On Wed, Mar 11, 2009 at 1:48 PM, tedzo <[email protected]> wrote:

> I removed the servlet and it still works. Perhaps I made another change at
> the time I added the servlet which caused my setup to work and I wrongly
> concluded that the servlet fixed the issue.
>
> I apologize for being dense here, please bear with me-
> From what I see, I can configure the proxyCallbackUrl to be anything and it
> works. CAS doesn't seem to care that the URL is actually valid or that it
> exists or anything. After I get authenticated, I am able to access a proxy
> ticket for any service that I need, meaning, I can use AttributePrincipal
> available within the session and call getProxyTicketFor() for any service
> without referring to the original proxyValidateUrl anywhere. So, what's the
> purpose of the proxyCallbackUrl?
>

The Proxy Callback Url is the fully qualified url that CAS will send back the PGTIOU/PGT combination to. After the initial validation and sending of the PGTIOU/PGT combination, CAS will never refer back to it (though it will be displayed as part of the proxy list to someone that validates the proxy ticket).

We've done all the hard work of retrieving the PGTIOU and PGT and making it easy for you to get new proxy tickets without caring about all that stuff. Apparently we made it too easy for you, and you wanted to do more work! :-)

> It appears to be useless and that means I don't understand how it works.
> What am I missing here?
>

It's not useless. If you don't configure it you'll never get the PGTIOU and PGT :-)

>
> Thanks for your time.
>
> ------------------------------
> *From:* "[email protected]" <[email protected]>
> *To:* [email protected]
> *Sent:* Tuesday, March 10, 2009 2:35:58 PM
> *Subject:* Re: [cas-user] Proxy validation question
>
> You don't need a servlet, which I told you already. Please configure your
> filter correctly instead of telling it your proxy callback url is an
> endpoint you are not listening on. Make sure you configure the receptor and
> callback url correctly. The documentation specifies how to do it in its
> description of the parameters.
>
> Sent from my Verizon Wireless BlackBerry
>
> ------------------------------
> *From*: tedzo
> *Date*: Tue, 10 Mar 2009 14:28:02 -0700 (PDT)
> *To*: <[email protected]>
> *Subject*: Re: [cas-user] Proxy validation question
>
> Ok, I am almost there now.
> I implemented and configured a servlet at the proxyCallbackUrl and now CAS
> responds fine with a PGTIOU/PGT.
>
> The ProxyGrantingTicketStorageImpl seems to have saved the pair. Now I need
> to figure out how to access ProxyGrantingTicketStorageImpl from my code. How do
> I retrieve it from ProxyGrantingTicketStorage? Also, once I retrieve it from
> ProxyGrantingTicketStorage, can I save the IOU and reuse it? The code says
> ProxyGrantingTicketStorageImpl removes the IOU/PGT once retrieved...
>
> Thanks for your time.
>
> ------------------------------
> *From:* tedzo <[email protected]>
> *To:* [email protected]
> *Sent:* Tuesday, March 10, 2009 1:28:53 PM
> *Subject:* Re: [cas-user] Proxy validation question
>
> Thanks for the response.
>
> It looks like CAS is getting a 404 when it hits the proxyCallbackUrl (I
> changed the name from PGTReceive to proxyValidate in my config).
>
> So, this is kind of where I started from in my first message. I thought I
> needed to implement a servlet and map/configure it to the
> proxyCallbackUrl. And I thought that class (the one mapped to
> /proxyValidate) would implement HttpServlet with doGet() and doPost()
> methods and CAS would call it with the PGTIOU/PGT pair. However, Scott's
> response seemed to suggest such a servlet is not required. So, what is CAS
> now not finding (404)?
>
> 2009-03-10 13:01:34,864 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: http://tedzo-wxp01.bling.com:8080/Test/Test.jsp
> 2009-03-10 13:01:34,864 DEBUG [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - Attempting to resolve credentials for [callbackUrl: https://tedzo-wxp01.bling.com:8443/Test/proxyValidate]
> 2009-03-10 13:01:34,896 DEBUG [org.jasig.cas.util.HttpClient] - Response Code did not match any of the acceptable response codes. Code returned was 404
> 2009-03-10 13:01:34,896 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: [callbackUrl: https://tedzo-wxp01.bling.com:8443/Test/proxyValidate]
> 2009-03-10 13:01:34,911 ERROR [org.jasig.cas.web.ServiceValidateController] - TicketException generating ticket for: [callbackUrl: https://tedzo-wxp01.bling.com:8443/Test/proxyValidate]
> org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
>
> Thank you for your time.
>
> ------------------------------
> *From:* Scott Battaglia <[email protected]>
> *To:* [email protected]
> *Sent:* Tuesday, March 10, 2009 11:55:47 AM
> *Subject:* Re: [cas-user] Proxy validation question
>
> Increase the DEBUG log for CAS and you'll find out why the proxy callback
> is failing. Log4j settings are in WEB-INF/classes/log4j.properties
>
> -Scott
>
> On Tue, Mar 10, 2009 at 2:21 PM, tedzo <[email protected]> wrote:
>
>> You're saying that I don't need a separate servlet. Then who receives the
>> PGTIOU/PGT pair? Does proxyCallbackUrl have to be a valid URL or not is what
>> I don't understand.
>>
>> I tried logging in with my setup and I can authenticate fine, but I don't
>> see PGTIOU mentioned anywhere in the logs and I see a weird exception. I
>> think I haven't configured something right. Could you kindly verify my
>> config values for Cas20ProxyReceivingTicketValidationFilter? Specifically,
>>
>> <filter>
>>   <filter-name>CAS Cas20ProxyReceivingTicketValidation Filter</filter-name>
>>   <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
>>   <init-param>
>>     <param-name>casServerUrlPrefix</param-name>
>>     <param-value>https://tedzo-wxp01.bling.com:8443/cas-server-3.3</param-value>
>>   </init-param>
>>   <init-param>
>>     <param-name>serverName</param-name>
>>     <param-value>http://tedzo-wxp01.bling.com:8080</param-value>
>>   </init-param>
>>   <init-param>
>>     <param-name>proxyCallbackUrl</param-name>
>>     <param-value>https://tedzo-wxp01.bling.com:8443/Test/PGTReceive</param-value>
>>   </init-param>
>>   <init-param>
>>     <param-name>proxyReceptorUrl</param-name>
>>     <param-value>/PGTReceive</param-value>
>>   </init-param>
>>   <init-param>
>>     <param-name>acceptAnyProxy</param-name>
>>     <param-value>true</param-value>
>>   </init-param>
>> </filter>
>>
>> In the logs I see an exception-
>>
>> 2009-03-10 10:59:57,343 DEBUG [org.jasig.cas.client.validation.Cas20ProxyTicketValidator] - <Constructing validation url: https://tedzo-wxp01.bling.com:8443/cas-server-3.3/proxyValidate?pgtUrl=https%3A%2F%2Ftedzo-wxp01.bling.com%3A8443%2FTest%2FPGTReceive&ticket=ST-1-CugnMIPTShfY2NtGKPSN-cas&service=http%3A%2F%2Ftedzo-wxp01.bling.com%3A8080%2FTest%2FTest.jsp>
>> 2009-03-10 10:59:57,343 DEBUG [org.jasig.cas.client.validation.Cas20ProxyTicketValidator] - <Retrieving response from server.>
>> <--------------lot of ssl stuff----------------->
>> 2009-03-10 11:13:56,509 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: [callbackUrl: https://tedzo-wxp01.bling.com:8443/Test/PGTReceive]>
>> org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.unsupported
>>     at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:291)
>>     at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:126)
>> Caused by: error.authentication.credentials.unsupported
>>     at org.jasig.cas.authentication.handler.UnsupportedCredentialsException.<clinit>(UnsupportedCredentialsException.java:21)
>>     at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:116)
>>     at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:262)
>>
>> What credentials are unsupported?
>>
>> Thanks for your time.
>>
>> ------------------------------
>> *From:* Scott Battaglia <[email protected]>
>> *To:* [email protected]
>> *Sent:* Monday, March 9, 2009 8:11:28 PM
>> *Subject:* Re: [cas-user] Proxy validation question
>>
>> You shouldn't be configuring a separate servlet. We don't even include
>> one. All the logic is built into the filter. Proxy Callback Url is the
>> fully qualified URL that is sent to the CAS server. The receptor is the
>> path portion that the filter should listen for PGT/PGTIOU requests.
>>
>> On Mon, Mar 9, 2009 at 11:05 PM, tedzo <[email protected]> wrote:
>>
>>> I am trying to set up proxy validation and despite all the messages on
>>> this list, I am lost (or maybe I am just too tired). Kindly bear with me-
>>>
>>> I am trying to access https://tedzo-wxp01.bling.com:8443/Test/Test.jsp
>>> to begin with.
>>>
>>> 1. I modify web.xml to add Cas20ProxyReceivingTicketValidationFilter
>>> (among others. This client 3.1.3).
>>>
>>> 2. I add the init param proxyCallbackUrl
>>> ( https://tedzo-wxp01.bling.com:8443/Test/PGTReceive )
>>> PGTReceive is a Servlet that will receive the PGTIOU/PGT pair.
>>>
>>> 3. Set allowAnyProxy to true, for now.
>>>
>>> 4. Now, PGTReceive is a servlet with doGet and doPost methods. CAS will
>>> POST/GET the PGTIOU/PGT pair to this servlet? How do I extract it? (session
>>> variable? name of variable?)
>>>
>>> 5. Originally, I was trying to reach
>>> https://tedzo-wxp01.bling.com:8443/Test/Test.jsp.
>>> I should be able to have access to half (PGTIOU) of the PGTIOU/PGT pair from
>>> Test.jsp, so that I could get the PGT from PGTReceive servlet. How do I
>>> access the PGTIOU from Test.jsp? Is it in the session or something?
>>>
>>> 6. Is the PGT from the PGTIOU/PGT pair a one time use only kind of ticket
>>> or can I use it multiple times? Meaning, I get to the PGT somehow and then I
>>> pass it on to the proxied application. Then can I pass the same PGT to
>>> different proxied application?
>>>
>>> 7. I couldn't understand the difference between proxyReceptorUrl and
>>> proxyCallbackUrl. Both seem to be receiving the PGTIOU/PGT pair....
>>>
>>> Greatly appreciate your thoughts (or pointers to any documentation).
>>>
>>> Thanks.
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
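
The PGTIOU/PGT hand-off this thread is about, as an added example that is not part of the original messages and not the CAS client's own code: the receptor stores the pair the server sends to the callback URL, and ticket validation later exchanges the PGTIOU for the PGT exactly once. The class name, method names and ticket values are constructed for illustration; `pgtIou` and `pgtId` are the request parameter names the CAS 2.0 protocol uses for the callback.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: class and method names are hypothetical, not the CAS client API.
public class PgtCorrelationDemo {

    /** Keeps PGTs delivered to the receptor until ticket validation claims them. */
    static final class PgtStore {
        private final Map<String, String> pgtByIou = new ConcurrentHashMap<>();

        /** Receptor side: the CAS server calls the callback URL with pgtIou and pgtId. */
        boolean receive(Map<String, String> query) {
            String iou = query.get("pgtIou");
            String pgt = query.get("pgtId");
            if (iou == null || pgt == null) {
                return false; // a request without the pair stores nothing
            }
            pgtByIou.put(iou, pgt);
            return true;
        }

        /** Validation side: swap the PGTIOU from the validation response for its PGT. */
        String claim(String iouFromValidation) {
            if (iouFromValidation == null) {
                return null; // the validation response carried no PGTIOU
            }
            return pgtByIou.remove(iouFromValidation); // removed once retrieved
        }
    }

    public static void main(String[] args) {
        PgtStore store = new PgtStore();

        // Constructed values standing in for what a CAS server would send.
        String iou = "PGTIOU-1-constructed";
        String pgt = "PGT-1-constructed";

        // 1. Server -> proxyCallbackUrl, answered by the filter on the receptor path.
        boolean stored = store.receive(Map.of("pgtIou", iou, "pgtId", pgt));

        // 2. The validation response carries only the PGTIOU; the PGT is looked up locally.
        String first = store.claim(iou);
        String second = store.claim(iou);                      // pair already consumed
        String undelivered = store.claim("PGTIOU-2-constructed"); // callback never arrived

        System.out.println("stored=" + stored);
        System.out.println("first claim=" + first);
        System.out.println("second claim=" + second);
        System.out.println("undelivered IOU=" + undelivered);
    }
}
```

The PGT itself never appears in the validation response, which is why a callback URL that does not reach the receptor leaves the application with a PGTIOU it cannot resolve.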
