Tomcat CAS Client Filter Only Working at / (Root)


Colin Ryan

Nov 22, 2024, 10:50:35 PM
to cas-...@apereo.org
Folks,

CAS Client 3.6.4

Filter is starting in the logs, but I only want CAS to be in play for 1
specific WebApp installed on this Tomcat 9 instance.

If I change the url-patterns in the web.xml file to "/*" everything
works, but if I try to scope CAS down to the specific App the filters
appear to never be "invoked". I have a simple .jsp file in
/ldapconn/casverify.jsp for confirming CAS. If I in a freshly started
browser go to

/ldapconn/casverify.jsp I do not get redirected to CAS for
authentication and get errors obviously in my JSP.

Even if I go to CAS directly and login and then go to
/ldapconn/casverify.jsp I get the same error.

If I change the url-patterns to just "/*" it all works as expected.


Here is my web.xml


<!-- CAS Validation Filter -->
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://ssoservice.mydomain.net/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://ldapconn.mydomain.net:8080</param-value>
  </init-param>
</filter>

<!-- Cas Filter/Wrapper -->
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://ssoservice.mydomain.net/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://ldapconn.mydomain.net:8080</param-value>
  </init-param>
</filter>

<!-- CAS Wrapper -->
<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/ldapconn/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/ldapconn/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/ldapconn/*</url-pattern>
</filter-mapping>


Ray Bon

Nov 25, 2024, 1:57:19 PM
to cas-...@apereo.org
Colin,

The filters are ordered. Authentication filter must be listed before validation filter.

Ray


Ray Bon

Nov 25, 2024, 10:19:18 PM
to col...@caveo.ca, cas-...@apereo.org
Colin,

I have this filter order (I should have included this earlier):

Authentication
Validation
Wrapper

Filters are applied in the order they are listed in web.xml. There is no mechanism to skip nor go backwards.
One must authenticate before validate. 

Note: if you want to use a logout filter, it would precede authenticate.

Ray

On Mon, 2024-11-25 at 14:38 -0500, Colin Ryan wrote:

Ray,

Changed to the following:


<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/ldapconn/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/ldapconn/*</url-pattern>
</filter-mapping>


Same issue

Thanks

Colin Ryan

Nov 26, 2024, 12:07:32 PM
to cas-...@apereo.org

Ray,

That's what I had originally. It all works if my filter is applied to "/*" but if I use subpath for the webapp installed in tomcat "/ldapconn/*" it appears to not get invoked/triggered etc.

I will sanity check my eyes again today.

C


Colin Ryan

Nov 27, 2024, 2:08:17 AM
to cas-...@apereo.org

Appears I "solved" this. I had this in the tomcat "root" web.xml. I put these directives in the <webapps>/WEB-INF/web.xml with root path "/*" and gave me what I wanted.

C
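
Why the scoped pattern never fired, as an added example that is not part of the thread and is not Tomcat or CAS client code: a url-pattern is matched against the request path with the context path removed, and a filter-mapping placed in Tomcat's global conf/web.xml is applied inside every web application. The sketch assumes the "root" web.xml is that global file and that the app is deployed at context path /ldapconn; the function names are hypothetical.

```python
# Added illustration: a model of Servlet-spec url-pattern matching.
# Not Tomcat or CAS client code; all function names are hypothetical.

def path_in_context(request_uri, context_path):
    """Path the container matches patterns against: the URI minus the
    context path. None means the request belongs to another web app."""
    if context_path in ("", "/"):                 # ROOT web application
        return request_uri
    if request_uri == context_path or request_uri.startswith(context_path + "/"):
        return request_uri[len(context_path):]
    return None

def matches(pattern, path):
    if pattern.endswith("/*"):                    # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                  # extension mapping
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path                        # exact mapping

def filter_chain(request_uri, context_path, mappings):
    """Filters that run for a request, in <filter-mapping> order."""
    path = path_in_context(request_uri, context_path)
    if path is None:
        return []
    return [name for name, pattern in mappings if matches(pattern, path)]

# Mapping order taken from the first post; context path /ldapconn is assumed.
ORDER = ["CAS Authentication Filter", "CAS Validation Filter",
         "CAS HttpServletRequest Wrapper Filter"]
SCOPED = [(name, "/ldapconn/*") for name in ORDER]
ROOTED = [(name, "/*") for name in ORDER]

def demo():
    uri, ctx = "/ldapconn/casverify.jsp", "/ldapconn"
    return {
        "scoped": filter_chain(uri, ctx, SCOPED),     # no filter runs
        "rooted": filter_chain(uri, ctx, ROOTED),     # all three filters run
        "other_app": filter_chain("/manager/html", ctx, ROOTED),
    }

if __name__ == "__main__":
    for case, chain in demo().items():
        print(f"{case:10} -> {chain or 'no CAS filter invoked'}")
```

Inside the /ldapconn application the JSP is seen as /casverify.jsp, so only a request such as /ldapconn/ldapconn/x.jsp would match the scoped pattern, while "/*" in that app's own WEB-INF/web.xml covers the whole application and nothing outside it.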

Dmitriy Kopylenko

Nov 27, 2024, 2:08:22 AM
to cas-...@apereo.org
You might want to set debug or trace level logging on cas client to get some insights on what it’s doing. 

D. 
