Hi Marvin,

Questions finally come faster than expected...

I've made some tests to refresh my memory about the new design of CAS 4.0 (on my own overlay: https://github.com/leleuj/cas-overlay-demo). And I found a problem.

The way to reproduce the issue:

- URL: *http://localhost:8080/cas/login?service=http://front1*, authentication with *jle/jle*
- URL: *http://localhost:8080/cas/login?service=http://front1&renew=true*, authentication with *jle/jle* (same credentials)

When I try to validate the service ticket, I get an error:

Ticket failed validation specification. Possible errors could include attempting to validate a Proxy Ticket via a Service Ticket validator, or not complying with the renew true request.

It works properly with CAS server 3.5.2.

It comes from the new *supplementalAuthentications* property. When using renew=true, from the *AuthenticationViaFormAction* class, we call the *grantServiceTicket* method with non-null credentials in the *CentralAuthenticationServiceImpl* class. The new authentication is compared to the old one: if it's not the same, an error is thrown (like in 3.5), but the new (same) authentication is also added to the *supplementalAuthentications* property of the TGT [1].

When calling the *getChainedAuthentications* method from the TGT, the *supplementalAuthentications* are also returned [2].

In the *ServiceValidateController* class, we validate the returned assertion. In that case, it's the *Cas20WithoutProxyingValidationSpecification* class that checks if the chained authentications have just one element [3], which is false (2 elements are returned: one as the authentication and one more from the *supplementalAuthentications*). That's why it fails.

I don't think that it's the expected behaviour. Although I reviewed this source code (and especially the *supplementalAuthentications* property), I'm not sure I understand why we need it eventually, as we have the same authentication in the authentication and in the supplemental authentications. Can you give me some explanations on this?

Thanks.

Best regards,
Jérôme

[1]: https://github.com/Jasig/cas/blob/master/cas-server-core/src/main/java/org/jasig/cas/CentralAuthenticationServiceImpl.java#L294
[2]: https://github.com/Jasig/cas/blob/master/cas-server-core/src/main/java/org/jasig/cas/ticket/TicketGrantingTicketImpl.java#L217
[3]: https://github.com/Jasig/cas/blob/master/cas-server-core/src/main/java/org/jasig/cas/validation/Cas20WithoutProxyingValidationSpecification.java#L44

2013/9/26 Marvin S. Addison <[email protected]>

>> Tests are really necessary on these behaviours to avoid breaking things.
>
> Wholeheartedly agree. I thought we had test coverage for this, but
> apparently not. I'm happy to help out with that if you would like.
>
>> I opened JIRA CAS-1362: I will fix it as soon as possible. CAS-1348
>> might be related also.
>
> Sounds good. I will review any pull requests that come out of fixes.
>
> M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
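
The failure described in the message above, as an added example that is not part of the original thread and not CAS source code: a simplified Java model in which the class and method names follow the message, while the method bodies, the `String` stand-in for an authentication and the `RenewChainModel` wrapper are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the behaviour described in the message; names follow
// the message, bodies are assumptions and not the CAS sources.
public class RenewChainModel {

    // Stand-in for a TGT: one primary authentication plus supplemental ones.
    static class Tgt {
        final String authentication;
        final List<String> supplementalAuthentications = new ArrayList<>();

        Tgt(String principal) { this.authentication = principal; }

        // Models grantServiceTicket: null credentials mean no renew; with
        // credentials, a different principal is rejected and the same one
        // is recorded as a supplemental authentication.
        void grantServiceTicket(String credentialsPrincipal) {
            if (credentialsPrincipal == null) return;
            if (!authentication.equals(credentialsPrincipal)) {
                throw new IllegalStateException("principal mismatch");
            }
            supplementalAuthentications.add(credentialsPrincipal);
        }

        // As described: supplemental authentications are part of the chain.
        List<String> getChainedAuthentications() {
            List<String> chain = new ArrayList<>();
            chain.add(authentication);
            chain.addAll(supplementalAuthentications);
            return chain;
        }
    }

    // The "without proxying" check as described: exactly one chain element.
    static boolean isSatisfiedWithoutProxying(Tgt tgt) {
        return tgt.getChainedAuthentications().size() == 1;
    }

    public static void main(String[] args) {
        Tgt tgt = new Tgt("jle");              // constructed sample principal
        tgt.grantServiceTicket(null);          // login for service=http://front1
        boolean beforeRenew = isSatisfiedWithoutProxying(tgt);
        tgt.grantServiceTicket("jle");         // same user again with renew=true
        boolean afterRenew = isSatisfiedWithoutProxying(tgt);

        System.out.println("valid before renew: " + beforeRenew);
        System.out.println("valid after renew:  " + afterRenew);
        System.out.println("chain after renew:  " + tgt.getChainedAuthentications());
    }
}
```

A regression test for this behaviour would assert that the validation result is the same before and after a renew with identical credentials.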
