From f7815e8da282997567c73ae9d8ad288dd3e2c485 Mon Sep 17 00:00:00 2001
From: Scott Battaglia
Date: Mon, 10 Sep 2007 15:11:56 +0000
Subject: [PATCH] SEC-520 added parameter to determine whether to encode the session id or not and an explanation on when it should/should not be used.
---
 .../ui/cas/CasProcessingFilterEntryPoint.java | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/core/src/main/java/org/acegisecurity/ui/cas/CasProcessingFilterEntryPoint.java b/core/src/main/java/org/acegisecurity/ui/cas/CasProcessingFilterEntryPoint.java
index 53ae80225e..840269a39e 100644
--- a/core/src/main/java/org/acegisecurity/ui/cas/CasProcessingFilterEntryPoint.java
+++ b/core/src/main/java/org/acegisecurity/ui/cas/CasProcessingFilterEntryPoint.java
@@ -46,6 +46,16 @@ public class CasProcessingFilterEntryPoint implements AuthenticationEntryPoint,
 private ServiceProperties serviceProperties;
 private String loginUrl;
+
+ /**
+ * Determines whether the Service URL should include the session id for the specific user. As of CAS 3.0.5, the
+ * session id will automatically be stripped. However, older versions of CAS (i.e. CAS 2), do not automatically
+ * strip the session identifier (this is a bug on the part of the older server implementations), so an option to
+ * disable the session encoding is provided for backwards compatibility.
+ *
+ * By default, encoding is enabled.
+ */
+ private boolean encodeServiceUrlWithSessionId = true;
 //~ Methods ========================================================================================================
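Review bot: The Javadoc on `encodeServiceUrlWithSessionId` explains the option only as CAS 2 compatibility and leaves out what enabling it exposes. With the default `true`, a container that tracks the session by URL rewriting puts the session id into the service URL handed to the CAS server, where it can end up in server and proxy logs or browser history. I would add a line such as `* When enabled, the session id may appear in the service URL sent to CAS; set to false if it must not leave this application.` so that whoever picks the setting sees the trade-off. Keeping `true` as the default preserves the earlier behaviour, which is fine for compatibility, but the comment should say that it is the less private choice.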
@@ -59,7 +69,7 @@ public class CasProcessingFilterEntryPoint implements AuthenticationEntryPoint,
 throws IOException, ServletException {
 final HttpServletRequest request = (HttpServletRequest) servletRequest;
 final HttpServletResponse response = (HttpServletResponse) servletResponse;
- final String urlEncodedService = response.encodeURL(this.serviceProperties.getService());
+ final String urlEncodedService = this.encodeServiceUrlWithSessionId ? response.encodeURL(this.serviceProperties.getService()) : this.serviceProperties.getService();
 final StringBuffer buffer = new StringBuffer(255);
@@ -94,4 +104,8 @@ public class CasProcessingFilterEntryPoint implements AuthenticationEntryPoint,
 public void setServiceProperties(final ServiceProperties serviceProperties) {
 this.serviceProperties = serviceProperties;
 }
+
+ public void setEncodeServiceUrlWithSessionId(final boolean encodeServiceUrlWithSessionId) {
+ this.encodeServiceUrlWithSessionId = encodeServiceUrlWithSessionId;
+ }
 }
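Review bot: `this.serviceProperties.getService()` is now written out in both arms of the ternary on one very long line, and the name `urlEncodedService` no longer fits when the flag is off, because the value is then the raw configured URL (and `encodeURL` performs session rewriting rather than URL-encoding in any case). Reading the value once keeps the line short: `final String service = this.serviceProperties.getService();` followed by `final String urlEncodedService = this.encodeServiceUrlWithSessionId ? response.encodeURL(service) : service;`. The enclosing method starts before this hunk and continues past it, so whether the value is escaped before it is placed in the login URL cannot be seen here and should be confirmed.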
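Review bot: The new public setter `setEncodeServiceUrlWithSessionId` has no Javadoc, while the explanation of the option sits on the private field, where someone configuring the bean will not find it in the generated API docs. Put a short comment on the setter, for example `/** Whether the service URL is passed through HttpServletResponse.encodeURL, which may append the session id; defaults to true. Set to false for CAS servers that do not strip it. */`. That keeps the guidance next to the property name people actually set.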