I am using Apereo CAS 6.3.3 generated by the CAS Overlay project. The integration with the application and LDAP is working well, but there are two problems that I have noticed. These problems are random and happen only with 20% of the requests.
1.) If someone directly accesses the CAS log-in page with ?execution=anything, the page shows the following HTTP 500 error: org.springframework.webflow.execution.repository.BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key 'anything', the expected format is '_'
Is there any way the error can be disabled and the page redirected to the application log-in page instead?
2.) Is there any way the too-many-redirects error can be disabled for expired service tickets, so that the end user is redirected to the login page instead of first seeing the error message in the browser?
Thanks.
Applications that integrate with an SSO solution such as CAS do/should not have their own log-in page. After all, that's why they use CAS.
That said, to handle this error, you'll need to modify the CAS login webflow, and have it properly catch this error using what Spring Webflow calls Global Exception Handlers. Only then you can decide how to respond and handle the scenario with bad flow execution states.
Yes. There is.
You need to get the application to respond correctly to failed validation attempts. If it sees a validation failure due to an expired ticket, the application should honor the failure, and ask for a new non-expired service ticket.
You may also need to adjust the service ticket timeout; perhaps there is lag or delay such that the ticket is seen as expired by the time it reaches the application, and is sent back to CAS for validation.
The best way to stop an infinite redirect loop is to stop the entity that is causing or sending those, and correct the mistake rather than hiding it with an error message. That's just an aspirin, and while it helps, it does not treat the underlying problem.
There is no login page, or browser, to redirect to. The failure is the result of a back-channel validation call. There is no browser.
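The second point (honor the validation failure, ask CAS for a fresh service ticket, and stop the redirect loop at the source rather than masking it) is the application's responsibility, not CAS's. The following is an added example of that application-side logic; it is not code from the question, the answer, or the Apereo CAS project. It assumes the CAS 2.0 `/serviceValidate` XML response format, replaces the HTTP call with a caller-supplied `validate` function so it runs offline, and uses constructed sample responses; the `MAX_LOGIN_ATTEMPTS` counter and the `cas_attempts` session key are hypothetical names chosen for the example.

```python
"""Application-side handling of a CAS service-ticket validation result.

Added example (not CAS project code). Shows the two things the answer asks of
the application: honor a validation failure by discarding the stale ticket and
sending the browser back to /login for a new one, and cap the number of
consecutive failures so a misconfigured deployment cannot loop forever.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Namespace used by CAS 2.0/3.0 serviceValidate responses.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample responses (not captured from a real server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

EXPIRED_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-1-constructed' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# Hypothetical limit: how many consecutive failed validations a single session
# may accumulate before the app stops redirecting and surfaces a real error.
MAX_LOGIN_ATTEMPTS = 3


def parse_validation(xml_text):
    """Parse a serviceValidate body into (ok, user_or_failure_code)."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.find("cas:user", CAS_NS)
        return True, user.text.strip()
    failure = root.find("cas:authenticationFailure", CAS_NS)
    code = failure.get("code", "UNKNOWN") if failure is not None else "UNKNOWN"
    return False, code


def handle_request(cas_base, service_url, ticket, validate, session):
    """Decide what the application does for one request that carries a ticket.

    validate: callable(ticket) -> XML text of the back-channel validation call.
    session:  server-side session dict; holds the 'cas_attempts' counter.
    Returns ('ok', user), ('redirect', login_url) or ('error', message).
    """
    ok, value = parse_validation(validate(ticket))
    if ok:
        # A good ticket resets the failure counter.
        session.pop("cas_attempts", None)
        return ("ok", value)

    attempts = session.get("cas_attempts", 0) + 1
    session["cas_attempts"] = attempts
    if attempts > MAX_LOGIN_ATTEMPTS:
        # Loop breaker: repeated failures mean something is misconfigured
        # (clock skew, ticket TTL too short, wrong service URL). Stop bouncing
        # between the app and CAS and report it so the root cause gets fixed.
        return ("error", f"CAS validation failed {attempts} times ({value})")

    # Honor the failure: drop the stale ticket and ask CAS for a fresh one.
    login_url = f"{cas_base}/login?" + urlencode({"service": service_url})
    return ("redirect", login_url)
```

The counter has to live in server-side session state, not in the URL, so that the browser cannot carry an attempt count across the redirect. If the error path is hit regularly, the answer's second suggestion applies: check the service-ticket lifetime on the CAS side (in CAS 6 the property is `cas.ticket.st.time-to-kill-in-seconds`) and clock drift between the application and CAS before raising the limit.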