Proxy Granting Tickets (PGT tickets) + JDBCTicketRegistry +CasServer 3.0.7
Scott Battaglia
scott.battaglia at gmail.com
Wed Jun 4 13:20:19 EDT 2008
I don't know what you're doing that your applications are sending PGTIOUs to
the CAS server and why the CAS server is attempting to retrieve them.
If you're not familiar with it, you should read the protocol document on how
CAS works:
http://www.ja-sig.org/products/cas/overview/protocol/index.html
-Scott
On Wed, Jun 4, 2008 at 1:09 PM, Rahul Bhardwaj <RBhardwaj at tier.com> wrote:
> Scott,
>
> Can you please point me to the documentation that talks about how to
> request PGTs?
>
> Thanks for your prompt help
> Rahul
>
> ________________________________
>
> From: cas-bounces at tp.its.yale.edu on behalf of Scott Battaglia
> Sent: Wed 6/4/2008 10:34 AM
> To: Yale CAS mailing list
> Subject: Re: Proxy Granting Tickets (PGT tickets) + JDBCTicketRegistry
> +CasServer 3.0.7
>
>
> PGTIOUs are not valid ticket identifiers. You should be requesting PGTs.
>
> -Scott
>
>
> 2008/6/4 Rahul Bhardwaj <RBhardwaj at tier.com>:
>
>
> I tried with the DefaultTicketRegistry and I still get a similar
> error.
>
> Here are some more details for a better understanding of the
> situation (when used with the default ticket registry):
> - We are using Spring/Acegi in the project with Websphere 6.0.2.19 and JDK 1.4.2
> - User tries to access AppA
> - It results in redirecting to CAS
> - On successful login, user is redirected to AppA. During this step
> I noticed that when I was using the JdbcTicketRegistry, the addTicket method
> was called thrice; none of those calls were for pgtIou.
> - AppA makes a request to AppB from server side logic and provides
> the CasProcessFilter.CAS_STATELESS_IDENTIFIER and pgt from
> CasAuthenticationToken.getProxyGrantingTicketIou()
> - AppB reports the error of invalid token. During debug mode I can
> see that the proxy granting ticket looked like a valid token. Also if you
> see my previous email, CAS complained that "Ticket
> [PGTIOU-2-GgOQjXvaUrBrEsVaoShObWVlbnbSAqr9wgK-localhost is of type class
> org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl when we
> were expecting interface org.jasig.cas.ticket.ServiceTicket". This to me
> suggests that CAS is receiving the correct ticket but somehow not finding
> it.
>
> I will appreciate any help on this.
>
> Please find attached the case-servlet.xml file and
> applicationContext.xml files
>
> Thanks
> Rahul
>
>
> [6/4/08 2:42:49:795 EDT] 00000055 SystemOut O
> org.jasig.cas.event.AuthenticationEvent at 1c1d1c1d[successfulAuthentication=true,authenticationHandlerClass=interface
> org.jasig.cas.authentication.handler.AuthenticationHandler,publishedDate=1212561769780,timestamp=1212561769780]
> [6/4/08 2:42:49:905 EDT] 00000055 Authenticatio I
> org.jasig.cas.authentication.AuthenticationManagerImpl authenticate
> AuthenticationHandler: $Proxy215 successfully authenticated the user which
> provided the following credentials: rbhardwaj
> [6/4/08 2:42:49:920 EDT] 00000055 SystemOut O
> org.jasig.cas.event.TicketEvent at 41554155[ticketEventType=CREATE_TICKET_GRANTING_TICKET,ticketId=TGT-2-fj9XFXckBnJ9cfo94dYwpfzKMq5nysWY1O9-localhost,publishedDate=1212561769920,timestamp=1212561769920
> ]
> [6/4/08 2:42:50:014 EDT] 00000055 CentralAuthen I
> org.jasig.cas.CentralAuthenticationServiceImpl grantServiceTicket Granted
> service ticket [ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost] for
> service [https://localhost:9444/AppA/j_acegi_cas_security_check] for user
> [rbhardwaj]
> [6/4/08 2:42:50:014 EDT] 00000055 SystemOut O
> org.jasig.cas.event.TicketEvent at 51925192[ticketEventType=CREATE_SERVICE_TICKET,ticketId=ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost,publishedDate=1212561770014,timestamp=1212561770014
> ]
> [6/4/08 2:42:50:170 EDT] 00000048 SystemOut O
> org.jasig.cas.event.AuthenticationEvent at 33c033c[successfulAuthentication=true,authenticationHandlerClass=interface
> org.jasig.cas.authentication.handler.AuthenticationHandler,publishedDate=1212561770170,timestamp=1212561770170]
> [6/4/08 2:42:50:280 EDT] 00000048 Authenticatio I
> org.jasig.cas.authentication.AuthenticationManagerImpl authenticate
> AuthenticationHandler: $Proxy215 successfully authenticated the user which
> provided the following credentials:
> https://localhost:9444/App/casProxy/receptor
> [6/4/08 2:42:50:280 EDT] 00000048 SystemOut O
> org.jasig.cas.event.TicketEvent at 4c9f4c9f[ticketEventType=CREATE_TICKET_GRANTING_TICKET,ticketId=TGT-3-N1ipgNUEB6lrwTnxrrvZPvD2df0D2QHtbY6-localhost,publishedDate=1212561770280,timestamp=1212561770280
> ]
> [6/4/08 2:42:50:280 EDT] 00000048 SystemOut O
> org.jasig.cas.event.TicketEvent at 5e225e22[ticketEventType=VALIDATE_SERVICE_TICKET,ticketId=ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost,publishedDate=1212561770280,timestamp=1212561770280
> ]
> [6/4/08 2:42:50:451 EDT] 00000048 SystemOut O chain size is : 1
> [6/4/08 2:42:50:451 EDT] 00000048 SystemOut O authenticationReq
> : org.jasig.cas.authentication.ImmutableAuthentication at 12931293[authenticatedDate=Wed
> Jun 04 02:42:49 EDT 2008,principal=rbhardwaj,attributes={}]
> [6/4/08 2:42:50:451 EDT] 00000048 SystemOut O pgtIou in request
> : PGTIOU-2-nd9TU0nyndkLyOMoGvRfVSWLkTdwzmOSGRt-localhost
> [6/4/08 2:42:50:451 EDT] 00000048 SystemOut O
> assertion.chainedAuthentications[chainSize-1].principal.id ) rbhardwaj
> [6/4/08 2:42:50:451 EDT] 00000048 SystemOut O principal is :
> rbhardwaj
>
> [6/4/08 2:43:15:014 EDT] 00000048 SystemOut O
> org.jasig.cas.event.AuthenticationEvent at 28122812[successfulAuthentication=true,authenticationHandlerClass=interface
> <mailto:org.jasig.cas.event.AuthenticationEvent at 28122812%5BsuccessfulAuthentication=true,authenticationHandlerClass=interface>
> org.jasig.cas.authentication.handler.AuthenticationHandler,publishedDate=1212561795014,timestamp=1212561795014]
> [6/4/08 2:43:15:108 EDT] 00000048 Authenticatio I
> org.jasig.cas.authentication.AuthenticationManagerImpl authenticate
> AuthenticationHandler: $Proxy215 successfully authenticated the user which
> provided the following credentials:
> https://localhost:9444/AppB/casProxy/receptor
> [6/4/08 2:43:15:202 EDT] 00000048 ServiceValida E
> org.jasig.cas.web.ServiceValidateController handleRequestInternal
> TicketException generating ticket for:
> https://localhost:9444/AppB/casProxy/receptor
>
> org.jasig.cas.ticket.InvalidTicketException
> at
> org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:202)
>
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
> at java.lang.reflect.Method.invoke(Method.java:391)
> at
> org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:299)
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:172)
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:139)
> at
> org.jasig.cas.event.advice.CentralAuthenticationServiceMethodInterceptor.invoke(CentralAuthenticationServiceMethodInterceptor.java:41)
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
> at
> org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
>
> at $Proxy216.delegateTicketGrantingTicket(Unknown Source)
>
> at
> org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
> at
> org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
> at
> org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
> at
> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
> at
> org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
> at
> org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
> at
> org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
> at
> org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
> at
> com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1572)
> at
> com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:762)
> at
> com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:89)
> at
> com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1924)
> at
> com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:112)
> at
> com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:472)
> at
> com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:411)
> at
> com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:288)
> at
> com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:950)
>
> at
> com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInboundPostHandshake(SSLConnectionLink.java:657)
> at
> com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyHandshakeCompletedCallback.complete(SSLConnectionLink.java:364)
> at
> com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:760)
> at
> com.ibm.ws.ssl.channel.impl.SSLHandshakeIOCallback.complete(SSLHandshakeIOCallback.java:70)
>
> at
> com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:566)
> at
> com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:619)
> at
> com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:952)
> at
> com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1039)
> at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1471)
>
>
> ________________________________
>
> From: cas-bounces at tp.its.yale.edu on behalf of Rahul Bhardwaj
> Sent: Wed 6/4/2008 12:50 AM
> To: cas at tp.its.yale.edu
> Subject: Proxy Granting Tickets (PGT tickets) + JDBCTicketRegistry +
> CasServer 3.0.7
>
>
> Hi Everyone,
>
> In my project, we use Cas Server 3.0.7. Since we
> have a clustered environment we are using JDBCTicketRegistry as documented
> on CAS confluence.
>
> I am trying to secure remote invocations from App A to App B by
> relying on the proxy ticket. The problem is that the CAS server always
> errors out with the exception given below. The basic problem is that
> although the CAS Server webapp is generating and passing the PGTIOU ticket,
> it is never saved in the database. When App B tries to authenticate the user
> with the PGTIOU ticket, since it is not present in the database, the
> JdbcTicketRegistry class creates an expired ticket. All this is happening in
> my development desktop and there is no clustering in there.
>
> I have the following queries:
> 1 - Since the database is not used for storing PGTIOUs, why is CAS
> trying to read it from JDBCTicketRegistry on validation? Am I doing
> something wrong?
> 2 - How can I configure/customize CAS to use JDBCTicketRegistry for
> proxy tickets as well?
>
> Thanks
> Rahul
>
> PS: Please ignore the ClassCastException for
> org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl. The root
> problem is that the JdbcTicketRegistry is being invoked but the ticket was
> never saved in the database in the first place. I also confirmed this by
> debugging the registry and seeing all the tickets that were saved using it.
>
>
> [6/4/08 0:12:36:185 EDT] 00000048 ServletWrappe E SRVE0068E: Could
> not invoke the service() method on servlet cas. Exception thrown :
> org.springframework.web.util.NestedServletException: Request processing
> failed; nested exception is java.lang.ClassCastException: Ticket
> [PGTIOU-2-GgOQjXvaUrBrEsVaoShObWVlbnbSAqr9wgK-localhost is of type class
> org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl when we
> were expecting interface org.jasig.cas.ticket.ServiceTicket
> Caused by: java.lang.ClassCastException: Ticket
> [PGTIOU-2-GgOQjXvaUrBrEsVaoShObWVlbnbSAqr9wgK-localhost is of type class
> org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl when we
> were expecting interface org.jasig.cas.ticket.ServiceTicket
> at
> org.jasig.cas.ticket.registry.AbstractTicketRegistry.getTicket(AbstractTicketRegistry.java:42)
> at
> org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:198)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
> at java.lang.reflect.Method.invoke(Method.java:391)
> at
> org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:299)
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:172)
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:139)
> at
> org.jasig.cas.event.advice.CentralAuthenticationServiceMethodInterceptor.invoke(CentralAuthenticationServiceMethodInterceptor.java:41)
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
> at
> org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
> at $Proxy1.delegateTicketGrantingTicket(Unknown Source)
> at
> org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
> at
> org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
> at
> org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
> at
> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
> at
> org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
> at
> org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
> at
> org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
> at
> org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
> at
> com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1572)
> at
> com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:762)
> at
> com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:89)
> at
> com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1924)
> at
> com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:112)
> at
> com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:472)
> at
> com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:411)
> at
> com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:288)
> at
> com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:950)
> at
> com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyReadCompletedCallback.complete(SSLConnectionLink.java:582)
> at
> com.ibm.ws.ssl.channel.impl.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1704)
> at
> com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:566)
> at
> com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:619)
> at
> com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:952)
> at
> com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1039)
> at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1471)
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
> --
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
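Added example for readers of this thread (not code from the thread, from Scott, or from the CAS project): an offline model of the CAS 2.0 proxy exchange that the protocol document Scott links describes, written from AppA's side. It shows why the PGTIOU in the serviceValidate response is only a correlation handle: the PGT itself arrives separately at the pgtUrl callback (the "casProxy/receptor" URL seen in Rahul's logs), the application must pair the two, and only the PGT may be sent to /proxy to obtain a proxy ticket for AppB. The endpoint paths and the parameter names pgtId, pgtIou, pgt and targetService come from the CAS protocol specification; the CAS base URL, the AppB service URL and every ticket value below are constructed samples, and ProxyReceptor, build_proxy_request and proxy_request_for_app_b are names chosen here rather than anything in the CAS client libraries.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

# CAS 2.0 protocol XML namespace (from the CAS protocol specification).
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Hypothetical deployment values modelled on the thread (localhost:9444, AppA, AppB).
CAS_BASE = "https://localhost:9444/cas"
APP_B_SERVICE = "https://localhost:9444/AppB/remote"

# Constructed sample: the callback CAS makes to AppA's proxy receptor (the pgtUrl)
# *before* answering /serviceValidate. This is the only message that carries the PGT.
SAMPLE_RECEPTOR_CALLBACK = (
    "https://localhost:9444/AppA/casProxy/receptor"
    "?pgtId=PGT-2-constructedpgtvalue-localhost"
    "&pgtIou=PGTIOU-2-constructediouvalue-localhost"
)

# Constructed sample: the /serviceValidate response AppA then receives. It carries
# only the PGTIOU, a lookup handle for the receptor store, never the PGT itself.
SAMPLE_VALIDATE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>rbhardwaj</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-2-constructediouvalue-localhost</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""


class ProxyReceptor:
    """AppA-side store of pgtIou -> pgtId pairs delivered by CAS to the callback URL."""

    def __init__(self):
        self._iou_to_pgt = {}

    def handle_callback(self, callback_url):
        """Record the pair carried by one receptor hit; returns the IOU that was stored."""
        params = parse_qs(urlparse(callback_url).query)
        pgt_iou = params["pgtIou"][0]
        pgt_id = params["pgtId"][0]
        self._iou_to_pgt[pgt_iou] = pgt_id
        return pgt_iou

    def resolve(self, pgt_iou):
        """Translate an IOU into the PGT it was paired with (None if never delivered)."""
        return self._iou_to_pgt.get(pgt_iou)


def parse_validate_response(xml_text):
    """Return (user, pgtIou) from a CAS 2.0 serviceValidate success response."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("serviceValidate did not report success")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    pgt_iou = success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS)
    return user, pgt_iou


PGT_RE = re.compile(r"^PGT-\d+-")        # ticket id shape, e.g. PGT-3-...-localhost
PGTIOU_RE = re.compile(r"^PGTIOU-\d+-")  # IOU shape, as in the thread's PGTIOU-2-... lines


def build_proxy_request(pgt):
    """Build the /proxy URL AppA calls to obtain a proxy ticket for AppB.

    Handing a PGTIOU to this endpoint is the mistake discussed in the thread: the
    server holds no ticket under that id, so the registry lookup fails.
    """
    if PGTIOU_RE.match(pgt):
        raise ValueError("PGTIOU is not a ticket; resolve it through the receptor first")
    if not PGT_RE.match(pgt):
        raise ValueError("expected a PGT identifier")
    return CAS_BASE + "/proxy?" + urlencode({"pgt": pgt, "targetService": APP_B_SERVICE})


def proxy_request_for_app_b(receptor, validate_xml):
    """Full AppA-side flow: response IOU -> receptor lookup -> /proxy request URL."""
    _user, pgt_iou = parse_validate_response(validate_xml)
    pgt = receptor.resolve(pgt_iou)
    if pgt is None:
        raise LookupError("no PGT delivered for %s; check the pgtUrl callback" % pgt_iou)
    return build_proxy_request(pgt)


if __name__ == "__main__":
    receptor = ProxyReceptor()
    receptor.handle_callback(SAMPLE_RECEPTOR_CALLBACK)
    print(proxy_request_for_app_b(receptor, SAMPLE_VALIDATE_RESPONSE))
```

The proxy ticket returned by /proxy is what AppA forwards to AppB, and AppB validates it against /proxyValidate; the LookupError branch is the state Rahul's logs describe, where the application holds an IOU for which no matching PGT was ever delivered (the receptor must be reachable from the CAS server over HTTPS for the callback to arrive).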