We have several webapps, as well as an external device authenticating against the same Jasig CAS instance. This worked fine and well with tomcat 6.0.29, but after upgrading to 6.0.33 everything broke.
We found that it was an issue with our Validation Filter redirection, because adding the following init-param in our CAS Validation Filter fixed communication between our webapps:
<init-param>
    <param-name>redirectAfterValidation</param-name>
    <param-value>false</param-value>
</init-param>
We eventually learned that this was necessary because tomcat 6.0.33 sets this to true by default, where it was originally set to false. The issue is, now our external mobile device cannot complete a full authentication session because it does not redirect.
The mobile device authenticates successfully, but after authentication our CAS sends an http internal server error 500 and kaputs with no useful debug logging. Changing the redirectAfterValidation init-param value to true fixes this though.
My question is, if this was working before with the default value set to false, why doesn’t this work now? Is there another change in 6.0.33 that I’m not seeing? Sorry if this question is a bit vague, I’ll try to add as much as I can when asked.
This issue had to do with an incorrect loop detection on the CAS server due to URL rewriting to get rid of the jsessionid in the header. Setting disableURLRewriting to true in the tomcat server settings fixed the issue.
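To show where the two settings discussed in this thread live, here is an added example (not configuration from the original poster's deployment) of a Tomcat 6 context.xml together with the CAS client validation filter entry in web.xml; the CAS server URL, application host name and filter class are assumed placeholders, not values from the thread.

```xml
<!-- META-INF/context.xml of the webapp (or conf/context.xml for every webapp) on Tomcat 6.0.30+.
     disableURLRewriting="true" stops Tomcat from appending ;jsessionid=... to rewritten URLs,
     so the session id stays in the cookie and is not exposed in Referer headers, logs or
     the URLs the CAS server sees. -->
<Context disableURLRewriting="true" />

<!-- WEB-INF/web.xml: the CAS client validation filter from the question.
     casServerUrlPrefix, serverName and the filter class are placeholders (assumed, not from the post). -->
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://cas.example.org/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>https://app.example.org</param-value>
    </init-param>
    <!-- With URL rewriting disabled the redirect after validation no longer trips the
         CAS server's loop detection, so the value the mobile device needed can stay on. -->
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

After the change, a quick check is to watch the Location header on the post-validation redirect: it should carry neither a ticket parameter nor a ;jsessionid= path segment.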