Error 500 with any service


wouldsmina

Feb 17, 2022, 12:06:58 PM
to cas-...@apereo.org
Hi,

I'm trying to install CAS v6.5 to replace a v6.3. Authentication on the CAS without service works, but with service=... in the URL I get "500:Internal Server Error" (before user authentication).


Log:
org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.login.InitialFlowSetupAction@748140c7 in state 'null' of flow 'login' -- action execution attributes were 'map[[empty]]'
The rest of the logs do not seem relevant to me, but ask me if necessary.

Added dependencies before build:
    implementation "org.apereo.cas:cas-server-support-x509-webflow"
    implementation "org.apereo.cas:cas-server-core-api-configuration-model"
    implementation "org.apereo.cas:cas-server-support-token-tickets"
    implementation "org.apereo.cas:cas-server-support-discovery-profile"
    implementation "org.apereo.cas:cas-server-webapp-init"
    implementation "org.apereo.cas:cas-server-support-ldap"
    implementation "org.apereo.cas:cas-server-support-json-service-registry"
    implementation "org.apereo.cas:cas-server-support-oidc"
    implementation "org.apereo.cas:cas-server-support-saml-sp-integrations"
    implementation "org.apereo.cas:cas-server-support-oauth-webflow"

Service file:
{
    "@class" : "org.apereo.cas.services.RegexRegisteredService",
    "serviceId" : "^(https|http|imaps|imap|smb|sftp)?://[-a-z0-9.:]*.univ-lemans.fr(:[\\d]+)?/?.*",
    "name": "UNIV-FR",
    "informationUrl": null,
    "privacyUrl": null,
    "id": 1,
    "description": "univ-fr",
    "evaluationOrder":99,
    "usernameAttributeProvider":
    {
      "@class": "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
      "canonicalizationMode": "LOWER",
      "encryptUsername": "false",
      "usernameAttribute": "uid"
    },
    "ticketGrantingTicketExpirationPolicy": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceTicketGrantingTicketExpirationPolicy",
      "maxTimeToLiveInSeconds":7200
    },
    "proxyPolicy": {
      "@class": "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
      "pattern": "^(http|https|imaps)://.*"
    },
    "proxyGrantingTicketExpirationPolicy": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceProxyGrantingTicketExpirationPolicy",
      "maxTimeToLiveInSeconds": 7200
    }
}

Can someone help me understand my mistake, please?

Thanks.

Petr Bodnár

Jan 11, 2023, 3:26:21 PM
to CAS Community, wouldsmina
Hi,

I've just discovered an error present since CAS 6.5.0, maybe it also relates to your problem:

It seems like by accident, in this commit, a call to enforceRegisteredServiceAccess() was removed from the grantServiceTicket() method (while being left in the other methods), which leads to NullPointerException from ensureServiceSsoAccessIsAllowed() (and 500 Internal Server Error) when an authenticated client asks for a service which is not registered.

So maybe you've got a problem in registering / matching the service successfully, seeing this error as a result? Even though you write "before user authentication", so you say your flow is different?

I wonder if CAS authors can fix this themselves, or is it better to create a PR for this seemingly trivial fix (i.e. put back the removed line) ourselves?
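
The reply above asks whether the requested service URL actually matches a registered service. The following is an added example (not from either poster and not CAS code) that tests URLs against the posted serviceId and against a tightened variant. It assumes the whole URL must match the pattern case-insensitively; STRICT_ID and all sample URLs are constructed for illustration.

```python
import json
import re

# Constructed excerpt of the service definition posted above (serviceId unchanged).
SERVICE_JSON = r'''
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(https|http|imaps|imap|smb|sftp)?://[-a-z0-9.:]*.univ-lemans.fr(:[\\d]+)?/?.*",
  "name": "UNIV-FR",
  "id": 1
}
'''

# Hypothetical tightened pattern (not from the thread): escaped dots, mandatory
# scheme, and the host anchored before the optional port and path.
STRICT_ID = r"^(https|http|imaps|imap|smb|sftp)://([-a-z0-9]+\.)*univ-lemans\.fr(:\d+)?(/.*)?$"

# Constructed service URLs: two expected ones, two look-alikes, one unregistered.
SAMPLE_URLS = [
    "https://ent.univ-lemans.fr/login",
    "https://mail.univ-lemans.fr:8443/",
    "https://ent.univ-lemans.fr.example.org/",
    "https://www.univ-lemans-fr.example.org/",
    "https://ent.univ-lemans.com/",
]


def compile_service_id(service_id):
    # Assumption: matching is case-insensitive and applies to the whole URL.
    return re.compile(service_id, re.IGNORECASE)


def audit(service_json, strict_id, urls):
    """Return {url: (matches_posted_pattern, matches_strict_pattern)}."""
    posted = compile_service_id(json.loads(service_json)["serviceId"])
    strict = compile_service_id(strict_id)
    return {u: (posted.fullmatch(u) is not None, strict.fullmatch(u) is not None)
            for u in urls}


if __name__ == "__main__":
    for url, (posted, strict) in audit(SERVICE_JSON, STRICT_ID, SAMPLE_URLS).items():
        print(f"posted={posted!s:5} strict={strict!s:5} {url}")
```

A URL that is False in the first column is an unregistered service, the case the reply describes; a URL that is True only in the first column is one the posted pattern accepts because of its unescaped dots and unanchored tail.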