Hello,

I'm trying to install a CAS server (v7) on a Debian 12 host. I am using Debian's tomcat10 package, Apache2 as a reverse proxy (AJP), the Oracle JDK 21.0.2 and a CAS Initializr overlay to build the cas.war file. My CAS server runs well, but I have a problem with the authentication of the management app. I use a CAS Initializr overlay for the CAS management 7.0.0-SNAPSHOT and I have no problem building the war and deploying it in the same context. I configure the CAS client in the management app:

cas.server.name=https://idp.example.tld
cas.server.prefix=${cas.server.name}/cas

When I try to access the management app, I enter a loop: I'm redirected to the CAS server, which authenticates me and redirects me to the management app on its callback URL with a ticket (https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-53-oxTcezruW9p3hhw5YBRWDXF4HUk-cas1-preprod), and I'm redirected again to the CAS server for authentication, which redirects me back with a new ticket, and so on. I have no errors in the logs; I tried to enable debugging and I can't find any indication of my problem (see logs below).

Do you have any idea?

Furthermore, is it a good idea to run the CAS server and management apps version 7 in production, or do I have to use version 6?

Thanks!

2024-03-26 12:45:29,508 DEBUG [org.springframework.security.web.FilterChainProxy] - Securing GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,508 DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] - Request: filter invocation [GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod]; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
2024-03-26 12:45:29,509 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - Set SecurityContextHolder to anonymous SecurityContext
2024-03-26 12:45:29,509 DEBUG [org.springframework.security.web.FilterChainProxy] - Secured GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,510 DEBUG [org.springframework.web.servlet.DispatcherServlet] - GET "/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod", parameters={masked}
2024-03-26 12:45:29,512 DEBUG [org.springframework.web.servlet.handler.SimpleUrlHandlerMapping] - Mapped to ResourceHttpRequestHandler [classpath [dist/], classpath [static/]]
2024-03-26 12:45:29,512 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - === SECURITY ===
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - url: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - clients: null | matchers: null
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Provided clientNames: null
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Default security clients: null
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Only client: CasClient
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - clientNameOnRequest: Optional.empty
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.Clients] - Found client: CasClient(super=IndirectClient(super=BaseClient(name=CasClient, authorizationGenerators=[org.apereo.cas.mgmt.authz.json.JsonResourceAuthorizationGenerator@3a1a130f, org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@693918b7], credentialsExtractor=org.pac4j.cas.credentials.extractor.CasCredentialsExtractor@463e523, authenticator=InitializableObject(initialized=false, maxAttempts=3, nbAttempts=0, lastAttempt=null, minTimeIntervalBetweenAttemptsInMilliseconds=5000), profileCreator=org.pac4j.core.profile.creator.AuthenticatorProfileCreator@356f4a7b, customProperties={}, profileFactoryWhenNotAuthenticated=null, multiProfile=false, saveProfileInSession=true, config=org.pac4j.core.config.Config@3236bd7d), callbackUrl=https://idp.example.tld/cas-management/callback, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, callbackUrlResolver=org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@4a2a083e, ajaxRequestResolver=org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f402824, redirectionActionBuilder=org.pac4j.cas.redirect.CasRedirectionActionBuilder@31d3b75f, logoutProcessor=org.pac4j.cas.logout.processor.CasLogoutProcessor@5083e21e, logoutActionBuilder=CasLogoutActionBuilder(serverLogoutUrl=https://idp.example.tld/cas/logout, postLogoutUrlParameter=service), checkAuthenticationAttempt=true), configuration=CasConfiguration(encoding=UTF-8, loginUrl=https://idp.example.tld/cas/login, prefixUrl=https://idp.example.tld/cas/, restUrl=https://idp.example.tld/cas/v1/tickets, timeTolerance=1000, protocol=CAS30, renew=false, gateway=false, acceptAnyProxy=false, allowedProxyChains=[], defaultTicketValidator=null, proxyReceptor=null, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, postLogoutUrlParameter=service, customParams={}, method=null, privateKeyPath=null, privateKeyAlgorithm=null, privateKey=null, hostnameVerifier=null, sslSocketFactory=null)) for name: CasClient
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - result: [CasClient]
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - currentClients: [CasClient(super=IndirectClient(super=BaseClient(name=CasClient, authorizationGenerators=[org.apereo.cas.mgmt.authz.json.JsonResourceAuthorizationGenerator@3a1a130f, org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@693918b7], credentialsExtractor=org.pac4j.cas.credentials.extractor.CasCredentialsExtractor@463e523, authenticator=InitializableObject(initialized=false, maxAttempts=3, nbAttempts=0, lastAttempt=null, minTimeIntervalBetweenAttemptsInMilliseconds=5000), profileCreator=org.pac4j.core.profile.creator.AuthenticatorProfileCreator@356f4a7b, customProperties={}, profileFactoryWhenNotAuthenticated=null, multiProfile=false, saveProfileInSession=true, config=org.pac4j.core.config.Config@3236bd7d), callbackUrl=https://idp.example.tld/cas-management/callback, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, callbackUrlResolver=org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@4a2a083e, ajaxRequestResolver=org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f402824, redirectionActionBuilder=org.pac4j.cas.redirect.CasRedirectionActionBuilder@31d3b75f, logoutProcessor=org.pac4j.cas.logout.processor.CasLogoutProcessor@5083e21e, logoutActionBuilder=CasLogoutActionBuilder(serverLogoutUrl=https://idp.example.tld/cas/logout, postLogoutUrlParameter=service), checkAuthenticationAttempt=true), configuration=CasConfiguration(encoding=UTF-8, loginUrl=https://idp.example.tld/cas/login, prefixUrl=https://idp.example.tld/cas/, restUrl=https://idp.example.tld/cas/v1/tickets, timeTolerance=1000, protocol=CAS30, renew=false, gateway=false, acceptAnyProxy=false, allowedProxyChains=[], defaultTicketValidator=null, proxyReceptor=null, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, postLogoutUrlParameter=service, customParams={}, method=null, privateKeyPath=null, privateKeyAlgorithm=null, privateKey=null, hostnameVerifier=null, sslSocketFactory=null))]
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get sessionId: 0D8A24DA3779DDC589CC82A00D7121ED
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.CacheControlMatcher@62ab3f9d -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XContentTypeOptionsMatcher@ba6fb34 -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: StrictTransportSecurityMatcher(maxAge=15768000) -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XFrameOptionsMatcher@57ab0e5b -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XSSProtectionMatcher@2471fb38 -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: 93cdd09ba2c74a3d9235b3c71fb3e8dd for key: pac4jCsrfToken
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator] - previous CSRF token: 93cdd09ba2c74a3d9235b3c71fb3e8dd
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jPreviousCsrfToken for value: 93cdd09ba2c74a3d9235b3c71fb3e8dd
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator] - generated CSRF token: 2af42c4e87984404bcc144ac7034dbc3 for current URL: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jCsrfToken for value: 2af42c4e87984404bcc144ac7034dbc3
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jCsrfTokenExpirationDate for value: 1711467929514
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: CsrfTokenGeneratorMatcher(csrfTokenGenerator=org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator@690fdeb, domain=null, path=/, httpOnly=true, secure=true, maxAge=null, sameSitePolicy=null, addTokenAsAttribute=true, addTokenAsHeader=false, addTokenAsCookie=true) -> true
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: null for key: pac4jUserProfiles
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Loaded profiles (from session: true): []
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Starting authentication
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.savedrequest.DefaultSavedRequestHandler] - requestedUrl: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jRequestedUrl for value: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: null for key: CasClient$attemptedAuthentication
2024-03-26 12:45:29,515 DEBUG [org.pac4j.cas.redirect.CasRedirectionActionBuilder] - redirectionUrl: https://idp.example.tld/cas/login?service=https%3A%2F%2Fidp.example.tld%2Fcas-management%2Fcallback%3Fclient_name%3DCasClient
2024-03-26 12:45:29,515 DEBUG [org.springframework.web.servlet.DispatcherServlet] - Completed 302 FOUND

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/486e209b-0e6a-4e45-9623-279aae796506n%40apereo.org.
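
An added example, not part of the original post and not CAS or pac4j code: a small Python check that finds the symptom described above in pac4j DEBUG output, namely a callback request that carries a ticket and is answered with a fresh login redirect for the same service. The SAMPLE text and the function names are constructed for illustration; the logger names and message prefixes are the ones visible in the log above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Start of one entry: "2024-03-26 12:45:29,514 DEBUG [logger.name] - message"
ENTRY = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\w+) \[([^\]]+)\] - ")

def entries(text):
    """Yield (timestamp, logger, message), even if the log was wrapped or run together."""
    parts = ENTRY.split(" ".join(text.split()))  # [preamble, ts, level, logger, msg, ...]
    for i in range(1, len(parts), 4):
        yield parts[i], parts[i + 2], parts[i + 3].strip()

def find_ticket_loops(text):
    """Report callbacks that arrived with a ticket yet were sent back to the CAS login."""
    findings, pending = [], None
    for ts, logger, msg in entries(text):
        if logger.endswith("DefaultSecurityLogic") and msg.startswith("url: "):
            url = urlsplit(msg[len("url: "):])
            # Remember the request only if it carries a service ticket.
            pending = (ts, url) if "ticket" in parse_qs(url.query) else None
        elif pending and logger.endswith("CasRedirectionActionBuilder") \
                and msg.startswith("redirectionUrl: "):
            login = msg[len("redirectionUrl: "):]
            service = urlsplit(parse_qs(urlsplit(login).query).get("service", [""])[0])
            if (service.netloc, service.path) == (pending[1].netloc, pending[1].path):
                # The ticket value is deliberately left out of the report.
                findings.append({"time": pending[0], "callback": pending[1].path,
                                 "login_redirect": login})
            pending = None
    return findings

# Constructed sample (not the poster's log), run together and wrapped mid-timestamp.
SAMPLE = (
    "2024-01-01 10:00:00,001 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - url: "
    "https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-1-CONSTRUCTED "
    "2024-01-01 10:00:00,002 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Starting authentication "
    "2024-01-01 \n10:00:00,003 DEBUG [org.pac4j.cas.redirect.CasRedirectionActionBuilder] - redirectionUrl: "
    "https://idp.example.tld/cas/login?service=https%3A%2F%2Fidp.example.tld%2Fcas-management"
    "%2Fcallback%3Fclient_name%3DCasClient "
    "2024-01-01 10:00:00,004 DEBUG [org.springframework.web.servlet.DispatcherServlet] - Completed 302 FOUND"
)

if __name__ == "__main__":
    for f in find_ticket_loops(SAMPLE):
        print(f"{f['time']} ticket callback {f['callback']} answered with {f['login_redirect']}")
```

A first visit without a ticket is also redirected to the login page, so only requests whose URL already contains `ticket` are reported.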
