cas Digest, Vol 48, Issue 30

Scott Battaglia scott.battaglia at gmail.com
Mon May 21 10:52:37 EDT 2007


Tim,

If you want to parse the XML, I believe the endpoint is "serviceValidate"
and not "validate".

-Scott

On 5/21/07, Tim Speevack <tim.speevack at yale.edu> wrote:
>
>  Scott,
> The response that's causing the exception at:
> edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(
> ServiceTicketValidator.java:221)
> is literally "yes\ntms64\n", which is obviously not xml.
> Tim
>
>
> Can you see what the XML response back from CAS was?  There may be an
> invalid character in there (as evidenced by Content is not allowed in
> prolog.).
>
> -Scott
>
> On 5/17/07, Tim Speevack <tim.speevack at yale.edu> wrote:
> >
> >
> > Apologies to all who have answered these questions a billion times,
> > but...
> >
> > I'm trying to get tomcat/spring/acegi to talk to CAS.  I've gotten it
> > working to some degree, but am now stuck on the following error:
> >
> > [Fatal Error] :1:1: Content is not allowed in prolog.
> > May 17, 2007 2:06:14 PM edu.yale.its.tp.cas.client.CASReceipt getReceipt
> > SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException:
> > Unable to validate ProxyTicketValidator
> > [ [edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
> >   [edu.yale.its.tp.cas.client.ServiceTicketValidator
> >     casValidateUrl=[https://secure.its.yale.edu/cas/servlet/validate ]
> >     ticket=[ST-11059954-4vXxKMmEaRychGbtR62b]
> >
> >     service=[http%3A%2F%2Fyag-client-36.art.yale.edu%3A8080%2Fyuagit%2Fsecure%2Ftest.jsp]
> >
> >     renew=false
> >     entireResponse=[yes
> > <my netid>
> > ]]]]
> >
> > I've gone through all the online references I can find, but can't get
> > past this error.  Clearly I'm getting a valid ticket & login succeeds,
> > so I'm assuming that this has something to do with SSL & Tomcat.  I've
> > followed all the posts related to keytool, but still no luck.
> >
> > Here's how things are configured:
> >
> > JVM:    JAVA_HOME=C:\jdk1.6.0
> >
> > TOMCAT:    CATALINA_HOME=C:\tomcat
> >   server.xml was modified to enable SSL, and keystore & trust are
> > explicitly defined:
> >     <Connector port="8443" maxHttpHeaderSize="8192"
> >                maxThreads="150" minSpareThreads="25"
> > maxSpareThreads="75"
> >                enableLookups="false" disableUploadTimeout="true"
> >                acceptCount="100" scheme="https" secure="true"
> >                clientAuth="false" sslProtocol="TLS"
> >                  keystoreFile="C:\DOCUME~1\<my netid>\.keystore"
> >                  keystorePass="changeit"
> >                  truststoreFile="C:/jdk1.6.0/jre/lib/security/cacerts"
> >                />
> >
> > KEYSTORE: I created a batch file since I had to run this more than once:
> >
> >
> >   @echo off
> >   set USERKEYSTORE=C:\DOCUME~1\tms64\.keystore
> >   set JVMKEYSTORE=%JAVA_HOME%\jre\lib\security\cacerts
> >
> >   keytool -delete -alias tomcat -keystore "%USERKEYSTORE%" \
> >     -keypass changeit -storepass changeit -keyalg RSA
> >
> >   keytool -delete -alias tomcat -keystore "%JVMKEYSTORE%" \
> >     -keypass changeit -storepass changeit -keyalg RSA
> >
> >   keytool -genkey -alias tomcat -keystore %USERKEYSTORE% \
> >     -validity 9999 -keypass changeit -storepass changeit -keyalg RSA \
> >     -dname "CN=<mymachinename>.art.yale.edu, OU=artgallery, O=yale, L=newhaven, S=ct, C=us"
> >
> >   keytool -export -alias tomcat -keystore %USERKEYSTORE% \
> >     -file server.crt -keypass changeit -storepass changeit -keyalg RSA
> >
> >   keytool -import -file server.crt -alias tomcat -keystore %JVMKEYSTORE% \
> >     -keypass changeit -storepass changeit -keyalg RSA
> >
> >
> > All references I found on this process were somewhat vague.  For example
> >
> > http://www.ja-sig.org/products/cas/server/ssl/index.html shows:
> >
> > %JAVA_HOME%\bin\keytool -export -alias tomcat -keypass changeit -file %FILE_NAME%
> > %JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts
> > %JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit
> >
> > It's not clear from this example whether %FILE_NAME% and server.crt are
> > intended to be the same files, though after reading
> > http://tp.its.yale.edu/pipermail/cas-dev/2007-April/001751.html it would
> > appear that that is the intention.
> >
> > I'm sure I've missed a critical point somewhere, but I'm not at all
> > familiar with ssl setup so it's not obvious.  I'm fairly sure that the
> > remainder of the setup is correct, but I can provide gory details of the
> > webapp configuration, spring, acegi, etc.
> >
> > Any help will be much appreciated!
> > Tim
> >
> >
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
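Scott's point is a protocol difference rather than an SSL problem: the CAS 1.0 `validate` endpoint answers in plain text (`yes`, newline, user name), while the CAS 2.0 `serviceValidate` endpoint answers in XML, so a client that expects XML from `validate` fails at the first byte. The following Python is an added illustration, not code from this thread or from the Yale client library; the sample responses are constructed, and the CAS 2.0 namespace is the standard `http://www.yale.edu/tp/cas`.

```python
import xml.etree.ElementTree as ET

# Constructed sample responses (not captured from any real CAS server).
CAS10_OK = "yes\ntms64\n"   # the shape Tim saw from /validate
CAS10_FAIL = "no\n\n"       # CAS 1.0 failure: "no" and an empty line
CAS_NS = "{http://www.yale.edu/tp/cas}"  # CAS 2.0 XML namespace
CAS20_OK = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    "<cas:authenticationSuccess><cas:user>tms64</cas:user>"
    "</cas:authenticationSuccess></cas:serviceResponse>"
)
CAS20_FAIL = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    "<cas:authenticationFailure code='INVALID_TICKET'>"
    "ticket not recognized</cas:authenticationFailure></cas:serviceResponse>"
)

def parse_cas10(body):
    """CAS 1.0 /validate: line 1 is exactly 'yes' or 'no'; user is on line 2.
    Compare the whole line, never a prefix, so 'yes' is the only success."""
    lines = body.split("\n")
    if len(lines) >= 2 and lines[0] == "yes" and lines[1]:
        return lines[1]
    return None

def parse_cas20(body):
    """CAS 2.0 /serviceValidate: XML; return the user on success, else None.
    Any parse error or unexpected root is treated as a failed validation."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != CAS_NS + "serviceResponse":
        return None
    user = root.find("./%sauthenticationSuccess/%suser" % (CAS_NS, CAS_NS))
    if user is None or not (user.text or "").strip():
        return None
    return user.text.strip()

def xml_parse_error(body):
    """Return the parser's message when body is not XML, or None if it is.
    Feeding the CAS 1.0 reply to an XML parser reproduces the thread's error."""
    try:
        ET.fromstring(body)
        return None
    except ET.ParseError as e:
        return str(e)
```

A client should pick the parser by the endpoint it actually called; `parse_cas20` fails closed on the plain-text reply instead of throwing from inside the XML parser as the Yale client did.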