gunark-rubycas-server 0.6.99.336 → 0.7.999.20090212

data/History.txt

@@ -1,7 +1,26 @@
-=== 0.7.0 :: In Progress
+=== 0.8.0 :: In Progress...
 
-* New features:
-  * Implemented single-sign-out functionality as specified in CAS 3.1.  See
+* NEW:
+  * Support for localization via Ruby-GetText. [antono]
+  * New SQL authenticator (sql_rest_auth) compatible with the
+    restful_authentication Rails plugin. [antono]
+
+* FIXED:
+  * Fixed weird problems with loading controllers when using older versions of 
+    activesupport and/or rubygems.
+  * Failure to connect to a service during a single sign out request is now
+    handled gracefully.
+  * Required gem dependencies have been re-enabled in the gemspec.
+
+=== 0.7.1 :: 2008-11-10
+
+* Fixed dependency loading problems introduced by upstream changes in RubyGems 
+  1.3.1.
+
+=== 0.7.0 :: 2008-11-04
+
+* NEW:
+  * Implemented single-sign-out functionality as specified in CAS 3.3.  See
     http://www.ja-sig.org/wiki/display/CASUM/Single+Sign+Out.
   * It is now possible to configure Authenticators to return extra attributes
     to CAS clients alongside the username. For an example of how to do this see
@@ -14,7 +33,7 @@
   * Added new Google authenticator for authenticating against Google/GMail
     accounts.
        
-* Changes to existing functionality:
+* CHANGED:
   * Service URIs are now automatically normalized. For example, if the service 
     URI given to the server has a 'ticket' parameter, the ticket will now be 
     automatically stripped. This is to avert any possible issues raised by 
@@ -48,7 +67,7 @@
     errors (where the server rather than the client is at fault) have error 500.
     Previously most responses had error code 200, regardless of their contents.
     
-* Bug fixes
+* FIXED:
   * Fixed logout action to work properly with ActiveRecord 2.1 (eager loading behaviour
     was changed upstream forcing a change to the way we look for ProxyGrantingTickets
     to delete on logout).
@@ -56,6 +75,8 @@
     expected -- however currently this only works when the server is running
     in the foregaround. When daemonized, USR2 will shut down the server without
     restarting (see issue #58).
+  * Fixed activerecord/activesupport gem load problems, hopefully once and for all
+    (however picnic-0.7.0 is now required).
 
 === 0.6.0 :: 2008-03-28
 

data/Manifest.txt

@@ -7,10 +7,8 @@ README.txt
 Rakefile
 bin/rubycas-server
 bin/rubycas-server-ctl
-casserver.db
-casserver.log
-casserver_db.log
 config.example.yml
+config.ru
 config/hoe.rb
 config/requirements.rb
 custom_views.example.rb
@@ -18,17 +16,20 @@ lib/casserver.rb
 lib/casserver/authenticators/active_directory_ldap.rb
 lib/casserver/authenticators/base.rb
 lib/casserver/authenticators/client_certificate.rb
+lib/casserver/authenticators/google.rb
 lib/casserver/authenticators/ldap.rb
 lib/casserver/authenticators/ntlm.rb
 lib/casserver/authenticators/open_id.rb
 lib/casserver/authenticators/sql.rb
 lib/casserver/authenticators/sql_encrypted.rb
 lib/casserver/authenticators/sql_md5.rb
+lib/casserver/authenticators/sql_rest_auth.rb
 lib/casserver/authenticators/test.rb
 lib/casserver/cas.rb
 lib/casserver/conf.rb
 lib/casserver/controllers.rb
 lib/casserver/environment.rb
+lib/casserver/localization.rb
 lib/casserver/models.rb
 lib/casserver/postambles.rb
 lib/casserver/utils.rb
@@ -48,8 +49,20 @@ lib/themes/urbacon/login_box_bg.png
 lib/themes/urbacon/logo.png
 lib/themes/urbacon/theme.css
 lib/themes/warning.png
-misc/basic_cas_single_signon_mechanism_diagram.png
-misc/basic_cas_single_signon_mechanism_diagram.svg
+locale/de_DE/LC_MESSAGES/rubycas-server.mo
+locale/es_ES/LC_MESSAGES/rubycas-server.mo
+locale/fr_FR/LC_MESSAGES/rubycas-server.mo
+locale/ja_JP/LC_MESSAGES/rubycas-server.mo
+locale/pl_PL/LC_MESSAGES/rubycas-server.mo
+locale/ru_RU/LC_MESSAGES/rubycas-server.mo
+po/de_DE/rubycas-server.po
+po/es_ES/rubycas-server.po
+po/fr_FR/rubycas-server.po
+po/ja_JP/rubycas-server.po
+po/pl_PL/rubycas-server.po
+po/ru_RU/rubycas-server.po
+po/rubycas-server.pot
+public/restart.txt
 resources/init.d.sh
 script/console
 script/destroy
@@ -58,6 +71,7 @@ script/txt2html
 setup.rb
 tasks/deployment.rake
 tasks/environment.rake
+tasks/localization.rake
 tasks/website.rake
 vendor/isaac_0.9.1/LICENSE
 vendor/isaac_0.9.1/README
@@ -67,8 +81,4 @@ vendor/isaac_0.9.1/crypt/ISAAC.rb
 vendor/isaac_0.9.1/isaac.gemspec
 vendor/isaac_0.9.1/setup.rb
 vendor/isaac_0.9.1/test/TC_ISAAC.rb
-website/index.html
-website/index.txt
-website/javascripts/rounded_corners_lite.inc.js
-website/stylesheets/screen.css
-website/template.html.erb
+

data/README.txt

@@ -1,7 +1,8 @@
 = RubyCAS-Server
 
-*Copyright*:: 2008 Urbacon Ltd.
-*Authors*::   Matt Zukowski <matt at roughest dot net>, Jason Zylks
+*Copyright*:: Portions contributed by Matt Zukowski are copyright (c) 2008 Urbacon Ltd.
+              Other portions are copyright of their respective authors.
+*Authors*::   See http://github.com/gunark/rubycas-server/commits/
 *Homepage*::  http://rubycas-server.googlecode.com
 
 For info and installation instructions please see http://code.google.com/p/rubycas-server

data/bin/rubycas-server

@@ -8,10 +8,11 @@ else
   require 'rubygems'
   
   # make things backwards-compatible for rubygems < 0.9.0
-  unless Object.method_defined? :gem
+  if respond_to?(:require_gem)
+    puts "WARNING: aliasing gem to require_gem in #{__FILE__} -- you should update your RubyGems system!"
     alias gem require_gem
   end
-  
+ 
   gem 'picnic'
 end
 
@@ -19,8 +20,8 @@ require 'picnic/cli'
 
 cli = Picnic::Cli.new(
   'rubycas-server',
-  :app_path => File.expand_path(File.dirname(File.expand_path(__FILE__))),
-  :app_module => 'CASServer'
+  :app_module => 'CASServer',
+  :app_file => File.expand_path(File.dirname(File.expand_path($0))+"/../lib/casserver.rb")
 )
 
 cli.handle_cli_input

data/bin/rubycas-server-ctl

@@ -8,10 +8,11 @@ else
   require 'rubygems'
   
   # make things backwards-compatible for rubygems < 0.9.0
-  unless Object.method_defined? :gem
+  if respond_to?(:require_gem)
+    puts "WARNING: aliasing gem to require_gem in #{__FILE__} -- you should update your RubyGems system!"
     alias gem require_gem
   end
-  
+ 
   gem 'picnic'
 end
 

data/config/hoe.rb

@@ -8,9 +8,10 @@ RUBYFORGE_PROJECT = 'rubycas-server' # The unix name for your project
 HOMEPATH = "http://#{RUBYFORGE_PROJECT}.rubyforge.org"
 DOWNLOAD_PATH = "http://rubyforge.org/projects/#{RUBYFORGE_PROJECT}"
 EXTRA_DEPENDENCIES = [
-  ['activesupport', '>= 2.0.2'],
-  ['activerecord', '>= 2.0.2'],
-  ['picnic', '>= 0.6.5']
+  'activesupport',
+  'activerecord',
+  'gettext',
+  ['picnic', '>= 0.7.999']
 ]    # An array of rubygem dependencies [name, version]
 
 @config_file = "~/.rubyforge/user-config.yml"
@@ -36,7 +37,7 @@ ENV['NODOT'] = '1'
 
 #REV = nil
 # UNCOMMENT IF REQUIRED:
-REV = YAML.load(`svn info`)['Revision']
+REV = Time.now.strftime('%y%m%d%H%M')
 VERS = CASServer::VERSION::STRING + (REV ? ".#{REV}" : "")
 RDOC_OPTS = ['--quiet', '--title', 'rubycas-server documentation',
     "--opname", "index.html",
@@ -64,13 +65,13 @@ $hoe = Hoe.new(GEM_NAME, VERS) do |p|
 
   # == Optional
   p.changes = p.paragraphs_of("History.txt", 0..1).join("\n\n")
-  #p.extra_deps = EXTRA_DEPENDENCIES
+  p.extra_deps = EXTRA_DEPENDENCIES
 
-    p.spec_extras = {:executables => ['rubycas-server', 'rubycas-server-ctl']}    # A hash of extra values to set in the gemspec.
-  end
+  p.spec_extras = {:executables => ['rubycas-server', 'rubycas-server-ctl']}    # A hash of extra values to set in the gemspec.
+end
 
 CHANGES = $hoe.paragraphs_of('History.txt', 0..1).join("\\n\\n")
 PATH    = (RUBYFORGE_PROJECT == GEM_NAME) ? RUBYFORGE_PROJECT : "#{RUBYFORGE_PROJECT}"
 $hoe.remote_rdoc_dir = File.join(PATH.gsub(/^#{RUBYFORGE_PROJECT}\/?/,''), 'rdoc')
 $hoe.rsync_args = '-av --delete --ignore-errors'
-$hoe.spec.post_install_message = File.open(File.dirname(__FILE__) + "/../PostInstall.txt").read rescue ""
+$hoe.spec.post_install_message = File.open(File.dirname(__FILE__) + "/../PostInstall.txt").read rescue ""

data/config.example.yml

@@ -132,7 +132,7 @@ database:
 #    database: some_database_with_users_table
 #    username: root
 #    password: 
-#    server: localhost
+#    host: localhost
 #  user_table: users
 #  username_column: username
 #  password_column: password
@@ -187,7 +187,7 @@ database:
 #      database: some_database_with_users_table
 #      user: root
 #      password:
-#      server: localhost
+#      host: localhost
 #    user_table: user
 #    username_column: username
 #    password_column: password
@@ -212,7 +212,7 @@ database:
 #authenticator: 
 #  class: CASServer::Authenticators::ActiveDirectoryLDAP
 #  ldap:
-#    server: ad.example.net
+#    host: ad.example.net
 #    port: 389
 #    base: dc=example,dc=net
 #    filter: (objectClass=person)
@@ -226,7 +226,7 @@ database:
 #authenticator:
 #  class: CASServer::Authenticators::ActiveDirectoryLDAP
 #  ldap:
-#    server: ad.example.net
+#    host: ad.example.net
 #    port: 636
 #    base: dc=example,dc=net
 #    filter: (objectClass=person) & !(msExchHideFromAddressLists=TRUE)
@@ -247,28 +247,34 @@ database:
 #
 # This is a more general version of the ActiveDirectory authenticator.
 # The configuration is similar, except you don't need an authenticator
-# username or password. Note that this authenticator hasn't been widely
-# tested, so it is not guaranteed to work.
+# username or password. The following example has been reported to work 
+# for a basic OpenLDAP setup.
 #
 #authenticator:
 #  class: CASServer::Authenticators::LDAP
 #  ldap:
-#    server: ldap.example.net
+#    host: ldap.example.net
 #    port: 389
 #    base: dc=example,dc=net
+#    username_attribute: uid
 #    filter: (objectClass=person)
 #
 # If you need more secure connections via TSL, specify the 'encryption'
-# option and change the port:
+# option and change the port. This example also forces the authenticator
+# to connect using a special "authenticator" user with the given
+# username and password (see the ActiveDirectoryLDAP authenticator
+# explanation above):
 #
 #authenticator:
 #  class: CASServer::Authenticators::LDAP
 #  ldap:
-#    server: ldap.example.net
+#    host: ldap.example.net
 #    port: 636
 #    base: dc=example,dc=net
 #    filter: (objectClass=person)
 #    encryption: simple_tls
+#    auth_user: cn=admin,dc=example,dc=net
+#    auth_password: secret
 #
 # If you need additional data about the user passed to the client (for example,
 # their 'cn' and 'mail' attributes, you can specify the list of attributes
@@ -277,7 +283,7 @@ database:
 #authenticator:
 #  class: CASServer::Authenticators::LDAP
 #  ldap:
-#    server: ldap.example.net
+#    host: ldap.example.net
 #    port: 389
 #    base: dc=example,dc=net
 #    filter: (objectClass=person)
@@ -321,7 +327,7 @@ database:
 #  -
 #    class: CASServer::Authenticators::ActiveDirectoryLDAP
 #    ldap:
-#      server: ad.example.net
+#      host: ad.example.net
 #      port: 389
 #      base: dc=example,dc=net
 #      filter: (objectClass=person)
@@ -332,7 +338,7 @@ database:
 #      database: some_database_with_users_table
 #      user: root
 #      password:
-#      server: localhost
+#      host: localhost
 #    user_table: user
 #    username_column: username
 #    password_column: password
@@ -367,6 +373,31 @@ infoline: Powered by <a href="http://code.google.com/p/rubycas-server/">RubyCAS-
 # Custom views file.  Overrides methodes in lib/casserver/views.rb
 #custom_views_file: /path/to/custom/views.rb
 
+##### LOCALIZATION (L10N) #######################################################
+# The server will attempt to detect the user's locale and show text in the 
+# appropriate language based on:
+#
+#   1. The 'lang' URL parameter (if any)
+#   2. The 'lang' cookie (if any)
+#   3. The HTTP_ACCEPT_LANGUAGE header supplied by the user's browser.
+#   4. The HTTP_USER_AGENT header supplied by the user's browser.
+#
+# If the locale cannot be established based on one of the above checks (in the 
+# shown order), then the below 'default_locale' option will be used.
+#
+# The format is the same as standard linux locales (langagecode_COUNTRYCODE): 
+#
+#   ru_RU - Russian, Russia
+#   eo_AQ - Esperanto, Antarctica 
+#   
+# It will also work if you leave out the region (i.e. just "ru" for Russian,
+# "eo" for Esperanto).
+#
+# If you are interested in contributing new translations or have corrections
+# to the existing translations, see 
+# http://code.google.com/p/rubycas-server/wiki/HowToContribueTranslations
+#
+default_locale: en
 
 ##### LOGGING ##################################################################
 

data/config.ru

@@ -0,0 +1,21 @@
+require 'rubygems'
+require 'rack'
+
+$APP_NAME = 'rubycas-server'
+$APP_ROOT = File.dirname(File.expand_path(__FILE__))
+$: << $APP_ROOT + "/lib"
+
+require File.dirname(File.expand_path(__FILE__)) + '/lib/casserver'
+
+$LOG = Logger.new("casserver.log")
+$LOG.level = Logger::DEBUG
+
+CASServer.create
+
+if $CONF.uri_path
+	map($CONF.uri_path) do
+		run CASServer
+	end
+else
+	run CASServer
+end

data/lib/casserver/authenticators/google.rb

@@ -0,0 +1,54 @@
+require 'casserver/authenticators/base'
+require 'uri'
+require 'net/http'
+require 'net/https'
+require 'timeout'
+
+# Validates Google accounts against Google's authentication service -- in other 
+# words, this authenticator allows users to log in to CAS using their
+# Gmail/Google accounts.
+class CASServer::Authenticators::Google < CASServer::Authenticators::Base
+  def validate(credentials)
+    read_standard_credentials(credentials)
+
+    return false if @username.blank? || @password.blank?
+   
+    auth_data = {
+      'Email'   => @username, 
+      'Passwd'  => @password, 
+      'service' => 'xapi', 
+      'source'  => 'RubyCAS-Server',
+      'accountType' => 'HOSTED_OR_GOOGLE'
+    }
+   
+    url = URI.parse('https://www.google.com/accounts/ClientLogin')
+    http = Net::HTTP.new(url.host, url.port)
+    http.use_ssl = true
+    
+    # TODO: make the timeout configurable
+    wait_seconds = 10
+    begin
+      timeout(wait_seconds) do
+        res = http.start do |conn|
+          req = Net::HTTP::Post.new(url.path)
+          req.set_form_data(auth_data,'&')
+          conn.request(req)
+        end
+        
+        case res
+        when Net::HTTPSuccess
+          true
+        when Net::HTTPForbidden
+          false
+        else
+          $LOG.error("Unexpected response from Google while validating credentials: #{res.inspect} ==> #{res.body}.")
+          raise CASServer::AuthenticatorError, "Unexpected response received from Google while validating credentials."
+        end
+      end
+    rescue Timeout::Error
+      $LOG.error("Google did not respond to the credential validation request. We waited for #{wait_seconds.inspect} seconds before giving up.")
+      raise CASServer::AuthenticatorError, "Timeout while waiting for Google to validate credentials."
+    end
+
+  end
+end

data/lib/casserver/authenticators/sql_rest_auth.rb

@@ -0,0 +1,77 @@
+require 'casserver/authenticators/base'
+
+require 'digest/sha1'
+
+begin
+  require 'active_record'
+rescue LoadError
+  require 'rubygems'
+  require 'active_record'
+end
+
+# This is a version of the SQL authenticator that works nicely with RestfulAuthentication. 
+# Passwords are encrypted the same way as it done in RestfulAuthentication. 
+# Before use you this, you MUST configure rest_auth_digest_streches and rest_auth_site_key in 
+# config. 
+#
+# Using this authenticator requires restful authentication plugin on rails (client) side.
+#
+# * git://github.com/technoweenie/restful-authentication.git
+#
+class CASServer::Authenticators::SQLRestAuth < CASServer::Authenticators::Base
+
+  def validate(credentials)
+    read_standard_credentials(credentials)
+    
+    raise CASServer::AuthenticatorError, "Cannot validate credentials because the authenticator hasn't yet been configured" unless @options
+    raise CASServer::AuthenticatorError, "Invalid authenticator configuration!" unless @options[:database]
+    
+    CASUser.establish_connection @options[:database]
+    CASUser.set_table_name @options[:user_table] || "users"
+    
+    username_column = @options[:username_column] || "email"
+    
+    results = CASUser.find(:all, :conditions => ["#{username_column} = ?", @username])
+    
+    if results.size > 0
+      $LOG.warn("Multiple matches found for user '#{@username}'") if results.size > 1
+      user = results.first
+      return (user.crypted_password == user.encrypt(@password)) 
+    else
+      return false
+    end
+  end
+  
+  module EncryptedPassword
+
+    # XXX: this constants MUST be defined in config. 
+    # For more details # look at restful-authentication docs.
+    #
+    REST_AUTH_DIGEST_STRETCHES = $CONF.rest_auth_digest_streches
+    REST_AUTH_SITE_KEY         = $CONF.rest_auth_site_key
+
+    def self.included(mod)
+      raise "#{self} should be inclued in an ActiveRecord class!" unless mod.respond_to?(:before_save)
+    end
+    
+    def encrypt(password)
+      password_digest(password, self.salt)
+    end
+    
+    def secure_digest(*args)
+      Digest::SHA1.hexdigest(args.flatten.join('--'))
+    end
+
+    def password_digest(password, salt)
+      digest = REST_AUTH_SITE_KEY
+      REST_AUTH_DIGEST_STRETCHES.times do
+        digest = secure_digest(digest, salt, password, REST_AUTH_SITE_KEY)
+      end
+      digest
+    end      
+  end
+  
+  class CASUser < ActiveRecord::Base
+    include EncryptedPassword
+  end
+end

data/lib/casserver/cas.rb

@@ -11,7 +11,8 @@ module CASServer::CAS
     # 3.5 (login ticket)
     lt = LoginTicket.new
     lt.ticket = "LT-" + CASServer::Utils.random_string
-    lt.client_hostname = env['HTTP_X_FORWARDED_FOR'] || env['REMOTE_HOST'] || env['REMOTE_ADDR']
+    
+    lt.client_hostname = @env['HTTP_X_FORWARDED_FOR'] || @env['REMOTE_HOST'] || @env['REMOTE_ADDR']
     lt.save!
     $LOG.debug("Generated login ticket '#{lt.ticket}' for client" +
       " at '#{lt.client_hostname}'")
@@ -30,7 +31,7 @@ module CASServer::CAS
     tgt.ticket = "TGC-" + CASServer::Utils.random_string
     tgt.username = username
     tgt.extra_attributes = extra_attributes
-    tgt.client_hostname = env['HTTP_X_FORWARDED_FOR'] || env['REMOTE_HOST'] || env['REMOTE_ADDR']
+    tgt.client_hostname = @env['HTTP_X_FORWARDED_FOR'] || @env['REMOTE_HOST'] || @env['REMOTE_ADDR']
     tgt.save!
     $LOG.debug("Generated ticket granting ticket '#{tgt.ticket}' for user" +
       " '#{tgt.username}' at '#{tgt.client_hostname}'" + 
@@ -45,7 +46,7 @@ module CASServer::CAS
     st.service = service
     st.username = username
     st.ticket_granting_ticket = tgt
-    st.client_hostname = env['HTTP_X_FORWARDED_FOR'] || env['REMOTE_HOST'] || env['REMOTE_ADDR']
+    st.client_hostname = @env['HTTP_X_FORWARDED_FOR'] || @env['REMOTE_HOST'] || @env['REMOTE_ADDR']
     st.save!
     $LOG.debug("Generated service ticket '#{st.ticket}' for service '#{st.service}'" +
       " for user '#{st.username}' at '#{st.client_hostname}'")
@@ -60,7 +61,7 @@ module CASServer::CAS
     pt.username = pgt.service_ticket.username
     pt.proxy_granting_ticket_id = pgt.id
     pt.ticket_granting_ticket = pgt.service_ticket.ticket_granting_ticket
-    pt.client_hostname = env['HTTP_X_FORWARDED_FOR'] || env['REMOTE_HOST'] || env['REMOTE_ADDR']
+    pt.client_hostname = @env['HTTP_X_FORWARDED_FOR'] || @env['REMOTE_HOST'] || @env['REMOTE_ADDR']
     pt.save!
     $LOG.debug("Generated proxy ticket '#{pt.ticket}' for target service '#{pt.service}'" +
       " for user '#{pt.username}' at '#{pt.client_hostname}' using proxy-granting" +
@@ -87,7 +88,7 @@ module CASServer::CAS
       pgt.ticket = "PGT-" + CASServer::Utils.random_string(60)
       pgt.iou = "PGTIOU-" + CASServer::Utils.random_string(57)
       pgt.service_ticket_id = st.id
-      pgt.client_hostname = env['HTTP_X_FORWARDED_FOR'] || env['REMOTE_HOST'] || env['REMOTE_ADDR']
+      pgt.client_hostname = @env['HTTP_X_FORWARDED_FOR'] || @env['REMOTE_HOST'] || @env['REMOTE_ADDR']
       
       # FIXME: The CAS protocol spec says to use 'pgt' as the parameter, but in practice
       #         the JA-SIG and Yale server implementations use pgtId. We'll go with the
@@ -119,7 +120,7 @@ module CASServer::CAS
       if lt.consumed?
         error = "The login ticket you provided has already been used up. Please try logging in again."
         $LOG.warn("Login ticket '#{ticket}' previously used up")
-      elsif Time.now - lt.created_on < CASServer::Conf.login_ticket_expiry
+      elsif Time.now - lt.created_on < $CONF.login_ticket_expiry
         $LOG.info("Login ticket '#{ticket}' successfully validated")
       else
         error = "Your login ticket has expired. Please try logging in again."
@@ -142,7 +143,7 @@ module CASServer::CAS
       error = "No ticket granting ticket given."
       $LOG.debug(error)
     elsif tgt = TicketGrantingTicket.find_by_ticket(ticket)
-      if CASServer::Conf.expire_sessions && Time.now - tgt.created_on > CASServer::Conf.ticket_granting_ticket_expiry
+      if $CONF.expire_sessions && Time.now - tgt.created_on > $CONF.ticket_granting_ticket_expiry
         error = "Your session has expired. Please log in again."
         $LOG.info("Ticket granting ticket '#{ticket}' for user '#{tgt.username}' expired.")
       else
@@ -169,7 +170,7 @@ module CASServer::CAS
       elsif st.kind_of?(CASServer::Models::ProxyTicket) && !allow_proxy_tickets
         error = Error.new(:INVALID_TICKET, "Ticket '#{ticket}' is a proxy ticket, but only service tickets are allowed here.")
         $LOG.warn("#{error.code} - #{error.message}")
-      elsif Time.now - st.created_on > CASServer::Conf.service_ticket_expiry
+      elsif Time.now - st.created_on > $CONF.service_ticket_expiry
         error = Error.new(:INVALID_TICKET, "Ticket '#{ticket}' has expired.")
         $LOG.warn("Ticket '#{ticket}' has expired.")
       elsif !st.matches_service? service
@@ -234,30 +235,38 @@ module CASServer::CAS
   # See http://www.ja-sig.org/wiki/display/CASUM/Single+Sign+Out
   def send_logout_notification_for_service_ticket(st)
     uri = URI.parse(st.service)
-    http = Net::HTTP.new(uri.host,uri.port)
+    http = Net::HTTP.new(uri.host, uri.port)
     #http.use_ssl = true if uri.scheme = 'https'
     
-    http.start do |conn|
-      path = uri.path
-      path = '/' if path.empty?
-      
-      time = Time.now
-      rand = CASServer::Utils.random_string
-      
-      data = %{<samlp:LogoutRequest ID="#{rand}" Version="2.0" IssueInstant="#{time.rfc2822}">
+    time = Time.now
+    rand = CASServer::Utils.random_string
+    
+    path = uri.path
+    path = '/' if path.empty?
+    
+    req = Net::HTTP::Post.new(path)
+    req.set_form_data(
+      'logoutRequest' => %{<samlp:LogoutRequest ID="#{rand}" Version="2.0" IssueInstant="#{time.rfc2822}">
 <saml:NameID></saml:NameID>
 <samlp:SessionIndex>#{st.ticket}</samlp:SessionIndex>
 </samlp:LogoutRequest>}
-      
-      response = conn.request_post(path, data)
-      
-      if response.code.to_i == 200
-        $LOG.info "Logout notification successfully posted to #{st.service.inspect}."
-        return true
-      else
-        $LOG.error "Service #{st.service.inspect} responed to logout notification with code '#{response.code}'."
-        return false
+    )
+    
+    begin
+      http.start do |conn|
+        response = conn.request(req)
+              
+        if response.kind_of? Net::HTTPSuccess
+          $LOG.info "Logout notification successfully posted to #{st.service.inspect}."
+          return true
+        else
+          $LOG.error "Service #{st.service.inspect} responed to logout notification with code '#{response.code}'!"
+          return false
+        end
       end
+    rescue => e
+      $LOG.error "Failed to send logout notification to service #{st.service.inspect} due to #{e}"
+          return false
     end
   end
   
@@ -283,7 +292,7 @@ module CASServer::CAS
   end
   
   # Strips CAS-related parameters from a service URL and normalizes it,
-  # removing trailing / and ?.
+  # removing trailing / and ?. Also converts any spaces to +.
   #
   # For example, "http://google.com?ticket=12345" will be returned as
   # "http://google.com". Also, "http://google.com/" would be returned as
@@ -300,7 +309,11 @@ module CASServer::CAS
     end
     
     clean_service.gsub!(/[\/\?]$/, '')
+    clean_service.gsub!(' ', '+')
     
+    $LOG.debug("Cleaned dirty service URL #{dirty_service.inspect} to #{clean_service.inspect}") if
+      dirty_service != clean_service
+      
     return clean_service
   end
   module_function :clean_service_url