Julien Herfurth wrote:
Julien Herfurth wrote:
Hello,
I've made a simple setup with Acegi security and CAS. When I try to access a secured object
(in my case a method of a dao), the browser is redirected to the cas login page as expected, but
when the browser is redirected back to
https://localhost:8443/sample/j_acegi_cas_security_check?ticket=blahblahblah,
I get this error:
15:41:08.393 WARN!! Exception for /sample/j_acegi_cas_security_check?ticket=ST-0-fvOFl0bCOjCZNuz4CPeO
java.lang.IllegalArgumentException: Cannot pass null or empty values to constructor
at net.sf.acegisecurity.providers.cas.CasAuthenticationToken.<init>(CasAuthenticationToken.java:70)
at net.sf.acegisecurity.providers.cas.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:226)
at net.sf.acegisecurity.providers.cas.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:181)
It seems that there are missing parameters when the CasAuthenticationProvider tries to instantiate a new
CasAuthenticationToken. Is it something someone has already seen? Does anyone have a quick hint about that?
Thanks,
Julien
In the call to CasAuthenticationToken.authenticateNow(), the proxyList and the proxyGrantingTicketIou
parameters of the CasAuthenticationToken constructor are empty. This raises the IllegalArgumentException,
but usage of proxy is optional... Is this a bug or am I missing something?
Hi Julien
This is very strange, for several reasons. Here is the code from CasAuthenticationProvider:
    private CasAuthenticationToken authenticateNow(
        Authentication authentication) throws AuthenticationException {
        // Validate
        TicketResponse response = ticketValidator.confirmTicketValid(authentication.getCredentials()
                .toString());

        // Check proxy list is trusted
        this.casProxyDecider.confirmProxyListTrusted(response.getProxyList());

        // Build list of granted authorities
        GrantedAuthority[] ga = this.casAuthoritiesPopulator.getAuthorities(response
                .getUser());

        // Construct CasAuthenticationToken
        return new CasAuthenticationToken(this.key, response.getUser(),
            authentication.getCredentials(), ga, response.getProxyList(),
            response.getProxyGrantingTicketIou());
    }
What you're seeing is odd because for the method to get to the point of trying to construct CasAuthenticationToken, it has already used the casProxyDecider. If you're using any of the Acegi Security-provided implementations of CasProxyDecider, they use the code:
    if (proxyList == null) {
        throw new IllegalArgumentException("proxyList cannot be null");
    }
So I'm unsure how you even get to the point of CasAuthenticationToken being constructed if the TicketResponse.proxyList is null. Curiously, your stack trace refers to CasAuthenticationProvider.java:226. In CVS HEAD the file stops at line 222. I'm guessing you've added some debug lines, but have you changed any actual code?
It's true that CasAuthenticationToken, CasProxyDecider and others all expect the TicketResponse to contain no null values. Even if you're not using the proxy callback capabilities, the TicketValidator constructor sets up sensible non-null defaults if null is passed in:
    public TicketResponse(String user, List proxyList, String proxyGrantingTicketIou) {
        if (proxyList == null) {
            proxyList = new Vector();
        }
        if (proxyGrantingTicketIou == null) {
            proxyGrantingTicketIou = "";
        }
So, how you're ending up with a null in TicketResponse is of interest. There is even a unit test which checks it works (TicketResponseTests):
    public void testConstructorAcceptsNullProxyGrantingTicketIOU() {
        TicketResponse ticket = new TicketResponse("marissa", new Vector(), null);
        assertEquals("", ticket.getProxyGrantingTicketIou());
    }

    public void testConstructorAcceptsNullProxyList() {
        TicketResponse ticket = new TicketResponse("marissa", null,
                "PGTIOU-0-R0zlgrl4pdAQwBvJWO3vnNpevwqStbSGcq3vKB2SqSFFRnjPHt");
        assertEquals(new Vector(), ticket.getProxyList());
    }
I think it would help if you could confirm your CasAuthenticationToken.authenticateNow method looks like the block above. Then add in a logger.debug(response.toString()) after the ticketValidator.confirmTicketValid line. It will shed some light on whether the TicketResponse contains a null to begin with. It might also help to check out CVS HEAD (or 0.51 should be fine as the CAS code hasn't changed since then), to ensure we're both using the same code.
Best regards
Ben
_______________________________________________
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
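
The debugging step suggested in the reply, generalized as an added example (not part of the original thread and not Acegi Security code): it reports whether each of the six arguments passed to the CasAuthenticationToken constructor is null, empty or set, without writing the ticket value itself to the log. The class `TokenArgDiagnostics`, its `state` and `describe` helpers, and the cut-down `TicketResponse` stand-in are hypothetical; the sample values are constructed.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Vector;

public class TokenArgDiagnostics {

    // Stand-in for TicketResponse, limited to the null defaults quoted in the thread.
    static final class TicketResponse {
        final String user;
        final List<?> proxyList;
        final String proxyGrantingTicketIou;

        TicketResponse(String user, List<?> proxyList, String proxyGrantingTicketIou) {
            this.user = user;
            this.proxyList = (proxyList == null) ? new Vector<Object>() : proxyList;
            this.proxyGrantingTicketIou =
                (proxyGrantingTicketIou == null) ? "" : proxyGrantingTicketIou;
        }
    }

    // Classifies a value as "null", "empty" or "set". Only the state is reported,
    // so a service ticket (a one-time credential) never ends up in the debug log.
    static String state(Object value) {
        if (value == null) return "null";
        if (value instanceof String && ((String) value).isEmpty()) return "empty";
        if (value instanceof List && ((List<?>) value).isEmpty()) return "empty";
        if (value instanceof Object[] && ((Object[]) value).length == 0) return "empty";
        return "set";
    }

    // One entry per constructor argument, in the order used by authenticateNow().
    static Map<String, String> describe(String key, Object credentials,
                                        Object[] authorities, TicketResponse response) {
        Map<String, String> report = new LinkedHashMap<>();
        report.put("key", state(key));
        report.put("user", state(response.user));
        report.put("credentials", state(credentials));
        report.put("authorities", state(authorities));
        report.put("proxyList", state(response.proxyList));
        report.put("proxyGrantingTicketIou", state(response.proxyGrantingTicketIou));
        return report;
    }

    public static void main(String[] args) {
        // Constructed sample: a null key and a ticket response without proxy data.
        TicketResponse response = new TicketResponse("marissa", null, null);
        System.out.println(describe(null, "ST-constructed-sample",
                new Object[] {"ROLE_USER"}, response));
    }
}
```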