ACEGI, proxyValidate and PGTIOU

Scott Battaglia scott.battaglia at gmail.com
Wed Jun 20 12:17:23 EDT 2007


This may help:

http://forum.springframework.org/showthread.php?t=30094

-Scott

On 6/20/07, Bill Bailey <Bill.Bailey at northlandchurch.net> wrote:
>
> Hi Jens,
>
> I can't see any similar problems with DNS lookup. The hostname resolves to
> the proper IP address and if I do a reverse on the IP I get the correct
> hostname.
>
> And no, I am not requiring client certificates. I have clientAuth=false in
> both server.xml files. Interestingly, I have now managed to break things
> to the point that it is failing one step sooner than before … and even
> though I would swear I have returned everything to the point it was when I
> started, it is still failing with a different error. Before, at least the
> Acegi client was able to call proxyValidate, but CAS was failing when it
> tried to invoke the proxyCallbackUrl. Now I can't even get the proxyValidate
> call to succeed. It fails every time with
> "InvalidAlgorithmParameterException : trustAnchors parameter must be
> non-empty".
>
> This is the single most frustrating experience I can remember configuring
> something, and I've had some pretty bad experiences before.
>
> Bill
>
> *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] *On
> Behalf Of *Hausherr, Jens
> *Sent:* Wednesday, June 20, 2007 3:47 AM
> *To:* Yale CAS mailing list
> *Subject:* Re: ACEGI, proxyValidate and PGTIOU
>
> Hi Bill,
>
> I encountered some problems with SSL certificates also – but mine were a
> result of broken DNS entries: the reverse lookup used in certificate
> validation resulted in random hostnames returned for the IP address %-).
>
> Does your tomcat installation (the SSL connector) require client
> certificates? The exception "javax.net.ssl.SSLPeerUnverifiedException:
> peer not authenticated" seems to point in this direction. I do not know if
> commons-httpclient supports client authentication for SSL.
>
> Just a wild guess…
>
> Jens
>
>
>  ------------------------------
>
> *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] *On
> Behalf Of *Bill Bailey
> *Sent:* Tuesday, June 19, 2007 15:50
> *To:* Yale CAS mailing list
> *Subject:* RE: ACEGI, proxyValidate and PGTIOU
>
> Thanks, Scott.
>
> However, I guess I am still a little confused. I have Tomcat 6.0 and
> Tomcat 5.5 running on the same machine (my development machine). I ran
> into some issues earlier with Tomcat finding the right keystore with my
> certificates, so I added keystoreFile=C:\keystore\.keystore to the
> server.xml in both versions of Tomcat. So I thought both JVMs would be
> using the same keystore file. This works fine for allowing me to connect via
> SSL to both Tomcat instances. Is there a problem with what I am doing from a
> CAS perspective? Is there another keystore beyond the ones configured in
> server.xml that I need to be populating?
>
> Bill
>
>  ------------------------------
>
> *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] *On
> Behalf Of *Scott Battaglia
> *Sent:* Tuesday, June 19, 2007 9:40 AM
> *To:* Yale CAS mailing list
> *Subject:* Re: ACEGI, proxyValidate and PGTIOU
>
> CAS's JVM does not trust your client application's certificate.
>
> If you've added the certificate to CAS's JVM, that most likely means the
> hostname does not match the cn.
>
> If you haven't added the certificate, you need to do so :-)
>
> -Scott
>
> On 6/19/07, *Bill Bailey* <Bill.Bailey at northlandchurch.net> wrote:
>
> Hi,
>
> I am using CAS with ACEGI security and I have the basics working. But when
> I try to add the proxyCallbackUrl to the CasProxyTicketValidator (see
> below), it only partly works. I am able to still authenticate through CAS,
> but the resulting authentication token does not have the PGTIOU set … it is
> an empty string.
>
> I have checked the log files on the Tomcat instance hosting the CAS server
> and I find the following exceptions which seem to relate to the proxy
> callback URL. Any idea what is wrong?
>
> 2007-06-19 09:25:58,812 ERROR [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>     at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unknown Source)
>     at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(StrictSSLProtocolSocketFactory.java:280)
>     at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket(StrictSSLProtocolSocketFactory.java:223)
>     at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
>     at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1321)
>     at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
>     at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
>     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
>     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
>     at org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate(HttpBasedServiceCredentialsAuthenticationHandler.java:75)
>     at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:79)
>     at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
>     at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
>     at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
>     at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>     at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
>     at java.lang.Thread.run(Unknown Source)
>
> 2007-06-19 09:25:58,812 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandlerfailed to authenticate the user which provided the following credentials: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor>
>
> 2007-06-19 09:25:58,812 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://nacdnws002l.northlandcc.net:8443/casProxy/receptor>
> org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
>     at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:215)
>     at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
>     at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
>     at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>     at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
>     at java.lang.Thread.run(Unknown Source)
> Caused by: error.authentication.credentials.bad
>     at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
>     at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:105)
>     at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:194)
>     ... 22 more
>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
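The trust question in this thread sits on the CAS side, not in Tomcat's server.xml: when CAS calls the proxyCallbackUrl it validates the receptor's certificate against its own JVM truststore, and the keystoreFile attribute only tells Tomcat which certificate to serve. The program below is an added diagnostic, not code from the thread or from the CAS project; it assumes the JRE default cacerts password "changeit", uses the receptor URL quoted in the thread as its default argument, and is meant to be run with the same java.home and -Djavax.net.ssl.trustStore setting as the CAS Tomcat so it sees exactly what CAS sees. It reports the three failure modes the thread touches: an empty truststore (Bill's "trustAnchors parameter must be non-empty"), an untrusted chain, and a hostname that does not match the certificate (Scott's "hostname does not match the cn").

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/** Added diagnostic: checks the proxy callback the way CAS's JVM does, from CAS's side of the connection. */
public class ProxyCallbackTrustCheck {
    /** Counts trusted-certificate entries; zero is what yields "trustAnchors parameter must be non-empty". */
    static int countTrustAnchors(KeyStore ks) throws Exception {
        int n = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isCertificateEntry(e.nextElement())) n++;
        }
        return n;
    }
    public static void main(String[] args) throws Exception {
        // Receptor URL is the one from the thread; "changeit" is the JRE's default cacerts password (assumption).
        String callback = args.length > 0 ? args[0] : "https://nacdnws002l.northlandcc.net:8443/casProxy/receptor";
        // JSSE never reads Tomcat's keystoreFile: it uses javax.net.ssl.trustStore or, failing that, the JRE's cacerts.
        String path = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(path);
        try { ks.load(in, "changeit".toCharArray()); } finally { in.close(); }
        int anchors = countTrustAnchors(ks);
        System.out.println("truststore " + path + " holds " + anchors + " trusted certificate(s)");
        if (anchors == 0) { System.out.println("FAIL: empty truststore; no chain can validate"); return; }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(callback).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // keep the default, strict HostnameVerifier
        try {
            conn.connect();
            X509Certificate leaf = (X509Certificate) conn.getServerCertificates()[0];
            System.out.println("OK: chain trusted and hostname matched; subject=" + leaf.getSubjectX500Principal());
        } catch (SSLHandshakeException e) {
            System.out.println("FAIL: receptor certificate chain not trusted by " + path + " (" + e.getMessage() + ")");
        } catch (IOException e) { // HttpsURLConnection reports a CN/SAN mismatch as "HTTPS hostname wrong: ..."
            System.out.println("FAIL: " + e.getMessage());
        }
    }
}
```

Importing the receptor's certificate with keytool into the truststore this program reports, rather than into the keystore named in server.xml, is the fix the first two outcomes point at; the third needs a certificate whose CN or SAN is the hostname in proxyCallbackUrl.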