CAS Java Client on JBOSS
Adam Rybicki
arybicki at unicon.net
Mon Jan 7 12:54:25 EST 2008
Srikar,
This should be an FAQ, but it isn't. I have searched through the "usual
suspects" sites:
* CAS site FAQ <http://www.ja-sig.org/products/cas/client/faq.html>
* Yale CAS Client distribution Wiki pages <http://www.ja-sig.org/wiki/display/CASC/Yale+CAS+client+distribution>
* Legacy Java CAS client Google code page <http://code.google.com/p/legacy-java-cas-client/>
I found no information to help you address your issue. This should be
fixed. I hope that Scott or someone else can suggest how and where to
add this information.
Anyway, it appears that you are using the Yale CAS client. The client
attempts to verify the service ticket it received from CAS, and when it
tries to connect to the CAS server, it encounters a
javax.net.ssl.SSLHandshakeException. This is usually caused by using a
self-signed SSL certificate on the CAS server. The Java process running
JBoss does not trust the certificate presented by the CAS server. This
is part of Java security.
You can either fix it by using a properly signed certificate or work
around the issue by telling Java to trust your self-signed certificate.
I don't have a complete tutorial here, but you have to use Java's
"keytool" command, its "-import" option, the "-trustcacerts" option, and
you should add it to Java's "cacerts" keystore file. On Linux this
will likely require root access. I don't think that Java will trust a
certificate added to a user-specific keystore. This message
<http://article.gmane.org/gmane.comp.java.jasig.cas.user/458/match=keytool>
in the mailing list archives starts with instructions for importing the
self-signed certificate into the "cacerts" keystore.
Anyhow, please let me know if this helps.
Adam
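The keytool procedure Adam outlines, written out as an added shell example that is not part of the original thread. The CAS host and port are taken from Srikar's log; the helper names, the "cas-server" alias and the stock "changeit" cacerts password are assumptions for illustration.

```shell
#!/bin/sh
# Added example: make the JVM that runs JBoss trust the CAS server's
# self-signed certificate by importing it into the JRE-wide cacerts.

# Locate the cacerts keystore under a JDK/JRE home. Older JDKs keep it in
# jre/lib/security, newer ones in lib/security. Returns 1 if neither exists.
cacerts_path() {
    _home="${1:-$JAVA_HOME}"
    if [ -f "$_home/jre/lib/security/cacerts" ]; then
        echo "$_home/jre/lib/security/cacerts"
    elif [ -f "$_home/lib/security/cacerts" ]; then
        echo "$_home/lib/security/cacerts"
    else
        return 1
    fi
}

# Save the certificate the CAS server actually presents on its HTTPS port
# as PEM. Run this on the JBoss host so you capture what the client sees.
fetch_cas_cert() {
    _host="$1"; _port="$2"; _out="$3"
    openssl s_client -connect "$_host:$_port" -servername "$_host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$_out"
}

# Import the saved certificate with keytool -import -trustcacerts, as Adam
# describes. "changeit" is the default cacerts password (assumed unchanged).
# Writing to cacerts normally needs root on Linux.
import_cas_cert() {
    _alias="$1"; _cert="$2"; _store="$3"; _pass="${4:-changeit}"
    keytool -import -trustcacerts -noprompt -alias "$_alias" \
        -file "$_cert" -keystore "$_store" -storepass "$_pass"
}

# Check that the alias is now in the keystore; non-zero exit if it is not.
cas_cert_trusted() {
    keytool -list -keystore "$2" -storepass "${3:-changeit}" -alias "$1" >/dev/null 2>&1
}

# Example run against the server from the log (set JAVA_HOME first):
# fetch_cas_cert alx-dev-wrk04.wwre.org 8444 /tmp/cas-server.pem
# import_cas_cert cas-server /tmp/cas-server.pem "$(cacerts_path)"
# cas_cert_trusted cas-server "$(cacerts_path)" && echo "CAS certificate trusted"
```

The JVM reads cacerts once at startup, so restart JBoss after the import. Compare the fingerprint shown by `keytool -list -v` with the one on the CAS server before trusting it, so you are not importing a certificate from some other host sitting on that port.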
Srikar Kummamuri wrote:
>
> I am trying to integrate an existing JBOSS application with the CAS
> client. I changed the web.xml as shown in the Java CAS client instructions
> and added the jar file (casclient-2.1.1.jar) in the lib directory of the
> WEB-INF directory.
>
> As expected, upon accessing the app for the first time, the user gets
> navigated to the CAS server that was installed on a Tomcat. When the
> CAS validates the user and sends the request back to JBOSS, the following
> exception is thrown by CAS.
>
> 11:19:41,105 INFO [STDOUT] 2008-01-07 11:19:41 ERROR tp.cas.client.CASReceipt - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
>
> 11:19:41,105 INFO [STDOUT] 2008-01-07 11:19:41 ERROR cas.client.filter.CASFilter - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
>
> 11:19:41,120 INFO [STDOUT] 2008-01-07 11:19:41 ERROR web].[localhost].[/MGS-Reporting].[action] - Servlet.service() for servlet action threw exception
> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
>     at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
>     at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
>     at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
>     at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
>     at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
>     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
>     at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
>     at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
>     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
>     at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
>     at java.lang.Thread.run(Thread.java:595)
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
>     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
>     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:934)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
>     at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
>     at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
>     at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
>     ... 22 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
>     at sun.security.validator.Validator.validate(Validator.java:203)
>     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
>     at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
>     ... 36 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
>     ... 41 more
>
> My web.xml is,
>
> <filter>
>   <filter-name>CAS Filter</filter-name>
>   <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
>   <init-param>
>     <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
>     <param-value>https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/login</param-value>
>   </init-param>
>   <init-param>
>     <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
>     <param-value>https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate</param-value>
>   </init-param>
>   <init-param>
>     <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
>     <param-value>alx-dev-lap06.wwre.org:8080</param-value>
>   </init-param>
> </filter>
>
> <filter-mapping>
>   <filter-name>CAS Filter</filter-name>
>   <url-pattern>/action/*</url-pattern>
> </filter-mapping>
>
> Any idea why I am getting the error here?? Is this something to do
> with SSL on the JBOSS side??
>
> Thanks a lot,
> Srikar.