Login works but no Single Sign On - Help?
Russell M. Allen
Russell.Allen at aebn.net
Thu Oct 16 14:24:23 EDT 2008
Interesting... First, enabling https fixed the problem. It works now.
(Thanks Scott!)
As for the cookies, I went back to https disabled and logged into my
service through CAS. Then I checked the cookies for the CAS server and
found the following 2 cookies:
Name:    CASTGC
Value:   TGT-1-4hAPEhBJRD0MKWgGjAdGqLVjJEjKWnh9qa6b4MclwbXCkPNfwZ-cas
Host:    localhost
Path:    /cas
Secure:  Yes
Expires: At End Of Session

Name:    JSESSIONID
Value:   abcinMKRSN3vzaZV80g0r
Host:    localhost
Path:    /
Secure:  No
Expires: At End Of Session

The second, JSESSIONID cookie is from resin (app server). The first,
CASTGC is from CAS. Note though, that the CASTGC cookie is marked
secure even though I have disabled https in the app server and the
request that the cookie was set on was not a secure connection. I would
have thought that you could only set a cookie as secure if you were
setting it in the reply of a secure request. Then again, I'm not an
HTTP protocol expert.
As for CAS requiring https... obviously ssl is required to prevent clear
text transmission of credentials and ensure client identity... but...
requiring https means that those of us that want an SSO solution only
(less concerned with security behind the firewall) are forced to deploy
SSL certs and enable https. Is there no way to use CAS as a SSO server
without https?
[That being said, I do want to say: Great app. It works, it's free, and
it seems to be well designed. I read the protocol and it is simple and
effective. That's nice to see these days. My hat is off to the
developers.]
-Russell
________________________________
From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Andrew Ralph Feller, afelle1
Sent: Thursday, October 16, 2008 12:06 PM
To: Yale CAS mailing list
Subject: Re: Login works but no Single Sign On - Help?
Can you confirm that your web browser has accepted the CASTGC cookie?
If you use Firefox, you can find this out by going to Privacy tab under
Firefox preferences and viewing cookies.
On 10/16/08 10:40 AM, "Scott Battaglia" <scott.battaglia at gmail.com>
wrote:
Are you running CAS over HTTP or HTTPS?
The secure ticketid/cookie is only sent back over HTTPS.
-Scott
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
On Thu, Oct 16, 2008 at 11:34 AM, Russell M. Allen
<Russell.Allen at aebn.net> wrote:
I have CAS installed in a Resin (Caucho) app server, and
it appears to be working just fine. I have not modified any of the
default configuration. It is as configured out of the box.
I have my service configured with a CAS client, and it
is appropriately redirecting requests to the CAS server for login. Once
credentials are provided (username=password) the CAS server is
redirecting to the service. The service validates the ticket and I get
the content that was originally requested from the service. All of this
works as expected.
The problem occurs when I run a second service (a copy
of the first, but on another port), and I try to hit it, I am forced to
log in again. The renew parameter is set to false, so it's not that. It is as if
the CAS server is not seeing the cookie with the ticket. In fact, I put
the CAS server in debug mode and sure enough the webflow logs, if I
understand them correctly, indicate that there is no ticket:
2008-10-16 11:05:10,260 DEBUG [org.springframework.webflow.engine.DecisionState] - <Entering state 'ticketGrantingTicketExistsCheck' of flow 'login-webflow'>
2008-10-16 11:05:10,276 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@1f21c50 on = *, to = gatewayRequestCheck] out of state 'ticketGrantingTicketExistsCheck'>
2008-10-16 11:05:10,276 DEBUG [org.springframework.webflow.engine.DecisionState] - <Entering state 'gatewayRequestCheck' of flow 'login-webflow'>
This is almost certainly a simple newbie mistake... I
am very grateful for any help I can get on this! :)
Thanks for your time,
Russell Allen
Data Tech Ventures, Inc.
Development Group
800.628.0241 x156
russell.allen at aebn.net
_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas
--
Andrew R. Feller, Analyst
Information Technology Services
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)
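
Added example, not part of the original thread and not CAS project code: the behaviour Scott describes, where a cookie marked Secure is stored but not sent back over plain HTTP, reproduced in Python with the Secure and path-match rules of RFC 6265. The Set-Cookie headers are constructed from the two cookies listed in the message; the cookie values and the port numbers are placeholders assumed for illustration.

```python
# Added example: which stored cookies a browser attaches to a request,
# following the Secure-attribute and path-match rules of RFC 6265.
# Domain matching is omitted: both cookies in the thread belong to localhost.
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers mirroring the two cookies reported in the
# thread; the ticket and session values are placeholders.
SET_COOKIE_HEADERS = [
    "CASTGC=TGT-1-PLACEHOLDER-cas; Path=/cas; Secure",
    "JSESSIONID=PLACEHOLDER; Path=/",
]


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_sent(url, set_cookie_headers=SET_COOKIE_HEADERS):
    """Return the names of the stored cookies a browser would send to url."""
    parts = urlsplit(url)
    sent = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if morsel["secure"] and parts.scheme != "https":
                continue  # Secure cookies are withheld on plain HTTP
            if path_matches(parts.path or "/", morsel["path"] or "/"):
                sent.append(name)
    return sent


if __name__ == "__main__":
    # Ports 8080 (HTTP) and 8443 (HTTPS) are assumed for illustration.
    for url in ("http://localhost:8080/cas/login",
                "https://localhost:8443/cas/login"):
        print(url, "->", cookies_sent(url))
```

On the HTTP URL only JSESSIONID is returned, so the CAS login webflow finds no ticket-granting ticket and asks for credentials again.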