This could actually be bad advice, depending on your CAS environment.
In a development scenario, this may not be so bad.  In a production scenario 
where your CAS client needs to cross an untrusted network to validate the CAS 
service ticket, you are leaving the validation open to MITM attacks.

If mod_auth_cas isn't validating the certificate, you should find out why 
instead of turning off peer verification.
Since it is using the cURL library, it seems like you could use command line 
cURL to test the cert.  You should try to run the command as the same user 
mod_auth_cas runs as, as the issue could just be a permission issue on the PEM 
file.

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
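
The check suggested above, as an added example that is not part of the original message: it tests whether the current user can reach the CA PEM file, then lets command-line cURL validate the CAS server certificate with peer verification left on. The account name "apache", the script name and the use of mod_auth_cas's CASCertificatePath file as the argument are assumptions; the URL is the CASValidateURL quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of the thread. Run it as the account httpd runs as:
#   sudo -u apache sh check_cas_tls.sh /path/to/ca.pem
# ("apache" and the script name are assumptions; the CA file is whatever
# mod_auth_cas's CASCertificatePath points at.)

# CASValidateURL as quoted in the thread; override via the environment.
CAS_URL="${CAS_URL:-https://localhost:9443/cas/serviceValidate}"

# Print the topmost path component the current user cannot use, or nothing.
# The file must be readable; every parent directory must be searchable (x).
blocked_component() {
    blocked=""
    [ -r "$1" ] || blocked=$1
    dir=$(dirname "$1")
    while :; do
        [ -x "$dir" ] || blocked=$dir
        if [ "$dir" = "/" ] || [ "$dir" = "." ]; then break; fi
        dir=$(dirname "$dir")
    done
    printf '%s' "$blocked"
}

# Translate the curl exit codes that matter for certificate validation.
explain_curl_exit() {
    case "$1" in
        0)  echo "certificate chain and host name verified" ;;
        51) echo "certificate does not match the host name (older curl)" ;;
        60) echo "server certificate failed verification against this CA file" ;;
        77) echo "CA file could not be read (path or access rights)" ;;
        *)  echo "curl exit $1: failure outside certificate validation" ;;
    esac
}

main() {
    ca_file=$1
    bad=$(blocked_component "$ca_file")
    if [ -n "$bad" ]; then echo "$(id -un) cannot access: $bad"; return 1; fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca_file"; then
        echo "$ca_file contains no PEM certificate"; return 1
    fi
    # Verification stays on (curl's default); only the trust anchor is supplied.
    rc=0
    curl --silent --show-error --output /dev/null --cacert "$ca_file" "$CAS_URL" || rc=$?
    explain_curl_exit "$rc"
    return "$rc"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

If the script succeeds as root but reports a blocked component as the httpd account, the 401 is a file permission problem rather than a certificate problem.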

----- Original Message -----
From: "pouria Mahmoudi" <[email protected]>
To: "CAS Community" <[email protected]>
Sent: Monday, October 3, 2016 5:19:28 PM
Subject: [cas-user] Re: "401 Authorization Required"

Ok I have figured out the issue. I needed to set up HTTPS for apache to be 
able to see the logs and when I installed HTTPS for apache I saw the 401 
Authorization problem which was related to SSL certificate non CA.
So what I did to fix the issue was to open up mod_auth_cas.c file and 
replace this line:

curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
with 
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);

and bingo. It fixed the issue.


On Saturday, October 1, 2016 at 12:52:25 PM UTC-7, pouria Mahmoudi wrote:
>
> Hi,
> I set up apache httpd (2.2.15) and tomcat 8 and also downloaded cas server 
> war file as explained in this document:
>
> https://www.howtoforge.com/how-to-set-up-apache-tomcat-mod_jk-sso-cas-mod_auth_cas
>
> Everything was good, so when I try to access a secured page, I am correctly 
> redirected to CAS server, but when I enter user/pass and expected to see 
> the secured pages, I see "401 Authorization Required" page.
>
> There is not much helpful information in the apache log, nor in the cas 
> server. However, I added the log here:
>
> CAS server log:
>
> 2016-10-01 12:43:47,648 INFO 
> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket 
> [ST-2-icfYsgQpiaNi4qC5oPC1-its.cas] for service [
> http://localhost/examples/] for user [casuser]>
> 2016-10-01 12:43:47,648 INFO 
> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
> trail record BEGIN
> =============================================================
> WHO: casuser
> WHAT: ST-2-icfYsgQpiaNi4qC5oPC1-its.cas for http://localhost/examples/
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Sat Oct 01 12:43:47 PDT 2016
> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
> =============================================================
>
>
> Apache httpd log:
>
> error_log:
>
> [Sat Oct 01 12:35:02 2016] [notice] SELinux policy enabled; httpd running 
> as context unconfined_u:system_r:httpd_t:s0
> [Sat Oct 01 12:35:02 2016] [notice] suEXEC mechanism enabled (wrapper: 
> /usr/sbin/suexec)
> [Sat Oct 01 12:35:02 2016] [notice] Digest: generating secret for digest 
> authentication ...
> [Sat Oct 01 12:35:02 2016] [notice] Digest: done
> [Sat Oct 01 12:35:02 2016] [info] APR LDAP: Built with OpenLDAP LDAP SDK
> [Sat Oct 01 12:35:02 2016] [info] LDAP: SSL support available
> [Sat Oct 01 12:35:02 2016] [warn] ./mod_dnssd.c: No services found to 
> register
> [Sat Oct 01 12:35:02 2016] [notice] Apache/2.2.15 (Unix) DAV/2 
> mod_jk/1.2.32 SVN/1.6.11 configured -- resuming normal operations
> [Sat Oct 01 12:35:02 2016] [info] Server built: Jul 18 2016 15:24:00
>
> access_log:
> ::1 - - [01/Oct/2016:12:43:39 -0700] "GET /examples/ HTTP/1.1" 302 336 "-" 
> "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
> ::1 - - [01/Oct/2016:12:43:47 -0700] "GET 
> /examples/?ticket=ST-2-icfYsgQpiaNi4qC5oPC1-its.cas HTTP/1.1" 401 476 "-" 
> "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
>
>
> I am really confused. Any help will be much appreciated.
>
>
> This is cas.config:
>
> LoadModule auth_cas_module    /usr/lib64/httpd/modules/mod_auth_cas.so
> CASCookiePath /var/cache/httpd/mod_auth_cas/
> CASLoginURL https://localhost:9443/cas/login
> CASValidateURL https://localhost:9443/cas/serviceValidate
> <Location /examples>
>         AuthType CAS
>         require valid-user
> </Location>
>
>

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9a936356-1d94-41c0-a95e-7d2f9d0f6e49%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
