CAS proxy mode
Lucas Rockwell
lucasrockwell at berkeley.edu
Wed Nov 7 17:17:58 EST 2007
Hi Scott and others,
I have recently run into this problem as well, but with a different
error message. We have a cert authority on campus, and some of the
dev machines use them. I have imported all 3 of the certs in the
chain into the cacerts file (I tried with just the root cert, and
that didn't work), but I still get errors like this:
2007-11-07 13:57:38,910 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
<AuthenticationHandler:
org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentials
AuthenticationHandler failed to authenticate the user which provided
the following credentials: https://studentsdev.berkeley.edu/OSL/
HelloCAS/testcerts.asp>
2007-11-07 13:57:38,911 ERROR
[org.jasig.cas.web.ServiceValidateController] - <TicketException
generating ticket for: https://studentsdev.berkeley.edu/OSL/HelloCAS/
testcerts.asp>
org.jasig.cas.ticket.TicketCreationException:
error.authentication.credentials.bad
at
org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTic
ket(CentralAuthenticationServiceImpl.java:271)
at
org.jasig.cas.web.ServiceValidateController.handleRequestInternal
(ServiceValidateController.java:124)
at
org.springframework.web.servlet.mvc.AbstractController.handleRequest
(AbstractController.java:153)
...
I turned on debugging, and got this extra line:
2007-11-07 14:12:47,178 DEBUG
[org.jasig.cas.authentication.handler.support.HttpBasedServiceCredential
sAuthenticationHandler] - <Attempting to resolve credentials for
https://studentsdev.berkeley.edu/OSL/HelloCAS/testcerts.asp>
then the same as above:
2007-11-07 14:12:52,234 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
<AuthenticationHandler:
org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentials
AuthenticationHandler failed to authenticate the user which provided
the following credentials: https://studentsdev.berkeley.edu/OSL/
HelloCAS/testcerts.asp>
2007-11-07 14:12:52,239 ERROR
[org.jasig.cas.web.ServiceValidateController] - <TicketException
generating ticket for: https://studentsdev.berkeley.edu/OSL/HelloCAS/
testcerts.asp>
org.jasig.cas.ticket.TicketCreationException:
error.authentication.credentials.bad
I have even pointed explicitly to the cacerts file in the tomcat
startup script, using the -Djavax.net.ssl.trustStore= and
-Djavax.net.ssl.trustStorePassword= arguments, and that does not help,
either. I have also tried importing the actual public cert that was
issued to the client, and no go.
Does anyone have any hints about what I am doing wrong? Am I missing
some xml config somewhere?
This is with CAS 3.1.0.
Thanks.
-lucas
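The trust failure in this thread (CAS's HttpBasedServiceCredentialsAuthenticationHandler rejects the proxy callback URL's certificate chain against the JVM trust store) as an added diagnostic written for this page; it is not code from the thread or from CAS. It assumes a callback URL passed on the command line and the usual javax.net.ssl.trustStore / trustStorePassword properties (falling back to the JRE cacerts with password changeit); every trust decision is delegated to the real trust manager, and the only addition is printing the chain the server presented when it is rejected, so the administrator can see which issuer is missing from cacerts.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Repeats the HTTPS GET that CAS's HttpBasedServiceCredentialsAuthenticationHandler makes to
// the proxy callback URL, honouring the same trust-store system properties, and on rejection
// prints the chain the server actually presented. Validation is never relaxed: it fails closed.
public class ProxyCallbackTrustCheck {
    public static void main(String[] args) throws Exception {
        String callbackUrl = args[0];   // hypothetical, e.g. https://app.example.edu/proxyCallback
        // Same lookup the CAS JVM performs: explicit -Djavax.net.ssl.trustStore, else the JRE cacerts.
        String tsPath = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        String tsPass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(tsPath)) { ts.load(in, tsPass.toCharArray()); }
        System.out.println("trust store " + tsPath + " holds " + ts.size() + " entries");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        final X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];
        // Every trust decision is delegated to the real trust manager; only logging is added.
        X509TrustManager logging = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                try {
                    real.checkServerTrusted(chain, authType);
                } catch (CertificateException e) {
                    System.err.println("chain rejected: " + e.getMessage());
                    for (int i = 0; i < chain.length; i++) {   // one of these, or the last one's issuer, must be in the store
                        System.err.println("  [" + i + "] subject=" + chain[i].getSubjectX500Principal()
                                + " issuer=" + chain[i].getIssuerX500Principal());
                    }
                    throw e;   // keep the handshake failure, exactly as CAS would
                }
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                real.checkClientTrusted(chain, authType);
            }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { logging }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(callbackUrl).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The value CAS's handler inspects through UrlUtils.getResponseCodeFromUrl (see the stack traces).
        System.out.println("response code: " + conn.getResponseCode());
    }
}
```

Run it with the same -Djavax.net.ssl.trustStore arguments as the Tomcat startup script; if the printed path or entry count is not what you expect, the CAS JVM is reading a different trust store than the one the certificates were imported into.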
On Oct 22, 2007, at 6:33 AM, Scott Battaglia wrote:
> Simon,
>
> If your proxied application is not using a commercial certificate,
> its certificate or the intermediary CA's certificate will need
> to be added to the cacerts file of the JVM that CAS is run on.
> This way CAS will trust the certificate and issue the proxy ticket.
>
> -Scott
>
> On 10/22/07, Simon Rousseau <sim_rouss_inf at hotmail.com> wrote:
> Hi,
>
> We are wondering about a little detail.
>
> When we want to use CAS in proxy mode, do we need to add the
> certificate from the distant server in the CAS cacert?
>
> I'm asking this because at this time, our application can
> successfully connect to the CAS server but when we read the CAS log
> we see an error in it. As you can see a service ticket is granted
> but in the second part an Exception is thrown on creation of the
> proxy ticket.
>
> 2007-10-17 11:01:17,658 INFO
> [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service
> ticket [ST-4-Z9y6r2ny5x1GpHF9nkrRbEtcrt6UlHfhtLZ-20] for service
> [http://ca-dti-simrou:8080/sakai-login-tool/container] for user
> [851s555]
> 2007-10-17 11:01:17,716 ERROR [org.jasig.cas.util.UrlUtils] -
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: No trusted certificate
> found
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: No trusted certificate
> found
> at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
> at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
> at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
> at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA12275)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake
> (DashoA12275)
> at sun.net.www.protocol.https.HttpsClient.afterConnect
> (DashoA12275)
> at
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(
> DashoA12275)
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream
> (HttpURLConnection.java:626)
> at java.net.HttpURLConnection.getResponseCode
> (HttpURLConnection.java:272)
> at
> sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode
> (DashoA12275)
> at org.jasig.cas.util.UrlUtils.getResponseCodeFromUrl
> (UrlUtils.java:45)
> at
> org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentia
> lsAuthenticationHandler.authenticate
> (HttpBasedServiceCredentialsAuthenticationHandler.java:63)
> at
> org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate
> (AuthenticationManagerImpl.java:79)
> at
> org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingT
> icket(CentralAuthenticationServiceImpl.java:195)
> at
> org.jasig.cas.web.ServiceValidateController.handleRequestInternal
> (ServiceValidateController.java:128)
> at
> org.springframework.web.servlet.mvc.AbstractController.handleRequest
> (AbstractController.java:139)
> at
> org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.han
> dle(SimpleControllerHandlerAdapter.java:44)
> at org.springframework.web.servlet.DispatcherServlet.doDispatch
> (DispatcherServlet.java:717)
> at org.springframework.web.servlet.DispatcherServlet.doService
> (DispatcherServlet.java:658)
> at
> org.springframework.web.servlet.FrameworkServlet.processRequest
> (FrameworkServlet.java:392)
> at org.springframework.web.servlet.FrameworkServlet.doGet
> (FrameworkServlet.java:347)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
> at org.jasig.cas.web.init.SafeDispatcherServlet.service
> (SafeDispatcherServlet.java:115)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
> (ApplicationFilterChain.java:252)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter
> (ApplicationFilterChain.java:173)
> at org.apache.catalina.core.StandardWrapperValve.invoke
> (StandardWrapperValvejava:213)
> at org.apache.catalina.core.StandardContextValve.invoke
> (StandardContextValvejava:178)
> at org.apache.catalina.core.StandardHostValve.invoke
> (StandardHostValve.java:126)
> at org.apache.catalina.valves.ErrorReportValve.invoke
> (ErrorReportValve.java:105)
> at org.apache.catalina.core.StandardEngineValve.invoke
> (StandardEngineValve.java:107)
> at org.apache.catalina.connector.CoyoteAdapter.service
> (CoyoteAdapter.java:148)
> at org.apache.jk.server.JkCoyoteHandler.invoke
> (JkCoyoteHandler.java:199)
> at org.apache.jk.common.HandlerRequest.invoke
> (HandlerRequest.java:282)
> at org.apache.jk.common.ChannelSocket.invoke
> (ChannelSocket.java:754)
> at org.apache.jk.common.ChannelSocket.processConnection
> (ChannelSocket.java:684)
> at org.apache.jk.common.ChannelSocket$SocketConnection.runIt
> (ChannelSocket.java:876)
> at org.apache.tomcat.util.threads.ThreadPool
> $ControlRunnable.run(ThreadPool.java:684)
> at java.lang.Thread.run(Thread.java:534)
> Caused by: sun.security.validator.ValidatorException: No trusted
> certificate found
> at sun.security.validator.SimpleValidator.buildTrustedChain
> (SimpleValidator.java:304)
> at sun.security.validator.SimpleValidator.engineValidate
> (SimpleValidator.java:107)
> at sun.security.validator.Validator.validate(Validator.java:202)
> at
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted
> (DashoA12275)
> at
> com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted
> (DashoA12275)
> ... 41 more
> 2007-10-17 11:01:17,720 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> AuthenticationHandler:
> org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentia
> lsAuthenticationHandler failed to authenticate the user.
> 2007-10-17 11:01:17,720 ERROR
> [org.jasig.cas.web.ServiceValidateController] - TicketException
> generating ticket for: https://ca-dti-simrou:8443/sakai-login-tool/
> CasProxyServlet
> org.jasig.cas.ticket.TicketCreationException:
> error.authentication.credentials.bad
> at
> org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingT
> icket(CentralAuthenticationServiceImpl.java:216)
> at
> org.jasig.cas.web.ServiceValidateController.handleRequestInternal
> (ServiceValidateController.java:128)
> at
> org.springframework.web.servlet.mvc.AbstractController.handleRequest
> (AbstractController.java:139)
> at
> org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.han
> dle(SimpleControllerHandlerAdapter.java:44)
> at org.springframework.web.servlet.DispatcherServlet.doDispatch
> (DispatcherServlet.java:717)
> at org.springframework.web.servlet.DispatcherServlet.doService
> (DispatcherServlet.java:658)
> at
> org.springframework.web.servlet.FrameworkServlet.processRequest
> (FrameworkServlet.java:392)
> at org.springframework.web.servlet.FrameworkServlet.doGet
> (FrameworkServlet.java:347)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
> at org.jasig.cas.web.init.SafeDispatcherServlet.service
> (SafeDispatcherServlet.java:115)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
> (ApplicationFilterChain.java:252)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter
> (ApplicationFilterChain.java:173)
> at org.apache.catalina.core.StandardWrapperValve.invoke
> (StandardWrapperValvejava:213)
> at org.apache.catalina.core.StandardContextValve.invoke
> (StandardContextValvejava:178)
> at org.apache.catalina.core.StandardHostValve.invoke
> (StandardHostValve.java:126)
> at org.apache.catalina.valves.ErrorReportValve.invoke
> (ErrorReportValve.java:105)
> at org.apache.catalina.core.StandardEngineValve.invoke
> (StandardEngineValve.java:107)
> at org.apache.catalina.connector.CoyoteAdapter.service
> (CoyoteAdapter.java:148)
> at org.apache.jk.server.JkCoyoteHandler.invoke
> (JkCoyoteHandler.java:199)
> at org.apache.jk.common.HandlerRequest.invoke
> (HandlerRequest.java:282)
> at org.apache.jk.common.ChannelSocket.invoke
> (ChannelSocket.java:754)
> at org.apache.jk.common.ChannelSocket.processConnection
> (ChannelSocket.java:684)
> at org.apache.jk.common.ChannelSocket$SocketConnection.runIt
> (ChannelSocket.java:876)
> at org.apache.tomcat.util.threads.ThreadPool
> $ControlRunnable.run(ThreadPool.java:684)
> at java.lang.Thread.run(Thread.java:534)
> Caused by: error.authentication.credentials.bad
> at
> org.jasig.cas.authentication.handler.BadCredentialsAuthenticationExcep
> tion.<clinit>(BadCredentialsAuthenticationException.java:25)
> at
> org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate
> (AuthenticationManagerImpl.java:101)
> at
> org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingT
> icket(CentralAuthenticationServiceImpl.java:195)
> ... 25 more
>
> I hope that you have enough details... If not write me back!
>
>
> Cheers,
>
> Simon Rousseau
> CSSMI
>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia