C.C.,

The CAS server must be able to access the callback URL. Perhaps there is
a network issue.

Ray

On 26/01/17 09:16 PM, C. C. Tang wrote:
> I am using CAS 4.2.x and I am exploring the Proxy feature.
>
>
> But I am having difficulties setting it up using the
> examples (example_proxy_GET.php) in phpCAS as a starting point.
> The PHP failed to be authenticated as a proxy and output logs like this:
>
> (in forceAuthentication() call after successful login)
>
> |
> .=>phpCAS::forceAuthentication()[example_proxy_GET.php:40]
> ACC1 .|   =>CAS_Client::forceAuthentication()[CAS.php:1080]
> ACC1 .|   |   =>CAS_Client::isAuthenticated()[Client.php:1249]
> ACC1 .|   |   | 
>  =>CAS_Client::_wasPreviouslyAuthenticated()[Client.php:1362]
> ACC1 .|   |   |   |   neither user nor PGT found [Client.php:1581]
> ACC1 .|   |   |   <=false
> ACC1 .|   |   |   CAS 2.0 ticket
> `ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org' is present [Client.php:1415]
> ACC1 .|    |    |    => CAS_Client::validateCAS20('', NULL, NULL,
> false) [Client.php:1417]
> ACC1 .|    |    |    |     [Client.php:3127]
> ACC1 .|    |    |    |    => CAS_Client::getServerServiceValidateURL()
> [Client.php:3134]
> ACC1 .|    |    |    |    |    => CAS_Client::getURL() [Client.php:453]
> ACC1 .|    |    |    |    |    |    Final URI:
> https://mydomain/cas_test/php-client-examples/example_proxy_GET.php
> [Client.php:3497]
> ACC1 .|    |    |    |    |    <=
> 'https://mydomain/cas_test/php-client-examples/example_proxy_GET.php'
> ACC1 .|    |    |    |    <=
> 'https://10.7.14.10:8443/cas/serviceValidate?service=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php'
> ACC1 .|    |    |    |    =>
> CAS_Client::_readURL('https://10.7.14.10:8443/cas/serviceValidate?service=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php&ticket=ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org&pgtUrl=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php',
> NULL, NULL, NULL) [Client.php:3149]
> ACC1 .|    |    |    |    |    =>
> CAS_Request_CurlRequest::sendRequest() [AbstractRequest.php:242]
> ACC1 .|    |    |    |    |    |    Response Body:
> ACC1 .|    |    |    |    |    |    
> ACC1 .|    |    |    |    |    |    
> ACC1 .|    |    |    |    |    |    <cas:serviceResponse
> xmlns:cas='http://www.yale.edu/tp/cas'>
> ACC1 .|    |    |    |    |    |        <cas:authenticationFailure
> code='INVALID_PROXY_CALLBACK'>
> ACC1 .|    |    |    |    |    |                The supplied proxy
> callback url
> &#039;https://mydomain/cas_test/php-client-examples/example_proxy_GET.php&#039;
> could not be authenticated.
> ACC1 .|    |    |    |    |    |        </cas:authenticationFailure>
> ACC1 .|    |    |    |    |    |    </cas:serviceResponse>
> ACC1 .|    |    |    |    |    |    
> ACC1 .|    |    |    |    |    |     [CurlRequest.php:84]
> ACC1 .|    |    |    |    |    <= true
> ACC1 .|    |    |    |    <= true
> ACC1 .|    |    |    |    =>
> CAS_AuthenticationException::__construct(CAS_Client, 'Ticket not
> validated',
> 'https://10.7.14.10:8443/cas/serviceValidate?service=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php&ticket=ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org&pgtUrl=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php',
> false, false, '<cas:serviceResponse
> xmlns:cas=\'http://www.yale.edu/tp/cas\'>  
>  <cas:authenticationFailure code=\'INVALID_PROXY_CALLBACK\'>          
>  The supplied proxy callback url
> &#039;https://mydomain/cas_test/php-client-examples/example_proxy_GET.php&#039;
> could not be authenticated.  
>  </cas:authenticationFailure></cas:serviceResponse>',
> 'INVALID_PROXY_CALLBACK', 'The supplied proxy callback url
> \'https://mydomain/cas_test/php-client-examples/example_proxy_GET.php\'
> could not be authenticated.') [Client.php:3239]
> ACC1 .|    |    |    |    |    => CAS_Client::getURL()
> [AuthenticationException.php:76]
> ACC1 .|    |    |    |    |    <=
> 'https://mydomain/cas_test/php-client-examples/example_proxy_GET.php'
> ACC1 .|    |    |    |    |    CAS URL:
> https://10.7.14.10:8443/cas/serviceValidate?service=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php&ticket=ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org&pgtUrl=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php
> [AuthenticationException.php:79]
> ACC1 .|    |    |    |    |    Authentication failure: Ticket not
> validated [AuthenticationException.php:80]
> ACC1 .|    |    |    |    |    Reason: [INVALID_PROXY_CALLBACK] CAS
> error: The supplied proxy callback url
> 'https://mydomain/cas_test/php-client-examples/example_proxy_GET.php'
> could not be authenticated. [AuthenticationException.php:96]
> ACC1 .|    |    |    |    |    CAS response:
> ACC1 .|    |    |    |    |    
> ACC1 .|    |    |    |    |    <cas:serviceResponse
> xmlns:cas='http://www.yale.edu/tp/cas'>
> ACC1 .|    |    |    |    |        <cas:authenticationFailure
> code='INVALID_PROXY_CALLBACK'>
> ACC1 .|    |    |    |    |                The supplied proxy callback
> url
> &#039;https://mydomain/cas_test/php-client-examples/example_proxy_GET.php&#039;
> could not be authenticated.
> ACC1 .|    |    |    |    |        </cas:authenticationFailure>
> ACC1 .|    |    |    |    |    </cas:serviceResponse>
> ACC1 .|    |    |    |    |     [AuthenticationException.php:101]
> ACC1 .|    |    |    |    |    exit()
> ACC1 .|    |    |    |    |    -
> ACC1 .|    |    |    |    -
> ACC1 .|    |    |    -
> ACC1 .|    |    -
> ACC1 .|    -
> |
>
> CAS log:
> |
> 2017-01-27 13:04:54,819 INFO
> [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted ticket
> [ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org] for service
> [https://mydomain/cas_test/php-client-examples/example_proxy_GET.php]
> and principal [user4]
> 2017-01-27 13:04:54,820 INFO
> [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail
> record BEGIN
> =============================================================
> WHO: user4
> WHAT: ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org
> for https://mydomain/cas_test/php-client-examples/example_proxy_GET.php
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Fri Jan 27 13:04:54 CST 2017
> CLIENT IP ADDRESS: 10.7.14.10
> SERVER IP ADDRESS: 10.7.14.10
> =============================================================
>
>
> 2017-01-27 13:04:54,820 INFO
> [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail
> record BEGIN
> =============================================================
> WHO: user4
> WHAT: ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org
> for https://mydomain/cas_test/php-client-examples/example_proxy_GET.php
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Fri Jan 27 13:04:54 CST 2017
> CLIENT IP ADDRESS: 10.7.14.10
> SERVER IP ADDRESS: 10.7.14.10
> =============================================================
>
>
> 2017-01-27 13:04:54,940 WARN
> [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - Proxy policy
> for service [^(https?|imaps?)://.*] cannot authorize the requested
> callback url
> [https://mydomain/cas_test/php-client-examples/example_proxy_GET.php].
> 2017-01-27 13:04:54,941 INFO
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - HttpBasedServiceCredentialsAuthenticationHandler failed
> authenticating
> https://mydomain/cas_test/php-client-examples/example_proxy_GET.php
> 2017-01-27 13:04:54,941 INFO
> [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail
> record BEGIN
> =============================================================
> WHO: https://mydomain/cas_test/php-client-examples/example_proxy_GET.php
> WHAT: Supplied credentials: [https://mydomain/cas_test/php-client-examples/example_proxy_GET.php]
> ACTION: AUTHENTICATION_FAILED
> APPLICATION: CAS
> WHEN: Fri Jan 27 13:04:54 CST 2017
> CLIENT IP ADDRESS: 10.7.14.60
> SERVER IP ADDRESS: 10.7.14.10
> =============================================================
>
>
> 2017-01-27 13:04:54,941 INFO
> [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail
> record BEGIN
> =============================================================
> WHO: https://mydomain/cas_test/php-client-examples/example_proxy_GET.php
> WHAT: Supplied credentials: [https://mydomain/cas_test/php-client-examples/example_proxy_GET.php]
> ACTION: AUTHENTICATION_FAILED
> APPLICATION: CAS
> WHEN: Fri Jan 27 13:04:54 CST 2017
> CLIENT IP ADDRESS: 10.7.14.60
> SERVER IP ADDRESS: 10.7.14.10
> =============================================================
>
>
> 2017-01-27 13:04:54,941 WARN
> [org.jasig.cas.web.ServiceValidateController] - Failed to authenticate
> service credential
> https://mydomain/cas_test/php-client-examples/example_proxy_GET.php
> |
>
>
> my service definition:
> |
> {
>   "@class":"org.jasig.cas.services.RegexRegisteredService",
>   "serviceId":"^(https?|imaps?)://.*",
>   "name":"test local",
>   "id":1,
>   "evaluationOrder":0,
>   "attributeReleasePolicy":{
>     "@class":"org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "principalAttributesRepository":{
>       "@class":"org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
>     },
>     "authorizedToReleaseCredentialPassword":false,
>     "authorizedToReleaseProxyGrantingTicket":true
>   }
> }
> |
>
>
> 'mydomain' has HTTPS set up properly using letsencrypt and the
> certs are imported to a custom trust store:
> cas.properties
> |
> http.client.truststore.file=classpath:truststore.jks
> |
>
>
> Why does CAS keep saying Proxy policy for service [^(https?|imaps?)://.*]
> cannot authorize the requested callback url
> [https://lockcole.acgmoe.net/cas_test/php-client-examples/example_proxy_GET.php]?
>
> I would be grateful for any advice on what I am missing or
> anything I can do to trace the problem.
>
> Thanks in advance.
> C.C.
> -- 
> - CAS gitter chatroom: https://gitter.im/apereo/cas
> - CAS mailing list guidelines:
> https://apereo.github.io/cas/Mailing-Lists.html
> - CAS documentation website: https://apereo.github.io/cas
> - CAS project website: https://github.com/apereo/cas
> ---
> You received this message because you are subscribed to the Google
> Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected]
> <mailto:[email protected]>.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/d5a9f6a9-9828-4712-900e-e9e03ea5a972%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/d5a9f6a9-9828-4712-900e-e9e03ea5a972%40apereo.org?utm_medium=email&utm_source=footer>.

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE C023 | [email protected]
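
The CAS log quoted above reports that the proxy policy for the matched service cannot authorize the callback URL, and the posted service definition has no `proxyPolicy` entry. The following is an added example, not part of the thread or of CAS itself: a small model of that check, assuming CAS 4.2 refuses proxy callbacks when a service defines no proxy policy and that `RegexMatchingRegisteredServiceProxyPolicy` with a `pattern` property is the policy used to allow them. The function names, the `WITH_POLICY` definition and the probe URL are constructed for illustration.

```python
import re

REFUSE = "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
REGEX = "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy"

# Service definition as posted in the thread (attribute release policy omitted).
POSTED = {
    "@class": "org.jasig.cas.services.RegexRegisteredService",
    "serviceId": "^(https?|imaps?)://.*",
    "name": "test local",
    "id": 1,
}

# Constructed variant: same service plus a proxy policy scoped to one path.
WITH_POLICY = dict(POSTED, proxyPolicy={
    "@class": REGEX,
    "pattern": r"^https://mydomain/cas_test/php-client-examples/.*",
})


def callback_decision(service, pgt_url):
    """Model the proxy-policy check made on pgtUrl during ticket validation.

    Returns (allowed, reason). Assumptions: a definition without proxyPolicy
    behaves like the refuse policy, and the regex policy does a search match.
    """
    policy = service.get("proxyPolicy")
    if policy is None or policy.get("@class") == REFUSE:
        return False, "no proxy policy: callbacks refused"
    if policy.get("@class") != REGEX:
        return False, "unrecognised proxy policy class"
    if re.search(policy.get("pattern", ""), pgt_url) is None:
        return False, "callback does not match pattern"
    return True, "callback matches pattern"


def pattern_is_broad(service):
    """Flag a pattern that would also authorise an unrelated host."""
    pattern = service.get("proxyPolicy", {}).get("pattern")
    probe = "https://unrelated.invalid/callback"  # constructed probe URL
    return pattern is not None and re.search(pattern, probe) is not None
```

Under this model the posted definition is refused before any network connection to the callback matters, and a catch-all pattern such as `^https?://.*` would let any HTTPS endpoint registered under the service obtain proxy-granting tickets.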
