I know it is not safe to turn certificate validation off for production. I was testing in a dev environment where I don't have a valid CA certificate, and the dev server is not accessible outside the company. Anyways, thanks for the concern and for sharing it.

On Tuesday, October 4, 2016 at 5:59:36 AM UTC-7, waldbiec wrote:
>
> This could actually be bad advice, depending on your CAS environment.
> In a development scenario, this may not be so bad. In a production
> scenario where your CAS client needs to cross an untrusted network to
> validate the CAS service ticket, you are leaving the validation open to
> MITM attacks.
>
> If mod_auth_cas isn't validating the certificate, you should find out why
> instead of turning off peer verification.
> Since it is using the cURL library, it seems like you could use command
> line cURL to test the cert. You should try to run the command as the same
> user mod_auth_cas runs as, as the issue could just be a permission issue on
> the PEM file.
>
> Thanks,
> Carl Waldbieser
> ITS Systems Programmer
> Lafayette College
>
> ----- Original Message -----
> From: "pouria Mahmoudi" <[email protected]>
> To: "CAS Community" <[email protected]>
> Sent: Monday, October 3, 2016 5:19:28 PM
> Subject: [cas-user] Re: "401 Authorization Required"
>
> Ok I have figured out the issue. I needed to set up HTTPS for apache to be
> able to see the logs and when I installed HTTPS for apache I saw the 401
> Authorization problem which was related to SSL certificate non CA.
> So what I did to fix the issue was to open up mod_auth.cas.c file and
> replace this line:
>
> curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
> with
> curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
>
> and bingo. It fixed the issue.
>
> On Saturday, October 1, 2016 at 12:52:25 PM UTC-7, pouria Mahmoudi wrote:
> >
> > Hi,
> > I set up apache httpd (2.2.15) and tomcat 8 and also downloaded cas server
> > war file as explained in this document:
> >
> > https://www.howtoforge.com/how-to-set-up-apache-tomcat-mod_jk-sso-cas-mod_auth_cas
> >
> > Everything was good, so when I try to access a secured page, I am correctly
> > redirected to CAS server, but when I enter user/pass and expected to see
> > the secured pages, I see "401 Authorization Required" page.
> >
> > There is not much helpful information in the apache log, neither in cas
> > server. However I added the log here:
> >
> > CAS server log:
> >
> > 2016-10-01 12:43:47,648 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-2-icfYsgQpiaNi4qC5oPC1-its.cas] for service [http://localhost/examples/] for user [casuser]>
> > 2016-10-01 12:43:47,648 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> > =============================================================
> > WHO: casuser
> > WHAT: ST-2-icfYsgQpiaNi4qC5oPC1-its.cas for http://localhost/examples/
> > ACTION: SERVICE_TICKET_CREATED
> > APPLICATION: CAS
> > WHEN: Sat Oct 01 12:43:47 PDT 2016
> > CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
> > SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
> > =============================================================
> >
> > Apache httpd log:
> >
> > error_log:
> >
> > [Sat Oct 01 12:35:02 2016] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
> > [Sat Oct 01 12:35:02 2016] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> > [Sat Oct 01 12:35:02 2016] [notice] Digest: generating secret for digest authentication ...
> > [Sat Oct 01 12:35:02 2016] [notice] Digest: done
> > [Sat Oct 01 12:35:02 2016] [info] APR LDAP: Built with OpenLDAP LDAP SDK
> > [Sat Oct 01 12:35:02 2016] [info] LDAP: SSL support available
> > [Sat Oct 01 12:35:02 2016] [warn] ./mod_dnssd.c: No services found to register
> > [Sat Oct 01 12:35:02 2016] [notice] Apache/2.2.15 (Unix) DAV/2 mod_jk/1.2.32 SVN/1.6.11 configured -- resuming normal operations
> > [Sat Oct 01 12:35:02 2016] [info] Server built: Jul 18 2016 15:24:00
> >
> > access_log:
> > ::1 - - [01/Oct/2016:12:43:39 -0700] "GET /examples/ HTTP/1.1" 302 336 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
> > ::1 - - [01/Oct/2016:12:43:47 -0700] "GET /examples/?ticket=ST-2-icfYsgQpiaNi4qC5oPC1-its.cas HTTP/1.1" 401 476 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
> >
> > I am really confused. Any help will be much appreciated.
> >
> > This is cas.config:
> >
> > LoadModule auth_cas_module /usr/lib64/httpd/modules/mod_auth_cas.so
> > CASCookiePath /var/cache/httpd/mod_auth_cas/
> > CASLoginURL https://localhost:9443/cas/login
> > CASValidateURL https://localhost:9443/cas/serviceValidate
> > <Location /examples>
> > AuthType CAS
> > require valid-user
> > </Location>
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/9a936356-1d94-41c0-a95e-7d2f9d0f6e49%40apereo.org.
> For more options, visit https://groups.google.com/a/apereo.org/d/optout.
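
Added example, not part of the original thread or of mod_auth_cas: the command-line cURL test suggested in the quoted reply, run with peer verification left on and only the dev CA trusted. The CA file path and the `apache` account are assumptions; the validate URL is the one from the posted config.

```sh
#!/bin/sh
# Added example (not from the thread): repeat the ticket-validation TLS check with curl.
CAS_VALIDATE_URL="https://localhost:9443/cas/serviceValidate"  # CASValidateURL from the posted config
CA_FILE="/etc/pki/tls/certs/dev-ca.pem"  # hypothetical path to the dev CA certificate (PEM)
HTTPD_USER="apache"                      # assumption: account httpd runs as

# Map curl's exit status to the likely cause of a failed ticket validation.
explain_curl_exit() {
  case "$1" in
    0)     echo "ok: certificate chain verified against the CA file" ;;
    7)     echo "connect failed: CAS server not reachable at that host and port" ;;
    35)    echo "TLS handshake failed before certificate verification" ;;
    51|60) echo "verification failed: certificate not trusted by the CA file or wrong host name" ;;
    77)    echo "CA file unreadable: check the path and permissions for the httpd user" ;;
    *)     echo "unexpected curl exit status $1" ;;
  esac
}

# check_cas_tls URL CA_FILE [USER]
# Keeps peer verification on and trusts only CA_FILE. With USER set, both the
# read test and curl run under that account via sudo.
check_cas_tls() {
  url=$1; ca=$2; user=${3:-}
  run=""
  [ -n "$user" ] && run="sudo -u $user"
  # An unreadable PEM is the permission problem suggested in the thread.
  if ! $run test -r "$ca"; then
    explain_curl_exit 77
    return 77
  fi
  rc=0
  $run curl --silent --show-error --output /dev/null --cacert "$ca" "$url" || rc=$?
  explain_curl_exit "$rc"
  return "$rc"
}

# Run the check only when asked, e.g.: sh check_cas_tls.sh --run
if [ "${1:-}" = "--run" ]; then
  check_cas_tls "$CAS_VALIDATE_URL" "$CA_FILE" "$HTTPD_USER"
fi
```

Once curl verifies the chain with `--cacert`, the same PEM can be given to the module through mod_auth_cas's `CASCertificatePath` directive, leaving `CURLOPT_SSL_VERIFYPEER` at `1L`. The error_log above shows SELinux enabled, and `sudo -u` does not reproduce the `httpd_t` context, so a file that is readable in this test can still be denied to httpd by policy.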
