Search code examples
springsingle-sign-oncasjasig

CAS server cross subdomain ST ticket

I have own Jasig CAS server:

https://cas.example.com

Also, I have two subdomains(applications) connected to this CAS server, for example:

https://ui.example.com
https://api.example.com

I can successfully create ST ticket for https://ui.example.com with a following request:

https://cas.example.com/login?service=https://ui.example.com

response:

https://cas.example.com/?ticket=ST-5-p5rVK3OWBKPzwAAZteNw-cas.example.com/

but I'm unable to use this ticket for https://api.example.com

https://api.example.com/api/v1.0/account?ticket=ST-5-p5rVK3OWBKPzwAAZteNw-cas.example.com

with a following error:

access to this resource is forbidden","errors":[{"field":"BadCredentialsException","message":"\n            Ticket \u0027ST-5-p5rVK3OWBKPzwAAZteNw-cas-dev.cfwdev.com\u0027 does not match supplied service. The original service was \u0027https://ui.example.com/\u0027 and the supplied service was \u0027https://api.example.com/api/v1.0/account

This is my service configuration:

{
  "@class" : "org.jasig.cas.services.RegexRegisteredService",
  "serviceId" : "^(http?|https?)://.*example.com/.*",
  "name" : "example.com dev
  "theme" : example
  "id" : 20000002,
  "description" : "example.com dev environment",
  "proxyPolicy" : {
    "@class" : "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern" : "^(http?|https?)://.*example.com/.*"
  },
  "evaluationOrder" : 2,
  "usernameAttributeProvider" : {
    "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
  },
  "logoutType" : "BACK_CHANNEL",
  "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
    },
    "authorizedToReleaseCredentialPassword" : false,
    "authorizedToReleaseProxyGrantingTicket" : false
  },
  "accessStrategy" : {
    "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  }
}

Is it possible to issue one ST ticket that will be accepted by both of these subdomains https://ui.example.com and https://api.example.com ?

Solution

  • It is impossible with Jasig CAS