Closed fluca1978 closed 7 years ago
I've found that adding a line on the CAS_Client to remove the 'nocache' parameter it seems to work:
if (isset($request_uri[1]) && $request_uri[1]) { $query_string= $this->_removeParameterFromQueryString('ticket', $request_uri[1]); $query_string= $this->_removeParameterFromQueryString('nocache', $query_string);
Please check the logs before the authentication. It is highly likely the that initial redirect to the CAS server was done with a different service URL. If this service=xxxx does not 100% match with the other one during validation this could be the problem.
To debug you should share the full log. From first visit at the website and redirect to the CAS server and then the authentication failure. Carefully review what service URLs were used during all steps.
Btw. is there any specific reason why you are using the really old CAS10 Protocol?
Please note I was trying versione 1 of the protocol just in case the cas server was respnding with a different service url, but here follows a full 2 stack of the client in action:
89FC .START (2017-07-10 08:49:07) phpCAS-1.3.5 ****************** [CAS.php:468] 89FC .=> phpCAS::client('2.0', 'sso-t', 443, 'cas') [AuthenticationHandler.php:719] 89FC .| => CAS_Client::__construct('2.0', false, 'sso-t', 443, 'cas', true) [CAS.php:358] 89FC .| | Starting a new session u5pa4kqvnln3qas7sd5oogq860 [Client.php:932] 89FC .| | Session is not authenticated [Client.php:938] 89FC .| <= '' 89FC .<= '' 89FC .=> phpCAS::setNoCasServerValidation() [AuthenticationHandler.php:745] 89FC .| You have configured no validation of the legitimacy of the cas server. This is not recommended for production use. [CAS.php:1644] 89FC .<= '' 89FC .=> phpCAS::forceAuthentication() [AuthenticationHandler.php:753] 89FC .| => CAS_Client::forceAuthentication() [CAS.php:1098] 89FC .| | => CAS_Client::isAuthenticated() [Client.php:1280] 89FC .| | | => CAS_Client::_wasPreviouslyAuthenticated() [Client.php:1393] 89FC .| | | | no user found [Client.php:1635] 89FC .| | | <= false 89FC .| | | no ticket found [Client.php:1494] 89FC .| | <= false 89FC .| | => CAS_Client::redirectToCas(false) [Client.php:1289] 89FC .| | | => CAS_Client::getServerLoginURL(false, false) [Client.php:1656] 89FC .| | | | => CAS_Client::getURL() [Client.php:342] 89FC .| | | | | Final URI: http://localhost/edilweb/ [Client.php:3549] 89FC .| | | | <= 'http://localhost/edilweb/' 89FC .| | | <= 'https://sso-t/cas/login?service=http%3A%2F%2Flocalhost%2Fedilweb%2F' 89FC .| | | Redirect to : https://sso-t/cas/login?service=http%3A%2F%2Flocalhost%2Fedilweb%2F [Client.php:1663] 89FC .| | | exit() 89FC .| | | - 89FC .| | - 89FC .| - 4681 .START (2017-07-10 08:49:16) phpCAS-1.3.5 ****************** [CAS.php:468] 4681 .=> phpCAS::client('2.0', 'sso-t', 443, 'cas') [AuthenticationHandler.php:719] 4681 .| => CAS_Client::__construct('2.0', false, 'sso-t', 443, 'cas', true) [CAS.php:358] 4681 .| | Starting a new session u5pa4kqvnln3qas7sd5oogq860 [Client.php:932] 4681 .| | Session is not authenticated [Client.php:938] 4681 .| | Ticket 'ST-77-sIv45FqninZAymacwhdD-cas' found [Client.php:1020] 4681 .| <= '' 4681 .<= '' 4681 .=> phpCAS::setNoCasServerValidation() [AuthenticationHandler.php:745] 4681 .| You have configured no validation of the legitimacy of the cas server. This is not recommended for production use. [CAS.php:1644] 4681 .<= '' 4681 .=> phpCAS::forceAuthentication() [AuthenticationHandler.php:753] 4681 .| => CAS_Client::forceAuthentication() [CAS.php:1098] 4681 .| | => CAS_Client::isAuthenticated() [Client.php:1280] 4681 .| | | => CAS_Client::_wasPreviouslyAuthenticated() [Client.php:1393] 4681 .| | | | no user found [Client.php:1635] 4681 .| | | <= false 4681 .| | | CAS 2.0 ticket
ST-77-sIv45FqninZAymacwhdD-cas' is present [Client.php:1446]
4681 .| | | => CAS_Client::validateCAS20('', NULL, NULL, false) [Client.php:1448]
4681 .| | | | [Client.php:3169]
4681 .| | | | => CAS_Client::getServerServiceValidateURL() [Client.php:3176]
4681 .| | | | | => CAS_Client::getURL() [Client.php:453]
4681 .| | | | | | Final URI: http://localhost/edilweb/?nocache=1499669356103 [Client.php:3549]
4681 .| | | | | <= 'http://localhost/edilweb/?nocache=1499669356103'
4681 .| | | | <= 'https://sso-t/cas/serviceValidate?service=http%3A%2F%2Flocalhost%2Fedilweb%2F%3Fnocache%3D1499669356103'
4681 .| | | | => CAS_Client::_readURL('https://sso-t/cas/serviceValidate?service=http%3A%2F%2Flocalhost%2Fedilweb%2F%3Fnocache%3D1499669356103&ticket=ST-77-sIv45FqninZAymacwhdD-cas', NULL, NULL, NULL) [Client.php:3191]
4681 .| | | | | => CAS_Request_CurlRequest::sendRequest() [AbstractRequest.php:242]
4681 .| | | | | | Response Body:
4681 .| | | | | |
Now the service is http://localhost/edilweb
and it seems to me it does match, but it is the nocache option that is hardcoded into the cas redirect code that makes the URL do not match. That's why adding the extra option removal in the php source code:
$query_string= $this->_removeParameterFromQueryString('nocache', $query_string);
makes it working. Any idea?
The nocache= in the service URL is certainly the issue why the ticket are not validate.
You claim that this is added by phpCAS. I'm however pretty certain we are not adding anything in the URLs but only in the HTTP Headers. I did a full search of our code for this string but did not find any hits.
Are you sure this is not caused by your own code/config?
You claim that this is added by phpCAS.
No, I was saying that the cas server was inserting this parameter and that the cas client (phpCAS) was not removing it. I found that our cas application has a Java class org.jasig.cas.web.flowDynamicRedirectViewSelector that seems to insert such parameter in the URL as follows:
url = url + "nocache=" + System.currentTimeMillis();
Since I don't own the configuration of the cas server, but I'm in charge of the cas client, is there a way to instrument phpCAS to avoid such parameter in the redirect URL? The only way I found is to change the phpCAS code to remove the nocache
parameter similarly as the ticket
one.
On the other hand, could I allow phpCAS to accept the nocache
disregarding its value (that is a timestamp and therefore cannot be known at priori)?
Suggestions?
Sorry for misunderstanding.
It really makes no sense that the CAS server is injecting this nocache
parameter. This seems like an odd fix for some issue on another CAS client app.
The service URL is an integral part of the authentication and nothing that should be changed by the server.... The change violates the CAS protocol specs. See 2.2.1 and 2.2.4
If you want you can use phpCAS::setFixedServiceURL() to manually fix the URL. I'm however not sure the fixes this odd hack.
This would be fixing a bad workaround with another one.
You should be talking to the owners of the CAS server and let them explain what they are doing. In my view they have broken the protocol...
Thanks for the explaination, it is quite clear this is not an issue with phpCAS, so I close the issue.
Using version 1.3.5 I've got the error `CAS response: no after a correct login on the cas login page.
The error reported is: Fatal error: Uncaught CAS_AuthenticationException: CAS URL: https://sso-t.comune.modena.it/cas/validate?service=http%3A%2F%2Flocalhost%2Fedilweb%2F%3Fnocache%3D1499421369574&ticket=ST-52-Hfcod30Jf0Urv9jVfl6d-cas Authentication failure: ST not validated Reason: CAS error CAS response: no in /sviluppo/php/CAS-1.3.5/CAS/Client.php:2012 Stack trace: #0 /sviluppo/php/CAS-1.3.5/CAS/Client.php(1432): CAS_Client->validateCAS10('https://sso-t.c...', 'no\n\n', NULL, false) #1 /sviluppo/php/CAS-1.3.5/CAS/Client.php(1280): CAS_Client->isAuthenticated() #2 /sviluppo/php/CAS-1.3.5/CAS.php(1098): CAS_Client->forceAuthentication()
and the log of cas is as follows:
5B33 .=> phpCAS::forceAuthentication() [AuthenticationHandler.php:745] 5B33 .| => CAS_Client::forceAuthentication() [CAS.php:1098] 5B33 .| | => CAS_Client::isAuthenticated() [Client.php:1280] 5B33 .| | | => CAS_Client::_wasPreviouslyAuthenticated() [Client.php:1393] 5B33 .| | | | no user found [Client.php:1635] 5B33 .| | | <= false 5B33 .| | | CAS 1.0 ticket
ST-52-Hfcod30Jf0Urv9jVfl6d-cas' is present [Client.php:1430] 5B33 .| | | => CAS_Client::validateCAS10('', NULL, NULL, false) [Client.php:1432] 5B33 .| | | | => CAS_Client::getServerServiceValidateURL() [Client.php:1990] 5B33 .| | | | | => CAS_Client::getURL() [Client.php:453] 5B33 .| | | | | | Final URI: http://localhost/edilweb/?nocache=1499421369574 [Client.php:3548] 5B33 .| | | | | <= 'http://localhost/edilweb/?nocache=1499421369574' 5B33 .| | | | <= 'https://sso-t.comune.modena.it/cas/validate?service=http%3A%2F%2Flocalhost%2Fedilweb%2F%3Fnocache%3D1499421369574' 5B33 .| | | | => CAS_Client::_readURL('https://sso-t/cas/validate?service=http%3A%2F%2Flocalhost%2Fedilweb%2F%3Fnocache%3D1499421369574&ticket=ST-52-Hfcod30Jf0Urv9jVfl6d-cas', NULL, NULL, NULL) [Client.php:1999] 5B33 .| | | | | => CAS_Request_CurlRequest::sendRequest() [AbstractRequest.php:242] 5B33 .| | | | | | Response Body: 5B33 .| | | | | | no 5B33 .| | | | | |5B33 .| | | | | |
5B33 .| | | | | | [CurlRequest.php:84] 5B33 .| | | | | <= true 5B33 .| | | | <= true 5B33 .| | | | Ticket has not been validated [Client.php:2011] 5B33 .| | | | => CAS_AuthenticationException::__construct(CAS_Client, 'ST not validated', 'https://sso-t.comune.modena.it/cas/validate?service=http%3A%2F%2Flocalhost%2Fedilweb%2F%3Fnocache%3D1499421369574&ticket=ST-52-Hfcod30Jf0Urv9jVfl6d-cas', false, false, 'no') [Client.php:2014] 5B33 .| | | | | => CAS_Client::getURL() [AuthenticationException.php:77] 5B33 .| | | | | <= 'http://localhost/edilweb/?nocache=1499421369574' 5B33 .| | | | | CAS URL: https://sso-t/cas/validate?service=http%3A%2F%2Flocalhost%2Fedilweb%2F%3Fnocache%3D1499421369574&ticket=ST-52-Hfcod30Jf0Urv9jVfl6d-cas [AuthenticationException.php:80] 5B33 .| | | | | Authentication failure: ST not validated [AuthenticationException.php:81] 5B33 .| | | | | Reason: CAS error [AuthenticationException.php:90] 5B33 .| | | | | CAS response: no 5B33 .| | | | |
5B33 .| | | | | [AuthenticationException.php:102] 5B33 .| | | | | exit() `