CAS + Oauth2.0 + Redirect


Diego Henrique Pagani

Jul 2, 2018, 7:38:25 AM
to CAS Community
Hi everyone,


I'm having an issue. I have an application that delegates authentication to CAS 5.2.5 using the OAuth2.0 protocol. When someone not authenticated accesses the application, the application redirects to CAS. If the person does not authenticate for some time (or deletes the cookies) and then submits the form, CAS authenticates the person but, instead of redirecting to the service mentioned in the URL param, it redirects to "/".

After some debugging, I found out that in the class "DefaultCallbackLogin.java", the method "redirectToOriginallyRequestedUrl" does the job of redirecting, but it gets the URL from the Session, not from the URL, so erasing the cookies or having them invalid loses the redirect.

Does anyone know how to solve that issue? Some users are getting lost, causing an increased number of tickets related to this issue.

Thank you 


Diego Henrique Pagani

Jul 2, 2018, 7:47:17 AM
to CAS Community
I think I misunderstood the Java class :-)


Actually, in OAuth20CallbackAuthorizedEndPointController.java, the method

    @GetMapping(path = OAuth20Constants.BASE_OAUTH20_URL + '/' + OAuth20Constants.CALLBACK_AUTHORIZE_URL)
    public ModelAndView handleRequest(final HttpServletRequest request, final HttpServletResponse response) {

controls the redirect.

There is this code:

    final DefaultCallbackLogic callback = new DefaultCallbackLogic();
    callback.perform(context, oauthConfig, J2ENopHttpActionAdapter.INSTANCE, null, false, false);

That "null" param is the redirect URL param, and when it's null it sends the user to "/" (the PAC4J default), and that is what is causing this issue. How to solve it?

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6878d90c-b3eb-4599-98a7-355d075bf65b%40apereo.org.
--
Diego Henrique Pagani

Jérôme LELEU

Jul 2, 2018, 9:03:25 AM
to CAS Community
Hi,

I don't think there is an easy solution here, other than increasing the web session timeout.

The way to deal with the session in pac4j is the SessionStore which by default uses the web session. I think you could customize the CAS configuration to use your own SessionStore.

Thanks.
Best regards,
Jérôme



Abylay

Jan 28, 2019, 11:45:25 PM
to CAS Community
Hi, does anyone have a solution for this?

Geoff White

Jan 29, 2019, 7:42:44 AM
to cas-...@apereo.org
I ran into this in 5.1.x and fixed it by modifying TerminateSessionAction.java to preserve the pac4JRequestedUrl when killing the session.

I found this fix in a newer version of TerminateSessionAction; I thought it was made prior to 5.2.5, but maybe not.


Abylay

Jan 30, 2019, 6:32:27 AM
to CAS Community
We are using 5.2.0 and we applied the changes mentioned above to TerminateSessionAction.java.
But it doesn't help in a situation where the user stays too long on the CAS login page and the web session times out. In that case pac4JRequestedUrl gets lost with the session and the user, after login, will be redirected to /.
So we ended up changing both DefaultSecurityLogic and DefaultCallbackLogic to save pac4JRequestedUrl in cookies besides saving it to the session.
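As an added example (not code from this thread, from CAS or from pac4j), the session-plus-cookie approach of the last reply written against the plain servlet API. The cookie name, the cookie path and the allowlist of registered service hosts are assumptions; the allowlist check matters because once the target URL lives in a cookie it is client-controlled, and redirecting to it unchecked would be an open redirect.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Set;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper (not CAS or pac4j code): keeps the requested URL both in the web session
 *  and in a short-lived cookie, so a login-page session timeout no longer sends the user to "/". */
public final class RequestedUrlStore {
    static final String KEY = "pac4jRequestedUrl";      // session attribute named in the thread
    static final String COOKIE = "CAS_REQUESTED_URL";   // assumed cookie name
    private final Set<String> allowedHosts;             // hosts of the registered OAuth services (assumed)

    public RequestedUrlStore(Set<String> allowedHosts) { this.allowedHosts = allowedHosts; }

    /** The cookie is client-controlled, so a URL becomes a redirect target only if its host is a
     *  registered service; anything else is refused rather than redirected to. */
    boolean isAllowed(String url) {
        try {
            URI u = URI.create(url);
            return "https".equals(u.getScheme()) && u.getHost() != null && allowedHosts.contains(u.getHost());
        } catch (IllegalArgumentException e) { return false; }
    }

    public void save(HttpServletRequest req, HttpServletResponse resp, String url) {
        if (!isAllowed(url)) return;                    // never persist an unknown target
        req.getSession(true).setAttribute(KEY, url);
        String enc = Base64.getUrlEncoder().withoutPadding().encodeToString(url.getBytes(StandardCharsets.UTF_8));
        Cookie c = new Cookie(COOKIE, enc);             // base64url keeps ':' and '/' out of the cookie value
        c.setHttpOnly(true); c.setSecure(true); c.setPath("/cas"); c.setMaxAge(600);
        resp.addCookie(c);
    }

    /** Session first, then the cookie; null tells the caller to keep pac4j's default of "/". */
    public String load(HttpServletRequest req) {
        Object s = req.getSession(false) == null ? null : req.getSession(false).getAttribute(KEY);
        if (s instanceof String && isAllowed((String) s)) return (String) s;
        if (req.getCookies() == null) return null;
        for (Cookie c : req.getCookies()) {
            if (!COOKIE.equals(c.getName())) continue;
            try {
                String url = new String(Base64.getUrlDecoder().decode(c.getValue()), StandardCharsets.UTF_8);
                if (isAllowed(url)) return url;
            } catch (IllegalArgumentException e) { /* malformed cookie: ignore it */ }
        }
        return null;
    }
}
```

This covers the timeout case from the last reply; if the browser discards all cookies, as in the first post, the backup cookie is lost as well and the caller still falls back to "/".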