Unable to validate ProxyTicketValidator
Uday Kari
ukari at pdc.org
Fri Apr 13 21:05:40 EDT 2007
Chris: Thanks. Still same problem with localhost:8080. However,
another incremental improvement was that there are no more browser
warnings before getting to the CAS login screen (goes there directly).
Encouraged, I changed that to simply localhost (as mentioned in the IBM
paper to which there is a link in this thread).
Specifically, changed as below:
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
<param-value>localhost</param-value>
</init-param>
That seems to get rid of the "Unable to validate ProxyTicketValidator"
error (!). However, I still get a page not found error. Nothing weird
in logs, though. (Ugh!)
stdout_20070413.log:
2007-04-13 13:45:21,882 INFO [org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler] - <No PasswordEncoder set. Using default: org.jasig.cas.authentication.handler.PlainTextPasswordEncoder>
2007-04-13 13:45:21,882 INFO [org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler] - <No Class to Support set. Using default: org.jasig.cas.authentication.principal.UsernamePasswordCredentials>
2007-04-13 13:45:21,882 WARN [org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler] - <org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler is only to be used in a testing environment. NEVER enable this in a production environment.>
2007-04-13 13:45:21,913 INFO [org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler] - <No UniqueTicketIdGenerator specified for org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler. Using org.jasig.cas.util.DefaultUniqueTicketIdGenerator>
2007-04-13 13:45:22,632 INFO [org.jasig.cas.web.ServiceValidateController] - <No successView specified. Using default of casServiceSuccessView>
2007-04-13 13:45:22,632 INFO [org.jasig.cas.web.ServiceValidateController] - <No failureView specified. Using default of casServiceFailureView>
2007-04-13 13:45:22,647 INFO [org.jasig.cas.web.ServiceValidateController] - <No authentication specification class set. Defaulting to org.jasig.cas.validation.Cas20ProtocolValidationSpecification>
2007-04-13 13:45:22,647 INFO [org.jasig.cas.web.ServiceValidateController] - <No successView specified. Using default of casServiceSuccessView>
2007-04-13 13:45:22,647 INFO [org.jasig.cas.web.ServiceValidateController] - <No failureView specified. Using default of casServiceFailureView>
2007-04-13 13:45:22,710 INFO [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <FormObjectClass not set. Using default class of org.jasig.cas.authentication.principal.UsernamePasswordCredentials with formObjectName credentials and validator org.jasig.cas.validation.UsernamePasswordCredentialsValidator.>
2007-04-13 13:45:31,836 INFO [org.jasig.cas.web.flow.AutomaticCookiePathSetterAction] - <Setting ContextPath for cookies to: /cas>
2007-04-13 13:45:39,852 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: yahoo>
2007-04-13 13:45:39,867 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-2-zunToh0BFVzcgPYdyMvPs3grvPart9CaJNV-20] for service [http://localhost/app1/index.jsp] for user [yahoo]>
This suggests I should try to jk-mount the app1 context to either IIS or apache at localhost...but doing that generates the ProxyTicketValidator error again!
2007-04-13 13:45:41,977 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Starting cleaning of expired tickets from ticket registry at [Fri Apr 13 13:45:41 HST 2007]>
2007-04-13 13:45:41,977 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <0 found to be removed. Removing now.>
2007-04-13 13:45:41,977 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Finished cleaning of expired tickets from ticket registry at [Fri Apr 13 13:45:41 HST 2007]>
Although I am encouraged by this, I was reminded why I had changed the
original param-value to localhost:8443 anyway. It is because in the
browser URL (to which I am redirected after the apparently successful
login) is the following:
* https://localhost:8443/cas/login?service=http%3A%2F%2Flocalhost%2Fapp1%2Findex.jsp (notice no 8080 port in the service=yadayada)
That seems to indicate that I probably need to stand up an apache at
localhost (thereby jkmounting app1)...since I know that port 8080 or
8443 will not work. Seems like a round-about way to get there. However,
doing that generates the same "Unable to validate ProxyTicketValidator"
all over again. Relevant log entries are below.
catalina.2007-04-13.log
Apr 13, 2007 2:43:15 PM edu.yale.its.tp.cas.client.CASReceipt getReceipt
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-2-j5ZabIPFTUbYIA3dkk0ryEo1ao6nRWbiTFa-20] service=[http%3A%2F%2Flocalhost%2Fapp1%2F] renew=false]]]
Apr 13, 2007 2:43:15 PM edu.yale.its.tp.cas.client.filter.CASFilter doFilter
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-2-j5ZabIPFTUbYIA3dkk0ryEo1ao6nRWbiTFa-20] service=[http%3A%2F%2Flocalhost%2Fapp1%2F] renew=false]]]
stdout_20070413.log:
(beyond the above)
...
2007-04-13 14:42:36,030 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Finished cleaning of expired tickets from ticket registry at [Fri Apr 13 14:42:36 HST 2007]>
2007-04-13 14:43:00,688 INFO [org.jasig.cas.web.flow.AutomaticCookiePathSetterAction] - <Setting ContextPath for cookies to: /cas>
2007-04-13 14:43:55,834 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: uday>
2007-04-13 14:43:55,850 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-3-Ncqgdx903u92kT4GCzjp1l3n1bkRTOTdz4G-20] for service [http://localhost/app1/] for user [uday]>
So right now I have a catch-22: The ProxyTicketValidator error goes
away if I use just localhost, but it does not get me back to the
application after successful login (as reflected in logs). I get a page
not found error and the redirect seems to be looking for
http://localhost/app1/. And if I try to "compensate" and provide an
apache redirect to it (jkmount app1) it crashes again with the sickening
ProxyTicketValidator error.
Uday Kari
Pacific Disaster Center
(808) 891-7942
________________________________
From: Chris Roffler [mailto:croffler at earthlink.net]
Sent: Friday, April 13, 2007 11:45 AM
To: Uday Kari
Subject: RE: Unable to validate ProxyTicketValidator
Just noticed:
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
<param-value>localhost:8443</param-value>
</init-param>
Are you sure that is the correct setup? That should be localhost:8080?!
In the server.xml file: where is keystorePass, was it the default
password you used?
----- Original Message -----
From: Uday Kari <mailto:ukari at pdc.org>
To: croffler at earthlink.net; Yale CAS mailing list <mailto:cas at tp.its.yale.edu>
Sent: 4/13/2007 11:23:04 PM
Subject: RE: Unable to validate ProxyTicketValidator
Chris:
No can do, sorry (same error...). Also, using localhost is
apparently fine (for demo, not for prod) according to the following
reference (which claims success):
* http://www-128.ibm.com/developerworks/web/library/wa-singlesign/
I am suspecting there is some tomcat server configuration that I
am missing, or maybe it is in the way I am using CASFilter (again, so far just
following instructions). The only change I made to tomcat is
un-commenting the SSL directive and adding the entries for keystoreFile
and truststoreFile as below:
Server.xml:
<Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="C:/Documents and Settings/ukari/.keystore"
    truststoreFile="C:/jdk1.5.0_06/jre/lib/security/cacerts" />
web.xml looks like this:
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<filter>
<filter-name>CAS Filter</filter-name>
<filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
<param-value>https://localhost:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
<param-value>https://localhost:8443/cas/proxyValidate</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
<param-value>localhost:8443</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
My "hello-world" jsp is simply the following:
<%@page language="java" import="org.apache.commons.lang.StringUtils" %>
<HTML>
<BODY>
<%
    // CASFilter sets the remote user once the service ticket validates;
    // an empty value means the filter did not populate it
    String remoteUser = StringUtils.trimToEmpty(request.getRemoteUser());
    if (remoteUser.length() == 0)
    {
        remoteUser = "??? (remoteUser not found in request)";
    }
    out.print("Hello " + remoteUser + " from Application 1");
%>
</BODY>
</HTML>
________________________________
From: cas-bounces at tp.its.yale.edu
[mailto:cas-bounces at tp.its.yale.edu] On Behalf Of Chris Roffler
Sent: Friday, April 13, 2007 10:04 AM
To: Yale CAS mailing list
Subject: RE: Unable to validate ProxyTicketValidator
You need to create the certificate with a real DNS name, you
can't use localhost!
----- Original Message -----
From: Uday Kari <mailto:ukari at pdc.org>
To: cas at tp.its.yale.edu
Sent: 4/13/2007 9:52:37 PM
Subject: Unable to validate ProxyTicketValidator
Thanks, Andrew. As recommended, I moved this thread from the
dev list to here.
Basically, I am struggling to get the CAS demo going here
using just plain old tomcat 5.5.20 and jdk1.5.0_06, and getting the same
error, Unable to validate ProxyTicketValidator. Please let me know if I
can provide additional information.
I did seem to make an incremental improvement though.
The Microsoft Internet Explorer (Version 7.0.5730.11) browser still
complains as before, but I no longer get the message "The security
certificate presented by this website was issued for a different
website's address." This seems to have been eliminated by following Andrew's
note below (paraphrasing/translating), whereby he seems to be saying
that I should create the certificate with the name localhost
(right?).
Specifically, when executing the following command:
C:\jdk1.5.0_06\bin>keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
Enter keystore password: changeit
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: is
What is the name of your organization?
[Unknown]: pdc
What is the name of your City or Locality?
[Unknown]: kihei
What is the name of your State or Province?
[Unknown]: hi
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=localhost:8443, OU=is, O=pdc, L=kihei, ST=hi, C=US correct?
[no]: yes
Of course, I import this into the JVM cacerts file as
recommended/required in various threads, since CAS uses the JVM cacerts
file, which needs to have the same entry as the tomcat keystore. For
completeness, here is how I imported the above certificate into cacerts:
C:\jdk1.5.0_06\bin>keytool -delete -alias tomcat -keypass changeit -keystore ..\jre\lib\security\cacerts
Enter keystore password: changeit
C:\jdk1.5.0_06\bin>keytool -export -alias tomcat -keypass changeit -file server.crt
Enter keystore password: changeit
Certificate stored in file <server.crt>
C:\jdk1.5.0_06\bin>keytool -import -file server.crt -alias tomcat -keypass changeit -keystore ..\jre\lib\security\cacerts
Enter keystore password: changeit
Owner: CN=localhost, OU=IS, O=PDC, L=Kihei, ST=HI, C=US
Issuer: CN=localhost, OU=IS, O=PDC, L=Kihei, ST=HI, C=US
Serial number: 461fd754
Valid from: Fri Apr 13 09:17:40 HST 2007 until: Thu Jul 12 09:17:40 HST 2007
Certificate fingerprints:
MD5: C4:F8:5F:7B:90:1B:32:2E:1B:96:10:01:49:3C:40:A3
SHA1: F1:2B:1F:0F:4D:DE:61:EE:C8:36:37:D9:20:8C:A8:41:EE:03:F1:A9
Trust this certificate? [no]: yes
Certificate was added to keystore
My server.xml file entry for SSL is as follows:
<Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="C:/Documents and Settings/ukari/.keystore" />
Again, the workflow to get the error is identical to my
message below, except for the minor browser-level improvement noted above
by naming the certificate "localhost".
________________________________
From: cas-dev-bounces at tp.its.yale.edu
[mailto:cas-dev-bounces at tp.its.yale.edu] On Behalf Of Andrew Petro
Sent: Thursday, April 12, 2007 5:56 PM
To: Mailing list for CAS developers
Subject: Re: [cas-dev] Unable to validate ProxyTicketValidator
> with the familiar warning about the SSL certificate being named differently than localhost
>
> casValidateUrl=[https://localhost:8443/cas/proxyValidate]
Here's my hypothesis:
The CAS server SSL cert does not authenticate
"localhost", but the CASFilter is configured to validate the ticket
against a CAS addressed as "localhost". Since the cert doesn't match,
the client JVM does not see an SSL cert it likes for authenticating the
callback. Since the client JVM didn't see a cert it liked on the
callback, the callback fails. Since the callback failed, the CASFilter
(via the ProxyTicketValidator) is unable to validate the service ticket.
Yielding the error you're seeing!
This thread doesn't seem to be about developing CAS
server or the CAS client libraries. It should probably be moved to the
cas@ email list.
Andrew
http://support.unicon.net/
Uday Kari wrote:
Followed the instruction in the following thread and
verified that the SSL certification is in JVM cacerts file as required:
http://www.mail-archive.com/cas-dev@tp.its.yale.edu/msg00090.html
However, I am still getting the Unable to validate
ProxyTicketValidator error when I finish logging in...
Specifically:
* The request https://localhost:8443/ works fine
with the familiar warning about the SSL certificate being named
differently than localhost. (so server is up).
* https://localhost:8443/app1 leads to the
application after the above warning, but immediately redirects to CAS as
expected.
* I log in with the "equal" credentials such as
yahoo/yahoo and google/google.
* Apparently the ticket generates just fine.
* Then on the way back to render the protected
(but very simple) jsp within the app1 context, I get an HTTP 500 error
with the following stack trace on the screen:
exception
javax.servlet.ServletException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-6-cDriGKlSaCFOeNf3DWqLyILhIDaWlpW2JG7-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:381)
root cause
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-6-cDriGKlSaCFOeNf3DWqLyILhIDaWlpW2JG7-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
Specifically, here are the excerpts from my
Catalina.2007-04-12.log for the last two login attempts (user/password =
yahoo, google)
Apr 12, 2007 3:56:13 PM edu.yale.its.tp.cas.client.CASReceipt getReceipt
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-4-P3kihjtft7UGHzY4PynoJkuyBLp7bfLBjD1-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
Apr 12, 2007 3:56:13 PM edu.yale.its.tp.cas.client.filter.CASFilter doFilter
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-4-P3kihjtft7UGHzY4PynoJkuyBLp7bfLBjD1-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
Apr 12, 2007 3:57:53 PM edu.yale.its.tp.cas.client.CASReceipt getReceipt
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-5-prfNAfpSop6mcxseBbbEnBVnk7c7S0xwRIt-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
Apr 12, 2007 3:57:53 PM edu.yale.its.tp.cas.client.filter.CASFilter doFilter
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-5-prfNAfpSop6mcxseBbbEnBVnk7c7S0xwRIt-20] service=[https%3A%2F%2Flocalhost%3A8443%2Fapp1%2F] renew=false]]]
And, the following from my stdout_20070412.log:
2007-04-12 15:56:13,099 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: yahoo>
2007-04-12 15:56:13,099 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-4-P3kihjtft7UGHzY4PynoJkuyBLp7bfLBjD1-20] for service [https://localhost:8443/app1/] for user [yahoo]>
2007-04-12 15:57:53,404 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: google>
2007-04-12 15:57:53,404 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-5-prfNAfpSop6mcxseBbbEnBVnk7c7S0xwRIt-20] for service [https://localhost:8443/app1/] for user [google]>
________________________________
_______________________________________________
cas-dev mailing list
cas-dev at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas-dev
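A check that follows from Andrew's hypothesis in this thread, added here as an example and not code from the thread, from the Yale CAS client or from the CAS server: it loads the JVM truststore (the cacerts file the certificate was imported into) and reports whether any trusted, unexpired certificate in it is named for the host in the CASFilter validateUrl. That host name is what the client JVM's SSL hostname verification compares against the certificate when the filter calls back to proxyValidate, so a missing or mis-named entry produces exactly the failed callback described above. The class name CasTrustCheck, the helper names, and the use of "changeit" as the truststore password (the JDK default, and the value shown in the keytool transcript) are assumptions; the default validateUrl and cacerts path are the values from the thread.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Offline check: does the JVM truststore hold a trusted cert named for the CAS host? (hypothetical helper) */
public class CasTrustCheck {

    /** Host part of the CASFilter validateUrl, e.g. "localhost" for https://localhost:8443/cas/proxyValidate. */
    static String casHost(String validateUrl) throws Exception {
        return new URL(validateUrl).getHost().toLowerCase();
    }

    /** Names a certificate claims: subjectAltName dNSName entries plus the subject CN. */
    static List<String> certNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<String>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)).intValue() == 2) { // GeneralName type 2 = dNSName
                    names.add(((String) san.get(1)).toLowerCase());
                }
            }
        }
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                names.add(rdn.getValue().toString().toLowerCase());
            }
        }
        return names;
    }

    /** Alias of a trusted, unexpired certificate named for host, or null when the truststore has none. */
    static String findMatchingAlias(String truststorePath, char[] password, String host) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // JKS for a JDK 5 cacerts file
        FileInputStream in = new FileInputStream(truststorePath);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        Date now = new Date();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isCertificateEntry(alias)) {
                continue; // only trusted-certificate entries act as trust anchors
            }
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x = (X509Certificate) c;
            for (String name : certNames(x)) {
                if (name.equals(host)) {
                    if (x.getNotAfter().before(now)) {
                        System.out.println("alias " + alias + " is named " + host
                            + " but expired on " + x.getNotAfter());
                        continue;
                    }
                    return alias;
                }
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the validateUrl and cacerts path from the thread; "changeit" is the JDK default password.
        String validateUrl = args.length > 0 ? args[0] : "https://localhost:8443/cas/proxyValidate";
        String truststore = args.length > 1 ? args[1] : "C:/jdk1.5.0_06/jre/lib/security/cacerts";
        String host = casHost(validateUrl);
        String alias = findMatchingAlias(truststore, "changeit".toCharArray(), host);
        if (alias == null) {
            System.out.println("No trusted, current certificate in " + truststore + " is named " + host
                + ": the client JVM will reject the SSL callback to " + validateUrl);
        } else {
            System.out.println("Alias '" + alias + "' in " + truststore + " is named " + host
                + " and is current; the callback host name and trust anchor line up.");
        }
    }
}
```

Run it with the validateUrl and truststore path as arguments, using the same JDK that runs the Tomcat hosting CASFilter, since that is the cacerts file the callback consults. A subject such as CN=localhost:8443, which keytool echoed back in the first transcript, is reported as no match because hostname verification compares the bare host name, never host:port; that is the kind of mismatch the hypothesis describes. A match only shows that the name and trust-anchor side is in order; it does not exercise the network callback itself, so a persisting error after a clean result points at something other than certificate trust.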