OAuth authentication and Tomcat preventing encoded slashes

Emmanuel Cervetti

Feb 25, 2017, 4:19:59 PM
to CAS Community
Hello,
Tomcat prevents using encoded slashes in URLs. I got a blank page when trying to use the OAuth server:

=>blank page

So I set tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true, the only answer I could find for such a problem.

Then the issue is different.
=>Redirection to the CAS login page (without the OAuth context parameters)

I've set a breakpoint in OAuth20WrapperController to see if it was a CAS installation problem, and I have the following behaviour:

=>no breakpoint stops, it goes straight to the CAS home page

=>breakpoint stops in OAuth20WrapperController, so it seems ok

What could I do so that the OAuth client request is handled by the CAS server?

My Tomcat is 8.5.11
Thank you very much for your answer

Emmanuel Cervetti

Feb 26, 2017, 12:32:17 PM
to cas-...@apereo.org
After further debugging, it seems to me that the OAuth server support in CAS 4.2 cannot handle URL GET data.
Everything is done to catch the POST parameters in the authorize route.
But the documentation (both CAS and OAuth) says to use GET parameters for authorization.

Jérôme LELEU

Feb 27, 2017, 1:49:41 AM
to CAS Community
Hi,

When the cas-server-support-oauth jar is added to the classpath, the /oauth2.0 URL mapping is automatically added to the CAS servlet regardless of the HTTP method. So the /authorize call should be caught for GET or POST requests.

Which version of Tomcat do you use? I remember doing several successful tests with Tomcat 7/8 with slashes in the redirection URL. Here is the demo I used: https://github.com/leleuj/cas-pac4j-oauth-demo/tree/4.2.x

Thanks.
Best regards,
Jérôme


Emmanuel Cervetti

Feb 28, 2017, 11:01:48 AM
to CAS Community
The problem was on the client side, sorry for that.

(I confirm that tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH must be set to true, however)

Thank you for your response