect URL in case of wrong ticket ?


m.ich.elgre

Feb 3, 2023, 8:11:44 AM2/3/23
to CAS Community
Hello

I have a problem when someone uses a URL with an old or invalid ticket to access the application. I think this is a common problem, but I couldn't find clues to solve it.

The service settings use the default:
  "responseType": "REDIRECT"

The other choices (POST, HEADER) do not seem to work well for me. REDIRECT works very well, everything is fine, there is even single sign-out, with only one issue.

When the browser goes back to the application after authentication, the URL includes the ticket: ?ticket=ST-260-FX8wq79ZjsYs...

The problem is that if this URL is reused when the ticket is outdated, the user gets a 401 error.

HTTP Status 401 – Unauthorized
Type Status Report
message Ticket 'ST-260-FX8wq79ZjsYs...' not recognized
description The request requires HTTP authentication.

This may happen for instance if a user bookmarks the URL, or goes back in his browser history, etc. I see this often.

The application runs under Tomcat. There is a valve that does the authentication and puts the principal in the session's data.

<Valve
    className="org.jasig.cas.client.tomcat.v90.Cas20CasAuthenticator"
    encoding="UTF-8"
    casServerLoginUrl="https://.../cas/login"
    casServerUrlPrefix="https://.../cas/"
    serverName="..."
 />

How can I avoid having the token in the final URL, or handle the 401 error so as to redirect the flow to the CAS login instead of showing the error?

Thank you.
Michael

Pascal Rigaux

Feb 3, 2023, 9:26:21 AM2/3/23
to cas-...@apereo.org
Hi,

It seems you need the equivalent of "redirectAfterValidation" of the java-cas-client Cas20ProxyReceivingTicketValidationFilter...

Are you using https://github.com/lemon-arrebol/lemon-sso-java-cas-client ?


NB: Another, less standard, solution could be the following on an HTML page:

window.history.replaceState({}, null, location.href.replace(/[?&]ticket=[^#]*/, ''))

(which also saves an HTTP 302 but who cares...)

--
Pascal Rigaux

Expert in application development and deployment
DSIUN-PAS (Digital Applications and Services division)
Université Paris 1 Panthéon-Sorbonne - Centre Pierre Mendès France (PMF)
B 04 08 - 90, rue de Tolbiac - 75634 PARIS CEDEX 13 - FRANCE
Tel: 01 44 07 86 59 - 06 74 55 57 67
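A worked version of the two remedies discussed in this thread, added here as an example; it is not code from the thread, from java-cas-client or from the CAS server. It generalizes the replaceState one-liner so that other query parameters and the fragment survive, builds the CAS login redirect with a ticket-free service URL (what a filter or valve would send instead of the 401), and shows the redirect-after-validation decision as a function. The hostnames, the CAS_LOGIN constant and the decide() policy function are illustrative assumptions; the page elides the real CAS host.

```javascript
// Added example for this thread, not code from java-cas-client or the CAS server.
// Strips a consumed service ticket from the URL (what "redirectAfterValidation" and the
// replaceState one-liner do) and answers a stale ticket with a redirect to CAS login
// rather than a 401. Runs unchanged in Node and in a browser (WHATWG URL API).

const TICKET_PARAM = 'ticket';
const CAS_LOGIN = 'https://sso.example.org/cas/login'; // assumed; the thread elides the real host

// Remove only the `ticket` parameter, keeping every other query parameter and the fragment.
// A regex such as /[?&]ticket=[^#]*/ also eats the parameters that follow the ticket.
function stripTicket(href) {
  const url = new URL(href);
  if (!url.searchParams.has(TICKET_PARAM)) return href; // nothing to do, return as given
  url.searchParams.delete(TICKET_PARAM);
  return url.toString(); // the serializer drops the '?' when no parameters remain
}

// The redirect a server-side filter should issue when no session exists and the ticket
// is stale or absent: CAS /login with service= the ticket-free URL, so the user comes
// back to the page they asked for with a fresh ticket.
function loginRedirectUrl(casLoginUrl, requestedHref) {
  const login = new URL(casLoginUrl);
  login.searchParams.set('service', stripTicket(requestedHref));
  return login.toString();
}

// Policy a CAS filter/valve applies to one request. `sessionHasPrincipal` is whether a
// principal is already stored in the HTTP session; `ticketValid` is the outcome of
// validating the ticket against the CAS server (a real filter calls /serviceValidate
// here; this example takes the result as an argument). Returns the action to take.
function decide({ href, sessionHasPrincipal, ticketValid }) {
  const hasTicket = new URL(href).searchParams.has(TICKET_PARAM);
  if (sessionHasPrincipal) {
    // Already authenticated: a leftover ticket (bookmark, history) is ignored, but the
    // URL is cleaned so it is not bookmarked or sent in Referer headers again.
    return hasTicket
      ? { action: 'redirect', location: stripTicket(href) }
      : { action: 'serve' };
  }
  if (hasTicket && ticketValid) {
    // redirectAfterValidation: the caller has stored the principal in the session;
    // bounce to the same URL without the ticket.
    return { action: 'redirect', location: stripTicket(href) };
  }
  // No session and no usable ticket ("Ticket 'ST-...' not recognized"): go back to
  // CAS instead of answering 401 Unauthorized.
  return { action: 'redirect', location: loginRedirectUrl(CAS_LOGIN, href) };
}

// Browser side (the replaceState remedy, using stripTicket): rewrite the current history
// entry in place so back/forward and bookmarks never carry the ticket.
if (typeof window !== 'undefined' && window.history && window.location) {
  const clean = stripTicket(window.location.href);
  if (clean !== window.location.href) {
    window.history.replaceState(window.history.state, '', clean);
  }
}
```

Two caveats. Deleting a parameter through URLSearchParams re-serializes the whole query, so the encoding of other parameters can change (a `%20` becomes `+`); if the application compares the service URL byte for byte with what CAS validated, build it the same way everywhere. And the client-side rewrite only tidies the address bar: the stale-ticket 401 still has to be handled on the server, since a bookmarked ticket URL is requested before any script runs.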
