[long] various problems with demo installation (casServerUrlPrefix, parsing error, PKIX)
Scott Battaglia
scott.battaglia at gmail.com
Mon Mar 3 09:30:17 EST 2008
Hi,
The first two things are minor bugs in the release and are logged here:
http://www.ja-sig.org/issues/browse/CASC-42
http://www.ja-sig.org/issues/browse/CASC-41
We'll be fixing the Cas10TicketValidator but we actually recommend you use
the more recent Cas20 Ticket Validation Filters.
As for your certificate issue, if you're sure you've added the appropriate
certs to the keystores I would next suggest just double checking that you're
using the right JVM (I've seen people add it to one JVM cacerts file and
then start up Tomcat with another...I've done it myself once or twice ;-)).
-Scott
On Fri, Feb 29, 2008 at 7:20 PM, Bergmann Gábor <zerobaba at gmail.com> wrote:
> Hi!
>
> I'm absolutely new to CAS (and single sign-on). I'm trying to establish a
> demo setup not entirely unlike the Demo featured in the User's Manual Wiki
> (http://www.ja-sig.org/wiki/display/CASUM/Demo). I've run into three
> show-stopping problems, and would like to kindly ask for any assistance or
> wisdom to share on whether I made trivial mistakes or stumbled upon actual
> bugs. The first one is Cas10TicketValidationFilter requesting
> casServerUrlPrefix even though it is specified; the second one is a SAML
> parsing error, and the third one is an SSLHandshake/PKIX failure.
>
> For the sake of simplicity, let's call the machines compA and compB. The
> first one runs the CAS server, both of them aim to run trivial CAS client
> applications.
> compA runs debian etch (stable), Sun java 5 and tomcat 5.5.20 (listening
> on ports 8180 and 8443) with cas-server-3.2 deployed.
> compB runs debian lenny (testing), Sun java 6 and glassfish v2ur1
> (listening on ports 8080 and 8181).
> Client projects are simple Java web applications using
> cas-client-core-3.1.1.jar, commons-codec-1.3.jar, commons-logging-1.1.jar,
> log4j-1.2.15.jar,
> opensaml-1.1b.jar, xmlsec-1.3.0.jar, xalan-j 2.7.1.
>
> --------------------------
>
> PROBLEM 1 - casServerUrlPrefix
> If I try to configure the client services with a
> Cas10TicketValidationFilter, they won't even deploy on either machine,
> complaining that the parameter casServerUrlPrefix is unspecified, regardless
> of whether it was provided as an init-param, a context-param, or even both.
> How come?
>
> * Exception received on deploying:
>
> Exception starting filter CAS Validation Filter
> java.lang.IllegalArgumentException: casServerUrlPrefix cannot be null. at
> org.jasig.cas.client.util.CommonUtils.assertNotNull(CommonUtils.java:42)
> at
> org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.<init>(
> AbstractUrlBasedTicketValidator.java:53) at
> org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator
> .<init>(AbstractCasProtocolUrlBasedTicketValidator.java:24) at
> org.jasig.cas.client.validation.Cas10TicketValidator.<init>(
> Cas10TicketValidator.java:22) at
> ....
>
> * web.xml:
>
> <context-param>
> <param-name>serverName</param-name>
> <param-value>https://compA:8443 OR https://compB:8181, WHICHEVER
> APPLIES</param-value>
> </context-param>
> <filter>
> <filter-name>CAS Authentication Filter</filter-name>
> <filter-class>
> org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
> <init-param>
> <param-name>casServerLoginUrl</param-name>
> <param-value>https://compA:8443/cas/login</param-value>
> </init-param>
> </filter>
> <filter>
> <filter-name>CAS Validation Filter</filter-name>
> <!--<filter-class>
> org.jasig.cas.client.validation.Saml11TicketValidationFilter
> </filter-class>-->
> <filter-class>
> org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
> <init-param>
> <param-name>casServerUrlPrefix</param-name>
> <param-value>https://compA:8443/cas</param-value>
> </init-param>
> </filter>
> <filter>
> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
> <filter-class>
> org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
> </filter>
> <filter>
> <filter-name>CAS Single Sign Out Filter</filter-name>
> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter
> </filter-class>
> </filter>
> <!-- filter-mappings, listeners, etc omitted -->
>
> --------------------------
>
> PROBLEM 2 - parsing error
>
> If the client is using Saml11TicketValidationFilter, it can be
> successfully deployed onto compA. It starts successfully, redirects the
> browser to CAS, but when the browser returns from CAS, a parsing error
> exception is thrown. What could be wrong?
>
> * exception received when delivering the ticket to
> https://compA:8443/AnotherTestClient/?ticket=ST-11-SWXHLHRjFR9mKuZl6cOP-cas
> :
>
> java.lang.NumberFormatException: For input string: ""
> java.lang.NumberFormatException.forInputString(
> NumberFormatException.java:48)
> java.lang.Integer.parseInt(Integer.java:468)
> java.lang.Integer.parseInt(Integer.java:497)
> org.opensaml.SAMLResponse.fromDOM(Unknown Source)
> org.opensaml.SAMLResponse.<init>(Unknown Source)
>
> org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer
> (Saml11TicketValidator.java:46)
> ...
>
> * quote from catalina logs:
>
> 2008-03-01 00:34:40,310 INFO [
> org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket
> [ST-11-SWXHLHRjFR9mKuZl6cOP-cas] for service
> [https://compA:8443/AnotherTestClient/] for user [asd]>
> 2008-03-01 00:38:53,103 INFO [
> org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
> <Starting cleaning of expired tickets from ticket registry
> at [Sat Mar 01 00:38:53 GMT+01:00 2008]>
> 2008-03-01 00:38:53,104 INFO [
> org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <1
> found to be removed. Removing now.>
> 2008-03-01 00:38:53,117 INFO [
> org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
> <Finished cleaning of expired tickets from ticket registry
> at [Sat Mar 01 00:38:53 GMT+01:00 2008]>
>
> --------------------------
>
> PROBLEM 3 - PKIX
>
> If the client is using Saml11TicketValidationFilter, it can be
> successfully deployed onto compB. It starts successfully, redirects the
> browser to CAS, but when the browser returns from CAS, an SSL handshake
> exception is thrown.
>
> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>
> With test certificates, this should be expected. However, the funny thing
> is, I've read http://www.ja-sig.org/wiki/display/CASUM/Demo and the more
> detailed http://blogs.sun.com/andreas/entry/no_more_unable_to_find, and
> followed their instructions.
>
> I've even verified that compB's cacerts store contains compA, see below:
>
> * compA keystore: (tomcat is configured to use this)
> compA:~# keytool -list -keystore ~/.keystore -v
> Enter keystore password: changeit
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 1 entry
>
> Alias name: tomcat
> Creation date: 2008.02.26.
> Entry type: keyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: CN=compA, OU=...
> Issuer: CN=compA, OU=...
> Serial number: 47c34dad
> Valid from: Tue Feb 26 00:22:21 GMT+01:00 2008 until: Mon May 26 00:22:21
> GMT+01:00 2008
> Certificate fingerprints:
> MD5: D0:75:F7:08:EB:EF:18:1D:3A:0A:14:7F:39:83:94:B4
> SHA1: 62:AF:2F:03:88:02:10:21:6D:2A:EF:C9:16:27:4F:4A:6F:84:B6:E7
>
>
> * compB cacerts:
> compB:/usr/share/glassfish# keytool -list -keystore
> /etc/java-6-sun/security/cacerts
> ...
> compA-1, 2008.02.28., trustedCertEntry,
> Certificate fingerprint (MD5):
> D0:75:F7:08:EB:EF:18:1D:3A:0A:14:7F:39:83:94:B4
> ...
>
> This looks all right to me. I'm not very experienced with Java vs. PKI,
> what did I do wrong?
>
>
> --------------------
>
> Dear CAS community mailing list, could you please provide me any help or
> suggestions?
>
> Thanks in advance,
> BERGMANN Gábor, CAS newbie
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
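Added example, not code from the thread or from the CAS project: a small Java program that prints which JVM and trust store the running `java` binary actually uses and reports whether a certificate with a given MD5 fingerprint is in it, which is the "right JVM / right cacerts" check Scott suggests. Run it with the same `java` that starts Tomcat or GlassFish; it assumes the default cacerts path under `java.home` and the default password `changeit` unless the standard `javax.net.ssl.trustStore*` properties override them, and the `TrustStoreCheck` class name is mine.

```java
// Added example, not code from the thread or the CAS project. Prints the JVM
// and trust store in effect, then looks for a certificate by MD5 fingerprint
// (colon-separated hex as printed by keytool). Assumes the default cacerts
// path under java.home and the default password "changeit" unless the
// javax.net.ssl.trustStore* properties override them.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;

public class TrustStoreCheck {
    static String fingerprint(Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String javaHome = System.getProperty("java.home");
        String path = System.getProperty("javax.net.ssl.trustStore",
                javaHome + "/lib/security/cacerts");
        String password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        System.out.println("java.home  = " + javaHome);
        System.out.println("trustStore = " + path);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        // Usage: java TrustStoreCheck D0:75:F7:08:EB:EF:18:1D:3A:0A:14:7F:39:83:94:B4
        String wanted = args.length > 0 ? args[0].toUpperCase() : null;
        boolean found = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate cert = ks.getCertificate(alias);   // null for non-cert entries
            if (cert != null && wanted != null && wanted.equals(fingerprint(cert, "MD5"))) {
                System.out.println("found under alias '" + alias + "'");
                found = true;
            }
        }
        if (wanted != null && !found) System.out.println("fingerprint not in this trust store");
    }
}
```

If the printed `java.home` is not the JVM the servlet container starts with, the import went into the wrong cacerts file.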