ACEGI, proxyValidate and PGTIOU

Bill Bailey Bill.Bailey at northlandchurch.net
Wed Jun 20 10:02:17 EDT 2007 

Hi Jens,

 

I can't see any similar problems with DNS lookup. The hostname resolves
to the proper IP address and if I do a reverse on the IP I get the
correct hostname.

 

And no, I am not requiring client certificates. I have clientAuth=false
in both server.xml files. Interestingly, I have now managed to break
things to the point that it is failing one step sooner than before ...
and even though I would swear I have returned everything to the point it
was when I started, it is still failing with a different error. Before,
at least the Acegi client was able to call proxyValidate, but CAS was
failing when it tried to invoke the proxyCallbackUrl. Now I can't even
get the proxyValidate call to succeed. It fails every time with
"InvalidAlgorithmParameterException : trustAnchors parameter must be
non-empty".

 

This is the single most frustrating experience I can remember
configuring something and I've had some pretty bad experiences before.

 

Bill

 

From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Hausherr, Jens
Sent: Wednesday, June 20, 2007 3:47 AM
To: Yale CAS mailing list
Subject: AW: ACEGI, proxyValidate and PGTIOU

 

Hi Bill,

I encountered some problems with SSL certificates also - but mine were a
result of broken DNS entries: the reverse lookup used in certificate
validation resulted in random hostnames returned for the IP address %-).

Does your tomcat installation (the SSL connector) require client
certificates? The exception "javax.net.ssl.SSLPeerUnverifiedException:
peer not authenticated" seems to point in this direction. I do not know
if commons-httpclient supports client authentication for SSL.

Just a wild guess...

Jens

 

________________________________

Von: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] Im
Auftrag von Bill Bailey
Gesendet: Dienstag, 19. Juni 2007 15:50
An: Yale CAS mailing list
Betreff: RE: ACEGI, proxyValidate and PGTIOU

 

Thanks, Scott.

 

However, I guess I am still a little confused. I have Tomcat 6.0 and
Tomcat 5.5 running on the same machine (my development machine). I ran
into some issues earlier with Tomcat finding the right keystore with my
certificates so I added keystoreFile=C:\keystore\.keystore to the
server.xml in both versions of Tomcat. So I thought both JVM's would be
using the same keystore file. This works fine for allowing me to connect
via SSL to both Tomcat instances. Is there a problem with what I am
doing from a CAS perspecive? Is there another keystore beyond the ones
configured in server.xml that I need to be populating?

 

Bill

 

 

________________________________

From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Scott Battaglia
Sent: Tuesday, June 19, 2007 9:40 AM
To: Yale CAS mailing list
Subject: Re: ACEGI, proxyValidate and PGTIOU

 

CAS's JVM does not trust your client application's certificate.

If you've added the certificate to CAS's JVM, that most likely means the
hostname does not match the cn.

If you haven't added the certificate, you need to do so :-) 

-Scott

On 6/19/07, Bill Bailey <Bill.Bailey at northlandchurch.net> wrote:

Hi,

 

I am using CAS with ACEGI security and I have the basics working. But
when I try to add the proxyCallbackUrl to the CasProxyTicketValidator
(see below), it only partly works. I am able to still authenticate
through CAS, but the resulting authentication token does not have the
PGTIOU set ... it is an empty string.

 

I have checked the log files on the Tomcat instance hosting the CAS
server and I find the following exceptions which seem to relate to the
proxy callback URL. Any idea what is wrong?

 

2007-06-19 09:25:58,812 ERROR
[org.jasig.cas.authentication.handler.support.HttpBasedServiceCredential
sAuthenticationHandler] - <javax.net.ssl.SSLPeerUnverifiedException:
peer not authenticated>

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

            at
com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unkn
own Source)

            at
org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory
.verifyHostname(StrictSSLProtocolSocketFactory.java:280)

            at
org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory
.createSocket(StrictSSLProtocolSocketFactory.java:223) 

            at
org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:70
6)

            at
org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpCon
nectionAdapter.open(MultiThreadedHttpConnectionManager.java:1321)

            at
org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMe
thodDirector.java:386)

            at
org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMetho
dDirector.java:170)

            at
org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:3
96)

            at
org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:3
24)

            at
org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentials
AuthenticationHandler.authenticate(HttpBasedServiceCredentialsAuthentica
tionHandler.java:75)

            at
org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(Auth
enticationManagerImpl.java:79)

            at
org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTic
ket(CentralAuthenticationServiceImpl.java:194) 

            at
org.jasig.cas.web.ServiceValidateController.handleRequestInternal(Servic
eValidateController.java:159)

            at
org.springframework.web.servlet.mvc.AbstractController.handleRequest(Abs
tractController.java:153)

            at
org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handl
e(SimpleControllerHandlerAdapter.java:48)

            at
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherS
ervlet.java:819)

            at
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherSe
rvlet.java:754)

            at
org.springframework.web.servlet.FrameworkServlet.processRequest(Framewor
kServlet.java:399)

            at
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.
java:354)

            at
javax.servlet.http.HttpServlet.service(HttpServlet.java:690)

            at
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)

            at
org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServl
et.java:115)

            at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica
tionFilterChain.java:290)

            at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt
erChain.java:206)

            at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValv
e.java:228)

            at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValv
e.java:175)

            at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
:128)

            at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
:104)

            at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
java:109)

            at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:2
16)

            at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:84
4)

            at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(
Http11Protocol.java:634)

            at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)

            at java.lang.Thread.run(Unknown Source)

2007-06-19 09:25:58,812 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
<AuthenticationHandler:
org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentials
AuthenticationHandler failed to authenticate the user which provided the
following credentials:
https://nacdnws002l.northlandcc.net:8443/casProxy/receptor> 

2007-06-19 09:25:58,812 ERROR
[org.jasig.cas.web.ServiceValidateController] - <TicketException
generating ticket for:
https://nacdnws002l.northlandcc.net:8443/casProxy/receptor> 

org.jasig.cas.ticket.TicketCreationException:
error.authentication.credentials.bad

            at
org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTic
ket(CentralAuthenticationServiceImpl.java:215)

            at
org.jasig.cas.web.ServiceValidateController.handleRequestInternal(Servic
eValidateController.java:159)

            at
org.springframework.web.servlet.mvc.AbstractController.handleRequest(Abs
tractController.java:153)

            at
org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handl
e(SimpleControllerHandlerAdapter.java:48)

            at
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherS
ervlet.java:819)

            at
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherSe
rvlet.java:754)

            at
org.springframework.web.servlet.FrameworkServlet.processRequest(Framewor
kServlet.java:399)

            at
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.
java:354)

            at
javax.servlet.http.HttpServlet.service(HttpServlet.java:690)

            at
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)

            at
org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServl
et.java:115)

            at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica
tionFilterChain.java:290)

            at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt
erChain.java:206)

            at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValv
e.java:228)

            at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValv
e.java:175)

            at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
:128)

            at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
:104)

            at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
java:109)

            at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:2
16)

            at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:84
4)

            at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(
Http11Protocol.java:634)

            at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)

            at java.lang.Thread.run(Unknown Source)

Caused by: error.authentication.credentials.bad

            at
org.jasig.cas.authentication.handler.BadCredentialsAuthenticationExcepti
on.<clinit>(BadCredentialsAuthenticationException.java:25)

            at
org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(Auth
enticationManagerImpl.java:105)

            at
org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTic
ket(CentralAuthenticationServiceImpl.java:194)

            ... 22 more


_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas




-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia 

 

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20070620/cb9468ec/attachment.html

More information about the cas mailing list