CAS Java Client on JBOSS
Adam Rybicki
arybicki at unicon.net
Mon Jan 7 17:31:56 EST 2008
Srikar,
Each Java CAS client application will need to be instructed to trust the
self-signed certificate. Since, as you say, your Java CAS client
applications are on different PCs, all of their trusted certificate
stores have to be updated. This is why using such certificates is only
advised in development environments. Once you start building production
applications, the CAS server they access should have a properly signed
certificate.
Personally, I prefer to work only with production CAS servers. No
matter what I do developing CAS clients, the production server should
not be negatively affected. CAS is robust enough to deal with anything
I can throw at it.
Adam
Srikar Kummamuri wrote:
> Adam,
> Thanks for the reply.
> I followed the steps in the demo and created the SSL certificate
>
> keytool -genkey -alias tomcatcert -keypass changeit -keyalg RSA
>
> keytool -export -alias tomcatcert -keypass changeit -file server.crt
>
> keytool -alias tomcatcert2 -import -file server.crt -keypass changeit -keystore C:\cacerts
>
> And I can access the CAS server from the client apps on the same PC but not from other PCs. I tried to generate the cert by providing the PC name (not "localhost").
> So as long as my servers are running on the same physical machine, no problems. Once my app is on a different PC than that of the CAS server, the problem starts. I tried to search the documentation with no big help.
>
> So I will wait for somebody to give me a direction/clue.
>
> Thanks
> Srikar.
>
> ------------------------------------------------------------------------
> Srikar,
>
> This should be an FAQ, but it isn't. I have searched through the "usual
> suspects" sites:
>
> * CAS site FAQ <http://www.ja-sig.org/products/cas/client/faq.html>
> * Yale CAS Client distribution
> <http://www.ja-sig.org/wiki/display/CASC/Yale+CAS+client+distribution>
> Wiki pages
> * Legacy Java CAS client
> <http://code.google.com/p/legacy-java-cas-client/> Google code page
>
> I found no information to help you address your issue. This should be
> fixed. I hope that Scott or someone else can suggest how and where to
> add this information.
>
> Anyway, it appears that you are using the Yale CAS client. The client
> attempts to verify the service ticket it received from CAS, and when it
> tries to connect to the CAS server, it encounters a
> javax.net.ssl.SSLHandshakeException. This is usually caused by using a
> self-signed SSL certificate on the CAS server. The Java process running
> JBoss does not trust the certificate presented by the CAS server. This
> is part of Java security.
>
> You can either fix it by using a properly signed certificate or work
> around the issue by telling Java to trust your self-signed certificate.
> I don't have a complete tutorial here, but you have to use Java's
> "keytool" command, its "-import" option, the "-trustcacerts" option, and
> you should add it to Java's "cacerts" keystore file. On Linux this
> will likely require root access. I don't think that Java will trust a
> certificate added to a user-specific keystore. This message
> <http://article.gmane.org/gmane.comp.java.jasig.cas.user/458/match=keytool>
> in the mailing list archives starts with instructions for importing the
> self-signed certificate into "cacerts" keystore.
>
> Anyhow, please let me know if this helps.
>
> Adam.
>
> ------------------------------------------------------------------------
>
> *From:* Srikar Kummamuri
> *Sent:* Monday, January 07, 2008 11:44 AM
> *To:* 'cas at tp.its.yale.edu'
> *Subject:* CAS Java Client on JBOSS
>
> I am trying to integrate an existing JBOSS application with the CAS
> client. I changed the web.xml as shown in the Java CAS client instructions
> and added the jar file (casclient-2.1.1.jar) in the lib directory of the
> web-inf directory.
>
> As expected, upon accessing the app for the first time, the user gets
> navigated to the CAS server that was installed on a Tomcat. When the
> CAS validates the user and sends the request back to JBOSS, an exception
> is thrown by CAS as follows.
>
> 11:19:41,105 INFO [STDOUT] 2008-01-07 11:19:41 ERROR tp.cas.client.CASReceipt -
> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
>
> 11:19:41,105 INFO [STDOUT] 2008-01-07 11:19:41 ERROR cas.client.filter.CASFilter -
> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
>
> 11:19:41,120 INFO [STDOUT] 2008-01-07 11:19:41 ERROR web].[localhost].[/MGS-Reporting].[action] - Servlet.service() for servlet action threw exception
> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
>     at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
>     at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
>     at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
>     at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
>     at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
>     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
>     at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
>     at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
>     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
>     at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
>     at java.lang.Thread.run(Thread.java:595)
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
>     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
>     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:934)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
>     at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
>     at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
>     at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
>     ... 22 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
>     at sun.security.validator.Validator.validate(Validator.java:203)
>     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
>     at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
>     ... 36 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
>     ... 41 more
>
> My web.xml is,
>
> <filter>
>   <filter-name>CAS Filter</filter-name>
>   <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
>   <init-param>
>     <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
>     <param-value>https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/login</param-value>
>   </init-param>
>   <init-param>
>     <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
>     <param-value>https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate</param-value>
>   </init-param>
>   <init-param>
>     <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
>     <param-value>alx-dev-lap06.wwre.org:8080</param-value>
>   </init-param>
> </filter>
>
> <filter-mapping>
>   <filter-name>CAS Filter</filter-name>
>   <url-pattern>/action/*</url-pattern>
> </filter-mapping>
>
> Any idea why I am getting the error here?? Is this something to do
> with SSL on the JBOSS side??
>
> Thanks a lot
>
> Srikar.
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
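The failure in the trace above, "PKIX path building failed", is the JVM running the CAS client refusing a server certificate that does not chain to anything in its trust store. The Java program below is an added example, not code from this thread, from the Yale CAS client or from the CAS project: it builds an SSLContext from an explicit trust-store file and opens the CAS serviceValidate URL through it, so the trust decision can be checked from the client PC before JBoss and the filter are involved. The class name CasTrustCheck and the three command-line arguments (trust-store path, its password, the URL) are assumptions; the classes used are standard JDK. The same trust-store file can be handed to the JBoss JVM with the standard javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties, which is an alternative to editing the shared "cacerts" file.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical check (not CAS project code): connect to a CAS validate URL
 * using only the certificates in the given trust store and report whether
 * the handshake is accepted.
 *
 *   java CasTrustCheck /path/to/truststore.jks changeit \
 *       https://cas.example.org:8443/cas/serviceValidate
 *
 * (the path, password and host above are placeholders)
 */
public class CasTrustCheck {

    /** Build an SSLContext whose only trusted certificates come from one keystore file. */
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: CasTrustCheck <truststore> <password> <https-url>");
            System.exit(2);
        }
        SSLContext ctx = contextFromTrustStore(args[0], args[1].toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier is kept on purpose: a certificate issued
        // to "localhost" must still be rejected when the URL names another host.
        try {
            int status = conn.getResponseCode();   // performs the TLS handshake and the request
            System.out.println("TLS handshake OK; HTTP status " + status);
            for (Certificate c : conn.getServerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject: " + x.getSubjectX500Principal());
                System.out.println("  issuer:  " + x.getIssuerX500Principal());
                System.out.println("  expires: " + x.getNotAfter());
            }
        } catch (SSLHandshakeException e) {
            // "PKIX path building failed" lands here: nothing in the trust store
            // signs the chain the server presented (newer JDKs also report a
            // hostname/SAN mismatch this way).
            System.out.println("REJECTED: " + e.getMessage());
            System.exit(1);
        } catch (IOException e) {
            // Older JDKs report a hostname mismatch as a plain IOException
            // ("HTTPS hostname wrong"); connection refused etc. also land here.
            System.out.println("Connection failed: " + e.getMessage());
            System.exit(1);
        } finally {
            conn.disconnect();
        }
    }
}
```

Run it once against the trust store the import step produced and once against an empty or unrelated store: the second run must print REJECTED, which confirms that the trust decision really comes from the store and not from some other path. A subject line that reads CN=localhost while the URL names the server's real host is the second thing to look for, since a trusted certificate is still useless to a client on another PC if its name does not match.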