When trying to directly access a portlet via a deeplink, we get an "HTTP Status 403 - E_SERVICE_MISMATCH" error. This happens when the portlet has permissions such that authentication is required.
On the other hand, if a portlet has permissions such that everyone can access the portlet, the E_SERVICE_MISMATCH error is not thrown.
If you try to hit directly hit something that requires authentication such as http://localhost:8080/uPortal/p/announcementsAdmin
<cas:authenticationFailure code='INVALID_SERVICE'>ticket 'ST-2-INDyzNuiXqIpdSH6MsKP-cas01.example.org' does not match supplied service. The original service was 'http://localhost:8080/uPortal/Login?refUrl=/uPortal/p/announcementsAdmin' and the supplied service was 'http://localhost:8080/uPortal/Login'.</cas:authenticationFailure>
It appears that whatever's building the validation URL isn't using entire URL as it appears that we lose the refUrl param ...
I think it should be using http://localhost:8080/uPortal/Login?refUrl=/uPortal/p/announcementsAdmin as the service, not dropping the refUrl
After doing some comparing with uP 4 I came up with the following solution:
By setting not setting the service to a "hardcoded value" it takes the URL given to it by uP and uses that to generate the desired service parameter. Setting encodeServiceUrl to false prevents the parameter from being encoded thus making CAS happy