CAS v6.4: Not redirect login-page in safari (macOS Catalina) when I register a service


Jordi

Oct 21, 2021, 3:41:57 AM
to CAS Community

CAS v6.4 does not work for me in Safari (macOS Catalina).

I have done a basic CAS configuration using cas-overlay-template. These are the steps I have done:

  1. I have configured it to boot into an External Apache Tomcat v9.
  2. I configured CAS to authenticate with LDAP Authentication.
  3. I have registered a service in LDAP.

When I try to log in in Chrome, Firefox or Edge on Windows, everything works fine, but in Safari and Chrome on macOS Catalina it doesn't work; the login form reloads again.

I tried to modify the HTML and do a basic login, without using the default HTML, but the result is the same.

In version 5.2 it worked perfectly, but it does not work in versions 6.2 and 6.4.

I have only detected this problem when I have a registered service and the login has to redirect to the service page.

This is the log when I call CAS from Firefox; the authentication works well:

https://i.stack.imgur.com/8xlPf.png

but in Safari, the authentication doesn't work:

https://i.stack.imgur.com/GDs4e.png

Any suggestions?

Many thanks in advance!

Baba Ndiaye

Oct 21, 2021, 3:44:24 AM
to cas-...@apereo.org
Hi, can you do a step-by-step tutorial video on how to configure CAS with LDAP authentication, please, and share the link?


Ray Bon

Oct 21, 2021, 2:40:03 PM
to cas-...@apereo.org
Jordi,

When you say that the login form reloads, is authentication successful; is there a redirect with ST to the target application?

You can check your logs for the above.

Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

Jordi

Oct 22, 2021, 3:57:52 AM
to CAS Community, mrbaba...@gmail.com
Hello,

I did another test with only a JSON registered service, without LDAP Authentication. The problem occurs when I register a service, because CAS does not redirect to it.

In this example the URL that I am calling is: https://localhost:8443/cas/login?service=https%3A%2F%2Flocalhost%3A8443%2Fcas-sample%2F

I am sending you the video and the project (https://we.tl/t-MMM4MbxyPF, sent via https://wetransfer.com/). The project was deployed on Apache Tomcat v9.0.31.

OS version:
VersionSO.png

Safari version:
VersionSafari.png

This works perfectly on all browsers on Windows, but doesn't work on Safari.

Many thanks!

CasSafariTest.avi

Jordi

Oct 22, 2021, 4:03:45 AM
to CAS Community, Jordi, mrbaba...@gmail.com
Hello Ray Bon,

This is the log:
Logs.png

If you need more information, I can extract more logs.

Thanks.

Ray Bon

Oct 22, 2021, 11:18:34 AM
to cas-...@apereo.org, jordica...@gmail.com, mrbaba...@gmail.com
Jordi,

If the log in screen is being shown, cas thinks you need to authenticate.

Before looking at the spring logs, check the cas audit log. It will have lines like:

2021-10-21 17:43:37,920 INFO  [       org.aper.insp.audi.supp.Slf4jLoggingAuditTrailManager] - <Thu Oct 21 17:43:37 PDT 2021|CAS| ...

This is the relevant section in log4j2.xml

        <!-- Log audit to all root appenders, and also to audit log (additivity is not false) -->
        <AsyncLogger name="org.apereo.inspektr.audit.support" level="info" includeLocation="true" >
            <!-- <AppenderRef ref="casAudit"/>
            <AppenderRef ref="syslog"/> -->
        </AsyncLogger>

You can also try these loggers to get details about your service:

        <!-- INFO  Granted ticket [...] for service [...] for user [...]
             DEBUG Resolved service [limited details about service]
                   Located registered service definition [service details] -->
        <AsyncLogger name="org.apereo.cas.DefaultCentralAuthenticationService" level="debug" />
        <!-- DEBUG service definitions -->
        <AsyncLogger name="org.apereo.cas.adaptors" level="debug" />

Ray


Jordi

Oct 23, 2021, 10:41:56 AM
to CAS Community, Ray Bon, Jordi, mrbaba...@gmail.com
Hi,

I am sending you my log4j2.xml (see attached file).

This is the log "cas.log":

2021-10-23 16:36:03,832 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [1] service(s) from [JsonServiceRegistry].>
2021-10-23 16:36:12,135 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: {result=Service Access Granted, requiredAttributes={}}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Sat Oct 23 16:36:12 CEST 2021
CLIENT IP ADDRESS: XXX.XXX.XXX.XXX
SERVER IP ADDRESS: XXX.XXX.XXX.XXX
=============================================================

>
2021-10-23 16:36:12,294 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for warn cookie generator to: [/cas/]>
2021-10-23 16:36:12,294 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for TGC cookie generator to: [/cas/]>
2021-10-23 16:36:12,301 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing service in context scope: [https://XXXXXXXXX.com:8443/cas-sample/]>
2021-10-23 16:36:12,301 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing registered service [^(https|imaps)://.*] with id [10001] in context scope>
2021-10-23 16:36:12,321 DEBUG [org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy] - <Evaluating authentication policy [DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[], excludedAuthenticationHandlers=[], criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false))] for [test]>
2021-10-23 16:36:12,330 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Resolved single event [success] via [org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver] for this context>
2021-10-23 16:36:12,331 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: {source=RankedMultifactorAuthenticationProviderWebflowEventResolver, event=success, timestamp=Sat Oct 23 16:36:12 CEST 2021}
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Sat Oct 23 16:36:12 CEST 2021
CLIENT IP ADDRESS: XXX.XXX.XXX.XXX
SERVER IP ADDRESS: XXX.XXX.XXX.XXX
=============================================================

>
2021-10-23 16:36:14,221 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [file:/etc/cas/config/custom_messages_es_ES] - neither plain properties nor XML>
2021-10-23 16:36:14,222 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:custom_messages_es_ES] - neither plain properties nor XML>
2021-10-23 16:36:14,223 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:messages_es_ES] - neither plain properties nor XML>
2021-10-23 16:36:14,224 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [file:/etc/cas/config/custom_messages_es] - neither plain properties nor XML>
2021-10-23 16:36:14,224 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [file:/etc/cas/config/custom_messages] - neither plain properties nor XML>
2021-10-23 16:36:14,224 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:custom_messages_es] - neither plain properties nor XML>
2021-10-23 16:36:14,225 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:custom_messages] - neither plain properties nor XML>
2021-10-23 16:36:14,226 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <Loading properties [messages_es.properties] with encoding 'UTF-8'>
2021-10-23 16:36:14,231 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <Loading properties [messages.properties] with encoding 'UTF-8'>
2021-10-23 16:36:29,202 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: {result=Service Access Granted, requiredAttributes={}}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Sat Oct 23 16:36:29 CEST 2021
CLIENT IP ADDRESS: XXX.XXX.XXX.XXX
SERVER IP ADDRESS: XXX.XXX.XXX.XXX
=============================================================

>
2021-10-23 16:36:29,204 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing service in context scope: [https://XXXXXXXXX.com:8443/cas-sample/]>
2021-10-23 16:36:29,205 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing registered service [^(https|imaps)://.*] with id [10001] in context scope>
2021-10-23 16:36:29,205 DEBUG [org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy] - <Evaluating authentication policy [DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[], excludedAuthenticationHandlers=[], criteria=AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria(tryAll=false))] for [test]>
2021-10-23 16:36:29,206 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Resolved single event [success] via [org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver] for this context>
2021-10-23 16:36:29,206 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: {source=RankedMultifactorAuthenticationProviderWebflowEventResolver, event=success, timestamp=Sat Oct 23 16:36:29 CEST 2021}
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Sat Oct 23 16:36:29 CEST 2021
CLIENT IP ADDRESS: XXX.XXX.XXX.XXX
SERVER IP ADDRESS: XXX.XXX.XXX.XXX
=============================================================

>
2021-10-23 16:37:03,833 WARN [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - <[test.10001.json] does not match the recommended pattern [(\w+-)+(\d+)\.json]. While CAS tries to be forgiving as much as possible, it's recommended that you rename the file to match the requested pattern to avoid issues with duplicate service loading. Future CAS versions may try to strictly force the naming syntax, refusing to load the file.>
2021-10-23 16:37:03,833 DEBUG [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - <Attempting to read and parse [/opt/URVsso/cas-test/apache-tomcat-9.0.31.8443/webapps/cas/WEB-INF/classes/services/test.10001.json]>
2021-10-23 16:37:03,835 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [1] service(s) from [JsonServiceRegistry].>
2021-10-23 16:37:13,902 INFO [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired tickets removed.>
2021-10-23 16:37:13,902 DEBUG [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <Finished ticket cleanup.>

Many thanks

log4j2.xml

Ray Bon

Oct 25, 2021, 12:52:12 PM
to jordica...@gmail.com, cas-...@apereo.org, mrbaba...@gmail.com
Jordi,

Near the end of the log output is this;

2021-10-23 16:37:03,833 WARN [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - <[test.10001.json] does not match the recommended pattern [(\w+-)+(\d+)\.json]

Change the file name to test-10001.json. (This should be unrelated to your issue).

Then 10s goes by and ticket cleanup happens.

There should be other audit log lines referring to AUTHENTICATION_SUCCESS, TICKET_GRANTING_TICKET_CREATED, etc.
Use the safari developer tools in a private window to be sure the correct form submission is taking place and cookies are being created and sent/received.

This is a safari issue, not really a cas issue.

Ray
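
The audit-trail check suggested in the reply above can be scripted. This is an added example, not part of any post in this thread or of CAS itself: it parses the multi-line audit records in the layout Jordi posted and lists which of the actions Ray names never appear. The sample log is constructed from that excerpt, and all function names are hypothetical.

```python
import re
from collections import Counter

# Actions named in the reply above as expected once credentials are accepted.
EXPECTED = ("AUTHENTICATION_SUCCESS", "TICKET_GRANTING_TICKET_CREATED")
# One inspektr record: header line, a bar of '=', KEY: value lines, a bar of '='.
RECORD = re.compile(r"Audit trail record BEGIN\n=+\n(.*?)\n=+", re.S)

def parse_audit_records(text):
    """Return one dict per audit record (WHO, WHAT, ACTION, WHEN, ...)."""
    records = []
    for body in RECORD.findall(text.replace("\r\n", "\n")):
        fields = {}
        for line in body.splitlines():
            key, sep, value = line.partition(": ")
            if sep:  # skip anything that is not a KEY: value line
                fields[key.strip()] = value.strip()
        records.append(fields)
    return records

def action_counts(records):
    """Count how often each ACTION occurs in the parsed records."""
    return Counter(r.get("ACTION", "UNKNOWN") for r in records)

def missing_actions(records, expected=EXPECTED):
    """List expected actions that never show up in the audit trail."""
    seen = set(action_counts(records))
    return [a for a in expected if a not in seen]

def sample_record(action, what, who="audit:unknown"):
    """Build a constructed record in the layout of the cas.log excerpt."""
    bar = "=" * 61
    return ("2021-10-23 16:36:12,331 INFO [org.apereo.inspektr.audit.support."
            "Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN\n"
            f"{bar}\nWHO: {who}\nWHAT: {what}\nACTION: {action}\n"
            "APPLICATION: CAS\nWHEN: Sat Oct 23 16:36:12 CEST 2021\n"
            f"CLIENT IP ADDRESS: XXX.XXX.XXX.XXX\n{bar}\n\n>\n")

# Constructed sample: the same two actions, repeated, as in the posted log.
SAMPLE_LOG = "".join(
    sample_record(a, w) for a, w in [
        ("SERVICE_ACCESS_ENFORCEMENT_TRIGGERED", "{result=Service Access Granted}"),
        ("AUTHENTICATION_EVENT_TRIGGERED", "{event=success}"),
    ] * 2
) + ("2021-10-23 16:37:13,902 DEBUG [org.apereo.cas.ticket.registry."
     "DefaultTicketRegistryCleaner] - <Finished ticket cleanup.>\n")

if __name__ == "__main__":
    recs = parse_audit_records(SAMPLE_LOG)
    print(dict(action_counts(recs)))
    print("never logged:", missing_actions(recs))
```

An empty result from `missing_actions` means both actions were logged at least once; a non-empty one points at the step of the login flow that the server never recorded.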

Thomas

Oct 26, 2021, 6:49:48 AM
to CAS Community, Ray Bon, mrbaba...@gmail.com, Jordi
Dear Jordi,

You stated in your description of the issue that (I quote):
"[...] in Safari and Chrome on macOS Catalina doesn't work, the login form reload again. [...]"

Were you able to try:
1. On a recent version of macOS?
2. On Mozilla Firefox on any macOS version?

Is the result still looping on the login form?

Thx in advance,
Tom

Jordi

Oct 26, 2021, 8:04:10 AM
to CAS Community, Thomas, Ray Bon, mrbaba...@gmail.com, Jordi
Hello,
In a recent version of macOS everything works perfectly, but in Catalina it doesn't work.

I think that the problem is the OS, because in Chrome and Edge it sometimes doesn't work.

Tests:

In macOS Catalina:
  • Safari doesn't work.
  • Chrome and Edge sometimes don't work.
  • Firefox always works.
In macOS Big Sur:
  • Safari, Chrome, Firefox and Edge work well.
In Windows 10:
  • Chrome, Firefox and Edge work well.

I have many users using macOS Catalina, and I can't update CAS to the last version. I think this is a problem, because the problem appears in CAS version 6.X.

Maybe the problem is this:
logs.png

Attached is the video of the Edge test.

CasEdgeTest.avi