SEC-306: jsessionid included in CAS service on new Session -> authentication fails

[spring-projects-issues]

Daniel Wiell(Migrated from SEC-306) said:

I just upgraded from 0.83 to 1.0.1 and have encountered a problem.

Here is the important part of the configuration.

When accessing the application, without any previous HttpSession created, the service parameter in the CAS loginUrl request contains the jsessionid.
That is, CAS creates a ticket for the service:
https://tomcat/j_acegi_cas_security_check?jsessionid= C1A1049F8A
The service should be:
https://tomcat/j_acegi_cas_security_check

Hence, the login fails.

My first shot for workaround was to set createSessionAllowed to false. While this got rid of the jsessionid parameter, it prevents the ExceptionTranslatorFilter from storing the original request. Hence, the defaultTargetUrl will used for redirection.

In my solution, I override CasProcessingFilterEntryPoint.commence(), copy and pasted the function and changed row 66 from:
final String urlEncodedService = response.encodeURL(this.serviceProperties.getService());
to:
final String urlEncodedService = this.serviceProperties.getService();

This works fine for me, as the urlEncodedService anyway is URL encoded in line 73.

[spring-projects-issues]

Scott Battaglia said:

Acegi has the correct behavior. You are most likely using a version of CAS prior to 3.0.5, which did not strip the jsesson from the URL.

[spring-projects-issues]

Scott Battaglia said:

CAS 3.0.5 was released which should correct the problem:
http://www.ja-sig.org/products/cas/announcements/index.html#ann1

[spring-projects-issues]

Ben Alex said:

Scott, please close this issue if not Acegi Security specific.

[spring-projects-issues]

Scott Battaglia said:

This was resolved with a fix to the CAS Server, version 3.0.5. This version correctly removes session ids from service urls.