JBoss CAS problem

Scott Battaglia scott_battaglia at rutgers.edu
Sat Aug 12 23:18:57 EDT 2006


You need to add your certificate to your JVM's local cacerts file 
(generally, JAVA_HOME\jre\lib\security\cacerts)

Check out: http://www.ja-sig.org/products/cas/server/ssl/index.html

-Scott

Scott Battaglia
Application Developer, Architecture & Engineering Team
Enterprise Systems and Services, Rutgers University
v: 732.445.0097 | f: 732.445.5493 | scott_battaglia at rutgers.edu 



Alex Dorandish wrote:
> Hi All,
>
> I have tried to get sample CAS running for two sample web applications. 
> Steps I took:
>
> 1. I created an SSL certificate and added it to JBoss.
> 2. Deployed CAS on the JBoss server (ver 4.0.4)
> 3. Created two sample web applications with one public page and one 
> secured page each.
> 4. Changed both web applications' web.xml and added
>
>         <filter>
>                 <filter-name>CAS Filter</filter-name>
>                 <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
>                 <init-param>
>                         <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
>                         <param-value>https://localhost:8443/cas/login</param-value>
>                 </init-param>
>                 <init-param>
>                         <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
>                         <param-value>https://localhost:8443/cas/serviceValidate</param-value>
>                 </init-param>
>                 <init-param>
>                         <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
>                         <param-value>localhost:8080</param-value>
>                 </init-param>
>         </filter>
>         <filter-mapping>
>             <filter-name>CAS Filter</filter-name>
>             <url-pattern>/private/*</url-pattern>
>         </filter-mapping>
>
> What happens is it gets redirected to the login page. It logs in 
> successfully but it throws the following exception:
>
> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/serviceValidate] ticket=[ST-2-5qgpLLMsFNRu2d25L2eBoNCwQMmeVZJzIeq-20] service=[http%3A%2F%2Flocalhost%3A8080%2FSampleCas%2Fprivate%2Findex.jsp] renew=false]]]
>         at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
>         at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
>         at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
>         at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
>         at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
>         at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
>         at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
>         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
>         at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
>         at java.lang.Thread.run(Unknown Source)
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>         at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>         at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:36)
>         at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
>         at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
>         ... 20 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>         at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>         at sun.security.validator.Validator.validate(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
>         ... 35 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>         at java.security.cert.CertPathBuilder.build(Unknown Source)
>         ... 40 more
>
> Any reasons why?
>
> Cheers,
>
> Alex
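The fix from the reply, as an added example (not code from the thread or from the CAS project): the "PKIX path building failed" cause in the trace means the JVM running the CAS filter has no trust anchor for the certificate served at https://localhost:8443. The keytool steps below export a server certificate and import it into a truststore; the keystores, the aliases `jboss-ssl` and `cas-server`, and the passwords are constructed for the demo in a temporary directory, and `keytool` is assumed to be on PATH.

```shell
#!/bin/sh
# Added example. Everything runs on constructed keystores in a temp directory;
# the real cacerts file is never touched. Aliases and passwords are assumptions.

# Export only the public certificate (never the private key) from the server keystore.
export_server_cert() {   # args: keystore storepass alias out.pem
    keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# Import that certificate into a truststore as a trusted entry.
trust_cert() {           # args: truststore storepass alias cert.pem
    keytool -importcert -noprompt -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# Succeeds only if the truststore exists and contains an entry under the alias.
is_trusted() {           # args: truststore storepass alias
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    ks="$dir/server.keystore"; ts="$dir/truststore"; pem="$dir/server.pem"
    # Constructed stand-in for the JBoss SSL keystore. The CN matches the host
    # in validateUrl (localhost), which hostname verification also requires.
    keytool -genkeypair -keystore "$ks" -storepass changeit -keypass changeit \
        -alias jboss-ssl -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=localhost" >/dev/null 2>&1 || { rm -rf "$dir"; return 1; }
    # State before the import: this is the situation that produces the PKIX error.
    is_trusted "$ts" changeit cas-server && before=trusted || before=untrusted
    export_server_cert "$ks" changeit jboss-ssl "$pem" >/dev/null 2>&1
    trust_cert "$ts" changeit cas-server "$pem" >/dev/null 2>&1
    # State after the import: the JVM would now find a certification path.
    is_trusted "$ts" changeit cas-server && after=trusted || after=untrusted
    rm -rf "$dir"
    echo "before=$before after=$after"
}

# Run the demonstration only when asked: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then demo; fi
```

For the real fix, call the same two functions with the JBoss keystore and the cacerts file of the JVM that runs JBoss (its default password is `changeit`), then restart the server. A dedicated truststore selected with `-Djavax.net.ssl.trustStore` keeps a self-signed certificate out of the JVM-wide trust list.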