Hi Jérôme,

I wasn't able to restore "service" as a query parameter. For security reasons,
the HttpServletRequest class does not expose any methods to modify its query
parameters.

I’m not sure if there’s a better way, but what I ended up doing was writing a 
“Filter” that wraps the request in a “HttpServletRequestWrapper” class like the 
following.


import javax.servlet.Filter;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public final class OAuthServiceParameterFilter implements Filter {

  static class FilteredRequest extends HttpServletRequestWrapper {

    public FilteredRequest(final ServletRequest request) {
      super((HttpServletRequest) request);
    }

    @Override
    public String getParameter(final String param) {
      String value = super.getParameter(param);
      // Fall back to the "service" value OAuthAction stored in the session,
      // but only when the query parameter is missing from the request.
      if (param.equalsIgnoreCase("service") && (value == null)) {
        Object service = this.getSession().getAttribute("service");
        if (service != null) {
          value = service.toString();
        }
      }
      return value;
    }

    ...



With this class, every time ServiceThemeResolver calls “getParameter” for the 
“service” parameter, we return the service value that was stored in the session.



Thanks,


-- Jonathan
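
A complete version of that filter, as an added example that is not code from this thread or from CAS itself. It restores the session value only when the request carries no "service" parameter, so a value the client actually sent is never replaced, and it also answers getParameterValues and getParameterMap so that an argument extractor reading the request through either of those sees the same value as getParameter. It assumes the javax.servlet API of the CAS 3.5.x era, that OAuthAction stored the Service object in the session under OAuthConstants.SERVICE (as the OAuthAction excerpts quoted further down in this thread show), and that the parameter name the CAS argument extractors read is the literal "service".

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

import org.jasig.cas.authentication.principal.Service;
import org.jasig.cas.support.oauth.OAuthConstants;

/**
 * Added example (not CAS code): re-exposes the "service" value that OAuthAction
 * saved in the HTTP session as a request parameter, so that ServiceThemeResolver,
 * which reads request parameters rather than the session, can resolve the
 * registered service's theme on the OAuth callback.
 */
public final class OAuthServiceParameterFilter implements Filter {

    /** Parameter name read by the CAS argument extractors (assumed to be "service"). */
    static final String SERVICE_PARAM = "service";

    /** Request wrapper that fills in "service" from a value captured at wrap time. */
    static final class ServiceRestoringRequest extends HttpServletRequestWrapper {
        private final String restoredService;

        ServiceRestoringRequest(final HttpServletRequest request, final String restoredService) {
            super(request);
            this.restoredService = restoredService;
        }

        @Override
        public String getParameter(final String name) {
            final String value = super.getParameter(name);
            // Only fill the gap: a value the client actually sent is never replaced.
            return value == null && SERVICE_PARAM.equals(name) ? restoredService : value;
        }

        @Override
        public String[] getParameterValues(final String name) {
            final String[] values = super.getParameterValues(name);
            return values == null && SERVICE_PARAM.equals(name)
                ? new String[] {restoredService} : values;
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            final Map<String, String[]> original = super.getParameterMap();
            if (original.containsKey(SERVICE_PARAM)) {
                return original;
            }
            final Map<String, String[]> copy = new HashMap<String, String[]>(original);
            copy.put(SERVICE_PARAM, new String[] {restoredService});
            return Collections.unmodifiableMap(copy);
        }
    }

    public void doFilter(final ServletRequest request, final ServletResponse response,
                         final FilterChain chain) throws IOException, ServletException {
        ServletRequest downstream = request;
        if (request instanceof HttpServletRequest) {
            final HttpServletRequest httpRequest = (HttpServletRequest) request;
            // Wrap only when the parameter is absent; getSession(false) never creates a session.
            if (httpRequest.getParameter(SERVICE_PARAM) == null) {
                final String saved = savedServiceId(httpRequest.getSession(false));
                if (saved != null) {
                    downstream = new ServiceRestoringRequest(httpRequest, saved);
                }
            }
        }
        chain.doFilter(downstream, response);
    }

    /** Returns the id of the Service that OAuthAction stored in the session, or null. */
    static String savedServiceId(final HttpSession session) {
        if (session == null) {
            return null;
        }
        // OAuthAction saves a Service object under OAuthConstants.SERVICE (see the thread below).
        final Object saved = session.getAttribute(OAuthConstants.SERVICE);
        if (saved instanceof Service) {
            return ((Service) saved).getId();
        }
        return saved == null ? null : saved.toString();
    }

    public void init(final FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
        // nothing to release
    }
}
```

Register it in web.xml with a filter-mapping whose url-pattern covers only the OAuth callback URL (the webflow URL, /login), ahead of the CAS dispatcher servlet. Because the filter consults an existing session through getSession(false) and wraps the request only when a saved service is present, unrelated requests pass through untouched and no session is created for them; for a service that is not registered, ServiceThemeResolver still falls back to the default theme exactly as it does today.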


From: Jérôme LELEU <lel...@gmail.com>
Reply-To: "cas-user@lists.jasig.org" <cas-user@lists.jasig.org>
Date: Thursday, July 17, 2014 at 5:11 AM
To: "cas-user@lists.jasig.org" <cas-user@lists.jasig.org>
Subject: Re: [cas-user] CAS OAuth Support 3.5.2 - Working with service
parameter.

Hi,

I don't remember how I came to test RequestContextUtil.getTheme, but you're
right, the default ServiceThemeResolver is based on the "service" query
parameter and not on the "service" in the webflow.

Would you mind overriding my OAuthAction with a new one restoring the "service"
as a query parameter and doing a new test?

Thanks.
Best regards,



Jérôme LELEU
Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org


2014-07-16 15:01 GMT+02:00 Jonathan H Shek <jhs...@mit.edu>:
Hi Jérôme,

Which theme resolver are you using?

Our code is configured as follows:

From our Cas-servlet.xml:


<!-- Theme Resolver -->
<bean id="themeResolver" class="org.jasig.cas.services.web.ServiceThemeResolver"
      p:defaultThemeName="${cas.themeResolver.defaultThemeName}"
      p:argumentExtractors-ref="argumentExtractors"
      p:servicesManager-ref="servicesManager">
  ...
</bean>

From our argumentExtractorsConfiguration.xml (I believe these are the default
argument extractors that come with CAS Server 3.5.2):


<bean id="casArgumentExtractor" class="org.jasig.cas.web.support.CasArgumentExtractor"
      p:httpClient-ref="noRedirectHttpClient"
      p:disableSingleSignOut="${slo.callbacks.disabled:false}"/>

<bean id="samlArgumentExtractor" class="org.jasig.cas.web.support.SamlArgumentExtractor"
      p:httpClient-ref="noRedirectHttpClient"
      p:disableSingleSignOut="${slo.callbacks.disabled:false}"/>

<util:list id="argumentExtractors">
  <ref bean="casArgumentExtractor"/>
  <ref bean="samlArgumentExtractor"/>
</util:list>


org.jasig.cas.services.web.ServiceThemeResolver:

public String resolveThemeName(final HttpServletRequest request) {
    if (this.servicesManager == null) {
        return getDefaultThemeName();
    }

    final Service service = WebUtils.getService(this.argumentExtractors, request);
    final RegisteredService rService = this.servicesManager.findServiceBy(service);
    ...
    return service != null && rService != null && StringUtils.hasText(rService.getTheme())
        ? rService.getTheme() : getDefaultThemeName();
}


The above “org.jasig.cas.services.web.ServiceThemeResolver.resolveThemeName” 
method calls each configured argument extractor class which in turn calls a 
static method “createServiceFrom” from the “SimpleWebApplicationServiceImpl” 
class which creates a service based on an HttpServletRequest’s query parameter.



public static SimpleWebApplicationServiceImpl createServiceFrom(
        final HttpServletRequest request, final HttpClient httpClient) {
    final String targetService = request.getParameter(CONST_PARAM_TARGET_SERVICE);
    final String method = request.getParameter(CONST_PARAM_METHOD);
    final String serviceToUse = StringUtils.hasText(targetService)
        ? targetService : request.getParameter(CONST_PARAM_SERVICE);
    ...



As far as I can tell, the theme resolver we're using looks for a service value
in an HttpServletRequest's parameters, while the OAuthAction class stores this
information in the session and RequestContext.


// retrieve parameters from web session
final Service service = (Service) session.getAttribute(OAuthConstants.SERVICE);
context.getFlowScope().put(OAuthConstants.SERVICE, service);

// save parameters in web session
final Service service = (Service) context.getFlowScope().get(OAuthConstants.SERVICE);
if (service != null) {
    session.setAttribute(OAuthConstants.SERVICE, service);
}



What am I missing?



I do see a "restoreRequestAttribute" method in the OAuthAction class, but this
method looks to only restore an attribute from a web session as a request
attribute, not as a request parameter.

In addition, this method is never called for the "service" attribute.


/**
 * Restore an attribute in web session as an attribute in request.
 *
 * @param request
 * @param session
 * @param name
 */
private void restoreRequestAttribute(final HttpServletRequest request,
                                     final HttpSession session, final String name) {
    final String value = (String) session.getAttribute(name);
    request.setAttribute(name, value);
}



Thank you in advance for any help or clarification you could provide.


-- Jonathan


From: Jérôme LELEU <lel...@gmail.com>
Reply-To: "cas-user@lists.jasig.org" <cas-user@lists.jasig.org>
Date: Wednesday, June 18, 2014 at 9:04 AM
To: "cas-user@lists.jasig.org" <cas-user@lists.jasig.org>
Subject: Re: [cas-user] CAS OAuth Support 3.5.2 - Working with service
parameter.

Hi,

Indeed, a logger.error would have been appreciated in the "catch
(TicketException" part.

Yes, the "restore" methods are the ones the comment is referring to. And they
are called before the exception is thrown: all parameters should be restored.

I've spent some time performing a full test and the theme is properly restored
through RequestContextUtil.getTheme. Here is the demo I set up:
https://github.com/leleuj/cas-oauth-demo-3.5.x/commit/8ccb17d18a1b2fbd3049022ce88455c581328bed.
I define a theme for my service and throw an exception as if the authentication
has failed -> the theme is properly restored and generates an error (I don't
have that theme)...

Hope it helps.
Best regards,
Jérôme




Jérôme LELEU
Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org


2014-06-17 0:25 GMT+02:00 Jonathan <jhs...@mit.edu>:
 The exception I got appears to have been caught and handled by 
CAS/OAuthAction.  There's not much of a trace in the log.

OAuthAction.doExecute:
.
.
.
            } catch (final TicketException e) {
                return error();
            }


cas.log
2014-06-16 18:07:07,023 INFO  
org.jasig.cas.authentication.AuthenticationManagerImpl - 
edu.cas.service.implementation.OAuthAuthenticationHandlerImplementation failed 
authenticating 
org.jasig.cas.support.oauth.authentication.principal.OAuthCredentials@27f34293

cas-authentication.log
2014-06-16 18:08:43,338 INFO  Audit trail record BEGIN
=============================================================
WHO: 
org.jasig.cas.support.oauth.authentication.principal.OAuthCredentials@27f34293
WHAT: error.authentication.credentials.bad.usernameorpassword
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Mon Jun 16 18:08:43 EDT 2014
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

Again, the problem seems to be that when RequestContextUtil.getTheme is 
eventually called, the default theme is used because the service parameter is 
null.


The following is the comment for the OAuthAction class:

/**
 * This class represents an action in the webflow to retrieve OAuth information
 * on the callback url which is the webflow url (/login). The
 * {@link org.jasig.cas.support.oauth.OAuthConstants.OAUTH_PROVIDER} and the
 * other OAuth parameters are expected after OAuth authentication.
 * Providers are defined by configuration. The
 * {@link org.jasig.cas.support.oauth.OAuthConstants.SERVICE},
 * {@link org.jasig.cas.support.oauth.OAuthConstants.THEME},
 * {@link org.jasig.cas.support.oauth.OAuthConstants.LOCALE} and
 * {@link org.jasig.cas.support.oauth.OAuthConstants.METHOD} parameters are
 * saved and restored from web session after OAuth authentication.
 *
 * @author Jerome Leleu
 * @since 3.5.0
 */

Is the comment about restoring parameters from the web session referring to the 
following code?

// retrieve parameters from web session
final Service service = (Service) session.getAttribute(OAuthConstants.SERVICE);
context.getFlowScope().put(OAuthConstants.SERVICE, service);
restoreRequestAttribute(request, session, OAuthConstants.THEME);
restoreRequestAttribute(request, session, OAuthConstants.LOCALE);
restoreRequestAttribute(request, session, OAuthConstants.METHOD);


Thanks,

--
You are currently subscribed to cas-user@lists.jasig.org as: lel...@gmail.com
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user

