I tried it, but I get nothing more in the logs. Maybe it's due to the fact that I'm 
not using the integrated Tomcat but the Debian one? Maybe my problem is 
due to something other than CAS-related parameters. Maybe something 
related to the authorization process? I can't find complete 
documentation of the parameters accepted (and maybe required?) by the CAS 
management app, even less for version 7. Do you know where I can find 
it?

My configuration today:

cas.server.name=https://idp.example.tld
cas.server.prefix=${cas.server.name}/cas

mgmt.server-name=https://idp.example.tld
mgmt.user-properties-file=file:/etc/cas/config/users.json

logging.config=file:/etc/cas/config/log4j2-management.xml

spring.security.user.name=myuser
spring.security.user.password=mypassword

And my /etc/cas/config/users.json file:

{
  "brenard" : {
    "@class" : "org.apereo.cas.mgmt.authz.json.UserAuthorizationDefinition",
    "roles" : [ "ROLE_ADMIN" ]
  }
}

Note: brenard is my CAS username.
On Wednesday, 27 March 2024 at 15:13:49 UTC+1, Ray Bon wrote:

> Benjamin,
>
> Try this logger (in both cas and cas management). Note
>
> <!-- DEBUG outbound and inbound headers and response as it is sent -->
> <Logger name="org.apache.http.wire" level="debug" />
>
> Ray
>
> On Wed, 2024-03-27 at 02:13 -0700, Benjamin Renard wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information.
>
> Hi Ray,
>
> Thanks for your reply. Yes, I first thought like you, but I have no error 
> in the logs and I use a valid SSL certificate. Just to be sure, I tried to add 
> it to the keystore files (/etc/cas/thekeystore & 
> $JAVA_HOME/lib/security/cacerts) and I still have the same problem. The 
> keystore file (and its password) is correctly specified in my Tomcat AJP 
> connector configuration. Furthermore, I can't see any trace of a request on the
> *serviceValidate* CAS server endpoint (I just have traces on the *login* 
> endpoint).
>
> Do you have any other ideas of what could cause this problem or how to 
> debug it?
>
> Thanks !
> On Tuesday, 26 March 2024 at 19:40:57 UTC+1, Ray Bon wrote:
>
> Benjamin,
>
> The behaviour you describe happens when the service ticket can not be 
> validated.
> cas management submits the ST to cas through a back channel over https.
> If there is nothing in cas audit log about validation / failed validation 
> (which would give a reason for failure), it could be a certificate problem.
>
> Do you have a proper/valid certificate for idp.example.tld (i.e. cert 
> signed by an authority)?
>
> If not, you may have to add it to the java keystore (assuming you have 
> already added it to tomcat config).
>
> Ray
>
> On Tue, 2024-03-26 at 05:02 -0700, Benjamin Renard wrote:
>
>
> Hello,
>
> I'm trying to install a CAS server (v7) on a Debian 12 host. I'm using the 
> Debian tomcat10 package, Apache2 as a reverse proxy (AJP), the Oracle JDK 
> 21.0.2 and a CAS Initializr overlay to build the cas.war file. My CAS 
> server runs well, but I have a problem with the authentication of the 
> management app. I use a CAS Initializr overlay for the CAS management 
> 7.0.0-SNAPSHOT and I have no problem building the war and deploying it in the 
> same context. I configured the CAS client in the management app:
>
> cas.server.name=https://idp.example.tld
> cas.server.prefix=${cas.server.name}/cas
>
> When I try to access the management app, I enter a loop: I'm 
> redirected to the CAS server, which authenticates me and redirects me to the 
> management app on its callback URL with a ticket (
> https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-53-oxTcezruW9p3hhw5YBRWDXF4HUk-cas1-preprod)
> and I'm redirected again to the CAS server for authentication, which redirects 
> me back with a new ticket, and so on.
>
> I have no error in the logs. I tried to enable debugging and I can't find 
> any indication about my problem (see logs below). Do you have any idea?
>
> Furthermore, is it a good idea to run the CAS server & management apps 
> version 7 in production, or do I have to use version 6?
>
> Thanks !
>
> 2024-03-26 12:45:29,508 DEBUG 
> [org.springframework.security.web.FilterChainProxy] - Securing GET 
> /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
> 2024-03-26 12:45:29,508 DEBUG 
> [org.springframework.security.web.access.channel.ChannelProcessingFilter] - 
> Request: filter invocation [GET 
> /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod];
>  
> ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
> 2024-03-26 12:45:29,509 DEBUG 
> [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]
>  
> - Set SecurityContextHolder to anonymous SecurityContext
> 2024-03-26 12:45:29,509 DEBUG 
> [org.springframework.security.web.FilterChainProxy] - Secured GET 
> /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
> 2024-03-26 12:45:29,510 DEBUG 
> [org.springframework.web.servlet.DispatcherServlet] - GET 
> "/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod",
>  
> parameters={masked}
> 2024-03-26 12:45:29,512 DEBUG 
> [org.springframework.web.servlet.handler.SimpleUrlHandlerMapping] - Mapped 
> to ResourceHttpRequestHandler [classpath [dist/], classpath [static/]]
> 2024-03-26 12:45:29,512 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] 
> - === SECURITY ===
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] 
> - url:
> https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] 
> - clients: null | matchers: null
> 2024-03-26 12:45:29,513 DEBUG 
> [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Provided 
> clientNames: null
> 2024-03-26 12:45:29,513 DEBUG 
> [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Default 
> security clients: null
> 2024-03-26 12:45:29,513 DEBUG 
> [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Only client: 
> CasClient
> 2024-03-26 12:45:29,513 DEBUG 
> [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - 
> clientNameOnRequest: Optional.empty
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.Clients] - Found 
> client: CasClient(super=IndirectClient(super=BaseClient(name=CasClient, 
> authorizationGenerators=[org.apereo.cas.mgmt.authz.json.JsonResourceAuthorizationGenerator@3a1a130f,
>  
> org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@693918b7], 
> credentialsExtractor=org.pac4j.cas.credentials.extractor.CasCredentialsExtractor@463e523,
>  
> authenticator=InitializableObject(initialized=false, maxAttempts=3, 
> nbAttempts=0, lastAttempt=null, 
> minTimeIntervalBetweenAttemptsInMilliseconds=5000), 
> profileCreator=org.pac4j.core.profile.creator.AuthenticatorProfileCreator@356f4a7b,
>  
> customProperties={}, profileFactoryWhenNotAuthenticated=null, 
> multiProfile=false, saveProfileInSession=true, 
> config=org.pac4j.core.config.Config@3236bd7d), callbackUrl=
> https://idp.example.tld/cas-management/callback, 
> urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, 
> callbackUrlResolver=org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@4a2a083e,
>  
> ajaxRequestResolver=org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f402824,
>  
> redirectionActionBuilder=org.pac4j.cas.redirect.CasRedirectionActionBuilder@31d3b75f,
>  
> logoutProcessor=org.pac4j.cas.logout.processor.CasLogoutProcessor@5083e21e, 
> logoutActionBuilder=CasLogoutActionBuilder(serverLogoutUrl=
> https://idp.example.tld/cas/logout, postLogoutUrlParameter=service), 
> checkAuthenticationAttempt=true), 
> configuration=CasConfiguration(encoding=UTF-8, loginUrl=
> https://idp.example.tld/cas/login, prefixUrl=https://idp.example.tld/cas/, 
> restUrl=https://idp.example.tld/cas/v1/tickets, timeTolerance=1000, 
> protocol=CAS30, renew=false, gateway=false, acceptAnyProxy=false, 
> allowedProxyChains=[], defaultTicketValidator=null, proxyReceptor=null, 
> urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, 
> postLogoutUrlParameter=service, customParams={}, method=null, 
> privateKeyPath=null, privateKeyAlgorithm=null, privateKey=null, 
> hostnameVerifier=null, sslSocketFactory=null)) for name: CasClient
> 2024-03-26 12:45:29,513 DEBUG 
> [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - result: 
> [CasClient]
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] 
> - currentClients: 
> [CasClient(super=IndirectClient(super=BaseClient(name=CasClient, 
> authorizationGenerators=[org.apereo.cas.mgmt.authz.json.JsonResourceAuthorizationGenerator@3a1a130f,
>  
> org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@693918b7], 
> credentialsExtractor=org.pac4j.cas.credentials.extractor.CasCredentialsExtractor@463e523,
>  
> authenticator=InitializableObject(initialized=false, maxAttempts=3, 
> nbAttempts=0, lastAttempt=null, 
> minTimeIntervalBetweenAttemptsInMilliseconds=5000), 
> profileCreator=org.pac4j.core.profile.creator.AuthenticatorProfileCreator@356f4a7b,
>  
> customProperties={}, profileFactoryWhenNotAuthenticated=null, 
> multiProfile=false, saveProfileInSession=true, 
> config=org.pac4j.core.config.Config@3236bd7d), callbackUrl=
> https://idp.example.tld/cas-management/callback, 
> urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, 
> callbackUrlResolver=org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@4a2a083e,
>  
> ajaxRequestResolver=org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f402824,
>  
> redirectionActionBuilder=org.pac4j.cas.redirect.CasRedirectionActionBuilder@31d3b75f,
>  
> logoutProcessor=org.pac4j.cas.logout.processor.CasLogoutProcessor@5083e21e, 
> logoutActionBuilder=CasLogoutActionBuilder(serverLogoutUrl=
> https://idp.example.tld/cas/logout, postLogoutUrlParameter=service), 
> checkAuthenticationAttempt=true), 
> configuration=CasConfiguration(encoding=UTF-8, loginUrl=
> https://idp.example.tld/cas/login, prefixUrl=https://idp.example.tld/cas/, 
> restUrl=https://idp.example.tld/cas/v1/tickets, timeTolerance=1000, 
> protocol=CAS30, renew=false, gateway=false, acceptAnyProxy=false, 
> allowedProxyChains=[], defaultTicketValidator=null, proxyReceptor=null, 
> urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, 
> postLogoutUrlParameter=service, customParams={}, method=null, 
> privateKeyPath=null, privateKeyAlgorithm=null, privateKey=null, 
> hostnameVerifier=null, sslSocketFactory=null))]
> 2024-03-26 12:45:29,513 DEBUG 
> [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, 
> retrieved session: 
> org.apache.catalina.session.StandardSessionFacade@730d8632
> 2024-03-26 12:45:29,513 DEBUG 
> [org.pac4j.jee.context.session.JEESessionStore] - Get sessionId: 
> 0D8A24DA3779DDC589CC82A00D7121ED
> 2024-03-26 12:45:29,513 DEBUG 
> [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking 
> matcher: org.pac4j.core.matching.matcher.CacheControlMatcher@62ab3f9d -> 
> true
> 2024-03-26 12:45:29,513 DEBUG 
> [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking 
> matcher: org.pac4j.core.matching.matcher.XContentTypeOptionsMatcher@ba6fb34 
> -> true
> 2024-03-26 12:45:29,513 DEBUG 
> [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking 
> matcher: StrictTransportSecurityMatcher(maxAge=15768000) -> true
> 2024-03-26 12:45:29,513 DEBUG 
> [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking 
> matcher: org.pac4j.core.matching.matcher.XFrameOptionsMatcher@57ab0e5b -> 
> true
> 2024-03-26 12:45:29,513 DEBUG 
> [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking 
> matcher: org.pac4j.core.matching.matcher.XSSProtectionMatcher@2471fb38 -> 
> true
> 2024-03-26 12:45:29,513 DEBUG 
> [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, 
> retrieved session: 
> org.apache.catalina.session.StandardSessionFacade@730d8632
> 2024-03-26 12:45:29,513 DEBUG 
> [org.pac4j.jee.context.session.JEESessionStore] - Get value: 
> 93cdd09ba2c74a3d9235b3c71fb3e8dd for key: pac4jCsrfToken
> 2024-03-26 12:45:29,514 DEBUG 
> [org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator] - previous 
> CSRF token: 93cdd09ba2c74a3d9235b3c71fb3e8dd
> 2024-03-26 12:45:29,514 DEBUG 
> [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, 
> retrieved session: 
> org.apache.catalina.session.StandardSessionFacade@730d8632
> 2024-03-26 12:45:29,514 DEBUG 
> [org.pac4j.jee.context.session.JEESessionStore] - Set key: 
> pac4jPreviousCsrfToken for value: 93cdd09ba2c74a3d9235b3c71fb3e8dd
> 2024-03-26 12:45:29,514 DEBUG 
> [org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator] - 
> generated CSRF token: 2af42c4e87984404bcc144ac7034dbc3 for current URL:
> https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
> 2024-03-26 12:45:29,514 DEBUG 
> [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, 
> retrieved session: 
> org.apache.catalina.session.StandardSessionFacade@730d8632
> 2024-03-26 12:45:29,514 DEBUG 
> [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jCsrfToken 
> for value: 2af42c4e87984404bcc144ac7034dbc3
> 2024-03-26 12:45:29,514 DEBUG 
> [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, 
> retrieved session: 
> org.apache.catalina.session.StandardSessionFacade@730d8632
> 2024-03-26 12:45:29,514 DEBUG 
> [org.pac4j.jee.context.session.JEESessionStore] - Set key: 
> pac4jCsrfTokenExpirationDate for value: 1711467929514
> 2024-03-26 12:45:29,514 DEBUG 
> [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking 
> matcher: 
> CsrfTokenGeneratorMatcher(csrfTokenGenerator=org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator@690fdeb,
>  
> domain=null, path=/, httpOnly=true, secure=true, maxAge=null, 
> sameSitePolicy=null, addTokenAsAttribute=true, addTokenAsHeader=false, 
> addTokenAsCookie=true) -> true
> 2024-03-26 12:45:29,514 DEBUG 
> [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, 
> retrieved session: 
> org.apache.catalina.session.StandardSessionFacade@730d8632
> 2024-03-26 12:45:29,514 DEBUG 
> [org.pac4j.jee.context.session.JEESessionStore] - Get value: null for key: 
> pac4jUserProfiles
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] 
> - Loaded profiles (from session: true): []
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] 
> - Starting authentication
> 2024-03-26 12:45:29,514 DEBUG 
> [org.pac4j.core.engine.savedrequest.DefaultSavedRequestHandler] - 
> requestedUrl:
> https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
> 2024-03-26 12:45:29,514 DEBUG 
> [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, 
> retrieved session: 
> org.apache.catalina.session.StandardSessionFacade@730d8632
> 2024-03-26 12:45:29,514 DEBUG 
> [org.pac4j.jee.context.session.JEESessionStore] - Set key: 
> pac4jRequestedUrl for value:
> https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
> 2024-03-26 12:45:29,514 DEBUG 
> [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, 
> retrieved session: 
> org.apache.catalina.session.StandardSessionFacade@730d8632
> 2024-03-26 12:45:29,514 DEBUG 
> [org.pac4j.jee.context.session.JEESessionStore] - Get value: null for key: 
> CasClient$attemptedAuthentication
> 2024-03-26 12:45:29,515 DEBUG 
> [org.pac4j.cas.redirect.CasRedirectionActionBuilder] - redirectionUrl:
> https://idp.example.tld/cas/login?service=https%3A%2F%2Fidp.example.tld%2Fcas-management%2Fcallback%3Fclient_name%3DCasClient
> 2024-03-26 12:45:29,515 DEBUG 
> [org.springframework.web.servlet.DispatcherServlet] - Completed 302 FOUND
>
>
>
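
Added example, not part of the original messages: a Python check for the loop visible in the quoted management-app log, where a callback that carries a service ticket is answered with a fresh redirect to the CAS login page, plus a count of back-channel serviceValidate requests on the CAS side. The sample log lines are constructed (unwrapped, placeholder ticket), and the access-log format and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the pac4j DEBUG lines quoted in the thread,
# unwrapped to one event per line; the ticket value is a made-up placeholder.
MGMT_LOG = """\
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - url: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-1-EXAMPLEVALUE-cas1
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Loaded profiles (from session: true): []
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Starting authentication
2024-03-26 12:45:29,515 DEBUG [org.pac4j.cas.redirect.CasRedirectionActionBuilder] - redirectionUrl: https://idp.example.tld/cas/login?service=https%3A%2F%2Fidp.example.tld%2Fcas-management%2Fcallback%3Fclient_name%3DCasClient
"""
# Constructed CAS server access-log line (the log format is an assumption).
CAS_ACCESS_LOG = """\
192.0.2.10 - - [26/Mar/2024:12:45:29 +0100] "GET /cas/login HTTP/1.1" 200 -
"""

EVENT = re.compile(r"^\S+ \S+ DEBUG \[(?:\w+\.)*(?P<cls>\w+)\]\s+- (?P<msg>.*)$")

def mask_ticket(ticket):
    """Keep the ST-<n>- prefix for correlation, hide the rest of the ticket."""
    return re.sub(r"^(ST-\d+-).*$", r"\1***", ticket)

def find_ticket_loops(log_text):
    """Callbacks that carried a ticket but were answered by a new CAS login redirect."""
    findings, pending = [], None
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue
        cls, msg = m["cls"], m["msg"]
        if cls == "DefaultSecurityLogic" and msg.startswith("url:"):
            url = urlsplit(msg[4:].strip())
            ticket = parse_qs(url.query).get("ticket", [None])[0]
            pending = {"path": url.path, "ticket": mask_ticket(ticket)} if ticket else None
        elif pending and cls == "CasRedirectionActionBuilder" and msg.startswith("redirectionUrl:"):
            login = urlsplit(msg.split(":", 1)[1].strip())
            service = parse_qs(login.query).get("service", [""])[0]
            # Same callback path requested again as the service: the ticket was not consumed.
            if urlsplit(service).path == pending["path"]:
                findings.append(pending)
            pending = None
    return findings

def validation_requests(access_log):
    """Number of back-channel ticket validation requests seen by the CAS server."""
    return sum("serviceValidate" in line for line in access_log.splitlines())

if __name__ == "__main__":
    print(find_ticket_loops(MGMT_LOG), validation_requests(CAS_ACCESS_LOG))
```

A finding together with zero validation requests matches what the thread reports: the ticket reaches the callback URL but is never submitted to the CAS server.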
