I am using CAS 4.2.x and I am exploring the Proxy feature.
But I am having difficulties setting it up using the
examples (example_proxy_GET.php) in phpCAS as a starting point.
The PHP script failed to be authenticated as a proxy and output logs like this:
(in the forceAuthentication() call after a successful login)
.=> phpCAS::forceAuthentication() [example_proxy_GET.php:40]
ACC1 .| => CAS_Client::forceAuthentication() [CAS.php:1080]
ACC1 .| | => CAS_Client::isAuthenticated() [Client.php:1249]
ACC1 .| | | => CAS_Client::_wasPreviouslyAuthenticated() [Client.
php:1362]
ACC1 .| | | | neither user nor PGT found [Client.php:1581]
ACC1 .| | | <= false
ACC1 .| | | CAS 2.0 ticket
`ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org'
is present [Client.php:1415]
ACC1 .| | | => CAS_Client::validateCAS20('', NULL, NULL, false)
[Client.php:1417]
ACC1 .| | | | [Client.php:3127]
ACC1 .| | | | => CAS_Client::getServerServiceValidateURL()
[Client.php:3134]
ACC1 .| | | | | => CAS_Client::getURL() [Client.php:453]
ACC1 .| | | | | | Final URI:
https://mydomain/cas_test/php-client-examples/example_proxy_GET.php
[Client.php:3497]
ACC1 .| | | | | <=
'https://mydomain/cas_test/php-client-examples/example_proxy_GET.php'
ACC1 .| | | | <=
'https://10.7.14.10:8443/cas/serviceValidate?service=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php'
ACC1 .| | | | =>
CAS_Client::_readURL('https://10.7.14.10:8443/cas/serviceValidate?service=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php&ticket=ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org&pgtUrl=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php',
NULL, NULL, NULL) [Client.php:3149]
ACC1 .| | | | | => CAS_Request_CurlRequest::sendRequest()
[AbstractRequest.php:242]
ACC1 .| | | | | | Response Body:
ACC1 .| | | | | |
ACC1 .| | | | | |
ACC1 .| | | | | | <cas:serviceResponse
xmlns:cas='http://www.yale.edu/tp/cas'>
ACC1 .| | | | | | <cas:authenticationFailure
code='INVALID_PROXY_CALLBACK'>
ACC1 .| | | | | | The supplied proxy callback
url
'https://mydomain/cas_test/php-client-examples/example_proxy_GET.php'
could not be authenticated.
ACC1 .| | | | | | </cas:authenticationFailure>
ACC1 .| | | | | | </cas:serviceResponse>
ACC1 .| | | | | |
ACC1 .| | | | | | [CurlRequest.php:84]
ACC1 .| | | | | <= true
ACC1 .| | | | <= true
ACC1 .| | | | =>
CAS_AuthenticationException::__construct(CAS_Client, 'Ticket not
validated',
'https://10.7.14.10:8443/cas/serviceValidate?service=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php&ticket=ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org&pgtUrl=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php',
false, false, '<cas:serviceResponse
xmlns:cas=\'http://www.yale.edu/tp/cas\'> <cas:authenticationFailure
code=\'INVALID_PROXY_CALLBACK\'> The supplied proxy callback url
'https://mydomain/cas_test/php-client-examples/example_proxy_GET.php'
could not be authenticated.
</cas:authenticationFailure></cas:serviceResponse>',
'INVALID_PROXY_CALLBACK', 'The supplied proxy callback url
\'https://mydomain/cas_test/php-client-examples/example_proxy_GET.php\'
could not be authenticated.') [Client.php:3239]
ACC1 .| | | | | => CAS_Client::getURL()
[AuthenticationException.php:76]
ACC1 .| | | | | <=
'https://mydomain/cas_test/php-client-examples/example_proxy_GET.php'
ACC1 .| | | | | CAS URL:
https://10.7.14.10:8443/cas/serviceValidate?service=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php&ticket=ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org&pgtUrl=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php
[AuthenticationException.php:79]
ACC1 .| | | | | Authentication failure: Ticket not validated
[AuthenticationException.php:80]
ACC1 .| | | | | Reason: [INVALID_PROXY_CALLBACK] CAS error:
The supplied proxy callback url
'https://mydomain/cas_test/php-client-examples/example_proxy_GET.php' could
not be authenticated. [AuthenticationException.php:96]
ACC1 .| | | | | CAS response:
ACC1 .| | | | |
ACC1 .| | | | | <cas:serviceResponse
xmlns:cas='http://www.yale.edu/tp/cas'>
ACC1 .| | | | | <cas:authenticationFailure
code='INVALID_PROXY_CALLBACK'>
ACC1 .| | | | | The supplied proxy callback url
'https://mydomain/cas_test/php-client-examples/example_proxy_GET.php'
could not be authenticated.
ACC1 .| | | | | </cas:authenticationFailure>
ACC1 .| | | | | </cas:serviceResponse>
ACC1 .| | | | | [AuthenticationException.php:101]
ACC1 .| | | | | exit()
ACC1 .| | | | | -
ACC1 .| | | | -
ACC1 .| | | -
ACC1 .| | -
ACC1 .| -
CAS log:
2017-01-27 13:04:54,819 INFO [org.jasig.cas.CentralAuthenticationServiceImpl
] - Granted ticket [ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org] for
service [https://mydomain/cas_test/php-client-examples/example_proxy_GET.php]
and principal [user4]
2017-01-27 13:04:54,820 INFO [org.jasig.inspektr.audit.support.
Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: user4
WHAT: ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org for https:
//mydomain/cas_test/php-client-examples/example_proxy_GET.php
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Jan 27 13:04:54 CST 2017
CLIENT IP ADDRESS: 10.7.14.10
SERVER IP ADDRESS: 10.7.14.10
=============================================================
2017-01-27 13:04:54,820 INFO [org.jasig.inspektr.audit.support.
Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: user4
WHAT: ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org for https:
//mydomain/cas_test/php-client-examples/example_proxy_GET.php
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Jan 27 13:04:54 CST 2017
CLIENT IP ADDRESS: 10.7.14.10
SERVER IP ADDRESS: 10.7.14.10
=============================================================
2017-01-27 13:04:54,940 WARN [org.jasig.cas.authentication.handler.support.
HttpBasedServiceCredentialsAuthenticationHandler] - Proxy policy for
service [^(https?|imaps?)://.*] cannot authorize the requested callback url
[https://mydomain/cas_test/php-client-examples/example_proxy_GET.php].
2017-01-27 13:04:54,941 INFO [org.jasig.cas.authentication.
PolicyBasedAuthenticationManager] -
HttpBasedServiceCredentialsAuthenticationHandler failed authenticating https
://mydomain/cas_test/php-client-examples/example_proxy_GET.php
2017-01-27 13:04:54,941 INFO [org.jasig.inspektr.audit.support.
Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: https://mydomain/cas_test/php-client-examples/example_proxy_GET.php
WHAT: Supplied credentials: [https:
//mydomain/cas_test/php-client-examples/example_proxy_GET.php]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Jan 27 13:04:54 CST 2017
CLIENT IP ADDRESS: 10.7.14.60
SERVER IP ADDRESS: 10.7.14.10
=============================================================
2017-01-27 13:04:54,941 INFO [org.jasig.inspektr.audit.support.
Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: https://mydomain/cas_test/php-client-examples/example_proxy_GET.php
WHAT: Supplied credentials: [https:
//mydomain/cas_test/php-client-examples/example_proxy_GET.php]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Jan 27 13:04:54 CST 2017
CLIENT IP ADDRESS: 10.7.14.60
SERVER IP ADDRESS: 10.7.14.10
=============================================================
2017-01-27 13:04:54,941 WARN [org.jasig.cas.web.ServiceValidateController] -
Failed to authenticate service credential https:
//mydomain/cas_test/php-client-examples/example_proxy_GET.php
My service definition:
{
  "@class" : "org.jasig.cas.services.RegexRegisteredService",
  "serviceId" : "^(https?|imaps?)://.*",
  "name" : "test local",
  "id" : 1,
  "evaluationOrder" : 0,
  "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
    },
    "authorizedToReleaseCredentialPassword" : false,
    "authorizedToReleaseProxyGrantingTicket" : true
  }
}
'mydomain' has HTTPS set up properly using Let's Encrypt and the certs
are imported into a custom trust store:
cas.properties
http.client.truststore.file=classpath:truststore.jks
Why does CAS keep saying Proxy policy for service [^(https?|imaps?)://.*] cannot
authorize the requested callback url
[https://lockcole.acgmoe.net/cas_test/php-client-examples/example_proxy_GET.php]?
I would be grateful for any advice on what I am missing or anything I
can do to trace the problem.
Thanks in advance.
C.C.
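
Added example, not part of the original message and not CAS or phpCAS code: a small Python model of the proxy-policy check that produces the WARN line above, run against the posted service definition and a constructed variant with an explicit policy. It assumes CAS 4.2 behaviour, where a service without a "proxyPolicy" gets RefuseRegisteredServiceProxyPolicy and RegexMatchingRegisteredServiceProxyPolicy tests its "pattern" against the pgtUrl; Python's re.search stands in for the Java matcher, and the function names are hypothetical.

```python
import json
import re

REFUSE = "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
REGEX = "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy"
CALLBACK = "https://mydomain/cas_test/php-client-examples/example_proxy_GET.php"

# Service definition from the post, reduced to the fields that matter here.
POSTED = json.loads(r"""
{
  "@class": "org.jasig.cas.services.RegexRegisteredService",
  "serviceId": "^(https?|imaps?)://.*",
  "name": "test local",
  "id": 1
}
""")

# Constructed variant: same service plus an explicit, narrowly scoped proxy policy.
WITH_POLICY = dict(POSTED, proxyPolicy={
    "@class": REGEX,
    "pattern": r"^https://mydomain/cas_test/php-client-examples/.*",
})


def proxy_callback_allowed(service, pgt_url):
    """Model of the server-side check: may this service use pgt_url as callback?"""
    policy = service.get("proxyPolicy") or {"@class": REFUSE}  # absent means refuse
    if policy["@class"] == REGEX:
        return re.search(policy["pattern"], pgt_url) is not None
    return False


def audit(service):
    """Return findings about a service definition's proxy policy."""
    policy = service.get("proxyPolicy")
    if not policy or policy["@class"] == REFUSE:
        return ["no proxy policy: every pgtUrl is rejected (INVALID_PROXY_CALLBACK)"]
    findings = []
    pattern = policy.get("pattern", "")
    # Probe with a constructed, unrelated host to spot catch-all patterns.
    if policy["@class"] == REGEX and re.search(pattern, "https://unrelated.invalid/x"):
        findings.append("pattern accepts an unrelated host; scope it to the proxying app")
    return findings
```

The "authorizedToReleaseProxyGrantingTicket" flag in the posted definition belongs to the attribute release policy and is not consulted by this check.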