web flow problem?

Scott Battaglia scott.battaglia at gmail.com
Wed Jun 6 17:59:36 EDT 2007


Joe,

You attempted to get a ProxyGrantingTicket for the Webmail service and the
JVM that the CAS server is running in is unable to validate the certificate
of the Webmail server.

[org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler]
- javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
       at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:401)

Is it a non-commercial certificate?  If so, it will need to be added to the
CAS JVM.

-Scott


On 6/6/07, bozhe <jsalvaggio at norwoodma.gov> wrote:
>
>
> Scott,
>   Thanks for the quick reply. Here is the cas.log in debug mode from the
> actions outlined in my previous email ("web flow problem?"):
>
> I turned tomcat off, deleted cas.log, and turned tomcat back on. That gave
> me this:
>
> 2007-06-06 17:28:24,494 WARN
> [org.springframework.ldap.support.LdapContextSource] - Property 'userName'
> not set - anonymous context will be used for read-write operations
> 2007-06-06 17:28:24,501 INFO
> [org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] - No
> PasswordEncoder set.  Using default:
> org.jasig.cas.authentication.handler.PlainTextPasswordEncoder
> 2007-06-06 17:28:24,501 INFO
> [org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] - No Class
> to Support set.  Using default:
> org.jasig.cas.authentication.principal.UsernamePasswordCredentials
> 2007-06-06 17:28:24,518 INFO
> [org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler] - No
> UniqueTicketIdGenerator specified for
> org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler.  Using
> org.jasig.cas.util.DefaultUniqueTicketIdGenerator
> 2007-06-06 17:28:24,988 INFO [org.jasig.cas.web.ServiceValidateController] -
> No authentication specification class set.  Defaulting to
> org.jasig.cas.validation.Cas20ProtocolValidationSpecification
> 2007-06-06 17:28:24,988 INFO [org.jasig.cas.web.ServiceValidateController] -
> No successView specified.  Using default of casServiceSuccessView
> 2007-06-06 17:28:24,988 INFO [org.jasig.cas.web.ServiceValidateController] -
> No failureView specified.  Using default of casServiceFailureView
> 2007-06-06 17:28:24,997 INFO [org.jasig.cas.web.ServiceValidateController] -
> No successView specified.  Using default of casServiceSuccessView
> 2007-06-06 17:28:24,997 INFO [org.jasig.cas.web.ServiceValidateController] -
> No failureView specified.  Using default of casServiceFailureView
> 2007-06-06 17:28:25,035 INFO
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - FormObjectClass not
> set.  Using default class of
> org.jasig.cas.authentication.principal.UsernamePasswordCredentials with
> formObjectName credentials and validator
> org.jasig.cas.validation.UsernamePasswordCredentialsValidator.
> 2007-06-06 17:28:44,580 INFO
> [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
> Starting cleaning of expired tickets from ticket registry at [Wed Jun 06
> 17:28:44 EDT 2007]
> 2007-06-06 17:28:44,580 INFO
> [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - 0
> found to be removed.  Removing now.
> 2007-06-06 17:28:44,580 INFO
> [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
> Finished cleaning of expired tickets from ticket registry at [Wed Jun 06
> 17:28:44 EDT 2007]
>
>
> Then I logged successfully into CAS by itself (at
> https://www.norwood-ma.gov/cas):
>
> 2007-06-06 17:37:04,178 INFO
> [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
> Starting cleaning of expired tickets from ticket registry at [Wed Jun 06
> 17:37:04 EDT 2007]
> 2007-06-06 17:37:04,178 INFO
> [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - 0
> found to be removed.  Removing now.
> 2007-06-06 17:37:04,178 INFO
> [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
> Finished cleaning of expired tickets from ticket registry at [Wed Jun 06
> 17:37:04 EDT 2007]
> 2007-06-06 17:37:59,453 INFO
> [org.jasig.cas.web.flow.AutomaticCookiePathSetterAction] - Setting
> ContextPath for cookies to: /cas
> 2007-06-06 17:38:09,424 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> AuthenticationHandler:
> org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler successfully
> authenticated the user which provided the following credentials:
> jsalvaggio
>
>   Then I closed and reopened my browser and attempted to log in to
> webmail.norwood-ma.gov:
>
> 2007-06-06 17:41:56,850 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> AuthenticationHandler:
> org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler successfully
> authenticated the user which provided the following credentials:
> jsalvaggio
> 2007-06-06 17:41:56,857 INFO
> [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket
> [ST-2-IFs6D3RnhK0B2Ud92c1JifcYLfVthnARypg-20] for service
> [http://webmail.norwood-ma.gov/src/login.php] for user [jsalvaggio]
> 2007-06-06 17:41:57,352 ERROR
> [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler]
> - javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>         at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:401)
>         at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(StrictSSLProtocolSocketFactory.java:280)
>         at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(StrictSSLProtocolSocketFactory.java:223)
>         at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
>         at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1321)
>         at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
>         at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
>         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
>         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
>         at org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate(HttpBasedServiceCredentialsAuthenticationHandler.java:75)
>         at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:79)
>         at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
>         at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
>         at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
>         at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
>         at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
>         at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
>         at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
>         at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>         at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
>         at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:393)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
>         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
>         at java.lang.Thread.run(Thread.java:619)
> 2007-06-06 17:41:57,354 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> AuthenticationHandler:
> org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler
> failed to authenticate the user which provided the following credentials:
> https://webmail.norwood-ma.gov/src/login.php
> 2007-06-06 17:41:57,354 ERROR [org.jasig.cas.web.ServiceValidateController]
> - TicketException generating ticket for:
> https://webmail.norwood-ma.gov/src/login.php
> org.jasig.cas.ticket.TicketCreationException:
> error.authentication.credentials.bad
>         at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:215)
>         at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
>         at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
>         at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
>         at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
>         at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
>         at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
>         at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>         at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
>         at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:393)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
>         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
>         at java.lang.Thread.run(Thread.java:619)
> Caused by: error.authentication.credentials.bad
>         at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
>         at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:105)
>         at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
>         ... 23 more
>
>
> Thank you, Scott, or anyone else, who can help me figure this out.
>
>
> Joe Salvaggio
>
>
> Scott Battaglia-2 wrote:
> >
> > You should be able to tell in the CAS log file if the ticket was
> > authenticated successfully or not (if you can't see it, try turning the
> > logging level to DEBUG)
> >
> > Your "You are not authenticated" message is coming from squirrelmail not
> > CAS.
> >
> > -Scott
> >
> > On 6/6/07, jsalvaggio at ci.norwood.ma.us <jsalvaggio at ci.norwood.ma.us>
> > wrote:
> >>
> >> I'll replicate the problem in steps:
> >>
> >> Background: CAS Server 3.0.7
> >>             CAS Clients installed: esup-phpcas-0.5.1-1
> >>                                    Pam_cas-2.0.11-esup-2.0.4
> >>
> >> I've followed a document on cas-ifying squirrelmail. It includes a
> >> downloadable squirrelmail login.php modified with CAS.
> >> When I put the url "webmail.norwood-ma.gov" in the url and hit enter it
> >> takes me to the CAS login page with the following in the url:"
> >>
> >> https://www.norwood-ma.gov/cas/login?service=http%3A%2F%2Fwebmail.norwood-ma.gov%2Fsrc%2Flogin.php
> >> I enter my username and password (I set it up with ldap-fastbind) hit
> >> enter and it takes me to:
> >> CAS Authentication failed!
> >>
> >> You were not authenticated.
> >>
> >> You may submit your request again by clicking
> >> here<http://webmail.norwood-ma.gov/src/login.php>
> >> .
> >>
> >> If the problem persists, you may contact the administrator of this
> >> site<jsalvaggio at ci.norwood.ma.us>
> >> .
> >> ------------------------------
> >> phpCAS 0.5.1-1 using server
> >> https://www.norwood-ma.gov:443/cas/ <https://www.norwood-ma.gov/cas/> (CAS 2.0)
> >>
> >> --with a url of
> >> "http://webmail.norwood-ma.gov/src/login.php?ticket=ST-3-aBnEtPuMqqWdyat97ywctFPe7pkHXlcgW6C-20"
> >>
> >> When I then click the link on the bottom it takes me to this:
> >> Log In Successful
> >>
> >> You have successfully logged into the Central Authentication Service.
> >>
> >> -with the url of "https://www.norwood-ma.gov/cas/login?null"
> >> When I go to the CAS login page by itself
> >> (https://www.norwood-ma.gov/cas)
> >> I can log on with no problem.
> >>   Joe Salvaggio
> >> _______________________________________________
> >> Yale CAS mailing list
> >> cas at tp.its.yale.edu
> >> http://tp.its.yale.edu/mailman/listinfo/cas
> >>
> >>
> >
> >
> > --
> > -Scott Battaglia
> >
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> >
> >
> >
>
>



-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
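
An added example, not part of the original thread or of CAS itself: a Python triage script that finds, in a cas.log, the proxy callback host whose certificate the CAS JVM refused to verify, which is the certificate the reply above says must be added to the CAS JVM. The sample log is constructed (modelled on the trace in this thread, with a placeholder host, user and ticket), and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: cas.log records modelled on this thread, unwrapped.
SAMPLE_LOG = """\
2007-06-06 17:41:56,857 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-2-EXAMPLE] for service [http://webmail.example.org/src/login.php] for user [jdoe]
2007-06-06 17:41:57,352 ERROR [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:401)
2007-06-06 17:41:57,354 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: https://webmail.example.org/src/login.php
"""

RECORD_START = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+)\s+\[([^\]]+)\] - (.*)$")
HANDLER = "HttpBasedServiceCredentialsAuthenticationHandler"


def records(text):
    """Group lines into records: a timestamped line plus its continuation lines."""
    current = None
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            if current:
                yield current
            current = {"ts": m[1], "level": m[2], "logger": m[3], "msg": m[4]}
        elif current:
            current["msg"] += "\n" + line  # stack trace or wrapped text
    if current:
        yield current


def untrusted_callbacks(text):
    """Return (timestamp, host, port) for each proxy callback that CAS
    rejected right after a TLS peer-verification failure."""
    findings, tls_failure_ts = [], None
    for rec in records(text):
        if rec["logger"].endswith(HANDLER) and "SSLPeerUnverifiedException" in rec["msg"]:
            tls_failure_ts = rec["ts"]
        elif tls_failure_ts and HANDLER + " failed to authenticate" in rec["msg"]:
            url = urlsplit(rec["msg"].rsplit("credentials:", 1)[1].split()[0])
            findings.append((tls_failure_ts, url.hostname, url.port or 443))
            tls_failure_ts = None
    return findings


if __name__ == "__main__":
    for ts, host, port in untrusted_callbacks(SAMPLE_LOG):
        print(f"{ts}: CAS JVM could not verify the certificate of {host}:{port}")
```

Each host reported is an HTTPS callback endpoint whose certificate chain the JVM running CAS does not trust; a callback failure that is not preceded by the TLS error is left out.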