David,
Following your advice I increased the logging. I'm not seeing anything else that's telling me anything. Here are the logs, first piece is when I log into the portal, and the second piece is when I go to the application and it tries to verify authentication.

Is it possible I'm having some sort of problem with the portal using a Yale client and the application using the ja-sig client?

David and Scott: I'm going to go through the mess of having the network sandbox my development stuff is in to allow me to hit 443 from the outside and try SSL to see if that makes any difference next.

Thanks!

Gerald

=========BEGIN CODE=========
2009-06-25 11:20:46,921 INFO [STDOUT] 2009-06-25 11:20:46,920 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting path for cookies to: /cas>
2009-06-25 11:20:47,600 INFO [STDOUT] 2009-06-25 11:20:47,590 DEBUG [org.springframework.web.servlet.view.JstlView] - <Added model object 'flowExecutionContext' of type [org.springframework.webflow.engine.impl.FlowExecutionImpl] to request in view with name 'casLoginView'>
2009-06-25 11:20:47,601 INFO [STDOUT] 2009-06-25 11:20:47,601 DEBUG [org.springframework.web.servlet.view.JstlView] - <Added model object 'service' of type [org.jasig.cas.authentication.principal.SimpleWebApplicationServiceImpl] to request in view with name 'casLoginView'>
2009-06-25 11:20:47,601 INFO [STDOUT] 2009-06-25 11:20:47,601 DEBUG [org.springframework.web.servlet.view.JstlView] - <Added model object 'commandName' of type [java.lang.String] to request in view with name 'casLoginView'>
2009-06-25 11:20:47,601 INFO [STDOUT] 2009-06-25 11:20:47,601 DEBUG [org.springframework.web.servlet.view.JstlView] - <Added model object 'credentials' of type [org.jasig.cas.authentication.principal.UsernamePasswordCredentials] to request in view with name 'casLoginView'>
2009-06-25 11:20:47,601 INFO [STDOUT] 2009-06-25 11:20:47,601 DEBUG [org.springframework.web.servlet.view.JstlView] - <Added model object 'currentFormObject' of type [org.jasig.cas.authentication.principal.UsernamePasswordCredentials] to request in view with name 'casLoginView'>
2009-06-25 11:20:47,601 INFO [STDOUT] 2009-06-25 11:20:47,601 DEBUG [org.springframework.web.servlet.view.JstlView] - <Added model object 'flowExecutionKey' of type [java.lang.String] to request in view with name 'casLoginView'>
2009-06-25 11:20:47,601 INFO [STDOUT] 2009-06-25 11:20:47,601 DEBUG [org.springframework.web.servlet.view.JstlView] - <Added model object 'warnCookieValue' of type [java.lang.Boolean] to request in view with name 'casLoginView'>
2009-06-25 11:20:47,601 INFO [STDOUT] 2009-06-25 11:20:47,601 DEBUG [org.springframework.web.servlet.view.JstlView] - <Removed model object 'ticketGrantingTicketId' from request in view with name 'casLoginView'>
2009-06-25 11:20:47,602 INFO [STDOUT] 2009-06-25 11:20:47,601 DEBUG [org.springframework.web.servlet.view.JstlView] - <Added model object 'org.springframework.validation.BindException.currentFormObject' of type [org.springframework.validation.BindException] to request in view with name 'casLoginView'>
2009-06-25 11:20:47,602 INFO [STDOUT] 2009-06-25 11:20:47,602 DEBUG [org.springframework.web.servlet.view.JstlView] - <Added model object 'org.springframework.validation.BindException.credentials' of type [org.springframework.validation.BindException] to request in view with name 'casLoginView'>
2009-06-25 11:20:47,617 INFO [STDOUT] 2009-06-25 11:20:47,617 DEBUG [org.springframework.web.servlet.view.JstlView] - <Forwarding to resource [/WEB-INF/view/jsp/default/ui/casLoginView.jsp] in InternalResourceView 'casLoginView'>
2009-06-25 11:21:01,429 INFO [STDOUT] 2009-06-25 11:21:01,429 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: bart_simpson]>
2009-06-25 11:21:01,430 INFO [STDOUT] 2009-06-25 11:21:01,430 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
2009-06-25 11:21:01,430 INFO [STDOUT] 2009-06-25 11:21:01,430 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Creating SimplePrincipal for [bart_simpson]>
2009-06-25 11:21:01,439 INFO [STDOUT] 2009-06-25 11:21:01,439 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1-1GqXRv05Zn3e4kjf32cg-cas] for service [http://www.mysite.com/portal/c/portal/login] for user [bart_simpson]>
2009-06-25 11:21:02,605 INFO [STDOUT] 2009-06-25 11:21:02,590 DEBUG [org.springframework.web.servlet.view.JstlView] - <Added model object 'assertion' of type [org.jasig.cas.validation.ImmutableAssertionImpl] to request in view with name 'casServiceSuccessView'>
2009-06-25 11:21:02,605 INFO [STDOUT] 2009-06-25 11:21:02,605 DEBUG [org.springframework.web.servlet.view.JstlView] - <Forwarding to resource [/WEB-INF/view/jsp/protocol/2.0/casServiceValidationSuccess.jsp] in InternalResourceView 'casServiceSuccessView'>
2009-06-25 11:21:02,670 INFO [STDOUT] 11:21:02,664 ERROR [SerializableSessionAttributeListener:48] edu.yale.its.tp.cas.client.CASReceipt is not serializable and will prevent this session from being replicated
2009-06-25 11:21:03,344 INFO [STDOUT] 11:21:03,343 INFO [PluginPackageUtil:1342] Checking for available updates
2009-06-25 11:21:05,206 INFO [STDOUT] 11:21:05,205 INFO [PluginPackageUtil:1386] Finished checking for available updates in 1860 ms
=========END CODE=========

=========BEGIN CODE=========
2009-06-25 11:22:01,554 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] no ticket and no assertion found
2009-06-25 11:22:01,555 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] Constructed service url: http://www.mysite.com/myApp/applicationPage.seam
2009-06-25 11:22:01,555 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] redirecting to "http://www.mysite.com/cas/login?service=http%3A%2F%2Fwww.mysite.com%2FmyApp%2FapplicationPage.seam"
2009-06-25 11:22:01,605 INFO [STDOUT] 2009-06-25 11:22:01,605 DEBUG [org.springframework.web.servlet.view.JstlView] - <Added model object 'flowExecutionContext' of type [org.springframework.webflow.engine.impl.FlowExecutionImpl] to request in view with name 'casLoginView'>
2009-06-25 11:22:01,606 INFO [STDOUT] 2009-06-25 11:22:01,605 DEBUG [org.springframework.web.servlet.view.JstlView] - <Added model object 'service' of type [org.jasig.cas.authentication.principal.SimpleWebApplicationServiceImpl] to request in view with name 'casLoginView'>
2009-06-25 11:22:01,606 INFO [STDOUT] 2009-06-25 11:22:01,606 DEBUG [org.springframework.web.servlet.view.JstlView] - <Added model object 'commandName' of type [java.lang.String] to request in view with name 'casLoginView'>
2009-06-25 11:22:01,606 INFO [STDOUT] 2009-06-25 11:22:01,606 DEBUG [org.springframework.web.servlet.view.JstlView] - <Added model object 'credentials' of type [org.jasig.cas.authentication.principal.UsernamePasswordCredentials] to request in view with name 'casLoginView'>
2009-06-25 11:22:01,606 INFO [STDOUT] 2009-06-25 11:22:01,606 DEBUG [org.springframework.web.servlet.view.JstlView] - <Added model object 'currentFormObject' of type [org.jasig.cas.authentication.principal.UsernamePasswordCredentials] to request in view with name 'casLoginView'>
2009-06-25 11:22:01,606 INFO [STDOUT] 2009-06-25 11:22:01,606 DEBUG [org.springframework.web.servlet.view.JstlView] - <Added model object 'flowExecutionKey' of type [java.lang.String] to request in view with name 'casLoginView'>
2009-06-25 11:22:01,606 INFO [STDOUT] 2009-06-25 11:22:01,606 DEBUG [org.springframework.web.servlet.view.JstlView] - <Added model object 'warnCookieValue' of type [java.lang.Boolean] to request in view with name 'casLoginView'>
2009-06-25 11:22:01,606 INFO [STDOUT] 2009-06-25 11:22:01,606 DEBUG [org.springframework.web.servlet.view.JstlView] - <Removed model object 'ticketGrantingTicketId' from request in view with name 'casLoginView'>
2009-06-25 11:22:01,606 INFO [STDOUT] 2009-06-25 11:22:01,606 DEBUG [org.springframework.web.servlet.view.JstlView] - <Added model object 'org.springframework.validation.BindException.currentFormObject' of type [org.springframework.validation.BindException] to request in view with name 'casLoginView'>
2009-06-25 11:22:01,606 INFO [STDOUT] 2009-06-25 11:22:01,606 DEBUG [org.springframework.web.servlet.view.JstlView] - <Added model object 'org.springframework.validation.BindException.credentials' of type [org.springframework.validation.BindException] to request in view with name 'casLoginView'>
2009-06-25 11:22:01,607 INFO [STDOUT] 2009-06-25 11:22:01,607 DEBUG [org.springframework.web.servlet.view.JstlView] - <Forwarding to resource [/WEB-INF/view/jsp/default/ui/casLoginView.jsp] in InternalResourceView 'casLoginView'>
=========END CODE=========

----- Original Message -----
From: "David Ruwoldt" <[email protected]>
To: [email protected]
Sent: Wednesday, June 24, 2009 8:51:07 PM GMT -06:00 US/Canada Central
Subject: Re: [cas-user] SSO Not So SSO

Dear Gerald,

You can turn on greater debugging in /cas/WEB-INF/classes/log4j.properties

For example

# For JBoss: Avoid to setup Log4J outside $JBOSS_HOME/server/default/deploy/log4j.xml!
# For all other servers: Comment out the Log4J listener in web.xml to activate Log4J.
log4j.rootLogger=ERROR, stdout, logfile

log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - <%m>%n

log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.appender.logfile.File=/var/lib/tomcat5/webapps/cas/log/cas.log
log4j.appender.logfile.MaxFileSize=512KB
# Keep three backup files.
log4j.appender.logfile.MaxBackupIndex=3
# Pattern to output: date priority [category] - message
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile.layout.ConversionPattern=%d %p [%c] - %m%n

# WARNING: Setting the org.springframework logger to DEBUG displays debug information about
# the request parameter values being bound to the command objects. This could expose your
# password in the log file. If you are sharing your log files, it is recommend you selectively
# apply DEBUG level logging on a an org.springframework.* package level (i.e. org.springframework.dao)
log4j.logger.org.springframework=WARN
log4j.logger.org.springframework.web.servlet.i18n=DEBUG
log4j.logger.org.springframework.web.servlet.view=DEBUG
log4j.logger.org.quartz=DEBUG
log4j.logger.org.jasig=INFO

# WARNING: Setting the flow package to DEBUG will display
# the parameters posted to the login servlet including
# cleartext authentication credentials
log4j.logger.org.jasig.cas.web.flow=INFO
log4j.logger.org.jasig.cas.authentication=DEBUG
log4j.logger.org.jasig.cas.web.flow.TicketGrantingTicketCheckAction=DEBUG
log4j.logger.org.jasig.cas.services.DefaultServiceRegistry=DEBUG
log4j.logger.org.jasig.cas.services=DEBUG

Note you will see passwords in the log file if you use this. So make sure you turn it off after you have your information and wipe the log file.

Then you should see TGT and ST being requested and sent.

Yours sincerely

David Ruwoldt

Gerald D. Anderson wrote:
> Sorry folks, another thought. After I authenticate it knows it's
> authenticated and everything works just fine, so it would seem I'm getting
> what I need back from the server. I fully understand that I could be woefully
> wrong and not understanding anything ; )
>
> Also, I get the feeling that this:
>
> 2009-06-25 00:49:42,076 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] no ticket and no assertion found
>
> is significant when the 2nd app tries to authenticate.
> Google tells me that it's something to do with service urls, but from any
> documentation I've found I THINK they're correct.
>
> Gerald
>
> P.S. Really sorry, I don't mean to spam, I'll shut up now.
>
> ----- Original Message -----
> From: "Scott Battaglia" <[email protected]>
> To: [email protected]
> Sent: Wednesday, June 24, 2009 8:23:36 PM GMT -06:00 US/Canada Central
> Subject: Re: [cas-user] SSO Not So SSO
>
> I'm not sure I see a question in here. Are you saying your SSO is not
> working? Try running CAS over SSL and not just HTTP. The cookies won't
> transmit over HTTP unless you change the CAS configuration, but that's
> insecure.
>
> -Scott
>
> On Wed, Jun 24, 2009 at 6:08 PM, Gerald D. Anderson <[email protected]> wrote:
>
> Greetings all,
>
> So I finally got far enough that I can authenticate my applications with CAS,
> it all works perfectly. . .well, almost. Here's the lowdown:
>
> I have a company that has a Liferay 5.2.2 portal configured to authenticate
> against a CAS 3.3.2 server.
> Here's that configuration:
>
> ========BEGIN CODE=========
> Login URL = http://www.mysite.com/cas/login
> Logout URL = http://www.mysite.com/cas/logout
> Server Name = http://www.mysite.com
> Service URL = http://www.mysite.com/portal/c/portal/login
> Validate URL = https://www.mysite.com:8443/cas/proxyValidate
> =========END CODE=========
>
> This seems to work fine itself and I receive the following when
> authenticating:
>
> ========BEGIN CODE=========
> 2009-06-25 00:49:08,231 INFO [STDOUT] 2009-06-25 00:49:08,230 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: bart_simpson]>
> 2009-06-25 00:49:08,232 INFO [STDOUT] 2009-06-25 00:49:08,232 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-24-oXp1xSrR2ZP4Skfwp9pe-cas] for service [http://www.mysite.com/portal/c/portal/login] for user [bart_simpson]>
> 2009-06-25 00:49:08,454 INFO [STDOUT] 00:49:08,453 ERROR [SerializableSessionAttributeListener:48] edu.yale.its.tp.cas.client.CASReceipt is not serializable and will prevent this session from being replicated
> =========END CODE=========
>
> I also have a JBoss Seam 2.1.2/Icefaces 1.8.1 application that I've written
> that needs to be integrated into the above portal. I don't really want to
> portlet-ize the application so I've decided to run it in an IFrame portlet on
> liferay. My answer to the authentication/authorization issues was just to use
> the CAS server and SSO the application. Thus, the theory was that when they
> logged into the portal, and went to the portal page that contained the iframe
> with the application they'd already be authenticated and life would be good.
> The good news is that the application can/will authenticate against CAS just
> fine as an independent entity.
> Below is what I get:
>
> ========BEGIN CODE=========
> 2009-06-25 01:00:53,585 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] no ticket and no assertion found
> 2009-06-25 01:00:53,623 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] Constructed service url: http://www.mysite.com/myApp/applicationPage.seam
> 2009-06-25 01:00:53,623 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] redirecting to "http://www.mysite.com/cas/login?service=http%3A%2F%2Fwww.mysite.com%2FmyApp%2FapplicationPage.seam"
> 2009-06-25 01:01:02,558 INFO [STDOUT] 2009-06-25 01:01:02,558 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: bart_simpson]>
> 2009-06-25 01:01:02,559 INFO [STDOUT] 2009-06-25 01:01:02,559 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-25-BhteqnB7WCgewymVQ0kn-cas] for service [http://www.mysite.com/myApp/applicationPage.seam] for user [bart_simpson]>
> 2009-06-25 01:01:02,634 DEBUG [org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] Attempting to validate ticket: ST-25-BhteqnB7WCgewymVQ0kn-cas
> 2009-06-25 01:01:02,634 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] Placing URL parameters in map.
> 2009-06-25 01:01:02,634 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] Calling template URL attribute map.
> 2009-06-25 01:01:02,634 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] Loading custom parameters from configuration.
> 2009-06-25 01:01:02,634 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] Constructing validation url: http://www.mysite.com/cas/serviceValidate?&ticket=ST-25-BhteqnB7WCgewymVQ0kn-cas&service=http%3A%2F%2Fwww.mysite.com%2FmyApp%2FapplicationPage.seam
> 2009-06-25 01:01:02,634 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] Retrieving response from server.
> 2009-06-25 01:01:02,637 WARN [org.apache.tomcat.util.http.Parameters] Parameters: Invalid chunk ignored.
> 2009-06-25 01:01:02,642 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] Server response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>     <cas:authenticationSuccess>
>         <cas:user>bart_simpson</cas:user>
>     </cas:authenticationSuccess>
> </cas:serviceResponse>
> 2009-06-25 01:01:02,646 INFO [org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl] No Proxy Ticket found for
> 2009-06-25 01:01:02,646 DEBUG [org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] Successfully authenticated user: bart_simpson
> 2009-06-25 01:01:02,648 DEBUG [org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] Redirecting after successful ticket validation.
> =========END CODE=========
>
> Remember, that's authenticating the application as itself from scratch, not
> through the portal. Now, logout, restart the browser, whatever.
> When I log into the portal and navigate to the page with the iframe it's still
> redirecting me back to the cas login page with the following logs:
>
> ========BEGIN CODE=========
> 2009-06-25 00:49:42,076 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] no ticket and no assertion found
> 2009-06-25 00:49:42,076 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] Constructed service url: http://www.mysite.com/myApp/applicationPage.seam
> 2009-06-25 00:49:42,076 DEBUG [org.jasig.cas.client.authentication.AuthenticationFilter] redirecting to "http://www.mysite.com/cas/login?service=http%3A%2F%2Fwww.mysite.com%2FmyApp%2FapplicationPage.seam"
> =========END CODE=========
>
> Forcing me to log in again thus defeating the entire purpose of the SSO. I'm
> sure I've got something set up wrong, but can't find it and am looking for
> any help I can get. I'm a little over my head with this stuff as I have less
> than a week (6/30) to get all this stuff up and running having never messed
> with CAS or SSO before.
>
> Below is the web.xml for the application:
>
> ========BEGIN CODE=========
> <filter>
>     <filter-name>CAS Authentication Filter</filter-name>
>     <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
>     <init-param>
>         <param-name>casServerLoginUrl</param-name>
>         <param-value>http://www.mysite.com/cas/login</param-value>
>     </init-param>
>     <init-param>
>         <param-name>service</param-name>
>         <param-value>http://www.mysite.com/myApp/applicationPage.seam</param-value>
>     </init-param>
> </filter>
>
> <filter>
>     <filter-name>CAS Validation Filter</filter-name>
>     <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
>     <init-param>
>         <param-name>casServerUrlPrefix</param-name>
>         <param-value>http://www.mysite.com/cas</param-value>
>     </init-param>
>     <init-param>
>         <param-name>service</param-name>
>         <param-value>http://www.mysite.com/myApp/applicationPage.seam</param-value>
>     </init-param>
> </filter>
>
> <filter>
>     <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>     <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
> </filter>
>
> <filter-mapping>
>     <filter-name>CAS Authentication Filter</filter-name>
>     <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> <filter-mapping>
>     <filter-name>CAS Validation Filter</filter-name>
>     <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> <filter-mapping>
>     <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>     <url-pattern>/*</url-pattern>
> </filter-mapping>
> =========END CODE=========
>
> As stated earlier the CAS Server is 3.3.2, Liferay, I believe uses Yale CAS
> 2.0 and my application is using ja-sig java client 3.1.6. I don't suspect
> that any of that should be an issue, but there it is in case ; )
>
> Thanks!!
>
> Gerald
>

--
David Ruwoldt
Senior Systems Specialist
Technology Services
Level 9, 9 Gawler Place
ADELAIDE UNIVERSITY SA 5005
AUSTRALIA
CRICOS Provider Number 00123M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
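
A log triage sketch for the symptom discussed in this thread, added here as an example (it is not code from any poster or from the CAS project): it pairs each client redirect to /cas/login with what the CAS server logged next. The function names and the `WORKING_SSO` sample are constructed, and reading "ticket granted with no login form and no credential check" as reuse of an existing ticket-granting ticket is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Message shapes taken from the log lines quoted in this thread.
REDIRECT = re.compile(r'AuthenticationFilter\]\s+redirecting to\s+"\s*(\S+?)\s*"')
LOGIN_FORM = re.compile(r"Forwarding to resource \[[^\]]*casLoginView\.jsp\]")
CREDENTIALS = re.compile(r"AuthenticationHandler: \S+ successfully authenticated")
GRANTED = re.compile(r"Granted service ticket \[(ST-[^\]]+)\] for service \[\s*(\S+?)\s*\]")

APP = "http://www.mysite.com/myApp/applicationPage.seam"
REDIRECT_LINE = ('2009-06-25 11:22:01,555 DEBUG [org.jasig.cas.client.authentication.'
                 'AuthenticationFilter] redirecting to "http://www.mysite.com/cas/login'
                 '?service=http%3A%2F%2Fwww.mysite.com%2FmyApp%2FapplicationPage.seam"')

# Message text from the thread: portal session exists, iframe request gets the login form.
PORTAL_IFRAME = [
    REDIRECT_LINE,
    "2009-06-25 11:22:01,607 DEBUG [org.springframework.web.servlet.view.JstlView] - "
    "<Forwarding to resource [/WEB-INF/view/jsp/default/ui/casLoginView.jsp] "
    "in InternalResourceView 'casLoginView'>",
]
# Message text from the thread (timestamps omitted): application logged in on its own.
STANDALONE = [
    REDIRECT_LINE,
    "INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: "
    "org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler successfully authenticated "
    "the user which provided the following credentials: [username: bart_simpson]>",
    "INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket "
    "[ST-25-BhteqnB7WCgewymVQ0kn-cas] for service [" + APP + "] for user [bart_simpson]>",
]
# Constructed sample: what a working SSO hop is assumed to look like (ticket id is made up).
WORKING_SSO = [
    REDIRECT_LINE,
    "INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket "
    "[ST-26-CONSTRUCTED-cas] for service [" + APP + "] for user [bart_simpson]>",
]

def classify_visits(lines):
    """Return (service, verdict) for every client redirect to /cas/login."""
    visits, current = [], None
    for line in lines:
        hit = REDIRECT.search(line)
        if hit:
            query = parse_qs(urlsplit(hit.group(1)).query)
            current = {"service": query.get("service", [""])[0],
                       "form": False, "creds": False, "ticket": None}
            visits.append(current)
        elif current is not None and current["ticket"] is None:
            granted = GRANTED.search(line)
            if LOGIN_FORM.search(line):
                current["form"] = True      # CAS rendered the login page
            elif CREDENTIALS.search(line):
                current["creds"] = True     # user typed credentials again
            elif granted and granted.group(2) == current["service"]:
                current["ticket"] = granted.group(1)
    return [(v["service"], verdict(v)) for v in visits]

def verdict(visit):
    prompted = visit["form"] or visit["creds"]
    if visit["ticket"]:
        return "reauthenticated" if prompted else "sso"
    return "login-form" if prompted else "unknown"
```

A "login-form" or "reauthenticated" verdict right after a successful portal login means no usable ticket-granting cookie reached /cas/login, which is the condition Scott's reply attributes to running CAS over plain HTTP.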
