Right, SSO isn't working, it's asking me to authenticate (sending me back to cas/login) for the application after I've already authenticated to the portal. Hrm, are there particular parameters that should be HTTPS? With the testing environment I have going I can do SSL between the applications (server-side, in other words), but not from the outside development box. That makes sense?
Thanks Scott! Gerald ----- Original Message ----- From: "Scott Battaglia" <[email protected]> To: [email protected] Sent: Wednesday, June 24, 2009 8:23:36 PM GMT -06:00 US/Canada Central Subject: Re: [cas-user] SSO Not So SSO I'm not sure I see a question in here. Are you saying your SSO is not working? Try running CAS over SSL and not just HTTP. The cookies won't transmit over HTTP unless you change the CAS configuration, but that's insecure. -Scott On Wed, Jun 24, 2009 at 6:08 PM, Gerald D. Anderson < [email protected] > wrote: Greetings all, So I finally got far enough that I can authenticate my applications with CAS, it all works perfectly. . .well, almost. Here's the lowdown: I have a company that has a Liferay 5.2.2 portal configured to authenticate against a CAS 3.3.2 server. Here's that configuration: ========BEGIN CODE========= Login URL = http://www.mysite.com/cas/login Logout URL = http://www.mysite.com/cas/logout Server Name = http://www.mysite.com Service URL = http://www.mysite.com/portal/c/portal/login Validate URL = https://www.mysite.com:8443/cas/proxyValidate =========END CODE========= This seems to work fine itself and I receive the following when authenticating: ========BEGIN CODE========= 2009-06-25 00:49:08,231 INFO [STDOUT] 2009-06-25 00:49:08,230 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: bart_simpson]> 2009-06-25 00:49:08,232 INFO [STDOUT] 2009-06-25 00:49:08,232 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-24-oXp1xSrR2ZP4Skfwp9pe-cas] for service [ http://www.mysite.com/portal/c/portal/login ] for user [bart_simpson]> 2009-06-25 00:49:08,454 INFO [STDOUT] 00:49:08,453 ERROR [SerializableSessionAttributeListener:48] edu.yale.its.tp.cas.client.CASReceipt is not serializable and will prevent this session from being replicated =========END CODE========= I also have a JBoss Seam 2.1.2/Icefaces 1.8.1 application that I've written that needs to be integrated into the above portal. I don't really want to portlet-ize the application so I've decided to run it in an IFrame portlet on liferay. My answer to the authentication/authorization issues was just to use the CAS server and SSO the application. Thus, the theory was that when they logged into the portal, and went to the portal page that contained the iframe with the application they'd already be authenticated and life would be good. The good news is that the application can/will authenticate against CAS just fine as an independent entity. Below is what I get: ========BEGIN CODE========= 2009-06-25 01:00:53,585 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] no ticket and no assertion found 2009-06-25 01:00:53,623 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] Constructed service url: http://www.mysite.com/myApp/applicationPage.seam 2009-06-25 01:00:53,623 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] redirecting to " http://www.mysite.com/cas/login?service=http%3A%2F%2Fwww.mysite.com%2FmyApp%2FapplicationPage.seam " 2009-06-25 01:01:02,558 INFO [STDOUT] 2009-06-25 01:01:02,558 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: bart_simpson]> 2009-06-25 01:01:02,559 INFO [STDOUT] 2009-06-25 01:01:02,559 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-25-BhteqnB7WCgewymVQ0kn-cas] for service [ http://www.mysite.com/myApp/applicationPage.seam ] for user [bart_simpson]> 2009-06-25 01:01:02,634 DEBUG [org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] Attempting to validate ticket: ST-25-BhteqnB7WCgewymVQ0kn-cas 2009-06-25 01:01:02,634 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] Placing URL parameters in map. 2009-06-25 01:01:02,634 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] Calling template URL attribute map. 2009-06-25 01:01:02,634 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] Loading custom parameters from configuration. 2009-06-25 01:01:02,634 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] Constructing validation url: http://www.mysite.com/cas/serviceValidate?&ticket=ST-25-BhteqnB7WCgewymVQ0kn-cas&service=http%3A%2F%2Fwww.mysite.com%2FmyApp%2FapplicationPage.seam 2009-06-25 01:01:02,634 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] Retrieving response from server. 2009-06-25 01:01:02,637 WARN [org.apache.tomcat.util.http.Parameters] Parameters: Invalid chunk ignored. 2009-06-25 01:01:02,642 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] Server response: <cas:serviceResponse xmlns:cas=' http://www.yale.edu/tp/cas '> <cas:authenticationSuccess> <cas:user>bart_simpson</cas:user> </cas:authenticationSuccess> </cas:serviceResponse> 2009-06-25 01:01:02,646 INFO [org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl] No Proxy Ticket found for 2009-06-25 01:01:02,646 DEBUG [org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] Successfully authenticated user: bart_simpson 2009-06-25 01:01:02,648 DEBUG [org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] Redirecting after successful ticket validation. =========END CODE========= Remember, that's authenticating the application as itself from scratch, not through the portal. Now, logout, restart the browser, whatever. When I log into the portal and navigate to the page with the iframe it's still redirecting me back to the cas login page with the following logs: ========BEGIN CODE========= 2009-06-25 00:49:42,076 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] no ticket and no assertion found 2009-06-25 00:49:42,076 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] Constructed service url: http://www.mysite.com/myApp/applicationPage.seam 2009-06-25 00:49:42,076 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] redirecting to " http://www.mysite.com/cas/login?service=http%3A%2F%2Fwww.mysite.com%2FmyApp%2FapplicationPage.seam " =========END CODE========= Forcing me to log in again thus defeating the entire purpose of the SSO. I'm sure I've got something set up wrong, but can't find it and am looking for any help I can get. I'm a little over my head with this stuff as I have less than a week (6/30) to get all this stuff up and running having never messed with CAS or SSO before. Below is the web.xml for the application: ========BEGIN CODE========= <filter> <filter-name>CAS Authentication Filter</filter-name> <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> <init-param> <param-name>casServerLoginUrl</param-name> <param-value> http://www.mysite.com/cas/login </param-value> </init-param> <init-param> <param-name>service</param-name> <param-value> http://www.mysite.com/myApp/applicationPage.seam </param-value> </init-param> </filter> <filter> <filter-name>CAS Validation Filter</filter-name> <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> <param-value> http://www.mysite.com/cas </param-value> </init-param> <init-param> <param-name>service</param-name> <param-value> http://www.mysite.com/myApp/applicationPage.seam </param-value> </init-param> </filter> <filter> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class> </filter> <filter-mapping> <filter-name>CAS Authentication Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> =========END CODE========= As stated earlier the CAS Server is 3.3.2, Liferay, I believe uses Yale CAS 2.0 and my application is using ja-sig java client 3.1.6. I don't suspect that any of that should be an issue, but there it is in case ; ) Thanks!! Gerald -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
