Correct, but serviceValidate is what calls login when it was unable to verify the ST or extract a cas:user from the response (causing the loop).
I'm hoping the response from the CAS server will shed some light on why it can't do one or the other. On Mon, May 18, 2009 at 16:17, Xuejin Ruan <[email protected]> wrote: > > Actually the endless loop comes before serviceValidate function was called. > It seems it happen in the fuction "login". When I get to CAS login page, if > I enter an incorrect credential, it correctly returns me the message "The > credentials you provided cannot be determined to be authentic." But if I > enter correct credential, then you will see from Tomcat console that it > keeps generating tickets, until at last it says "Page not found" with the > address bar showing the target page > "http://dprg110.ad.co.pierce.wa.us:8500/casTesting/";. (there were occations > I got a ticket appended at the end of the URL) > > <cffunction name="login" access="public" output="no" returntype="void" > hint="Call CAS login page"> > <cfargument name="forceRenew" required="no" type="boolean" > default="false" hint="Force them to provide primary authentication" /> > <cflocation > url="#Variables.cas_server#login?service=#Variables.service##Iif(Variables.renew > OR > Arguments.forceRenew,DE('&renew=true'),DE(''))##Iif(Variables.gateway,DE('&gateway=true'),DE(''))#" > addtoken="no" /> > </cffunction> > > I did try adding cfabort after </cfhttp>, it seems never get there. > > Thanks, > > Xuejin > > > > > John Watson-13 wrote: >> >> Odd, please dump out the response that the CAS server returns. >> >> Add this: <cfdump var="#cfhttp.filecontent#" /><cfabort/> >> after </cfhttp> in the "serviceValidate" function. >> >> It will dump out the raw cas response and stop processing. >> >> On Fri, May 15, 2009 at 12:11, Xuejin Ruan <[email protected]> wrote: >>> >>> Hi John, >>> >>> Thanks so much for your reply. After I used keytool to create the >>> self-authored server certificate, I did import it to all my different >>> server's keystore, including coldfusion's keystore >>> (C:\ColdFusion8\runtime\jre\lib\security\caserts). So I am wondering why >>> Coldfusion's JRun server does not trust it. Did you do extra >>> configuration >>> for jrun.xml to enable SSL for Coldfusion? I checked the log file of >>> Tomcat, and Coldfusion, and couldn't find any hint why the infinite loop >>> was >>> there. >>> >>> The following is the error message I got from Firefox browser (by the >>> way, >>> it is not cookie issue): >>> Redirect Loop >>> Firefox has detected that the server is redirecting the request for this >>> address in a way that will never complete. >>> The browser has stopped trying to retrieve the requested item. The site >>> is >>> redirecting the request in a way that will never complete. >>> * Have you disabled or blocked cookies required by this site? >>> * NOTE: If accepting the site's cookies does not resolve the problem, >>> it >>> is likely a server configuration issue and not your computer. >>> >>> Thanks again for your time. >>> >>> Xuejin >>> >>> >>> >>> John Watson-13 wrote: >>>> >>>> Thank you for trying out the client. >>>> >>>> I think the problem you're running into is ColdFusion's JRun server >>>> does not trust your SSL cert that the tomcat server uses for CAS. So >>>> when ColdFusion tries to contact your CAS server it's not actually >>>> getting a response for CAS but rather an error about an invalid cert. >>>> So the client gets stuck in an infinite loop trying to send user to >>>> cas login, validate, fail validation, rinse and repeat. >>>> >>>> In my test environment I created my own CA and I import my CA's cert >>>> into all my different server's keystore so that any certs I sign are >>>> automatically trusted. >>>> I run CentOS and used these instructions: >>>> http://dev.antoinesolutions.com/openssl >>>> >>>> Then use: /opt/coldfusion8/runtime/jre/bin/keytool >>>> To import the cert into: >>>> /opt/coldfusion8/runtime/jre/lib/security/cacerts >>>> Detailed instructions: >>>> http://www.coldfusionmuse.com/index.cfm/2005/1/29/keystore >>>> >>>> Hope that solves your problem, >>>> >>>> John >>>> >>>> On Wed, May 13, 2009 at 12:18, Xuejin Ruan <[email protected]> >>>> wrote: >>>>> >>>>> Hi John, >>>>> >>>>> Thanks so much for sharing the Coldfusion CAS Client Component with the >>>>> community. I am new to CAS, but would like to explore the potential of >>>>> using CAS as an SSO solution to our portal (which has Coldfusion as >>>>> well >>>>> as >>>>> Java applications). This morning I was playing with CAS clients your >>>>> wrote, >>>>> and encountered some problem. I am wondering whether you could shed >>>>> some >>>>> lights on. >>>>> >>>>> The following is my basic environment: >>>>> CAS server: 3.3.2 >>>>> Coldfusion: 8 >>>>> Tomcat: 6.0.18 >>>>> >>>>> I've downloaded cas server 3.3.2 and put the war file in Tomcat webapp >>>>> directory. I also create a self-authored server certificate using >>>>> Keytool. >>>>> The CAS server is running fine. Then I download the cas.cfc component >>>>> and >>>>> put it in folder C:\ColdFusion8\CustomTags. I have a very simple >>>>> application >>>>> casTesting, which only has one file: index.cfm (output HelloWorld). I >>>>> download Application.cfc and put in in the folder of casTesting. And I >>>>> only >>>>> made the following modification in Application.cfc: >>>>> <cfset Variables.CAS_arguments = { cas_server = >>>>> "https://<myServerName>:8443/cas", >>>>> service = >>>>> "http://<myServerName>:8500/casTesting", >>>>> direct_forwarding = true } /> >>>>> >>>>> Then I tried to run the application: >>>>> http://<myServerName>:8500/casTesting >>>>> It got redirected to the CAS login page. I typed login credentials, and >>>>> after a long long while, it returned the following url: >>>>> http://<myServerName>:8500/casTesting?ticket=ST-4024-Or6y4zgpleq6MtM93qxr-cas >>>>> >>>>> And the page says: Page not found, connection failure. >>>>> >>>>> On Tomcat console window, it seems it is running a endless loop >>>>> issueing >>>>> ticket for the application until it timeouts. >>>>> >>>>> >>>>> If I tried page: http://<myServerName>:8500/casTesting without having >>>>> Application.cfc in the folder, HelloWorld did get displayed correctly. >>>>> >>>>> Am I missing something in the configuration? >>>>> >>>>> Thanks! >>>>> >>>>> Xuejin >>>>> >>>>> >>>>> >>>>> John Watson-13 wrote: >>>>>> >>>>>> I wrote a new ColdFusion CAS client in order to take advantage of >>>>>> Single >>>>>> Sign Out and Attribute releasing. Since I use an Application.cfc in my >>>>>> applications, I figured it was time to for the existing client to be >>>>>> rewritten as a ColdFusion component (CFC) and now I'm ready to release >>>>>> it >>>>>> to >>>>>> the community. >>>>>> >>>>>> I hope to hear feedback from the community and improvements/bug fixes >>>>>> are >>>>>> very welcome. >>>>>> >>>>>> http://www.ja-sig.org/wiki/display/CASC/ColdFusion+CAS+Client+Component >>>>>> John Watson >>>>>> Jr. Web Developer >>>>>> University of California, Merced >>>>>> >>>>>> -- >>>>>> You are currently subscribed to [email protected] as: >>>>>> [email protected] >>>>>> To unsubscribe, change settings or access archives, see >>>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user >>>>>> >>>>> >>>>> -- >>>>> View this message in context: >>>>> http://www.nabble.com/New-ColdFusion-CAS-Client-tp23343215p23526600.html >>>>> Sent from the CAS Users mailing list archive at Nabble.com. >>>>> >>>>> >>>>> -- >>>>> You are currently subscribed to [email protected] as: >>>>> [email protected] >>>>> To unsubscribe, change settings or access archives, see >>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user >>>>> >>>> >>>> -- >>>> You are currently subscribed to [email protected] as: >>>> [email protected] >>>> To unsubscribe, change settings or access archives, see >>>> http://www.ja-sig.org/wiki/display/JSG/cas-user >>>> >>>> >>> >>> -- >>> View this message in context: >>> http://www.nabble.com/New-ColdFusion-CAS-Client-tp23343215p23565346.html >>> Sent from the CAS Users mailing list archive at Nabble.com. >>> >>> >>> -- >>> You are currently subscribed to [email protected] as: >>> [email protected] >>> To unsubscribe, change settings or access archives, see >>> http://www.ja-sig.org/wiki/display/JSG/cas-user >>> >> >> -- >> You are currently subscribed to [email protected] as: >> [email protected] >> To unsubscribe, change settings or access archives, see >> http://www.ja-sig.org/wiki/display/JSG/cas-user >> >> > > -- > View this message in context: > http://www.nabble.com/New-ColdFusion-CAS-Client-tp23343215p23607021.html > Sent from the CAS Users mailing list archive at Nabble.com. > > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
