INVALID_TICKET/ticket not recognized error for just granted ticket...

tedzo tedzo2003 at yahoo.com
Sat Jan 13 21:20:46 EST 2007 

Hello,
With the CAS filters set, I am redirected to CAS's login page and after successful login (username=password), I am redirected to my app's page with a ticket. However, If you notice the log entries below, the first line mentions that a ticket was granted (ST-2....). The next line complains that the just granted ticket is invalid and is not recognized. Further down, at the bottom, another ticket appears to be granted (ST-3....). I am not sure why a second one was granted.

My tomcat's logs-

2007-01-13 17:38:37,758 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-2-PgC9skgfRcVA9cqRbmwPcJAYQip0E0zmgES-20] for service [http://localhost:8080/DMM/login.jsp] for user [ml]>
2007-01-13 17:38:38,211 ERROR [http-8080-Processor25] client.CASReceipt:61     - validation of [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-2-PgC9skgfRcVA9cqRbmwPcJAYQip0E0zmgES-20] service=[http%3A%2F%2Flocalhost%3A8080%2FDMM%2Flogin.jsp] errorCode=[INVALID_TICKET] errorMessage=[ticket 'ST-2-PgC9skgfRcVA9cqRbmwPcJAYQip0E0zmgES-20' not recognized] renew=false entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code='INVALID_TICKET'>
        ticket 'ST-2-PgC9skgfRcVA9cqRbmwPcJAYQip0E0zmgES-20' not recognized
    </cas:authenticationFailure>
</cas:serviceResponse>
]]]] was not successful.
2007-01-13 17:38:38,242 ERROR [http-8080-Processor25] filter.CASFilter :380     - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-2-PgC9skgfRcVA9cqRbmwPcJAYQip0E0zmgES-20] service=[http%3A%2F%2Flocalhost%3A8080%2FDMM%2Flogin.jsp] errorCode=[INVALID_TICKET] errorMessage=[ticket 'ST-2-PgC9skgfRcVA9cqRbmwPcJAYQip0E0zmgES-20' not recognized] renew=false entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code='INVALID_TICKET'>
        ticket 'ST-2-PgC9skgfRcVA9cqRbmwPcJAYQip0E0zmgES-20' not recognized
    </cas:authenticationFailure>
</cas:serviceResponse>
]]]]
2007-01-13 17:38:38,258 ERROR [http-8080-Processor25] [/DMM].[jsp]     :253     - Servlet.service() for servlet jsp threw exception
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-2-PgC9skgfRcVA9cqRbmwPcJAYQip0E0zmgES-20] service=[http%3A%2F%2Flocalhost%3A8080%2FDMM%2Flogin.jsp] errorCode=[INVALID_TICKET] errorMessage=[ticket 'ST-2-PgC9skgfRcVA9cqRbmwPcJAYQip0E0zmgES-20' not recognized] renew=false entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code='INVALID_TICKET'>
        ticket 'ST-2-PgC9skgfRcVA9cqRbmwPcJAYQip0E0zmgES-20' not recognized
    </cas:authenticationFailure>
</cas:serviceResponse>
]]]]
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:62)
    at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
......

2007-01-13 17:38:38,774 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-3-CJAKM2GaTN17LOYzwGxc12YCryRPVKe37KB-20] for service [http://localhost:8080/DMM/login.jsp] for user [ml]>

I believe everything else is correctly setup. I can access https://localhost and go to Tomcat's initial page. I have exported and imported certificates using keytool. The jvm that tomcat uses knows about the certificates as does Tomcat itself.
web.xml
<filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
      <param-value>https://localhost:8443/cas/login</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
      <param-value>https://localhost:8443/cas/proxyValidate</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.serviceUrl</param-name>
      <param-value>http://localhost:8080/DMM/login.jsp</param-value>
    </init-param>
  </filter>

  <filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>*.jsp</url-pattern>
    <dispatcher>FORWARD</dispatcher> 
    <dispatcher>INCLUDE</dispatcher> 
    <dispatcher>REQUEST</dispatcher> 
  </filter-mapping>

server.xml-
        <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" keystoreFile="C:\Documents and Settings\av\.keystore"
               keystorePass="changeit" sslProtocol="TLS"/>

Any help is appreciated.

Av.

 
---------------------------------
TV dinner still cooling?
Check out "Tonight's Picks" on Yahoo! TV.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20070113/eabe8c66/attachment.html

More information about the cas mailing list