Apache input filters are not guaranteed to be called with a complete request but instead should assume the request may be fed in piece-meal, in multiple calls. However, the CAS input filter for single signout (cas_in_filter) logic presumes that the first call will have a complete request as it just examines the current bucket brigade, possibly incomplete, for evidence of SAML signout request, calling the CAS signout if found.
We have seen cases where the single sign-out request is split into two pieces.
https://mail-archives.apache.org/mod_mbox/httpd-users/201510.mbox/%3C39A0AA41C90BDA42BEB03EF9F45DC3F80A058AD2@UCDEDC1PWXMR003.de.db.com%3E
The fix involves a request-scope persistent data structure to build up a copy of the request suitable across multiple calls for passing to CASSAMLLogout
Apache input filters are not guaranteed to be called with a complete request but instead should assume the request may be fed in piece-meal, in multiple calls. However, the CAS input filter for single signout (cas_in_filter) logic presumes that the first call will have a complete request as it just examines the current bucket brigade, possibly incomplete, for evidence of SAML signout request, calling the CAS signout if found.
We have seen cases where the single sign-out request is split into two pieces.
https://mail-archives.apache.org/mod_mbox/httpd-users/201510.mbox/%3C39A0AA41C90BDA42BEB03EF9F45DC3F80A058AD2@UCDEDC1PWXMR003.de.db.com%3E
The fix involves a request-scope persistent data structure to build up a copy of the request suitable across multiple calls for passing to CASSAMLLogout