Acegi / Unable to validate ProxyTicketValidator
Scott Battaglia
scott.battaglia at gmail.com
Fri May 18 14:28:04 EDT 2007
Can you see what the XML response back from CAS was? There may be an
invalid character in there (as evidenced by "Content is not allowed in
prolog.").
-Scott
On 5/17/07, Tim Speevack <tim.speevack at yale.edu> wrote:
>
>
> Apologies to all who have answered these questions a billion times, but...
>
> I'm trying to get tomcat/spring/acegi to talk to CAS. I've gotten it
> working to some degree, but am now stuck on the following error:
>
> [Fatal Error] :1:1: Content is not allowed in prolog.
> May 17, 2007 2:06:14 PM edu.yale.its.tp.cas.client.CASReceipt getReceipt
> SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException:
> Unable to validate ProxyTicketValidator
> [ [edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
> [edu.yale.its.tp.cas.client.ServiceTicketValidator
> casValidateUrl=[https://secure.its.yale.edu/cas/servlet/validate]
> ticket=[ST-11059954-4vXxKMmEaRychGbtR62b]
>
> service=[http%3A%2F%2Fyag-
> client-36.art.yale.edu%3A8080%2Fyuagit%2Fsecure%2Ftest.jsp]
>
> renew=false
> entireResponse=[yes
> <my netid>
> ]]]]
>
> I've gone through all the online references I can find, but can't get
> past this error. Clearly I'm getting a valid ticket & login succeeds,
> so I'm assuming that this has something to do with SSL & Tomcat. I've
> followed all the posts related to keytool, but still no luck.
>
> Here's how things are configured:
>
> JVM: JAVA_HOME=C:\jdk1.6.0
>
> TOMCAT: CATALINA_HOME=C:\tomcat
> server.xml was modified to enable SSL, and keystore & trust are
> explicitly defined:
> <Connector port="8443" maxHttpHeaderSize="8192"
> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> enableLookups="false" disableUploadTimeout="true"
> acceptCount="100" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"
> keystoreFile="C:\DOCUME~1\<my netid>\.keystore"
> keystorePass="changeit"
> truststoreFile="C:/jdk1.6.0/jre/lib/security/cacerts"
> />
>
> KEYSTORE: I created a batch file since I had to run this more than once:
>
> @echo off
> REM Keystore under the user profile, and the JVM's default truststore
> set USERKEYSTORE=C:\DOCUME~1\tms64\.keystore
> set JVMKEYSTORE=%JAVA_HOME%\jre\lib\security\cacerts
>
> REM Remove any earlier "tomcat" entry so the script can be re-run
> REM (-delete only takes the alias, keystore and store password)
> keytool -delete -alias tomcat -keystore "%USERKEYSTORE%" -storepass changeit
>
> keytool -delete -alias tomcat -keystore "%JVMKEYSTORE%" -storepass changeit
>
> REM Generate the server key pair (cmd continues a line with ^, not \)
> keytool -genkey -alias tomcat -keystore "%USERKEYSTORE%" ^
>   -validity 9999 -keypass changeit -storepass changeit -keyalg RSA ^
>   -dname "CN=<mymachinename>.art.yale.edu, OU=artgallery, O=yale, L=newhaven, S=ct, C=us"
>
> REM Export the self-signed certificate ...
> keytool -export -alias tomcat -keystore "%USERKEYSTORE%" ^
>   -file server.crt -storepass changeit
>
> REM ... and import it into the JVM truststore so clients in this JVM trust it
> keytool -import -file server.crt -alias tomcat -keystore "%JVMKEYSTORE%" ^
>   -storepass changeit -noprompt
>
>
> All references I found on this process were somewhat vague. For example
> http://www.ja-sig.org/products/cas/server/ssl/index.html shows:
>
> %JAVA_HOME%\bin\keytool -export -alias tomcat -keypass changeit -file
> %FILE_NAME%
> %JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit
> -keystore %JAVA_HOME%/jre/lib/security/cacerts
> %JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit
>
> It's not clear from this example whether %FILE_NAME% and server.crt are
> intended to be the same files, though after reading
> http://tp.its.yale.edu/pipermail/cas-dev/2007-April/001751.html it would
> appear that that is the intention.
>
> I'm sure I've missed a critical point somewhere, but I'm not at all
> familiar with ssl setup so it's not obvious. I'm fairly sure that the
> remainder of the setup is correct, but I can provide gory details of the
> webapp configuration, spring, acegi, etc.
>
> Any help will be much appreciated!
> Tim
>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
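Scott's suggestion above is to look at the raw body before the XML parser gets it. The Python helper below is an added example, not code from this thread or from the CAS client; it classifies a captured validation response as the CAS 1.0 /validate plain-text form ("yes" then the netid, or "no"), CAS 2.0 serviceValidate XML, an HTML page, or something no XML parser will accept, and flags a BOM or whitespace sitting ahead of the prolog. The sample bodies are constructed, and the CAS 2.0 namespace is the protocol's documented one.

```python
import re
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"   # namespace used in CAS 2.0 serviceValidate XML
BOM = b"\xef\xbb\xbf"


def diagnose_cas_response(body: bytes) -> dict:
    """Classify the raw body returned by a CAS validation URL.

    kind: cas1-plaintext, cas2-xml, cas2-xml-failure, html, or not-xml.
    leading_junk: a UTF-8 BOM or whitespace preceded the content, which is
    the kind of byte an XML parser rejects before the prolog.
    xml_error: the parser's message when the body is not well-formed XML.
    """
    info = {"kind": "unknown", "user": None, "xml_error": None, "leading_junk": False}
    payload = body
    if payload.startswith(BOM):
        info["leading_junk"] = True
        payload = payload[len(BOM):]
    if payload[:1].isspace():
        info["leading_junk"] = True
        payload = payload.lstrip()
    text = payload.decode("utf-8", errors="replace")
    lines = text.splitlines()
    # CAS 1.0 /validate never answers in XML: "yes\n<user>\n" or "no\n\n"
    if lines and lines[0].strip() in ("yes", "no"):
        info["kind"] = "cas1-plaintext"
        if lines[0].strip() == "yes" and len(lines) > 1:
            info["user"] = lines[1].strip() or None
        return info
    # A login or error page instead of a ticket answer
    if re.match(r"\s*(<!doctype\s+html|<html)", text, re.IGNORECASE):
        info["kind"] = "html"
        return info
    try:
        root = ET.fromstring(payload)
    except ET.ParseError as exc:
        info["kind"] = "not-xml"
        info["xml_error"] = str(exc)   # e.g. "syntax error: line 1, column 0"
        return info
    if root.find(f".//{CAS_NS}authenticationFailure") is not None:
        info["kind"] = "cas2-xml-failure"
        return info
    user = root.find(f".//{CAS_NS}user")
    info["kind"] = "cas2-xml"
    info["user"] = user.text.strip() if user is not None and user.text else None
    return info
```

Run it over the bytes the client actually received (for example from a proxy capture) rather than over the decoded string the validator logs, since a BOM disappears once the body has been decoded.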