Hi everyone,

We are rolling out the latest cas and have an error happening with a client 
that url-encodes the service parameter:

https://cas2.mygcx.org/internal/login?service=https%3A%2F%2Fdataserver.tntkdware.com%2Fdataserver%2Ftoontown%2Fstaffportal%2Flogin.aspx%3FReturnUrl%3D%252fdataserver%252ftoontown%252fstaffportal%252fdefault.aspx&logoutCallback=https%3A%2F%2Fdataserver.tntkdware.com%2Fdataserver%2Ftoontown%2Fstaffportal%2Flogin.aspx%3FReturnUrl%3D%252fdataserver%252ftoontown%252fstaffportal%252fdefault.aspx

which we then try to validate:

https://cas2.mygcx.org/internal/serviceValidate?service=https://dataserver.tntkdware.com/dataserver/toontown/staffportal/login.aspx?ReturnUrl=/dataserver/toontown/staffportal/default.aspx&ticket=ST-11-LPrVR3IDADciCrDxbu3F-cas

which gives us:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
        <cas:authenticationFailure code='INVALID_SERVICE'>
                ticket &#039;ST-11-LPrVR3IDADciCrDxbu3F-cas&#039; does not 
match supplied service.  The original service was 
&#039;https://dataserver.tntkdware.com/dataserver/toontown/staffportal/login.aspx?ReturnUrl=%2fdataserver%2ftoontown%2fstaffportal%2fdefault.aspx&#039;
 and the supplied service was 
&#039;https://dataserver.tntkdware.com/dataserver/toontown/staffportal/login.aspx?ReturnUrl=/dataserver/toontown/staffportal/default.aspx&#039;.
        </cas:authenticationFailure>
</cas:serviceResponse>

And the two urls extracted from that error message for readability:

https://dataserver.tntkdware.com/dataserver/toontown/staffportal/login.aspx?ReturnUrl=%2fdataserver%2ftoontown%2fstaffportal%2fdefault.aspx

https://dataserver.tntkdware.com/dataserver/toontown/staffportal/login.aspx?ReturnUrl=/dataserver/toontown/staffportal/default.aspx

The only difference which I can tell is the url-encoding...

So do I need to make sure all clients don't url-encode their service parameter 
or is there something I can do to tell CAS to allow them? Or is this possibly a 
CAS bug?

thanks,

ken.

Ken Burcham
Damrei Web Development
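
Added example, not part of the original message: a Python reproduction of the mismatch using the two request URLs quoted above (the `logoutCallback` parameter is left out). It assumes the server hands CAS each query parameter after exactly one round of URL-decoding; the helper names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# URLs copied from the message above (logoutCallback parameter omitted).
LOGIN_URL = (
    "https://cas2.mygcx.org/internal/login?service="
    "https%3A%2F%2Fdataserver.tntkdware.com%2Fdataserver%2Ftoontown%2Fstaffportal"
    "%2Flogin.aspx%3FReturnUrl%3D%252fdataserver%252ftoontown%252fstaffportal"
    "%252fdefault.aspx"
)
VALIDATE_URL = (
    "https://cas2.mygcx.org/internal/serviceValidate?service="
    "https://dataserver.tntkdware.com/dataserver/toontown/staffportal/login.aspx"
    "?ReturnUrl=/dataserver/toontown/staffportal/default.aspx"
    "&ticket=ST-11-LPrVR3IDADciCrDxbu3F-cas"
)
VALIDATE_BASE = "https://cas2.mygcx.org/internal/serviceValidate"


def received_param(url, name):
    """Query parameter value after one round of URL-decoding (assumption:
    this is the string the server-side request parser passes to CAS)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)[name][0]


def build_validate_url(service, ticket):
    """Encode the service value once so it decodes back to the same string."""
    return VALIDATE_BASE + "?" + urlencode({"service": service, "ticket": ticket})


def compare():
    at_login = received_param(LOGIN_URL, "service")        # keeps ReturnUrl=%2f...
    at_validate = received_param(VALIDATE_URL, "service")  # has ReturnUrl=/...
    ticket = received_param(VALIDATE_URL, "ticket")
    fixed_url = build_validate_url(at_login, ticket)
    return {
        "at_login": at_login,
        "at_validate": at_validate,
        "match_as_sent": at_login == at_validate,
        "fixed_url": fixed_url,
        "match_after_fix": received_param(fixed_url, "service") == at_login,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The two decoded values are the "original service" and "supplied service" strings from the error response: the validation request carries the service one decoding level further than the login request did.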