While testing CAS 7 (RC7), we encountered either a puzzling bug, or some
configuration effect we don't understand.

Normally, if we don't specify an application for /cas/login, after
authentication we expect to be directed to a "Log In Successful" page for
an unknown target destination that displays the attributes and their values
for the user. We've found however, that once we've successfully logged in
for a target destination we actually have a service registration for (e.g.
"/cas/login?renew=true&service=https%3A%2F%2Fexample%2Ecom" [*]), any
subsequent attempts to use /cas/login without a target destination always
redirect us to the first successful target destination we successfully log
in to (e.g., example.com in this case). This even happens after
/cas/logout, a new private/incognito browser window, or even a different
browser, so it seems to be tied to the CAS server itself.

[*] For example, with the following JSON service registration for
example.com:

{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "name" : "Example_Default_MFA",
  "serviceId" : "^https://example\\.com(/.*)*",
  "description" : "Default MFA Test example.com",
  "id" : 20230720150127,
  "evaluationOrder" : 10000009,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
    "failureMode" : "OPEN"
  }
}

If we restart CAS, and try just "/cas/login", we get the expected
attributes results page. If we then try
"/cas/login?renew=true&service=https%3A%2F%2Fexample%2Ecom", we get the
expected example.com page. But if we then try just "/cas/login" again, we
are only directed back to example.com as previously described.

Only restarting CAS seems to clear the condition. After restart, if we
first try it with the example.com target, then without logging out try it
without a target using just "/cas/login" we get the expected attributes
page. However, if we then logout with "/cas/logout" and then once again use
just the target-less "/cas/login", we get directed back to example.com
rather than the attributes page.

-- 
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
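
A reproduction harness for the sequence described in this report, added here as an example (it is not code from the original message or from the CAS project). CAS_BASE, USERNAME and PASSWORD are placeholders, and it assumes the test account is not sent through an MFA prompt; the serviceId regex is the one from the registration above.

```python
import re
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

CAS_BASE = "https://cas.example.edu/cas"     # assumption: your CAS 7 RC7 server
USERNAME, PASSWORD = "testuser", "testpass"  # assumption: a test account that gets no MFA prompt
SERVICE = "https://example.com"
SERVICE_ID = re.compile(r"^https://example\.com(/.*)*")  # serviceId from the registration above

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx responses instead of following them
OPENER = urllib.request.build_opener(NoRedirect, urllib.request.HTTPCookieProcessor(CookieJar()))

def landing(status, location):
    """'service-redirect' = 3xx to the example.com service; 'page' = CAS rendered a page (e.g. attributes)."""
    if 300 <= status < 400 and location and SERVICE_ID.match(location):
        return "service-redirect"
    return "page" if status == 200 else "other:%d" % status

def request(path, form=None):
    """GET (or POST form data) and return (status, Location, body); redirects are not followed."""
    data = urllib.parse.urlencode(form).encode() if form else None
    try:
        resp = OPENER.open(CAS_BASE + path, data=data)
    except urllib.error.HTTPError as err:  # 3xx lands here because NoRedirect declined to follow it
        resp = err
    return resp.getcode(), resp.headers.get("Location"), resp.read().decode(errors="replace")

def login(service=None):
    """Drive the CAS login webflow; with a service, add renew=true exactly as in the report."""
    path = "/login" + ("?" + urllib.parse.urlencode({"renew": "true", "service": service}) if service else "")
    status, location, html = request(path)
    form = re.search(r'name="execution"\s+value="([^"]+)"', html)
    if form:  # a login form was shown: submit credentials with the webflow execution token
        status, location, _ = request(path, {"username": USERNAME, "password": PASSWORD,
                                             "execution": form.group(1), "_eventId": "submit"})
    return status, location

def reproduce():
    """Run the report's sequence after a CAS restart; the bug shows as 'service-redirect' on steps 3 and 5."""
    results = []
    for name, step in [("1 login, no service", login), ("2 login renew=true&service=example.com", lambda: login(SERVICE)),
                       ("3 GET /login, no service", lambda: request("/login")[:2]),
                       ("4 GET /logout", lambda: request("/logout")[:2]), ("5 login again, no service", login)]:
        status, location = step()
        results.append((name, landing(status, location)))
        print("%-42s -> %s %s [%s]" % (name, status, location or "", results[-1][1]))
    return results
```

Run `reproduce()` once right after restarting CAS; on a server that does not show the problem, steps 3 and 5 report `page` rather than `service-redirect`.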
