Hi Ray
I did try to put the .* in the services URL, but no joy.
Here is my service file
{
@class: org.apereo.cas.services.RegexRegisteredService
serviceId: ^https://travel.host.edu:4447/tvlexp/.*(\\z|.*)
name: Travel and Expense
id: 1546908138322
description: Production
expirationPolicy:
{
@class: org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy
deleteWhenExpired: false
notifyWhenDeleted: false
}
proxyPolicy:
{
@class: org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy
}
evaluationOrder: -1
usernameAttributeProvider:
{
@class: org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider
canonicalizationMode: NONE
encryptUsername: false
}
logoutType: BACK_CHANNEL
attributeReleasePolicy:
{
@class: org.apereo.cas.services.ReturnAllAttributeReleasePolicy
principalAttributesRepository:
{
@class:
org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
expiration: 2
timeUnit: HOURS
}
consentPolicy:
{
@class:
org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy
enabled: true
}
authorizedToReleaseCredentialPassword: false
authorizedToReleaseProxyGrantingTicket: false
excludeDefaultAttributes: false
authorizedToReleaseAuthenticationAttributes: true
}
multifactorPolicy:
{
@class:
org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
failureMode: NOT_SET
bypassEnabled: false
}
accessStrategy:
{
@class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
order: 0
enabled: true
ssoEnabled: true
requireAllAttributes: true
caseInsensitive: false
}
On Tuesday, January 8, 2019 at 12:27:37 PM UTC-5, rbon wrote:
>
> Jen,
>
> What kind of control do you have over the client application?
>
> It is odd that GLMSSESSIONID is sent as a parameter rather than being
> stored in a cookie, but stranger things have happened.
>
> What does your service entry look like?
>
> We have some entries that end in a fixed pattern and some that end with .*
> It has been a while since I encountered this error and I am not sure if
> changes to the service entry will affect the result.
>
> Ray
>
> On Tue, 2019-01-08 at 08:33 -0800, Jennifer LaVoie wrote:
>
> here is the complete error I get
>
> org.jasig.cas.client.validation.TicketValidationException:
> org.opensaml.SAMLException: Ticket
> 'ST-68-Ym0B6A15gcil-QfPnLUps5D8Zt8-cas3-test' does not match supplied
> service. The original service was
> 'https://travel-test.host.edu:4443/tvlexp/index.htm;GLMSSESSIONID=NUwuSWilRK-4UvO5dzEvnCinKPmZgMxDmvRnbuoSFXSp7uuseQk-!304726366'
> and the supplied service was
> 'https://travel-test.host.edu:4443/tvlexp/index.htm'.
> at
> org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:93)
> at
> org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:188)
> at
> org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
> at
> weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
> at
> org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:111)
> at
> weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
> at
> org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:99)
> at
> weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
> at
> weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
> at
> weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
> at
> weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3748)
> at
> weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3714)
> at
> weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
> at
> weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
> at
> weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2283)
> at
> weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2182)
> at
> weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1499)
> at weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
> at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
> Caused by: org.opensaml.SAMLException: Ticket
> 'ST-68-Ym0B6A15gcil-QfPnLUps5D8Zt8-cas3-test' does not match supplied
> service. The original service was
> 'https://travel-test.host.edu:4443/tvlexp/index.htm;GLMSSESSIONID=NUwuSWilRK-4UvO5dzEvnCinKPmZgMxDmvRnbuoSFXSp7uuseQk-!304726366'
> and the supplied service was
> 'https://travel-test.host.edu:4443/tvlexp/index.htm'.
> at org.opensaml.SAMLException.getInstance(Unknown Source)
> at org.opensaml.SAMLResponse.fromDOM(Unknown Source)
> at org.opensaml.SAMLResponse.(Unknown Source)
> at
> org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:48)
>
>
> On Tuesday, January 8, 2019 at 2:35:58 AM UTC-5, alberto wrote:
>
> On Tue, 8 Jan 2019 00:50:10 +0000
> Ray Bon <[email protected]> wrote:
>
> > Jen,
> >
> > The ST is being validated against a URL with GLMSSESSIONID... but
> > this was not present with the log in request (the 2 need to match).
> > Change the CAS client to not send GLMS... or send it with the log
> > in request.
> >
> > Or maybe change the service registry id to something like
> > https://travel.host.com:4447/tvlexp/tvlexp-flex/.* (memory may be
> > rusty here).
>
> Hi,
>
> I don't think this will work: when service registry URL doesn't match
> the supplied URL, the error message is different (something like "you
> are not authorized to use CAS").
>
> Greetings,
>
> --
> Alberto Cabello Sánchez
> Servicio de Informática
> Universidad de Extremadura
>
> --
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected] <javascript:>
>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/af7f218c-8905-4bc9-8610-44bdba482d74%40apereo.org.
