Hi Scott,
I'm not sure I actually understand what you mean. In my example, there
was no url to call back, as I was trying to invoke the logout entrypoint
directly from the browser. The same however happens when I do logout
from an application (hence providing a callback url). I haven't said it
doesn't work: it logs out, it always did, but I can see from the server
logs that I get that exception and was trying to discover what's going on.
I'm probably missing something in here wrt cas/certificate issues, but I
can't find extensive documentation on this. Could you please give me
pointers to CAS documentation?
Thanks,
Giuseppe
Scott Battaglia wrote:
On Wed, Jan 20, 2010 at 9:21 AM, Giuseppe Sollazzo <[email protected]> wrote:
Maybe I'm missing something here so forgive my possibly stupid
issue :-)
I'm actually calling the logout entrypoint directly from the
browser, to test it, entering
https://myserver/cas-server-webapp-3.3.3/logout. There's no
application involved. Isn't it supposed to work anyway?
Who ever said it didn't work? Part of the process is calling BACK to
your applications programmatically to let them know the session
ended. CAS doesn't trust the application endpoint when it's trying to
call back (i.e. you're using a self-signed certificate).
Giuseppe
Scott Battaglia wrote:
What you're seeing is CAS trying to call back to your services
to let them know that the CAS session ended. One of the
endpoints for your applications has a certificate that
disagrees with CAS :-)
On Wed, Jan 20, 2010 at 6:07 AM, Giuseppe Sollazzo <[email protected]> wrote:
Hi everyone,
I've got a seemingly working install of CAS on Moodle now, after
solving some issues with phpCAS.
Nonetheless I get an exception when using logout from CAS,
invoking https://myserver/cas-server-webapp-3.3.3/logout
I guess this is related to using
phpCAS::setNoCasServerValidation()?
Thanks,
Giuseppe
2010-01-20 10:55:49,626 ERROR [org.jasig.cas.util.HttpClient] - <javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path>
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.followRedirect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at org.jasig.cas.util.HttpClient$MessageSender.call(HttpClient.java:200)
    at org.jasig.cas.util.HttpClient$MessageSender.call(HttpClient.java:160)
    at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path
    at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
    at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 20 more
Caused by: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
    at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
    at java.security.cert.CertPathValidator.validate(Unknown Source)
    ... 27 more
-- Giuseppe Sollazzo
Systems Developer / Administrator
Computing Services
St. George's, University of London
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
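
The "pathLenConstraint violated" failure in the log above can be reproduced offline, which helps when checking a service endpoint's chain before CAS calls back to it. This is an added example, not part of the original thread or of CAS: the lab CA names, file names and the helpers `issue` and `verify_chain` are made up, and OpenSSL stands in for the Java PKIX validator that raised the exception.

```sh
#!/bin/sh
# Constructed lab PKI (all names made up):
#   root -> issuing CA (pathlen:0) -> sub CA -> app-bad   (one CA too many)
#   root -> issuing CA (pathlen:0) -> app-ok              (valid)
pki_dir=$(mktemp -d)

cat > "$pki_dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[root]
basicConstraints = critical,CA:TRUE
[issuing]
basicConstraints = critical,CA:TRUE,pathlen:0
[sub]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF

# issue NAME EXT_SECTION SIGNER: new key and cert for NAME, signed by SIGNER
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$pki_dir/ext.cnf" \
    -subj "/CN=lab-$1" -keyout "$pki_dir/$1.key" -out "$pki_dir/$1.csr" 2>/dev/null
  openssl x509 -req -in "$pki_dir/$1.csr" -days 2 \
    -CA "$pki_dir/$3.pem" -CAkey "$pki_dir/$3.key" -CAcreateserial \
    -extfile "$pki_dir/ext.cnf" -extensions "$2" -out "$pki_dir/$1.pem" 2>/dev/null
}

# verify_chain LEAF CA...: validate LEAF against the lab root, offering the
# listed CA certs as untrusted intermediates (what the server would send)
verify_chain() {
  leaf=$1; shift
  : > "$pki_dir/chain.pem"
  for ca in "$@"; do cat "$pki_dir/$ca.pem" >> "$pki_dir/chain.pem"; done
  openssl verify -CAfile "$pki_dir/root.pem" -untrusted "$pki_dir/chain.pem" \
    "$pki_dir/$leaf.pem" 2>&1
}

openssl req -x509 -newkey rsa:2048 -nodes -config "$pki_dir/ext.cnf" \
  -extensions root -subj "/CN=lab-root" -days 2 \
  -keyout "$pki_dir/root.key" -out "$pki_dir/root.pem" 2>/dev/null
issue issuing issuing root
issue sub     sub     issuing
issue app-ok  leaf    issuing
issue app-bad leaf    sub

verify_chain app-ok issuing                                # accepted
verify_chain app-bad issuing sub || echo "chain rejected"  # pathlen:0 exceeded
```

For a real endpoint, `openssl s_client -connect HOST:443 -showcerts` prints the chain the server presents, and `openssl x509 -noout -text` on each certificate shows its Basic Constraints.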