Hi, I originally posted this to https://groups.google.com/a/apereo.org/g/cas-user/c/sQeZD0NV4jw, but apparently quite a different problem was reported there...
So, I discovered an error present since CAS *6.5.0*, which happens when calling the REST service "/cas/v1/tickets/{TGT}" and passing it a "service" which is not matched against any service registered in the given CAS instance.

*Expected behavior*: error "403 Forbidden" is returned - analogous to when an authenticated user tries to access "/cas/login?service=<not-registered-service>" (in that case, the problem is caught early on - in *org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter.prepareFilterBeforeExecution()* - apparently a filter which is not used for REST services).

*Actual behavior*: error "500 Internal Server Error" is returned, caused by a *NullPointerException* from *ensureServiceSsoAccessIsAllowed()*, called from *grantServiceTicket()*.

This problem seems to be *caused* by this commit <https://github.com/apereo/cas/commit/ba0929c6ab3147236ddf91b784127ebad6823748>, where inside *grantServiceTicket()* a call to *enforceRegisteredServiceAccess()* (which basically includes checking that "registeredService" is found) was replaced by a *"too late"* call to an overloaded variant of this method.

Can the CAS authors please confirm this and suggest a solution? From a quick analysis of the code, I guess it could be solved either by adding a null check into *ensureServiceSsoAccessIsAllowed()*, or by restoring the original call to *enforceRegisteredServiceAccess()*, but I'm not sure without a deeper investigation of the CAS code. (For example, I would expect *grantServiceTicket()* to be structurally similar to *grantProxyTicket()*, but it isn't, and I have no clue why.)
(I also wonder, possibly a topic for another thread, provided that I read it correctly, whether it is really correct that *enforceRegisteredServiceAccess()* can currently NOT throw an exception even when passed a registeredService equal to null (see the checks, including calling a Groovy script, here <https://github.com/apereo/cas/blob/v6.6.4/core/cas-server-core-services-api/src/main/java/org/apereo/cas/services/RegisteredServiceAccessStrategyAuditableEnforcer.java#L186>). In previous versions, there was a simple null check first and only then all other checks, which makes more sense to me, because follow-up code, like that inside *grantServiceTicket()*, seems to expect registeredService to be non-null anyway.)
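The following script reproduces the exchange the report describes against a running CAS instance, as an added example that is not part of the original post or of the CAS project: it obtains a TGT through the REST protocol (POST /v1/tickets with username and password, which answers 201 Created with the TGT in the Location header), then asks for a service ticket (POST /v1/tickets/{TGT} with a service parameter) for a URL that is deliberately absent from the service registry, and classifies the HTTP status. The CAS base URL, the test account and the unregistered service URL are assumptions to be adjusted; the 403/500/200 classification follows the expected and actual behavior stated above.

```python
"""Reproduce the unregistered-service REST report against a live CAS server.

Added example; not code from the original post or from the CAS project.
Assumptions: a CAS server at CAS_BASE with the REST protocol enabled, a
test account (USERNAME/PASSWORD), and a service URL that is NOT in the
CAS service registry (UNREGISTERED_SERVICE).
"""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from email.message import Message
from typing import Dict, Tuple

CAS_BASE = "https://cas.example.org/cas"                      # assumption
USERNAME, PASSWORD = "casuser", "Mellon"                      # assumption: test account
UNREGISTERED_SERVICE = "https://not-registered.example.org/"  # assumption: not in registry

# CAS ticket-granting ticket ids look like TGT-<counter>-<random>-<node>.
TGT_RE = re.compile(r"(TGT-[^/\s]+)")


def parse_tgt_location(location: str) -> str:
    """Extract the TGT id from the Location header returned on 201 Created."""
    match = TGT_RE.search(location)
    if not match:
        raise ValueError(f"no TGT found in Location header: {location!r}")
    return match.group(1)


def classify_service_ticket_status(status: int) -> str:
    """Interpret the status of POST /v1/tickets/{TGT} for an unregistered service.

    403 is the behavior the report expects; 500 is the NullPointerException
    path it describes; 200 would mean a ticket was issued for a service that
    is not in the registry, which is an authorization problem in its own right.
    """
    if status == 403:
        return "expected: unregistered service rejected with 403"
    if status == 500:
        return "bug reproduced: 500 Internal Server Error instead of 403"
    if status == 200:
        return "unexpected: service ticket issued for an unregistered service"
    return f"unexpected status {status}"


def post_form(url: str, fields: Dict[str, str]) -> Tuple[int, Message, str]:
    """POST url-encoded form fields; return (status, headers, body) even on 4xx/5xx."""
    data = urllib.parse.urlencode(fields).encode()
    request = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return response.status, response.headers, response.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read().decode()


def main() -> int:
    # Step 1: authenticate and obtain a TGT.
    status, headers, body = post_form(
        f"{CAS_BASE}/v1/tickets", {"username": USERNAME, "password": PASSWORD}
    )
    if status != 201:
        print(f"TGT request failed: HTTP {status}: {body[:200]}")
        return 1
    tgt = parse_tgt_location(headers.get("Location", ""))  # header lookup is case-insensitive

    # Step 2: request a service ticket for a service that is not registered.
    status, _, body = post_form(f"{CAS_BASE}/v1/tickets/{tgt}", {"service": UNREGISTERED_SERVICE})
    print(f"HTTP {status}: {classify_service_ticket_status(status)}")
    if body:
        print(body[:300])
    return 0 if status == 403 else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it against a test instance only: the exit status is 0 when the server answers 403 as expected and non-zero otherwise, so it can double as a regression check once a fix is in place.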