Proper way to detect if a ticket is a service ticket or a proxy ticket?


Pol Dellaiera

Nov 13, 2019, 2:26:01 AM
to CAS Community
Hi,

I'm writing a CAS library and I'm facing a question and I don't know how to address it.

The question is the following:

* What is the proper way to detect the type of a ticket in the URL?

- By doing some introspection on the request URL and detecting whether the ticket starts with ST- (for a service ticket) or PT- (for a proxy ticket)?
- By checking the configuration of serviceValidate and seeing whether the parameter pgtUrl is set or not?

I don't know which is the best option at the moment; any help/advice is welcome.

Ray Bon

Nov 14, 2019, 6:07:13 PM
to cas-...@apereo.org
Pol,

In the java client, https://github.com/apereo/java-cas-client/blob/master/cas-client-core/src/main/java/org/jasig/cas/client/proxy/Cas20ProxyRetriever.java, XmlUtils is used to get the 'proxyTicket'. Not sure why it is in XML but this might help you track down how it was done here.

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Pol Dellaiera

Nov 15, 2019, 12:00:31 PM
to CAS Community
Hi Ray,

I checked the file, and I understood it despite the fact that I'm not a Java developer.

However, I think this is not what I was looking for.

I will rephrase my question.

Context of the situation: development of a CAS client library for authentication.

I'm looking for the proper way to validate the ticket that is passed in the URL. Those tickets can be identified by their first three characters: "ST-" (service tickets) or "PT-" (proxy tickets).

When the CAS client library detects one of those tickets in the URL, it is supposed to trigger either a serviceValidate or a proxyValidate request.

As I see it, there are two ways to implement this mechanism:

1. Based on the ticket type, trigger one or the other validation service.
2. Based on the configuration, check whether the library is supposed to work in proxy mode; if yes use proxyValidate, if not use serviceValidate.

Now, what I'm asking here is precisely that: what is the proper way to validate a ticket? Should it be based on the ticket type the user receives in the query parameter, or on the configuration of the CAS client?

You can test online the stuff I'm developing here: https://cas-bundle-demo.herokuapp.com/

Thanks.

Ray Bon

Nov 15, 2019, 2:02:31 PM
to cas-...@apereo.org
Pol,

It is based on configuration (I should have looked more closely at your original request). In my Java demo app, there is this part in web.xml:

  <filter-mapping>
    <filter-name>CAS Validation Filter Proxy</filter-name>
    <url-pattern>/proxy/proxyClient</url-pattern>
    <url-pattern>/proxy/pgtCallback</url-pattern>
  </filter-mapping>

All calls to those paths will be directed to proxyValidate (filter-name is what I called it).

From the logs below, CAS returns an ST first and the client calls proxyValidate. This is step 4 in this description: https://apereo.github.io/cas/6.1.x/installation/Configuring-Proxy-Authentication.html. Thus you cannot base your decision on ST vs. PT, nor can it depend on the presence of a PGT.

These are the Tomcat access logs for a proxy app:

127.0.0.1 - - [15/Nov/2019:10:07:01 -0800] "GET /cas/login?service=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxy%2FproxyClient HTTP/1.1" 200 19800
127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "POST /cas/login?service=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxy%2FproxyClient HTTP/1.1" 302 -
127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "GET /cas/proxyValidate?pgtUrl=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxy%2FpgtCallback&ticket=ST-7-MNgTg1gFW66DcnOb68U8Q2mfNig-tomt&service=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxy%2FproxyClient HTTP/1.1" 200 1546
127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "GET /cas/proxy?pgt=PGT-4-FXrglfpmLmSLp-4Ag-kwHg3IUXzg4fFa2ZzLbaWylrRsjHYFVnc1K0dGNkZoGrtX01o-tomt&targetService=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxiable%2FproxyService%3Fparam%3DGetProxyData%26clientSessionId%3D99F6A3153E6E5B29571723C62774F410.aft HTTP/1.1" 200 212
127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "GET /cas/proxyValidate?ticket=PT-8-nn1IDJzmnko30aI5TtTmUaEE5ZA-tomt&service=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxiable%2FproxyService%3Fparam%3DGetProxyData%26clientSessionId%3D99F6A3153E6E5B29571723C62774F410.aft HTTP/1.1" 200 1538
127.0.0.1 - - [15/Nov/2019:10:07:21 -0800] "GET /cas/proxy?pgt=PGT-4-FXrglfpmLmSLp-4Ag-kwHg3IUXzg4fFa2ZzLbaWylrRsjHYFVnc1K0dGNkZoGrtX01o-tomt&targetService=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxiable%2FproxyService%3Fparam%3DGetProxyData%26clientSessionId%3D99F6A3153E6E5B29571723C62774F410.aft HTTP/1.1" 200 212
127.0.0.1 - - [15/Nov/2019:10:07:21 -0800] "GET /cas/proxyValidate?ticket=PT-9-bNJsO2Qk0XOgTHC4zUE-5KlnHog-tomt&service=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxiable%2FproxyService%3Fparam%3DGetProxyData%26clientSessionId%3D99F6A3153E6E5B29571723C62774F410.aft HTTP/1.1" 200 1539
127.0.0.1 - - [15/Nov/2019:10:07:22 -0800] "GET /cas/proxy?pgt=PGT-4-FXrglfpmLmSLp-4Ag-kwHg3IUXzg4fFa2ZzLbaWylrRsjHYFVnc1K0dGNkZoGrtX01o-tomt&targetService=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxiable%2FproxyService%3Fparam%3DGetProxyData%26clientSessionId%3D99F6A3153E6E5B29571723C62774F410.aft HTTP/1.1" 200 213
127.0.0.1 - - [15/Nov/2019:10:07:22 -0800] "GET /cas/proxyValidate?ticket=PT-10-T1X-UIA0m5BK0VHpBxZa9znOyco-tomt&service=https%3A%2F%2Fdemocasclientlocal.uvic.ca%2Fproxiable%2FproxyService%3Fparam%3DGetProxyData%26clientSessionId%3D99F6A3153E6E5B29571723C62774F410.aft HTTP/1.1" 200 1539

and this is the CAS audit log for the same:

2019-11-15 10:07:01,446 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:01 PST 2019|CAS|[event=success,timestamp=Fri Nov 15 10:07:01 PST 2019,source=RankedMultifactorAuthenticationProviderWebflowEventResolver]|AUTHENTICATION_EVENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,436 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|Supplied credentials: [RememberMeUsernamePasswordCredential(super=UsernamePasswordCredential(username=rbon, source=null, customFields={}), rememberMe=false)]|AUTHENTICATION_SUCCESS|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,438 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,principal=SimplePrincipal(id=rbon, attributes={uvicEduPersonNetLinkContactUpdateTimestamp=[20201024000000Z], mail=[rb...@uvic.ca.xxxyyyzzz], uvicEduPersonSpridenID=[V001], uvicEduPersonYubiKeyID=[cccccc], eduPersonNickname=[Ray], cn=[Ray Bon], sn=[Bon]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,444 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,principal=SimplePrincipal(id=rbon, attributes={uvicEduPersonNetLinkContactUpdateTimestamp=[20201024000000Z], mail=[rb...@uvic.ca.xxxyyyzzz], uvicEduPersonSpridenID=[V001], uvicEduPersonYubiKeyID=[cccccc], eduPersonNickname=[Ray], cn=[Ray Bon], sn=[Bon]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,446 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|TGT-4-*****9y2hvjd40o-tomt|TICKET_GRANTING_TICKET_CREATED|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,458 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,461 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|ST-7-MNgTg1gFW66DcnOb68U8Q2mfNig-tomt for https://democasclientlocal.uvic.ca/proxy/proxyClient|SERVICE_TICKET_CREATED|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,502 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|Supplied credentials: [AbstractCredential()]|AUTHENTICATION_SUCCESS|https://democasclientlocal.uvic.ca/proxy/pgtCallback|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,505 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|https://democasclientlocal.uvic.ca/proxy/pgtCallback|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,507 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|PGT-4-*****kZoGrtX01o-tomt|PROXY_GRANTING_TICKET_CREATED|https://democasclientlocal.uvic.ca/proxy/pgtCallback|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,510 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,principal=SimplePrincipal(id=rbon, attributes={cn=[Ray Bon], eduPersonNickname=[Ray], mail=[rb...@uvic.ca.xxxyyyzzz], sn=[Bon], uvicEduPersonNetLinkContactUpdateTimestamp=[20201024000000Z], uvicEduPersonSpridenID=[V001], uvicEduPersonYubiKeyID=[cccccc]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|https://democasclientlocal.uvic.ca/proxy/pgtCallback|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,512 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|ST-7-MNgTg1gFW66DcnOb68U8Q2mfNig-tomt|SERVICE_TICKET_VALIDATE_SUCCESS|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,553 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,558 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|PT-8-nn1IDJzmnko30aI5TtTmUaEE5ZA-tomt for https://democasclientlocal.uvic.ca/proxiable/proxyService?param=GetProxyData&clientSessionId=99F6A3153E6E5B29571723C62774F...|PROXY_TICKET_CREATED|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,595 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,principal=SimplePrincipal(id=rbon, attributes={cn=[Ray Bon], eduPersonNickname=[Ray], mail=[rb...@uvic.ca.xxxyyyzzz], sn=[Bon], uvicEduPersonNetLinkContactUpdateTimestamp=[20201024000000Z], uvicEduPersonSpridenID=[V001], uvicEduPersonYubiKeyID=[cccccc]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
2019-11-15 10:07:04,599 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|PT-8-nn1IDJzmnko30aI5TtTmUaEE5ZA-tomt|SERVICE_TICKET_VALIDATE_SUCCESS|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:21,225 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:21 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
2019-11-15 10:07:21,229 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:21 PST 2019|CAS|PT-9-bNJsO2Qk0XOgTHC4zUE-5KlnHog-tomt for https://democasclientlocal.uvic.ca/proxiable/proxyService?param=GetProxyData&clientSessionId=99F6A3153E6E5B29571723C62774F...|PROXY_TICKET_CREATED|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:21,257 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:21 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,principal=SimplePrincipal(id=rbon, attributes={cn=[Ray Bon], eduPersonNickname=[Ray], mail=[rb...@uvic.ca.xxxyyyzzz], sn=[Bon], uvicEduPersonNetLinkContactUpdateTimestamp=[20201024000000Z], uvicEduPersonSpridenID=[V001], uvicEduPersonYubiKeyID=[cccccc]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
2019-11-15 10:07:21,259 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:21 PST 2019|CAS|PT-9-bNJsO2Qk0XOgTHC4zUE-5KlnHog-tomt|SERVICE_TICKET_VALIDATE_SUCCESS|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:22,326 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:22 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
2019-11-15 10:07:22,330 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:22 PST 2019|CAS|PT-10-T1X-UIA0m5BK0VHpBxZa9znOyco-tomt for https://democasclientlocal.uvic.ca/proxiable/proxyService?param=GetProxyData&clientSessionId=99F6A3153E6E5B29571723C62774F...|PROXY_TICKET_CREATED|rbon|127.0.0.1|127.0.0.1
2019-11-15 10:07:22,342 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:22 PST 2019|CAS|[result=Service Access Granted,service=https://democasclientlocal.uvic.ca/pr...,principal=SimplePrincipal(id=rbon, attributes={cn=[Ray Bon], eduPersonNickname=[Ray], mail=[rb...@uvic.ca.xxxyyyzzz], sn=[Bon], uvicEduPersonNetLinkContactUpdateTimestamp=[20201024000000Z], uvicEduPersonSpridenID=[V001], uvicEduPersonYubiKeyID=[cccccc]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|127.0.0.1|127.0.0.1
2019-11-15 10:07:22,344 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:22 PST 2019|CAS|PT-10-T1X-UIA0m5BK0VHpBxZa9znOyco-tomt|SERVICE_TICKET_VALIDATE_SUCCESS|rbon|127.0.0.1|127.0.0.1

Ray
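The approach Ray describes (pick the validation endpoint from the client's configuration, and let proxyValidate accept both ST and PT), as an added example in Python. This is not code from the thread, from the CAS project or from the library Pol is writing. The CAS base URL, the service URLs, PROXY_CB, the user name "alice" and the fake_cas() stand-in that answers in place of a real server are all constructed for illustration; only the endpoint behaviour they imitate (serviceValidate rejects a PT, proxyValidate accepts ST and PT and lists the proxy chain, a pgtUrl request yields a PGTIOU) is the CAS protocol's.

```python
"""Choosing the CAS validation endpoint from client configuration, not
from the ticket prefix, and checking the CAS 2.0/3.0 XML response.

Added example for this thread; not code from CAS or from the library
discussed above. cas.example.org, the service URLs, PROXY_CB, the user
'alice' and fake_cas() are constructed stand-ins."""
import re
import urllib.parse
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Callable, List, Optional

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
# Tickets are ST-/PT- followed by [A-Za-z0-9-] only; anything else is
# rejected before it can reach a request URL.
TICKET_RE = re.compile(r"^(ST|PT)-[A-Za-z0-9-]+$")


@dataclass
class ClientConfig:
    cas_base: str                        # assumed: https://cas.example.org/cas
    service: str                         # this client's service URL, as sent to /login
    accept_proxy_tickets: bool = False   # True -> /proxyValidate, else /serviceValidate
    pgt_callback: Optional[str] = None   # pgtUrl: ask CAS for a PGT (either endpoint)


@dataclass
class Assertion:
    user: str
    pgt_iou: Optional[str] = None            # pair with the pgtId sent to pgt_callback
    proxies: List[str] = field(default_factory=list)


def validation_url(cfg: ClientConfig, ticket: str) -> str:
    """The endpoint depends only on cfg, never on the ticket prefix."""
    if not TICKET_RE.match(ticket):
        raise ValueError("malformed ticket")
    params = {"service": cfg.service, "ticket": ticket}
    if cfg.pgt_callback:
        params["pgtUrl"] = cfg.pgt_callback      # this client wants to proxy onward
    endpoint = "/proxyValidate" if cfg.accept_proxy_tickets else "/serviceValidate"
    return f"{cfg.cas_base}{endpoint}?{urllib.parse.urlencode(params)}"


def parse_response(xml_text: str, allowed_proxies=()) -> Assertion:
    """Parse <cas:serviceResponse>; refuse failures and unknown proxies."""
    root = ET.fromstring(xml_text)
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is not None:
        raise PermissionError(f"{fail.get('code')}: {(fail.text or '').strip()}")
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    user = ok.findtext("cas:user", namespaces=CAS_NS) if ok is not None else None
    if not user:
        raise PermissionError("no authenticationSuccess/user in response")
    # <cas:proxies> lists the pgtUrl of every proxy that minted this PT;
    # on proxyValidate any PGT holder can mint one, so check an allow list.
    proxies = [p.text.strip() for p in ok.findall("cas:proxies/cas:proxy", CAS_NS)]
    bad = [p for p in proxies if p not in allowed_proxies]
    if bad:
        raise PermissionError("untrusted proxy in chain: " + ", ".join(bad))
    return Assertion(user, ok.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS), proxies)


def validate(cfg, ticket, http_get: Callable[[str], str], allowed_proxies=()):
    return parse_response(http_get(validation_url(cfg, ticket)), allowed_proxies)


# --- constructed stand-in for the CAS server so the example runs offline ---
PROXY_CB = "https://proxy.example.org/pgtCallback"   # the proxy's pgtUrl (assumed)

def fake_cas(url: str) -> str:
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    ticket = q["ticket"][0]
    if "/serviceValidate?" in url and ticket.startswith("PT-"):
        return ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
                f"<cas:authenticationFailure code='INVALID_TICKET'>Ticket {ticket}"
                " not recognized</cas:authenticationFailure></cas:serviceResponse>")
    body = "<cas:user>alice</cas:user>"
    if "pgtUrl" in q:
        body += "<cas:proxyGrantingTicket>PGTIOU-1-example</cas:proxyGrantingTicket>"
    if ticket.startswith("PT-"):
        body += f"<cas:proxies><cas:proxy>{PROXY_CB}</cas:proxy></cas:proxies>"
    return ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
            f"<cas:authenticationSuccess>{body}</cas:authenticationSuccess>"
            "</cas:serviceResponse>")

PLAIN = ClientConfig("https://cas.example.org/cas", "https://app.example.org/login")
PROXY = ClientConfig("https://cas.example.org/cas", "https://proxy.example.org/proxyClient",
                     accept_proxy_tickets=True, pgt_callback=PROXY_CB)
BACKEND = ClientConfig("https://cas.example.org/cas", "https://backend.example.org/api",
                       accept_proxy_tickets=True)

if __name__ == "__main__":
    print(validate(PROXY, "ST-7-example", fake_cas))      # ST at proxyValidate, gets a PGTIOU
    print(validate(BACKEND, "PT-8-example", fake_cas, allowed_proxies=(PROXY_CB,)))
    try:
        validate(PLAIN, "PT-8-example", fake_cas)           # PT at serviceValidate fails
    except PermissionError as e:
        print("rejected:", e)
```

validation_url() rejects anything that is not a well-formed ST-/PT- ticket before it is interpolated into a request, and parse_response() refuses a proxy chain that is not on the client's allow list: on proxyValidate any service holding a PGT for the user can mint a PT for this service, so an empty allow list means trusting every proxy CAS knows about. The service value must be exactly the one sent to /login, since CAS compares them. For responses from a server you do not control, defusedxml is a safer parser than the stdlib one.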

Pol

Nov 15, 2019, 3:35:39 PM
to cas-...@apereo.org
Thanks Ray, you've confirmed what I was thinking.


Thanks for your time and help mate!

 -φol d.-
  Communications without intelligence is noise;
  Intelligence without communications is irrelevant.
  [Alfred M. Gray]
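To see the same thing in the logs Ray posted: the following added Python example (not from the thread, from CAS or from the library discussed) correlates Tomcat access-log lines with CAS audit-log lines per ticket and reports which endpoint each ticket was actually sent to. The sample lines are constructed in the format of those logs (shortened URLs, placeholder tickets, user "alice"); the inspektr field layout and the event names are taken from them. It also flags a validation call with no SERVICE_TICKET_VALIDATE_SUCCESS audit event, because CAS answers a failed validation with HTTP 200 and an XML failure body, so the access log alone cannot tell you whether a ticket was accepted.

```python
"""Tracing a CAS proxy chain through the Tomcat access log and the CAS
audit log, to see which CAS endpoint each ticket was actually sent to.

Added example for this thread, not code from CAS or from the library
discussed above. The log lines are constructed in the layout of the
logs posted in the thread (shortened URLs, placeholder tickets, user
'alice'); the inspektr field order and event names come from them."""
import re
import urllib.parse
from collections import defaultdict

ACCESS_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
TICKET_RE = re.compile(r"\b((?:ST|PT|PGT)-[A-Za-z0-9*-]+)")  # '*' for masked PGT ids


def parse_access(lines):
    """Yield (endpoint, ticket, has_pgtUrl, status) for each CAS call
    carrying a ticket= or pgt= parameter."""
    for line in lines:
        m = ACCESS_RE.search(line)
        if not m:
            continue
        url = urllib.parse.urlsplit(m.group("path"))
        q = urllib.parse.parse_qs(url.query)
        ticket = (q.get("ticket") or q.get("pgt") or [None])[0]
        if ticket:
            yield url.path, ticket, "pgtUrl" in q, int(m.group("status"))


def parse_audit(lines):
    """Yield (action, ticket, service, principal) from inspektr audit lines:
    '<logger> - <when>|CAS|<what>|<action>|<principal>|<client>|<server>'."""
    for line in lines:
        fields = line.split(" - ", 1)[-1].split("|")
        if len(fields) < 7:
            continue
        what, action, principal = fields[2], fields[3], fields[4]
        t = TICKET_RE.search(what)
        if t:
            service = what.split(" for ", 1)[1] if " for " in what else None
            yield action, t.group(1), service, principal


def ticket_key(ticket):
    """ST-7-abc -> ST-7: the audit log masks PGT ids (PGT-4-*****...), so
    tickets are correlated on type and sequence number only."""
    return "-".join(ticket.split("-")[:2])


def ticket_report(access_lines, audit_lines):
    """Per ticket: type, principal, target service, whether CAS audited a
    successful validation, and the endpoint the client actually called."""
    report = defaultdict(dict)
    for action, ticket, service, principal in parse_audit(audit_lines):
        r = report[ticket_key(ticket)]
        if action.endswith("_CREATED"):
            r.update(kind=ticket.split("-")[0], principal=principal, service=service)
        elif action == "SERVICE_TICKET_VALIDATE_SUCCESS":
            r["validated"] = True
    for path, ticket, has_pgt_url, status in parse_access(access_lines):
        report[ticket_key(ticket)].update(endpoint=path, pgt_url=has_pgt_url, status=status)
    return dict(report)


def unconfirmed_validations(report):
    """Validation calls with no SERVICE_TICKET_VALIDATE_SUCCESS audit event.
    CAS answers a failed validation with HTTP 200 and an XML
    <cas:authenticationFailure> body, so the access-log status alone
    proves nothing; the audit log has to agree."""
    return sorted(k for k, r in report.items()
                  if r.get("endpoint", "").endswith("Validate") and not r.get("validated"))


# --- constructed sample logs (same layout as the thread's, content made up) ---
ACCESS = [
    '127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "GET /cas/proxyValidate?pgtUrl=https%3A%2F%2Fproxy.example.org%2FpgtCallback&ticket=ST-7-abc&service=https%3A%2F%2Fproxy.example.org%2FproxyClient HTTP/1.1" 200 1546',
    '127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "GET /cas/proxy?pgt=PGT-4-secret&targetService=https%3A%2F%2Fbackend.example.org%2Fapi HTTP/1.1" 200 212',
    '127.0.0.1 - - [15/Nov/2019:10:07:04 -0800] "GET /cas/proxyValidate?ticket=PT-8-def&service=https%3A%2F%2Fbackend.example.org%2Fapi HTTP/1.1" 200 1538',
    # a PT sent to serviceValidate: CAS still answers 200, with an authenticationFailure body
    '127.0.0.1 - - [15/Nov/2019:10:07:22 -0800] "GET /cas/serviceValidate?ticket=PT-9-ghi&service=https%3A%2F%2Fbackend.example.org%2Fapi HTTP/1.1" 200 300',
]
_P = ("2019-11-15 10:07:04,461 INFO [org.apereo.inspektr.audit.support."
      "Slf4jLoggingAuditTrailManager] - Fri Nov 15 10:07:04 PST 2019|CAS|")
AUDIT = [
    _P + "ST-7-abc for https://proxy.example.org/proxyClient|SERVICE_TICKET_CREATED|alice|127.0.0.1|127.0.0.1",
    _P + "PGT-4-*****cret|PROXY_GRANTING_TICKET_CREATED|https://proxy.example.org/pgtCallback|127.0.0.1|127.0.0.1",
    _P + "ST-7-abc|SERVICE_TICKET_VALIDATE_SUCCESS|alice|127.0.0.1|127.0.0.1",
    _P + "PT-8-def for https://backend.example.org/api|PROXY_TICKET_CREATED|alice|127.0.0.1|127.0.0.1",
    _P + "PT-8-def|SERVICE_TICKET_VALIDATE_SUCCESS|alice|127.0.0.1|127.0.0.1",
    _P + "PT-9-ghi for https://backend.example.org/api|PROXY_TICKET_CREATED|alice|127.0.0.1|127.0.0.1",
]

if __name__ == "__main__":
    rep = ticket_report(ACCESS, AUDIT)
    for key in sorted(rep):
        print(key, rep[key])
    print("validation calls without a VALIDATE_SUCCESS event:", unconfirmed_validations(rep))
```

Run against the constructed lines, the report shows ST-7 validated at /cas/proxyValidate with a pgtUrl, PGT-4 used at /cas/proxy, PT-8 validated at /cas/proxyValidate, and PT-9 sent to /cas/serviceValidate with a 200 but no matching VALIDATE_SUCCESS event, which is the case a ticket-prefix-based client would produce.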

