Hi,

Probably it's just me, but in our CAS (4.1.4) logs we have random errors 
like

    2016-08-25 11:03:05,399 ERROR [org.jasig.cas.CentralAuthenticationServiceImpl] - Service ticket [ST-113-icLdxoWXyaRPKXg4ZvJC-myhost] with service [https://something.net/whatever?param1=value1&param2=value2] does not match supplied service [https://something.net/whatever]

I tried to investigate the cause of this and wondered why the service 
id on the ticket has the params included, or whether that is on purpose. 

I then found this in SimpleWebApplicationServiceImpl.java:

    public static SimpleWebApplicationServiceImpl createServiceFrom(
        final HttpServletRequest request) {
        ...
        final String serviceToUse;
        ...
        } else if (StringUtils.hasText(service)) {
            serviceToUse = service;

        final String id = cleanupUrl(serviceToUse);
        ...

        return new SimpleWebApplicationServiceImpl(id, serviceToUse,
            artifactId, "POST".equals(method) ? Response.ResponseType.POST
                : Response.ResponseType.REDIRECT);
    }

The cleanupUrl method:

    /**
     * Cleanup the url. Removes jsession ids and query strings.
     *
     * @param url the url
     * @return sanitized url.
     */
    protected static String cleanupUrl(final String url) {
        if (url == null) {
            return null;
        }
        final int jsessionPosition = url.indexOf(";jsession");
        if (jsessionPosition == -1) {
            return url;
        }
        final int questionMarkPosition = url.indexOf('?');
        if (questionMarkPosition < jsessionPosition) {
            return url.substring(0, url.indexOf(";jsession"));
        }
        return url.substring(0, jsessionPosition)
            + url.substring(questionMarkPosition);
    }

So it seems that the query parameters are never removed from the URL if 
there is no jsession in it. Is this on purpose? Is it so that if a ticket is 
requested for service=http://xxx?yyy=zzz then the validation cannot be 
made against http://xxx?

Thanks!
Tom
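As an added illustration (not part of Tom's post and not CAS code, apart from the cleanupUrl logic copied from the excerpt above): a small Java triage helper that parses the quoted error line, runs both bracketed URLs through cleanupUrl and reports whether the two sides differ only in their query string, which is the case the post describes, or in the base URL, which is the situation the strict service match exists to catch. The class and method names are assumptions; the log line is constructed to match the one in the post.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added triage helper (not CAS code): explains a "does not match supplied service" log line.
public final class ServiceMismatchTriage {

    // Same logic as SimpleWebApplicationServiceImpl.cleanupUrl in CAS 4.1.x (copied from the post).
    static String cleanupUrl(final String url) {
        if (url == null) {
            return null;
        }
        final int jsessionPosition = url.indexOf(";jsession");
        if (jsessionPosition == -1) {
            return url;  // no jsessionid: the query string is kept untouched
        }
        final int questionMarkPosition = url.indexOf('?');
        if (questionMarkPosition < jsessionPosition) {
            return url.substring(0, jsessionPosition);  // '?' absent or before ';jsession': cut there
        }
        return url.substring(0, jsessionPosition) + url.substring(questionMarkPosition);
    }
    // The two bracketed URLs in the CentralAuthenticationServiceImpl error message.
    private static final Pattern MISMATCH = Pattern.compile(
        "with service \\[([^\\]]+)\\] does not match supplied service \\[([^\\]]+)\\]");
    static String withoutQuery(final String url) {
        final int q = url.indexOf('?');
        return q == -1 ? url : url.substring(0, q);
    }

    // null if the line is not this error; otherwise a one-line verdict for the operator.
    static String classify(final String logLine) {
        final Matcher m = MISMATCH.matcher(logLine);
        if (!m.find()) {
            return null;
        }
        final String ticketService = cleanupUrl(m.group(1));
        final String supplied = cleanupUrl(m.group(2));
        if (withoutQuery(ticketService).equals(withoutQuery(supplied))) {
            return "same base URL, only the query string differs";
        }
        return "different service: ticket presented by a service it was not issued for";
    }

    public static void main(final String[] args) {
        // Constructed log line with the same shape as the one quoted in the post.
        final String line = "2016-08-25 11:03:05,399 ERROR [org.jasig.cas.CentralAuthenticationServiceImpl] - Service ticket [ST-113-icLdxoWXyaRPKXg4ZvJC-myhost] with service"
            + " [https://something.net/whatever?param1=value1&param2=value2] does not match supplied service [https://something.net/whatever]";
        System.out.println(classify(line));
    }
}
```

Run it over a CAS log with a loop around classify to separate lines that are only a query-string disagreement (a client-side service URL inconsistency to fix) from lines where the base URL differs.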

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4a6db0a3-ec82-46d0-af78-3848351f3c9b%40apereo.org.