CAS Java Client on JBOSS
Andrew Petro
apetro at unicon.net
Mon Jan 7 17:12:14 EST 2008
Adam, Srikar,
Does the Solving SSL Issues page help any?
http://www.ja-sig.org/wiki/display/CAS/Solving+SSL+issues
Andrew
On Jan 7, 2008, at 10:54 AM, Adam Rybicki wrote:
> Srikar,
>
> This should be an FAQ, but it isn't. I have searched through the
> "usual suspects" sites:
> CAS site FAQ
> Yale CAS Client distribution Wiki pages
> Legacy Java CAS client Google code page
> I found no information to help you address your issue. This should
> be fixed. I hope that Scott or someone else can suggest how and
> where to add this information.
>
> Anyway, it appears that you are using the Yale CAS client. The
> client attempts to verify the service ticket it received from CAS,
> and when it tries to connect to the CAS server, it encounters a
> javax.net.ssl.SSLHandshakeException. This is usually caused by
> using a self-signed SSL certificate on the CAS server. The Java
> process running JBoss does not trust the certificate presented by
> the CAS server. This is part of Java security.
>
> You can either fix it by using a properly signed certificate or work
> around the issue by telling Java to trust your self-signed
> certificate. I don't have a complete tutorial here, but you have to
> use Java's "keytool" command, its "-import" option, the
> "-trustcacerts" option, and you should add it to Java's "cacerts"
> keystore file. On Linux this will likely require root access. I
> don't think that Java will trust a certificate added to a
> user-specific keystore. This message in the mailing list archives starts
> with instructions for importing the self-signed certificate into the
> "cacerts" keystore.
>
> Anyhow, please let me know if this helps.
>
> Adam
>
> Srikar Kummamuri wrote:
>>
>> I am trying to integrate an existing JBOSS application with the
>> CAS client. I changed the web.xml as shown in the Java CAS client
>> instructions and added the jar file (casclient-2.1.1.jar) in the lib
>> directory of the WEB-INF directory.
>>
>> As expected, upon accessing the app for the first time, the user gets
>> navigated to the CAS server that was installed on a Tomcat. When
>> CAS validates the user and sends the request back to JBOSS, an
>> exception is thrown by CAS as follows.
>>
>> 11:19:41,105 INFO [STDOUT] 2008-01-07 11:19:41 ERROR tp.cas.client.CASReceipt - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
>> 11:19:41,105 INFO [STDOUT] 2008-01-07 11:19:41 ERROR cas.client.filter.CASFilter - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
>> 11:19:41,120 INFO [STDOUT] 2008-01-07 11:19:41 ERROR web].[localhost].[/MGS-Reporting].[action] - Servlet.service() for servlet action threw exception
>> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
>>     at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
>>     at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
>>     at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
>>     at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
>>     at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
>>     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
>>     at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
>>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
>>     at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
>>     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
>>     at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
>>     at java.lang.Thread.run(Thread.java:595)
>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
>>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
>>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
>>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
>>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
>>     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
>>     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
>>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
>>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
>>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:934)
>>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
>>     at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
>>     at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
>>     at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
>>     ... 22 more
>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
>>     at sun.security.validator.Validator.validate(Validator.java:203)
>>     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
>>     at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
>>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
>>     ... 36 more
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
>>     ... 41 more
>>
>>
>>
>> My web.xml is:
>>
>>   <filter>
>>     <filter-name>CAS Filter</filter-name>
>>     <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
>>     <init-param>
>>       <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
>>       <param-value>https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/login</param-value>
>>     </init-param>
>>     <init-param>
>>       <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
>>       <param-value>https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate</param-value>
>>     </init-param>
>>     <init-param>
>>       <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
>>       <param-value>alx-dev-lap06.wwre.org:8080</param-value>
>>     </init-param>
>>   </filter>
>>
>>   <filter-mapping>
>>     <filter-name>CAS Filter</filter-name>
>>     <url-pattern>/action/*</url-pattern>
>>   </filter-mapping>
>>
>>
>>
>> Any idea why I am getting the error here? Is this something to do
>> with SSL on the JBOSS side?
>>
>>
>> Thanks a lot,
>> Srikar.
>>
>>
>>
>>
>> _______________________________________________
>> Yale CAS mailing list
>> cas at tp.its.yale.edu
>> http://tp.its.yale.edu/mailman/listinfo/cas
>>
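The fix Adam outlines (import the CAS server's self-signed certificate into a truststore so the JVM's PKIX check succeeds) as an added Java example. This is my code, not part of the Yale CAS client, JBoss, or this thread. It runs the same X509TrustManager that HttpsURLConnection uses, but offline against a PEM file, so you can confirm the exact "unable to find valid certification path" failure before touching the production keystore and confirm the truststore after the import. The class name CasTrustCheck, the file names cas.pem and truststore.jks, the password changeit (the JDK default for cacerts) and the alias cas-dev are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Added example; not code from the CAS client, JBoss, or this thread.
 * Runs the JVM's own PKIX check against a truststore without a network
 * connection and, on request, adds the CAS server's certificate to that
 * truststore, which is what
 *   keytool -import -trustcacerts -alias cas-dev -file cas.pem -keystore <store>
 * does from the command line.
 *
 * cas.pem (assumed file name) is fetched once from the CAS host, e.g.:
 *   openssl s_client -connect alx-dev-wrk04.wwre.org:8444 </dev/null 2>/dev/null \
 *       | openssl x509 -outform PEM > cas.pem
 *
 * Usage:
 *   java CasTrustCheck check  cas.pem truststore.jks changeit
 *   java CasTrustCheck import cas.pem truststore.jks changeit cas-dev
 */
public class CasTrustCheck {

    /** Load a JKS/PKCS12 truststore; a missing file yields an empty store (useful for import). */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        File f = new File(path);
        if (f.exists()) {
            InputStream in = new FileInputStream(f);
            try { ks.load(in, password); } finally { in.close(); }
        } else {
            ks.load(null, password);
        }
        return ks;
    }

    /** Parse every certificate in a PEM file, in file order (server leaf first as openssl prints it). */
    static X509Certificate[] readChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(pemPath);
        try {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        } finally { in.close(); }
    }

    /** The same PKIX trust manager HttpsURLConnection uses, bound to the given store instead of cacerts. */
    static X509TrustManager pkixTrustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager from provider " + tmf.getProvider());
    }

    /** Returns null when the chain validates against the store, otherwise the PKIX failure message. */
    static String check(X509Certificate[] chain, KeyStore trustStore) throws Exception {
        if (trustStore.size() == 0) return "truststore contains no trusted certificates";
        try {
            pkixTrustManager(trustStore).checkServerTrusted(chain, "RSA");
            return null;
        } catch (CertificateException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        String mode = args[0], pem = args[1], storePath = args[2];
        char[] pw = args[3].toCharArray();
        X509Certificate[] chain = readChain(pem);
        KeyStore store = loadTrustStore(storePath, pw);

        if ("import".equals(mode)) {
            // Trust exactly the certificate the CAS server presents (for a self-signed
            // server that is the leaf itself), never a blanket "accept everything" TrustManager.
            X509Certificate anchor = chain[chain.length - 1];
            store.setCertificateEntry(args[4], anchor);
            OutputStream out = new FileOutputStream(storePath);
            try { store.store(out, pw); } finally { out.close(); }
            System.out.println("imported " + anchor.getSubjectX500Principal() + " as '" + args[4] + "'");
        }
        String failure = check(chain, store);
        System.out.println(failure == null
                ? "PKIX OK for " + chain[0].getSubjectX500Principal()
                : "PKIX FAILED: " + failure);
    }
}
```

Two things to check after the import. First, the JBoss JVM must actually read the store you wrote to: pass `$JAVA_HOME/jre/lib/security/cacerts` as the store path to modify the global one (which is what needs root on most Linux installs), or keep a separate file and hand it to the JVM with `-Djavax.net.ssl.trustStore=/path/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit` in JAVA_OPTS; the standard trust manager honours those properties. Second, PKIX trust is not the only check: HttpsURLConnection also verifies that the certificate's hostname matches the host in validateUrl (alx-dev-wrk04.wwre.org here), so a self-signed certificate issued to some other name will pass this tool and still fail the handshake with a hostname-mismatch exception. Replacing the TrustManager or HostnameVerifier with one that accepts anything silences both errors but lets any host with any certificate impersonate the CAS server, which defeats the point of validating tickets over SSL.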