I imported our root CA, issuing CA and the cert for the CAS server itself with 'keytool --import ... -file [the 3 files.cer]'

This is the error I see in the logs (server names changed to theCASserver and theAPP):

Feb 12, 2009 1:49:18 PM org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator retrieveResponseFromServer
SEVERE: java.io.IOException: Server returned HTTP response code: 500 for URL: https://theCASserver:8443/cas/serviceValidate?service=http%3A%2F%2FtheAPP%3A8080%2Fjsp-examples%2Fnum%2Fnumguess.jsp&ticket=ST-9-EJePacM2bwZ0DM0uebEv-cas&
java.io.IOException: Server returned HTTP response code: 500 for URL: https://theCASserver:8443/cas/serviceValidate?service=http%3A%2F%2FtheAPP%3A8080%2Fjsp-examples%2Fnum%2Fnumguess.jsp&ticket=ST-9-EJePacM2bwZ0DM0uebEv-cas&
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1153)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
        at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:35)
        at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
        at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:111)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
        at java.lang.Thread.run(Thread.java:595)

--- On Thu, 2/12/09, Scott Battaglia <[email protected]> wrote:

From: Scott Battaglia <[email protected]>
Subject: Re: [cas-user] Basic CAS question - auths every request?
To: [email protected]
Date: Thursday, February 12, 2009, 1:25 PM

Do you have your certificates set up correctly so that the application trusts the CAS cert?

On Thu, Feb 12, 2009 at 2:18 PM, schneisc <[email protected]> wrote:

The article that you reference is what I started working from, but I'm still having difficulties. When I have the validation filter enabled, I get this exception:

javax.servlet.ServletException: The CAS server returned no response.
        org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:155)
        org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:111)

root cause

org.jasig.cas.client.validation.TicketValidationException: The CAS server returned no response.
        org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:181)
        org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
        org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:111)

This is the entry in web.xml that I removed for my previous post:

    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://theCASserver:8443/cas</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/num/*</url-pattern>
    </filter-mapping>

Any ideas on what the config should look like if my app needs this validation filter setup?

Thanks,
Sam

--- On Thu, 2/12/09, Scott Battaglia <[email protected]> wrote:

From: Scott Battaglia <[email protected]>
Subject: Re: [cas-user] Basic CAS question - auths every request?
To: [email protected]
Date: Thursday, February 12, 2009, 10:45 AM

Please follow this example which is for the web application and what I directed you to before:

http://www.ja-sig.org/wiki/display/CASC/web.xml+for+Tomcat+5.5+Tomcat+Manager

This works. If you choose to ignore it and remove validation filters, then it's not going to work.

-Scott

On Thu, Feb 12, 2009 at 11:37 AM, schneisc <[email protected]> wrote:

I'm guessing I have a small error somewhere, but I don't see it. Here's the web.xml edited with "theCASserver" and "theAPP" as the two hosts (otherwise all is the same).

What I see is this:

1) First request gets forwarded to CAS for login
1a) << successful login happens >>
1b) redirect to app: http://theAPP:8080/jsp-examples/num/numguess.jsp?ticket=ST-6-LQm9NC4DQMTbbNOGbTBx-cas
2) every subsequent request redirects to the CAS server and gets bounced back to theAPP with a new ticket: http://theAPP:8080/jsp-examples/num/numguess.jsp?ticket=ST-6-LQm9NC4DQMTbbNOGbTBx-cas

some web.xml snippets:

    <context-param>
        <param-name>serverName</param-name>
        <param-value>http://theAPP:8080</param-value>
    </context-param>

    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://theCASserver:8443/cas/login</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/num/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/num/*</url-pattern>
    </filter-mapping>

I originally had the CAS validation Filter setup in "theAPP" as well, but I took it out thinking that should actually be running on "theCASserver" so I took it out.

    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>

It's a bit confusing following the example web.xml since the CAS server and the secured app are the same host and it's not entirely clear which filters and config params belong to which "app" (I'm running on two different hosts).

Any help would be greatly appreciated.

-Sam

--- On Wed, 2/11/09, Scott Battaglia <[email protected]> wrote:

From: Scott Battaglia <[email protected]>
Subject: Re: [cas-user] Basic CAS question - auths every request?
To: [email protected]
Date: Wednesday, February 11, 2009, 9:10 PM

You've probably misconfigured the client or disabled sessions. That example Tomcat 5.5 Tomcat Manager web.xml should work fine and only go to CAS once.

-Scott

On Wed, Feb 11, 2009 at 5:26 PM, Sam <[email protected]> wrote:

I have configured CAS and a single client app (configure being used rather loosely, as I didn't configure much). What I did was set up the client app similar to http://www.ja-sig.org/wiki/display/CASC/web.xml+for+Tomcat+5.5+Tomcat+Manager (I am running tomcat 5.5 as well). CAS is running on a separate server with a valid cert (this is dev environment). I created my own password validator that seems to be working just fine.

I have the app running under HTTP for now and I have noticed that it sends a request to CAS with every request to the server. It gets a new ticket to validate and calls the CAS validation service (and succeeds without a problem). The first request through it presents a login screen - subsequent requests simply validate the new ticket.

My question is this: Should the app be sending a request to CAS with every request it gets? This is what seems to be happening and is very noticeable because it switches back and forth between HTTP & HTTPS because I'm running the app under HTTP. It seems a bit inefficient to validate the user with every request and I'm wondering if I've misconfigured something (I'm using the CAS 3 client and associated filters).

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
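
The redirect-on-every-request symptom in this thread can be reproduced with a small model of the client filter chain. This is an added illustration, not code from the CAS client or from anyone in the thread; the class and function names are hypothetical, and the filter behaviour is an assumption reduced to the session and ticket checks.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed, simplified filter behaviour (not the CAS client's source): the
# authentication filter only checks for a session assertion or a ticket
# parameter; only the validation filter turns a ticket into an assertion.

@dataclass
class Request:
    session: dict
    ticket: Optional[str] = None

class CasServer:
    """Constructed stand-in for theCASserver issuing one-time service tickets."""
    def __init__(self):
        self.issued, self.valid = 0, set()

    def login_redirect(self) -> str:
        # With an existing SSO session a fresh ticket comes straight back.
        self.issued += 1
        ticket = f"ST-{self.issued}-constructed"
        self.valid.add(ticket)
        return ticket

    def service_validate(self, ticket: str) -> Optional[str]:
        if ticket in self.valid:
            self.valid.discard(ticket)   # service tickets are single use
            return "sam"                 # constructed principal name
        return None

def authentication_filter(req: Request) -> bool:
    """True: request continues down the chain. False: redirect to CAS login."""
    return "assertion" in req.session or req.ticket is not None

def validation_filter(req: Request, cas: CasServer) -> None:
    if req.ticket is not None:
        user = cas.service_validate(req.ticket)
        if user is None:
            raise PermissionError("ticket rejected by CAS")
        req.session["assertion"] = user

def cas_round_trips(page_views: int, with_validation_filter: bool) -> int:
    """Count redirects to CAS over several page views in one HTTP session."""
    cas, session, trips = CasServer(), {}, 0
    for _ in range(page_views):
        req = Request(session)
        if not authentication_filter(req):
            trips += 1
            req = Request(session, ticket=cas.login_redirect())
        if with_validation_filter:
            validation_filter(req, cas)
    return trips
```

In this model, five page views cost one trip to CAS when the validation filter runs on the application host and five trips when it is removed, because nothing ever stores an assertion in the application's session.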
