CAS Java Client on JBOSS

Srikar Kummamuri skummamuri at agentrics.com
Mon Jan 7 17:10:12 EST 2008


Adam,
Thanks for the reply.
I followed the steps in the demo and created the SSL certificate:

keytool -genkey -alias tomcatcert -keypass changeit -keyalg RSA

keytool -export -alias tomcatcert -keypass changeit -file server.crt

keytool -alias tomcatcert2 -import -file server.crt -keypass changeit -keystore C:\cacerts
 
And I can access the CAS server from the client apps on the same PC but
not from another PC. I tried to generate the cert by providing the PC name
(not "localhost").
So as long as my servers are running on the same physical machine, no
problems. Once my app is on a different PC than that of the CAS server, the
problem starts. I tried to search the documentation with no big help.

So I will wait for somebody to give me a direction/clue.
 
Thanks
Srikar.
 
 
 
 
------------------------------------------------------------------------
Srikar,
 
This should be an FAQ, but it isn't.  I have searched through the "usual
suspects" sites:

    * CAS site FAQ <http://www.ja-sig.org/products/cas/client/faq.html>
    * Yale CAS Client distribution Wiki pages
      <http://www.ja-sig.org/wiki/display/CASC/Yale+CAS+client+distribution>
    * Legacy Java CAS client Google code page
      <http://code.google.com/p/legacy-java-cas-client/>
 
I found no information to help you address your issue.  This should be 
fixed.  I hope that Scott or someone else can suggest how and where to 
add this information.
 
Anyway, it appears that you are using the Yale CAS client.  The client 
attempts to verify the service ticket it received from CAS, and when it 
tries to connect to the CAS server, it encounters a 
javax.net.ssl.SSLHandshakeException.  This is usually caused by using a 
self-signed SSL certificate on the CAS server.  The Java process running
JBoss does not trust the certificate presented by the CAS server.  This 
is part of Java security.
 
You can either fix it by using a properly signed certificate or work 
around the issue by telling Java to trust your self-signed certificate.

I don't have a complete tutorial here, but you have to use Java's 
"keytool" command, its "-import" option, the "-trustcacerts" option, and
you should add it to Java's "cacerts" keystore file.  On Linux this 
will likely require root access.  I don't think that Java will trust a 
certificate added to a user-specific keystore.  This message 
<http://article.gmane.org/gmane.comp.java.jasig.cas.user/458/match=keytool> 
in the mailing list archives starts with instructions for importing the 
self-signed certificate into the "cacerts" keystore.
 
Anyhow, please let me know if this helps.

 

Adam.
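The trust check Adam describes above, as an added example that is not part of this thread or of the CAS client: a small Java program (hypothetical class CasTrustCheck) that loads the cacerts of the JVM it runs under, applies the same checkServerTrusted call that fails in the stack trace to the exported server.crt, and checks that the certificate's CN is the CAS host named in validateUrl. The file and host names are taken from the thread; the cacerts path defaults are assumptions for stock JRE/JDK layouts.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

/** Usage: java CasTrustCheck server.crt alx-dev-wrk04.wwre.org [path/to/cacerts] */
public class CasTrustCheck {
    public static void main(String[] args) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {   // the exported server.crt
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        String casHost = args[1];                                // host part of validateUrl
        Path cacerts = args.length > 2 ? Paths.get(args[2]) : defaultCacerts();
        System.out.println("Trust store of this JVM: " + cacerts);
        // Load the trust store the way JSSE does: no password is needed to read it.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            ks.load(in, null);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        X509TrustManager tm = null;
        for (TrustManager t : tmf.getTrustManagers()) {
            if (t instanceof X509TrustManager) { tm = (X509TrustManager) t; }
        }
        // Same check that fails in the trace: checkServerTrusted -> PKIX path building.
        try {
            tm.checkServerTrusted(new X509Certificate[] { cert }, "RSA");
            System.out.println("TRUSTED: " + cert.getSubjectX500Principal());
        } catch (CertificateException e) {
            System.out.println("NOT TRUSTED: " + e.getMessage());
            System.out.println("Import on THIS machine: keytool -import -trustcacerts -alias cas"
                    + " -file " + args[0] + " -keystore " + cacerts);
        }
        // The CN must be the CAS host name used in validateUrl, not "localhost" or the client PC.
        String dn = cert.getSubjectX500Principal().getName();
        boolean cnMatches = dn.contains("CN=" + casHost + ",") || dn.endsWith("CN=" + casHost);
        System.out.println(cnMatches ? "CN matches " + casHost : "CN MISMATCH for " + casHost + ": " + dn);
    }

    static Path defaultCacerts() {
        Path home = Paths.get(System.getProperty("java.home"));
        Path p = home.resolve("lib/security/cacerts");           // JRE root, or JDK 9+ (assumed)
        return Files.exists(p) ? p : home.resolve("jre/lib/security/cacerts"); // JDK 8 root (assumed)
    }
}
```

Run it with the same JVM that runs JBoss on the client PC, because the import has to land in the trust store that JVM actually reads (its cacerts, or the file named by javax.net.ssl.trustStore if that property is set).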

 

________________________________

From: Srikar Kummamuri 
Sent: Monday, January 07, 2008 11:44 AM
To: 'cas at tp.its.yale.edu'
Subject: CAS Java Client on JBOSS

 

I am trying to integrate an existing JBOSS application with the CAS
client.  I changed the web.xml as shown in the Java CAS client instructions
and added the jar file (casclient-2.1.1.jar) in the lib directory of the
WEB-INF directory.

 

As expected, upon accessing the app for the first time, the user gets
navigated to the CAS server that was installed on a Tomcat. When CAS
validates the user and sends the request back to JBOSS, the following
exception is thrown by CAS.

 

11:19:41,105 INFO  [STDOUT] 2008-01-07 11:19:41 ERROR tp.cas.client.CASReceipt - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]

11:19:41,105 INFO  [STDOUT] 2008-01-07 11:19:41 ERROR cas.client.filter.CASFilter - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]

11:19:41,120 INFO  [STDOUT] 2008-01-07 11:19:41 ERROR web].[localhost].[/MGS-Reporting].[action] - Servlet.service() for servlet action threw exception
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
        at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
        at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
        at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
        at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
        at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:934)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
        at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
        at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
        at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
        ... 22 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
        at sun.security.validator.Validator.validate(Validator.java:203)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
        at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
        ... 36 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
        ... 41 more

 

 

 

My web.xml is,

    <filter>
        <filter-name>CAS Filter</filter-name>
        <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
        <init-param>
            <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
            <param-value>https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/login</param-value>
        </init-param>
        <init-param>
            <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
            <param-value>https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate</param-value>
        </init-param>
        <init-param>
            <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
            <param-value>alx-dev-lap06.wwre.org:8080</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>CAS Filter</filter-name>
        <url-pattern>/action/*</url-pattern>
    </filter-mapping>

 

 

 

Any idea why I am getting the error here?  Is this something to do with
SSL on the JBOSS side?

 

 

Thanks a lot

Srikar.

 

 

 

 
