Bug 749714 - mod_auth_cas infinite redirect loop
Summary: mod_auth_cas infinite redirect loop
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: mod_auth_cas
Version: el6
Hardware: x86_64
OS: All
unspecified
high
Target Milestone: ---
Assignee: Adam Miller
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-10-28 02:32 UTC by William Brown
Modified: 2013-05-10 07:17 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-05-10 07:17:16 UTC
Type: ---



Description William Brown 2011-10-28 02:32:23 UTC
Description of problem:

Using mod_auth_cas to protect a directory in Apache. When a CAS ticket is expired due to hard time out, an infinite redirect loop occurs.


Version-Release number of selected component (if applicable):

Name        : mod_auth_cas                 Relocations: (not relocatable)
Version     : 1.0.8.1                           Vendor: Fedora Project
Release     : 2.el6                         Build Date: Wed 30 Jun 2010 12:06:41 AM CST
Install Date: Wed 05 Oct 2011 11:21:10 AM CST      Build Host: x86-02.phx2.fedoraproject.org
Group       : System Environment/Daemons    Source RPM: mod_auth_cas-1.0.8.1-2.el6.src.rpm
Size        : 57675                            License: GPLv3+ with exceptions
Signature   : RSA/8, Wed 30 Jun 2010 01:11:05 PM CST, Key ID 3b49df2a0608b895
Packager    : Fedora Project
URL         : http://www.ja-sig.org/wiki/display/CASC/mod_auth_cas
Summary     : Apache 2.0/2.2 compliant module that supports the CASv1 and CASv2 protocols
Description :
mod_auth_cas is an Apache 2.0/2.2 compliant module that supports the CASv1
and CASv2 protocols


Steps to Reproduce:
1. Have a ticket hit the hard timeout of the application session timeout.
2. Attempt to visit a link protected by CAS
  
Actual results:

Infinite redirect loop


Expected results:

User authenticates.


Additional info:

Apache log of redirect in progress, along with offending URLs


[Thu Oct 27 16:32:08 2011] [error] [client 10.0.42.27] MOD_AUTH_CAS: INVALID_TICKET, referer: https://wiki.example.com/its/index.php/Online_Applications_Uplift/Oncall_roster
[Thu Oct 27 16:32:17 2011] [error] [client 10.0.42.27] MOD_AUTH_CAS: INVALID_TICKET, referer: https://wiki.example.com/its/index.php/Online_Applications_Uplift/Oncall_roster
[Thu Oct 27 16:32:20 2011] [error] [client 10.0.42.27] MOD_AUTH_CAS: INVALID_TICKET, referer: https://wiki.example.com/its/index.php/Online_Applications_Uplift/Oncall_roster
[Thu Oct 27 16:32:32 2011] [error] [client 10.0.42.27] MOD_AUTH_CAS: INVALID_TICKET
[Thu Oct 27 16:32:44 2011] [error] [client 10.0.42.27] MOD_AUTH_CAS: INVALID_TICKET
[Thu Oct 27 16:33:04 2011] [error] [client 10.0.42.27] MOD_AUTH_CAS: INVALID_TICKET


10.0.42.27 - - [27/Oct/2011:16:32:03 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:03 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962558-ZETw6mekD9wbfU3JomrT-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:03 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:03 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962559-M01BY0HCvec3kfTpRBEZ-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950210-7bk7XVxXHAmLlOnRgtbO-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950211-vu6XZKfVi7xrOurYQumj-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962560-nbqOriV3aMacKrQfS9QH-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950212-KCPLD6LMzVYN0aSF5HYA-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:05 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950213-cJgTcKrdHj3SjP1a5Cch-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:08 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950213-cJgTcKrdHj3SjP1a5Cch-blitzwing.auth.example.com HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:08 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950215-f9chxxN2MgIxEtcedSoP-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:08 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:08 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962561-DaUDDAra5LheLhTEIB7H-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:08 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:08 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950217-zH7qcXBKx1xgVNYhACU1-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:08 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:09 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950218-YYOltzgdtm9eIU3ffLZo-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:09 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:10 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962562-Y0TsKPkLeOqXIquwCEnq-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:10 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:10 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950220-xtkX9mFCvedwulScHkeg-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:10 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:10 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962563-m4SFW2C7ldGie2bRzzSi-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:17 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962563-m4SFW2C7ldGie2bRzzSi-blurr.auth.example.com HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:17 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962573-tiLcm9A05SiaibSuUfkS-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:17 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:17 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950229-QCmEu5gN97FbNWrEB7an-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:17 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:18 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962575-50qpycqUWcVD1REyIgfS-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:18 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:18 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950231-aeZEguOIGs22RwRJfGex-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:18 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:18 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962577-U0zubyoemyJqeb2bqPA7-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:18 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:18 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950232-UQZOBE5ZNKUBcQdYBU0y-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:18 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:18 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950234-0tEolbVAcDlGNqsCioM5-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:20 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950234-0tEolbVAcDlGNqsCioM5-blitzwing.auth.example.com HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:20 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962581-PXX6614CdOc0DTfb7bFs-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:20 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:21 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962582-0C9dbJf74UBEvGenEez6-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:21 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:21 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962583-70LtCUDdM6pnZqNaYCnC-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:21 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:21 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962584-UXLRebBa4YNU6umMhtyF-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:21 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:21 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-950237-GQbdo0YVjWBDOULIfaEs-blitzwing.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:21 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:22 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962585-gLSbCB1gZD7q1vJMiN4l-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:22 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:22 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962586-hUr30J7YTime9Zfjdf1T-blurr.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:32 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962586-hUr30J7YTime9Zfjdf1T-blurr.auth.example.com HTTP/1.1" 401 489
10.0.42.27 - - [27/Oct/2011:16:32:32 +1030] "GET /favicon.ico HTTP/1.1" 200 1150
10.0.42.27 - - [27/Oct/2011:16:32:44 +1030] "GET /its/index.php?title=Online_Applications_Uplift/Oncall_roster&action=edit&ticket=ST-962586-hUr30J7YTime9Zfjdf1T-blurr.auth.example.com HTTP/1.1" 401 489
10.0.42.27 - - [27/Oct/2011:16:32:50 +1030] "GET /its HTTP/1.1" 302 355
10.0.42.27 - username [27/Oct/2011:16:32:56 +1030] "GET /its?ticket=ST-950259-gkJ6Ubevc9Q3MCo034M7-blitzwing.auth.example.com HTTP/1.1" 302 304
10.0.42.27 - username [27/Oct/2011:16:32:56 +1030] "GET /its HTTP/1.1" 301 1



The two CAS servers are clustered, and all sessions and tickets are shared between them. All CAS tickets have been checked to have the correct domain. No SELinux denials have occurred during this time. 

We are willing to help debug and test a potential solution to this issue also.
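
Added example (not part of the original report, and not mod_auth_cas code): a log check that flags the pattern visible in the access log above, where one client presents many distinct service tickets for the same URL within seconds and each is answered with a redirect. The sample lines, the host names cas1/cas2 and the function name find_ticket_loops are constructed for illustration; reading the ticket suffix as the issuing CAS node is an assumption.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the access-log shape shown in the report (not the reporter's data).
SAMPLE = """\
10.0.42.27 - - [27/Oct/2011:16:32:03 +1030] "GET /its/index.php?title=Roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:03 +1030] "GET /its/index.php?title=Roster&action=edit&ticket=ST-101-AAAAAAAAAAAAAAAAAAAA-cas1.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - username [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Roster&action=edit&ticket=ST-201-BBBBBBBBBBBBBBBBBBBB-cas2.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - - [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Roster&action=edit HTTP/1.1" 302 436
10.0.42.27 - username [27/Oct/2011:16:32:04 +1030] "GET /its/index.php?title=Roster&action=edit&ticket=ST-102-CCCCCCCCCCCCCCCCCCCC-cas1.auth.example.com HTTP/1.1" 302 377
10.0.42.27 - username [27/Oct/2011:16:32:05 +1030] "GET /its/index.php?title=Roster&action=edit&ticket=ST-202-DDDDDDDDDDDDDDDDDDDD-cas2.auth.example.com HTTP/1.1" 302 377
10.0.42.99 - - [27/Oct/2011:16:40:00 +1030] "GET /its HTTP/1.1" 302 355
10.0.42.99 - username [27/Oct/2011:16:40:06 +1030] "GET /its?ticket=ST-103-EEEEEEEEEEEEEEEEEEEE-cas1.auth.example.com HTTP/1.1" 302 304
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')
TICKET = re.compile(r'[?&]ticket=(ST-[^&\s]+)')

def find_ticket_loops(log_text, min_tickets=3, window=timedelta(seconds=10)):
    """Flag (client, URL) pairs that presented many distinct service tickets in one window."""
    seen = defaultdict(list)  # (client, URL minus ticket) -> [(time, ticket)]
    for line in log_text.splitlines():
        m = LINE.match(line)
        t = TICKET.search(m.group(3)) if m else None
        if not t or not m.group(4).startswith("3"):
            continue  # only redirected requests that carried a ticket
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        seen[(m.group(1), TICKET.sub("", m.group(3)))].append((when, t.group(1)))
    loops = {}
    for key, events in seen.items():
        events.sort()
        best, start = set(), 0
        for end, (when, _) in enumerate(events):
            while when - events[start][0] > window:
                start += 1  # slide the window forward
            burst = {ticket for _, ticket in events[start:end + 1]}
            best = max(best, burst, key=len)
        if len(best) >= min_tickets:
            # Assumption: the text after the third hyphen names the issuing CAS node.
            nodes = Counter(ticket.split("-", 3)[3] for ticket in best)
            loops[key] = {"tickets": len(best), "issuers": nodes}
    return loops

if __name__ == "__main__":
    for (client, url), hit in find_ticket_loops(SAMPLE).items():
        print(client, url, hit["tickets"], dict(hit["issuers"]))
```

A normal login consumes one ticket per URL, so the single-ticket client in the sample is not flagged; the per-node tally shows whether the burst is spread across cluster members.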

