CAS Java Client on JBOSS
Scott Battaglia
scott.battaglia at gmail.com
Tue Jan 8 12:35:23 EST 2008
You need to import the certificate on each CAS client's JVM. By CAS
client, we mean the applications that delegate to CAS for authentication.
-Scott
On Jan 8, 2008 12:26 PM, Srikar Kummamuri <skummamuri at agentrics.com> wrote:
> I imported the server.crt that was generated on the CAS Server into
> Internet Explorer on the client machine. I can see the certificate with the
> name as the first and last names given in the keytool. So the certificate
> is successfully imported by the browser.
>
> But the problem continues. I think importing the certificate may not solve
> the problem at the CAS client level??
>
> Thanks
>
> Srikar.
>
> ------------------------------
>
> From: Srikar Kummamuri
> Sent: Tuesday, January 08, 2008 11:49 AM
> To: 'cas at tp.its.yale.edu'
> Subject: RE: CAS Java Client on JBOSS
>
> Adam,
>
> Does that mean that I need to manually import the certificates in Internet Explorer (Internet Options, Content, Certificates, Import)?
>
> If so, the certificate extensions that Explorer accepts are .PFX, .P12, .P7B, .SST. Do I need to convert the certificate (server.crt) generated by the keytool??
>
> Thanks a lot.
>
> Srikar.
>
> ------------------------------------------------------------------------------------------
>
> Srikar,
>
> Each Java CAS client application will need to be instructed to trust the
> self-signed certificate. Since, as you say, your Java CAS client
> applications are on different PCs, all of their trusted certificate
> stores have to be updated. This is why using such certificates is only
> advised in development environments. Once you start building production
> applications, the CAS server they access should have a properly signed
> certificate.
>
> Personally, I prefer to work only with production CAS servers. No
> matter what I do developing CAS clients, the production server should
> not be negatively affected. CAS is robust enough to deal with anything
> I can throw at it.
>
> Adam
>
> Srikar Kummamuri wrote:
>
> > Adam,
> >
> > Thanks for the reply.
> >
> > I followed the steps in the demo and created the SSL certificate:
> >
> >   keytool -genkey -alias tomcatcert -keypass changeit -keyalg RSA
> >
> >   keytool -export -alias tomcatcert -keypass changeit -file server.crt
> >
> >   keytool -alias tomcatcert2 -import -file server.crt -keypass changeit -keystore C:\cacerts
> >
> > And I can access the CAS server from the client apps on the same PC but not from another PC. I tried to generate the cert by providing the PC name (not "localhost").
> > So as long as my servers are running on the same physical machine, no problems. Once my app is on a different PC than that of the CAS Server, the problem starts. I tried to search the documentation with no big help.
> >
> > So I will wait for somebody to give me a direction/clue.
> >
> > Thanks
> > Srikar.
> >
> > ------------------------------------------------------------------------
>
> > Srikar,
> >
> > This should be an FAQ, but it isn't. I have searched through the "usual
> > suspects" sites:
> >
> >   * CAS site FAQ <http://www.ja-sig.org/products/cas/client/faq.html>
> >   * Yale CAS Client distribution
> >     <http://www.ja-sig.org/wiki/display/CASC/Yale+CAS+client+distribution>
> >     Wiki pages
> >   * Legacy Java CAS client
> >     <http://code.google.com/p/legacy-java-cas-client/> Google code page
> >
> > I found no information to help you address your issue. This should be
> > fixed. I hope that Scott or someone else can suggest how and where to
> > add this information.
> >
> > Anyway, it appears that you are using the Yale CAS client. The client
> > attempts to verify the service ticket it received from CAS, and when it
> > tries to connect to the CAS server, it encounters a
> > javax.net.ssl.SSLHandshakeException. This is usually caused by using a
> > self-signed SSL certificate on the CAS server. The Java process running
> > JBoss does not trust the certificate presented by the CAS server. This
> > is part of Java security.
> >
> > You can either fix it by using a properly signed certificate or work
> > around the issue by telling Java to trust your self-signed certificate.
> > I don't have a complete tutorial here, but you have to use Java's
> > "keytool" command, its "-import" option, the "-trustcacerts" option, and
> > you should add it to Java's "cacerts" keystore file. On Linux this
> > will likely require root access. I don't think that Java will trust a
> > certificate added to a user-specific keystore. This message
> > <http://article.gmane.org/gmane.comp.java.jasig.cas.user/458/match=keytool>
> > in the mailing list archives starts with instructions for importing the
> > self-signed certificate into the "cacerts" keystore.
> >
> > Anyhow, please let me know if this helps.
> >
> > Adam.
> >
> > ------------------------------------------------------------------------
>
> >
> > From: Srikar Kummamuri
> > Sent: Monday, January 07, 2008 11:44 AM
> > To: 'cas at tp.its.yale.edu <http://tp.its.yale.edu/mailman/listinfo/cas>'
> > Subject: CAS Java Client on JBOSS
> >
> > I am trying to integrate an existing JBOSS application with the CAS
> > client. I changed the web.xml as shown in the Java CAS client instructions
> > and added the jar file (casclient-2.1.1.jar) in the lib directory of the
> > WEB-INF directory.
> >
> > As expected, upon accessing the app for the first time, the user gets
> > navigated to the CAS server that was installed on a Tomcat. When
> > CAS validates the user and sends the request back to JBOSS, the following
> > exception is thrown by CAS:
> >
>
> > 11:19:41,105 INFO [STDOUT] 2008-01-07 11:19:41 ERROR tp.cas.client.CASReceipt - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
> >
> > 11:19:41,105 INFO [STDOUT] 2008-01-07 11:19:41 ERROR cas.client.filter.CASFilter - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
> >
> > 11:19:41,120 INFO [STDOUT] 2008-01-07 11:19:41 ERROR web].[localhost].[/MGS-Reporting].[action] - Servlet.service() for servlet action threw exception
> > edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
> >     at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
> >     at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
> >     at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
> >     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
> >     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
> >     at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
> >     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
> >     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
> >     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> >     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
> >     at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
> >     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
> >     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
> >     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
> >     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
> >     at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
> >     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
> >     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
> >     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
> >     at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
> >     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
> >     at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
> >     at java.lang.Thread.run(Thread.java:595)
> > Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
> >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
> >     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
> >     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
> >     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
> >     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
> >     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
> >     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
> >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
> >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
> >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
> >     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
> >     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
> >     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
> >     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:934)
> >     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
> >     at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
> >     at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
> >     at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
> >     ... 22 more
> > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
> >     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
> >     at sun.security.validator.Validator.validate(Validator.java:203)
> >     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
> >     at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
> >     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
> >     ... 36 more
> > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
> >     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
> >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
> >     ... 41 more
> >
>
> > My web.xml is:
> >
> >   <filter>
> >     <filter-name>CAS Filter</filter-name>
> >     <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
> >     <init-param>
> >       <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
> >       <param-value>https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/login</param-value>
> >     </init-param>
> >     <init-param>
> >       <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
> >       <param-value>https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate</param-value>
> >     </init-param>
> >     <init-param>
> >       <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
> >       <param-value>alx-dev-lap06.wwre.org:8080</param-value>
> >     </init-param>
> >   </filter>
> >
> >   <filter-mapping>
> >     <filter-name>CAS Filter</filter-name>
> >     <url-pattern>/action/*</url-pattern>
> >   </filter-mapping>
> >
>
> > Any idea why I am getting the error here?? Is this something to do
> > with SSL on the JBOSS side??
> >
> > Thanks a lot
> >
> > Srikar.
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu <http://tp.its.yale.edu/mailman/listinfo/cas>
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
>
>
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
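A check to run on each CAS client machine before deploying, added here as an example; it is not code from this thread or from the CAS project. It assumes the exported server.crt and the client JVM's cacerts truststore are passed as arguments, and falls back to the JDK's default cacerts password "changeit" when none is given; the class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

/**
 * Offline check: will this JVM truststore trust the CAS server certificate?
 * It runs the same PKIX path build that JSSE performs in the TLS handshake, so
 * "unable to find valid certification path to requested target" here means the
 * client's serviceValidate call would fail exactly as in the thread.
 */
public class CasTrustCheck {

    /** Returns null when the chain is trusted, otherwise the path-build error. */
    static String whyUntrusted(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        X509Certificate leaf = chain.get(0);
        // A self-signed cert imported with "keytool -import -trustcacerts" is itself a
        // trust anchor; report that directly instead of asking for a zero-length path.
        String alias = trustStore.getCertificateAlias(leaf);
        if (alias != null && trustStore.isCertificateEntry(alias)) {
            return null;
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        // Anchors come from the truststore; intermediates (if any) from the cert file.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false); // no CRL/OCSP fetch, keep the check offline
        try {
            CertPathBuilder.getInstance("PKIX").build(params);
            return null;
        } catch (CertPathBuilderException e) {
            return e.getMessage();
        }
    }

    // Usage: java CasTrustCheck server.crt <path-to-jvm-cacerts> [storepass]
    public static void main(String[] args) throws Exception {
        char[] storePass = (args.length > 2 ? args[2] : "changeit").toCharArray(); // JDK default
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) { // PEM or DER, as keytool -export writes
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) { ts.load(in, storePass); }
        String reason = whyUntrusted(chain, ts);
        System.out.println(reason == null
                ? "TRUSTED: " + chain.get(0).getSubjectX500Principal()
                : "UNTRUSTED: " + reason + " (import it with keytool -import -trustcacerts)");
    }
}
```

Point it at the cacerts file of the JVM that actually runs JBoss, not at a copy such as C:\cacerts, since only the truststore that JVM loads matters.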