After further investigation, it affects localhost only because Apache's
UrlValidator considers localhost as invalid by default.
My workaround is to create UrlValidator with the "ALLOW_LOCAL_URLS" option, at
least for development and local testing, and I can use the latest version
7.2.5.
On Friday, 8 August 2025 at 10:40:43 UTC-4 Agus Santosa wrote:
> Thank you for the suggestion, Ray.
> I compared the output between 7.2.3 and 7.2.4 and there's no difference.
>
> I dug into the changelog for 7.2.4 and spotted a change in
> AbstractServiceFactory.java that might be the culprit:
>
> // if (StringUtils.isNotBlank(originalUrl) && originalUrl.startsWith("http") && originalUrl.contains("?")) {
> if (StringUtils.isNotBlank(originalUrl) && SimpleUrlValidator.getInstance().isValid(originalUrl)) {
>
> The commented line was from 7.2.3 and the second line was the newer 7.2.4+.
> I tried again to rebuild with 7.2.5, but this time I have
> AbstractServiceFactory in my overlay and reverted the above line, and it works.
>
> I wonder if any CAS developer lurking around this mailing list could
> comment on this behavior.
>
> On Thursday, 7 August 2025 at 16:29:52 UTC-4 Ray Bon wrote:
>
>> Agus,
>>
>> There may be property changes to check; Property rename or encryption key
>> length changes.
>> ./gradlew exportConfigMetadata
>> Will create config-metadata.properties; you can search for your
>> properties, and in most cases old property descriptions will point to the
>> new property.
>>
>> Ray
>>
>> ------------------------------
>> *From:* [email protected] <[email protected]> on behalf of Agus
>> Santosa <[email protected]>
>> *Sent:* August 7, 2025 09:21
>> *To:* CAS Community <[email protected]>
>> *Cc:* Agus Santosa <[email protected]>
>> *Subject:* [cas-user] Re: SAML2 service 7.1.x and 7.2.x
>>
>> Just to add more information, I downloaded a clean fresh version 7.2.5
>> and set it up without any customization.
>>
>> My JSON service definition is very basic:
>> {
>>   "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>   "serviceId": "test-saml",
>>   "name": "testsamlservice",
>>   "id": 100000999,
>>   "evaluationOrder": 101,
>>   "metadataLocation": "file:/appl/sit/cas7/config/cihiServices/agus_metadata.xml"
>> }
>>
>> I am using the sample application (
>> https://github.com/apereo/saml2-sample-java-webapp) to generate metadata
>> and test it.
>>
>> I have no idea if there's additional configuration needed for v7.2+. I
>> tried 7.3 RC and it behaves the same.
>> I guess I'm sticking with 7.1.x for now until I can figure out the
>> solution.
>>
>>
>> On Wednesday, 6 August 2025 at 10:41:33 UTC-4 Agus Santosa wrote:
>>
>> Hi,
>>
>> Does anyone notice any difference between 7.1.x and 7.2.x in terms of
>> SAML2 service registry?
>> For my case, the same SAML2 service works in 7.1.x, but it is somehow not
>> found/authorized in 7.2.x.
>>
>> This is the log
>> 2025-08-06 10:06:48,023 TRACE
>> [org.apereo.cas.services.mgmt.AbstractServicesManager] - <Service
>> [local-saml-test] is not cached; Searching [JsonServiceRegistry]>
>> 2025-08-06 10:06:48,025 TRACE
>> [org.apereo.cas.support.saml.services.SamlIdPServicesManagerRegisteredServiceLocator]
>>
>> - <Reviewing service attributes
>> [{headers={jakarta.servlet.http.HttpServletRequest.header-host=[localhost:8543],
>>
>> jakarta.servlet.http.HttpServletRequest.header-user-agent=[Mozilla/5.0
>> (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0],
>> jakarta.servlet.http.HttpServletRequest.header-accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8],
>>
>> jakarta.servlet.http.HttpServletRequest.header-accept-language=[en-US,en;q=0.5],
>>
>> jakarta.servlet.http.HttpServletRequest.header-accept-encoding=[gzip,
>> deflate, br, zstd], jakarta.servlet.http.HttpServletRequest.header-referer=[
>> https://localhost:9876/],
>> jakarta.servlet.http.HttpServletRequest.header-connection=[keep-alive],
>> jakarta.servlet.http.HttpServletRequest.header-cookie=[JSESSIONID=4A46B00617D6A13EA14E9F3E74A3D75D;
>>
>> _mkto_trk=id:287-VKI-861&token:_mch-localhost-c73c7200637fdabf3d894f21c3c7ef29;
>>
>> org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en-US],
>> jakarta.servlet.http.HttpServletRequest.header-upgrade-insecure-requests=[1],
>>
>> jakarta.servlet.http.HttpServletRequest.header-sec-fetch-dest=[document],
>> jakarta.servlet.http.HttpServletRequest.header-sec-fetch-mode=[navigate],
>> jakarta.servlet.http.HttpServletRequest.header-sec-fetch-site=[same-site],
>> jakarta.servlet.http.HttpServletRequest.header-priority=[u=0, i]},
>> RelayState=[saml-sp-relay-state], service=[
>> https://localhost:8543/cas/idp/profile/SAML2/Callback?srid=a4g6f37hb5g945je30da1e82j6bh8i7&entityId=local-saml-test],
>>
>> httpRequest={jakarta.servlet.http.HttpServletRequest.httpMethod=[GET],
>> jakarta.servlet.http.HttpServletRequest.requestURL=[
>> https://localhost:8543/cas/login],
>> jakarta.servlet.http.HttpServletRequest.requestURI=[/cas/login],
>> jakarta.servlet.http.HttpServletRequest.requestId=[1],
>> jakarta.servlet.http.HttpServletRequest.contextPath=[/cas],
>> jakarta.servlet.http.HttpServletRequest.localeName=[kubernetes.docker.internal]},
>>
>> cookies={jakarta.servlet.http.HttpServletRequest.cookie-JSESSIONID=[4A46B00617D6A13EA14E9F3E74A3D75D],
>>
>> jakarta.servlet.http.HttpServletRequest.cookie-_mkto_trk=[id:287-VKI-861&token:_mch-localhost-c73c7200637fdabf3d894f21c3c7ef29],
>>
>> jakarta.servlet.http.HttpServletRequest.cookie-org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=[en-US]},
>>
>> org.apereo.cas.authentication.principal.Service=[
>> https://localhost:8543/cas/idp/profile/SAML2/Callback?srid=a4g6f37hb5g945je30da1e82j6bh8i7&entityId=local-saml-test]}]
>>
>> for service id [local-saml-test] to match registered service
>> [localsamltest]>
>> 2025-08-06 10:06:48,026 TRACE
>> [org.apereo.cas.services.mgmt.AbstractServicesManager] - <No service
>> definition was provided>
>> 2025-08-06 10:06:48,055 WARN
>> [org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter]
>>
>> - <Service [AbstractWebApplicationService(id=local-saml-test,
>> originalUrl=local-saml-test, artifactId=null, principal=null,
>> source=service, tenant=null, loggedOutAlready=false, format=XML,
>> attributes={headers={jakarta.servlet.http.HttpServletRequest.header-host=[localhost:8543],
>>
>> jakarta.servlet.http.HttpServletRequest.header-user-agent=[Mozilla/5.0
>> (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0],
>> jakarta.servlet.http.HttpServletRequest.header-accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8],
>>
>> jakarta.servlet.http.HttpServletRequest.header-accept-language=[en-US,en;q=0.5],
>>
>> jakarta.servlet.http.HttpServletRequest.header-accept-encoding=[gzip,
>> deflate, br, zstd], jakarta.servlet.http.HttpServletRequest.header-referer=[
>> https://localhost:9876/],
>> jakarta.servlet.http.HttpServletRequest.header-connection=[keep-alive],
>> jakarta.servlet.http.HttpServletRequest.header-cookie=[JSESSIONID=4A46B00617D6A13EA14E9F3E74A3D75D;
>>
>> _mkto_trk=id:287-VKI-861&token:_mch-localhost-c73c7200637fdabf3d894f21c3c7ef29;
>>
>> org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en-US],
>> jakarta.servlet.http.HttpServletRequest.header-upgrade-insecure-requests=[1],
>>
>> jakarta.servlet.http.HttpServletRequest.header-sec-fetch-dest=[document],
>> jakarta.servlet.http.HttpServletRequest.header-sec-fetch-mode=[navigate],
>> jakarta.servlet.http.HttpServletRequest.header-sec-fetch-site=[same-site],
>> jakarta.servlet.http.HttpServletRequest.header-priority=[u=0, i]},
>> RelayState=[saml-sp-relay-state], service=[
>> https://localhost:8543/cas/idp/profile/SAML2/Callback?srid=a4g6f37hb5g945je30da1e82j6bh8i7&entityId=local-saml-test],
>>
>> httpRequest={jakarta.servlet.http.HttpServletRequest.httpMethod=[GET],
>> jakarta.servlet.http.HttpServletRequest.requestURL=[
>> https://localhost:8543/cas/login],
>> jakarta.servlet.http.HttpServletRequest.requestURI=[/cas/login],
>> jakarta.servlet.http.HttpServletRequest.requestId=[1],
>> jakarta.servlet.http.HttpServletRequest.contextPath=[/cas],
>> jakarta.servlet.http.HttpServletRequest.localeName=[kubernetes.docker.internal]},
>>
>> cookies={jakarta.servlet.http.HttpServletRequest.cookie-JSESSIONID=[4A46B00617D6A13EA14E9F3E74A3D75D],
>>
>> jakarta.servlet.http.HttpServletRequest.cookie-_mkto_trk=[id:287-VKI-861&token:_mch-localhost-c73c7200637fdabf3d894f21c3c7ef29],
>>
>> jakarta.servlet.http.HttpServletRequest.cookie-org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=[en-US]},
>>
>> org.apereo.cas.authentication.principal.Service=[
>> https://localhost:8543/cas/idp/profile/SAML2/Callback?srid=a4g6f37hb5g945je30da1e82j6bh8i7&entityId=local-saml-test]})]
>>
>> is not authorized>
>>
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/dc9b98ad-3f4d-4b5d-9fc9-59efaa584edan%40apereo.org
>>
>
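
The behaviour described at the top of this thread, as an added example that is not part of the original messages and is not CAS code: it calls Apache Commons Validator's `UrlValidator` directly (CAS's `SimpleUrlValidator` wrapper is not reproduced) and compares the 7.2.3-style check quoted above with default and `ALLOW_LOCAL_URLS` validation. The class name, the `validatorFor` helper and the sample URLs are assumptions made for illustration; `commons-validator` must be on the classpath.

```java
import org.apache.commons.validator.routines.UrlValidator;

import java.util.List;

public class LocalUrlValidationDemo {

    // The 7.2.3 condition quoted in the thread, with plain String methods
    // standing in for StringUtils.isNotBlank.
    static boolean legacyCheck(String url) {
        return url != null && !url.isBlank()
            && url.startsWith("http") && url.contains("?");
    }

    // Hypothetical helper: relax host validation only when the caller
    // explicitly opts in (development and local testing).
    static UrlValidator validatorFor(boolean allowLocal) {
        String[] schemes = {"http", "https"};
        return allowLocal
            ? new UrlValidator(schemes, UrlValidator.ALLOW_LOCAL_URLS)
            : new UrlValidator(schemes);
    }

    public static void main(String[] args) {
        UrlValidator strict = validatorFor(false);
        UrlValidator local = validatorFor(true);

        List<String> samples = List.of(
            // Callback URL shape from the log in this thread (srid is constructed).
            "https://localhost:8543/cas/idp/profile/SAML2/Callback?srid=abc123&entityId=local-saml-test",
            // Constructed equivalent on a fully qualified public hostname.
            "https://cas.example.org/cas/idp/profile/SAML2/Callback?srid=abc123&entityId=local-saml-test",
            // Constructed single-label hostname, to show what else the option affects.
            "https://intranet/cas/idp/profile/SAML2/Callback?srid=abc123&entityId=local-saml-test",
            // Bare entity ID, as in originalUrl=local-saml-test in the WARN line.
            "local-saml-test");

        // One row per sample: result of each check, then the input.
        for (String url : samples) {
            System.out.printf("legacy=%-5b strict=%-5b allowLocal=%-5b %s%n",
                legacyCheck(url), strict.isValid(url), local.isValid(url), url);
        }
    }
}
```

`ALLOW_LOCAL_URLS` relaxes host validation for more than `localhost` (unqualified single-label hostnames also pass), so scope it to development and local-test configuration.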