CAS protocol violation
Andrew Morgan
morgan at orst.edu
Mon Mar 12 17:54:36 EDT 2018
On Mon, 12 Mar 2018, Marvin Addison wrote:
> On Mon, Mar 12, 2018 at 4:51 PM Andrew Morgan <morgan at orst.edu> wrote:
>
>> It appears that Shibboleth v3.3.1 does not generate Service Tickets that
>> are compliant with the CAS Protocol specification....
>>
>> https://apereo.github.io/cas/development/protocol/CAS-Protocol-Specification.html#37-ticket-and-ticket-granting-cookie-character-set
>
>
> The IdP CAS protocol support targets the v2 specification [1] that puts no
> restrictions on ticket entity character sets.
>
>> This issue was also identified in
>> https://github.com/apereo/mod_auth_cas/issues/134
>
>
> Did you try Dave's patch? I'm pretty sure the issue is "fixed" but we're
> waiting for some positive feedback before merging his patch. Your feedback
> would be helpful to moving it along.
>
> Personally, I'm not too keen on trying to make the EncodingTicketService
> compatible with such a restrictive character set as defined in the v3
> protocol spec. I suppose we don't _have_ to use a baseN encoding scheme,
> but it's a justifiable choice that is non-compliant due to the '=' padding
> character.

I haven't tried the patch myself. My use of mod_auth_cas is v1.0.9.1 in
Debian 8. It looks like I'll have this same problem in Debian 9 though.
One of our departments on campus is using mod_auth_cas v1.1 and ran into
this problem.

At first, I thought this was a new restriction in v3 of the protocol too.
However, take a look at section 3.7 of the v2 spec... Same character
class restriction.

Given the character class restriction, I wonder if the patch will ever be
accepted into mod_auth_cas. :/

Andy
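
The character-set point discussed in this thread, as an added example that is not part of the original messages and is not code from mod_auth_cas or the Shibboleth IdP: a Python check of tickets against the section 3.7 set (A-Z, a-z, 0-9 and '-'), run over one constructed payload under several encodings. The payload, the function names and the choice of encodings are assumptions made for illustration.

```python
import base64
import re

# Section 3.7 of the CAS protocol spec limits tickets to A-Z, a-z, 0-9 and '-'.
ALLOWED_CHAR = re.compile(r"[A-Za-z0-9-]")

# Constructed 4-byte payload (not a real ticket body); chosen so that base64
# emits '+' and '/' and both base64 and base32 need '=' padding.
SAMPLE_PAYLOAD = b"\xfb\xff\xfei"


def offending_chars(ticket):
    """Return the sorted list of distinct characters outside the allowed set."""
    return sorted({c for c in ticket if not ALLOWED_CHAR.fullmatch(c)})


def is_compliant(ticket):
    """True when the ticket is non-empty and uses only allowed characters."""
    return bool(ticket) and not offending_chars(ticket)


def candidate_tickets(payload):
    """Build hypothetical 'ST-' tickets from one payload under several encodings."""
    b32 = base64.b32encode(payload).decode("ascii")
    encodings = {
        "base64": base64.b64encode(payload).decode("ascii"),
        "base64url": base64.urlsafe_b64encode(payload).decode("ascii"),
        "base32": b32,
        "base32-unpadded": b32.rstrip("="),
        "hex": payload.hex(),
    }
    return {name: "ST-" + body for name, body in encodings.items()}


def audit(payload):
    """Map each encoding name to the characters a strict client would reject."""
    return {name: offending_chars(t) for name, t in candidate_tickets(payload).items()}


if __name__ == "__main__":
    for name, ticket in candidate_tickets(SAMPLE_PAYLOAD).items():
        bad = offending_chars(ticket)
        print(f"{name:16} {ticket:14} {'ok' if not bad else 'rejects ' + ''.join(bad)}")
```

Only the unpadded base32 and hex forms pass; the URL-safe base64 alphabet still fails because of '_' as well as '='.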