CAS Proxy Authentication.
Brewster, Jeffrey
brewj at vt.edu
Thu Jul 12 12:16:53 EDT 2007
Hi all,

I am attempting to set up proxy authentication using CAS. I have two
simplified servlet applications: "CasProxyDemo-FrontEnd" and
"CasProxyDemo-BackEnd". I am also using a local instance of CAS. I want
to log into CasProxyDemo-FrontEnd and have a JSP page that includes a
page from "CasProxyDemo-BackEnd". I am using a servlet in
CasProxyDemo-FrontEnd to get the proxyTicket like so:
    CASReceipt receipt = (CASReceipt) request.getSession()
            .getAttribute("edu.yale.its.tp.cas.client.filter.receipt");
    String proxyTicket = ProxyTicketReceptor.getProxyTicket(
            receipt.getPgtIou(), "https://abc.vt.edu/CasProxyDemo-BackEnd");
I then pass the value of proxyTicket to my jsp page which does the
import like:
    <c:import url="https://abc.vt.edu/CasProxyDemo-BackEnd/?ticket=ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20" />
My descriptors are:
----------------------------------------------------------------
CasProxyDemo-FrontEnd Descriptor
----------------------------------------------------------------
<filter>
<filter-name>CAS Filter</filter-name>
<filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
<param-value>https://abc.vt.edu/cas/login</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
<param-value>https://abc.vt.edu/cas/proxyValidate</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
<param-value>abc.vt.edu</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.proxyCallbackUrl</param-name>
<param-value>https://abc.vt.edu/CasProxyDemo-FrontEnd/CasProxyServlet</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
.....
<servlet>
<servlet-name>ProxyTicketReceptor</servlet-name>
<servlet-class>edu.yale.its.tp.cas.proxy.ProxyTicketReceptor</servlet-class>
<init-param>
<param-name>edu.yale.its.tp.cas.proxyUrl</param-name>
<param-value>https://abc.vt.edu/cas/proxy</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>ProxyTicketReceptor</servlet-name>
<url-pattern>/CasProxyServlet</url-pattern>
</servlet-mapping>
----------------------------------------------------------------
CasProxyDemo-BackEnd Descriptor
----------------------------------------------------------------
<filter>
<filter-name>CAS Filter</filter-name>
<filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
<param-value>https://abc.vt.edu/cas/login</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
<param-value>https://abc.vt.edu/cas/proxyValidate</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
<param-value>abc.iad.vt.edu</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.wrapRequest</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.authorizedProxy</param-name>
<param-value>https://abc.vt.edu/CasProxyDemo-FrontEnd</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
----------------------------------------------------------------
This is my log output from CasProxyDemo-FrontEnd.log
----------------------------------------------------------------
2007-07-12 11:34:05,523 [main] DEBUG
edu.yale.its.tp.cas.client.filter.CASFilter - CASFilter initialized as:
[[CASFilter: casGateway=false wrapRequest=false
casAuthorizedProxies=[[]] casLogin=[https://abc.vt.edu/cas/login]
casProxyCallbackUrl=[https://abc.vt.edu/CasProxyDemo-FrontEnd/CasProxyServlet]
casServerName=[abc.vt.edu]
casValidate=[https://abc.vt.edu/cas/proxyValidate]]
2007-07-12 11:35:16,507 [http-443-Processor25] DEBUG
edu.yale.its.tp.cas.client.filter.CASFilter - Redirecting browser to
[https://abc.vt.edu/cas/login?service=https%3A%2F%2Fabc.vt.edu%2FCasProxyDemo-FrontEnd%2Fstart)
2007-07-12 11:35:21,757 [http-443-Processor25] DEBUG
edu.yale.its.tp.cas.client.filter.CASFilter - about to validate
ProxyTicketValidator: [[edu.yale.its.tp.cas.client.ProxyTicketValidator
proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://abc.vt.edu/cas/proxyValidate]
proxyCallbackUrl=[https://abc.vt.edu/CasProxyDemo-FrontEnd/CasProxyServlet]
ticket=[ST-2-sSvi3zj7SoF1fwJniuTcyScbhMyuYBuUPaK-20]
service=[https%3A%2F%2Fabc.vt.edu%2FCasProxyDemo-FrontEnd%2Fstart]
renew=false]]]
2007-07-12 11:35:22,445 [http-443-Processor22] DEBUG
edu.yale.its.tp.cas.client.filter.CASFilter - Redirecting browser to
[https://abc.vt.edu/cas/login?service=https%3A%2F%2Fabc.vt.edu%2FCasProxyDemo-FrontEnd%2FCasProxyServlet)
2007-07-12 11:35:22,523 [http-443-Processor22] DEBUG
edu.yale.its.tp.cas.proxy.ProxyTicketReceptor - adding
pgtIou=[PGTIOU-2-t42nPMmVDtvhYobbW6ziKASIzJ3IV4t27B0],
pgt=[edu.yale.its.tp.cas.proxy.ProxyGrantingTicket
pgtId=[TGT-3-g3Pba5bNRg64HeMEnR99dyeuWHSvrjtbapa-50]
casProxyUrl=[https://abc.vt.edu/cas/proxy]] to the cache.
2007-07-12 11:35:23,117 [http-443-Processor24] ERROR
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/CasProxyDemo-FrontEnd].[jsp]
- Servlet.service() for servlet jsp threw exception
java.io.IOException: Server returned HTTP response code: 500 for URL:
https://abc.vt.edu/CasProxyDemo-BackEnd/?ticket=ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1149)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
    at org.apache.taglibs.standard.tag.common.core.ImportSupport.acquireReader(ImportSupport.java:331)
    at org.apache.taglibs.standard.tag.common.core.ImportSupport.acquireString(ImportSupport.java:241)
    at org.apache.taglibs.standard.tag.common.core.ImportSupport.doEndTag(ImportSupport.java:161)
    at org.apache.jsp.frontEnd_jsp._jspx_meth_c_005fimport_005f0(frontEnd_jsp.java:119)
    at org.apache.jsp.frontEnd_jsp._jspService(frontEnd_jsp.java:91)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:328)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:315)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:317)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
    at java.lang.Thread.run(Thread.java:595)
----------------------------------------------------------------
And here is my log output from CasProxyDemo-BackEnd.log.
----------------------------------------------------------------
2007-07-12 11:34:06,070 [main] DEBUG
edu.yale.its.tp.cas.client.filter.CASFilter - CASFilter initialized as:
[[CASFilter: casGateway=false wrapRequest=true
casAuthorizedProxies=[[https://abc.vt.edu/CasProxyDemo-FrontEnd]]
casLogin=[https://abc.vt.edu/cas/login] casServerName=[abc.vt.edu]
casValidate=[https://abc.vt.edu/cas/proxyValidate]]
2007-07-12 11:35:22,898 [http-443-Processor23] DEBUG
edu.yale.its.tp.cas.client.filter.CASFilter - about to validate
ProxyTicketValidator: [[edu.yale.its.tp.cas.client.ProxyTicketValidator
proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://abc.vt.edu/cas/proxyValidate]
ticket=[ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20]
service=[https%3A%2F%2Fabc.vt.edu%2FCasProxyDemo-BackEnd%2F]
renew=false]]]
2007-07-12 11:35:22,976 [http-443-Processor23] ERROR
edu.yale.its.tp.cas.client.CASReceipt - validation of
[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
[edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://abc.vt.edu/cas/proxyValidate]
ticket=[ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20]
service=[https%3A%2F%2Fabc.vt.edu%2FCasProxyDemo-BackEnd%2F]
errorCode=[INVALID_SERVICE] errorMessage=[ticket
'ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20' does not match supplied
service] renew=false entireResponse=[<cas:serviceResponse
xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_SERVICE'>
ticket 'ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20' does
not match supplied service
</cas:authenticationFailure>
</cas:serviceResponse>
]]]] was not successful.
2007-07-12 11:35:22,976 [http-443-Processor23] ERROR
edu.yale.its.tp.cas.client.filter.CASFilter -
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to
validate ProxyTicketValidator
[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
[edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://abc.vt.edu/cas/proxyValidate]
ticket=[ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20]
service=[https%3A%2F%2Fabc.vt.edu%2FCasProxyDemo-BackEnd%2F]
errorCode=[INVALID_SERVICE] errorMessage=[ticket
'ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20' does not match supplied
service] renew=false entireResponse=[<cas:serviceResponse
xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_SERVICE'>
ticket 'ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20' does
not match supplied service
</cas:authenticationFailure>
</cas:serviceResponse>
]]]]
2007-07-12 11:35:22,992 [http-443-Processor23] ERROR
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/CasProxyDemo-BackEnd].[jsp]
- Servlet.service() for servlet jsp threw exception
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to
validate ProxyTicketValidator
[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
[edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://abc.vt.edu/cas/proxyValidate]
ticket=[ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20]
service=[https%3A%2F%2Fabc.vt.edu%2FCasProxyDemo-BackEnd%2F]
errorCode=[INVALID_SERVICE] errorMessage=[ticket
'ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20' does not match supplied
service] renew=false entireResponse=[<cas:serviceResponse
xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_SERVICE'>
ticket 'ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20' does
not match supplied service
</cas:authenticationFailure>
</cas:serviceResponse>
]]]]
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:62)
    at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
    at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
    at java.lang.Thread.run(Thread.java:595)

Judging by the log output, I think things are working as expected up to
the point at which the CasProxyDemo-BackEnd app tries to validate the
ticket I appended to the URL. It states that the ticket is not valid for
the service - CasProxyDemo-BackEnd.

My hope is that this is just a simple config param issue. Any help would
be greatly appreciated.

Thanks in advance.

Jeff Brewster
Virginia Tech
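
Added example, not part of the original post and not CAS client code: a Python check that compares the target service string passed to getProxyTicket with the service= value the back-end filter logged when it called proxyValidate, since INVALID_SERVICE reports that the ticket was issued for a different service string than the one supplied. The function names are hypothetical, the inputs are copied from the post, and the rule that the filter's service is the requested URL minus the ticket parameter is an assumption drawn from the logged values.

```python
import re
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Inputs copied from the post (servlet code, c:import URL, back-end log record).
TARGET_SERVICE = "https://abc.vt.edu/CasProxyDemo-BackEnd"
IMPORT_URL = ("https://abc.vt.edu/CasProxyDemo-BackEnd/"
              "?ticket=ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20")
BACKEND_LOG = ("ProxyTicketValidator proxyList=[null] "
               "casValidateUrl=[https://abc.vt.edu/cas/proxyValidate] "
               "ticket=[ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20] "
               "service=[https%3A%2F%2Fabc.vt.edu%2FCasProxyDemo-BackEnd%2F] "
               "renew=false")


def validated_service(log_line):
    """URL-decoded service= value the filter sent to proxyValidate, or None."""
    m = re.search(r"\bservice=\[([^\]]*)\]", log_line)
    return unquote(m.group(1)) if m else None


def service_from_request(url):
    """Assumed filter behaviour: the requested URL with the ticket parameter removed."""
    p = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
            if k != "ticket"]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(kept), ""))


def compare(issued_for, presented):
    """The two strings must be identical; otherwise name the kind of difference."""
    if issued_for == presented:
        return "match"
    if issued_for.rstrip("/") == presented.rstrip("/"):
        return "trailing-slash mismatch"
    if urlsplit(issued_for).netloc.lower() != urlsplit(presented).netloc.lower():
        return "host mismatch"
    return "path or query mismatch"


if __name__ == "__main__":
    presented = validated_service(BACKEND_LOG)
    print("ticket requested for :", TARGET_SERVICE)
    print("filter validated with:", presented)
    print("derived from request :", service_from_request(IMPORT_URL))
    print("result               :", compare(TARGET_SERVICE, presented))
```

The host case covers a serverName such as the abc.iad.vt.edu value in the back-end descriptor differing from the host used when the ticket was requested.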