CAS proxy - can't receive PGTIOU
Dario Gallicchio
dario.gallicchio at zenvoo.ch
Thu Nov 29 10:39:53 EST 2007
Hello everybody,
I'm developing a virtual desktop system and I want to cas-ify it.
I'm trying to enable the CAS proxy mechanism, but it seems that I can't
receive any PGTIOU (nor any PGT). Referring to the Proxy CAS walkthrough
(http://www.ja-sig.org/wiki/display/CAS/Proxy+CAS+Walkthrough), I can
successfully accomplish steps 1 and 2.a. Then, I repeat step 1 and
successfully generate a new ticket, but when I try step 2.b I can only get a
partial response.
Here are the steps in more detail:
* Step 1
  * URL: https://cas.zenvoo.ch:8443/cas/login?http://www.zenvoo.ch
  * Received ticket: ST-15-M2JUs3V7pVubJMOt7RC
* Step 2.b
  * URL:
    https://cas.zenvoo.ch:8443/cas/serviceValidate?ticket=ST-15-M2JUs3V7pVubJMOt7RCb&service=http://www.zenvoo.ch&pgtUrl=https://voot.zenvoo.ch/help.php
    where voot.zenvoo.ch is a server with a correct certificate.
  * Received XML:
    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationSuccess>
        <cas:user>dariog</cas:user>
      </cas:authenticationSuccess>
    </cas:serviceResponse>
    As you can see, PGTIOU is missing.
  * The CAS server log file gives me the following error:
2007-11-29 15:25:18,731 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: https://voot.zenvoo.ch/help.php>
2007-11-29 15:25:18,731 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://voot.zenvoo.ch/help.php>
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:271)
    at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:125)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
    at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:857)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:792)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:475)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:430)
    at javax.servlet.http.HttpServlet.service(Unknown Source)
    at javax.servlet.http.HttpServlet.service(Unknown Source)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
    at org.apache.catalina.core.StandardWrapperValve.invoke(Unknown Source)
    at org.apache.catalina.core.StandardContextValve.invoke(Unknown Source)
    at org.apache.catalina.core.StandardHostValve.invoke(Unknown Source)
    at org.apache.catalina.valves.ErrorReportValve.invoke(Unknown Source)
    at org.apache.catalina.core.StandardEngineValve.invoke(Unknown Source)
    at org.apache.catalina.connector.CoyoteAdapter.service(Unknown Source)
    at org.apache.coyote.http11.Http11Processor.process(Unknown Source)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Unknown Source)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:595)
Caused by: error.authentication.credentials.bad
    at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
    at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:108)
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:242)
    ... 22 more
Seemingly, we've got a credential problem here, but I've dug a little into
the CAS server source code and found that
HttpBasedServiceCredentialsAuthenticationHandler.authenticate() calls
HttpClient.isValidEndPoint( url ), which at the end of the day creates an
HttpURLConnection object and calls its connect() method. I did the same in a
little test servlet, and I can successfully connect to the url
https://voot.zenvoo.ch/help.php. So my certificate should be ok. Yet, I
can't make it work in the Proxy mechanism.
Could anybody help me?
Thanks in advance
Dario Gallicchio
Zenvoo team
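
Added example (not part of the original post and not CAS project code): a small client-side check that builds the step 2.b request with each parameter percent-encoded and classifies the serviceValidate response, so that a valid ticket returned without a PGTIOU is reported as its own case. The function names, the "success_no_pgt" label and the PGTIOU and failure samples are constructed for illustration; the only protocol assumption is that CAS 2.0 returns the PGTIOU in the cas:proxyGrantingTicket element.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 response namespace

# Response quoted in the post: valid ticket, but no proxyGrantingTicket element.
RESPONSE_FROM_POST = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>dariog</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: a success in which the server accepted the pgtUrl callback.
CONSTRUCTED_WITH_PGTIOU = RESPONSE_FROM_POST.replace(
    "</cas:user>",
    "</cas:user>\n<cas:proxyGrantingTicket>PGTIOU-1-constructed</cas:proxyGrantingTicket>")

# Constructed sample: a rejected ticket.
CONSTRUCTED_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

def build_validate_url(cas_base, ticket, service, pgt_url=None):
    """Build the /serviceValidate URL with each parameter percent-encoded."""
    params = {"ticket": ticket, "service": service}
    if pgt_url:
        params["pgtUrl"] = pgt_url
    return cas_base.rstrip("/") + "/serviceValidate?" + urlencode(params)

def parse_validation(xml_text, pgt_requested):
    """Classify a serviceValidate response and extract user and PGTIOU."""
    root = ET.fromstring(xml_text)
    out = {"status": "malformed", "user": None, "pgtiou": None, "code": None}
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        out.update(status="failure", code=failure.get("code"))
        return out
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        return out
    out["user"] = (success.findtext("cas:user", "", NS) or "").strip() or None
    iou = (success.findtext("cas:proxyGrantingTicket", "", NS) or "").strip()
    out["pgtiou"] = iou or None
    # A valid ticket without a PGTIOU, when pgtUrl was sent, means the server
    # did not accept the callback URL; the reason is in the CAS server log.
    out["status"] = "success_no_pgt" if (pgt_requested and not iou) else "success"
    return out
```

For the response in the post, parse_validation(RESPONSE_FROM_POST, True) reports "success_no_pgt" for user dariog, which is the cue to read the server-side log rather than the client response.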