Proxy Granting Tickets (PGT tickets) + JDBCTicketRegistry +CasServer 3.0.7
Rahul Bhardwaj
RBhardwaj at Tier.com
Wed Jun 4 13:09:23 EDT 2008
Scott,
Can you please point me to the documentation that talks about how to request PGTs?
Thanks for your prompt help
Rahul
________________________________
From: cas-bounces at tp.its.yale.edu on behalf of Scott Battaglia
Sent: Wed 6/4/2008 10:34 AM
To: Yale CAS mailing list
Subject: Re: Proxy Granting Tickets (PGT tickets) + JDBCTicketRegistry +CasServer 3.0.7
PGTIOUs are not valid ticket identifiers. You should be requesting PGTs
-Scott
2008/6/4 Rahul Bhardwaj <RBhardwaj at tier.com>:
I tried with the DefaultTicketRegistry and I still get a similar error.
Here are some more details for a better understanding of the situation (when used with the default ticket registry):
- We are using Spring/Acegi in the project with Websphere 6.0.2.19 <http://6.0.2.19/> and JDK 1.4.2
- User tries to access AppA
- It results in redirecting to CAS
- On successful login, user is redirected to AppA - During this step I noticed that when I was using the JdbcTicketRegistry, the addTicket method was called thrice. none of those calls were for pgtIou
- AppA makes a request to AppB from server side logic and provides the CasProcessFilter.CAS_STATELESS_IDENTIFIER and pgt from CasAuthenticationToken.getProxyGrantingTicketIou()
- AppB reports the error of invalid token. During debug mode I can see that the proxy granting ticket looked like a valid token. Also if you see my previous email, CAS complained that "Ticket [PGTIOU-2-GgOQjXvaUrBrEsVaoShObWVlbnbSAqr9wgK-localhost is of type class org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl when we were expecting interface org.jasig.cas.ticket.ServiceTicket". This to me suggests that CAS is receiving the correct ticket but somehow not finding it.
I will appreciate any help on this.
Please find attached the case-servlet.xml file and applicationContext.xml files
Thanks
Rahul
[6/4/08 2:42:49:795 EDT] 00000055 SystemOut O org.jasig.cas.event.AuthenticationEvent at 1c1d1c1d[successfulAuthentication=true,authenticationHandlerClass=interface <mailto:org.jasig.cas.event.AuthenticationEvent at 1c1d1c1d%5BsuccessfulAuthentication=true,authenticationHandlerClass=interface> org.jasig.cas.authentication.handler.AuthenticationHandler,publishedDate=1212561769780,timestamp=1212561769780]
[6/4/08 2:42:49:905 EDT] 00000055 Authenticatio I org.jasig.cas.authentication.AuthenticationManagerImpl authenticate AuthenticationHandler: $Proxy215 successfully authenticated the user which provided the following credentials: rbhardwaj
[6/4/08 2:42:49:920 EDT] 00000055 SystemOut O org.jasig.cas.event.TicketEvent at 41554155[ticketEventType=CREATE_TICKET_GRANTING_TICKET,ticketId=TGT-2-fj9XFXckBnJ9cfo94dYwpfzKMq5nysWY1O9-localhost,publishedDate=1212561769920,timestamp=1212561769920 <mailto:org.jasig.cas.event.TicketEvent at 41554155%5BticketEventType=CREATE_TICKET_GRANTING_TICKET,ticketId=TGT-2-fj9XFXckBnJ9cfo94dYwpfzKMq5nysWY1O9-localhost,publishedDate=1212561769920,timestamp=1212561769920> ]
[6/4/08 2:42:50:014 EDT] 00000055 CentralAuthen I org.jasig.cas.CentralAuthenticationServiceImpl grantServiceTicket Granted service ticket [ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost] for service [https://localhost:9444/AppA/j_acegi_cas_security_check] for user [rbhardwaj]
[6/4/08 2:42:50:014 EDT] 00000055 SystemOut O org.jasig.cas.event.TicketEvent at 51925192[ticketEventType=CREATE_SERVICE_TICKET,ticketId=ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost,publishedDate=1212561770014,timestamp=1212561770014 <mailto:org.jasig.cas.event.TicketEvent at 51925192%5BticketEventType=CREATE_SERVICE_TICKET,ticketId=ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost,publishedDate=1212561770014,timestamp=1212561770014> ]
[6/4/08 2:42:50:170 EDT] 00000048 SystemOut O org.jasig.cas.event.AuthenticationEvent at 33c033c[successfulAuthentication=true,authenticationHandlerClass=interface <mailto:org.jasig.cas.event.AuthenticationEvent at 33c033c%5BsuccessfulAuthentication=true,authenticationHandlerClass=interface> org.jasig.cas.authentication.handler.AuthenticationHandler,publishedDate=1212561770170,timestamp=1212561770170]
[6/4/08 2:42:50:280 EDT] 00000048 Authenticatio I org.jasig.cas.authentication.AuthenticationManagerImpl authenticate AuthenticationHandler: $Proxy215 successfully authenticated the user which provided the following credentials: https://localhost:9444/App/casProxy/receptor
[6/4/08 2:42:50:280 EDT] 00000048 SystemOut O org.jasig.cas.event.TicketEvent at 4c9f4c9f[ticketEventType=CREATE_TICKET_GRANTING_TICKET,ticketId=TGT-3-N1ipgNUEB6lrwTnxrrvZPvD2df0D2QHtbY6-localhost,publishedDate=1212561770280,timestamp=1212561770280 <mailto:org.jasig.cas.event.TicketEvent at 4c9f4c9f%5BticketEventType=CREATE_TICKET_GRANTING_TICKET,ticketId=TGT-3-N1ipgNUEB6lrwTnxrrvZPvD2df0D2QHtbY6-localhost,publishedDate=1212561770280,timestamp=1212561770280> ]
[6/4/08 2:42:50:280 EDT] 00000048 SystemOut O org.jasig.cas.event.TicketEvent at 5e225e22[ticketEventType=VALIDATE_SERVICE_TICKET,ticketId=ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost,publishedDate=1212561770280,timestamp=1212561770280 <mailto:org.jasig.cas.event.TicketEvent at 5e225e22%5BticketEventType=VALIDATE_SERVICE_TICKET,ticketId=ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost,publishedDate=1212561770280,timestamp=1212561770280> ]
[6/4/08 2:42:50:451 EDT] 00000048 SystemOut O chain size is : 1
[6/4/08 2:42:50:451 EDT] 00000048 SystemOut O authenticationReq : org.jasig.cas.authentication.ImmutableAuthentication at 12931293[authenticatedDate=Wed <mailto:org.jasig.cas.authentication.ImmutableAuthentication at 12931293%5BauthenticatedDate=Wed> Jun 04 02:42:49 EDT 2008,principal=rbhardwaj,attributes={}]
[6/4/08 2:42:50:451 EDT] 00000048 SystemOut O pgtIou in request : PGTIOU-2-nd9TU0nyndkLyOMoGvRfVSWLkTdwzmOSGRt-localhost
[6/4/08 2:42:50:451 EDT] 00000048 SystemOut O assertion.chainedAuthentications[chainSize-1].principal.id <http://principal.id/> ) rbhardwaj
[6/4/08 2:42:50:451 EDT] 00000048 SystemOut O principal is : rbhardwaj
[6/4/08 2:43:15:014 EDT] 00000048 SystemOut O org.jasig.cas.event.AuthenticationEvent at 28122812[successfulAuthentication=true,authenticationHandlerClass=interface <mailto:org.jasig.cas.event.AuthenticationEvent at 28122812%5BsuccessfulAuthentication=true,authenticationHandlerClass=interface> org.jasig.cas.authentication.handler.AuthenticationHandler,publishedDate=1212561795014,timestamp=1212561795014]
[6/4/08 2:43:15:108 EDT] 00000048 Authenticatio I org.jasig.cas.authentication.AuthenticationManagerImpl authenticate AuthenticationHandler: $Proxy215 successfully authenticated the user which provided the following credentials: https://localhost:9444/AppB/casProxy/receptor
[6/4/08 2:43:15:202 EDT] 00000048 ServiceValida E org.jasig.cas.web.ServiceValidateController handleRequestInternal TicketException generating ticket for: https://localhost:9444/AppB/casProxy/receptor
org.jasig.cas.ticket.InvalidTicketException
at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:202)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:299)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:139)
at org.jasig.cas.event.advice.CentralAuthenticationServiceMethodInterceptor.invoke(CentralAuthenticationServiceMethodInterceptor.java:41)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy216.delegateTicketGrantingTicket(Unknown Source)
at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1572)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:762)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:89)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1924)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:112)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:472)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:411)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:288)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:950)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInboundPostHandshake(SSLConnectionLink.java:657)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyHandshakeCompletedCallback.complete(SSLConnectionLink.java:364)
at com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:760)
at com.ibm.ws.ssl.channel.impl.SSLHandshakeIOCallback.complete(SSLHandshakeIOCallback.java:70)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:566)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:619)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:952)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1039)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1471)
________________________________
From: cas-bounces at tp.its.yale.edu on behalf of Rahul Bhardwaj
Sent: Wed 6/4/2008 12:50 AM
To: cas at tp.its.yale.edu
Subject: Proxy Granting Tickets (PGT tickets) + JDBCTicketRegistry + CasServer 3.0.7
Hi Everyone,
In my project, we use Cas Server 3.0.7. <http://3.0.7./> Since we have a clustered environment we are using JDBCTicketRegistry as documented on CAS confluence.
I am trying to secure remote invocations from App A to App B by relying on the proxy ticket. The problem is that the CAS server always errors out with the exception given below. The basic problem is that although the CAS Server webapp is generating and passing the PGTIOU ticket, it is never saved in the database. When App B tries to authenticate the user with the PGTIOU ticket, since it is not present in the database, the JdbcTicketRegistry class creates an expired ticket. All this is happening in my development desktop and there is no clustering in there.
I have the following queries:
1 - Since database is not used for storing PGTIOUs, why is CAS trying to read it from JDBCTicketRegistry on validation? Am I doing something wrong?
2 - How can I configure/customize CAS to use JDBCTicketRegistry for proxy tickets as well
Thanks
Rahul
PS: Please ignore the ClassCastException for org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl. The root problem is that the JdbcTicketRegistry is being invoked but the ticket was never saved in the database in the first place. I also confirmed this by debugging the registry and seeing all the tickets that were saved using it.
[6/4/08 0:12:36:185 EDT] 00000048 ServletWrappe E SRVE0068E: Could not invoke the service() method on servlet cas. Exception thrown : org.springframework.web.util.NestedServletException: Request processing failed; nested exception is java.lang.ClassCastException: Ticket [PGTIOU-2-GgOQjXvaUrBrEsVaoShObWVlbnbSAqr9wgK-localhost is of type class org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl when we were expecting interface org.jasig.cas.ticket.ServiceTicket
Caused by: java.lang.ClassCastException: Ticket [PGTIOU-2-GgOQjXvaUrBrEsVaoShObWVlbnbSAqr9wgK-localhost is of type class org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl when we were expecting interface org.jasig.cas.ticket.ServiceTicket
at org.jasig.cas.ticket.registry.AbstractTicketRegistry.getTicket(AbstractTicketRegistry.java:42)
at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:198)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:299)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:139)
at org.jasig.cas.event.advice.CentralAuthenticationServiceMethodInterceptor.invoke(CentralAuthenticationServiceMethodInterceptor.java:41)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy1.delegateTicketGrantingTicket(Unknown Source)
at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1572)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:762)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:89)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1924)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:112)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:472)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:411)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:288)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:950)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyReadCompletedCallback.complete(SSLConnectionLink.java:582)
at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1704)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:566)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:619)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:952)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1039)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1471)
_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas
--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 15671 bytes
Desc: not available
Url : http://tp.its.yale.edu/pipermail/cas/attachments/20080604/6c4317f5/attachment.bin
More information about the cas
mailing list