Using CAS SSO behind a reverse proxy providing SSL termination doesn't work correctly

Steps to reproduce

1. Configure CAS SSO within Opencast (using the public https:// URLs provided by the reverse proxy)
2. The SSO login redirects you to the login page; the ticket that gets returned tries to validate
3. Ticket validation error.

Actual Results:

The service URL configured in the config is in the form of https://PUBLIC_URL/... but gets rewritten by the springframework security cas library to https://PUBLIC_URL:80/.... This is the reason the validation fails. Looking at the springframework code, it seems that the library is taking the port from the incoming request, and when it isn't set, sets it to the default port 80.

Expected Results:

Don't touch the configured service URL.

Workaround (if any):

When using Nginx it's possible to add a header including the port:
proxy_set_header Host $host:$server_port;

When using HAProxy with OpenShift we were unable to fix it in a similar fashion. By using the following settings:

http-request set-header Host %[req.hdr(Host)]:%[dst_port]

We were able to get through the login but after login we get redirected to http://PUBLIC_URL:443/... for some unknown reason.
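
The mismatch described in this report, as an added example that is not part of the original report and not Opencast or Spring code: a simplified model in which the port comes from the proxied request's Host header and the CAS server compares service URLs exactly. The hostname, the path and every function name are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample value standing in for https://PUBLIC_URL/...
CONFIGURED_SERVICE = "https://opencast.example.org/sso/callback"


def backend_port(host_header, backend_scheme="http"):
    """Port the backend sees: taken from the Host header if it carries one,
    otherwise the default for the scheme of the proxy-to-backend connection.
    With SSL terminated at the proxy that connection is plain HTTP, so a
    Host header without a port yields 80. (Bracketed IPv6 is not handled.)"""
    _, sep, port = host_header.rpartition(":")
    if sep and port.isdigit():
        return int(port)
    return DEFAULT_PORTS[backend_scheme]


def rewritten_service_url(configured, host_header):
    """Assumed model of the reported behaviour: scheme, host and path stay as
    configured, the port is taken from the request and is left out only when
    it is the default port for the configured scheme."""
    url = urlsplit(configured)
    port = backend_port(host_header)
    netloc = url.hostname
    if port != DEFAULT_PORTS[url.scheme]:
        netloc = f"{url.hostname}:{port}"
    return f"{url.scheme}://{netloc}{url.path}"


def ticket_validates(issued_for, presented):
    """The ticket is issued for one service URL and validation presents
    another; modelled here as an exact string comparison (assumption)."""
    return issued_for == presented


def check(host_header):
    """Return (URL sent at validation, whether it matches the configured one)."""
    sent = rewritten_service_url(CONFIGURED_SERVICE, host_header)
    return sent, ticket_validates(CONFIGURED_SERVICE, sent)


if __name__ == "__main__":
    # Host header as forwarded by default, then with the port appended.
    for host in ("opencast.example.org", "opencast.example.org:443"):
        print(host, "->", check(host))
```
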


Kristof Keppens
May 7, 2019, 6:39 AM

A newer version of the springframework security cas library fixes this issue and negates the need to customize the Nginx reverse proxy and works with the default HAProxy included in OpenShift.

I'll open a pull request with the upgrade from 3.1.4 to 3.1.7. This also includes an upgrade for the cas-client-core from 3.1.12 to 3.3.3.

Using this version seems to have no other side-effects, CAS login works and default login works as well.

Incorrectly Functioning With Workaround
