Bug 749714

Summary: mod_auth_cas infinite redirect loop
Product: [Fedora] Fedora EPEL
Component: mod_auth_cas
Version: el6
Hardware: x86_64
OS: All
Status: CLOSED INSUFFICIENT_DATA
Severity: high
Priority: unspecified
Reporter: William Brown <william>
Assignee: Adam Miller <maxamillion>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: maxamillion, tremble
Doc Type: Bug Fix
Last Closed: 2013-05-10 07:17:16 UTC

Description William Brown 2011-10-28 02:32:23 UTC
Description of problem:

Using mod_auth_cas to protect a directory in Apache. When a CAS ticket is expired due to a hard timeout, an infinite redirect loop occurs.


Version-Release number of selected component (if applicable):

Name        : mod_auth_cas                 Relocations: (not relocatable)
Version     : 1.0.8.1                           Vendor: Fedora Project
Release     : 2.el6                         Build Date: Wed 30 Jun 2010 12:06:41 AM CST
Install Date: Wed 05 Oct 2011 11:21:10 AM CST      Build Host: x86-02.phx2.fedoraproject.org
Group       : System Environment/Daemons    Source RPM: mod_auth_cas-1.0.8.1-2.el6.src.rpm
Size        : 57675                            License: GPLv3+ with exceptions
Signature   : RSA/8, Wed 30 Jun 2010 01:11:05 PM CST, Key ID 3b49df2a0608b895
Packager    : Fedora Project
URL         : http://www.ja-sig.org/wiki/display/CASC/mod_auth_cas
Summary     : Apache 2.0/2.2 compliant module that supports the CASv1 and CASv2 protocols
Description :
mod_auth_cas is an Apache 2.0/2.2 compliant module that supports the CASv1
and CASv2 protocols


Steps to Reproduce:
1. Have a ticket hit the hard timeout of the application session timeout.
2. Attempt to visit a link protected by CAS
  
Actual results:

Infinite redirect loop


Expected results:

User authenticates.


Additional info:

Apache log of redirect in progress, along with offending URLs


[Thu Oct 27 16:32:08 2011] [error] [client 10.0.42.27] MOD_AUTH_CAS: INVALID_TICKET, referer: https://wiki.example.com/its/index.php/Online_Applications_Uplift/Oncall_roster
[Thu Oct 27 16:32:17 2011] [error] [client 10.0.42.27] MOD_AUTH_CAS: INVALID_TICKET, referer: https://wiki.example.com/its/index.php/Online_Applications_Uplift/Oncall_roster
[Thu Oct 27 16:32:20 2011] [error] [client 10.0.42.27] MOD_AUTH_CAS: INVALID_TICKET, referer: https://wiki.example.com/its/index.php/Online_Applications_Uplift/Oncall_roster
[Thu Oct 27 16:32:32 2011] [error] [client 10.0.42.27] MOD_AUTH_CAS: INVALID_TICKET
[Thu Oct 27 16:32:44 2011] [error] [client 10.0.42.27] MOD_AUTH_CAS: INVALID_TICKET
[Thu Oct 27 16:33:04 2011] [error] [client 10.0.42.27] MOD_AUTH_CAS: INVALID_TICKET


10.0.42.27 - - [27/Oct/2011:16:32:03 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:03 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962558-ZETw6mekD9wbfU3JomrT-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:03 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:03 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962559-M01BY0HCvec3kfTpRBEZ-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950210-7bk7XVxXHAmLlOnRgtbO-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950211-vu6XZKfVi7xrOurYQumj-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962560-nbqOriV3aMacKrQfS9QH-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950212-KCPLD6LMzVYN0aSF5HYA-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:05 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950213-cJgTcKrdHj3SjP1a5Cch-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:08 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950213-cJgTcKrdHj3SjP1a5Cch-blitzwing.auth.example.com HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:08 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950215-f9chxxN2MgIxEtcedSoP-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:08 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:08 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962561-DaUDDAra5LheLhTEIB7H-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:08 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:08 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950217-zH7qcXBKx1xgVNYhACU1-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:08 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:09 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950218-YYOltzgdtm9eIU3ffLZo-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:09 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:10 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962562-Y0TsKPkLeOqXIquwCEnq-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:10 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:10 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950220-xtkX9mFCvedwulScHkeg-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:10 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:10 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962563-m4SFW2C7ldGie2bRzzSi-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:17 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962563-m4SFW2C7ldGie2bRzzSi-blurr.auth.example.com HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:17 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962573-tiLcm9A05SiaibSuUfkS-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:17 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:17 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950229-QCmEu5gN97FbNWrEB7an-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:17 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:18 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962575-50qpycqUWcVD1REyIgfS-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:18 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:18 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950231-aeZEguOIGs22RwRJfGex-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:18 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:18 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962577-U0zubyoemyJqeb2bqPA7-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:18 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:18 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950232-UQZOBE5ZNKUBcQdYBU0y-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:18 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:18 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950234-0tEolbVAcDlGNqsCioM5-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:20 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950234-0tEolbVAcDlGNqsCioM5-blitzwing.auth.example.com HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:20 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962581-PXX6614CdOc0DTfb7bFs-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:20 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:21 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962582-0C9dbJf74UBEvGenEez6-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:21 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:21 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962583-70LtCUDdM6pnZqNaYCnC-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:21 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:21 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962584-UXLRebBa4YNU6umMhtyF-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:21 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:21 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950237-GQbdo0YVjWBDOULIfaEs-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:21 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:22 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962585-gLSbCB1gZD7q1vJMiN4l-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:22 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:22 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962586-hUr30J7YTime9Zfjdf1T-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:32 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962586-hUr30J7YTime9Zfjdf1T-blurr.auth.example.com HTTP/1.1" 401 489
10.0.42.27 - - [27/Oct/2011:16:32:32 +1030] "GET /favicon.ico HTTP/1.1" 200 1150
10.0.42.27 - - [27/Oct/2011:16:32:44 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962586-hUr30J7YTime9Zfjdf1T-blurr.auth.example.com HTTP/1.1" 401 489
10.0.42.27 - - [27/Oct/2011:16:32:50 +1030] "GET /its HTTP/1.1" 302 355
10.0.42.27 - username [27/Oct/2011:16:32:56 +1030] "GET /its?ticket=ST-950259-gkJ6Ubevc9Q3MCo034M7-blitzwing.auth.example.com HTTP/1.1" 302 304
10.0.42.27 - username [27/Oct/2011:16:32:56 +1030] "GET /its HTTP/1.1" 301 1



The two CAS servers are clustered, and all sessions and tickets are shared between them. All CAS tickets have been checked to have the correct domain. No SELinux denials have occurred during this time. 

We are willing to help debug and test a potential solution to this issue also.
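
The loop in the access log above has a recognisable shape: the same client presents a fresh `ticket=ST-...` value for the same URL many times within seconds, and every presentation is answered with another 302. The following is an added example, not part of the original report or of mod_auth_cas, that flags this pattern in an Apache access log; the thresholds, function names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl, urlencode

# Apache access-log line in the layout shown in the report.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"GET (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

def parse(line):
    """Return (client, url_without_ticket, ticket, status, time) or None."""
    m = LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m['url'])
    query = parse_qsl(parts.query, keep_blank_values=True)
    ticket = next((v for k, v in query if k == 'ticket'), None)
    rest = urlencode([(k, v) for k, v in query if k != 'ticket'], safe='/')
    base = parts.path + ('?' + rest if rest else '')
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], base, ticket, int(m['status']), ts

def find_ticket_loops(lines, min_tickets=5, window=timedelta(seconds=30)):
    """Map (client, url) -> most distinct tickets answered with 302 in one window.
    min_tickets and window are assumed thresholds, not values from the report."""
    seen = defaultdict(list)
    for ip, base, ticket, status, ts in filter(None, map(parse, lines)):
        if ticket and status == 302:
            seen[(ip, base)].append((ts, ticket))
    loops = {}
    for key, events in seen.items():
        events.sort()
        best = start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({t for _, t in events[start:end + 1]}))
        if best >= min_tickets:
            loops[key] = best
    return loops

# Constructed sample (not the reporter's data): six ticket round trips, then a normal login.
SAMPLE = [
    f'192.0.2.10 - {u} [27/Oct/2011:16:32:{s:02d} +1030] "GET /its/index.php?title=Roster&action=edit{t} HTTP/1.1" 302 {n}'
    for s in range(3, 9)
    for u, t, n in (("-", "", 436), ("username", f"&ticket=ST-{1000 + s}-constructed-cas.example.com", 377))
] + [
    '192.0.2.20 - username [27/Oct/2011:16:40:06 +1030] "GET /its?ticket=ST-2000-constructed-cas.example.com HTTP/1.1" 302 304',
    '192.0.2.20 - username [27/Oct/2011:16:40:06 +1030] "GET /its HTTP/1.1" 301 1',
]
```

A single ticket followed by one redirect to the clean URL is the normal login path, so only repeated distinct tickets for one client and URL are reported.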