ACEGI, proxyValidate and PGTIOU

Scott Battaglia scott.battaglia at gmail.com
Tue Jun 19 09:40:25 EDT 2007


CAS's JVM does not trust your client application's certificate.

If you've added the certificate to CAS's JVM, that most likely means the
hostname does not match the cn.

If you haven't added the certificate, you need to do so :-)

-Scott

On 6/19/07, Bill Bailey <Bill.Bailey at northlandchurch.net> wrote:
>
> Hi,
>
> I am using CAS with ACEGI security and I have the basics working. But when
> I try to add the proxyCallbackUrl to the CasProxyTicketValidator (see
> below), it only partly works. I am able to still authenticate through CAS,
> but the resulting authentication token does not have the PGTIOU set … it is
> an empty string.
>
> I have checked the log files on the Tomcat instance hosting the CAS server
> and I find the following exceptions, which seem to relate to the proxy
> callback URL. Any idea what is wrong?
>
> 2007-06-19 09:25:58,812 ERROR [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>     at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unknown Source)
>     at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(StrictSSLProtocolSocketFactory.java:280)
>     at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(StrictSSLProtocolSocketFactory.java:223)
>     at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
>     at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1321)
>     at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
>     at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
>     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
>     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
>     at org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate(HttpBasedServiceCredentialsAuthenticationHandler.java:75)
>     at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:79)
>     at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
>     at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
>     at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
>     at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>     at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
>     at java.lang.Thread.run(Unknown Source)
>
> 2007-06-19 09:25:58,812 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandlerfailed to authenticate the user which provided the following credentials: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor>
>
> 2007-06-19 09:25:58,812 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor>
> org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
>     at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:215)
>     at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
>     at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
>     at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>     at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
>     at java.lang.Thread.run(Unknown Source)
> Caused by: error.authentication.credentials.bad
>     at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
>     at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:105)
>     at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
>     ... 22 more
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
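An added diagnostic script for the two causes Scott names (not code from this thread or from CAS): it fetches the certificate the receptor host presents, checks whether the hostname in proxyCallbackUrl matches that certificate's CN or one of its SAN dNSName entries (wildcard-aware), and checks by fingerprint whether the certificate is already in the truststore of the JVM running CAS. The truststore path and password are assumed arguments; the receptor hostname from the log above is only an example argument.

```shell
# hostname_matches HOST NAME: succeeds when certificate name NAME covers HOST.
# Case-insensitive; a leading "*." wildcard covers exactly one DNS label.
hostname_matches() {
    h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    n=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$n" in
        '*.'*)
            sfx=${n#"*"}               # "*.b.c" -> ".b.c"
            lbl=${h%"$sfx"}            # "a.b.c" -> "a"; unchanged when h lacks sfx
            [ "$lbl" != "$h" ] && [ -n "$lbl" ] && [ "${lbl#*.}" = "$lbl" ] ;;
        *)  [ "$h" = "$n" ] ;;
    esac
}

# cert_names CERT.pem: print the subject CN and every SAN dNSName, one per line.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*' | sed 's/DNS://'
}

# fetch_cert HOST PORT: write the leaf certificate HOST presents to stdout (PEM).
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# check_callback HOST PORT TRUSTSTORE STOREPASS: run both checks against the receptor
# host; TRUSTSTORE/STOREPASS are the cacerts of the JVM running CAS (assumed arguments).
check_callback() {
    host=$1; port=$2; store=$3; pass=$4; rc=0
    tmp=$(mktemp) || return 2
    fetch_cert "$host" "$port" > "$tmp" || { echo "no certificate from $host:$port"; return 2; }
    matched=1
    for name in $(cert_names "$tmp"); do
        hostname_matches "$host" "$name" && { matched=0; break; }
    done
    [ $matched -eq 0 ] || { echo "$host not covered by: $(cert_names "$tmp" | tr '\n' ' ')"; rc=1; }
    # Trust check: the same certificate (by SHA-256 fingerprint) must be in the truststore.
    fp=$(openssl x509 -in "$tmp" -noout -fingerprint -sha256 | sed 's/.*=//')
    if keytool -list -v -keystore "$store" -storepass "$pass" 2>/dev/null | grep -qi "$fp"; then
        echo "certificate present in $store"
    else
        echo "not in $store; import it with:"; rc=1
        echo "  keytool -import -trustcacerts -alias $host -file $tmp -keystore $store"
    fi
    return $rc
}
```

Run it on the CAS host as `check_callback nacdnws002l.northlandcc.net 8443 "$JAVA_HOME/lib/security/cacerts" changeit`; older JVMs keep cacerts under jre/lib/security, and the default store password "changeit" is an assumption. A hostname mismatch is reported as the name list the certificate actually carries, so the fix is either a new certificate for that name or a proxyCallbackUrl that uses the certified name.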