Permanent links don't work with CAS Authentication ?


We trying to use permanent link like this one “http://localhost/nuxeo/nxdoc/default/5e84c7a3-e40c-4152-9497-b0cfdb916a6a/view_documents” to access document on a “nuxeo-cap-5.6-tomcat” server, with HF15 and DM add-on.

We first test this possibility with a default authentification: it works as expected (direct access).

But, we need use CAS authentication and in this case, the permanent link doesn't work anymore … It's for us an important issue because we need direct acces on task (workflow context) send via email to our users.

Is it a known problem ?

We've done tests on two differents “Centos (5.9 and 6.4)” servers:

  • In both case:

    • a first direct access doesn't work. The return URL from CAS is wrong: the path to the document is missing.
  • On one server (Centos 6.4, nuxeo-5.6-HF10), after a first connection and deconnection (without removing JSESSION cookie) to the plateform, the direct access on a document works even with a CAS access for authentication (the return URL is correct). No error message are seen (with a default log4j configuration).

  • On the other one (Centos 5.9, nuxeo-5.6-HF15), an access after a first connection and deconnection (without removing JSESSION cookie) doesn't work and an error message is sent in the log:

    2013-04-25 14:26:49,819 ERROR [org.nuxeo.ecm.core.api.CoreSession] Permission 'Read' is not granted to 'invite' on document /default-domain/workspaces/niv2/dd (5e84c7a3-e40c-4152-9497-b0cfdb916a6a - Folder)
    2013-04-25 14:26:49,821 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/nuxeo]] L'écouteur d'évènement de session (session event listener) a généré une exception java.lang.IllegalStateException: Please end the HttpSession via org.jboss.seam.web.Session.instance().invalidate()
    at org.jboss.seam.contexts.Lifecycle.endSession(

    Thanks for your help

1 votes

0 answers



We just try nuxeo5.6-HF15 on a Ubuntu 11.10 machine and we got the same result than with the Centos 5.9, nuxeo-5.6-HF15 version: . permanent link doesn't work; after CAS authentification, we reach the same page as with a connection to the plateform "http://localhost/nuxeo".


Sorry that I don't have any hint to help you solve this, but I've tested against a 5.6-HF15 with CAS authentication and permanent links do work correctly on this version.



Thank for the replay. It was on a CentOS server?


No, it's (i don't know which version)

I thought about the nuxeo server. When we arrived on the "CAS authentification page", we have already lost part of the return URL, so after connection, we are on the home page and not on the document page. After this first connection, the permanent link work until deconnexion.

Did you try with the delete of nuxeo cookies before go to a document directly with its permanent link (and then reconnect)?



I think it's more a nuxeo problem as the URL used to go to the CAS server for authentication, is a truncated URL. It's sound like the already resolved NXP-5593 problem (CAS Authentication should redirect to the requested URL) as far as I understand the description. But we are on a 5.6 nuxeo server and not on an unpatched 5.3 or 5.4.1…

I've tested this and it works correctly, the URL does not get truncated and after logging in on CAS I'm redirected to the correct page.
Can you trace the HTTP requests and responses to see at which point the URL gets truncated? (with something like firebug or httpfox).

First, thank you for your help.

We trace as you suggest with "HttpFox" and the lost of URL's end appends near the beginning:

    - the first redirect seems correct,
    - the second looks wrong ?

Here, the start of the output (with MYHOST for our hostname and AUTH_HOST for our CAS server):

GET 302 Redirect to: /nuxeo/logout?requestedUrl=nxdoc%2Fdefault%2Fe72298ab-a7bb-4502-ad07-10e8de2d698f%2Fview_documents&forceAnonymousLogin=true&securityError=true http://MYHOST:8080/nuxeo/nxdoc/default/e72298ab-a7bb-4502-ad07-10e8de2d698f/view_documents

GET 302 Redirect to: https://AUTH_HOST/cas/login?service=http%3A%2F%2FMYHOST%3A8080%2Fnuxeo%2Fnxstartup.faces /nuxeo/logout?requestedUrl=nxdoc%2Fdefault%2Fe72298ab-a7bb-4502-ad07-10e8de2d698f%2Fview_documents&forceAnonymousLogin=true&securityError=true

GET 200 text/html https://AUTH_HOST/cas/login?service=http%3A%2F%2FMYHOST%3A8080%2Fnuxeo%2Fnxstartup.faces

In this configuration, we chain three authentification plugins: <pre>



With a new test without the "ANONYMOUS_AUTH_FOR_CAS2" plugin, we got the following result:

    . Permanent links work,
    - the acces to the nuxeo plateform via the URL &quot;http://MYHOST:8080/nuxeo/&quot; is redirected to the CAS server
      (no more &quot;guest page&quot;)

Here, the beginning of trace got with "HttpFox":

GET 302 Redirect to: http://MYHOST:8080/nuxeo/nxstartup.faces;jsessionid=678D6DF028FB5F8B8D5CAFD0975D6520.nuxeo http://MYHOST:8080/nuxeo/

GET 302 Redirect to: https://AUTH_HOST/cas/login?service=http%3A%2F%2FMYHOST%3A8080%2Fnuxeo%2Fnxstartup.faces%3Bjsessionid%3D678D6DF028FB5F8B8D5CAFD0975D6520.nuxeo http://MYHOST:8080/nuxeo/nxstartup.faces;jsessionid=678D6DF028FB5F8B8D5CAFD0975D6520.nuxeo

GET 200 text/html https://AUTH_HOST/cas/login?service=http%3A%2F%2FMYHOST%3A8080%2Fnuxeo%2Fnxstartup.faces%3Bjsessionid%3D678D6DF028FB5F8B8D5CAFD0975D6520.nuxeo


Yes, the second redirect is wrong, the service isn't encoded correctly, I'll try to give you a fix next week.
I've created NXP-11602 to track this issue.

This should be fixed (works in my tests!) and available in the next hotfix (5.6-HF18).


We've tried the 5.6-HF18 nuxeo server with the "nuxeo-platform-login-cas2-5.6.0-HF18.jar". We retried the ANONYMOUS_AUTH_FOR_CAS2 plugin, and permanent links still not work for us. (We didn't see any difference in the httpfox log with our previous test).

Can you send us an sample of your own xml configuration? Or have you another idea ?

Besides, we've made tests without ANONYMOUS_AUTH_FOR_CAS2: permanent links seem to work (direct access to a workspace for instance) without any previous connection but we got another problem. We'll describe it a new question.

Thanks for your help.


For the curious, link to our second pb with CAS authentication and permanent links :

My configuration is pretty much what's in the documentation except for the server names. It's possible my changes leveraged other fixes that were not backported (my tests were on the 5.7 dev branch), in which case your issues should be solved with the 5.7.1 version (not yet released).

Hello, is this fixed and if yes can you please tell me what is the hotfix to begin with ? Cause here it seems we're still getting into this kind of trouble with 5.6-HF-23 Thank you


It wasn't fixed for 5.6-HF18 so it's probably the case for HF23. I didn't try with 5.7 or 5.8. But as it not the only problem with CAS authentication (see, we change the authentication mode to use shibboleth.

We have try yesterday CAS authentication on 5.8 without ANONYMOUS_AUTH, but permanent links still no work, so we drop it again to use shibboleth.


Using CAS authentication with anonymous auth enabled, we've got the same problem( the return URL from CAS is appURL not the permanentlink ). This bug is still present in 5.8.