ACEGI, proxyValidate and PGTIOU

Bill Bailey Bill.Bailey at northlandchurch.net
Tue Jun 19 09:37:25 EDT 2007


Hi,

Sorry for the dup, but I somehow sent the previous email before I was
finished ...

I am using CAS with ACEGI security and I have the basics working. But
when I try to add the proxyCallbackUrl to the CasProxyTicketValidator
(see below), it only partly works. I am able to still authenticate
through CAS, but the resulting authentication token does not have the
PGTIOU set ... it is an empty string.

   <bean id="casProxyTicketValidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
      <property name="casValidate">
         <value>https://nacdnws002l.northlandcc.net:8444/cas/proxyValidate</value>
      </property>
      <property name="proxyCallbackUrl">
         <value>https://nacdnws002l.northlandcc.net:8443/casProxy/receptor</value>
      </property>
      <property name="serviceProperties">
         <ref bean="serviceProperties"/>
      </property>
      <property name="trustStore">
         <value>C:\keystore\.keystore</value>
      </property>
   </bean>

I have checked the log files on the Tomcat instance hosting the CAS
server and I find the following exceptions which seem to relate to the
proxy callback URL. The first error is SSL related and the second seems
to indicate that when CAS calls back to the
SpringConfiguredProxyReceptorServlet, it is being redirected back to CAS
and something is going wrong. I thought I understood the protocol, but I
am clearly still missing something. Any suggestions as to what is wrong
here?

Bill

============== Stack Trace from CAS logs ===================

2007-06-19 09:25:58,812 ERROR [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unknown Source)
    at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(StrictSSLProtocolSocketFactory.java:280)
    at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(StrictSSLProtocolSocketFactory.java:223)
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1321)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate(HttpBasedServiceCredentialsAuthenticationHandler.java:75)
    at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:79)
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
    at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
    at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
    at java.lang.Thread.run(Unknown Source)

2007-06-19 09:25:58,812 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor>

2007-06-19 09:25:58,812 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor>
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:215)
    at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
    at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
    at java.lang.Thread.run(Unknown Source)
Caused by: error.authentication.credentials.bad
    at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
    at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:105)
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
    ... 22 more
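
The proxy callback exchange this message is about, as an added example that is not part of the original post and is not CAS or Acegi code: a simplified Python model of the CAS 2.0 rule that the validation response carries a proxyGrantingTicket (the PGTIOU) only when the server's HTTPS callback to the proxy callback URL succeeds. The names Receptor, CallbackFailed, cas_validate and run, the user "alice" and the example.org URL are constructed for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
PGT_TAG = f"{{{CAS_NS}}}proxyGrantingTicket"

class CallbackFailed(Exception):
    """Stand-in for the TLS error CAS logs when it cannot verify the callback host."""

class Receptor:
    """Client-side callback endpoint: stores the pgtIou -> pgtId mapping."""
    def __init__(self, cert_trusted_by_cas):
        self.cert_trusted_by_cas = cert_trusted_by_cas
        self.store = {}

    def handle(self, params):
        if not self.cert_trusted_by_cas:
            raise CallbackFailed("peer not authenticated")
        self.store[params["pgtIou"]] = params["pgtId"]

def cas_validate(user, pgt_url, receptor):
    """Simplified CAS validation: authenticate, then try the pgtUrl callback."""
    root = ET.Element(f"{{{CAS_NS}}}serviceResponse")
    ok = ET.SubElement(root, f"{{{CAS_NS}}}authenticationSuccess")
    ET.SubElement(ok, f"{{{CAS_NS}}}user").text = user
    if pgt_url:  # the callback is attempted only when a pgtUrl was supplied
        iou = "PGTIOU-" + secrets.token_hex(8)
        try:
            receptor.handle({"pgtIou": iou, "pgtId": "PGT-" + secrets.token_hex(8)})
            ET.SubElement(ok, PGT_TAG).text = iou  # only after a good callback
        except CallbackFailed:
            pass  # validation still succeeds, but no PGT is issued
    return ET.tostring(root, encoding="unicode")

def extract_pgt_iou(response_xml):
    """What the validating client sees: the PGTIOU, or "" if the element is absent."""
    node = ET.fromstring(response_xml).find(f".//{PGT_TAG}")
    return node.text if node is not None and node.text else ""

def run(cert_trusted_by_cas):
    """Return (authenticated user, PGTIOU, PGT retrievable from the receptor)."""
    receptor = Receptor(cert_trusted_by_cas)
    xml = cas_validate("alice", "https://app.example.org/casProxy/receptor", receptor)
    user = ET.fromstring(xml).find(f".//{{{CAS_NS}}}user").text
    iou = extract_pgt_iou(xml)
    return user, iou, receptor.store.get(iou)
```

run(True) models a callback host whose certificate the CAS server's JVM trusts; run(False) models the "peer not authenticated" case, where the user is still authenticated but the PGTIOU comes back empty.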

 
