CAS in NAT environment

planocodr

We are using CAS proxy tickets behind a load-balanced NAT where the same service needs to be accessed by different URLs depending on the client service location and other things.  We also want to disable SSL for requests that are solely within the NAT, and the NAT clients can't access the public URLs.

We also wanted to avoid tomcat and CAS session replication due to the increased network traffic and the need to make sessions fully serializable.  

The simplest solution seemed to be to hack the CentralAuthenticationServiceImpl.java in cas-server-core-3.3 to allow a simple map of equivalent URLs (e.g. external to internal, or internal nat1 to internal nat2) to avoid the message "<ServiceTicket [ST-4-gwcOBrQVe3NB6Hb0Yigb-cas] with service [http://localhost:10880/app1/j_acegi_cas_security_check does not match supplied service [https://www.sample.com/app1/j_acegi_cas_security_check]>"

I called this from validateServiceTicket() instead of just comparing ticket service IDs (URLs):

    protected boolean validateTicket(ServiceTicket serviceTicket, Service service) {
        // isValidFor() also updates the ticket's usage/timestamp state, so it still has to be called first.
        if (serviceTicket.isValidFor(service)) {
            return true;
        }
        // Hack to allow more than one URL for a service: accept a configured alias of the issued URL.
        if (serviceTicket instanceof ServiceTicketImpl) {
            return isAlias(serviceTicket.getService().getId(), service.getId());
        }
        return false;
    }

    // One-directional lookup: the system property "casAlias.<issued URL>" names the single
    // URL that may be presented in place of the URL the ticket was issued for.
    protected boolean isAlias(String url1, String url2) {
        String prop = System.getProperty("casAlias." + url1);
        return prop != null && prop.equals(url2);
    }


This seems to work... Any comments on this approach?
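As an added example (not code from the post or from CAS itself), the following stand-alone Java program models the same validation path: exact match against the URL the ticket was issued for, then a lookup in an alias table. The alias table is kept as explicit, symmetric groups rather than one-way system properties, and membership is an exact string comparison, so a ticket issued for one service can never be validated by a different application path or a look-alike host. The class names, the ticket id and every URL other than the two taken from the post's error message are assumptions.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example, not CAS code: a minimal model of service-ticket validation with an
// explicit allow-list of equivalent service URLs. ServiceTicket and Validator are
// hypothetical stand-ins for the CAS classes named in the post.
public class AliasedTicketValidation {

    /** Stand-in for CAS's ServiceTicket: remembers the service URL it was issued for. */
    static final class ServiceTicket {
        final String id;
        final String issuedFor;
        boolean used = false;

        ServiceTicket(String id, String issuedFor) {
            this.id = id;
            this.issuedFor = issuedFor;
        }

        /** Like ServiceTicketImpl.isValidFor: records the use, then compares the service URL exactly. */
        boolean isValidFor(String presented) {
            used = true;
            return issuedFor.equals(presented);
        }
    }

    /** Holds the alias groups; every URL in a group is interchangeable with the others in it. */
    static final class Validator {
        private final Map<String, Set<String>> groupOf = new HashMap<>();

        /** Register a group of equivalent URLs (for example, the public and the NAT-internal form). */
        void addAliasGroup(String... urls) {
            Set<String> group = new HashSet<>(Arrays.asList(urls));
            for (String u : urls) {
                groupOf.put(u, group);
            }
        }

        /** True only if the presented URL is an exact member of the issued URL's group. */
        boolean isAlias(String issued, String presented) {
            Set<String> group = groupOf.get(issued);
            return group != null && group.contains(presented);
        }

        /** Same shape as the post's validateTicket(): exact match first, then the alias table. */
        boolean validateTicket(ServiceTicket ticket, String presented) {
            if (ticket.isValidFor(presented)) {
                return true;
            }
            return isAlias(ticket.issuedFor, presented);
        }
    }

    public static void main(String[] args) {
        Validator v = new Validator();
        // Constructed alias group built from the two URLs quoted in the post's error message.
        v.addAliasGroup("https://www.sample.com/app1/j_acegi_cas_security_check",
                        "http://localhost:10880/app1/j_acegi_cas_security_check");

        // Constructed ticket, issued for the NAT-internal URL.
        ServiceTicket st = new ServiceTicket("ST-example",
                "http://localhost:10880/app1/j_acegi_cas_security_check");

        String[] presented = {
            // the URL the ticket was issued for
            "http://localhost:10880/app1/j_acegi_cas_security_check",
            // the configured public alias of that URL
            "https://www.sample.com/app1/j_acegi_cas_security_check",
            // a different application under the same host: a different service
            "https://www.sample.com/app2/j_acegi_cas_security_check",
            // a look-alike host: membership is exact, never a prefix or substring test
            "https://www.sample.com.example.net/app1/j_acegi_cas_security_check"
        };
        for (String url : presented) {
            System.out.println(v.validateTicket(st, url) + "  " + url);
        }
    }
}
```

The group-based table also removes the ordering problem of a one-way property: whichever member of the group the ticket was issued for, any other member may present it. Keeping the comparison as exact set membership is what preserves the original check's purpose, which is to stop a ticket obtained for one service from being redeemed at another.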