Double Login for Mozilla 4.0 User Agent
68 views
Skip to first unread message
Justin Isenhour
Jan 23, 2020, 6:06:39 PM1/23/20
to CAS Community
Hello All,
We are working on upgrading from CAS 3.5.1 to CAS 5.3.7 and so far everything has gone pretty smoothly, although we have just hit one issue. We have a very very old .Net application that is end of life and we are migrating users off of it but that will take a while to do. This app only works in IE 7 compatibility mode, there were some settings made in IIS to force that (I don't recall exactly what they were as that was done many years back). The issue I am see is that when we login to the SSO portal and try to access this application we are getting the login page again. After troubleshooting I see that if I call the login service URL and emulate IE 7 that it will give the login page every time. Based on this it looks like SSO for Mozilla 4.0 user agent is not allowed by default. Is this something related to a default setting for adaptive authentication or some other default security setting? Is there some setting I can change to allow Mozilla 4.0 user agents?
Thanks,
Justin Isenhour
Andy Ng
Jan 23, 2020, 8:55:15 PM1/23/20
to CAS Community
Hi Justin,
CAS 5 have said that at least the UI will have problem with IE 9 or below, so I doubt they build CAS 5 with IE 7 support in mind
I don't have IE 7 setup on my system so can't really test on this...
However, I have look into this properties here:
Seems like it is possible to reject agent like so:
cas.authn.adaptive.rejectBrowsers=Gecko.+
But by default there are no reject agent for this, so I doubt the issue is related to adaptive authentication.
Can you enabled your CAS debug log and post any anomaly here (with sensitive info censored of course), so the community can look at your CAS log and see if there are any other problem with that.
Cheers!
- Andy
Justin Isenhour
Jan 24, 2020, 4:21:13 PM1/24/20
to CAS Community
Thanks Andy for the information. We spent some more time this morning troubleshooting the behavior and have discovered the reason for this behavior. It seems that the ticket granting cookie is encoded and is not just the TGT, it is TGT+Client IP+Browser Agent. When a call comes into login?service= the validation checks the cookie and validates that the TGT is still valid and now also checks that the Browser Agent matches what it was when the cookie was created.
In this case when we login to SSO using IE 11 the browser agent is Mozilla 5.0, when we access the old legacy application (which has it's domain set under compatibility view) and the app redirects to SSO for authentication the user agent is changed to Mozilla 4.0. Since the user agent of the request no longer matches the user agent when the cookie was created, the cookie is considered invalid. Based on the code it doesn't look like there is any way to override this behavior (not that one should). Based on the fact that this legacy app must be run in capability view our only work around is to also have those users add our portal URL to compatibility view as well so that the user agents will match during validation.
Andy Ng
Jan 28, 2020, 5:46:57 AM1/28/20
to CAS Community
Hi Justin,
Nice that you think of a workaround!
I think it is strange that ticket granting ticket containing user agent...
Therefore, I have go ahead and done some additional digging and found the following:
Seems to me that, instead of the TGT containing user agent, is that the cookie manager will not allow cookie created under differnet user agent.
| @Override | |
| protected String obtainValueFromCompoundCookie(final String cookieValue, final HttpServletRequest request) { | |
| val cookieParts = Splitter.on(String.valueOf(COOKIE_FIELD_SEPARATOR)).splitToList(cookieValue); | |
| if (cookieParts.isEmpty()) { | |
| throw new IllegalStateException("Invalid empty cookie"); | |
| } | |
| val value = cookieParts.get(0); | |
| if (!cookieProperties.isPinToSession()) { | |
| LOGGER.trace("Cookie session-pinning is disabled. Returning cookie value as it was provided"); | |
| return value; | |
| } | |
| if (cookieParts.size() != COOKIE_FIELDS_LENGTH) { | |
| throw new IllegalStateException("Invalid cookie. Required fields are missing"); | |
| } | |
| val remoteAddr = cookieParts.get(1); | |
| val userAgent = cookieParts.get(2); | |
| if (Stream.of(value, remoteAddr, userAgent).anyMatch(StringUtils::isBlank)) { | |
| throw new IllegalStateException("Invalid cookie. Required fields are empty"); | |
| } | |
| val clientInfo = ClientInfoHolder.getClientInfo(); | |
| if (!remoteAddr.equals(clientInfo.getClientIpAddress())) { | |
| throw new IllegalStateException("Invalid cookie. Required remote address " | |
| + remoteAddr + " does not match " + clientInfo.getClientIpAddress()); | |
| } | |
| val agent = HttpRequestUtils.getHttpServletRequestUserAgent(request); | |
| if (!userAgent.equals(agent)) { | |
| throw new IllegalStateException("Invalid cookie. Required user-agent " + userAgent + " does not match " + agent); | |
| } | |
| return value; | |
| } |
Have you see the above error (Invalid cookie. Required user-agent....) in your CAS error log? If so then it would justified my theory.
Still, I don't think it is wise to touch on that part of the source code, but it is always good to know in case you need to actually make support on the legacy service for cross compatibility and main browser.
Cheers!
- Andy
leleuj
Jan 28, 2020, 5:59:56 AM1/28/20
to CAS Community
Hi,
You have the following property/option: cas.tgc.pinToSession (true by default) to attach the IP and user-agent to the SSO session.
In most cases, it's the right choice, but you may want to disable that behavior.
Thanks.
Best regards,
Jérôme
Justin Isenhour
Jan 28, 2020, 6:44:46 AM1/28/20
to cas-...@apereo.org
Awesome, thanks for all the feedback guys. Very much appreciated.
From: cas-...@apereo.org <cas-...@apereo.org> on behalf of leleuj <lel...@gmail.com>
Sent: Tuesday, January 28, 2020 5:59:55 AM
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] Re: Double Login for Mozilla 4.0 User Agent
Sent: Tuesday, January 28, 2020 5:59:55 AM
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] Re: Double Login for Mozilla 4.0 User Agent
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4cd1f0fa-6eb8-4bb3-ab59-c3dc57b623a7%40apereo.org.
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4cd1f0fa-6eb8-4bb3-ab59-c3dc57b623a7%40apereo.org.
Reply all
Reply to author
Forward
0 new messages