On Thu, Jan 21, 2010 at 4:43 AM, Giuseppe Sollazzo <[email protected]> wrote:
Hi Scott,
I'm not sure I actually understand what you mean. In my example,
there was no URL to call back, as I was trying to invoke the logout
entrypoint directly from the browser.

Yes, and as I've said, the logout process calls back to your
applications programmatically to let them know that the session has
ended. It happens on the server side. It's single sign out.

The same however happens when I do logout from an application
(hence providing a callback URL). I haven't said it doesn't work:
it logs out, it always did, but I can see from the server logs
that I get that exception and was trying to discover what's going on.

That callback is different than what I am talking about. The error
you are seeing is because CAS is trying to notify the application that
the session ended and CAS does not trust the certificate of the
application it's trying to notify. It does this notification via back
channels.

I'm probably missing something in here wrt CAS/certificate issues,
but I can't find extensive documentation on this. Could you please
give me pointers to CAS documentation?
Thanks,
Giuseppe
Scott Battaglia wrote:
On Wed, Jan 20, 2010 at 9:21 AM, Giuseppe Sollazzo <[email protected]> wrote:

Maybe I'm missing something here so forgive my possibly stupid
issue :-)
I'm actually calling the logout entrypoint directly from the
browser, to test it, entering
https://myserver/cas-server-webapp-3.3.3/logout. There's no
application involved. Isn't it supposed to work anyway?

Whoever said it didn't work? Part of the process is calling
BACK to your applications programmatically to let them know
the session ended. CAS doesn't trust the application endpoint
when it's trying to call back (i.e. you're using a self-signed
certificate).

Giuseppe

Scott Battaglia wrote:

What you're seeing is CAS trying to call back to your services
to let them know that the CAS session ended. One of the
endpoints for your applications has a certificate that
disagrees with CAS :-)
On Wed, Jan 20, 2010 at 6:07 AM, Giuseppe Sollazzo <[email protected]> wrote:

Hi everyone,
I've got a seemingly working install of CAS on Moodle now, after
solving some issues with phpCAS.
Nonetheless I get an exception when using logout from CAS,
invoking https://myserver/cas-server-webapp-3.3.3/logout
I guess this is related to using phpCAS::setNoCasServerValidation()?
Thanks,
Giuseppe

2010-01-20 10:55:49,626 ERROR [org.jasig.cas.util.HttpClient] - <javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path>
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.followRedirect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at org.jasig.cas.util.HttpClient$MessageSender.call(HttpClient.java:200)
    at org.jasig.cas.util.HttpClient$MessageSender.call(HttpClient.java:160)
    at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path
    at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
    at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 20 more
Caused by: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
    at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
    at java.security.cert.CertPathValidator.validate(Unknown Source)
    ... 27 more

-- Giuseppe Sollazzo
Systems Developer / Administrator
Computing Services
St. George's, University of London
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
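
The `pathLenConstraint violated` exception in the log above is raised by the JDK's PKIX validator when CAS opens the back-channel HTTPS connection to a service. The following is an added example, not part of the original thread and not CAS code: it replays that validation offline against a certificate chain exported from the service endpoint and prints each certificate's basicConstraints, so the certificate the validator rejects can be identified. The class name, the file names and the argument order are assumptions, and the PEM file is assumed to contain only certificate blocks, server certificate first.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Added diagnostic, not CAS code. Usage (file names are placeholders):
//   java ChainCheck service-chain.pem truststore.jks <truststore-password>
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // Chain in the order the service endpoint presents it: server certificate first.
        List<Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            chain.addAll(cf.generateCertificates(in));
        }
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate c = (X509Certificate) chain.get(i);
            int bc = c.getBasicConstraints(); // -1: not a CA; Integer.MAX_VALUE: CA, no limit
            String kind = bc == -1 ? "not a CA"
                    : bc == Integer.MAX_VALUE ? "CA, no pathLen limit" : "CA, pathLen=" + bc;
            System.out.printf("[%d] %s%n    issuer: %s%n    basicConstraints: %s%n",
                    i, c.getSubjectX500Principal(), c.getIssuerX500Principal(), kind);
        }

        // Trust anchors: the truststore used by the JVM that runs CAS.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            trust.load(in, args[2].toCharArray());
        }
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // revocation is out of scope for this check

        CertPath path = cf.generateCertPath(chain);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("Path validates against " + args[1]);
        } catch (CertPathValidatorException e) {
            // getIndex() is the position in the chain of the certificate that failed.
            System.out.println("Validation failed at [" + e.getIndex() + "]: " + e.getMessage());
        }
    }
}
```

A certificate that issues another certificate in the chain must be marked as a CA and must not exceed any pathLen limit set above it; the index printed on failure points at the certificate to reissue or replace.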