ACEGI, proxyValidate and PGTIOU

Bill Bailey Bill.Bailey at northlandchurch.net
Tue Jun 19 09:50:02 EDT 2007


Thanks, Scott.

However, I guess I am still a little confused. I have Tomcat 6.0 and
Tomcat 5.5 running on the same machine (my development machine). I ran
into some issues earlier with Tomcat finding the right keystore with my
certificates so I added keystoreFile=C:\keystore\.keystore to the
server.xml in both versions of Tomcat. So I thought both JVMs would be
using the same keystore file. This works fine for allowing me to connect
via SSL to both Tomcat instances. Is there a problem with what I am
doing from a CAS perspective? Is there another keystore beyond the ones
configured in server.xml that I need to be populating?

Bill

________________________________

From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Scott Battaglia
Sent: Tuesday, June 19, 2007 9:40 AM
To: Yale CAS mailing list
Subject: Re: ACEGI, proxyValidate and PGTIOU

CAS's JVM does not trust your client application's certificate.

If you've added the certificate to CAS's JVM, that most likely means the
hostname does not match the cn.

If you haven't added the certificate, you need to do so :-) 

-Scott

On 6/19/07, Bill Bailey <Bill.Bailey at northlandchurch.net> wrote:

Hi,

I am using CAS with ACEGI security and I have the basics working. But
when I try to add the proxyCallbackUrl to the CasProxyTicketValidator
(see below), it only partly works. I am able to still authenticate
through CAS, but the resulting authentication token does not have the
PGTIOU set ... it is an empty string.

I have checked the log files on the Tomcat instance hosting the CAS
server and I find the following exceptions which seem to relate to the
proxy callback URL. Any idea what is wrong?

2007-06-19 09:25:58,812 ERROR [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unknown Source)
    at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(StrictSSLProtocolSocketFactory.java:280)
    at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(StrictSSLProtocolSocketFactory.java:223)
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1321)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate(HttpBasedServiceCredentialsAuthenticationHandler.java:75)
    at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:79)
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
    at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
    at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
    at java.lang.Thread.run(Unknown Source)

2007-06-19 09:25:58,812 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor>

2007-06-19 09:25:58,812 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor>
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:215)
    at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
    at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
    at java.lang.Thread.run(Unknown Source)
Caused by: error.authentication.credentials.bad
    at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
    at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:105)
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
    ... 22 more


_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas




-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia 
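An added diagnostic (not code from this thread or from CAS) that reproduces the two conditions Scott describes, run from the CAS server's JVM: it opens an SSL connection to the proxy callback host using the JVM's default trust store, reports whether the peer chain is trusted, and then checks whether the URL hostname matches the certificate's SAN or CN. The callback URL is a placeholder and the class and method names are my own; it must be started with the same -Djavax.net.ssl.trustStore settings as the CAS JVM, because that outbound trust store is separate from the keystoreFile on Tomcat's SSL connector.

```java
import java.net.URL;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;

/** Diagnostic: would this JVM trust the proxy callback's certificate, and does the URL host match it? */
public class ProxyCallbackTrustCheck {
    public static void main(String[] args) throws Exception {
        // Placeholder host; pass the real proxyCallbackUrl as the first argument.
        URL callback = new URL(args.length > 0 ? args[0] : "https://client.example.invalid:8443/casProxy/receptor");
        int port = callback.getPort() == -1 ? 443 : callback.getPort();
        String host = callback.getHost().toLowerCase();
        // Check 1: chain trust. The default factory validates the peer chain against the trust
        // store this JVM runs with (-Djavax.net.ssl.trustStore, else the JRE's cacerts); the
        // keystoreFile on Tomcat's connector holds the server's own key and is not consulted here.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket sock = (SSLSocket) factory.createSocket(callback.getHost(), port)) {
            sock.startHandshake();
            X509Certificate leaf = (X509Certificate) sock.getSession().getPeerCertificates()[0];
            System.out.println("chain trusted, leaf subject: " + leaf.getSubjectX500Principal());
            // Check 2: hostname. The URL host must equal a SAN dNSName or the subject CN; a strict
            // client such as the StrictSSLProtocolSocketFactory in the trace rejects the peer otherwise.
            List<String> names = certNames(leaf);
            System.out.println(names.contains(host) ? "hostname matches " + names
                    : "HOSTNAME MISMATCH: certificate names " + names + " do not include " + host);
        } catch (SSLException e) {
            // PKIX path-building failures and "peer not authenticated" both arrive as SSLException.
            System.out.println("NOT TRUSTED by this JVM's trust store: " + e.getMessage());
        }
    }

    /** SAN dNSName entries plus the subject CN, lower-cased (simple DN split, escaping ignored). */
    static List<String> certNames(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0))) { // GeneralName type 2 = dNSName
                    names.add(((String) san.get(1)).toLowerCase());
                }
            }
        }
        for (String rdn : cert.getSubjectX500Principal().getName(X500Principal.RFC2253).split(",")) {
            if (rdn.trim().startsWith("CN=")) names.add(rdn.trim().substring(3).toLowerCase());
        }
        return names;
    }
}
```

Running it once with the CAS JVM's trust settings and once without tells apart the two outcomes in the thread: a chain-trust failure versus a trusted chain whose CN or SAN does not match the proxyCallbackUrl host.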
