CAS protocol violation
Voradesh Yenbut
yenbut at cs.washington.edu
Tue Mar 13 13:30:26 EDT 2018
I am not sure if this is relevant.
Anyway, at our site, in order for shibboleth-idp 3.3.1/3.3.2 to work
with mod_auth_cas-1.0.9.1 or mod_auth_cas-1.1 on Fedora systems, a new
"CASBase64.java" was made from "Base64.java" in commons-codec-1.10
with all of its routine names changed from Base64 to CASBase64 and one
base64-encoding character changed as follows:
--- Base64.java 2018-03-13 09:36:34.623321637 -0700
+++ CASBase64.java 2017-03-20 13:44:19.000000000 -0700
@@ -90,8 +90,8 @@
private static final byte[] URL_SAFE_ENCODE_TABLE = {
'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
- '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '-', '_'
+ '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '-', '.'
};
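Review bot: the table on the first changed line keeps the name URL_SAFE_ENCODE_TABLE but no longer emits RFC 4648 base64url, since the 63rd symbol becomes '.' instead of '_'; a standard base64url decoder will reject that output, so every other consumer of these tickets has to carry the same modified class. Suggest either renaming the table (for example CAS_ENCODE_TABLE) or adding a comment directly above it stating that '_' was deliberately replaced by '.', so the deviation is not silently reverted when the class is next regenerated from a newer commons-codec Base64.java.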
@@ -115,7 +115,7 @@
private static final byte[] DECODE_TABLE = {
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, 62, -1, 63, 52, 53, 54,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, 62, 63, 63, 52, 53, 54,
55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, -1, 0, 1, 2, 3, 4,
5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23,
24, 25, -1, -1, -1, -1, 63, -1, 26, 27, 28, 29, 30, 31, 32, 33, 34,
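Review bot: the decoder is now deliberately asymmetric with the encoder and that should be documented in the hunk: the changed row maps index 46 ('.') to 63, while the last context line leaves index 95 ('_') mapped to 63 as well, so both spellings of the 63rd symbol decode to the same value. That is reasonable for accepting tickets issued before the change, but note also that the unchanged entries at index 43 ('+') and index 47 ('/') in the same row mean the decoder accepts standard, non-URL-safe base64 too; a ticket decoder should probably not be that lenient without a comment saying it is intended.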
(I did not see the '_' or '.' character at https://issues.shibboleth.net/jira/browse/IDP-1265.)
The compiled CASBase64.java (CASBase64.class) is added to
commons-codec-1.10.jar, and CASBase64 is used by the following
beans in cas-protocol.xml:
<bean id="CASencodedTicketSealer" lazy-init="true"
      class="net.shibboleth.utilities.java.support.security.DataSealer"
      p:keyStrategy-ref="shibboleth.DataSealerKeyStrategy"
      p:encoder-ref="CASbase64Codec"
      p:decoder-ref="CASbase64Codec" />

<!-- CASBase64 is org.apache.commons.codec.binary.Base64 with the encoding character '_' changed to '.' -->
<bean id="CASbase64Codec" class="org.apache.commons.codec.binary.CASBase64"
      c:lineLength="0"
      c:lineSeparator="#{new byte[] {10} }"
      c:urlSafe="true" />
That seems to have worked until we hit another problem when a large
number of attributes was passed via XML and a buffer in mod_auth_cas
had to be increased.
---
Voradesh Yenbut
Computer Science & Engineering
University of Washington
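As an added example (not code from the post, from Shibboleth or from commons-codec), the following Python models the codec the diff in the post describes: encoding with '.' in place of '_', and decoding that accepts '_', '.', '+' and '/' alike, as the patched DECODE_TABLE does. It assumes, which the post does not state, that the codec omits '=' padding in URL-safe mode. The helper standard_b64url_accepts is hypothetical and exists only to show that a strict RFC 4648 base64url decoder refuses the '.' form, which is why every consumer of these tickets must use the same modified class.

```python
"""Model of the CASBase64 codec described in the post: RFC 4648 base64url
with '_' replaced by '.' when encoding, and both '_' and '.' accepted when
decoding. Added example, not code from the post or from commons-codec."""
import base64
import binascii
import re

# Characters the patched DECODE_TABLE maps to a value: the standard and the
# URL-safe alphabets plus '.', so '+', '/', '-', '_' and '.' are all accepted.
_ACCEPTED = re.compile(r"^[A-Za-z0-9+/\-_.]*$")


def cas_b64_encode(data: bytes) -> str:
    """Encode as the patched URL_SAFE_ENCODE_TABLE would: 62 -> '-', 63 -> '.'.

    Assumption (not stated in the post): commons-codec emits no '=' padding in
    URL-safe mode, so the padding is stripped here as well.
    """
    urlsafe = base64.urlsafe_b64encode(data).decode("ascii")
    return urlsafe.rstrip("=").replace("_", ".")


def cas_b64_decode(text: str) -> bytes:
    """Decode as the patched DECODE_TABLE would.

    '.' and '_' both map to 63, '-' and '+' both map to 62, '/' maps to 63;
    any other character is rejected instead of being silently dropped.
    """
    body = text.rstrip("=")
    if not _ACCEPTED.match(body):
        raise ValueError("character outside the CASBase64 alphabet")
    # Fold the CAS-specific '.' back onto '_', then let the URL-safe decoder
    # handle '-'/'_' (altchars) and the standard '+'/'/' alike.
    padded = body.replace(".", "_") + "=" * (-len(body) % 4)
    try:
        return base64.b64decode(padded, altchars=b"-_")
    except binascii.Error as exc:
        raise ValueError(f"malformed CASBase64 input: {exc}") from exc


def standard_b64url_accepts(text: str) -> bool:
    """Would a strict RFC 4648 base64url decoder accept this string?

    Hypothetical helper: shows that the '.' produced by cas_b64_encode is not
    portable, so anything that is not this patched class refuses such tickets.
    """
    padded = text + "=" * (-len(text) % 4)
    try:
        base64.b64decode(padded, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: three bytes whose sextets are 62, 63, 62, 63, i.e.
    # exactly the two alphabet positions that differ between the tables.
    sample = b"\xfb\xff\xbf"
    cas = cas_b64_encode(sample)                        # '-.-.'
    legacy = base64.urlsafe_b64encode(sample).decode()  # '-_-_'
    print("CASBase64 :", cas, cas_b64_decode(cas) == sample)
    print("base64url :", legacy, cas_b64_decode(legacy) == sample)
    print("strict base64url decoder accepts CAS form:", standard_b64url_accepts(cas))
```

The sample bytes are chosen so that every sextet is 62 or 63, which makes the difference between the two alphabets visible in four characters; a ticket encoded this way round-trips through cas_b64_decode, still decodes in its old '_' spelling, and is rejected by the strict decoder.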