Possible Bug With Proxy Tickets In CAS 5.0.0.RC1-SNAPSHOT


William

Aug 22, 2016, 4:47:22 PM
to CAS Community
I am running the following test on the latest CAS 5.0.0.RC1-SNAPSHOT build: 
https://github.com/wcrowell/cas-functional-tests/blob/5.0.x/src/test/groovy/org/apereo/cas/test/validation/MultiLevelProxySpec.groovy

I have run this test successfully against CAS 4.2.2, 4.2.4, 4.2.5-SNAPSHOT.

This test generates proxy tickets to access a really simple web app called protected-web-app which is a CAS client.

I noticed a behavior where I cannot use a ProxyTicket after submitting a ProxyGrantingTicket to the "/proxy" endpoint.  

For some reason CAS thinks it has already been used:

2016-08-22 16:06:44,947 DEBUG [org.apereo.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy] - <Ticket usage count 1 is greater than or equal to 1>

and then it removes it:

2016-08-22 16:06:44,947 DEBUG [org.apereo.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [PT-2-f96UqRibdLcYREKZhh9N-192] from the registry.>

I am not able to attach files in Google Groups for some reason.  Therefore, here is the link to the log: https://raw.githubusercontent.com/wcrowell/cas-functional-tests/5.0.x/logs/catalina.out

Did something change in CAS 5 with the ticket usage for Proxy Tickets or is this potentially a bug?

Thank you.

Misagh Moayyed

Aug 23, 2016, 1:23:57 AM
to CAS Community

When you say "cannot use a ProxyTicket after submitting a ProxyGrantingTicket to the "/proxy" endpoint":

Your logs don’t show this. There is no validation failure for a given PT because it’s expired. In fact, all your STs and PTs are validated successfully.

-- 
Misagh
--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/70c35ab9-9823-43b4-bb85-5694307d3e27%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

William

Aug 23, 2016, 9:33:52 AM
to CAS Community, mmoa...@unicon.net
Misagh,

It could be an issue with the test, but it would seem that the same test would fail in CAS 4.2.x.

Here is the sequence of steps:

1) Post a user name and password to /cas/v1/tickets and get a Ticket Granting Ticket.

2) Post the Ticket Granting Ticket and registered service you want to access (in this case "/protected-web-app") to "/cas/v1/tickets/<TGT>" where TGT is the Ticket Granting Ticket and obtain a Service Ticket.

3) Send a GET request to "/cas/serviceValidate" containing the service to access, the Service Ticket, and the proxy URL of the service (in this case "/protected-web-app/proxyUrl" which is the CAS client).  A Proxy Granting Ticket IOU will be issued.

4) Send a GET request to the proxy URL of the service (in this case "/protected-web-app/proxyUrl" which is the CAS client) and get a Proxy Granting Ticket.

5) Send a GET request to "/cas/proxy" containing the Proxy Granting Ticket and get a one-time use Proxy Ticket.

6) Send a GET request to "/cas/proxyValidate" containing the service to access (in this case "/protected-web-app"), the Proxy Ticket, and the proxy URL (in this case "/protected-web-app/proxyUrl" which is the CAS client).  You should get the corresponding Proxy Granting Ticket and proxy URL that was issued for this Proxy Ticket.

Step 6 is where it fails and says the Proxy Ticket was already used.  

I will look into this a bit more, but I am confused why this would work in CAS 4.2.x.

Misagh Moayyed

Aug 23, 2016, 9:49:18 AM
to CAS Community
I "might" know what the issue may be. Your final validation event is not failing because of expiration policies. That bit is fine. Your test is also fine. It’s failing afterwards where the validation spec does not allow use of proxies. Go ahead and submit an issue. Possible bean injection problem, etc. We’ll review it together.

Thanks!

-- 
Misagh
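
Added example, not part of the thread and not code from CAS or the linked test suite: the two explanations discussed above (ticket already used versus ticket rejected by the validation specification) correspond to different failure codes defined by the CAS protocol, so a functional test can tell them apart by parsing the /proxyValidate response body instead of reading server logs. The sample bodies, ticket id, user name and URL are constructed, and `parse_validation` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used by CAS validation responses

# CAS protocol failure codes and what each one tells the tester to check next.
HINTS = {
    "INVALID_TICKET": "ticket unknown, expired, or already used",
    "INVALID_TICKET_SPEC": "ticket found, but rejected by the validation specification",
    "INVALID_SERVICE": "service differs from the one the ticket was issued for",
    "UNAUTHORIZED_SERVICE_PROXY": "service is not allowed to proxy",
    "INVALID_PROXY_CALLBACK": "pgtUrl callback could not be verified",
}

def parse_validation(xml_text):
    """Parse a /serviceValidate or /proxyValidate body into a dict."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("CAS responses carry no DTD; refusing to parse")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}serviceResponse" % NS["cas"]:
        raise ValueError("not a cas:serviceResponse")
    fail = root.find("cas:authenticationFailure", NS)
    if fail is not None:
        code = fail.get("code", "")
        return {"ok": False, "code": code, "hint": HINTS.get(code, "unknown code"),
                "message": (fail.text or "").strip()}
    ok = root.find("cas:authenticationSuccess", NS)
    if ok is None:
        raise ValueError("neither success nor failure element present")
    user = (ok.findtext("cas:user", default="", namespaces=NS) or "").strip()
    if not user:
        raise ValueError("success response without cas:user")
    # The proxy chain lists the callback URLs of the services that proxied the request.
    proxies = [p.text.strip() for p in ok.findall("cas:proxies/cas:proxy", NS) if p.text]
    return {"ok": True, "user": user, "proxies": proxies,
            "pgt_iou": ok.findtext("cas:proxyGrantingTicket", namespaces=NS)}

# Constructed sample bodies (ticket id, user and URL are made up for this example).
SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>casuser</cas:user>
    <cas:proxies><cas:proxy>https://app.example/protected-web-app/proxyUrl</cas:proxy></cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET_SPEC">
    Ticket PT-0-constructed rejected (constructed message)
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    for body in (SUCCESS, FAILURE):
        print(parse_validation(body))
```
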

William

Aug 23, 2016, 11:18:21 AM
to CAS Community, mmoa...@unicon.net
Misagh,

I really hope this is not an issue and maybe something strange with my test.

I did open an issue: https://github.com/apereo/cas/issues/1966

I will continue to troubleshoot this and see what I can find.

Thanks,

Bill Crowell