Unable to validate ProxyTicketValidator

Uday Kari ukari at pdc.org
Fri Apr 13 17:23:16 EDT 2007


Chris:

No can do, sorry (same error...).  Also using localhost is apparently
fine (for demo, not for prod) according to the following reference
(which claims success):

*	http://www-128.ibm.com/developerworks/web/library/wa-singlesign/

I am suspecting there is some tomcat server configuration that I am
missing, or maybe in the way I am using CASFilter (again so far just
following instructions).  The only change I made to tomcat is
un-commenting the SSL directive and adding the entries for keystoreFile
and truststoreFile as below:

Server.xml:

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="C:/Documents and Settings/ukari/.keystore"
               truststoreFile="C:/jdk1.5.0_06/jre/lib/security/cacerts" />

web.xml looks like this:

<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
      <param-value>https://localhost:8443/cas/login</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
      <param-value>https://localhost:8443/cas/proxyValidate</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
      <param-value>localhost:8443</param-value>
    </init-param>
  </filter>

  <filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

</web-app>

My "hello-world" jsp is simply the following:

<%@page language="java" import="org.apache.commons.lang.StringUtils" %>
<HTML>
<BODY>
<%
  String remoteUser = StringUtils.trimToEmpty(request.getRemoteUser());
  if (remoteUser.length() == 0)
  {
    remoteUser = "??? (remoteUser not found in request)";
  }
  out.print("Hello " + remoteUser + " from Application 1");
%>
</BODY>
</HTML>

________________________________

From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Chris Roffler
Sent: Friday, April 13, 2007 10:04 AM
To: Yale CAS mailing list
Subject: RE: Unable to validate ProxyTicketValidator

You need to create the certificate with a real DNS name; you can't use
localhost!

	----- Original Message -----
	From: Uday Kari <mailto:ukari at pdc.org>
	To: cas at tp.its.yale.edu
	Sent: 4/13/2007 9:52:37 PM
	Subject: Unable to validate ProxyTicketValidator

	Thanks, Andrew.  As recommended, moved this thread from dev list
	to here.

	Basically, struggling to get the CAS demo going here using just
	plain old tomcat 5.5.20 and jdk1.5.0_06, getting the same error "Unable to
	validate ProxyTicketValidator".  Please let me know if I can provide
	additional information.

	I did seem to make an incremental improvement though.  The
	Microsoft Internet Explorer (Version 7.0.5730.11) browser still
	complains as before but I no longer get the message "The security
	certificate presented by this website was issued for a different
	website's address."  This seems to have been eliminated by following
	Andrew's note below (paraphrasing/translating) whereby he seems to be
	saying that I should create the certificate with the name localhost
	(right?).

	Specifically, when executing the following command

	C:\jdk1.5.0_06\bin>keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
	Enter keystore password:  changeit
	What is your first and last name?
	  [Unknown]:  localhost
	What is the name of your organizational unit?
	  [Unknown]:  is
	What is the name of your organization?
	  [Unknown]:  pdc
	What is the name of your City or Locality?
	  [Unknown]:  kihei
	What is the name of your State or Province?
	  [Unknown]:  hi
	What is the two-letter country code for this unit?
	  [Unknown]:  US
	Is CN=localhost:8443, OU=is, O=pdc, L=kihei, ST=hi, C=US correct?
	  [no]:  yes

	Of course, I import this into the JVM cacerts file as
	recommended/required in various threads since CAS uses the JVM cacerts
	file which needs to have the same entry as the tomcat keystore.  For
	completeness, here is how I imported the above certificate into cacerts:

	C:\jdk1.5.0_06\bin>keytool -delete -alias tomcat -keypass changeit -keystore ..\jre\lib\security\cacerts
	Enter keystore password:  changeit

	C:\jdk1.5.0_06\bin>keytool -export -alias tomcat -keypass changeit -file server.crt
	Enter keystore password:  changeit
	Certificate stored in file <server.crt>

	C:\jdk1.5.0_06\bin>keytool -import -file server.crt -alias tomcat -keypass changeit -keystore ..\jre\lib\security\cacerts
	Enter keystore password:  changeit
	Owner: CN=localhost, OU=IS, O=PDC, L=Kihei, ST=HI, C=US
	Issuer: CN=localhost, OU=IS, O=PDC, L=Kihei, ST=HI, C=US
	Serial number: 461fd754
	Valid from: Fri Apr 13 09:17:40 HST 2007 until: Thu Jul 12 09:17:40 HST 2007
	Certificate fingerprints:
	         MD5:  C4:F8:5F:7B:90:1B:32:2E:1B:96:10:01:49:3C:40:A3
	         SHA1: F1:2B:1F:0F:4D:DE:61:EE:C8:36:37:D9:20:8C:A8:41:EE:03:F1:A9
	Trust this certificate? [no]:  yes
	Certificate was added to keystore

	My server.xml file entry for SSL is as follows:

	    <Connector port="8443" maxHttpHeaderSize="8192"
	               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
	               enableLookups="false" disableUploadTimeout="true"
	               acceptCount="100" scheme="https" secure="true"
	               clientAuth="false" sslProtocol="TLS"
	               keystoreFile="C:/Documents and Settings/ukari/.keystore" />

	Again the workflow to get the error is identical to my message
	below except for the minor browser-level improvement noted above by
	naming the certificate "localhost".

	________________________________

	From: cas-dev-bounces at tp.its.yale.edu
	[mailto:cas-dev-bounces at tp.its.yale.edu] On Behalf Of Andrew Petro
	Sent: Thursday, April 12, 2007 5:56 PM
	To: Mailing list for CAS developers
	Subject: Re: [cas-dev] Unable to validate ProxyTicketValidator

	> with the familiar warning about the SSL certificate being
	> named differently than localhost

	> casValidateUrl=[https://localhost:8443/cas/proxyValidate]

	Here's my hypothesis:

	The CAS server SSL cert does not authenticate "localhost", but
	the CASFilter is configured to validate the ticket against a CAS
	addressed as "localhost".  Since the cert doesn't match, the client JVM
	does not see an SSL cert it likes for authenticating the callback.
	Since the client JVM didn't see a cert it liked on the callback, the
	callback fails.  Since the callback failed, the CASFilter (via the
	ProxyTicketValidator) is unable to validate the service ticket.
	Yielding the error you're seeing.

	This thread doesn't seem to be about developing CAS server or
	the CAS client libraries.  It should probably be moved to the cas@ email
	list.

	Andrew
	http://support.unicon.net/

	Uday Kari wrote:

	Followed the instruction in the following thread and verified
	that the SSL certificate is in the JVM cacerts file as required:

	http://www.mail-archive.com/cas-dev@tp.its.yale.edu/msg00090.html

	However, I am still getting the Unable to validate
	ProxyTicketValidator error when I finish logging in...

	Specifically:

	*	The request https://localhost:8443/ works fine with the
	familiar warning about the SSL certificate being named differently than
	localhost.  (so server is up).

	*	https://localhost:8443/app1 leads to the application
	after the above warning, but immediately redirects to CAS as expected.

	*	I log in with the "equal" credentials such as yahoo/yahoo
	and google/google.

	*	Apparently the ticket generates just fine.

	*	Then on the way back to render the protected (but very
	simple) jsp within the app1 context, I get an HTTP 500 error with the
	following stack trace on the screen:

	exception
	javax.servlet.ServletException: Unable to validate ProxyTicketValidator
	[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
	[edu.yale.its.tp.cas.client.ServiceTicketValidator
	casValidateUrl=[https://localhost:8443/cas/proxyValidate]
	ticket=[ST-6-cDriGKlSaCFOeNf3DWqLyILhIDaWlpW2JG7-20]
	service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
		edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:381)

	root cause
	edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate
	ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator
	proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
	casValidateUrl=[https://localhost:8443/cas/proxyValidate]
	ticket=[ST-6-cDriGKlSaCFOeNf3DWqLyILhIDaWlpW2JG7-20]
	service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
		edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
		edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
		edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)

	Specifically, here are the excerpts from my
	Catalina.2007-04-12.log for the last two login attempts (user/password =
	yahoo, google):

	Apr 12, 2007 3:56:13 PM edu.yale.its.tp.cas.client.CASReceipt getReceipt
	SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to
	validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator
	proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
	casValidateUrl=[https://localhost:8443/cas/proxyValidate]
	ticket=[ST-4-P3kihjtft7UGHzY4PynoJkuyBLp7bfLBjD1-20]
	service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
	Apr 12, 2007 3:56:13 PM edu.yale.its.tp.cas.client.filter.CASFilter doFilter
	SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to
	validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator
	proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
	casValidateUrl=[https://localhost:8443/cas/proxyValidate]
	ticket=[ST-4-P3kihjtft7UGHzY4PynoJkuyBLp7bfLBjD1-20]
	service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
	Apr 12, 2007 3:57:53 PM edu.yale.its.tp.cas.client.CASReceipt getReceipt
	SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to
	validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator
	proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
	casValidateUrl=[https://localhost:8443/cas/proxyValidate]
	ticket=[ST-5-prfNAfpSop6mcxseBbbEnBVnk7c7S0xwRIt-20]
	service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
	Apr 12, 2007 3:57:53 PM edu.yale.its.tp.cas.client.filter.CASFilter doFilter
	SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to
	validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator
	proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
	casValidateUrl=[https://localhost:8443/cas/proxyValidate]
	ticket=[ST-5-prfNAfpSop6mcxseBbbEnBVnk7c7S0xwRIt-20]
	service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]

	And, the following from my stdout_20070412.log:

	2007-04-12 15:56:13,099 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] -
	<AuthenticationHandler:
	org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler
	successfully authenticated the user which provided the following credentials: yahoo>
	2007-04-12 15:56:13,099 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] -
	<Granted service ticket [ST-4-P3kihjtft7UGHzY4PynoJkuyBLp7bfLBjD1-20] for service
	[https://localhost:8443/app1/] for user [yahoo]>
	2007-04-12 15:57:53,404 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] -
	<AuthenticationHandler:
	org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler
	successfully authenticated the user which provided the following credentials: google>
	2007-04-12 15:57:53,404 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] -
	<Granted service ticket [ST-5-prfNAfpSop6mcxseBbbEnBVnk7c7S0xwRIt-20] for service
	[https://localhost:8443/app1/] for user [google]>

	________________________________

	_______________________________________________
	cas-dev mailing list
	cas-dev at tp.its.yale.edu
	http://tp.its.yale.edu/mailman/listinfo/cas-dev
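Added diagnostic, not part of this thread or of the Yale CAS client: a stand-alone Java program that makes the same HTTPS callback to proxyValidate that CASFilter's ServiceTicketValidator makes, so the SSL failure the client reports only as "Unable to validate ProxyTicketValidator" surfaces with its real cause. It first dumps the certificate the CAS server actually presents and compares its CN with the host in validateUrl (Andrew's hypothesis above), then repeats the request with the JVM's default trust store and hostname verifier. The class name, the argument handling and the placeholder ticket are assumptions; the default URLs are the ones from the web.xml in this thread.

```java
// CasValidateProbe.java -- added diagnostic; not part of the Yale CAS client or this thread.
import java.io.IOException;
import java.net.URL;
import java.net.URLEncoder;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class CasValidateProbe {

    /**
     * Phase 1: fetch whatever certificate the CAS server presents, without making a
     * trust decision. The accept-anything TrustManager exists only so this probe can
     * show an untrusted cert instead of failing; never use it in an application.
     */
    static X509Certificate presentedLeafCert(String host, int port) throws Exception {
        TrustManager[] acceptAnything = new TrustManager[] { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAnything, null);
        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            sock.startHandshake();
            return (X509Certificate) sock.getSession().getPeerCertificates()[0];
        } finally {
            sock.close();
        }
    }

    /** CN from an RFC 2253 subject such as "CN=localhost,OU=IS,O=PDC" (naive split; fine for keytool-made certs). */
    static String commonName(X509Certificate cert) {
        for (String rdn : cert.getSubjectX500Principal().getName().split(",")) {
            if (rdn.trim().startsWith("CN=")) {
                return rdn.trim().substring(3);
            }
        }
        return "";
    }

    /**
     * Phase 2: the same callback the CASFilter's ServiceTicketValidator makes:
     * HTTPS GET to validateUrl with service and ticket, using the default JVM
     * trust store (cacerts) and the default hostname verifier.
     */
    static int callbackStatus(String validateUrl, String service, String ticket) throws IOException {
        URL url = new URL(validateUrl
                + "?service=" + URLEncoder.encode(service, "UTF-8")
                + "&ticket=" + URLEncoder.encode(ticket, "UTF-8"));
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        try {
            conn.connect();                 // TLS handshake and hostname check happen here
            return conn.getResponseCode();  // reached only if the JVM accepted the cert
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Defaults mirror the init-params in the web.xml above (assumption: same host/port).
        // The ticket is a placeholder: a bad ticket yields a CAS failure response, not an SSL error.
        String validateUrl = args.length > 0 ? args[0] : "https://localhost:8443/cas/proxyValidate";
        String service     = args.length > 1 ? args[1] : "https://localhost:8443/app1/";
        String ticket      = args.length > 2 ? args[2] : "ST-0-placeholder";

        URL u = new URL(validateUrl);
        int port = u.getPort() == -1 ? 443 : u.getPort();

        X509Certificate leaf = presentedLeafCert(u.getHost(), port);
        String cn = commonName(leaf);
        System.out.println("Server presents : " + leaf.getSubjectX500Principal());
        System.out.println("Issued by       : " + leaf.getIssuerX500Principal());
        System.out.println("Filter host     : " + u.getHost());
        if (!cn.equalsIgnoreCase(u.getHost())) {
            System.out.println("MISMATCH: cert CN '" + cn + "' != validateUrl host '" + u.getHost()
                    + "' -> the JVM hostname verifier will reject the callback");
        }
        System.out.println("Trust store     : " + System.getProperty("javax.net.ssl.trustStore",
                "<default: jre/lib/security/cacerts>"));

        try {
            int status = callbackStatus(validateUrl, service, ticket);
            System.out.println("Callback OK, HTTP " + status
                    + " -> TLS is fine; look at the CAS XML response instead");
        } catch (IOException e) {
            // The Yale client reports only "Unable to validate ProxyTicketValidator";
            // the exception chain here is the real reason (PKIX path building failed,
            // "HTTPS hostname wrong", connection refused, ...).
            System.out.println("Callback FAILED: " + e);
            for (Throwable t = e.getCause(); t != null; t = t.getCause()) {
                System.out.println("  caused by: " + t);
            }
        }
    }
}
```

Run it with the same JDK that runs Tomcat (javac CasValidateProbe.java && java CasValidateProbe) so that the same cacerts file is consulted. A "PKIX path building failed" cause means the server cert is not in the trust store the JVM actually loads; an "HTTPS hostname wrong" cause means the CN and the validateUrl host differ. The CN comparison is only the JDK 1.5-era rule: newer JDKs check subjectAltName first and ignore the CN when a SAN is present, so on Java 7 and later generate the server key with keytool's -ext SAN=dns:<host> as well.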
	  
