[long] various problems with demo installation (casServerUrlPrefix, parsing error, PKIX)

Bergmann Gábor zerobaba at gmail.com
Fri Feb 29 19:20:52 EST 2008


Hi!

I'm absolutely new to CAS (and single sign-on). I'm trying to establish a demo setup not entirely unlike the Demo featured in the User's Manual Wiki 
(http://www.ja-sig.org/wiki/display/CASUM/Demo). I've run into three show-stopping problems, and would like to kindly ask for any assistance or wisdom to share 
on whether I made trivial mistakes or stumbled upon actual bugs. The first one is Cas10TicketValidationFilter requesting casServerUrlPrefix even though it is 
specified; the second one is a SAML parsing error, and the third one is an SSLHandshake/PKIX failure.

For the sake of simplicity, let's call the machines compA and compB. The first one runs the CAS server, both of them aim to run trivial CAS client applications.
compA runs debian etch (stable), Sun java 5 and tomcat 5.5.20 (listening on ports 8180 and 8443) with cas-server-3.2 deployed.
compB runs debian lenny (testing), Sun java 6 and glassfish v2ur1 (listening on ports 8080 and 8181).
Client projects are simple Java web applications using cas-client-core-3.1.1.jar, commons-codec-1.3.jar, commons-logging-1.1.jar, log4j-1.2.15.jar, 
opensaml-1.1b.jar, xmlsec-1.3.0.jar, xalan-j 2.7.1.



--------------------------

PROBLEM 1 - casServerUrlPrefix
If I try to configure the client services with a Cas10TicketValidationFilter, they wouldn't even deploy on either machine, complaining that the parameter 
casServerUrlPrefix is unspecified, regardless of whether it was provided as an init-param, a context-param, or even both. How come?

* Exception received on deploying:

Exception starting filter CAS Validation Filter java.lang.IllegalArgumentException: casServerUrlPrefix cannot be null. at 
org.jasig.cas.client.util.CommonUtils.assertNotNull(CommonUtils.java:42) at 
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.<init>(AbstractUrlBasedTicketValidator.java:53) at 
org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.<init>(AbstractCasProtocolUrlBasedTicketValidator.java:24) at 
org.jasig.cas.client.validation.Cas10TicketValidator.<init>(Cas10TicketValidator.java:22) at
....

* web.xml:

<context-param>
    <param-name>serverName</param-name>
    <param-value>https://compA:8443 OR https://compB:8181, WHICHEVER APPLIES</param-value>
</context-param>
<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://compA:8443/cas/login</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <!--<filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>-->
    <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://compA:8443/cas</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<!-- filter-mappings, listeners, etc omitted -->

--------------------------

PROBLEM 2 - parsing error

If the client is using Saml11TicketValidationFilter, it can be successfully deployed onto compA. It starts successfully and redirects the browser to CAS, but when 
the browser returns from CAS, a parsing error exception is thrown. What could be wrong?

* exception received when delivering the ticket to https://compA:8443/AnotherTestClient/?ticket=ST-11-SWXHLHRjFR9mKuZl6cOP-cas:

java.lang.NumberFormatException: For input string: ""
	java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
	java.lang.Integer.parseInt(Integer.java:468)
	java.lang.Integer.parseInt(Integer.java:497)
	org.opensaml.SAMLResponse.fromDOM(Unknown Source)
	org.opensaml.SAMLResponse.<init>(Unknown Source)
	org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:46)
...

* quote from catalina logs:

2008-03-01 00:34:40,310 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-11-SWXHLHRjFR9mKuZl6cOP-cas] for service 
[https://compA:8443/AnotherTestClient/] for user [asd]>
2008-03-01 00:38:53,103 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Starting cleaning of expired tickets from ticket registry 
at [Sat Mar 01 00:38:53 GMT+01:00 2008]>
2008-03-01 00:38:53,104 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <1 found to be removed.  Removing now.>
2008-03-01 00:38:53,117 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Finished cleaning of expired tickets from ticket registry 
at [Sat Mar 01 00:38:53 GMT+01:00 2008]>



--------------------------

PROBLEM 3 - PKIX

If the client is using Saml11TicketValidationFilter, it can be successfully deployed onto compB. It starts successfully and redirects the browser to CAS, but when 
the browser returns from CAS, an SSL handshake exception is thrown.

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

With test certificates, this should be expected. However, the funny thing is, I've read http://www.ja-sig.org/wiki/display/CASUM/Demo and the more detailed 
http://blogs.sun.com/andreas/entry/no_more_unable_to_find, and followed their instructions.

I've even verified that compB's cacerts store contains compA, see below:

* compA keystore: (tomcat is configured to use this)
compA:~# keytool -list -keystore ~/.keystore -v
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: 2008.02.26.
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=compA, OU=...
Issuer: CN=compA, OU=...
Serial number: 47c34dad
Valid from: Tue Feb 26 00:22:21 GMT+01:00 2008 until: Mon May 26 00:22:21 GMT+01:00 2008
Certificate fingerprints:
          MD5:  D0:75:F7:08:EB:EF:18:1D:3A:0A:14:7F:39:83:94:B4
          SHA1: 62:AF:2F:03:88:02:10:21:6D:2A:EF:C9:16:27:4F:4A:6F:84:B6:E7


* compB cacerts:
compB:/usr/share/glassfish# keytool -list -keystore /etc/java-6-sun/security/cacerts
...
compA-1, 2008.02.28., trustedCertEntry,
Certificate fingerprint (MD5): D0:75:F7:08:EB:EF:18:1D:3A:0A:14:7F:39:83:94:B4
...

This looks all right to me. I'm not very experienced with Java and PKI; what did I do wrong?


--------------------

Dear CAS community mailing list, could you please provide me any help or suggestions?

Thanks in advance,
BERGMANN Gábor, CAS newbie
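
An added diagnostic for Problem 3, written for this page and not part of the original post or the CAS project: it loads a JKS truststore explicitly, performs a TLS handshake against the CAS host, and reports the chain the server presented and whether each certificate is actually an entry in that store. Host, port, path and password defaults are assumptions; note that an application server such as GlassFish may set javax.net.ssl.trustStore to its own domain config/cacerts.jks rather than the JRE cacerts that was populated, which this check makes visible by printing the store it tested.

```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;

// Diagnostic for "PKIX path building failed": handshake with a chosen truststore and show what the server sent.
public class CasTrustCheck {
    // Hypothetical defaults; args: host port truststore-path truststore-password
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "compA";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;
        String store = args.length > 2 ? args[2] : System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");   // JVM default location
        char[] pass = (args.length > 3 ? args[3] : "changeit").toCharArray();
        System.out.println("Truststore under test: " + store);
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(store), pass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        final X509TrustManager pkix = (X509TrustManager) tmf.getTrustManagers()[0];
        final X509Certificate[][] seen = new X509Certificate[1][];
        // Records the presented chain, then defers the real trust decision to the normal PKIX manager.
        X509TrustManager recording = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                seen[0] = c; pkix.checkServerTrusted(c, a);
            }
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { pkix.checkClientTrusted(c, a); }
            public X509Certificate[] getAcceptedIssuers() { return pkix.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recording }, null);
        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try { sock.startHandshake(); System.out.println("Handshake OK: chain validates against " + store); }
        catch (SSLHandshakeException e) { System.out.println("Handshake FAILED: " + e.getMessage()); }
        finally { sock.close(); }
        if (seen[0] == null) return;   // failed before any certificate was presented
        for (X509Certificate c : seen[0]) {
            String alias = ks.getCertificateAlias(c);   // null unless this exact certificate is an entry
            System.out.println("server sent " + c.getSubjectX500Principal() + " SHA1=" + fingerprint(c)
                    + (alias != null ? " (in store as '" + alias + "')" : " (NOT in store)"));
        }
    }
    // Same SHA1 fingerprint format as keytool -list -v, so output can be compared with the listings above.
    static String fingerprint(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) sb.append(i > 0 ? ":" : "").append(String.format("%02X", d[i]));
        return sb.toString();
    }
}
```

This checks PKIX path building only; hostname matching (the CN=compA in the certificate against the host in the URL) is a separate check that HttpsURLConnection performs and a raw SSLSocket does not.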