Proxy Granting Tickets (PGT tickets) + JDBCTicketRegistry + CasServer 3.0.7
Rahul Bhardwaj
RBhardwaj at Tier.com
Wed Jun 4 03:02:02 EDT 2008
I tried with the DefaultTicketRegistry and I still get a similar error.
Here are some more details for a better understanding of the situation (when used with the default ticket registry):
- We are using Spring/Acegi in the project with Websphere 6.0.2.19 and JDK 1.4.2
- User tries to access AppA
- It results in redirecting to CAS
- On successful login, user is redirected to AppA - During this step I noticed that when I was using the JdbcTicketRegistry, the addTicket method was called thrice. none of those calls were for pgtIou
- AppA makes a request to AppB from server side logic and provides the CasProcessFilter.CAS_STATELESS_IDENTIFIER and pgt from CasAuthenticationToken.getProxyGrantingTicketIou()
- AppB reports the error of invalid token. During debug mode I can see that the proxy granting ticket looked like a valid token. Also if you see my previous email, CAS complained that "Ticket [PGTIOU-2-GgOQjXvaUrBrEsVaoShObWVlbnbSAqr9wgK-localhost is of type class org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl when we were expecting interface org.jasig.cas.ticket.ServiceTicket". This to me suggests that CAS is receiving the correct ticket but somehow not finding it.
I will appreciate any help on this.
Please find attached the case-servlet.xml file and applicationContext.xml files
Thanks
Rahul
[6/4/08 2:42:49:795 EDT] 00000055 SystemOut O org.jasig.cas.event.AuthenticationEvent at 1c1d1c1d[successfulAuthentication=true,authenticationHandlerClass=interface org.jasig.cas.authentication.handler.AuthenticationHandler,publishedDate=1212561769780,timestamp=1212561769780]
[6/4/08 2:42:49:905 EDT] 00000055 Authenticatio I org.jasig.cas.authentication.AuthenticationManagerImpl authenticate AuthenticationHandler: $Proxy215 successfully authenticated the user which provided the following credentials: rbhardwaj
[6/4/08 2:42:49:920 EDT] 00000055 SystemOut O org.jasig.cas.event.TicketEvent at 41554155[ticketEventType=CREATE_TICKET_GRANTING_TICKET,ticketId=TGT-2-fj9XFXckBnJ9cfo94dYwpfzKMq5nysWY1O9-localhost,publishedDate=1212561769920,timestamp=1212561769920]
[6/4/08 2:42:50:014 EDT] 00000055 CentralAuthen I org.jasig.cas.CentralAuthenticationServiceImpl grantServiceTicket Granted service ticket [ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost] for service [https://localhost:9444/AppA/j_acegi_cas_security_check] for user [rbhardwaj]
[6/4/08 2:42:50:014 EDT] 00000055 SystemOut O org.jasig.cas.event.TicketEvent at 51925192[ticketEventType=CREATE_SERVICE_TICKET,ticketId=ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost,publishedDate=1212561770014,timestamp=1212561770014]
[6/4/08 2:42:50:170 EDT] 00000048 SystemOut O org.jasig.cas.event.AuthenticationEvent at 33c033c[successfulAuthentication=true,authenticationHandlerClass=interface org.jasig.cas.authentication.handler.AuthenticationHandler,publishedDate=1212561770170,timestamp=1212561770170]
[6/4/08 2:42:50:280 EDT] 00000048 Authenticatio I org.jasig.cas.authentication.AuthenticationManagerImpl authenticate AuthenticationHandler: $Proxy215 successfully authenticated the user which provided the following credentials: https://localhost:9444/App/casProxy/receptor
[6/4/08 2:42:50:280 EDT] 00000048 SystemOut O org.jasig.cas.event.TicketEvent at 4c9f4c9f[ticketEventType=CREATE_TICKET_GRANTING_TICKET,ticketId=TGT-3-N1ipgNUEB6lrwTnxrrvZPvD2df0D2QHtbY6-localhost,publishedDate=1212561770280,timestamp=1212561770280]
[6/4/08 2:42:50:280 EDT] 00000048 SystemOut O org.jasig.cas.event.TicketEvent at 5e225e22[ticketEventType=VALIDATE_SERVICE_TICKET,ticketId=ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost,publishedDate=1212561770280,timestamp=1212561770280]
[6/4/08 2:42:50:451 EDT] 00000048 SystemOut O chain size is : 1
[6/4/08 2:42:50:451 EDT] 00000048 SystemOut O authenticationReq : org.jasig.cas.authentication.ImmutableAuthentication at 12931293[authenticatedDate=Wed Jun 04 02:42:49 EDT 2008,principal=rbhardwaj,attributes={}]
[6/4/08 2:42:50:451 EDT] 00000048 SystemOut O pgtIou in request : PGTIOU-2-nd9TU0nyndkLyOMoGvRfVSWLkTdwzmOSGRt-localhost
[6/4/08 2:42:50:451 EDT] 00000048 SystemOut O assertion.chainedAuthentications[chainSize-1].principal.id) rbhardwaj
[6/4/08 2:42:50:451 EDT] 00000048 SystemOut O principal is : rbhardwaj
[6/4/08 2:43:15:014 EDT] 00000048 SystemOut O org.jasig.cas.event.AuthenticationEvent at 28122812[successfulAuthentication=true,authenticationHandlerClass=interface org.jasig.cas.authentication.handler.AuthenticationHandler,publishedDate=1212561795014,timestamp=1212561795014]
[6/4/08 2:43:15:108 EDT] 00000048 Authenticatio I org.jasig.cas.authentication.AuthenticationManagerImpl authenticate AuthenticationHandler: $Proxy215 successfully authenticated the user which provided the following credentials: https://localhost:9444/AppB/casProxy/receptor
[6/4/08 2:43:15:202 EDT] 00000048 ServiceValida E org.jasig.cas.web.ServiceValidateController handleRequestInternal TicketException generating ticket for: https://localhost:9444/AppB/casProxy/receptor
org.jasig.cas.ticket.InvalidTicketException
at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:202)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:299)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:139)
at org.jasig.cas.event.advice.CentralAuthenticationServiceMethodInterceptor.invoke(CentralAuthenticationServiceMethodInterceptor.java:41)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy216.delegateTicketGrantingTicket(Unknown Source)
at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1572)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:762)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:89)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1924)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:112)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:472)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:411)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:288)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:950)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInboundPostHandshake(SSLConnectionLink.java:657)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyHandshakeCompletedCallback.complete(SSLConnectionLink.java:364)
at com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:760)
at com.ibm.ws.ssl.channel.impl.SSLHandshakeIOCallback.complete(SSLHandshakeIOCallback.java:70)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:566)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:619)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:952)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1039)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1471)
________________________________
From: cas-bounces at tp.its.yale.edu on behalf of Rahul Bhardwaj
Sent: Wed 6/4/2008 12:50 AM
To: cas at tp.its.yale.edu
Subject: Proxy Granting Tickets (PGT tickets) + JDBCTicketRegistry + CasServer 3.0.7
Hi Everyone,
In my project, we use Cas Server 3.0.7. Since we have a clustered environment we are using JDBCTicketRegistry as documented on CAS confluence.
I am trying to secure remote invocations from App A to App B by relying on the proxy ticket. The problem is that the CAS server always errors out with the exception given below. The basic problem is that although the CAS Server webapp is generating and passing the PGTIOU ticket, it is never saved in the database. When App B tries to authenticate the user with the PGTIOU ticket, since it is not present in the database, the JdbcTicketRegistry class creates an expired ticket. All this is happening in my development desktop and there is no clustering in there.
I have the following queries:
1 - Since database is not used for storing PGTIOUs, why is CAS trying to read it from JDBCTicketRegistry on validation? Am I doing something wrong?
2 - How can I configure/customize CAS to use JDBCTicketRegistry for proxy tickets as well
Thanks
Rahul
PS: Please ignore the ClassCastException for org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl. The root problem is that the JdbcTicketRegistry is being invoked but the ticket was never saved in the database in the first place. I also confirmed this by debugging the registry and seeing all the tickets that were saved using it.
[6/4/08 0:12:36:185 EDT] 00000048 ServletWrappe E SRVE0068E: Could not invoke the service() method on servlet cas. Exception thrown : org.springframework.web.util.NestedServletException: Request processing failed; nested exception is java.lang.ClassCastException: Ticket [PGTIOU-2-GgOQjXvaUrBrEsVaoShObWVlbnbSAqr9wgK-localhost is of type class org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl when we were expecting interface org.jasig.cas.ticket.ServiceTicket
Caused by: java.lang.ClassCastException: Ticket [PGTIOU-2-GgOQjXvaUrBrEsVaoShObWVlbnbSAqr9wgK-localhost is of type class org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl when we were expecting interface org.jasig.cas.ticket.ServiceTicket
at org.jasig.cas.ticket.registry.AbstractTicketRegistry.getTicket(AbstractTicketRegistry.java:42)
at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:198)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:299)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:139)
at org.jasig.cas.event.advice.CentralAuthenticationServiceMethodInterceptor.invoke(CentralAuthenticationServiceMethodInterceptor.java:41)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy1.delegateTicketGrantingTicket(Unknown Source)
at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1572)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:762)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:89)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1924)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:112)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:472)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:411)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:288)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:950)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyReadCompletedCallback.complete(SSLConnectionLink.java:582)
at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1704)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:566)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:619)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:952)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1039)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1471)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20080604/91a3574b/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cas-servlet.xml
Type: text/xml
Size: 9589 bytes
Desc: cas-servlet.xml
Url : http://tp.its.yale.edu/pipermail/cas/attachments/20080604/91a3574b/attachment.xml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: applicationContext.xml
Type: text/xml
Size: 5362 bytes
Desc: applicationContext.xml
Url : http://tp.its.yale.edu/pipermail/cas/attachments/20080604/91a3574b/attachment-0001.xml
More information about the cas
mailing list