After fix in CAS-1065, login form is not shown on error of Spnego

Description

After fix in CAS-1065, login form is not shown on error of Spnego.
Before that fix, if SPNEGO authentication failed, the browser was redirected to the login form. After the fix, the browser just shows the message "This request requires HTTP authentication ()." (401) and is no longer redirected to the login form.

Environment

None

Activity

Marvin Addison
August 23, 2012, 12:47 PM

Can either of you test the fix proposed in and see whether it resolves the issue?

Philippe Marasse
August 30, 2012, 1:09 PM

The end-state view we show in case of failed SPNEGO authentication has a little problem with some of our users with too-big fingers, as some of them noticed one thing:

  • if Kerberos authentication fails, the login form is shown, fine.

  • the user enters a login and a bad password (it happens sometimes...)

  • the next login form does not show any error message!

I think the issue comes from SPNEGO in login-webflow, as I recorded this exchange between the CAS server (S:) and the client's browser (C:):

  • C: GET /cas/login

  • S: 401 Unauthorized (start SPNEGO Negotiation) - and my casNegotiateView

  • C: GET /cas/login with invalid Authorization Header

  • S: 401 (or 200 with fix) show login form

  • C: POST /cas/login with credentials

  • S: login/password is invalid => 401 Unauthorized (start SPNEGO Negotiation) and my casNegotiateView (this one eats error message I suppose)

  • C: GET /cas/login with invalid Authorization Header

  • S: 401 (or 200 with fix) show login form... without error message!

One remark: I think there's no need to retry a failed SPNEGO negotiation. If SPNEGO fails once, and then the login/password does too, skipping another negotiation (and the associated view) will allow the login form to show the error message.

I've successfully tested this modification (the transition "generated" from generateLoginTicket points to hasFailedSpnego instead of startSpnego).
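A simplified model of the exchange recorded in the comment above, added here as an example (it is not CAS code and not part of the original comments). It assumes the error message survives only until the next rendered view and that hasFailedSpnego is a decision state that skips negotiation once it has failed; the `loginForm` label and the function names are hypothetical.

```python
def run_exchange(after_generated):
    """Replay the recorded exchange and return the rendered views.

    after_generated: state that generateLoginTicket's "generated"
    transition points to ("startSpnego" or "hasFailedSpnego").
    Returns a list of (status, view, error_message_shown).
    """
    spnego_failed = False   # set once the browser's Negotiate token is rejected
    pending_error = None    # assumption: consumed by the next rendered view
    trace = []

    def render(status, view):
        nonlocal pending_error
        trace.append((status, view, pending_error))
        pending_error = None  # whichever view renders first "eats" the message

    def enter(state):
        nonlocal spnego_failed
        if state == "hasFailedSpnego":
            # Assumed decision state: negotiate only if it has not failed yet.
            state = "loginForm" if spnego_failed else "startSpnego"
        if state == "startSpnego":
            render(401, "casNegotiateView")  # S: 401, start SPNEGO negotiation
            spnego_failed = True             # C: GET with invalid Authorization header
        render(200, "loginForm")             # S: show login form (200 with the fix)

    enter(after_generated)                   # C: GET /cas/login
    pending_error = "invalid credentials"    # C: POST with a bad password
    enter(after_generated)                   # flow restarts after the failed POST
    return trace


def error_on_final_form(trace):
    """Error message visible on the last login form the user sees."""
    status, view, error = trace[-1]
    return error if view == "loginForm" else None


if __name__ == "__main__":
    for target in ("startSpnego", "hasFailedSpnego"):
        trace = run_exchange(target)
        print(target, "->", trace, "| final error:", error_on_final_form(trace))
```
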

Antoni Alatalo
November 24, 2012, 1:44 PM

Please check for the new proposed solution.

Antoni

Antoni Alatalo
December 7, 2012, 8:35 AM

New solution is sent. See details in

Antoni

John Gasper
September 23, 2013, 2:50 PM

Submitted pull request (https://github.com/Jasig/cas/pull/321) to make optional (invoked by parameter).

Assignee

John Gasper

Reporter

Antoni Alatalo

Labels

None

Estimated End Date

None

Components

Fix versions

Affects versions

Priority

Major