Hi, two questions for you guys:

I'm on a symfony application that needs to be a CAS proxy.
This application is http:// on port 80.
I need it to be https on port 443 to be trusted by cas server.
So we installed Nginx which is a reverse https proxy server and the result is great! But... I now have an https://satice3.ac-versailles.fr/ instead of http://mysite.com/. The authorized application in CAS is https://mysite.com/** and it is allowed to grant tickets.

When I try to make phpCAS::proxy, I get no CAS redirection.
Worst of all, the manual link made by the CAS server is:
https://cas.mysitedomain.com/cas/login?service=http://mysite.com
In place of :
https://cas.mysitedomain.com/cas/login?service=https://mysite.com

1) Why is it so? Is it because the web server and the CAS server are on the same network? Why http although the phpCAS script url is https?

I thought the setFixedServiceURL() method would solve my problem, so this code is part of my symfony filter (mysite is based on symfony):

require_once('DB.php');
require_once('phpCAS/CAS.php');
phpCAS::setDebug('/home/web/sftice/log/phpcas.log');
$request=$this->getContext()->getRequest(); //this is a symfony specific way to retrieve request parameters
phpCAS::proxy(CAS_VERSION_2_0,'cas.crdp.ac-versailles.fr',443,'/cas/',false);
phpCAS::setFixedServiceURL('https://'.$_SERVER['SERVER_NAME'].'/'.$request->getParameter('module').'/'.$request->getParameter('action'));
phpCAS::setPGTStorageFile('xml',session_save_path());
phpCAS::setLang('french');
phpCAS::setNoCasServerValidation();
phpCAS::forceAuthentication();

And it almost did, I finally got the redirection and put my login/password with the right https:// service url, but then, I got that response:

Authentication failure: PT not validated [client.php:2715]
Reason: bad response from the CAS server [client.php:2720]

You can read the whole response below.

Although authentication succeeded, isn't that strange... So I really feel like I'm about to make it work, but I don't understand that Nginx problem. I have no other way to make it https, and the fact that I got all user attributes (I crypted mail and telephone obviously) makes me think it's not an SSL problem.

2) Any idea about what's wrong with this code above?


D809 .START phpCAS-1.1.2 ****************** [CAS.php:494]
D809 .=> phpCAS::proxy('2.0', 'cas.crdp.ac-versailles.fr', 443, '/cas/', false) [sfCASRequiredFilter.class.php:28]
D809 .| => CASClient::CASClient('2.0', true, 'cas.crdp.ac-versailles.fr', 443, '/cas/', false) [CAS.php:446]
D809 .| | ST or PT 'ST-274-NWFhJtYyExOSEvLr1ez4-cas' found [client.php:676]
D809 .| <= ''
D809 .<= ''
D809 .=> phpCAS::setFixedServiceURL('https://satice3.ac-versailles.fr/portail/index') [sfCASRequiredFilter.class.php:29]
D809 .<= ''
D809 .=> phpCAS::setPGTStorageFile('xml', '/var/lib/php5') [sfCASRequiredFilter.class.php:30]
D809 .| => PGTStorageFile::PGTStorageFile(CASClient::__set_state(array( '_output_header' => '', '_output_footer' => '', '_lang' => '', '_strings' => NULL, '_server' => array ( 'version' => '2.0', 'hostname' => 'cas.crdp.ac-versailles.fr', 'port' => 443, 'uri' => '/cas/', ), '_curl_options' => array ( ), '_start_session' => false, '_user' => '', '_attributes' => array ( ), '_cache_times_for_auth_recheck' => 0, '_st' => '', '_cas_server_cert' => '', '_cas_server_ca_cert' => '', '_no_cas_server_validation' => false, '_proxy' => true, '_pgt' => '', '_callback_mode' => false, '_callback_url' => '', '_pgt_storage' => NULL, '_curl_headers' => array ( ), '_pt' => 'ST-274-NWFhJtYyExOSEvLr1ez4-cas', '_url' => 'https://satice3.ac-versailles.fr/portail/index',)), 'xml', '/var/lib/php5') [client.php:1937]
D809 .| | => PGTStorage::PGTStorage(CASClient::__set_state(array( '_output_header' => '', '_output_footer' => '', '_lang' => '', '_strings' => NULL, '_server' => array ( 'version' => '2.0', 'hostname' => 'cas.crdp.ac-versailles.fr', 'port' => 443, 'uri' => '/cas/', ), '_curl_options' => array ( ), '_start_session' => false, '_user' => '', '_attributes' => array ( ), '_cache_times_for_auth_recheck' => 0, '_st' => '', '_cas_server_cert' => '', '_cas_server_ca_cert' => '', '_no_cas_server_validation' => false, '_proxy' => true, '_pgt' => '', '_callback_mode' => false, '_callback_url' => '', '_pgt_storage' => NULL, '_curl_headers' => array ( ), '_pt' => 'ST-274-NWFhJtYyExOSEvLr1ez4-cas', '_url' => 'https://satice3.ac-versailles.fr/portail/index',))) [pgt-file.php:138]
D809 .| | <= ''
D809 .| <= ''
D809 .<= ''
D809 .=> phpCAS::setNoCasServerValidation() [sfCASRequiredFilter.class.php:32]
D809 .<= ''
D809 .=> phpCAS::forceAuthentication() [sfCASRequiredFilter.class.php:33]
D809 .| => CASClient::forceAuthentication() [CAS.php:969]
D809 .| | => CASClient::isAuthenticated() [client.php:868]
D809 .| | | => CASClient::wasPreviouslyAuthenticated() [client.php:973]
D809 .| | | | neither user not PGT found [client.php:1091]
D809 .| | | <= false
D809 .| | | PT `ST-274-NWFhJtYyExOSEvLr1ez4-cas' is present [client.php:1002]
D809 .| | | => CASClient::validatePT('', NULL, NULL) [client.php:1003]
D809 .| | | | => CASClient::getURL() [client.php:480]
D809 .| | | | <= 'https://satice3.ac-versailles.fr/portail/index'
D809 .| | | | => CASClient::readURL('https://cas.crdp.ac-versailles.fr:443/cas/proxyValidate?service=https%3A%2F%2Fsatice3.ac-versailles.fr%2Fportail%2Findex&ticket=ST-274-NWFhJtYyExOSEvLr1ez4-cas&pgtUrl=https%3A%2F%2Fsatice3.ac-versailles.fr%2Fportail%2Findex', '', NULL, NULL, NULL) [client.php:2504]
D809 .| | | | <= true
D809 .| | | | => CASClient::authError('PT not validated', 'https://cas.crdp.ac-versailles.fr:443/cas/proxyValidate?service=https%3A%2F%2Fsatice3.ac-versailles.fr%2Fportail%2Findex&ticket=ST-274-NWFhJtYyExOSEvLr1ez4-cas&pgtUrl=https%3A%2F%2Fsatice3.ac-versailles.fr%2Fportail%2Findex', false, true, '<cas:serviceResponse xmlns:cas=\'http://www.yale.edu/tp/cas\'> <cas:authenticationSuccess> <cas:user>cochennec</cas:user> <cas:attribute name="fonction" value="Enseignant/D�veloppeur Web"/> <cas:attribute name="cn" value="Cochennec Julien"/> <cas:attribute name="login" value="cochennec"/> <cas:attribute name="memberof" value="cn=SATICE_CB"/> <cas:attribute name="memberof" value="ou=applications"/> <cas:attribute name="memberof" value="ou=crdp"/> <cas:attribute name="memberof" value="ou=ac-versailles"/> <cas:attribute name="memberof" value="ou=education"/> <cas:attribute name="memberof" value="o=gouv"/> <cas:attribute name="memberof" value="c=fr"/> <cas:attribute name="prenom" value="Julien"/> <cas:attribute name="mob" value="*******"/> <cas:attribute name="mail" value="***********"/> <cas:attribute name="tel" value="*******"/> <cas:attribute name="nom" value="Cochennec"/> </cas:authenticationSuccess></cas:serviceResponse>') [client.php:2518]
D809 .| | | | | => CASClient::getURL() [client.php:2713]
D809 .| | | | | <= 'https://satice3.ac-versailles.fr/portail/index'
D809 .| | | | | CAS URL: https://cas.crdp.ac-versailles.fr:443/cas/proxyValidate?service=https%3A%2F%2Fsatice3.ac-versailles.fr%2Fportail%2Findex&ticket=ST-274-NWFhJtYyExOSEvLr1ez4-cas&pgtUrl=https%3A%2F%2Fsatice3.ac-versailles.fr%2Fportail%2Findex [client.php:2714]
D809 .| | | | | Authentication failure: PT not validated [client.php:2715]
D809 .| | | | | Reason: bad response from the CAS server [client.php:2720]
D809 .| | | | | CAS response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>cochennec</cas:user>
<cas:attribute name="fonction" value="Enseignant/D�veloppeur Web"/>
<cas:attribute name="cn" value="Cochennec Julien"/>
<cas:attribute name="login" value="cochennec"/>
<cas:attribute name="memberof" value="cn=SATICE_CB"/>
<cas:attribute name="memberof" value="ou=applications"/>
<cas:attribute name="memberof" value="ou=crdp"/>
<cas:attribute name="memberof" value="ou=ac-versailles"/>
<cas:attribute name="memberof" value="ou=education"/>
<cas:attribute name="memberof" value="o=gouv"/>
<cas:attribute name="memberof" value="c=fr"/>
<cas:attribute name="prenom" value="Julien"/>
<cas:attribute name="mob" value="*******"/>
<cas:attribute name="mail" value="***********"/>
<cas:attribute name="tel" value="*******"/>
<cas:attribute name="nom" value="Cochennec"/>
</cas:authenticationSuccess>
</cas:serviceResponse>
[client.php:2734]
D809 .| | | | | exit()
D809 .| | | | | -
D809 .| | | | -
D809 .| | | -
D809 .| | -
D809 .| -
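
The log above reports "bad response from the CAS server" for a body that contains cas:authenticationSuccess, so one check worth making is whether that body is well-formed XML at all. The following is an added example, not part of the original post and not phpCAS code: the sample response is constructed, and the "\xE9" byte is an assumption about what the character shown as "�" in the log originally was.

```php
<?php
// Added example, not phpCAS code. The sample is constructed from the shape of the
// logged response; "\xE9" is an ASSUMPTION about the byte archived as "�".
$latin1 = "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
        . "<cas:authenticationSuccess><cas:user>jdoe</cas:user>"
        . "<cas:attribute name=\"fonction\" value=\"Enseignant/D\xE9veloppeur Web\"/>"
        . "</cas:authenticationSuccess></cas:serviceResponse>";
$utf8 = str_replace("\xE9", "\xC3\xA9", $latin1);   // same document, UTF-8 encoded

function inspectCasResponse(string $xml): array
{
    $report = [
        'valid_utf8'  => preg_match('//u', $xml) === 1,  // fails on stray Latin-1 bytes
        'well_formed' => false, 'errors' => [],
        'success'     => false, 'user' => null, 'pgt_iou' => null,
    ];
    $previous = libxml_use_internal_errors(true);        // collect errors, no warnings
    $dom = new DOMDocument();
    $loaded = $dom->loadXML($xml, LIBXML_NONET);         // no network access while parsing
    foreach (libxml_get_errors() as $error) {
        $report['errors'][] = trim($error->message);
    }
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$loaded) {
        return $report;                                  // parser rejected the document
    }
    $report['well_formed'] = true;

    $xpath = new DOMXPath($dom);
    $xpath->registerNamespace('cas', 'http://www.yale.edu/tp/cas');
    $base = '/cas:serviceResponse/cas:authenticationSuccess';
    $report['success'] = $xpath->query($base)->length === 1;
    $user = $xpath->query("$base/cas:user")->item(0);
    $pgt  = $xpath->query("$base/cas:proxyGrantingTicket")->item(0);
    $report['user']    = $user ? trim($user->textContent) : null;
    $report['pgt_iou'] = $pgt ? trim($pgt->textContent) : null;
    return $report;
}

foreach (['latin1' => $latin1, 'utf8' => $utf8] as $label => $xml) {
    echo $label, ': ', json_encode(inspectCasResponse($xml)), "\n";
}
```

A response with no XML encoding declaration is parsed as UTF-8, so a single Latin-1 byte in an attribute value is enough for the parser to reject the whole document. The report also shows whether a cas:proxyGrantingTicket element came back, which the response in the log does not contain.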

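
The backend behind Nginx only sees plain HTTP on port 80, so any service URL derived from the request's own scheme comes out as http://. The following is an added example, not part of the original post and not phpCAS or Symfony code, of building the value passed to setFixedServiceURL() from a forwarded-scheme header that is believed only when the request comes from the proxy; the function name casServiceUrl, the proxy address, the host allow-list and the X-Forwarded-Proto header setting are assumptions.

```php
<?php
// Added example, not phpCAS or Symfony code. The proxy address and host list
// below are assumptions; replace them with your own deployment values.
const TRUSTED_PROXIES = ['127.0.0.1'];                 // assumed: nginx on the same host
const ALLOWED_HOSTS   = ['satice3.ac-versailles.fr'];  // hosts registered with the CAS server

function casServiceUrl(array $server, array $segments): string
{
    // Forwarded headers are only believed when the TCP peer is the proxy itself.
    $fromProxy = in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true);

    // The backend sees plain HTTP on port 80, so $_SERVER['HTTPS'] is unset there.
    $https = !in_array(strtolower($server['HTTPS'] ?? 'off'), ['', 'off'], true);
    if (!$https && $fromProxy) {
        // Assumes nginx sets: proxy_set_header X-Forwarded-Proto $scheme;
        $https = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
    }
    if (!$https) {
        throw new RuntimeException('request did not arrive over HTTPS via the trusted proxy');
    }

    // Never copy a client-supplied Host header into the service URL unchecked.
    $host = preg_replace('/:\d+$/', '', strtolower($server['HTTP_HOST'] ?? ''));
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        $host = ALLOWED_HOSTS[0];
    }

    // Encode each path segment so request parameters cannot add a query or authority.
    $path = implode('/', array_map('rawurlencode', $segments));
    return 'https://' . $host . '/' . $path;
}

// Constructed request as the backend sees it behind the TLS-terminating proxy.
$behindProxy = [
    'REMOTE_ADDR' => '127.0.0.1', 'HTTP_HOST' => 'satice3.ac-versailles.fr',
    'HTTP_X_FORWARDED_PROTO' => 'https',
];
echo casServiceUrl($behindProxy, ['portail', 'index']), "\n";
// In the filter: phpCAS::setFixedServiceURL(casServiceUrl($_SERVER, [$module, $action]));

// Constructed direct request that forges the header: rejected.
$forged = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_HOST' => 'evil.example',
           'HTTP_X_FORWARDED_PROTO' => 'https'];
try {
    casServiceUrl($forged, ['portail', 'index']);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```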