SEC-306: jsessionid included in CAS service on new Session -> authentication fails #570
Labels: in: cas (An issue in spring-security-cas); status: declined (A suggestion or change that we don't feel we should currently apply); type: bug (A general bug); type: jira (An issue that was migrated from JIRA)
Daniel Wiell (Migrated from SEC-306) said:
I just upgraded from 0.83 to 1.0.1 and have encountered a problem.
Here is the important part of the configuration.
When accessing the application, without any previous HttpSession created, the service parameter in the CAS loginUrl request contains the jsessionid.
That is, CAS creates a ticket for the service:
https://tomcat/j_acegi_cas_security_check?jsessionid=C1A1049F8A
The service should be:
https://tomcat/j_acegi_cas_security_check
Hence, the login fails.
My first shot at a workaround was to set createSessionAllowed to false. While this got rid of the jsessionid parameter, it prevents the ExceptionTranslationFilter from storing the original request. Hence, the defaultTargetUrl will be used for redirection.
In my solution, I override CasProcessingFilterEntryPoint.commence(): I copied and pasted the function and changed row 66 from:
final String urlEncodedService = response.encodeURL(this.serviceProperties.getService());
to:
final String urlEncodedService = this.serviceProperties.getService();
This works fine for me, as urlEncodedService is URL-encoded anyway on line 73.
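The following is an added example, not code from the issue or from the Acegi project, of the kind of entry point subclass the report describes: the CAS login redirect is built from the configured service URL directly, without passing it through response.encodeURL(), so a container's URL rewriting can never append a session id to the service that CAS will later validate the ticket against. The package names (org.acegisecurity.ui.cas, org.acegisecurity), the getters getLoginUrl(), getServiceProperties() and isSendRenew(), and the class name SessionIdFreeCasEntryPoint are assumptions. As a defensive extra that goes beyond the report, stripSessionId() also removes a jsessionid that is already present in a configured service value, in either the path-parameter form (";jsessionid=...") a servlet container normally emits or the query form ("?jsessionid=...") quoted above.

```java
import java.io.IOException;
import java.net.URLEncoder;

import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.acegisecurity.AuthenticationException;          // assumed package
import org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint; // assumed package

/**
 * Hypothetical entry point (not part of Acegi) that never lets a session id
 * leak into the CAS "service" parameter. The service string sent to CAS must
 * be identical to the one the ticket is validated against; a jsessionid
 * appended by URL rewriting breaks that equality and the login fails.
 */
public class SessionIdFreeCasEntryPoint extends CasProcessingFilterEntryPoint {

    public void commence(ServletRequest request, ServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        // Assumed getters on the Acegi base class.
        String service = getServiceProperties().getService();
        boolean renew = getServiceProperties().isSendRenew();
        String redirect = buildLoginRedirect(getLoginUrl(), service, renew);
        ((HttpServletResponse) response).sendRedirect(redirect);
    }

    /**
     * Builds loginUrl?service=<url-encoded service>[&renew=true].
     * The service is URL-encoded exactly once, here; response.encodeURL()
     * is deliberately not used.
     */
    static String buildLoginRedirect(String loginUrl, String service, boolean sendRenew)
            throws IOException {
        String cleanService = stripSessionId(service);
        StringBuffer buffer = new StringBuffer(255);
        buffer.append(loginUrl)
              .append("?service=")
              .append(URLEncoder.encode(cleanService, "UTF-8"));
        if (sendRenew) {
            buffer.append("&renew=true");
        }
        return buffer.toString();
    }

    /**
     * Removes a jsessionid from a URL, whether it appears as a path parameter
     * (";jsessionid=ABC") or as a query parameter ("?jsessionid=ABC&a=1",
     * "?a=1&jsessionid=ABC"), and tidies any separator left dangling.
     */
    static String stripSessionId(String url) {
        // Path-parameter form produced by servlet container URL rewriting.
        String s = url.replaceAll("(?i);jsessionid=[^?#;]*", "");
        // Query form; keep the '?' or '&' that preceded the parameter so the
        // remaining parameters stay correctly joined.
        s = s.replaceAll("(?i)([?&])jsessionid=[^&#]*&?", "$1");
        // Drop a '?' or '&' that now ends the URL or directly precedes '#'.
        s = s.replaceAll("[?&](#|$)", "$1");
        return s;
    }
}
```

With the example inputs from the report, stripSessionId("https://tomcat/j_acegi_cas_security_check?jsessionid=C1A1049F8A") yields "https://tomcat/j_acegi_cas_security_check", which is the service value CAS should see. Keeping the session id out of the service URL is also the safer default independent of this bug: a session id embedded in the URL is sent to the CAS server and ends up in its access logs and any Referer header, which is exactly the exposure that createSessionAllowed=false avoids at the cost of losing the saved request.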