5.3.9/5.3.10 renew=true appears broken with pac4j included in WAR overlay


Rich Renomeron

Apr 23, 2019, 5:16:10 PM
to cas-...@apereo.org
When using my overlay, which includes pac4j, renew=true doesn't seem to work -- it seems to happily issue a service ticket without bothering to ask for credentials if there's an existing single sign-on session, regardless of whether the initial authentication uses pac4j or not.  When I remove pac4j, the renew=true parameter prompts for credentials as it should.

An afternoon of debugging leads me to think that this is caused by the clientAction state returning a 'warn' event -- which short-circuits the 'renewRequestCheck' state and goes directly to redirect.  While the renew parameter is checked somewhere in there, it doesn't look like anything is done with it before CAS issues a service ticket and goes on its merry way.  This seems wrong to me.

It looks like this behavior is a result of this commit:

A couple of questions:
  • Why does DelegatedClientAuthenticationAction call super.doExecute() at all when there is no clientName parameter and/or no credentials in the request?  Shouldn't it just return an error() to go back to the main authentication flow, as it would if there is no TGT present?  Why is the single sign-on case different?
  • Assuming that we want to continue onward with trying to grant a service ticket in the clientAction when there's a TGT, what's the right way to prevent a service ticket from being issued when renew=true is present?  Would we want it to show up as an authN failure (which I assume would trigger a credential challenge), or some other event?
  • As an immediate workaround for my overlay, would changing the webflow to transition to 'renewRequestCheck' on a 'warn' from the clientAction be safe?
Thanks,
Rich
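The overlay workaround asked about in the last question (re-routing a 'warn' from clientAction to renewRequestCheck), written out as an added example; this is not code from the thread, from CAS or from pac4j. The class name is hypothetical, and the constructor, getLoginFlow(), containsFlowState(), getState() and createTransitionForState() are assumed to match the CAS 5.3 AbstractCasWebflowConfigurer API.

```java
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer;
import org.springframework.context.ApplicationContext;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.ActionState;
import org.springframework.webflow.engine.Flow;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;

/**
 * Hypothetical overlay configurer: sends the "warn" outcome of the pac4j
 * "clientAction" state to "renewRequestCheck" so that a renew=true request
 * with an existing SSO session still reaches the renew decision instead of
 * going straight to the service-ticket redirect.
 */
public class RenewAwareDelegationWebflowConfigurer extends AbstractCasWebflowConfigurer {

    // State and transition ids as named in the thread; assumed to match the login flow.
    private static final String STATE_CLIENT_ACTION = "clientAction";
    private static final String STATE_RENEW_REQUEST_CHECK = "renewRequestCheck";
    private static final String TRANSITION_WARN = "warn";

    public RenewAwareDelegationWebflowConfigurer(final FlowBuilderServices flowBuilderServices,
                                                 final FlowDefinitionRegistry loginFlowDefinitionRegistry,
                                                 final ApplicationContext applicationContext,
                                                 final CasConfigurationProperties casProperties) {
        super(flowBuilderServices, loginFlowDefinitionRegistry, applicationContext, casProperties);
    }

    @Override
    protected void doInitialize() {
        final Flow flow = getLoginFlow();
        if (flow == null) {
            return;
        }
        // Fail loudly if either state is missing: silently doing nothing would
        // leave the renew bypass in place without anyone noticing at startup.
        if (!containsFlowState(flow, STATE_CLIENT_ACTION)) {
            throw new IllegalStateException("State '" + STATE_CLIENT_ACTION + "' not found; is the pac4j module present?");
        }
        if (!containsFlowState(flow, STATE_RENEW_REQUEST_CHECK)) {
            throw new IllegalStateException("State '" + STATE_RENEW_REQUEST_CHECK + "' not found in the login flow");
        }
        final ActionState clientAction = getState(flow, STATE_CLIENT_ACTION, ActionState.class);
        // removeExisting=true replaces the stock 'warn' transition rather than adding a duplicate.
        createTransitionForState(clientAction, TRANSITION_WARN, STATE_RENEW_REQUEST_CHECK, true);
    }
}
```

The configurer has to be registered from the overlay (in 5.3, through a CasWebflowExecutionPlanConfigurer listed in META-INF/spring.factories) and ordered after the delegated-authentication configurer so that clientAction already exists when it runs. It re-routes every 'warn' outcome from clientAction, not only renew=true requests, so check what the non-renew path loses before relying on it.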

Rich Renomeron

Apr 24, 2019, 12:35:24 PM
to cas-...@apereo.org
I have a fix which is basically a backport of what the master branch does.  I'll submit a PR tomorrow or Friday when I have the correct computer available.

Thanks,
Rich