At the College of Engineering, we are in the process of adding SSL certificates to all of our WordPress sites. On top of faster load times with HTTP/2 and higher page rankings in Google’s search engine, we also wanted our WordPress logins to be secure. It is a simple procedure that adds one more layer of protection. Well, it was supposed to be a simple procedure, but I ran into an issue when securing the WordPress login process.
Application Not Authorized to Use CAS
- WordPress 4.7.1 running on WP Engine
- CAS Maestro plugin
- SSL certificate: Let’s Encrypt (issued through WP Engine)
- HTTPS forced for all pages including wp-admin and wp-login
- CNAME registered with CAS
I encountered a problem when I forced HTTPS on wp-admin and wp-login in WP Engine’s SSL panel. When trying to authenticate against CAS, :80 (%3A80) was being added after the site URL in the service parameter.
With port 80 being appended to the site URL, it caused CAS to return a message saying the application was not authorized to use CAS. If port 80 was then added to the CAS entry for the site, when a user successfully authenticated, they were shown a page that said, “This site can’t provide a secure connection.” This was because port 80 was being used in conjunction with HTTPS. While researching this issue on Google to see if anyone else was having similar issues, I saw a lot of people giving up and either removing SSL altogether or just having SSL enabled for the front end of the website. The backend of WordPress was left unsecured. This was not acceptable to me and I was determined to find a solution.
The plugin I downloaded from WordPress uses phpCAS 1.3.2. I was able to locate and isolate the section of code that was appending port 80 to the URL. Before writing my own patch, I decided to update phpCAS to 1.3.4 by removing the old files in the plugin’s folder and adding the new files. The changelog didn’t reference a fix, but I figured it was worth a try. The worst that could have happened was that the plugin would throw fatal errors and I would lose 10 minutes updating the files. After testing, though, port 80 was no longer being appended to the URL. I discovered that the function building the service URL in phpCAS/CAS/Client.php had been modified slightly. Instead of
(Version 1.3.2 of Client.php)
$server_port = $_SERVER['HTTP_X_FORWARDED_PORT'];
it was changed to
(Version 1.3.4 of Client.php)
$ports = explode(',', $_SERVER['HTTP_X_FORWARDED_PORT']); // header may carry a comma-separated list when several proxies are chained
$server_port = $ports[0]; // keep only the first (client-facing) port rather than the whole list
Note: Other changes may have been made to the client. It is recommended to remove and replace phpCAS with the latest version instead of making this single modification.
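To make the difference between the two snippets concrete, here is an added example (not code from phpCAS or the CAS Maestro plugin) that models the port handling of each version inside an assumed, simplified service-URL builder. The $server array is a constructed input; the example assumes the site sits only behind the host’s own proxy, so the X-Forwarded-* headers can be trusted.

```php
<?php
// Added example (not phpCAS or CAS Maestro code): models the service-URL port
// handling the two snippets above differ on. The $server array is constructed.

// 1.3.2 style: takes the X-Forwarded-Port header verbatim.
function forwarded_port_132(array $server): string
{
    return (string) ($server['HTTP_X_FORWARDED_PORT'] ?? $server['SERVER_PORT']);
}

// 1.3.4 style: chained proxies may each append their port, giving a
// comma-separated list; keep only the first (client-facing) entry.
function forwarded_port_134(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_PORT'])) {
        $ports = explode(',', $server['HTTP_X_FORWARDED_PORT']);
        return trim($ports[0]);
    }
    return (string) $server['SERVER_PORT'];
}

// Assumed service-URL builder: scheme and host from X-Forwarded-* headers,
// port appended only when it is not the default for the scheme. Strict string
// comparison so a value like "80,443" is never loosely treated as 80.
function service_url(array $server, callable $portPicker): string
{
    $https = ($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
    $port  = $portPicker($server);
    $url   = ($https ? 'https://' : 'http://') . $server['HTTP_X_FORWARDED_HOST'];
    if (($https && $port !== '443') || (!$https && $port !== '80')) {
        $url .= ':' . $port;   // this is where a stray or malformed port ends up
    }
    return $url . $server['REQUEST_URI'];
}

// Constructed request as a TLS-terminating proxy might present it to PHP.
$server = [
    'HTTP_X_FORWARDED_HOST'  => 'www.example.edu',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_X_FORWARDED_PORT'  => '443,80',
    'SERVER_PORT'            => '80',
    'REQUEST_URI'            => '/wp-login.php',
];
echo '1.3.2 picker: ', service_url($server, 'forwarded_port_132'), "\n";
echo '1.3.4 picker: ', service_url($server, 'forwarded_port_134'), "\n";
```

Whatever the picker returns is what CAS compares against the registered service entry, so the URL produced with the 1.3.4-style picker is the form that has to match the CAS registry.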
How To Fix The Plugin
If you don’t have access to the plugin files on your site or don’t feel comfortable replacing the phpCAS files yourself following the instructions below, feel free to leave a note in the comments and I can send you a copy of my plugin file. There is discussion on releasing a more stable/more robust version of the plugin.
- Backup your site and deactivate the plugin.
- Download the cas-maestro folder to your computer via SFTP. (This just makes things a bit easier. I also deleted the plugin from the site after downloading. This gives me the added assurance no old code is left.)
- Go inside the cas-maestro plugin you downloaded to your computer and remove everything inside the phpCAS folder.
- Go to https://wiki.jasig.org/display/CASC/phpCAS+installation+guide
- Download the latest stable release (currently 1.3.4) without PEAR
- Unzip the file
- Copy all of the files in the CAS-1.3.4 folder and paste them inside the phpCAS folder in the cas-maestro folder (cas-maestro\phpCAS)
- Upload the cas-maestro folder back to your site via SFTP
- Reactivate the plugin. (Your settings should remain since they are stored in the database.)
- Test your updates by logging into WordPress via CAS. You shouldn’t see the :80 (%3A80) there anymore.
My motivation behind this article was to document my solution so others don’t have to disable SSL on the front end and/or backend of the website. There wasn’t an issue until I forced wp-admin and wp-login to use HTTPS. Sites that didn’t force HTTPS for logging into WordPress didn’t have the port appended in my testing. Updating the phpCAS client did the trick. Hopefully this article helps you and others who are facing the same issue. Please let me know in the comments below if you encounter scenarios with the CAS Maestro plugin and CAS that I didn’t account for.