Make sure not to apply the authentication filter to the proxy endpoint.  You
could also try putting the validation filter first.  I haven't tried that, so
I haven't really thought through whether there are security ramifications
to that.


On Wed, Oct 7, 2009 at 4:39 AM, kevin kevin <[email protected]> wrote:

> Scott, thank you for the hint.
> I have debugged the code; it seems that serverA's certificate is OK.
>
> When I access the URL "http://serverA:8080/appA/serviceA", the log is
> listed below.
>
> 1. Enter into AuthenticationFilter
> serviceUrl:http://serverA:8080/appA/serviceA
> assertion:null
> ticket:null
> redirecting to
> https://serverA:8443/cas/login?service=http%3A%2F%2FserverA%3A8080%2FappA%2FserviceA
> 2009-10-07 16:17:11,493 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> <AuthenticationHandler:
> org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler
> successfully authenticated the user which provided the following
> credentials: [username: admin]>
> 2009-10-07 16:17:11,493 INFO
> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket
> [ST-11-luecr2dLyBYYJFy6Sx4x-cas] for service [
> http://serverA:8080/appA/serviceA] for user [admin]>
>
> // after the CAS login, redirect to http://serverA:8080/appA/serviceA with
> // the ticket
> 2. Enter into AuthenticationFilter
> serviceUrl:http://serverA:8080/appA/serviceA
> assertion:null
> ticket:ST-11-luecr2dLyBYYJFy6Sx4x-cas
>
> 3 Enter into Cas20ProxyReceivingTicketValidationFilter
>
> // then do the validation in the CAS server.
> // the callbackUrl was called two times, as can be seen in 3.1 and 3.3
>
> // the callbackUrl was called first without pgtIou and pgtId
> 3.1  Enter into AuthenticationFilter
> serviceUrl:http://serverA:8080/appA/proxy/test.jsp
> assertion:null
> ticket:null
> redirecting to
> https://serverA:8443/cas/login?service=http%3A%2F%2FserverA%3A8080%2FappA%2Fproxy%2Ftest.jsp
>
> // because the correct response code was returned, CAS server validation
> // continued.
> 3.2. 2009-10-07 16:17:11,524 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> <AuthenticationHandler:
> org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler
> successfully authenticated the user which provided the following
> credentials: [callbackUrl: https://serverA:8443/appA/proxy/test.jsp]>
>
> // the callbackUrl was called a second time with pgtIou and pgtId
> 3.3 Enter AuthenticationFilter
> serviceUrl:
> http://serverA:8080/appA/proxy/test.jsp?pgtIou=PGTIOU-8-NZZ9lyLmJQLxlBFixCOP-cas&pgtId=TGT-21-SviqU6egP6dQbVHUHhsoXTanfJ3K1U71fjtFfwyEXbgRJHXclp-cas
> assertion:null
> ticket:null
> redirecting to
> https://serverA:8443/cas/login?service=http%3A%2F%2FserverA%3A8080%2FappA%2Fproxy%2Ftest.jsp%3FpgtIou%3DPGTIOU-8-NZZ9lyLmJQLxlBFixCOP-cas%26pgtId%3DTGT-21-SviqU6egP6dQbVHUHhsoXTanfJ3K1U71fjtFfwyEXbgRJHXclp-cas
>
> // return to the CAS client validation
> 4. 2009/10/07 16:17:15
> org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl retrieve
> INFO: No Proxy Ticket found for PGTIOU-8-NZZ9lyLmJQLxlBFixCOP-cas
>
> // after the successful validation, redirect to
> // http://serverA:8080/appA/serviceA
> 5.Enter AuthenticationFilter
> serviceUrl:http://serverA:8080/appA/serviceA
> assertion:org.apache.catalina.session.standardsessionfac...@afc7a9
> Enter into Cas20ProxyReceivingTicketValidationFilter
> RequestUri:/appA/serviceA
>
> // because serviceA has been logged in, serviceA can now be executed
> 6.Enter serviceA
> AssertionHolder.getAssertion().getPrincipal().getProxyTicketFor("http://serverB:8080/appB/serviceB")
> is null.
> can't get the ticket.
> .....
>
> The problem is that when executing the "redirecting to
> https://serverA:8443/cas/login?service=http%3A%2F%2FserverA%3A8080%2FappA%2Fproxy%2Ftest.jsp%3FpgtIou%3DPGTIOU-8-NZZ9lyLmJQLxlBFixCOP-cas%26pgtId%3DTGT-21-SviqU6egP6dQbVHUHhsoXTanfJ3K1U71fjtFfwyEXbgRJHXclp-cas
> "
> (which we can see in 3.3), the CAS server does not return and re-enter the
> CAS client validation filter, which will set the proxyGrantingTicketIou and
> proxyGrantingTicket locally.
>
> It seems that when the "callbackUrl" is called in the CAS server, it just
> enters the AuthenticationFilter and can't enter the CAS client validation
> filter.
>
> Why did this happen? Could you give me a hint?
> Thank you very much.
>
> your friend
>
> ----
> kevin
>
>
>
> 2009/10/7 Scott Battaglia <[email protected]>
>
>> On Tue, Oct 6, 2009 at 10:55 PM, kevin kevin <[email protected]> wrote:
>>
>>> Scott, thank you very much!
>>>
>>> >You need both the receptor and the callback in A.
>>> Does that mean I could modify the web.xml in A as below and do
>>> nothing to the web.xml in B?
>>> web.xml in A: <snip />
>>>
>>> By the way, must the suffix of "proxyCallbackUrl" match the
>>> "proxyReceptorUrl"?
>>>
>>
>> Yes it should.
>>
>>
>>>
>>>
>>>
>>>
>>> >Then you'll need to call the API to get the ticket.
>>> Before I call serviceB from A, I must add the pt to the URL of
>>> serviceB, is that right?
>>>
>>> String pt =
>>> AssertionHolder.getAssertion().getPrincipal().getProxyTicketFor("http://serverB:8080/appB/serviceB");
>>>
>>> URL urlB= new URL("http://serverB:8080/appB/serviceB?pt="+pt);
>>>
>>
>> You should be passing it as "ticket".
>>
>>> ....
>>>
>>> But when I access "http://serverA:8080/appA/serviceA",
>>> the CAS login happens first, then service A runs and can't get serviceB
>>> yet.
>>>
>>> In the log I can see that the value of "pt" is null and "No Proxy Ticket
>>> found for PGTIOU-7-hkxtdSxngYiu6RxkbVLP-cas" was output.
>>>
>>
>> That means the ticket was not sent back.  Check your CAS server logs to
>> find out why.  The most likely reason is that it didn't like serverA's
>> certificate when it did the callback.
>>
>> Cheers,
>> Scott
>>
>>
>>
>>>
>>>
>>> thanks again.
>>>
>>> yours
>>> -------
>>> kevin
>>>
>>>
>>> 2009/10/7 Scott Battaglia <[email protected]>
>>>
>>>> You need both the receptor and the callback in A.
>>>>
>>>> Then you'll need to call the API to get the ticket.
>>>>
>>>> Cheers,
>>>> Scott
>>>>
>>>>
>>>> On Tue, Oct 6, 2009 at 9:46 PM, kevin kevin <[email protected]> wrote:
>>>>
>>>>> Hi all,
>>>>> I'm a newbie and puzzled by the CAS proxy.
>>>>> the CAS server: cas-server-3.3.3
>>>>> the CAS client: cas-client-3.1.8
>>>>>
>>>>> The application flow is as below.
>>>>> Browser -> the service of Web application A -> the service of Web
>>>>> application B
>>>>>
>>>>> Both Web applications "A" and "B" are protected by CAS.
>>>>>
>>>>> The user accesses the service of Web application A with a browser.
>>>>> The service of "A" needs to access the service of "B" to get the
>>>>> data.
>>>>>
>>>>> For example:
>>>>> access the URL "http://serverA:8080/appA/serviceA",
>>>>> then serviceA gets the data from serviceB
>>>>> (http://serverB:8080/appB/serviceB).
>>>>> serviceA is a servlet and accesses service B in the servlet like this:
>>>>> ....
>>>>> URL urlB= new URL("http://serverB:8080/appB/serviceB");
>>>>>
>>>>> //then get the data from the stream
>>>>> BufferedReader br = new BufferedReader(new
>>>>> InputStreamReader(urlB.openStream(),"UTF-8"));
>>>>> ...
>>>>>
>>>>> So I think that I need the CAS proxy to correctly get the data from "B"
>>>>> in the service of "A".
>>>>>
>>>>> The problem is that I don't clearly know how to configure the web.xml
>>>>> in "A" and "B".
>>>>>
>>>>> I just put the property "proxyCallbackUrl" in "B" and put the
>>>>> property "proxyReceptorUrl" in "A".
>>>>> The value of "proxyCallbackUrl" is
>>>>> "https://serverA:8443/appA/proxy/test.jsp" and it exists in "A".
>>>>> The "test.jsp" is just an existing file and does nothing.
>>>>>
>>>>> I configured that, but it doesn't seem to work for me when accessing
>>>>> serviceA, and I can't get the data from serviceB.
>>>>> I think the main difference is in the configuration of the CAS Validation
>>>>> Filter, so I list the segment of web.xml.
>>>>> Is it right for CAS proxy? What's the difference between "A" and "B"
>>>>> when I use the CAS proxy?
>>>>>
>>>>> the web.xml of Web application "A":
>>>>>
>>>>>     <filter>
>>>>>       <filter-name>CAS Validation Filter</filter-name>
>>>>>       <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
>>>>>       <init-param>
>>>>>         <param-name>casServerUrlPrefix</param-name>
>>>>>         <param-value>https://casserver:8443/cas</param-value>
>>>>>       </init-param>
>>>>>       <init-param>
>>>>>         <param-name>serverName</param-name>
>>>>>         <param-value>http://serverA:8080</param-value>
>>>>>       </init-param>
>>>>>       <init-param>
>>>>>         <param-name>proxyReceptorUrl</param-name>
>>>>>         <param-value>/proxy/test.jsp</param-value>
>>>>>       </init-param>
>>>>>     </filter>
>>>>>
>>>>>
>>>>> the web.xml of Web application "B":
>>>>>     <filter>
>>>>>       <filter-name>CAS Validation Filter</filter-name>
>>>>>       <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
>>>>>       <init-param>
>>>>>         <param-name>casServerUrlPrefix</param-name>
>>>>>         <param-value>https://casserver:8443/cas</param-value>
>>>>>       </init-param>
>>>>>       <init-param>
>>>>>         <param-name>serverName</param-name>
>>>>>         <param-value>http://serverB:8080</param-value>
>>>>>       </init-param>
>>>>>       <init-param>
>>>>>         <param-name>acceptAnyProxy</param-name>
>>>>>         <param-value>true</param-value>
>>>>>       </init-param>
>>>>>       <init-param>
>>>>>         <param-name>proxyCallbackUrl </param-name>
>>>>>         <param-value>https://serverA:8443/appA/proxy/test.jsp</param-value>
>>>>>       </init-param>
>>>>>     </filter>
>>>>>
>>>>>
>>>>> Thanks in advance
>>>>>
>>>>> ----
>>>>> kevin
>>>>>
>>>>> --
>>>>> You are currently subscribed to [email protected] as: 
>>>>> [email protected]
>>>>> To unsubscribe, change settings or access archives, see 
>>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
