On Tue, Mar 16, 2010 at 2:17 PM, Adam Franco <[email protected]> wrote:
> *Question (up front for those skimming the list):*

Answers, for those looking for them quickly :-)

> Should my CAS server be returning proxy tickets that begin with "PT"?

No, it can return them with ST. See the spec for more info. It's been doing this since 3.0

> Is this a configuration option?

No, it's not.

> Is this something that was added after CAS-3.3.3?

No, it's been there since CAS 3

Cheers,
Scott

> *Background:*
>
> I have been recently testing the latest phpCAS version (1.1.0RC6 /
> https://www.ja-sig.org/svn/cas-clients/phpcas/tr...@48086) which now has
> a switch that now runs service tickets through a different path than proxy
> tickets. Their relevant change is:
>
> break; > case CAS_VERSION_2_0: // check for a Service or Proxy > Ticket > - if( preg_match('/^[SP]T-/',$ticket) ) { > - phpCAS::trace('ST or PT \''.$ticket.'\' found'); > + if (preg_match('/^ST-/', $ticket)) { > + phpCAS::trace('ST \'' . $ticket . '\' found'); > + $this->setST($ticket); > + unset ($_GET['ticket']); > + } else if (preg_match('/^PT-/', $ticket)) { > + phpCAS::trace('PT \'' . $ticket . 
'\' found'); > $this->setPT($ticket); > unset($_GET['ticket']); > } else if ( !empty($ticket) ) { > //ill-formed ticket, halt > phpCAS::error('ill-formed ticket found in the URL > (ticket=`'.htmlentities($ticket).'\')');
>
> What I noticed in testing with this client is that my CAS server
> (3.3.3 with a custom overlay) returns proxy tickets that begin with "ST-"
> rather than "PT-":
>
> https://login.middlebury.edu/cas/proxy?targetService=http%3A%2F%2Fchisel.middlebury.edu%2F~afranco%2Fphpcas_cookiestorage%2Fservice%2F%3Fparam%3D1397087449&pgt=TGT-2447-zAWGcUHZvTgFNaTwjWG1nSU0gxiOoCIbbflTgeunLwaMU2nJoq-harpie
>
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>     <cas:proxySuccess>
>         <cas:proxyTicket>ST-3103-cn5FJWG4Cvv4OdfGNAqZ-griffon</cas:proxyTicket>
>     </cas:proxySuccess>
> </cas:serviceResponse>
>
> Because phpCAS now switches based on the first part of the ticket string,
> proxy tickets get sent to the serviceValidate URL rather than the
> proxyValidate URL and fail validation. At the end of the day, it may be that
> this phpCAS change is invalid due to the CAS Protocol
> <http://www.jasig.org/cas/protocol> section 3.3.1 allowing proxy
> tickets to begin with "ST-":
>
>> Proxy tickets SHOULD begin with the characters, "PT-". Proxy tickets MUST
>> begin with either the characters, "ST-" or "PT-".
>
> *My questions for this list:*
>
> Should my CAS server be returning proxy tickets that begin with "PT"?
> Is this a configuration option?
> Is this something that was added after CAS-3.3.3?
>
> Once I know if my CAS server is messed up or is operating as expected, I'll
> follow up with the phpCAS team to notify them if their client change doesn't
> fit the protocol correctly.
>
> Thanks for your help,
> Adam
>
> P.S. I have attached my logs for the sequence for the client app, the
> service app, and the pgt storage script for reference in case they are
> helpful.
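
Review bot: the new `preg_match('/^ST-/', $ticket)` branch in the CAS_VERSION_2_0 case treats the prefix as proof of ticket type, but the section 3.3.1 text quoted in this message says proxy tickets MUST begin with either "ST-" or "PT-", so a proxy ticket such as the `ST-3103-...` one shown here is passed to `setST()` and then fails validation. Suggest keeping the original `/^[SP]T-/` match as a well-formedness check only and choosing between the service and proxy validation paths from how the client is configured rather than from the prefix. Minor style point: the added `unset ($_GET['ticket']);` has a space before the parenthesis while the existing `unset($_GET['ticket']);` two lines later does not.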
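
An added example (not phpCAS code and not part of the original message) of choosing the validation endpoint without trusting the ticket prefix, since section 3.3.1 as quoted above allows proxy tickets to begin with "ST-". The function names and the `$acceptsProxies` flag are hypothetical, and the example relies on the CAS protocol's rule that /proxyValidate validates service tickets as well as proxy tickets.

```php
<?php
// Added illustration; names below are hypothetical and not part of phpCAS.

/** The prefix is only a shape check: "ST-" may be a service OR a proxy ticket. */
function isWellFormedTicket(string $ticket): bool
{
    return preg_match('/^[SP]T-/', $ticket) === 1;
}

/**
 * Pick the validation path from the application's role, not from the prefix.
 * $acceptsProxies: true when this service is meant to be reached through a proxy.
 */
function chooseValidationPath(string $ticket, bool $acceptsProxies): string
{
    if (!isWellFormedTicket($ticket)) {
        throw new InvalidArgumentException('ill-formed ticket');
    }
    if (strpos($ticket, 'PT-') === 0 && !$acceptsProxies) {
        // "PT-" is unambiguous; a service that does not accept proxied
        // logins should refuse it instead of trying to validate it.
        throw new RuntimeException('proxy ticket not accepted by this service');
    }
    // /proxyValidate handles both ticket types, so an "ST-"-prefixed
    // proxy ticket validates correctly when proxies are accepted.
    return $acceptsProxies ? '/proxyValidate' : '/serviceValidate';
}

$samples = [
    // Proxy ticket taken from the proxySuccess response in the message above.
    ['ST-3103-cn5FJWG4Cvv4OdfGNAqZ-griffon', true],
    ['ST-3103-cn5FJWG4Cvv4OdfGNAqZ-griffon', false],
    // Constructed sample values.
    ['PT-1-constructedExample', true],
    ['PT-1-constructedExample', false],
    ['XX-1-constructedExample', true],
];

foreach ($samples as [$ticket, $acceptsProxies]) {
    $role = $acceptsProxies ? 'accepts proxies' : 'no proxies';
    try {
        $result = chooseValidationPath($ticket, $acceptsProxies);
    } catch (Exception $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    printf("%-40s %-16s %s\n", $ticket, $role, $result);
}
```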
