Ok..
This is the relevant portion of the log concerning that class:
2010-04-13 09:45:42,448 DEBUG
[org.springframework.webflow.engine.ActionExecutor] - Executing
[annotatedact...@1cfd7c targetActi
on =
org.jasig.cas.support.spnego.web.flow.spnegonegociatecredentialsact...@6f45d7f2,
attributes = map[[empty]]] in state 'start
in-webflow'
2010-04-13 09:45:42,448 DEBUG
[org.springframework.webflow.engine.ActionExecutor] - Executing
[annotatedact...@1cfd7c targetActi
on =
org.jasig.cas.support.spnego.web.flow.spnegonegociatecredentialsact...@6f45d7f2,
attributes = map[[empty]]] in state 'start
Authenticate' of flow 'login-webflow'
2010-04-13 09:45:42,449 DEBUG
[org.springframework.webflow.engine.impl.RequestControlContextImpl] -
Signaling event 'success' in
state 'startAuthenticate' of flow 'login-webflow'
2010-04-13 09:45:42,449 DEBUG
[org.springframework.webflow.engine.Transition] - Executing
[transit...@526489f0 on = [eventId = '
success'], to = spnego] out of state 'startAuthenticate'
2010-04-13 09:45:42,449 DEBUG
[org.springframework.webflow.engine.ActionState] - Entering state 'spnego'
of flow 'login-webflow'
2010-04-13 09:45:42,449 DEBUG
[org.springframework.webflow.engine.ActionExecutor] - Executing
[annotatedact...@469c15d2 targetAc
tion =
org.jasig.cas.support.spnego.web.flow.spnegocredentialsact...@315cb235,
attributes = map[[empty]]] in state 'spnego' of f
low 'login-webflow'
2010-04-13 09:45:42,449 DEBUG
[org.springframework.webflow.engine.impl.RequestControlContextImpl] -
Signaling event 'error' in s
tate 'spnego' of flow 'login-webflow'
2010-04-13 09:45:42,449 DEBUG
[org.springframework.webflow.engine.Transition] - Executing
[transit...@3cb7cee4 on = [eventId = 'error'], to = viewLoginForm] out of
state 'spnego'
2010-04-13 09:45:42,449 DEBUG [org.springframework.webflow.engine.ViewState]
- Entering state 'viewLoginForm' of flow 'login-webflow'
2010-04-13 09:45:42,449 DEBUG
[org.springframework.webflow.engine.ActionExecutor] - Executing
[annotatedact...@476ff9e0 targetAction =
org.jasig.cas.web.flow.authenticationviaformact...@87e05c4, attributes =
map['method' -> 'setupForm']] in state 'viewLoginForm' of flow
'login-webflow'
2010-04-13 09:45:42,458 DEBUG
[org.springframework.webflow.engine.ActionExecutor] - Executing
[annotatedact...@32db4c8d targetAction =
org.jasig.cas.web.flow.authenticationviaformact...@87e05c4, attributes =
map['method' -> 'referenceData']] in state 'viewLoginForm' of flow
'login-webflow'
... the only thing I see is the error assertion in the spnego state of the
flow.
I don't have a "jcifs" bean... but rather a "jcifsConfig" bean defined... as
follows:
<bean name="jcifsConfig"
class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
<property name="jcifsServicePrincipal"
value="HTTP/[email protected]" />
<property name="jcifsServicePassword" value="********" />
<property name="kerberosDebug" value="true" />
<property name="kerberosRealm" value="REALM.FOO.BAR" />
<property name="kerberosKdc" value="xxx.xxx.xxx.xxx" />
<property name="kerberosConf" value="/etc/krb5.conf" />
<property name="loginConf" value="/WEB-INF/login.conf" />
</bean>
Which is why I thought I had kerberos debugging turned on... but given you
assertion that it might be moot since the kerberos exchange might not be
happening... I think that's where I'm sitting. However, I'll try turning on
the krb5 debugging in tomcat.
Thoughts?
-Andy
On Tue, Apr 13, 2010 at 10:23 AM, William Markmann <
[email protected]> wrote:
> When you hit the protected URL of your webapp, you should be redirected to
> CAS. It will try to pick up your identity in the class
> cas.support.spnego.web.flow.SpnegoCredentialsAction
> -- are you seeing logging output from that class? That's where you'll want
> to start looking. When an actual Kerberos exchange takes place, if you have
> Kerberos debugging on, it will spit out a bunch of useful info. Getting
> THAT debugging info varies from server to server. In Tomcat, I'd check a
> couple things:
>
> - look at */WEB-INF/deployerConfigContext.xml*... You should have a
> 'jcifs' bean defined; make sure that you set a property there like:
>
> <property name="kerberosDebug" value="true" />
>
> - in Tomcat's startup, you can also set (in your JAVA_OPTS):
>
> -Dsun.security.krb5.debug=true
>
> ...but this setting might vary depending on the security manager; I think
> I've set that in the past and it dumps the Kerberos exchange debugging to
> stdout or stderr. Let me know if neither of those works, and I'll dig
> around a little more to see how I got debugging working in the past. The
> problem that I've run into several times is that a Kerberos exchange isn't
> taking place at all, making the Kerberos debugging a moot point (you can
> tell that from the logging output of SpnegoCredentialsAction, described
> above -- that why I suggest starting there).
>
> - Bill
>
> On Tue, Apr 13, 2010 at 11:05 AM, Andy Speagle <[email protected]> wrote:
>
>> Hi Bill,
>>
>> Ok, well... at least I had a good understanding of the webapp logging
>> configuration. This was already done. But yes, I'm trying to get the
>> spnego/kerberos logging information. I can't seem to reason that out. I'm
>> using tomcat5 on RHEL5. I appreciate the assist.
>>
>> -Andy
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>>
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>
>
>
> --
> Bill Markmann
>
> Counterpoint Consulting, Inc.
> (p) 571-338-2455
> (f) 202-403-3425
> (e) [email protected]
> (w) http://www.counterpointconsulting.com/
>
> --
>
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
