CAS 5.3.X JWT and method=HEADER


Facundo Mateo

Mar 19, 2019, 11:09:04 AM
to CAS Community
Hello everyone,

We have configured "JWT as service ticket" to get JWTs in our apps. We have successfully tried the flow using REDIRECT and POST.
Some CAS clients need to get the ticket as an HTTP header. We tried method=HEADER in our flow but we get an error.
As far as I have tried, it works fine in the normal service ticket flow.

I am not sure if method=HEADER is supported for the "JWT as service" flow or if it is a bug. Is this flow supported by CAS? Has somebody had the same issue?

INSTALLATION CONTEXT
  • cas version: 5.3.9
  • ticket registry: redis
  • service registry: mysql
  • user DB: openldap

ANALYSIS

I debugged CAS to get some extra information.
When the method is HEADER, CAS tries to validate the service ticket twice. The first time, it is validated according to the JWT as service flow. But the second one seems to be unnecessary. It fails because a service ticket can be used just once in our configuration.


ERROR

org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.actions.InjectResponseHeadersAction@507c30ed in state 'headerView' of flow 'login' -- action execution attributes were 'map[[empty]]'
	at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:62)
	at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
	at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
	at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
	at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101)
	at org.springframework.webflow.engine.State.enter(State.java:194)
	at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
	at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
	at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
	at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
	at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
	at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)
	at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
	at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
	at org.springframework.webflow.engine.State.enter(State.java:194)
	at org.springframework.webflow.engine.Transition.execute(Transition.java:228)
	at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
	at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
	at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116)
	at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547)
	at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390)

............
............
	org.apereo.cas.token.authentication.principal.TokenWebApplicationServiceResponseBuilder.generateToken(TokenWebApplicationServiceResponseBuilder.java:70)
	at org.apereo.cas.token.authentication.principal.TokenWebApplicationServiceResponseBuilder.buildInternal(TokenWebApplicationServiceResponseBuilder.java:49)
	at org.apereo.cas.authentication.principal.WebApplicationServiceResponseBuilder.build(WebApplicationServiceResponseBuilder.java:43)
	at org.apereo.cas.web.flow.actions.RedirectToServiceAction.doExecute(RedirectToServiceAction.java:41)
	at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
	at sun.reflect.GeneratedMethodAccessor292.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:216)
	at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:470)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
	at com.sun.proxy.$Proxy197.execute(Unknown Source)
	at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
	... 145 more
Caused by: org.jasig.cas.client.validation.TicketValidationException: No se ha reconocido el tique 'ST-515-Zy-tXl2RHia9ID96k83AZgk-YYsDSSO01'
	at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:84)
	at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:198)
	at ar.gov.santafe.stg.sso.jwt.JWTTokenTicketBuilder.build(JWTTokenTicketBuilder.java:54)
	at sun.reflect.GeneratedMethodAccessor546.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:216)
	... 163 more



Thanks in advance, Facundo

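A simplified model of the failure described in the post, added here as an example; it is not CAS code and not part of the original message. All class and function names are hypothetical, and it assumes, as the post's analysis states, that the HEADER flow builds the token twice for one single-use service ticket. It also shows one way to keep the ticket single-use while tolerating the second build.

```python
class TicketValidationError(Exception):
    """Raised when a ticket is unknown or already consumed."""

class SingleUseTicketRegistry:
    """Hypothetical registry: each service ticket validates exactly once."""
    def __init__(self):
        self._tickets = {}
    def issue(self, ticket_id, principal):
        self._tickets[ticket_id] = principal
    def validate(self, ticket_id):
        if ticket_id not in self._tickets:
            raise TicketValidationError(f"ticket not recognized: {ticket_id}")
        # pop() consumes the ticket, so any later use is rejected
        return self._tickets.pop(ticket_id)

class ValidatingTokenBuilder:
    """Builds a token by validating the ticket on every call."""
    def __init__(self, registry):
        self.registry = registry
        self.validations = 0
    def build(self, ticket_id):
        self.validations += 1
        # the returned string is a stand-in for a signed JWT
        return "token-for:" + self.registry.validate(ticket_id)

class OncePerTicketBuilder:
    """Wrapper that builds once per ticket and reuses the result afterwards."""
    def __init__(self, inner):
        self.inner = inner
        self._built = {}  # would be request-scoped in a real deployment
    def build(self, ticket_id):
        if ticket_id not in self._built:
            self._built[ticket_id] = self.inner.build(ticket_id)
        return self._built[ticket_id]

def header_flow(builder, ticket_id):
    """Model of method=HEADER: the response is built twice for one ticket."""
    builder.build(ticket_id)         # first build, as in the REDIRECT/POST flow
    return builder.build(ticket_id)  # second build, for the response headers

def run(wrap):
    registry = SingleUseTicketRegistry()
    registry.issue("ST-1-constructed", "alice")  # constructed sample ticket
    inner = ValidatingTokenBuilder(registry)
    builder = OncePerTicketBuilder(inner) if wrap else inner
    try:
        return header_flow(builder, "ST-1-constructed"), inner.validations
    except TicketValidationError as exc:
        return f"error: {exc}", inner.validations
```

`run(False)` reproduces the second-validation failure; `run(True)` returns the token after a single validation, leaving the one-time-use ticket policy unchanged.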