CAS Java Client on JBOSS
Srikar Kummamuri
skummamuri at agentrics.com
Tue Jan 8 12:26:44 EST 2008
I imported the server.crt that was generated on the CAS Server into
Internet Explorer on the client machine. I can see the certificate with
the name as the first and last names given in keytool. So the
certificate is successfully imported by the browser.
But the problem continues. I think importing the certificate may not solve
the problem at the CAS client level?
Thanks
Srikar.
________________________________
From: Srikar Kummamuri
Sent: Tuesday, January 08, 2008 11:49 AM
To: 'cas at tp.its.yale.edu'
Subject: RE: CAS Java Client on JBOSS
Adam,
Does that mean that I need to manually import the certificates in
Internet Explorer (Internet Options, Content, Certificates, Import)?
If so, the certificate extensions that Explorer accepts are .PFX,
.P12, .P7B, .SST. Do I need to convert the certificate (server.crt)
generated by keytool?
Thanks a lot.
Srikar.
------------------------------------------------------------------------------------------
Srikar,
Each Java CAS client application will need to be instructed to trust the
self-signed certificate. Since, as you say, your Java CAS client
applications are on different PCs, all of their trusted certificate
stores have to be updated. This is why using such certificates is only
advised in development environments. Once you start building production
applications, the CAS server they access should have a properly signed
certificate.
Personally, I prefer to work only with production CAS servers. No
matter what I do developing CAS clients, the production server should
not be negatively affected. CAS is robust enough to deal with anything
I can throw at it.
Adam
Srikar Kummamuri wrote:
> Adam,
> Thanks for the reply.
> I followed the steps in the demo and created the SSL certificate:
>
> keytool -genkey -alias tomcatcert -keypass changeit -keyalg RSA
>
> keytool -export -alias tomcatcert -keypass changeit -file server.crt
>
> keytool -alias tomcatcert2 -import -file server.crt -keypass changeit -keystore C:\cacerts
>
> And I can access the CAS server from the client apps on the same PC,
> but not from another PC. I tried to generate the cert by providing the PC
> name (not "localhost").
> So as long as my servers are running on the same physical machine, no
> problems. Once my app is on a different PC than that of the CAS Server,
> the problem starts. I tried to search the documentation with no big help.
>
> So I will wait for somebody to give me a direction/clue.
>
> Thanks
> Srikar.
>
------------------------------------------------------------------------
> Srikar,
>
> This should be an FAQ, but it isn't. I have searched through the "usual
> suspects" sites:
>
> * CAS site FAQ <http://www.ja-sig.org/products/cas/client/faq.html>
> * Yale CAS Client distribution
>   <http://www.ja-sig.org/wiki/display/CASC/Yale+CAS+client+distribution>
>   Wiki pages
> * Legacy Java CAS client
>   <http://code.google.com/p/legacy-java-cas-client/> Google code page
>
> I found no information to help you address your issue. This should be
> fixed. I hope that Scott or someone else can suggest how and where to
> add this information.
>
> Anyway, it appears that you are using the Yale CAS client. The client
> attempts to verify the service ticket it received from CAS, and when it
> tries to connect to the CAS server, it encounters a
> javax.net.ssl.SSLHandshakeException. This is usually caused by using a
> self-signed SSL certificate on the CAS server. The Java process running
> JBoss does not trust the certificate presented by the CAS server. This
> is part of Java security.
>
> You can either fix it by using a properly signed certificate or work
> around the issue by telling Java to trust your self-signed certificate.
> I don't have a complete tutorial here, but you have to use Java's
> "keytool" command, its "-import" option, the "-trustcacerts" option, and
> you should add it to Java's "cacerts" keystore file. On Linux this
> will likely require root access. I don't think that Java will trust a
> certificate added to a user-specific keystore. This message
> <http://article.gmane.org/gmane.comp.java.jasig.cas.user/458/match=keytool>
> in the mailing list archives starts with instructions for importing the
> self-signed certificate into the "cacerts" keystore.
>
> Anyhow, please let me know if this helps.
>
> Adam.
>
------------------------------------------------------------------------
>
> *From:* Srikar Kummamuri
> *Sent:* Monday, January 07, 2008 11:44 AM
> *To:* 'cas at tp.its.yale.edu <http://tp.its.yale.edu/mailman/listinfo/cas>'
> *Subject:* CAS Java Client on JBOSS
>
> I am trying to integrate an existing JBOSS application with the CAS
> client. I changed the web.xml as shown in the Java CAS client instructions
> and added the jar file (casclient-2.1.1.jar) in the lib directory of the
> WEB-INF directory.
>
> As expected, upon accessing the app for the first time, the user gets
> navigated to the CAS server that was installed on a Tomcat. When the
> CAS validates the user and sends the request back to JBOSS, an exception
> is thrown by CAS as follows.
>
> 11:19:41,105 INFO [STDOUT] 2008-01-07 11:19:41 ERROR tp.cas.client.CASReceipt - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
>
> 11:19:41,105 INFO [STDOUT] 2008-01-07 11:19:41 ERROR cas.client.filter.CASFilter - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
>
> 11:19:41,120 INFO [STDOUT] 2008-01-07 11:19:41 ERROR web].[localhost].[/MGS-Reporting].[action] - Servlet.service() for servlet action threw exception
> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
>     at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
>     at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
>     at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
>     at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
>     at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
>     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
>     at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
>     at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
>     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
>     at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
>     at java.lang.Thread.run(Thread.java:595)
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
>     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
>     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:934)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
>     at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
>     at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
>     at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
>     ... 22 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
>     at sun.security.validator.Validator.validate(Validator.java:203)
>     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
>     at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
>     ... 36 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
>     ... 41 more
>
> My web.xml is:
>
> <filter>
>   <filter-name>CAS Filter</filter-name>
>   <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
>   <init-param>
>     <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
>     <param-value>https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/login</param-value>
>   </init-param>
>   <init-param>
>     <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
>     <param-value>https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate</param-value>
>   </init-param>
>   <init-param>
>     <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
>     <param-value>alx-dev-lap06.wwre.org:8080</param-value>
>   </init-param>
> </filter>
>
> <filter-mapping>
>   <filter-name>CAS Filter</filter-name>
>   <url-pattern>/action/*</url-pattern>
> </filter-mapping>
>
> Any idea why I am getting the error here? Is this something to do
> with SSL on the JBOSS side?
>
> Thanks a lot
>
> Srikar.
>
------------------------------------------------------------------------
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu <http://tp.its.yale.edu/mailman/listinfo/cas>
> http://tp.its.yale.edu/mailman/listinfo/cas
>
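The question the whole thread turns on is whether the JVM running the JBoss application trusts the certificate that the CAS server presents when the filter calls serviceValidate. The following is an added example, not code from the thread or from the Yale CAS client: a small stand-alone diagnostic (hypothetical class name TrustCheck) that loads a truststore, reads the server.crt exported with "keytool -export", and runs the same JSSE trust decision that produced the "PKIX path building failed" exception above. It assumes a JKS truststore such as the JRE's cacerts (password "changeit" by default) and Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical diagnostic, not part of the CAS client: would the JVM running JBoss
// accept this certificate when the CAS filter connects to serviceValidate?
//   java TrustCheck $JAVA_HOME/jre/lib/security/cacerts changeit server.crt
public class TrustCheck {
    // Loads the truststore the JVM consults; "changeit" is the JDK's default store password.
    static KeyStore loadTrustStore(String path, String storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass.toCharArray());
        }
        return ks;
    }
    // Reads the DER or PEM certificate file written by "keytool -export".
    static X509Certificate readCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }
    // Same PKIX trust decision JSSE makes in checkServerTrusted during the handshake.
    // A self-signed cert passes only if that exact cert is a trusted entry in the store.
    // Host name matching is NOT checked here; HttpsURLConnection does that separately.
    static boolean isTrusted(KeyStore trustStore, X509Certificate cert) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(new X509Certificate[] { cert }, "RSA");
            return true;
        } catch (CertificateException e) {
            System.err.println("Not trusted: " + e.getMessage()); // e.g. "PKIX path building failed"
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        X509Certificate cert = readCert(args[2]);
        System.out.println(cert.getSubjectX500Principal() + " trusted="
                + isTrusted(loadTrustStore(args[0], args[1]), cert));
    }
}
```

Run it against the cacerts file of the exact JRE that starts JBoss: a certificate imported into a different JRE's store, or into a browser, has no effect on this check.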