CAS proxy mode

Scott Battaglia scott.battaglia at gmail.com
Mon Oct 22 09:33:28 EDT 2007


Simon,

If your proxied application is not using a commercial certificate, its
certificate or the intermediary CA's certificate will need to be added to
the cacerts file of the JVM that CAS is run on.  This way CAS will trust the
certificate and issue the proxy ticket.

-Scott

On 10/22/07, Simon Rousseau <sim_rouss_inf at hotmail.com> wrote:
>
>   Hi,
>
> We are wondering about a little detail.
>
> When we want to use CAS in proxy mode, do we need to add the certificate
> from the distant server in the CAS cacert?
>
> I'm asking this because at this time, our application can successfully
> connect to the CAS server but when we read the CAS log we see an error in
> it. As you can see a service ticket is granted but in the second part an
> Exception is thrown on creation of the proxy ticket.
>
> 2007-10-17 11:01:17,658 INFO [
> org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket
> [ST-4-Z9y6r2ny5x1GpHF9nkrRbEtcrt6UlHfhtLZ-20] for service [
> http://ca-dti-simrou:8080/sakai-login-tool/container] for user [851s555]
> 2007-10-17 11:01:17,716 ERROR [org.jasig.cas.util.UrlUtils] -
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: No trusted certificate found
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: No trusted certificate found
>      at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
>      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
>      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
>      at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
>      at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
>      at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
>      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
>      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
>      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA12275)
>      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake
> (DashoA12275)
>      at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA12275)
>      at
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect
> (DashoA12275)
>      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
> HttpURLConnection.java:626)
>      at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java
> :272)
>      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode
> (DashoA12275)
>      at org.jasig.cas.util.UrlUtils.getResponseCodeFromUrl(UrlUtils.java
> :45)
>      at
> org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate
>
>     (HttpBasedServiceCredentialsAuthenticationHandler.java:63)
>      at
> org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(
> AuthenticationManagerImpl.java:79)
>      at
> org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket
> (CentralAuthenticationServiceImpl.java:195)
>      at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(
> ServiceValidateController.java:128)
>      at
> org.springframework.web.servlet.mvc.AbstractController.handleRequest(
> AbstractController.java:139)
>      at
> org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(
> SimpleControllerHandlerAdapter.java:44)
>      at org.springframework.web.servlet.DispatcherServlet.doDispatch(
> DispatcherServlet.java:717)
>      at org.springframework.web.servlet.DispatcherServlet.doService(
> DispatcherServlet.java:658)
>      at org.springframework.web.servlet.FrameworkServlet.processRequest(
> FrameworkServlet.java:392)
>      at org.springframework.web.servlet.FrameworkServlet.doGet(
> FrameworkServlet.java:347)
>      at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
>      at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
>      at org.jasig.cas.web.init.SafeDispatcherServlet.service(
> SafeDispatcherServlet.java:115)
>      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
> ApplicationFilterChain.java:252)
>      at org.apache.catalina.core.ApplicationFilterChain.doFilter(
> ApplicationFilterChain.java:173)
>      at org.apache.catalina.core.StandardWrapperValve.invoke
> (StandardWrapperValvejava:213)
>      at org.apache.catalina.core.StandardContextValve.invoke
> (StandardContextValvejava:178)
>      at org.apache.catalina.core.StandardHostValve.invoke(
> StandardHostValve.java:126)
>      at org.apache.catalina.valves.ErrorReportValve.invoke(
> ErrorReportValve.java:105)
>      at org.apache.catalina.core.StandardEngineValve.invoke(
> StandardEngineValve.java:107)
>      at org.apache.catalina.connector.CoyoteAdapter.service(
> CoyoteAdapter.java:148)
>      at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java
> :199)
>      at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java
> :282)
>      at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:754)
>      at org.apache.jk.common.ChannelSocket.processConnection(
> ChannelSocket.java:684)
>      at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(
> ChannelSocket.java:876)
>      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(
> ThreadPool.java:684)
>      at java.lang.Thread.run(Thread.java:534)
> Caused by: sun.security.validator.ValidatorException: No trusted
> certificate found
>      at sun.security.validator.SimpleValidator.buildTrustedChain(
> SimpleValidator.java:304)
>      at sun.security.validator.SimpleValidator.engineValidate(
> SimpleValidator.java:107)
>      at sun.security.validator.Validator.validate(Validator.java:202)
>      at
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted
> (DashoA12275)
>      at
> com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted
> (DashoA12275)
>      ... 41 more
> 2007-10-17 11:01:17,720 INFO [
> org.jasig.cas.authentication.AuthenticationManagerImpl] -
> AuthenticationHandler:
> org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandlerfailed to authenticate the user.
> 2007-10-17 11:01:17,720 ERROR [org.jasig.cas.web.ServiceValidateController]
> - TicketException generating ticket for:
> https://ca-dti-simrou:8443/sakai-login-tool/CasProxyServlet
> org.jasig.cas.ticket.TicketCreationException:
> error.authentication.credentials.bad
>      at
> org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket
> (CentralAuthenticationServiceImpl.java:216)
>      at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(
> ServiceValidateController.java:128)
>      at
> org.springframework.web.servlet.mvc.AbstractController.handleRequest(
> AbstractController.java:139)
>      at
> org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(
> SimpleControllerHandlerAdapter.java:44)
>      at org.springframework.web.servlet.DispatcherServlet.doDispatch(
> DispatcherServlet.java:717)
>      at org.springframework.web.servlet.DispatcherServlet.doService(
> DispatcherServlet.java:658)
>      at org.springframework.web.servlet.FrameworkServlet.processRequest(
> FrameworkServlet.java:392)
>      at org.springframework.web.servlet.FrameworkServlet.doGet(
> FrameworkServlet.java:347)
>      at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
>      at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
>      at org.jasig.cas.web.init.SafeDispatcherServlet.service(
> SafeDispatcherServlet.java:115)
>      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
> ApplicationFilterChain.java:252)
>      at org.apache.catalina.core.ApplicationFilterChain.doFilter(
> ApplicationFilterChain.java:173)
>      at org.apache.catalina.core.StandardWrapperValve.invoke
> (StandardWrapperValvejava:213)
>      at org.apache.catalina.core.StandardContextValve.invoke
> (StandardContextValvejava:178)
>      at org.apache.catalina.core.StandardHostValve.invoke(
> StandardHostValve.java:126)
>      at org.apache.catalina.valves.ErrorReportValve.invoke(
> ErrorReportValve.java:105)
>      at org.apache.catalina.core.StandardEngineValve.invoke(
> StandardEngineValve.java:107)
>      at org.apache.catalina.connector.CoyoteAdapter.service(
> CoyoteAdapter.java:148)
>      at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java
> :199)
>      at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java
> :282)
>      at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:754)
>      at org.apache.jk.common.ChannelSocket.processConnection(
> ChannelSocket.java:684)
>      at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(
> ChannelSocket.java:876)
>      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(
> ThreadPool.java:684)
>      at java.lang.Thread.run(Thread.java:534)
> Caused by: error.authentication.credentials.bad
>      at
> org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException
> .<clinit>(BadCredentialsAuthenticationException.java:25)
>      at
> org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(
> AuthenticationManagerImpl.java:101)
>      at
> org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket
> (CentralAuthenticationServiceImpl.java:195)
>      ... 25 more
>
> I hope that you have enough details... If not write me back!
>
>
> Cheers,
>
> Simon Rousseau
> CSSMI
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
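Added example, not code from the thread or from the CAS project, of the import Scott describes: fetch the certificate the proxied application presents on its pgtUrl (the CasProxyServlet host and port from the log above), locate the cacerts file of the JVM that runs CAS, and import it under a stable alias so CAS's HTTPS callback no longer fails with "No trusted certificate found". It assumes keytool and openssl are on PATH, that JAVA_HOME points at the JVM running CAS, and that STOREPASS (default "changeit") is the truststore password; the alias scheme, the helper names and the port default are my own choices.

```shell
#!/bin/sh
# Added example, not code from the CAS project or the thread: make the JVM
# running CAS trust the certificate of a proxied application so the HTTPS
# callback to its pgtUrl (the CasProxyServlet URL in the log) validates.
# Assumptions: keytool and openssl are on PATH, JAVA_HOME points at the JVM
# that runs CAS, and STOREPASS (default "changeit") is the truststore password.
set -eu

# Locate the default truststore: a JDK 5-8 keeps it under jre/lib/security,
# a plain JRE (and JDK 9+) under lib/security.
cacerts_path() {
    home="$1"
    if [ -f "$home/jre/lib/security/cacerts" ]; then
        printf '%s\n' "$home/jre/lib/security/cacerts"
    elif [ -f "$home/lib/security/cacerts" ]; then
        printf '%s\n' "$home/lib/security/cacerts"
    else
        echo "no cacerts found under $home" >&2
        return 1
    fi
}

# Stable, lower-case alias per proxied host so a second run detects the entry.
alias_for_host() {
    printf 'cas-proxy-%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# Fetch the certificate the proxied server presents (leaf only). Importing the
# issuing CA's certificate instead is preferable: it survives leaf rotation.
fetch_server_cert() {
    host="$1"; port="${2:-8443}"; out="$3"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
    [ -s "$out" ] || { echo "no certificate received from $host:$port" >&2; return 1; }
}

# Idempotent import: skip if the alias exists, otherwise import and verify.
import_cert() {
    store="$1"; alias="$2"; certfile="$3"; storepass="${4:-changeit}"
    if keytool -list -keystore "$store" -storepass "$storepass" -alias "$alias" >/dev/null 2>&1; then
        echo "alias $alias already in $store; 'keytool -delete' it first if the certificate was rotated" >&2
        return 0
    fi
    # JDK 5 keytool spells this -import; -importcert is accepted from JDK 6 on.
    keytool -importcert -noprompt -trustcacerts -keystore "$store" \
        -storepass "$storepass" -alias "$alias" -file "$certfile"
    keytool -list -keystore "$store" -storepass "$storepass" -alias "$alias"
}

main() {
    host="$1"; certfile="${2:-}"
    store=$(cacerts_path "${JAVA_HOME:?set JAVA_HOME to the JVM that runs CAS}")
    if [ -z "$certfile" ]; then
        certfile=$(mktemp)
        fetch_server_cert "$host" "${PORT:-8443}" "$certfile"
    fi
    import_cert "$store" "$(alias_for_host "$host")" "$certfile" "${STOREPASS:-changeit}"
    echo "now restart the CAS JVM: the truststore is read once, at first TLS use" >&2
}

# Usage: sh trust-proxy-cert.sh ca-dti-simrou [cert.pem]
if [ $# -ge 1 ]; then
    main "$@"
fi
```

Two practical points the one-line answer leaves implicit: the JVM loads cacerts once, so CAS must be restarted after the import, and editing the JDK's own cacerts file is undone by the next JDK upgrade. A separate truststore passed with -Djavax.net.ssl.trustStore (and -Djavax.net.ssl.trustStorePassword) on the CAS JVM's command line keeps the entry under your control.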