On Thu, Jan 21, 2010 at 4:43 AM, Giuseppe Sollazzo <[email protected]> wrote:

> Hi Scott,
> I'm not sure I actually understand what you mean. In my example, there was
> no url to call back, as I was trying to invoke the logout entrypoint directly
> from the browser.


Yes, and as I've said the logout process calls back to your applications
programmatically to let them know that the session has ended.  It happens on
the server side.  It's single sign out.



> The same however happens when I do logout from an application (hence
> providing a callback url). I haven't said it doesn't work: it logs out, it
> always did, but I can see from the server logs that I get that exception and
> was trying to discover what's going on.
>

That callback is different than what I am talking about.  The error you are
seeing is because CAS is trying to notify the application that the session
ended and CAS does not trust the certificate of the application it's trying
to notify.  It does this notification via back channels.





> I'm probably missing something in here wrt cas/certificate issues, but I
> can't find extensive documentation on this. Could you please give me
> pointers to CAS documentation?
> Thanks,
> Giuseppe
>
> Scott Battaglia wrote:
>
>> On Wed, Jan 20, 2010 at 9:21 AM, Giuseppe Sollazzo <[email protected]> wrote:
>>
>>    Maybe I'm missing something here so forgive my possibly stupid
>>    issue :-)
>>
>>    I'm actually calling the logout entrypoint directly from the
>>    browser, to test it, entering
>>    https://myserver/cas-server-webapp-3.3.3/logout. There's no
>>    application involved. Isn't it supposed to work anyway?
>>
>>
>> Whoever said it didn't work?  Part of the process is calling BACK to your
>> applications programmatically to let them know the session ended.  CAS
>> doesn't trust the application endpoint when it's trying to call back (i.e.
>> you're using a self-signed certificate).
>>
>>
>>
>>    Giuseppe
>>
>>    Scott Battaglia wrote:
>>
>>        What you're seeing is CAS trying to call back to your services
>>        to let them know that the CAS session ended.  One of the
>>        endpoints for your applications has a certificate that
>>        disagrees with CAS :-)
>>
>>
>>
>>        On Wed, Jan 20, 2010 at 6:07 AM, Giuseppe Sollazzo
>>        <[email protected]> wrote:
>>
>>           Hi everyone,
>>           I've got a seemingly working install of CAS on Moodle now, after
>>           solving some issues with phpCAS.
>>           Nonetheless I get an exception when using logout from CAS,
>>           invoking https://myserver/cas-server-webapp-3.3.3/logout
>>
>>           I guess this is related to using phpCAS::setNoCasServerValidation()?
>>
>>           Thanks,
>>           Giuseppe
>>
>>           2010-01-20 10:55:49,626 ERROR [org.jasig.cas.util.HttpClient] - <javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path>
>>           javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path
>>             at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>>             at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>>             at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>>             at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>>             at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>>             at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>>             at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>>             at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>>             at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>>             at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>>             at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>>             at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>>             at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>>             at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>>             at sun.net.www.protocol.http.HttpURLConnection.followRedirect(Unknown Source)
>>             at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>>             at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>>             at org.jasig.cas.util.HttpClient$MessageSender.call(HttpClient.java:200)
>>             at org.jasig.cas.util.HttpClient$MessageSender.call(HttpClient.java:160)
>>             at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
>>             at java.util.concurrent.FutureTask.run(Unknown Source)
>>             at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
>>             at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>>             at java.lang.Thread.run(Unknown Source)
>>           Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path
>>             at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
>>             at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
>>             at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>>             at sun.security.validator.Validator.validate(Unknown Source)
>>             at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
>>             at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>>             at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>>             ... 20 more
>>           Caused by: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path
>>             at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
>>             at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
>>             at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
>>             at java.security.cert.CertPathValidator.validate(Unknown Source)
>>             ... 27 more
>>
>>           --
>>           Giuseppe Sollazzo
>>           Systems Developer / Administrator
>>
>>           Computing Services
>>           St. George's, University of London
>>
>>
>>           --
>>           You are currently subscribed to [email protected] as: [email protected]
>>
>>           To unsubscribe, change settings or access archives, see
>>           http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>>
>>
>>
>>
>>    --
>>    Giuseppe Sollazzo
>>    Systems Developer / Administrator
>>
>>    Computing Services
>>    St. George's, University of London
>>
>>
>>
>>
>>
>
>
> --
> Giuseppe Sollazzo
> Systems Developer / Administrator
>
> Computing Services
> St. George's, University of London
>
>
>
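
The exception in the quoted log comes from the basicConstraints path-length rule that PKIX validation applies to every certificate in a path except the last one (RFC 5280, section 6.1.4). As an added example, not part of the thread and not CAS or JDK code, the following Python applies that rule to constructed chains; the `Cert` class, the certificate names and the chains are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False              # basicConstraints cA flag
    path_len: Optional[int] = None   # basicConstraints pathLenConstraint

    @property
    def self_issued(self) -> bool:
        return self.subject == self.issuer


def check_path_length(path: List[Cert]) -> Optional[str]:
    """Apply RFC 5280 section 6.1.4 steps (k)-(m) to a path ordered from the
    certificate issued by the trust anchor down to the end entity.
    Returns None if the path passes, else a reason naming the failing cert."""
    max_path_length = len(path)       # initial value per section 6.1.2
    for cert in path[:-1]:            # every certificate except the last
        if not cert.is_ca:
            return f"{cert.subject}: not a CA but issues another certificate"
        if not cert.self_issued:      # self-issued certs do not consume length
            if max_path_length <= 0:
                return f"{cert.subject}: pathLenConstraint violated"
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return None


# Constructed sample chains (names are placeholders, not from the thread).
LEAF = Cert("app.example.test", "Lab Issuing CA")
OK_CHAIN = [Cert("Lab Issuing CA", "Lab Root", True, 0), LEAF]
BAD_CHAIN = [Cert("Lab Policy CA", "Lab Root", True, 0),
             Cert("Lab Issuing CA", "Lab Policy CA", True), LEAF]
ROLLOVER_CHAIN = [Cert("Lab Policy CA", "Lab Root", True, 0),
                  Cert("Lab Policy CA", "Lab Policy CA", True),
                  Cert("app.example.test", "Lab Policy CA")]

if __name__ == "__main__":
    for name, chain in [("ok", OK_CHAIN), ("bad", BAD_CHAIN),
                        ("rollover", ROLLOVER_CHAIN)]:
        print(name, "->", check_path_length(chain) or "path accepted")
```

In the failing chain the certificate named in the result is the one that would have to be the last in the path, which is how the Java message in the log is worded.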

