This is extremely dangerous, your service is now vulnerable to HTTPS / man-in-the-middle style attacks. In fact, we explicitly removed this feature several years ago because of this:
https://github.com/Jasig/mod_auth_cas/commit/1b1032c230a3ddf9db9004326bd4d075ab602c0e

Please instead consider using 'http://' as a validation URL - this should remove any certificate misconfiguration issues to help facilitate any debugging. If that resolves the issue, you need to fix your configuration directives to point them at the right certificate chain.

If you can't access the CAS server over https, you should be able to start diagnosing from the debug logs based on the curl_easy_perform() return value here: "MOD_AUTH_CAS: curl_easy_perform()" to figure out why the connection is failing.

-Phil

On Mon, Oct 3, 2016 at 2:19 PM, pouria Mahmoudi <[email protected]> wrote:
> Ok, I have figured out the issue. I needed to set up HTTPS for apache to be
> able to see the logs, and when I installed HTTPS for apache I saw the 401
> Authorization problem, which was related to the SSL certificate not being CA-signed.
> So what I did to fix the issue was to open up the mod_auth.cas.c file and
> replace this line:
>
>     curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
>
> with
>
>     curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
>
> and bingo. It fixed the issue.
>
> On Saturday, October 1, 2016 at 12:52:25 PM UTC-7, pouria Mahmoudi wrote:
>>
>> Hi,
>> I set up apache httpd (2.2.15) and tomcat 8 and also downloaded the cas server
>> war file as explained in this document:
>> https://www.howtoforge.com/how-to-set-up-apache-tomcat-mod_jk-sso-cas-mod_auth_cas
>>
>> Everything was good, so when I try to access a secured page, I am correctly
>> redirected to the CAS server, but when I enter user/pass and expect to see
>> the secured pages, I see the "401 Authorization Required" page.
>>
>> There is not much helpful information in the apache log, nor in the cas
>> server. However, I added the logs here:
>>
>> CAS server log:
>>
>> 2016-10-01 12:43:47,648 INFO [org.jasig.cas.CentralAuthenticationServiceImpl]
>> - <Granted service ticket [ST-2-icfYsgQpiaNi4qC5oPC1-its.cas] for
>> service [http://localhost/examples/] for user [casuser]>
>> 2016-10-01 12:43:47,648 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>> =============================================================
>> WHO: casuser
>> WHAT: ST-2-icfYsgQpiaNi4qC5oPC1-its.cas for http://localhost/examples/
>> ACTION: SERVICE_TICKET_CREATED
>> APPLICATION: CAS
>> WHEN: Sat Oct 01 12:43:47 PDT 2016
>> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
>> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>> =============================================================
>>
>>
>> Apache httpd log:
>>
>> error_log:
>>
>> [Sat Oct 01 12:35:02 2016] [notice] SELinux policy enabled; httpd running
>> as context unconfined_u:system_r:httpd_t:s0
>> [Sat Oct 01 12:35:02 2016] [notice] suEXEC mechanism enabled (wrapper:
>> /usr/sbin/suexec)
>> [Sat Oct 01 12:35:02 2016] [notice] Digest: generating secret for digest
>> authentication ...
>> [Sat Oct 01 12:35:02 2016] [notice] Digest: done
>> [Sat Oct 01 12:35:02 2016] [info] APR LDAP: Built with OpenLDAP LDAP SDK
>> [Sat Oct 01 12:35:02 2016] [info] LDAP: SSL support available
>> [Sat Oct 01 12:35:02 2016] [warn] ./mod_dnssd.c: No services found to
>> register
>> [Sat Oct 01 12:35:02 2016] [notice] Apache/2.2.15 (Unix) DAV/2
>> mod_jk/1.2.32 SVN/1.6.11 configured -- resuming normal operations
>> [Sat Oct 01 12:35:02 2016] [info] Server built: Jul 18 2016 15:24:00
>>
>> access_log:
>> ::1 - - [01/Oct/2016:12:43:39 -0700] "GET /examples/ HTTP/1.1" 302 336
>> "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
>> ::1 - - [01/Oct/2016:12:43:47 -0700] "GET
>> /examples/?ticket=ST-2-icfYsgQpiaNi4qC5oPC1-its.cas
>> HTTP/1.1" 401 476 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0)
>> Gecko/20100101 Firefox/45.0"
>>
>>
>> I am really confused. Any help will be much appreciated.
>>
>>
>> This is cas.config:
>>
>> LoadModule auth_cas_module /usr/lib64/httpd/modules/mod_auth_cas.so
>> CASCookiePath /var/cache/httpd/mod_auth_cas/
>> CASLoginURL https://localhost:9443/cas/login
>> CASValidateURL https://localhost:9443/cas/serviceValidate
>> <Location /examples>
>> AuthType CAS
>> require valid-user
>> </Location>
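The configuration-side fix Phil describes, as an added example that is not from this thread or from the mod_auth_cas project: leave libcurl's peer verification intact and instead point mod_auth_cas at the CA chain that signed the CAS server's certificate using its CASCertificatePath directive. The path /etc/pki/tls/certs/cas-ca-chain.pem is an assumed placeholder.

```apache
# Added example (not from the thread): the same cas.config as posted above,
# with the module left unpatched and the trust anchor supplied in configuration.
LoadModule auth_cas_module /usr/lib64/httpd/modules/mod_auth_cas.so
CASCookiePath /var/cache/httpd/mod_auth_cas/
CASLoginURL https://localhost:9443/cas/login
CASValidateURL https://localhost:9443/cas/serviceValidate

# Assumed path: a PEM bundle holding the CA certificate(s) that issued the
# certificate served on localhost:9443 (mod_auth_cas also accepts a directory
# of CA certificates). The file must be readable by the httpd user; with the
# chain here, CURLOPT_SSL_VERIFYPEER stays enabled and validation succeeds.
CASCertificatePath /etc/pki/tls/certs/cas-ca-chain.pem

<Location /examples>
    AuthType CAS
    require valid-user
</Location>
```

Before reloading httpd, `curl -v --cacert /etc/pki/tls/certs/cas-ca-chain.pem https://localhost:9443/cas/serviceValidate` confirms that the bundle really validates the CAS server's certificate; if curl itself reports a verification error, the chain file is wrong, not the module.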
