ACEGI, proxyValidate and PGTIOU

Scott Battaglia scott.battaglia at gmail.com
Tue Jun 19 12:55:23 EDT 2007


Bill,

You're going to want to unprotect that page.  Acegi should not be forcing it
to redirect.

-Scott

On 6/19/07, Bill Bailey <Bill.Bailey at northlandchurch.net> wrote:
>
>  I have now exported both certificates from the two keystores … tomcat.crt from C:\keystore\.keystore … and
> jvm.crt from C:\Program Files\Java\jdk1.6.0_01\jre\lib\security\cacerts …
> and I've compared them and they are identical. And I have tried connecting
> to https://nacdnws002l.northlandcc.net:8443/casProxy/receptor using a
> browser and although it redirects me to CAS to log in first, once I log in
> it forwards me to the URL with no complaint from the browser … and when I
> view the certificate the browser received from Tomcat, it look like I would
> expect (i.e. CN=nacdnws002l.northlandcc.net, same org, org unit, dates of
> expiration, etc.). Unless I'm completely not understanding how SSL works
> (which looks more and more like a possibility to me), I can't see any reason
> I should be getting an error.
>
>
>
> I have no idea what to try next. I'm hoping someone else has some other
> ideas to troubleshoot this further. Even if you don't see anything I'm doing
> wrong, I would be interested in hearing that. Because I am starting to doubt
> my own sanity. :-)
>
>
>
> Bill Bailey
>
>
>
>
>  ------------------------------
>
> From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] On Behalf Of Bill Bailey
> Sent: Tuesday, June 19, 2007 11:20 AM
> To: Yale CAS mailing list
> Subject: RE: ACEGI, proxyValidate and PGTIOU
>
>
>
> A few more tidbits in case it helps any.
>
>
>
> The 'default' keystore appears to be in C:\Documents and
> Settings\bbailey\.keystore so I don't see how that keystore could be
> relevant … neither Tomcat nor the JVM should be using this by default I
> think.
>
>
>
> I have double checked the certificate and the hostname in it is
> nacdnws002l.northlandcc.net … just like the fully qualified host and
> domain used in the proxyCallbackUrl.
>
>
>
> Is there any way to get the JVM to tell you what exactly it is that it
> doesn't like about the certificate? For example, hostname mismatch? Not
> found in keystore? In keystore but not trusted? Or whatever?
>
>
>
> I feel like I'm just taking stabs in the dark right now.
>
>
> Bill
>
>
>  ------------------------------
>
> From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] On Behalf Of Bill Bailey
> Sent: Tuesday, June 19, 2007 10:59 AM
> To: Yale CAS mailing list
> Subject: RE: ACEGI, proxyValidate and PGTIOU
>
>
>
> Scott,
>
>
>
> I should add a couple things just in case they come up as questions.
>
>
>
> 1) I did select to trust the certificate when I imported it into
> cacerts … the default was no, but I enter yes … and the tomcat certificate
> is listed as trusted when I do a keytool -list.
>
> 2) I have verified that both tomcats are using the 1.6.0_01 JVM …
> there are other Java versions installed on this machine, but it does not
> appear Tomcat is using any of them
>
>
>
> Bill
>
>
>  ------------------------------
>
> From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] On Behalf Of Bill Bailey
> Sent: Tuesday, June 19, 2007 10:53 AM
> To: Yale CAS mailing list
> Subject: RE: ACEGI, proxyValidate and PGTIOU
>
>
>
> Hi Scott,
>
>
>
> Thanks again. I am getting a clearer picture, but I still can't get it to
> work. I've  seen a lot of other people discussing SSL/Certificate issues on
> this list so I guess it is my turn to feel the pain.
>
>
>
> Here are the steps I did … I deleted the old keystore I was using for
> Tomcat and started from scratch.
>
>
>
> keytool -genkey -alias tomcat -keypass changeit -keystore C:\keystore\.keystore
>
>
>
> I then set keystoreFile=C:\keystore\.keystore in both the Tomcat 6.0 and
> Tomcat 5.5 server.xml files.
>
>
>
> Basic SSL works fine after doing the above two steps …
>
>
>
> keytool -export -alias tomcat -file tomcat.crt -keystore C:\keystore\.keystore
>
>
>
> Certificate file tomcat.crt exports without any errors or warnings …
>
>
>
> keytool -import -file tomcat.crt -alias tomcat -keystore "C:\Program Files\Java\jdk1.6.0_01\jre\lib\security\cacerts"
>
>
>
> Certificate imports without any errors or warnings …
>
>
>
> keytool -list -keystore "C:\Program Files\Java\jdk1.6.0_01\jre\lib\security\cacerts"
>
>
>
> Lists 44 entries including the certificate just added under the tomcat
> alias
>
>
>
> Still gets the same error as before …
>
>
>
> I did notice that doing keytool -list without a -keystore parameter
> returned an empty list so I wondered if there was another keystore at play
> here. So I tried adding the certificate to the 'default' keystore using the
> following command.
>
> keytool -import -file tomcat.crt -alias tomcat
>
>
>
> Certificate imports without any errors or warnings …
>
>
>
> keytool -list
>
>
>
> Lists 1 entry … the new certificate with the tomcat alias I just added
>
>
>
> Still get the same error.
>
>
>
> I am losing my mind here. What am I still not doing?
>
>
> Thanks in advance for any suggestions.
>
>
> Bill
>
>
>  ------------------------------
>
> From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] On Behalf Of Scott Battaglia
> Sent: Tuesday, June 19, 2007 9:56 AM
> To: Yale CAS mailing list
> Subject: Re: ACEGI, proxyValidate and PGTIOU
>
>
>
> Bill,
>
> That's not the JVM's list of certificates.  That's Tomcat's keystore.  The
> JVM stores its certificates in JAVA_HOME\jre\lib\security\cacerts
>
> You would need to insert your certificate using a command such as the
> following:
>
> %JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit -keystore %JAVA_HOME%\jre\lib\security\cacerts
>
> (assuming you've exported the container's certificate to server.crt).
>
>
> -Scott
>
> On 6/19/07, Bill Bailey <Bill.Bailey at northlandchurch.net> wrote:
>
> Thanks, Scott.
>
>
>
> However, I guess I am still a little confused. I have Tomcat 6.0 and
> Tomcat 5.5 running on the same machine (my development machine). I ran
> into some issues earlier with Tomcat finding the right keystore with my
> certificates so I added keystoreFile=C:\keystore\.keystore to the
> server.xml in both versions of Tomcat. So I thought both JVM's would be
> using the same keystore file. This works fine for allowing me to connect via
> SSL to both Tomcat instances. Is there a problem with what I am doing from a
> CAS perspective? Is there another keystore beyond the ones configured in
> server.xml that I need to be populating?
>
>
>
> Bill
>
>  ------------------------------
>
> From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] On Behalf Of Scott Battaglia
> Sent: Tuesday, June 19, 2007 9:40 AM
> To: Yale CAS mailing list
> Subject: Re: ACEGI, proxyValidate and PGTIOU
>
>
>
> CAS's JVM does not trust your client application's certificate.
>
> If you've added the certificate to CAS's JVM, that most likely means the
> hostname does not match the cn.
>
> If you haven't added the certificate, you need to do so :-)
>
> -Scott
>
> On 6/19/07, Bill Bailey <Bill.Bailey at northlandchurch.net> wrote:
>
> Hi,
>
>
>
> I am using CAS with ACEGI security and I have the basics working. But when
> I try to add the proxyCallbackUrl to the CasProxyTicketValidator (see
> below), it only partly works. I am able to still authenticate through CAS,
> but the resulting authentication token does not have the PGTIOU set … it is
> an empty string.
>
>
>
> I have checked the log files on the Tomcat instance hosting the CAS server
> and I find the following exceptions which seem to relate to the proxy
> callback URL. Any idea what is wrong?
>
>
>
> 2007-06-19 09:25:58,812 ERROR [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>         at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unknown Source)
>         at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(StrictSSLProtocolSocketFactory.java:280)
>         at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(StrictSSLProtocolSocketFactory.java:223)
>         at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
>         at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1321)
>         at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
>         at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
>         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
>         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
>         at org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate(HttpBasedServiceCredentialsAuthenticationHandler.java:75)
>         at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:79)
>         at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
>         at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
>         at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
>         at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
>         at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
>         at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
>         at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
>         at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>         at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
>         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
>         at java.lang.Thread.run(Unknown Source)
>
> 2007-06-19 09:25:58,812 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor>
>
> 2007-06-19 09:25:58,812 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor>
> org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
>         at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:215)
>         at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
>         at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
>         at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
>         at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
>         at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
>         at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
>         at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>         at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
>         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
>         at java.lang.Thread.run(Unknown Source)
> Caused by: error.authentication.credentials.bad
>         at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
>         at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:105)
>         at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
>         ... 22 more
>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
>
>


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
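Bill's question above (is there a way to make the JVM say exactly what it dislikes about the certificate) is the one to answer first whenever the proxy callback fails, so here is a small diagnostic as an added example. It is not code from this thread or from the CAS project; the class name TlsTrustDiag, its argument order and its output format are my own choices. It performs the same two checks the CAS server's HttpClient performs when it connects to the proxyCallbackUrl, but reports them separately: a TLS handshake against a chosen trust store (the JVM default, jre/lib/security/cacerts, when none is given, which is what a CAS server sees regardless of the keystoreFile in server.xml, since that attribute only supplies Tomcat's own server certificate), followed by a name check of the presented certificate against the host it connected to. In the trace at the top of the thread the SSLPeerUnverifiedException is thrown from getPeerCertificateChain inside verifyHostname, which with JSSE is usually what you get when the handshake itself did not produce an authenticated peer, so trust, not the hostname, is the first thing to rule out.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

// Usage: java TlsTrustDiag host port [trustStoreFile [trustStorePassword]]
// No trust store argument means the JVM default (jre/lib/security/cacerts unless
// -Djavax.net.ssl.trustStore overrides it), i.e. the view a CAS server has when it
// opens the proxy callback. Run it with the same java.exe Tomcat runs on.
public class TlsTrustDiag {
    // Wraps the platform trust manager so the presented chain survives a rejection.
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] presented;
        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            presented = chain;                       // keep it before the delegate can throw
            delegate.checkServerTrusted(chain, authType);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }
    // Platform trust manager over an explicit key store, or the JVM default when ks is null.
    static X509TrustManager platformTrustManager(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager for " + tmf.getAlgorithm());
    }
    // RFC 2818 style: dNSName SANs win when present, otherwise the subject CN.
    // Exact case-insensitive match, no wildcards: enough for a single callback host.
    static boolean hostnameMatches(X509Certificate cert, String host) throws CertificateException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        boolean sawDnsName = false;
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)).intValue() != 2) continue;   // 2 == dNSName
                sawDnsName = true;
                if (host.equalsIgnoreCase(String.valueOf(san.get(1)))) return true;
            }
        }
        if (sawDnsName) return false;
        // Naive RDN split; adequate for keytool-generated subjects like the one in this thread.
        for (String rdn : cert.getSubjectX500Principal().getName(X500Principal.RFC2253).split(",")) {
            if (rdn.trim().startsWith("CN=")) return host.equalsIgnoreCase(rdn.trim().substring(3));
        }
        return false;
    }
    static String sha1(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) sb.append(String.format(i == 0 ? "%02X" : ":%02X", d[i]));
        return sb.toString();
    }
    static void describe(X509Certificate[] chain) throws Exception {
        if (chain == null) { System.out.println("  (no certificate chain was presented)"); return; }
        for (X509Certificate c : chain) {
            System.out.println("  subject=" + c.getSubjectX500Principal() + "  issuer=" + c.getIssuerX500Principal());
            System.out.println("  SHA1=" + sha1(c) + "  (compare with keytool -list -v)");
        }
    }
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        KeyStore ks = null;
        if (args.length > 2) {                       // a null password reads a JKS without the integrity check
            ks = KeyStore.getInstance(KeyStore.getDefaultType());
            InputStream in = new FileInputStream(args[2]);
            try { ks.load(in, args.length > 3 ? args[3].toCharArray() : null); } finally { in.close(); }
        }
        RecordingTrustManager tm = new RecordingTrustManager(platformTrustManager(ks));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            sock.startHandshake();                   // force the trust decision now instead of lazily
        } catch (SSLHandshakeException e) {
            System.out.println("NOT TRUSTED by this trust store: " + e.getMessage());
            describe(tm.presented);
            return;
        }
        X509Certificate leaf = (X509Certificate) sock.getSession().getPeerCertificates()[0];
        sock.close();
        if (hostnameMatches(leaf, host)) { System.out.println("OK: trusted and name matches " + host); return; }
        System.out.println("HOSTNAME MISMATCH: trusted, but the certificate is not for " + host);
        describe(new X509Certificate[] { leaf });
    }
}
```

Run it from the JDK that Tomcat starts with, for example "C:\Program Files\Java\jdk1.6.0_01\bin\java" TlsTrustDiag nacdnws002l.northlandcc.net 8443, and it will say NOT TRUSTED, HOSTNAME MISMATCH or OK, printing the SHA1 fingerprints so they can be matched against keytool -list -v on the cacerts file. If it reports OK against the default trust store but CAS still logs "peer not authenticated", the remaining question is which JVM and which trust store the CAS webapp is really running under (a -Djavax.net.ssl.trustStore in Tomcat's startup options, or a different JRE than expected); adding -Djavax.net.debug=ssl,handshake to that Tomcat's JAVA_OPTS prints the same handshake detail into catalina.out. The check stops at the TLS layer on purpose: it does the hostname comparison itself rather than asking JSSE to (SSLParameters.setEndpointIdentificationAlgorithm on Java 7 and later) so that a trust failure and a name failure stay distinguishable, and it says nothing about what the receptor URL returns once the connection is up, which is the separate Acegi redirect problem Scott addresses at the top of the thread.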