Cas20ProxyReceivingTicketValidationFilter generates E_SERVICE_MISMATCH when deep linking content that requires authentication

Description

When trying to directly access a portlet via a deeplink, we get an "HTTP Status 403 - E_SERVICE_MISMATCH" error. This happens when the portlet has permissions such that authentication is required.

On the other hand, if a portlet has permissions such that everyone can access the portlet, the E_SERVICE_MISMATCH error is not thrown.

If you try to directly hit something that requires authentication such as http://localhost:8080/uPortal/p/announcementsAdmin

 

 <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> 
    <cas:authenticationFailure code='INVALID_SERVICE'>ticket 'ST-2-INDyzNuiXqIpdSH6MsKP-cas01.example.org' does not match supplied service. The original service was 'http://localhost:8080/uPortal/Login?refUrl=/uPortal/p/announcementsAdmin' and the supplied service was 'http://localhost:8080/uPortal/Login'.</cas:authenticationFailure> 
</cas:serviceResponse>

 

It appears that whatever's building the validation URL isn't using the entire URL, as it appears that we lose the refUrl param ...

I think it should be using http://localhost:8080/uPortal/Login?refUrl=/uPortal/p/announcementsAdmin as the service, not dropping the refUrl.

 

After doing some comparing with uP 4 I came up with the following solution: 
https://github.com/jonathanmtran/uPortal/commit/54f59a497d7c6a5abbed3aa631a34a6a8c30f7fa

By not setting the service to a "hardcoded value", it takes the URL given to it by uP and uses that to generate the desired service parameter. Setting encodeServiceUrl to false prevents the parameter from being encoded, thus making CAS happy.

Assignee

Jonathan M. Tran

Reporter

Jonathan M. Tran

Affects versions

5.0.4
5.0.5
5.0.1
5.0.0
5.0.3
5.0.2

Priority

Major
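
The mismatch reported in this issue, modelled as an added example (not uPortal or CAS client code). ToyCas, service_from_request and login_round_trip are hypothetical names; the toy server only mimics the rule that a service ticket validates solely against the exact service URL it was issued for.

```python
from urllib.parse import urlsplit, urlunsplit
import secrets

# URLs taken from the error message in this issue.
DEEP_LINK_LOGIN = "http://localhost:8080/uPortal/Login?refUrl=/uPortal/p/announcementsAdmin"
PLAIN_LOGIN = "http://localhost:8080/uPortal/Login"


class ToyCas:
    """Toy model of service-ticket binding; not a real CAS server."""

    def __init__(self):
        self._tickets = {}

    def issue(self, service):
        # The ticket is bound to the service URL the browser is sent back to.
        ticket = "ST-" + secrets.token_hex(8)
        self._tickets[ticket] = service
        return ticket

    def validate(self, ticket, service):
        original = self._tickets.pop(ticket, None)  # tickets are single use
        if original is None:
            return "INVALID_TICKET"
        # Exact string comparison: a dropped query parameter is a different service.
        return "SUCCESS" if original == service else "INVALID_SERVICE"


def service_from_request(request_url, artifact="ticket"):
    """Rebuild the service URL from the callback request, removing only the
    ticket parameter and leaving every other parameter byte-for-byte intact."""
    parts = urlsplit(request_url)
    kept = [p for p in parts.query.split("&")
            if p and p.split("=", 1)[0] != artifact]
    return urlunsplit(parts._replace(query="&".join(kept)))


def login_round_trip(cas, login_url, fixed_service=None):
    """Issue a ticket for login_url, receive the callback, then validate using
    either a hardcoded service or one derived from the callback URL."""
    ticket = cas.issue(login_url)
    sep = "&" if "?" in login_url else "?"
    callback = f"{login_url}{sep}ticket={ticket}"
    service = fixed_service or service_from_request(callback)
    return cas.validate(ticket, service)
```

When the service is derived from the request like this, the scheme and host should still come from configuration rather than from the request's Host header, so that a client-controlled header cannot change which service the ticket is validated for.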