CAS proxy - can't receive PGTIOU
Scott Battaglia
scott.battaglia at gmail.com
Thu Nov 29 11:07:51 EST 2007
Dario,
I believe it also checks for certain HTTP status codes:
    private static final int[] DEFAULT_ACCEPTABLE_CODES = new int[] {
        HttpURLConnection.HTTP_OK, HttpURLConnection.HTTP_NOT_MODIFIED,
        HttpURLConnection.HTTP_MOVED_TEMP, HttpURLConnection.HTTP_MOVED_PERM,
        HttpURLConnection.HTTP_ACCEPTED};
Double check that it's returning one of those status codes. If you
turn on DEBUG logging for the HttpClient it should tell you. Older
versions of the client were "swallowing" one exception which is now
logged at error level. That may be part of the problem. (The latest
code has the fix.)
-Scott
On Nov 29, 2007 10:39 AM, Dario Gallicchio <dario.gallicchio at zenvoo.ch>
wrote:
>
> Hello everybody,
>
> I'm developing a virtual desktop system and I want to cas-ify it.
> I'm trying to enable the CAS proxy mechanism, but it seems that I can't
> receive any PGTIOU (and neither PGT). Referring to Proxy CAS walkthrough (
> http://www.ja-sig.org/wiki/display/CAS/Proxy+CAS+Walkthrough), I can
> successfully accomplish step 1 and 2.a. Then, I repeat step 1 and
> successfully generate a new ticket, but when I try step 2.b I can only get
> a partial response.
>
> Here are the steps in more detail:
>
>
> - Step 1
> - *URL* https://cas.zenvoo.ch:8443/cas/login?
> http://www.zenvoo.ch
> - *Received ticket* ST-15-M2JUs3V7pVubJMOt7RC
> - Step 2.b
> - *URL:*
> https://cas.zenvoo.ch:8443/cas/serviceValidate?ticket=ST-15-M2JUs3V7pVubJMOt7RCb&service=http://www.zenvoo.ch&pgtUrl=https://voot.zenvoo.ch/help.php
> where voot.zenvoo.ch is a server with a correct certificate.
> - *Received XML*:
>
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> <cas:authenticationSuccess>
> <cas:user>dariog</cas:user>
>
>
> </cas:authenticationSuccess>
> </cas:serviceResponse>
>
>
> As you can see, PGTIOU is missing.
>
> - The *CAS server log file* gives me the following error:
>
> 2007-11-29 15:25:18,731 INFO [
> org.jasig.cas.authentication.AuthenticationManagerImpl] -
> <AuthenticationHandler:
> org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials:
> https://voot.zenvoo.ch/help.php>
> 2007-11-29 15:25:18,731 ERROR [org.jasig.cas.web.ServiceValidateController]
> - <TicketException generating ticket for: https://voot.zenvoo.ch/help.php>
> org.jasig.cas.ticket.TicketCreationException:
> error.authentication.credentials.bad
> at
> org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket
> (CentralAuthenticationServiceImpl.java:271)
> at
> org.jasig.cas.web.ServiceValidateController.handleRequestInternal(
> ServiceValidateController.java:125)
> at
> org.springframework.web.servlet.mvc.AbstractController.handleRequest(
> AbstractController.java:153)
> at
> org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(
> SimpleControllerHandlerAdapter.java:48)
> at org.springframework.web.servlet.DispatcherServlet.doDispatch(
> DispatcherServlet.java:857)
> at org.springframework.web.servlet.DispatcherServlet.doService(
> DispatcherServlet.java:792)
> at org.springframework.web.servlet.FrameworkServlet.processRequest
> (FrameworkServlet.java:475)
> at org.springframework.web.servlet.FrameworkServlet.doGet(
> FrameworkServlet.java:430)
> at javax.servlet.http.HttpServlet.service(Unknown Source)
> at javax.servlet.http.HttpServlet.service(Unknown Source)
> at org.jasig.cas.web.init.SafeDispatcherServlet.service(
> SafeDispatcherServlet.java:115)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown
> Source)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown
> Source)
> at org.apache.catalina.core.StandardWrapperValve.invoke(Unknown
> Source)
> at org.apache.catalina.core.StandardContextValve.invoke(Unknown
> Source)
> at org.apache.catalina.core.StandardHostValve.invoke(Unknown
> Source)
> at org.apache.catalina.valves.ErrorReportValve.invoke(Unknown
> Source)
> at org.apache.catalina.core.StandardEngineValve.invoke(Unknown
> Source)
> at org.apache.catalina.connector.CoyoteAdapter.service(Unknown
> Source)
> at org.apache.coyote.http11.Http11Processor.process(Unknown
> Source)
> at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Unknown
> Source)
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(Unknown
> Source)
> at java.lang.Thread.run(Thread.java:595)
> Caused by: error.authentication.credentials.bad
> at
> org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException
> .<clinit>(BadCredentialsAuthenticationException.java:25)
> at
> org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(
> AuthenticationManagerImpl.java:108)
> at
> org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket
> (CentralAuthenticationServiceImpl.java:242)
> ... 22 more
>
> Seemingly, we've got a credential problem here, but I've dug a little
> into CAS server source code and found that
> HttpBasedServiceCredentialsAuthenticationHandler.authenticate() calls
> HttpClient.isValidEndPoint( url ), that at the end of the day creates an
> HttpURLConnection object and calls its connect() method. I did the same in a
> little test servlet, and I can successfully connect to the url
> https://voot.zenvoo.ch/help.php. So my certificate should be ok. Yet, I
> can't make it work in the Proxy mechanism.
> Could anybody help me?
>
> Thanks in advance
>
> Dario Gallicchio
> Zenvoo team
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
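
Added example, not part of the original thread and not CAS source code: a small Java check showing why a successful connect() does not by itself mean a callback URL passes a status-code allow-list like the one quoted in the reply. The class name, the helper hasAcceptableStatus, the timeouts, the redirect setting and the local test server are assumptions made for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;

// Added example (not CAS source): a reachable endpoint can still fail a
// status-code allow-list, so testing connect() alone is not sufficient.
public class CallbackStatusCheck {
    // Same allow-list as quoted in the reply above.
    private static final int[] DEFAULT_ACCEPTABLE_CODES = new int[] {
        HttpURLConnection.HTTP_OK, HttpURLConnection.HTTP_NOT_MODIFIED,
        HttpURLConnection.HTTP_MOVED_TEMP, HttpURLConnection.HTTP_MOVED_PERM,
        HttpURLConnection.HTTP_ACCEPTED};

    // Hypothetical helper: connect, read the status, compare it to the list.
    static boolean hasAcceptableStatus(URL url) throws Exception {
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        c.setInstanceFollowRedirects(false); // report the endpoint's own status
        c.setConnectTimeout(5000);           // assumed timeouts, in milliseconds
        c.setReadTimeout(5000);
        try {
            c.connect();                     // only opens the connection
            int code = c.getResponseCode();  // the request is sent here
            System.out.println(url + " -> HTTP " + code);
            for (int ok : DEFAULT_ACCEPTABLE_CODES) {
                if (code == ok) return true;
            }
            return false;
        } finally {
            c.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed local server standing in for a proxy callback host.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/ok", ex -> { ex.sendResponseHeaders(200, -1); ex.close(); });
        server.createContext("/missing", ex -> { ex.sendResponseHeaders(404, -1); ex.close(); });
        server.start();
        try {
            String base = "http://127.0.0.1:" + server.getAddress().getPort();
            System.out.println("accepted: " + hasAcceptableStatus(new URL(base + "/ok")));
            System.out.println("accepted: " + hasAcceptableStatus(new URL(base + "/missing")));
        } finally {
            server.stop(0);
        }
    }
}
```

Both requests connect successfully; only the status code distinguishes the endpoint that passes the allow-list from the one that does not.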