
Re: Zimbra and CAS - Issuing multiple tickets and browser gets an error



Yes, we've seen it. It took us quite a while to figure out what was going on.

The problem only happened on Chrome and Safari -- Firefox was fine (can't remember IE). And the reason Firefox kept working is that it ignored a directive coming back from the Proxy that said "don't use keep-alive". Firefox *did* keep the connection to the Proxy open, which is why it worked.

The core cause of the problem is that the CAS client tries to do one final redirect, after CAS authentication completes, back to the original URL with the "ticket=...." attribute stripped off of the URL. But since this happens before Zimbra has set the zmauth token, the proxy server still doesn't know what mailbox server this user is on, so when the new request comes in from the browser, it may send the request to a different mailbox server -- which doesn't know the CAS authentication has happened and sends the user to CAS again. (the reason it doesn't happen with Firefox is because, with keep-alive working, the new request comes back to the same mailbox server because the HTTP connection is still open, so the fact that CAS auth has been done is remembered)

The fix is to modify the parameters that are defined in zimbra.web.xml.in for the CAS client. We added this:

<filter>
  <filter-name>CasValidationFilter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>

  ....

  <!-- Setting redirectAfterValidation to true will cause the cas-client to redirect to preauth.jsp after
  service validation. This causes some browsers (Chrome, Safari) to re-enter Jetty as a new session,
  resulting in the loss of CAS authentication state in the session. -->
  <init-param>
   <param-name>redirectAfterValidation</param-name>
   <param-value>false</param-value>
  </init-param>

</filter>


----- Original Message -----
> I asked this on the cas-users mailing list but thought I'd ask it here
> as well as it may be a Zimbra only issue. For those of you using CAS,
> have you ever seen this behavior? We use Zimbra Proxy in case that
> matters. We just turned CAS on in our production Zimbra environment in
> the last week, so this is pretty new to us.
> 
> 
> A user attempts to browse to the Zimbra web UI, logs in through CAS,
> and gets an error in their browser saying "too many redirects". In the
> CAS logs (Catalina.out) we see that CAS at times is issuing multiple
> service tickets...and it seems to coincide with the user receiving the
> "too many redirects" error. Below is an example, and in this case
> there were at least 8 tickets issued...just showing a few here.
> 
> 2011-10-25 20:39:09,427 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> <AuthenticationHandler:
> org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully
> authenticated the user which provided the following credentials:
> [username: BLAH]>
> 2011-10-25 20:39:09,474 INFO
> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service
> ticket [ST-273941-JcWRA6oSq0m1QthmSTIA-cas] for service
> [https://zimbra.wiu.edu/zimbra/public/preauth.jsp] for user [JA-BLAH]>
> 2011-10-25 20:39:11,183 INFO
> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service
> ticket [ST-273942-dDZQvmp9GjBV1cW9fJmB-cas] for service
> [https://zimbra.wiu.edu/zimbra/public/preauth.jsp] for user [JA-BLAH]>
> 2011-10-25 20:39:12,732 INFO
> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service
> ticket [ST-273943-jQ4lWCvFwz1toe7V1bII-cas] for service
> [https://zimbra.wiu.edu/zimbra/public/preauth.jsp] for user [JA-BLAH]>
> 
> 
> Anyone seen this before or know what may be causing it?
> 
> Thanks,
> Matt

-- 
Steve Hillman                                IT Architect
hillman@sfu.ca                               IT Infrastructure
778-782-3960                                 Simon Fraser University
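The redirect loop Steve describes (CAS client validates the ticket on one mailbox server, redirects to the ticket-less service URL, and the proxy sends that next request to a different mailbox server) can be reproduced with a small model. This is an added example written for this thread, not Zimbra's or the Jasig CAS client's code. It assumes, for simplicity, that the proxy picks mailbox servers round-robin per new connection until a ZM_AUTH_TOKEN cookie exists and then routes by that cookie; the names mbox1/mbox2, the session-ID scheme and the MAX_HOPS limit are hypothetical.

```python
from itertools import cycle

MAX_HOPS = 20  # stand-in for the browser's "too many redirects" limit


class CasServer:
    """CAS server. After the first login the TGT cookie is valid, so each
    redirect back to /login just mints another service ticket (ST)."""

    def __init__(self):
        self.tickets = []

    def grant_ticket(self):
        self.tickets.append(f"ST-{len(self.tickets) + 1}")
        return self.tickets[-1]


class MailboxServer:
    """One Jetty/mailboxd instance with its own in-memory servlet sessions."""

    def __init__(self, name, redirect_after_validation):
        self.name = name
        self.redirect_after_validation = redirect_after_validation
        self.sessions = {}  # JSESSIONID -> session dict (node-local)

    def handle(self, ticket, cookies):
        """Serve GET /zimbra/public/preauth.jsp. Returns 'redirect_cas',
        'redirect_self' or 'ok'."""
        sid = cookies.get("JSESSIONID")
        if sid not in self.sessions:  # unknown here: another node issued it
            sid = f"{self.name}-sess{len(self.sessions) + 1}"
            self.sessions[sid] = {}
            cookies["JSESSIONID"] = sid
        session = self.sessions[sid]
        if ticket is not None:
            # Ticket validation filter: validate the ST and keep the CAS
            # assertion in THIS node's session only.
            session["assertion"] = "validated"
            if self.redirect_after_validation:
                # Default behaviour: 302 back to the service URL minus ticket=
                return "redirect_self"
        if "assertion" not in session:
            # Authentication filter: not authenticated on this node, go to CAS
            return "redirect_cas"
        # preauth.jsp runs and Zimbra issues its auth token; from now on the
        # proxy can route this user to the right mailbox server.
        cookies["ZM_AUTH_TOKEN"] = self.name
        return "ok"


class ZimbraProxy:
    """Routes by ZM_AUTH_TOKEN once it exists; before that picks a node per
    TCP connection. Round-robin (hypothetical) makes the bad case deterministic;
    a real proxy without affinity fails with some probability per lap."""

    def __init__(self, backends, keep_alive):
        self.backends = {b.name: b for b in backends}
        self.next_backend = cycle(backends)
        self.keep_alive = keep_alive
        self.connection = None  # backend the browser's open connection is bound to

    def route(self, cookies):
        token = cookies.get("ZM_AUTH_TOKEN")
        if token in self.backends:
            return self.backends[token]
        if self.keep_alive and self.connection is not None:
            return self.connection  # Firefox case: same TCP connection, same node
        self.connection = next(self.next_backend)
        return self.connection


def login(redirect_after_validation, keep_alive, n_backends=2):
    """Drive one browser through CAS login. Returns (outcome, tickets_granted, hops)."""
    cas = CasServer()
    backends = [MailboxServer(f"mbox{i}", redirect_after_validation)
                for i in range(1, n_backends + 1)]
    proxy = ZimbraProxy(backends, keep_alive)
    cookies, ticket = {}, None
    for hop in range(1, MAX_HOPS + 1):
        action = proxy.route(cookies).handle(ticket, cookies)
        ticket = None
        if action == "ok":
            return "ok", len(cas.tickets), hop
        if action == "redirect_cas":
            ticket = cas.grant_ticket()  # TGT still valid: no password prompt
        # 'redirect_self': browser re-requests preauth.jsp without a ticket
    return "too_many_redirects", len(cas.tickets), MAX_HOPS


if __name__ == "__main__":
    for flag, ka in [(True, False), (True, True), (False, False)]:
        print(f"redirectAfterValidation={flag} keep_alive={ka}: {login(flag, ka)}")
```

With redirectAfterValidation=true and no connection affinity the model never completes and CAS grants one new service ticket per lap, matching the run of ST grants in Matt's log; with keep-alive (the Firefox case) or with redirectAfterValidation=false (the fix above) the login completes after a single ticket.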
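The symptom Matt spotted in catalina.out, several "Granted service ticket" lines for the same user and service within seconds, can be checked for mechanically. The following is an added example, not code from this thread or from CAS: it parses the CAS 3.x INFO line format shown in the quoted log and flags (user, service) pairs that received at least `threshold` tickets inside a `window_seconds` span. The sample log, host name and user names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# "Granted service ticket" line written by org.jasig.cas.CentralAuthenticationServiceImpl
GRANT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) INFO "
    r"\[org\.jasig\.cas\.CentralAuthenticationServiceImpl\] - "
    r"<Granted service ticket \[(?P<ticket>[^\]]+)\] for service "
    r"\[(?P<service>[^\]]+)\] for user \[(?P<user>[^\]]+)\]>$"
)


def parse_grants(lines):
    """Yield (time, user, service, ticket) for each grant line; other lines are skipped."""
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            yield ts, m["user"], m["service"], m["ticket"]


def find_ticket_bursts(lines, window_seconds=30, threshold=3):
    """Return one record per (user, service) that got >= threshold service
    tickets within any window_seconds span. A healthy login grants one ticket;
    a redirect loop grants one per lap, seconds apart."""
    grants = defaultdict(list)
    for ts, user, service, ticket in parse_grants(lines):
        grants[(user, service)].append((ts, ticket))
    bursts = []
    for (user, service), events in grants.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):  # sliding window over sorted grant times
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"user": user, "service": service, "count": count,
                        "first": events[start][0], "last": events[end][0],
                        "tickets": [t for _, t in events[start:end + 1]]}
        if best:
            bursts.append(best)
    return bursts


# Constructed sample: alice is stuck in the loop, bob logs in once, carol re-authenticates
# 14 minutes later (normal). The first line is an unrelated AuthenticationManagerImpl entry.
SAMPLE_LOG = """\
2011-10-25 20:39:09,427 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: alice]>
2011-10-25 20:39:09,474 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1001-aaaa-cas] for service [https://mail.example.edu/zimbra/public/preauth.jsp] for user [alice]>
2011-10-25 20:39:11,183 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1002-bbbb-cas] for service [https://mail.example.edu/zimbra/public/preauth.jsp] for user [alice]>
2011-10-25 20:39:12,732 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1003-cccc-cas] for service [https://mail.example.edu/zimbra/public/preauth.jsp] for user [alice]>
2011-10-25 20:39:14,001 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1004-dddd-cas] for service [https://mail.example.edu/zimbra/public/preauth.jsp] for user [alice]>
2011-10-25 20:40:02,118 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1005-eeee-cas] for service [https://mail.example.edu/zimbra/public/preauth.jsp] for user [bob]>
2011-10-25 20:41:30,500 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1006-ffff-cas] for service [https://mail.example.edu/zimbra/public/preauth.jsp] for user [carol]>
2011-10-25 20:55:31,900 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1007-gggg-cas] for service [https://mail.example.edu/zimbra/public/preauth.jsp] for user [carol]>
"""

if __name__ == "__main__":
    for b in find_ticket_bursts(SAMPLE_LOG.splitlines()):
        print(f"{b['user']} {b['service']}: {b['count']} tickets "
              f"between {b['first']} and {b['last']}: {', '.join(b['tickets'])}")
```

Run it against catalina.out (`find_ticket_bursts(open(path))`) after enabling CAS on a proxied Zimbra deployment; a user showing up here with several tickets seconds apart for preauth.jsp is the redirect loop, and a user with one ticket per login is the expected steady state.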