If you want SSO to work then your redirect to login MUST be over HTTPS. It won't work under HTTP as that's insecure.
On Wed, Jun 24, 2009 at 6:22 PM, Gerald D. Anderson <[email protected]> wrote:

> Right, SSO isn't working, it's asking me to authenticate (sending me back
> to cas/login) for the application after I've already authenticated to the
> portal. Hrm, are there particular parameters that should be HTTPS? With
> the testing environment I have going I can do SSL between the applications
> (server-side, in other words), but not from the outside development box.
> Does that make sense?
> Thanks Scott!
>
> Gerald
>
> ----- Original Message -----
> From: "Scott Battaglia" <[email protected]>
> To: [email protected]
> Sent: Wednesday, June 24, 2009 8:23:36 PM GMT -06:00 US/Canada Central
> Subject: Re: [cas-user] SSO Not So SSO
>
> I'm not sure I see a question in here. Are you saying your SSO is not
> working? Try running CAS over SSL and not just HTTP. The cookies won't
> transmit over HTTP unless you change the CAS configuration, but that's
> insecure.
>
> -Scott
>
> On Wed, Jun 24, 2009 at 6:08 PM, Gerald D. Anderson <[email protected]> wrote:
>
>> Greetings all,
>>
>> So I finally got far enough that I can authenticate my applications with
>> CAS, it all works perfectly. . . well, almost. Here's the lowdown:
>>
>> I have a company that has a Liferay 5.2.2 portal configured to
>> authenticate against a CAS 3.3.2 server. Here's that configuration:
>>
>> ========BEGIN CODE=========
>> Login URL = http://www.mysite.com/cas/login
>> Logout URL = http://www.mysite.com/cas/logout
>> Server Name = http://www.mysite.com
>> Service URL = http://www.mysite.com/portal/c/portal/login
>> Validate URL = https://www.mysite.com:8443/cas/proxyValidate
>> =========END CODE=========
>>
>> This seems to work fine itself and I receive the following when
>> authenticating:
>>
>> ========BEGIN CODE=========
>> 2009-06-25 00:49:08,231 INFO [STDOUT] 2009-06-25 00:49:08,230 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: bart_simpson]>
>> 2009-06-25 00:49:08,232 INFO [STDOUT] 2009-06-25 00:49:08,232 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-24-oXp1xSrR2ZP4Skfwp9pe-cas] for service [http://www.mysite.com/portal/c/portal/login] for user [bart_simpson]>
>> 2009-06-25 00:49:08,454 INFO [STDOUT] 00:49:08,453 ERROR [SerializableSessionAttributeListener:48] edu.yale.its.tp.cas.client.CASReceipt is not serializable and will prevent this session from being replicated
>> =========END CODE=========
>>
>> I also have a JBoss Seam 2.1.2/Icefaces 1.8.1 application that I've
>> written that needs to be integrated into the above portal. I don't really
>> want to portlet-ize the application so I've decided to run it in an IFrame
>> portlet on Liferay. My answer to the authentication/authorization issues
>> was just to use the CAS server and SSO the application. Thus, the theory
>> was that when they logged into the portal, and went to the portal page that
>> contained the iframe with the application, they'd already be authenticated
>> and life would be good. The good news is that the application can/will
>> authenticate against CAS just fine as an independent entity. Below is what
>> I get:
>>
>> ========BEGIN CODE=========
>> 2009-06-25 01:00:53,585 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] no ticket and no assertion found
>> 2009-06-25 01:00:53,623 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] Constructed service url: http://www.mysite.com/myApp/applicationPage.seam
>> 2009-06-25 01:00:53,623 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] redirecting to "http://www.mysite.com/cas/login?service=http%3A%2F%2Fwww.mysite.com%2FmyApp%2FapplicationPage.seam"
>> 2009-06-25 01:01:02,558 INFO [STDOUT] 2009-06-25 01:01:02,558 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: bart_simpson]>
>> 2009-06-25 01:01:02,559 INFO [STDOUT] 2009-06-25 01:01:02,559 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-25-BhteqnB7WCgewymVQ0kn-cas] for service [http://www.mysite.com/myApp/applicationPage.seam] for user [bart_simpson]>
>> 2009-06-25 01:01:02,634 DEBUG [org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] Attempting to validate ticket: ST-25-BhteqnB7WCgewymVQ0kn-cas
>> 2009-06-25 01:01:02,634 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] Placing URL parameters in map.
>> 2009-06-25 01:01:02,634 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] Calling template URL attribute map.
>> 2009-06-25 01:01:02,634 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] Loading custom parameters from configuration.
>> 2009-06-25 01:01:02,634 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] Constructing validation url: http://www.mysite.com/cas/serviceValidate?&ticket=ST-25-BhteqnB7WCgewymVQ0kn-cas&service=http%3A%2F%2Fwww.mysite.com%2FmyApp%2FapplicationPage.seam
>> 2009-06-25 01:01:02,634 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] Retrieving response from server.
>> 2009-06-25 01:01:02,637 WARN [org.apache.tomcat.util.http.Parameters] Parameters: Invalid chunk ignored.
>> 2009-06-25 01:01:02,642 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] Server response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>> <cas:authenticationSuccess>
>> <cas:user>bart_simpson</cas:user>
>> </cas:authenticationSuccess>
>> </cas:serviceResponse>
>>
>> 2009-06-25 01:01:02,646 INFO [org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl] No Proxy Ticket found for
>> 2009-06-25 01:01:02,646 DEBUG [org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] Successfully authenticated user: bart_simpson
>> 2009-06-25 01:01:02,648 DEBUG [org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] Redirecting after successful ticket validation.
>> =========END CODE=========
>>
>> Remember, that's authenticating the application as itself from scratch,
>> not through the portal. Now, logout, restart the browser, whatever. When I
>> log into the portal and navigate to the page with the iframe it's still
>> redirecting me back to the CAS login page with the following logs:
>>
>> ========BEGIN CODE=========
>> 2009-06-25 00:49:42,076 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] no ticket and no assertion found
>> 2009-06-25 00:49:42,076 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] Constructed service url: http://www.mysite.com/myApp/applicationPage.seam
>> 2009-06-25 00:49:42,076 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] redirecting to "http://www.mysite.com/cas/login?service=http%3A%2F%2Fwww.mysite.com%2FmyApp%2FapplicationPage.seam"
>> =========END CODE=========
>>
>> This forces me to log in again, thus defeating the entire purpose of the SSO.
>> I'm sure I've got something set up wrong, but can't find it and am looking
>> for any help I can get. I'm a little over my head with this stuff as I have
>> less than a week (6/30) to get all this stuff up and running, having never
>> messed with CAS or SSO before.
>>
>> Below is the web.xml for the application:
>>
>> ========BEGIN CODE=========
>> <filter>
>>     <filter-name>CAS Authentication Filter</filter-name>
>>     <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
>>     <init-param>
>>         <param-name>casServerLoginUrl</param-name>
>>         <param-value>http://www.mysite.com/cas/login
>>         </param-value>
>>     </init-param>
>>     <init-param>
>>         <param-name>service</param-name>
>>         <param-value>
>>         http://www.mysite.com/myApp/applicationPage.seam</param-value>
>>     </init-param>
>> </filter>
>>
>> <filter>
>>     <filter-name>CAS Validation Filter</filter-name>
>>     <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
>>     <init-param>
>>         <param-name>casServerUrlPrefix</param-name>
>>         <param-value>http://www.mysite.com/cas
>>         </param-value>
>>     </init-param>
>>     <init-param>
>>         <param-name>service</param-name>
>>         <param-value>
>>         http://www.mysite.com/myApp/applicationPage.seam</param-value>
>>     </init-param>
>> </filter>
>>
>> <filter>
>>     <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>>     <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
>> </filter>
>>
>> <filter-mapping>
>>     <filter-name>CAS Authentication Filter</filter-name>
>>     <url-pattern>/*</url-pattern>
>> </filter-mapping>
>>
>> <filter-mapping>
>>     <filter-name>CAS Validation Filter</filter-name>
>>     <url-pattern>/*</url-pattern>
>> </filter-mapping>
>>
>> <filter-mapping>
>>     <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>>     <url-pattern>/*</url-pattern>
>> </filter-mapping>
>> =========END CODE=========
>>
>> As stated earlier, the CAS Server is 3.3.2, Liferay, I believe, uses Yale
>> CAS 2.0 and my application is using the JA-SIG Java client 3.1.6. I don't
>> suspect that any of that should be an issue, but there it is in case ; )
>>
>> Thanks!!
>>
>> Gerald
>>
>> --
>> You are currently subscribed to [email protected] as: [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
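Added example, not part of the thread and not CAS or Liferay code: a stdlib-only Python simulation of the behaviour Scott describes, using the browser-side cookie rules in http.cookiejar. CAS issues its ticket-granting cookie with the Secure attribute, so when the Seam app redirects the browser to http://www.mysite.com/cas/login the browser withholds the cookie, CAS finds no ticket-granting ticket, and the login form comes up again, exactly the "no ticket and no assertion found" followed by a redirect to cas/login in Gerald's logs. The same jar, redirected to the https login URL, does present the cookie. The cookie name CASTGC and path /cas are the CAS 3.x defaults as I recall them, the ticket value is made up, www.mysite.com is the placeholder host from the thread, and `secure_flag=False` stands in for the "change the CAS configuration" option Scott advises against (the cookieSecure setting on the TGC cookie generator in CAS 3.x, from memory). The last function runs over a trimmed copy of the posted web.xml and lists which CAS client URLs still point at plain http.

```python
"""Why a Secure CAS ticket-granting cookie is not sent to http://.../cas/login.

Added example; not from the cas-user thread, CAS, or Liferay.
Assumptions (labelled): cookie name CASTGC and path /cas are CAS 3.x defaults
as recalled here; the TGT value and www.mysite.com host are placeholders.
"""
import email.message
import http.cookiejar
import urllib.request
import xml.etree.ElementTree as ET

CAS_HOST = "www.mysite.com"   # placeholder host used throughout the thread
TGC_NAME = "CASTGC"           # assumed CAS 3.x default ticket-granting cookie name
TGC_PATH = "/cas"             # assumed CAS 3.x default cookie path


class _FakeResponse:
    """Just enough of a urllib response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_value):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie_value

    def info(self):
        return self._headers


def jar_after_cas_login(secure_flag=True):
    """Cookie jar as the browser holds it right after authenticating at CAS over
    TLS: CAS has answered with its ticket-granting cookie. secure_flag=False
    models a CAS reconfigured to drop the Secure attribute (the insecure option
    mentioned in the thread)."""
    jar = http.cookiejar.CookieJar()
    login_req = urllib.request.Request(f"https://{CAS_HOST}{TGC_PATH}/login")
    value = f"{TGC_NAME}=TGT-1-example-cas; Path={TGC_PATH}"  # constructed TGT id
    if secure_flag:
        value += "; Secure"
    jar.extract_cookies(_FakeResponse(value), login_req)
    return jar


def cookie_header_for(jar, login_url):
    """Cookie header the browser attaches when a client app redirects it to
    login_url, or None when it sends nothing. With None, CAS sees no TGT and
    shows the login form again, which is the symptom in the thread."""
    req = urllib.request.Request(login_url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def plaintext_cas_urls(web_xml):
    """Return [(param-name, value)] for CAS client init-params that still point
    at plain http://. casServerLoginUrl is the redirect the thread is about;
    casServerUrlPrefix is where the client's serviceValidate call goes."""
    root = ET.fromstring(web_xml)
    found = []
    for param in root.iter("init-param"):
        name = (param.findtext("param-name") or "").strip()
        value = (param.findtext("param-value") or "").strip()
        if name in ("casServerLoginUrl", "casServerUrlPrefix") and value.startswith("http://"):
            found.append((name, value))
    return found


# Trimmed copy of the web.xml posted in the thread, used here as sample input.
SAMPLE_WEB_XML = """<web-app>
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>http://www.mysite.com/cas/login
      </param-value>
    </init-param>
    <init-param>
      <param-name>service</param-name>
      <param-value>
        http://www.mysite.com/myApp/applicationPage.seam</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>http://www.mysite.com/cas
      </param-value>
    </init-param>
  </filter>
</web-app>"""

if __name__ == "__main__":
    jar = jar_after_cas_login()
    redirect = "/cas/login?service=http%3A%2F%2Fwww.mysite.com%2FmyApp%2FapplicationPage.seam"
    print("redirect over http: ", cookie_header_for(jar, f"http://{CAS_HOST}{redirect}"))
    print("redirect over https:", cookie_header_for(jar, f"https://{CAS_HOST}{redirect}"))
    print("plain-http CAS URLs in web.xml:", plaintext_cas_urls(SAMPLE_WEB_XML))
```

Running it prints `None` for the http redirect and `CASTGC=TGT-1-example-cas` for the https one, and flags both casServerLoginUrl and casServerUrlPrefix in the sample web.xml. Turning the Secure attribute off makes the http redirect carry the cookie too, which is the fix that "works" but sends the session-equivalent ticket in the clear on every redirect, so the sensible change is the one Scott gives: point casServerLoginUrl (and the rest of the CAS URLs) at https.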
