The server starts normally with the following parameters:
CAS Version: 6.6.7
CAS Branch: 6.6.x
CAS Commit Id: a5c262011e09d45f2438fd27e61eabf14a50960d
CAS Build Date/Time: 2023-03-30T23:36:48Z
Spring Boot Version: 2.7.3
Spring Version: 5.3.22
Java Home: /opt/java/openjdk
Java Vendor: Eclipse Adoptium
Java Version: 11.0.17
JVM Free Memory: 397 MB
JVM Maximum Memory: 1 GB
JVM Total Memory: 775 MB
OS Architecture: aarch64
OS Name: Linux
OS Version: 5.15.49-linuxkit
OS Date/Time: 2023-05-21T16:42:49.557524
OS Temp Directory: /tmp
------------------------------------------------------------
Apache Tomcat Version: Apache Tomcat/9.0.73
------------------------------------------------------------
However, trying to log in to the server produces the following exception:
2023-05-21 16:43:03,193 INFO [org.apereo.cas.web.CasWebApplicationReady] - <>
2023-05-21 16:43:03,193 INFO [org.apereo.cas.web.CasWebApplicationReady] - <Ready to process requests @ [2023-05-21T16:43:03.068Z]>
2023-05-21 16:43:23,105 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [3] service(s) from [JsonServiceRegistry].>
2023-05-21 16:43:33,092 INFO [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired tickets removed.>
2023-05-21 16:43:34,656 WARN [javax.persistence.spi] - <javax.persistence.spi::No valid providers found.>
2023-05-21 16:43:34,673 ERROR [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/].[dispatcherServlet]] - <Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.login.InitialFlowSetupAction@6dcc7696 in state 'null' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause>
java.lang.IllegalArgumentException: An invalid domain [.my-boring-website.com] was specified for this cookie
at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateDomain(Rfc6265CookieProcessor.java:218) ~[tomcat-coyote-9.0.73.jar!/:9.0.73]
at org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:153) ~[tomcat-coyote-9.0.73.jar!/:9.0.73]
at org.apache.catalina.connector.Response.generateCookieString(Response.java:970) ~[tomcat-catalina-9.0.73.jar!/:9.0.73]
at org.apache.catalina.connector.Response.addCookie(Response.java:923) ~[tomcat-catalina-9.0.73.jar!/:9.0.73]
at org.apache.catalina.connector.ResponseFacade.addCookie(ResponseFacade.java:314) ~[tomcat-catalina-9.0.73.jar!/:9.0.73]
at javax.servlet.http.HttpServletResponseWrapper.addCookie(HttpServletResponseWrapper.java:61) ~[javax.servlet-api-4.0.1.jar!/:4.0.1]
at org.springframework.security.web.firewall.FirewalledResponse.addCookie(FirewalledResponse.java:72) ~[spring-security-web-5.7.3.jar!/:5.7.3]
at javax.servlet.http.HttpServletResponseWrapper.addCookie(HttpServletResponseWrapper.java:61) ~[javax.servlet-api-4.0.1.jar!/:4.0.1]
at org.springframework.web.util.CookieGenerator.removeCookie(CookieGenerator.java:222) ~[spring-web-5.3.22.jar!/:5.3.22]
at org.apereo.cas.web.flow.login.InitialFlowSetupAction.clearTicketGrantingCookieFromContext(InitialFlowSetupAction.java:118) ~[cas-server-support-actions-core-6.6.7.jar!/:6.6.7]
at org.apereo.cas.web.flow.login.InitialFlowSetupAction.configureWebflowForTicketGrantingTicket(InitialFlowSetupAction.java:111) ~[cas-server-support-actions-core-6.6.7.jar!/:6.6.7]
at org.apereo.cas.web.flow.login.InitialFlowSetupAction.doExecute(InitialFlowSetupAction.java:91) ~[cas-server-support-actions-core-6.6.7.jar!/:6.6.7]
at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
at org.springframework.webflow.engine.Flow.start(Flow.java:526) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:139) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:264) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1070) ~[spring-webmvc-5.3.22.jar!/:5.3.22]
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963) ~[spring-webmvc-5.3.22.jar!/:5.3.22]
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.3.22.jar!/:5.3.22]
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898) ~[spring-webmvc-5.3.22.jar!/:5.3.22]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:645) ~[javax.servlet-api-4.0.1.jar!/:4.0.1]
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) ~[spring-webmvc-5.3.22.jar!/:5.3.22]
...
This is obviously because the configuration property:
cas.tgc.domain=.my-boring-website.com
is set as specified in the documents:
https://apereo.github.io/cas/6.6.x/authentication/Configuring-SSO.html
but Tomcat does NOT like that because: "How to change Cookie Processor to LegacyCookieProcessor in tomcat 8"
If I change the configuration entry to:
cas.tgc.domain=my-boring-website.com
Notice I removed the leading "." but this prevents me from using SSO.
I know that running an external server will solve this issue by making the modifications suggested in the question for "Cookie Processor to Legacy..." but I really was trying to avoid doing so.
This is also happening in CAS v6.6.6.
Has anyone run into this problem and found a solution using the embedded container?
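
Added example (not part of the original post, and not CAS or Tomcat code): a simplified Python model of how RFC 6265 treats the cookie Domain attribute on both sides, the server-side syntax check that rejects an empty label such as a leading dot, and the user-agent processing that drops a leading dot before domain matching. The host names `cas.my-boring-website.com` and `app.my-boring-website.com` are assumptions; public-suffix and IP-address handling are left out.

```python
import re

# Host-name label (RFC 1123): letters, digits, hyphens; no hyphen at either end.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

def server_accepts_domain(value):
    """Server side (RFC 6265 section 4.1.1): the Domain value must be a plain
    host name, so any empty label (leading, trailing or doubled dot) fails."""
    return bool(value) and all(_LABEL.match(label) for label in value.split("."))

def stored_cookie_domain(attr_value):
    """User-agent side (RFC 6265 section 5.2.3): drop one leading dot, lowercase.
    None means no Domain attribute was sent, i.e. a host-only cookie."""
    if attr_value is None:
        return None
    if attr_value.startswith("."):
        attr_value = attr_value[1:]
    return attr_value.lower()

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: identical, or host ends with '.' + cookie_domain."""
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)

def cookie_sent_to(request_host, setting_host, domain_attr):
    """Would a cookie set by setting_host with this Domain attribute be
    returned on a request to request_host?"""
    stored = stored_cookie_domain(domain_attr)
    if stored is None:
        # Host-only cookie: returned to the exact setting host and nowhere else.
        return request_host.lower() == setting_host.lower()
    if not domain_match(setting_host, stored):
        # The user agent ignores a cookie whose Domain does not cover its setter.
        return False
    return domain_match(request_host, stored)

def demo():
    """Evaluate the page's two cas.tgc.domain values plus the unset case."""
    cas, app = "cas.my-boring-website.com", "app.my-boring-website.com"  # assumed hosts
    rows = {}
    for attr in (".my-boring-website.com", "my-boring-website.com", None):
        accepted = attr is None or server_accepts_domain(attr)
        rows[attr] = (accepted, cookie_sent_to(app, cas, attr))
    return rows

if __name__ == "__main__":
    for attr, (accepted, shared) in demo().items():
        print(f"Domain={attr!r}: server accepts={accepted}, sent to sibling host={shared}")
```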