If multiple requests to secured resources occur concurrently, the CAS component does not handle the last redirect properly. Here's the behavior:
1. Let's say that three concurrent requests to different secured resources come in for a user that has already authenticated to a CAS server.
2. Each request will hit the Spring Security layer and not have an authenticated user in the session.
3. Each request will call the CAS login URL like this: https://cas-server/cas/login?service=blah
4. Since the user has authenticated to CAS, the response from each request will be a different service ticket.
5. The Spring Security layer then correctly calls the validation URL with the service ticket.
6. CAS server returns the authenticated user in each request (in our example three responses come back).
7. The spring security layer then needs to get the original request made in step #1 (when alwaysUseDefaultTargetUrl is false).
8. The SavedRequestAwareWrapper is consulted and a single redirect URL is returned from the user's HttpSession.
The problem is that the SavedRequestAwareWrapper uses the user's session with a single key to store the URL. This means that there can only be one URL per user for ticket validation. A race condition determines which URL is ultimately redirected to.
We'll need to create a better way to track the original secured request in order to solve this.
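
The overwrite described above can be reproduced with a plain map standing in for the HttpSession. This is an added illustration, not Spring Security code and not the project's fix: the attribute name, the sample URLs and the per-request id scheme are all assumptions, and the interleaving shown is the one where all three requests save their URL before any ticket validation returns.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: the session is modelled as a map; every name here is hypothetical.
public class SavedRequestRace {
    static final String SAVED_KEY = "SAVED_REQUEST"; // hypothetical session attribute name

    // Behaviour from the report: one session attribute holds the saved URL.
    static List<String> singleKey(List<String> requested) {
        Map<String, Object> session = new ConcurrentHashMap<>();
        // Steps 1-3: each concurrent request saves its URL under the same key.
        for (String url : requested) session.put(SAVED_KEY, url);
        // Steps 7-8: each validated ticket looks up "the" saved request.
        List<String> redirects = new ArrayList<>();
        for (int i = 0; i < requested.size(); i++) {
            redirects.add((String) session.get(SAVED_KEY));
        }
        return redirects; // every request is sent to whichever URL was written last
    }

    // One possible alternative (assumption): key each saved URL by a random id
    // that is carried in the service URL and comes back with the ticket.
    static List<String> perRequestKey(List<String> requested) {
        Map<String, Object> session = new ConcurrentHashMap<>();
        List<String> ids = new ArrayList<>();
        for (String url : requested) {
            String id = UUID.randomUUID().toString();
            session.put(SAVED_KEY + "." + id, url);
            ids.add(id);
        }
        List<String> redirects = new ArrayList<>();
        for (String id : ids) {
            // The redirect target is read from the session by id, never taken
            // from a request parameter, so the id cannot be used as an open redirect.
            redirects.add((String) session.remove(SAVED_KEY + "." + id));
        }
        return redirects; // each request gets its own original URL back
    }

    public static void main(String[] args) {
        List<String> urls = List.of("/app/a", "/app/b", "/app/c"); // constructed sample URLs
        System.out.println("single key:      " + singleKey(urls));
        System.out.println("per-request key: " + perRequestKey(urls));
    }
}
```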