I have a REST API in my web application where I get a CAS ticket generated by another webapp.
That webapp internally uses Cas20ProxyTicketValidator to validate the ticket. Therefore, I also use Cas20ProxyTicketValidator in my custom filter to validate the ticket.
But it always gives me the following error:
ticket = ST-148008-jWXKeEdHkxmuktvYqXF6-cas
org.jasig.cas.client.validation.TicketValidationException: ticket 'ST-148008-jWXKeEdHkxmuktvYqXF6-cas' not recognized
    at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:86)
    at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:217)
Why is my ticket not recognized?
The way that CAS validates tickets is:
- Your client (or the other web app) requests a ticket from the relay server for a particular service, for example http%3A%2F%2Fwww.mywebapp.com
- The CAS server generates a row that stores the user's ssoguid, the service and the ticket. It returns the ticket to the client (or other web app).
- The client (or other webapp) sends the ticket to your server.
- Your server then sends a request to the serviceValidate endpoint of the CAS server with the ticket and the service, http%3A%2F%2Fmywebapp.com
- The CAS server uses the ticket and service pair to find the row it generated. If it finds the row it: a) checks to see if the service is real by sending a request to that URL, b) deletes the row to invalidate the ticket after this validation check, c) returns the user attached to the ticket to your server. Now the ticket cannot be validated again.
The problem you are experiencing could arise for several reasons:
- The ticket has already been validated (I don't think that is the case for you).
- The service you send when generating the ticket is different from the service you send to the serviceValidate endpoint (they have to be identical). (I would guess that this is the problem you are experiencing, especially if another webapp generated the ticket. The CAS server would have http%3A%2F%2Fotherwebapp.com on file but would be trying to find a row with http%3A%2F%2Fmywebapp.com, which doesn't exist because you didn't create it.)
- The service sent cannot be contacted by the relay server (I'm not exactly sure of the details about how this works or exactly when the check is done, but it is recommended that you use a service that can be contacted).
In my case, the ticket was expiring before validation. The default expiry of a service ticket is 10s.
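The ticket lifecycle described in the first answer (a ticket bound to one service, deleted on validation) and the 10 s expiry noted in the last answer, as an added Python model that is not code from the CAS server or the Jasig client. It follows the CAS 2.0 serviceValidate response format and the protocol's two failure codes: INVALID_TICKET for an unknown, consumed or expired ticket, and INVALID_SERVICE when the ticket is valid but bound to a different service (the protocol invalidates the ticket in that case too). The in-memory registry, the message texts, the injectable clock and the TicketValidationException class are assumptions made for the example:

```python
# Constructed model of the CAS 2.0 service-ticket lifecycle. Not CAS or Jasig client code;
# registry, clock, messages and the exception class are assumptions for illustration.
import secrets
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"
TICKET_TTL_SECONDS = 10.0  # default service-ticket lifetime quoted in the last answer


def _response(body: str) -> str:
    return f'<cas:serviceResponse xmlns:cas="{CAS_NS}">{body}</cas:serviceResponse>'


def _failure(code: str, message: str) -> str:
    return _response(f'<cas:authenticationFailure code="{code}">{escape(message)}</cas:authenticationFailure>')


def _success(user: str) -> str:
    return _response(f"<cas:authenticationSuccess><cas:user>{escape(user)}</cas:user></cas:authenticationSuccess>")


class CasServer:
    """Server side: one row per ticket, bound to a single service and usable once."""

    def __init__(self, now):
        self._now = now      # injectable clock in seconds, so expiry can be shown offline
        self._tickets = {}   # ticket id -> (user, service, issued_at)

    def issue_service_ticket(self, user: str, service: str) -> str:
        # The row is bound to the service URL presented at login (the decoded form of the
        # URL-encoded "service" parameter); this exact string must come back at validation.
        ticket = "ST-" + secrets.token_urlsafe(18) + "-cas"
        self._tickets[ticket] = (user, service, self._now())
        return ticket

    def service_validate(self, ticket: str, service: str) -> str:
        """Answer /serviceValidate. Every lookup consumes the ticket, so a retry never succeeds."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            # unknown, already consumed, or removed after expiry: the client sees "not recognized"
            return _failure("INVALID_TICKET", f"ticket '{ticket}' not recognized")
        user, bound_service, issued_at = entry
        if self._now() - issued_at > TICKET_TTL_SECONDS:
            return _failure("INVALID_TICKET", f"ticket '{ticket}' not recognized")
        if bound_service != service:
            # exact comparison: http://www.mywebapp.com and http://mywebapp.com are different services
            return _failure("INVALID_SERVICE", f"ticket '{ticket}' does not match service '{service}'")
        return _success(user)


class TicketValidationException(Exception):
    """Stand-in for the Java client's TicketValidationException (name reused, not its code)."""


def parse_validation_response(xml_text: str) -> str:
    """Client side: return the authenticated user, or raise carrying the server's failure code and text."""
    root = ET.fromstring(xml_text)
    user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
    if user is not None and user.text:
        return user.text
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    if failure is None:
        raise TicketValidationException("MALFORMED: no authenticationSuccess or authenticationFailure element")
    raise TicketValidationException(f"{failure.get('code', 'UNKNOWN')}: {(failure.text or '').strip()}")


def run_scenarios() -> dict:
    """Exercise the outcomes discussed above; returns {scenario: 'OK user=...' or 'FAIL <code>'}."""
    clock = {"t": 0.0}
    server = CasServer(lambda: clock["t"])
    results = {}

    def attempt(name: str, ticket: str, service: str) -> None:
        try:
            results[name] = "OK user=" + parse_validation_response(server.service_validate(ticket, service))
        except TicketValidationException as exc:
            results[name] = "FAIL " + str(exc).split(":", 1)[0]

    mine, other = "http://mywebapp.com", "http://otherwebapp.com"

    t1 = server.issue_service_ticket("alice", mine)
    attempt("valid", t1, mine)                  # fresh ticket, matching service
    attempt("replay", t1, mine)                 # same ticket again: row already deleted

    t2 = server.issue_service_ticket("alice", other)   # ticket minted for the other webapp
    attempt("wrong_service", t2, mine)          # service mismatch (and the ticket is burned)
    attempt("wrong_service_retry", t2, other)   # even the right service fails now

    t3 = server.issue_service_ticket("alice", mine)
    clock["t"] += TICKET_TTL_SECONDS + 1        # validate too late
    attempt("expired", t3, mine)
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:20s} {outcome}")
```

Running it prints one line per scenario. The point worth noting for the question above: a plain service mismatch is reported by a CAS 2.0 server as INVALID_SERVICE rather than "not recognized", but that attempt still consumes the ticket, so any retry afterwards (and any validation of a ticket older than the 10 s lifetime, or one the other webapp already validated with its own Cas20ProxyTicketValidator) comes back as INVALID_TICKET, which is the text the Jasig client surfaces in the exception.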