
This queue is for tickets about the Authen-CAS-UserAgent CPAN distribution.

Report information
The Basics
Id: 83468
Status: resolved
Priority: 0/
Queue: Authen-CAS-UserAgent

People
Owner: Nobody in particular
Requestors: grousse [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: (no value)
Fixed in: (no value)



Hello.

Login form submission doesn't work with a jasig CAS server 3.4.7. Using the debugger, it seems related to the lack of an 'lt' field in the submission request in the default callback, which seems to be an anti-XSRF token. It is also sort-of documented in the comment before the callback definition:
TODO: add LT support

I tried to do it myself, but the login callback doesn't seem to receive the content of the related original request, needed to extract the lt value. And I was a bit lost about how the different callbacks are called exactly to get further...

On Wed Feb 20 05:31:43 2013, GROUSSE wrote:
> Hello.
>
> Login form submission doesn't work with a jasig CAS server 3.4.7. Using
> the debugger, it seems related to the lack of an 'lt' field in the
> submission request in the default callback, which seems to be an anti-XSRF
> token. It is also sort-of documented in the comment before the callback
> definition:
> TODO: add LT support
>
> I tried to do it myself, but the login callback doesn't seem to receive
> the content of the related original request, needed to extract the lt value.
> And I was a bit lost about how the different callbacks are called
> exactly to get further...

Hi,

I just packaged up some work I did on adding LT support a few months ago and pushed it to github [1]. I believe the code is complete, but I haven't tested it yet, so it might need some fixes.

The reason that the initial login page response isn't available in the handler is because that request hadn't fired at the point the handler is run. Authen::CAS::UserAgent looks for the redirect to the CAS login URL and authenticates the user at that point, before the redirect fires.

I'm going to leave this issue open for now until I get a chance to test the code and merge it into master.

-Daniel

[1] https://github.com/frett/perl-Authen-CAS-UserAgent/tree/ltSupport

On Wed Feb 20 13:46:38 2013, dfrett wrote:
> Hi,
> I just packaged up some work I did on adding LT support a few months
> ago and pushed it to github [1]. I believe the code is complete, but
> I haven't tested it yet, so it might need some fixes.

Hi Daniel.

I tested it, it's better, but it's not sufficient.

Here are the traces in CAS server log for release code:
"POST /cas/login HTTP/1.1" 200 5610 "-" "libwww-perl/6.04"
"GET /cas/login?service=http%3a%2f%2flocalhost%2f HTTP/1.1" 200 6222 "-" "libwww-perl/6.04 CAS-UserAgent/0.9"

Here are the same for the updated code:
"GET /cas/login?service=http%3A%2F%2Flocalhost%2F HTTP/1.1" 200 6222 "-" "libwww-perl/6.04"
"POST /cas/login HTTP/1.1" 302 - "-" "libwww-perl/6.04"
"GET /cas/login?service=http%3a%2f%2flocalhost%2f HTTP/1.1" 200 6222 "-" "libwww-perl/6.04 CAS-UserAgent/0.910"

The 302 response status to the POST request shows that authentication succeeded, but the agent is unable to extract the ticket from the location header in the response.

Here are the traces with an actual browser:
"GET /cas/login?service=http%3a%2f%2flocalhost%2f HTTP/1.1" 200 6083 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.1"
"POST /cas/login?service=http%3a%2f%2flocalhost%2f HTTP/1.1" 302 - "https://cas.domain.com/cas/login?service=http%3a%2f%2flocalhost%2f" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.1"
"GET /cas/serviceValidate?service=http%3a%2f%2flocalhost%2f&ticket=ST-19-NLTY4m60vKnWELBfMoGZ-localhost HTTP/1.1" 200 174 "-" "mod_auth_cas 1.0.9.1"

The main difference seems to be that the service is passed as a URL parameter when posting. I'll try to adapt the code myself.

On Thu Feb 21 10:59:06 2013, GROUSSE wrote:
> The main difference seems to be that the service is passed as a
> URL parameter when posting. I'll try to adapt the code myself.

Actually, the issue was due to the lack of cookie support in the agent used to retrieve the ticket. You have a pull request on github fixing the issue :)

On Thu Feb 21 12:12:13 2013, GROUSSE wrote:
> On Thu Feb 21 10:59:06 2013, GROUSSE wrote:
> > The main difference seems to be that the service is passed as a
> > URL parameter when posting. I'll try to adapt the code myself.
>
> Actually, the issue was due to the lack of cookie support in the agent
> used to retrieve the ticket. You have a pull request on github fixing
> the issue :)

Thanks for the patch. I just tested the code out against my local CAS servers and it appears to be working correctly. I just bundled up a new version with the login ticket support including your patch and uploaded it to CPAN.

Thanks again,
Daniel
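
The two client-side steps this ticket turns on, echoing the login page's 'lt' field in the POST and reading the service ticket from the 302 Location header, as an added example (not code from Authen::CAS::UserAgent, and written in Python rather than Perl). The sample login page, its lt value, the `_eventId` field and all function names are constructed for illustration; the ticket format follows the browser trace above.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample of a CAS login page; the lt value is made up.
LOGIN_HTML = """
<form id="fm1" action="/cas/login?service=http%3A%2F%2Flocalhost%2F" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="lt" value="LT-constructed-0001">
  <input type="hidden" name="_eventId" value="submit">
</form>
"""

class LoginForm(HTMLParser):
    """Collects the form action and every hidden input on the login page."""
    def __init__(self):
        super().__init__()
        self.action, self.hidden = None, {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""

def build_login_post(html, username, password):
    """Return (action, urlencoded body) that echoes the hidden fields, lt included."""
    form = LoginForm()
    form.feed(html)
    if not form.hidden.get("lt"):
        raise ValueError("login page has no 'lt' field to send back")
    fields = dict(form.hidden, username=username, password=password)
    return form.action, urlencode(fields)

def ticket_from_redirect(status, location, service):
    """Return the service ticket from a 302 back to the service, else None."""
    if status != 302 or not location:
        return None  # e.g. 200: the login form was served again
    target, wanted = urlsplit(location), urlsplit(service)
    if target[:3] != wanted[:3]:
        return None  # redirect points somewhere other than the service
    tickets = parse_qs(target.query).get("ticket", [])
    return tickets[0] if len(tickets) == 1 else None
```

As the thread concludes, the agent sending these requests also needs cookie support for the ticket to be retrieved.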