Ok, I am almost there now. I implemented and configured a servlet at the proxyCallbackUrl and now CAS responds fine with a PGTIOU/PGT. The ProxyGrantingTicketStorageImpl seems to have saved the pair. Now I need to figure out how to access ProxyGrantingTicketStorageImpl from my code. How do I retrieve it from ProxyGrantingTicketStorage? Also, once I retrieve it from ProxyGrantingTicketStorage, can I save the IOU and reuse it? The code says ProxyGrantingTicketStorageImpl removes the IOU/PGT once retrieved...

Thanks for your time.

________________________________
From: tedzo <[email protected]>
To: [email protected]
Sent: Tuesday, March 10, 2009 1:28:53 PM
Subject: Re: [cas-user] Proxy validation question

Thanks for the response. It looks like CAS is getting a 404 when it hits the proxyCallbackUrl (I changed the name from PGTReceive to proxyValidate in my config). So, this is kind of where I started from in my first message. I thought I needed to implement a servlet and map/configure it to the proxyCallbackUrl. And I thought that class (the one mapped to /proxyValidate) would implement HttpServlet with doGet() and doPost() methods and CAS would call it with the PGTIOU/PGT pair. However, Scott's response seemed to suggest such a servlet is not required. So, what is CAS now not finding (404)?

    2009-03-10 13:01:34,864 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: http://tedzo-wxp01.bling.com:8080/Test/Test.jsp
    2009-03-10 13:01:34,864 DEBUG [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - Attempting to resolve credentials for [callbackUrl: https://tedzo-wxp01.bling.com:8443/Test/proxyValidate]
    2009-03-10 13:01:34,896 DEBUG [org.jasig.cas.util.HttpClient] - Response Code did not match any of the acceptable response codes. Code returned was 404
    2009-03-10 13:01:34,896 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: [callbackUrl: https://tedzo-wxp01.bling.com:8443/Test/proxyValidate]
    2009-03-10 13:01:34,911 ERROR [org.jasig.cas.web.ServiceValidateController] - TicketException generating ticket for: [callbackUrl: https://tedzo-wxp01.bling.com:8443/Test/proxyValidate]
    org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad

Thank you for your time.

________________________________
From: Scott Battaglia <[email protected]>
To: [email protected]
Sent: Tuesday, March 10, 2009 11:55:47 AM
Subject: Re: [cas-user] Proxy validation question

Increase the DEBUG log for CAS and you'll find out why the proxy callback is failing. Log4j settings are in WEB-INF/classes/log4j.properties

-Scott

On Tue, Mar 10, 2009 at 2:21 PM, tedzo <[email protected]> wrote:

You are saying that I don't need a separate servlet. Then who receives the PGTIOU/PGT pair? Does proxyCallbackUrl have to be a valid URL or not is what I don't understand.

I tried logging in with my setup and I can authenticate fine, but I don't see PGTIOU mentioned anywhere in the logs and I see a weird exception. I think I haven't configured something right. Could you kindly verify my config values for Cas20ProxyReceivingTicketValidationFilter? Specifically,

    <filter>
        <filter-name>CAS Cas20ProxyReceivingTicketValidation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://tedzo-wxp01.bling.com:8443/cas-server-3.3</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://tedzo-wxp01.bling.com:8080</param-value>
        </init-param>
        <init-param>
            <param-name>proxyCallbackUrl</param-name>
            <param-value>https://tedzo-wxp01.bling.com:8443/Test/PGTReceive</param-value>
        </init-param>
        <init-param>
            <param-name>proxyReceptorUrl</param-name>
            <param-value>/PGTReceive</param-value>
        </init-param>
        <init-param>
            <param-name>acceptAnyProxy</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

In the logs I see an exception-

    2009-03-10 10:59:57,343 DEBUG [org.jasig.cas.client.validation.Cas20ProxyTicketValidator] - <Constructing validation url: https://tedzo-wxp01.bling.com:8443/cas-server-3.3/proxyValidate?pgtUrl=https%3A%2F%2Ftedzo-wxp01.bling.com%3A8443%2FTest%2FPGTReceive&ticket=ST-1-CugnMIPTShfY2NtGKPSN-cas&service=http%3A%2F%2Ftedzo-wxp01.bling.com%3A8080%2FTest%2FTest.jsp>
    2009-03-10 10:59:57,343 DEBUG [org.jasig.cas.client.validation.Cas20ProxyTicketValidator] - <Retrieving response from server.>
    <--------------lot of ssl stuff----------------->
    2009-03-10 11:13:56,509 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: [callbackUrl: https://tedzo-wxp01.bling.com:8443/Test/PGTReceive]>
    org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.unsupported
        at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:291)
        at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:126)
    Caused by: error.authentication.credentials.unsupported
        at org.jasig.cas.authentication.handler.UnsupportedCredentialsException.<clinit>(UnsupportedCredentialsException.java:21)
        at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:116)
        at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:262)

What credentials are unsupported?

Thanks for your time.

________________________________
From: Scott Battaglia <[email protected]>
To: [email protected]
Sent: Monday, March 9, 2009 8:11:28 PM
Subject: Re: [cas-user] Proxy validation question

You shouldn't be configuring a separate servlet. We don't even include one. All the logic is built into the filter.

Proxy Callback Url is the fully qualified URL that is sent to the CAS server. The receptor is the path portion that the filter should listen for PGT/PGTIOU requests.

On Mon, Mar 9, 2009 at 11:05 PM, tedzo <[email protected]> wrote:

I am trying to set up proxy validation and despite all the messages on this list, I am lost (or maybe I am just too tired). Kindly bear with me-

I am trying to access https://tedzo-wxp01.bling.com:8443/Test/Test.jsp to begin with.

1. I modify web.xml to add Cas20ProxyReceivingTicketValidationFilter (among others. This is client 3.1.3).
2. I add the init param proxyCallbackUrl ( https://tedzo-wxp01.bling.com:8443/Test/PGTReceive ). PGTReceive is a Servlet that will receive the PGTIOU/PGT pair.
3. Set allowAnyProxy to true, for now.
4. Now, PGTReceive is a servlet with doGet and doPost methods. CAS will POST/GET the PGTIOU/PGT pair to this servlet? How do I extract it? (session variable? name of variable?)
5. Originally, I was trying to reach https://tedzo-wxp01.bling.com:8443/Test/Test.jsp. I should be able to have access to half (PGTIOU) of the PGTIOU/PGT pair from Test.jsp, so that I could get the PGT from PGTReceive servlet. How do I access the PGTIOU from Test.jsp? Is it in the session or something?
6. Is the PGT from the PGTIOU/PGT pair a one time use only kind of ticket or can I use it multiple times? Meaning, I get to the PGT somehow and then I pass it on to the proxied application. Then can I pass the same PGT to a different proxied application?
7. I couldn't understand the difference between proxyReceptorUrl and proxyCallbackUrl. Both seem to be receiving the PGTIOU/PGT pair....

Greatly appreciate your thoughts (or pointers to any documentation).

Thanks.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
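The callback/receptor relationship described in Scott's reply, together with the retrieve-once storage behaviour raised in the latest message, as an added Python example that is not part of the thread and is not CAS client code. `check_proxy_config` and `ReceptorModel` are hypothetical names; the `pgtIou`/`pgtId` query parameters and the HTTPS requirement on the callback are taken from the CAS 2.0 protocol rather than from the thread, and the ticket values in the test data are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

# Constructed sample: the two proxy init-params from the web.xml quoted in the thread.
WEB_XML = """<filter>
  <init-param><param-name>proxyCallbackUrl</param-name>
    <param-value>https://tedzo-wxp01.bling.com:8443/Test/PGTReceive</param-value></init-param>
  <init-param><param-name>proxyReceptorUrl</param-name>
    <param-value>/PGTReceive</param-value></init-param>
</filter>"""

def init_params(filter_xml):
    """Read a <filter> element's init-params into a dict."""
    root = ET.fromstring(filter_xml)
    return {p.findtext("param-name").strip(): p.findtext("param-value").strip()
            for p in root.iter("init-param")}

def check_proxy_config(params):
    """Return a list of problems with the callback/receptor pair."""
    problems = []
    callback = urlparse(params.get("proxyCallbackUrl", ""))
    receptor = params.get("proxyReceptorUrl", "")
    if callback.scheme != "https":
        problems.append("proxyCallbackUrl must be https")
    if not receptor or not callback.path.endswith(receptor):
        problems.append("proxyCallbackUrl path does not end with proxyReceptorUrl")
    return problems

class ReceptorModel:
    """Hypothetical stand-in for the filter's receptor plus a retrieve-once store."""
    def __init__(self, receptor):
        self.receptor, self.store = receptor, {}

    def handle(self, url):
        """Return the HTTP status the CAS server would see for this request."""
        parsed = urlparse(url)
        if not parsed.path.endswith(self.receptor):
            return 404                      # modelled: nothing listens on this path
        query = parse_qs(parsed.query)
        if "pgtIou" in query and "pgtId" in query:
            self.store[query["pgtIou"][0]] = query["pgtId"][0]
        return 200                          # a bare probe of the callback also gets 200

    def retrieve(self, pgt_iou):
        """Look up the PGT for an IOU; the pair is removed once read."""
        return self.store.pop(pgt_iou, None)
```
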
