SAML2 service 7.1.x and 7.2.x


Agus Santosa

Aug 6, 2025, 10:41:33 AM
to CAS Community
Hi,

Does anyone notice any difference between 7.1.x and 7.2.x in terms of SAML2 service registry?
For my case, the same SAML2 service works in 7.1.x, but it is somehow not found/authorized in 7.2.x.

This is the log:
2025-08-06 10:06:48,023 TRACE [org.apereo.cas.services.mgmt.AbstractServicesManager] - <Service [local-saml-test] is not cached; Searching [JsonServiceRegistry]>
2025-08-06 10:06:48,025 TRACE [org.apereo.cas.support.saml.services.SamlIdPServicesManagerRegisteredServiceLocator] - <Reviewing service attributes [{headers={jakarta.servlet.http.HttpServletRequest.header-host=[localhost:8543], jakarta.servlet.http.HttpServletRequest.header-user-agent=[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0], jakarta.servlet.http.HttpServletRequest.header-accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8], jakarta.servlet.http.HttpServletRequest.header-accept-language=[en-US,en;q=0.5], jakarta.servlet.http.HttpServletRequest.header-accept-encoding=[gzip, deflate, br, zstd], jakarta.servlet.http.HttpServletRequest.header-referer=[https://localhost:9876/], jakarta.servlet.http.HttpServletRequest.header-connection=[keep-alive], jakarta.servlet.http.HttpServletRequest.header-cookie=[JSESSIONID=4A46B00617D6A13EA14E9F3E74A3D75D; _mkto_trk=id:287-VKI-861&token:_mch-localhost-c73c7200637fdabf3d894f21c3c7ef29; org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en-US], jakarta.servlet.http.HttpServletRequest.header-upgrade-insecure-requests=[1], jakarta.servlet.http.HttpServletRequest.header-sec-fetch-dest=[document], jakarta.servlet.http.HttpServletRequest.header-sec-fetch-mode=[navigate], jakarta.servlet.http.HttpServletRequest.header-sec-fetch-site=[same-site], jakarta.servlet.http.HttpServletRequest.header-priority=[u=0, i]}, RelayState=[saml-sp-relay-state], service=[https://localhost:8543/cas/idp/profile/SAML2/Callback?srid=a4g6f37hb5g945je30da1e82j6bh8i7&entityId=local-saml-test], httpRequest={jakarta.servlet.http.HttpServletRequest.httpMethod=[GET], jakarta.servlet.http.HttpServletRequest.requestURL=[https://localhost:8543/cas/login], jakarta.servlet.http.HttpServletRequest.requestURI=[/cas/login], jakarta.servlet.http.HttpServletRequest.requestId=[1], jakarta.servlet.http.HttpServletRequest.contextPath=[/cas], jakarta.servlet.http.HttpServletRequest.localeName=[kubernetes.docker.internal]}, cookies={jakarta.servlet.http.HttpServletRequest.cookie-JSESSIONID=[4A46B00617D6A13EA14E9F3E74A3D75D], jakarta.servlet.http.HttpServletRequest.cookie-_mkto_trk=[id:287-VKI-861&token:_mch-localhost-c73c7200637fdabf3d894f21c3c7ef29], jakarta.servlet.http.HttpServletRequest.cookie-org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=[en-US]}, org.apereo.cas.authentication.principal.Service=[https://localhost:8543/cas/idp/profile/SAML2/Callback?srid=a4g6f37hb5g945je30da1e82j6bh8i7&entityId=local-saml-test]}] for service id [local-saml-test] to match registered service [localsamltest]>
2025-08-06 10:06:48,026 TRACE [org.apereo.cas.services.mgmt.AbstractServicesManager] - <No service definition was provided>
2025-08-06 10:06:48,055 WARN [org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter] - <Service [AbstractWebApplicationService(id=local-saml-test, originalUrl=local-saml-test, artifactId=null, principal=null, source=service, tenant=null, loggedOutAlready=false, format=XML, attributes={headers={jakarta.servlet.http.HttpServletRequest.header-host=[localhost:8543], jakarta.servlet.http.HttpServletRequest.header-user-agent=[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0], jakarta.servlet.http.HttpServletRequest.header-accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8], jakarta.servlet.http.HttpServletRequest.header-accept-language=[en-US,en;q=0.5], jakarta.servlet.http.HttpServletRequest.header-accept-encoding=[gzip, deflate, br, zstd], jakarta.servlet.http.HttpServletRequest.header-referer=[https://localhost:9876/], jakarta.servlet.http.HttpServletRequest.header-connection=[keep-alive], jakarta.servlet.http.HttpServletRequest.header-cookie=[JSESSIONID=4A46B00617D6A13EA14E9F3E74A3D75D; _mkto_trk=id:287-VKI-861&token:_mch-localhost-c73c7200637fdabf3d894f21c3c7ef29; org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en-US], jakarta.servlet.http.HttpServletRequest.header-upgrade-insecure-requests=[1], jakarta.servlet.http.HttpServletRequest.header-sec-fetch-dest=[document], jakarta.servlet.http.HttpServletRequest.header-sec-fetch-mode=[navigate], jakarta.servlet.http.HttpServletRequest.header-sec-fetch-site=[same-site], jakarta.servlet.http.HttpServletRequest.header-priority=[u=0, i]}, RelayState=[saml-sp-relay-state], service=[https://localhost:8543/cas/idp/profile/SAML2/Callback?srid=a4g6f37hb5g945je30da1e82j6bh8i7&entityId=local-saml-test], httpRequest={jakarta.servlet.http.HttpServletRequest.httpMethod=[GET], jakarta.servlet.http.HttpServletRequest.requestURL=[https://localhost:8543/cas/login], jakarta.servlet.http.HttpServletRequest.requestURI=[/cas/login], jakarta.servlet.http.HttpServletRequest.requestId=[1], jakarta.servlet.http.HttpServletRequest.contextPath=[/cas], jakarta.servlet.http.HttpServletRequest.localeName=[kubernetes.docker.internal]}, cookies={jakarta.servlet.http.HttpServletRequest.cookie-JSESSIONID=[4A46B00617D6A13EA14E9F3E74A3D75D], jakarta.servlet.http.HttpServletRequest.cookie-_mkto_trk=[id:287-VKI-861&token:_mch-localhost-c73c7200637fdabf3d894f21c3c7ef29], jakarta.servlet.http.HttpServletRequest.cookie-org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=[en-US]}, org.apereo.cas.authentication.principal.Service=[https://localhost:8543/cas/idp/profile/SAML2/Callback?srid=a4g6f37hb5g945je30da1e82j6bh8i7&entityId=local-saml-test]})] is not authorized>


Agus Santosa

Aug 7, 2025, 2:45:38 PM
to CAS Community, Agus Santosa
Just to add more information, I downloaded a clean fresh version 7.2.5 and set it up without any customization.

My json service definition is very basic:
{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "test-saml",
  "name": "testsamlservice",
  "id": 100000999,
  "evaluationOrder" : 101,
  "metadataLocation": "file:/appl/sit/cas7/config/cihiServices/agus_metadata.xml"
}

I am using the sample application (https://github.com/apereo/saml2-sample-java-webapp) to generate metadata and test it.

I have no idea if there's additional configuration needed for v7.2+. I tried 7.3 RC and it behaves the same.
I guess I'm sticking with 7.1.x for now until I can figure out the solution.

Agus Santosa

Aug 7, 2025, 2:45:39 PM
to CAS Community, Agus Santosa
An update: the latest working version is 7.2.3.
It seems something started to break in 7.2.4.


Ray Bon

Aug 7, 2025, 4:29:52 PM
to cas-...@apereo.org
Agus,

There may be property changes to check: property renames or encryption key length changes.
 ./gradlew exportConfigMetadata
Will create config-metadata.properties; you can search for your properties, and in most cases old property descriptions will point to the new property.

Ray


Agus Santosa

Aug 8, 2025, 10:40:43 AM
to CAS Community, Ray Bon
Thank you for the suggestion, Ray.
I compared the output between 7.2.3 and 7.2.4 and there's no difference.

I dug the changelog for 7.2.4 and spotted a change in AbstractServiceFactory.java that might be the culprit:

//  if (StringUtils.isNotBlank(originalUrl) && originalUrl.startsWith("http") && originalUrl.contains("?")) {
    if (StringUtils.isNotBlank(originalUrl) && SimpleUrlValidator.getInstance().isValid(originalUrl)) {

The commented line is from 7.2.3 and the second line is the newer 7.2.4+ version.
I tried again to rebuild with 7.2.5, but this time with AbstractServiceFactory in my overlay and the above line reverted, and it works.

I wonder if any CAS developer lurking around this mailing list could comment on this behavior.

Agus Santosa

Aug 12, 2025, 1:06:50 PM
to CAS Community, Agus Santosa, Ray Bon
After further investigation, it affects localhost only, because Apache's UrlValidator considers localhost invalid by default.
My workaround is to create the UrlValidator with the "ALLOW_LOCAL_URLS" option, at least for development and local testing, and I can use the latest version, 7.2.5.
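
The two conditions Agus quotes, evaluated side by side so the localhost effect is visible. This is an added example, not code from the thread or from the CAS project: it reconstructs the 7.2.3 and 7.2.4+ checks from the two quoted lines, replaces StringUtils.isNotBlank with a local equivalent, assumes Apache Commons Validator on the classpath (the UrlValidator the last post names), and uses constructed URLs in which the srid value is a placeholder.

```java
// Added example, not CAS project code: the two conditions quoted from
// AbstractServiceFactory above, evaluated side by side over constructed
// service URLs with Apache Commons Validator's UrlValidator.
// Assumed build dependency: commons-validator (org.apache.commons.validator).
import org.apache.commons.validator.routines.UrlValidator;

public class ServiceUrlCheckDemo {

    /** Condition from the 7.2.3 line quoted in the post (the commented-out one). */
    static boolean check723(String originalUrl) {
        return isNotBlank(originalUrl)
            && originalUrl.startsWith("http")
            && originalUrl.contains("?");
    }

    /**
     * Condition from the 7.2.4+ line quoted in the post. The validator is a
     * parameter here so the default and ALLOW_LOCAL_URLS configurations can
     * be compared; in CAS it comes from SimpleUrlValidator.getInstance().
     */
    static boolean check724(String originalUrl, UrlValidator validator) {
        return isNotBlank(originalUrl) && validator.isValid(originalUrl);
    }

    /** Stand-in for org.apache.commons.lang3.StringUtils.isNotBlank used by the quoted code. */
    static boolean isNotBlank(String s) {
        return s != null && !s.isBlank();
    }

    public static void main(String[] args) {
        // Default instance: http/https/ftp schemes, and the host must be a
        // domain with a recognised TLD, so a bare "localhost" is rejected.
        UrlValidator strict = UrlValidator.getInstance();
        // Same scheme set plus ALLOW_LOCAL_URLS, the workaround from the thread:
        // TLD-less hostnames such as "localhost" are accepted.
        UrlValidator allowLocal = new UrlValidator(
            new String[] {"http", "https", "ftp"}, UrlValidator.ALLOW_LOCAL_URLS);

        // Constructed inputs. The first mirrors the callback URL in the TRACE
        // log (srid replaced by a placeholder), the second is the same URL on
        // a public host, the third has no query string, the last is the bare
        // SAML entityId that the WARN line shows as originalUrl.
        String[] inputs = {
            "https://localhost:8543/cas/idp/profile/SAML2/Callback?srid=example&entityId=local-saml-test",
            "https://sso.example.org/cas/idp/profile/SAML2/Callback?srid=example&entityId=local-saml-test",
            "https://sso.example.org/cas/login",
            "local-saml-test",
        };

        System.out.printf("%-98s %-6s %-13s %-13s%n",
            "originalUrl", "7.2.3", "7.2.4 default", "7.2.4 local");
        for (String url : inputs) {
            System.out.printf("%-98s %-6b %-13b %-13b%n",
                url, check723(url), check724(url, strict), check724(url, allowLocal));
        }
    }
}
```

Run it with commons-validator and its transitive dependencies on the classpath. The localhost row is the one whose result changes between the default validator and the ALLOW_LOCAL_URLS one, which matches what the thread narrows the problem down to. The third row shows a second difference between the two quoted conditions: the 7.2.3 check required a query string and the validator-based check does not. As the last post says, allowing local URLs is a development and local-testing setting, since it widens the set of hostnames accepted as service URLs.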
