CAS Client 3.1 Spring configuration and PGT

Mathieu ROUSSELLE mathieu.rousselle at NIJI.FR
Thu Jun 26 09:18:57 EDT 2008


Andrew,

Thank you for your answer. Setting the service property instead of serverName did not resolve my issue, but I have found a solution: I declared a proxyGrantingTicketStorage and passed its reference to the Filter and the Validator, and it works.

I don't have to use Cas20ProxyTicketValidator because the service I want to proxy authenticate to uses the pam_cas mechanism.

The above listing contains the working configuration:

  <!-- PGT Storage shared instance -->
  <bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>

  <!-- Validation Filter Bean -->
  <bean
      id="casValidationFilter"
      class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter">

      <property name="proxyReceptorUrl" value="/proxy/receptor"/>
      <property name="serverName" value="${cas.client.serverName}" />
      <property name="redirectAfterValidation" value="true"/>
      <!-- PGT Storage shared instance -->
      <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
      <property name="ticketValidator">
          <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
              <constructor-arg index="0" value="${cas.server.url}" />
              <property name="proxyCallbackUrl" value="https://myservice:8443/mycontect/proxy/receptor"/>
              <!-- PGT Storage shared instance -->
              <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
          </bean>
      </property>
  </bean>

 

Mathieu
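
Added example, not part of the original message and not the CAS client's own code: a minimal Java model of why sharing the storage fixes the null proxy ticket. The class names (PgtStorage, ReceptorFilter, Validator) are hypothetical stand-ins and the ticket values are constructed; the PGTIOU from the validation response resolves to a PGT only when the callback receiver and the validator use the same storage instance.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical stand-ins for the client classes; only the wiring is modelled.
public class PgtStorageWiringDemo {

    /** Maps a PGTIOU to the PGT delivered on the proxy callback. */
    static class PgtStorage {
        private final Map<String, String> byIou = new ConcurrentHashMap<>();
        void save(String pgtIou, String pgt) { byIou.put(pgtIou, pgt); }
        // In this model a PGTIOU can be claimed once; the entry is then removed.
        String retrieve(String pgtIou) { return byIou.remove(pgtIou); }
    }

    /** Filter side: receives the callback the CAS server makes to the receptor URL. */
    static class ReceptorFilter {
        private final PgtStorage storage;
        ReceptorFilter(PgtStorage storage) { this.storage = storage; }
        void onProxyCallback(String pgtIou, String pgt) { storage.save(pgtIou, pgt); }
    }

    /** Validator side: the validation response carries only the PGTIOU. */
    static class Validator {
        private final PgtStorage storage;
        Validator(PgtStorage storage) { this.storage = storage; }
        String resolvePgt(String pgtIouFromResponse) { return storage.retrieve(pgtIouFromResponse); }
    }

    /** Runs one callback followed by one validation and returns the resolved PGT (or null). */
    static String run(PgtStorage filterStorage, PgtStorage validatorStorage) {
        ReceptorFilter filter = new ReceptorFilter(filterStorage);
        Validator validator = new Validator(validatorStorage);
        // Constructed sample values, not real tickets.
        filter.onProxyCallback("PGTIOU-1-example", "PGT-1-example");
        return validator.resolvePgt("PGTIOU-1-example");
    }

    public static void main(String[] args) {
        // Separate instances: the PGT is saved where the validator never looks.
        System.out.println("separate storages: " + run(new PgtStorage(), new PgtStorage()));
        // One shared instance, as in the working configuration.
        PgtStorage shared = new PgtStorage();
        System.out.println("shared storage:    " + run(shared, shared));
    }
}
```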

 

From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] On behalf of Andrew Ralph Feller, afelle1
Sent: Thursday, June 26, 2008 14:30
To: Yale CAS mailing list
Subject: Re: CAS Client 3.1 Spring configuration and PGT

 

Mathieu,

On comparing your config against the wiki article for JA-SIG CAS 3.1 (http://www.ja-sig.org/wiki/display/CASC/Configuring+the+JA-SIG+CAS+Client+for+Java+using+Spring), the only discrepancy I find is that you declared the serverName property vs the service property on the Cas20ProxyReceivingTicketValidationFilter. Hrmmm, in your config you are using the Cas20ServiceTicketValidator. Have you configured the CAS client on the service that should accept proxy tickets with the Cas20ProxyTicketValidator?


On 6/26/08 5:04 AM, "Mathieu ROUSSELLE" <mathieu.rousselle at NIJI.FR> wrote:

Hello,
 
I have configured the CAS Client with spring configuration to use a Cas20ProxyReceivingTicketValidationFilter.
 
  <bean
      name="casValidationFilter"
      class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter">

      <property name="proxyReceptorUrl" value="/proxy/receptor"/>
      <property name="serverName" value="${cas.client.serverName}" />
      <property name="redirectAfterValidation" value="true"/>
      <property name="ticketValidator">
          <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
              <constructor-arg index="0" value="${cas.server.url}" />
              <property name="proxyCallbackUrl" value="https://myservice:8443/mycontext/proxy/receptor"/>
          </bean>
      </property>
  </bean>

I make a subsequent call to Principal.GetProxyTicket(ServiceUrl) to proxy authenticate to another service and I get a null return: No ProxyGrantingTicket was supplied, so no Proxy Ticket can be retrieved.

I have done some debugging and found that the proxyGrantingTicketStorage of the filter is not passed to the ServiceTicketValidator. That is why the PGTIOU sent back by the CAS server on ST validation does not correspond to any PGT.

Did I make a configuration mistake?

I have included the log, which shows that the PGT is sent by the CAS server:
 
 
26/06/08 11:54:50.750 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.authentication.AuthenticationFilter.doFilter():93] - Constructed service url: http://radiomee.vmmario3.rennes.niji:8080/camcas/gateway/gateway.jsp;jsessionid=DC60F272E9B8A8BAC30C07B345DF621C
26/06/08 11:54:50.750 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.authentication.AuthenticationFilter.doFilter():99] - redirecting to "https://vmmario3.rennes.niji:8443/cas/login?service=http%3A%2F%2Fmyservice%3A8080%2Fmycontext%2Fgateway%2Fgateway.jsp%3Bjsessionid%3DDC60F272E9B8A8BAC30C07B345DF621C&gateway=true"
26/06/08 11:54:51.890 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.authentication.AuthenticationFilter.doFilter():107] - removing gateway attribute from session
26/06/08 11:54:53.281 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.authentication.AuthenticationFilter.doFilter():84] - no ticket and no assertion found
26/06/08 11:54:53.281 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.util.CommonUtils.constructServiceUrl():234]  - serviceUrl generated: http://myservice:8080/mycontext/protected/secured.jsp
26/06/08 11:54:53.281 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.authentication.AuthenticationFilter.doFilter():93] - Constructed service url: http://myservice:8080/mycontext/protected/secured.jsp
26/06/08 11:54:53.281 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.authentication.AuthenticationFilter.doFilter():99] - redirecting to "https://vmmario3.rennes.niji:8443/cas/login?service=http%3A%2F%2Fmyservice%3A8080%2Fmycontext%2Fprotected%2Fsecured.jsp"
26/06/08 11:54:59.015 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.authentication.AuthenticationFilter.doFilter():107] - removing gateway attribute from session
26/06/08 11:54:59.031 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter():128] - Attempting to validate ticket: ST-22-mzbwF9YhWaMzGFdhcq1F-cas
26/06/08 11:54:59.031 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.util.CommonUtils.constructServiceUrl():209] - serviceUrl generated: http://myservice:8080/mycontext/protected/secured.jsp
26/06/08 11:54:59.031 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.constructValidationUrl():86] - Placing URL parameters in map.
26/06/08 11:54:59.031 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.constructValidationUrl():94] - Calling template URL attribute map.
26/06/08 11:54:59.031 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.constructValidationUrl():97] - Loading custom parameters from configuration.
26/06/08 11:54:59.031 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate():173] - Constructing validation url: https://vmmario3.rennes.niji:8443/cas/serviceValidate?pgtUrl=https%3A%2F%2Fmyservice%3A8443%2Fmycontext%2Fproxy%2Freceptor&ticket=ST-22-mzbwF9YhWaMzGFdhcq1F-cas&service=http%3A%2F%2Fmyservice%3A8080%2Fmycontext%2Fprotected%2Fsecured.jsp
26/06/08 11:54:59.031 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate():177] - Retrieving response from server.
26/06/08 11:54:59.265 |DEBUG | [http-8443-Processor25] [org.jasig.cas.client.util.CommonUtils.readAndRespondToProxyReceptorRequest():164] - Received proxyGrantingTicketId [TGT-37-jqWBBQo759vGWKSVaqq4TEqRkSyiVG9RTyw5shvoAHGFkgQsID-cas] for proxyGrantingTicketIou [PGTIOU-17-tqCUkGUWq0BpQiud3Xo0-cas]
26/06/08 11:54:59.281 |DEBUG | [http-8443-Processor25] [org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl.save():89]  - Saving ProxyGrantingTicketIOU and ProxyGrantingTicket combo: [PGTIOU-17-tqCUkGUWq0BpQiud3Xo0-cas, TGT-37-jqWBBQo759vGWKSVaqq4TEqRkSyiVG9RTyw5shvoAHGFkgQsID-cas]
26/06/08 11:54:59.281 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate():185] - Server response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
                <cas:authenticationSuccess>
                               <cas:user>toto</cas:user>
 
                               <cas:proxyGrantingTicket>PGTIOU-17-tqCUkGUWq0BpQiud3Xo0-cas</cas:proxyGrantingTicket>
 
 
                </cas:authenticationSuccess>
</cas:serviceResponse>
 
26/06/08 11:54:59.296 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter():137] - Successfully authenticated user: toto
26/06/08 11:54:59.296 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter():160] - Redirecting after successful ticket validation.
26/06/08 11:54:59.296 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.util.CommonUtils.constructServiceUrl():209]  - serviceUrl generated: http://myservice:8080/mycontext/protected/secured.jsp
 
Mathieu Rousselle
