After I login CAS, it cannot redirect me to the application -- please help
Edward Chen
edwardc at wolfram.com
Mon Feb 11 17:59:55 EST 2008
Here is the copy from Tomcat for your reference to troubleshoot my problem.
I join to Tomcat, click on /servlets-examples
<http://edwardscwin.wri.wolfram.com:8080/servlets-examples> and then pop
up the CAS login page, I input "uday" "uday", then have the following
from Tomcat

2008-02-11 16:50:13,328 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: uday>
2008-02-11 16:50:13,328 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-2-AWyE2SiAax0h9CmPkAimYOKigmbNdLjc2QZ-20] for service [http://edwardscwin.wri.wolfram.com:8080/servlets-examples/servlet/HelloWorldExample] for user [uday]>
Feb 11, 2008 4:50:13 PM edu.yale.its.tp.cas.client.CASReceipt getReceipt
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://edwardscwin.wri.wolfram.com:8443/cas/serviceValidate] ticket=[ST-2-AWyE2SiAax0h9CmPkAimYOKigmbNdLjc2QZ-20] service=[http%3A%2F%2Fedwardscwin.wri.wolfram.com%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]
Feb 11, 2008 4:50:13 PM edu.yale.its.tp.cas.client.filter.CASFilter doFilter
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://edwardscwin.wri.wolfram.com:8443/cas/serviceValidate] ticket=[ST-2-AWyE2SiAax0h9CmPkAimYOKigmbNdLjc2QZ-20] service=[http%3A%2F%2Fedwardscwin.wri.wolfram.com%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]

Scott Battaglia wrote:
> You need add the certificate to your keystore (which is where it
> failed). Find the JVM that you use to start up Tomcat and follow the
> keystore instructions. The path should be something like
> %JAVA_HOME%\jre\lib\security\cacerts
>
> -Scott
>
> On Feb 11, 2008 4:34 PM, Edward Chen <edwardc at wolfram.com
> <mailto:edwardc at wolfram.com>> wrote:
>
> Hi,
>
> I am using XP and tomcat 5.5 to do the CAS
>
> Please help me troubleshoot/fix this. It's urgent.
>
> I follow the demo to install CAS demo from the following website
>
> http://www.ja-sig.org/wiki/display/CASUM/Demo
>
>
> Step 1: Install JDK Version
>
> I am Ok with step 1
>
>
> Step 2: Used keytool to self-author a server certificate for DEMO
>
>
> I have the following error
>
> .......
> .......
> C:\Program Files\Java\jre1.5.0_06\bin>keytool -export -alias tomcat -keypass changeit -file server.crt
> Enter keystore password: changeit
> Certificate stored in file <server.crt>
>
> C:\Program Files\Java\jre1.5.0_06\bin>keytool -import -file server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts
> Enter keystore password: changeit
> Owner: CN=edwardscwin.wri.wolfram.com, OU=R&D, O=WRI, L=Champaign, ST=IL, C=US
> Issuer: CN=edwardscwin.wri.wolfram.com, OU=R&D, O=WRI, L=Champaign, ST=IL, C=US
> Serial number: 47b0b802
> Valid from: Mon Feb 11 15:02:58 CST 2008 until: Sun May 11 16:02:58 CDT 2008
> Certificate fingerprints:
> MD5: 45:25:94:AB:52:2B:F2:92:68:8F:F0:39:19:80:59:82
> SHA1: 08:88:37:A1:1C:52:A5:33:0F:51:68:34:81:F9:DF:83:05:41:65:B6
> Trust this certificate? [no]: yes
> Certificate was added to keystore
> keytool error: java.io.FileNotFoundException: ..\jre\lib\security\cacerts (The system cannot find the path specified)
>
> C:\Program Files\Java\jre1.5.0_06\bin>
>
>
> Step 3: Install Tomcat
>
> I am ok with step 3
>
>
> Step 4: Configure Tomcat server.xml
>
> I modify it with the following
>
> <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
> <Connector port="8443" maxHttpHeaderSize="8192"
> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> enableLookups="false" disableUploadTimeout="true"
> acceptCount="100" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"
> keystoreFile="C:/Documents and Settings/edwardc.WRI/.keystore"
> keystorePass="changeit"
> truststoreFile="C:/Program Files/Java/jre1.6.0_03/lib/security/cacerts" />
>
>
> Step 5: CASify HelloWorld Servlet
>
> I modify as the following
>
> <filter>
> <filter-name>CAS Filter</filter-name>
> <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
> <init-param>
> <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
> <param-value>https://edwardscwin.wri.wolfram.com:8443/cas/login</param-value>
>
> </init-param>
> <init-param>
> <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
> <param-value>https://edwardscwin.wri.wolfram.com:8443/cas/serviceValidate</param-value>
>
> </init-param>
> <init-param>
> <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
> <param-value>edwardscwin.wri.wolfram.com:8080</param-value>
> </init-param>
> </filter>
>
> <filter-mapping>
> <filter-name>CAS Filter</filter-name>
> <url-pattern>/servlet/HelloWorldExample</url-pattern>
> </filter-mapping>
>
> Do I need to change/modify anything about edu.yale.its.tp.cas.client.filter?
>
>
> Step 6: Drop CAS Client jar into the servlets-examples context
>
> I am ok with it
>
>
> Step 7: Download and Deploy CAS
>
> I am ok. I can see the CAS login page and use uday to login with no
> problem.
>
>
> Step 8. Clean start
>
> OK
>
>
> step 9. TRY IT
>
> * Use fresh browser session to access
>
> http://edwardscwin.wri.wolfram.com:8080/servlets-examples/servlet/HelloWorldExample
>
> <http://compA:8080/servlets-examples/servlet/HelloWorldExample>
> * Get past all browser alerts/warnings to CAS login page OK to
> see this login page
> * Log in as uday/uday (or any username=password string) OK
> * Again see all sorts of alerts/warnings
> * See Hello World...success. No, I don't see "Hello World". With the
> following error
>
>
> HTTP Status 500 -
>
> ------------------------------------------------------------------------
>
> *type* Exception report
>
> *message*
>
> *description* _The server encountered an internal error () that
> prevented it from fulfilling this request._
>
> *exception*
>
> javax.servlet.ServletException: Unable to validate
> ProxyTicketValidator
> [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
> [edu.yale.its.tp.cas.client.ServiceTicketValidator
> casValidateUrl=[https://edwardscwin.wri.wolfram.com:8443/cas/serviceValidate]
> ticket=[ST-6-KccdFv1sOQLyAXZzobchx6hFodfADs6AVe6-20]
> service=[http%3A%2F%2Fedwardscwin.wri.wolfram.com%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample]
> renew=false]]]
>
> edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:381)
>
>
> *root cause*
>
> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to
> validate ProxyTicketValidator
> [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
> [edu.yale.its.tp.cas.client.ServiceTicketValidator
> casValidateUrl=[https://edwardscwin.wri.wolfram.com:8443/cas/serviceValidate]
> ticket=[ST-6-KccdFv1sOQLyAXZzobchx6hFodfADs6AVe6-20]
> service=[http%3A%2F%2Fedwardscwin.wri.wolfram.com%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample]
> renew=false]]]
>
> edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
>
> edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
>
>
> edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
>
>
> *root cause*
>
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
> com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
> com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>
> com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown
> Source)
>
> com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown
> Source)
> com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
> com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown
> Source)
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown
> Source)
>
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown
> Source)
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown
> Source)
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown
> Source)
> sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown
> Source)
> sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown
> Source)
>
> sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown
> Source)
> edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
>
> edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
>
>
> edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
>
> edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
>
>
> edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
>
>
> *root cause*
>
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> sun.security.validator.PKIXValidator.doBuild(Unknown Source)
> sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
> sun.security.validator.Validator.validate(Unknown Source)
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown
> Source)
>
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown
> Source)
>
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown
> Source)
>
> com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown
> Source)
>
> com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown
> Source)
> com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
> com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown
> Source)
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown
> Source)
>
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown
> Source)
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown
> Source)
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown
> Source)
> sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown
> Source)
> sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown
> Source)
>
> sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown
> Source)
> edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
>
> edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
>
>
> edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
>
> edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
>
>
> edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
>
>
> *root cause*
>
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown
> Source)
> java.security.cert.CertPathBuilder.build(Unknown Source)
> sun.security.validator.PKIXValidator.doBuild(Unknown Source)
> sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
> sun.security.validator.Validator.validate(Unknown Source)
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown
> Source)
>
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown
> Source)
>
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown
> Source)
>
> com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown
> Source)
>
> com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown
> Source)
> com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
> com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown
> Source)
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown
> Source)
>
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown
> Source)
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown
> Source)
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown
> Source)
> sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown
> Source)
> sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown
> Source)
>
> sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown
> Source)
> edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
>
> edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
>
>
> edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
>
> edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
>
>
> edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
>
>
> *note* _The full stack trace of the root cause is available in the
> Apache Tomcat/5.5.25 logs._
>
> ------------------------------------------------------------------------
>
>
> Apache Tomcat/5.5.25
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu <mailto:cas at tp.its.yale.edu>
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
>
>
> --
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>