I was able to resolve this on my own:
In my CAS server, I had to edit my cas-servlet.xml file and make the
following change:
Default/Old value:
<bean id="serviceValidateController"
    class="org.jasig.cas.web.ServiceValidateController"
    p:validationSpecificationClass="org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification"
    p:centralAuthenticationService-ref="centralAuthenticationService"
    p:proxyHandler-ref="proxy20Handler"
    p:argumentExtractor-ref="casArgumentExtractor" />
Changed to:
<bean id="serviceValidateController"
    class="org.jasig.cas.web.ServiceValidateController"
    p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
    p:centralAuthenticationService-ref="centralAuthenticationService"
    p:proxyHandler-ref="proxy20Handler"
    p:argumentExtractor-ref="casArgumentExtractor" />
Once I made that change then both proxy and service tickets could be
validated by the /serviceValidate action.
Question: are there any security concerns with using the
*Cas20ProtocolValidationSpecification* validation specification?
Thanks
Venka
2009/7/31 Venka Ashtakala <[email protected]>
> Hi everyone,
> I am running into this error when I try to execute a back-channel
> communication between 2 CASified applications:
>
> Ticket failed validation specification. Possible errors could include
> attempting to validate a Proxy Ticket via a Service Ticket validator, or not
> complying with the renew true request.
>
> Some background:
> I've got 2 web applications, P1 and C1, both are CASified and both of them
> have their proxy call back urls defined, both proxy call back urls are
> listening on an HTTPS port, and both of them have valid, non-null PGTs in
> the session. P1 is trying to do a POST to C1. P1 is a rails application
> using the *gunark-rubycas-client* while C1 is a Java application using the
> Java CAS Client 3.1.6. P1 is using the PGT in its session along with the
> target url on C1 to generate a proxy ticket and then is including the proxy
> ticket in the POST to C1. I can verify this because I see the proxy ticket
> being received by the target url on C1.
>
> What I think is happening is that C1 is thinking this is a service ticket
> and is attempting to validate it in the CAS server by calling the
> /cas/serviceValidate action and serviceValidate is not accepting the ticket
> and giving back the error I identified above. From doing some reading of
> this document: http://www.jasig.org/cas/protocol it seems that
> /serviceValidate should not be used to validate a proxy ticket, just a
> service ticket. The CAS Protocol document mentions that there is a
> /proxyValidate function that should be used to validate proxy tickets, but,
> how
>
> So what are my options here? Any ideas? Is there a way to differentiate
> between a Proxy Ticket and a Service Ticket?
>
> Thanks for your help,
> Venka
>
> --
> Venka Ashtakala, B.Eng, G.C. Eng
> Venka Ashtakala & Associates
> Software Development Consultants
> Office: +1-703-596-0287
> Fax: +1-815-550-1356
> Mobile: +91 9886304317
> [email protected]
>
>
--
Venka Ashtakala, B.Eng, G.C. Eng
Venka Ashtakala & Associates
Software Development Consultants
Office: +1-703-596-0287
Fax: +1-815-550-1356
Mobile: +91 9886304317
[email protected]
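
Added example (not part of the original message, and not code from the CAS server or its clients): once proxy tickets validate, a proxied service such as C1 can check the `<cas:proxies>` chain in the CAS 2.0 validation response and accept a proxy ticket only when that chain is on an allow-list. The callback URLs, the user name and the sample responses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 response namespace

# Assumption: C1 trusts only P1's callback (hypothetical URL); most recent proxy first.
ALLOWED_PROXY_CHAINS = [["https://p1.example.org/cas/pgt_callback"]]


class TicketRejected(Exception):
    """Raised when the ticket must not be used to log the user in."""


def parse_validation_response(xml_text):
    """Return (user, proxy_chain) from a CAS 2.0 validation response."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        raise TicketRejected(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", NS)
    user = success.findtext("cas:user", namespaces=NS) if success is not None else None
    if not user or not user.strip():
        raise TicketRejected("malformed response: no authenticated user")
    chain = [(p.text or "").strip() for p in success.findall("cas:proxies/cas:proxy", NS)]
    return user.strip(), chain


def authorize(xml_text, allowed_chains=ALLOWED_PROXY_CHAINS):
    """Accept direct logins, and proxy tickets only from allow-listed chains."""
    user, chain = parse_validation_response(xml_text)
    if chain and chain not in allowed_chains:
        raise TicketRejected(f"untrusted proxy chain: {chain}")
    return user


def sample_response(proxies=()):
    """Constructed success response for user 'alice' (not captured traffic)."""
    items = "".join(f"<cas:proxy>{p}</cas:proxy>" for p in proxies)
    body = f"<cas:proxies>{items}</cas:proxies>" if proxies else ""
    return (f'<cas:serviceResponse xmlns:cas="{NS["cas"]}"><cas:authenticationSuccess>'
            f"<cas:user>alice</cas:user>{body}</cas:authenticationSuccess></cas:serviceResponse>")


if __name__ == "__main__":
    for chain in ([], ALLOWED_PROXY_CHAINS[0], ["https://other.example.org/pgt"]):
        try:
            print(chain, "->", authorize(sample_response(chain)))
        except TicketRejected as exc:
            print(chain, "-> rejected:", exc)
```

The chain match is exact on purpose: a trusted proxy appearing somewhere in a longer chain does not make the whole chain trusted.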