Hi Julien,

could you please disable the attributes on the server? I have the feeling that the

<cas:attribute name="fonction" value="Enseignant/D�veloppeur Web"/>

with the accent could be the problem. Please check the web server log if you have any XML parsing problems. Another helpful idea might be to check which part of the ticket validation fails even though the response is valid. The "PT not validated" is used in several places, so I can't tell from here where the validation fails. :(


Cheers,

Joachim

On 06.08.2010 19:11, Julien Cochennec wrote:
Hi, two questions for you guys :

I'm on a symfony application that needs to be a CAS proxy.
This application is http:// on port 80.
I need it to be https on port 443 to be trusted by cas server.
So we installed Nginx which is a reverse https proxy server and the
result is great! But...
I now have an https://satice3.ac-versailles.fr/ instead of
http://mysite.com/.
The authorized application in CAS is https://mysite.com/** and it is
allowed to grant tickets.

When I try to make phpCAS::proxy, I get no CAS redirection.
Worst of all, the manual link made by the CAS server is :
https://cas.mysitedomain.com/cas/login?service=http://mysite.com
In place of :
https://cas.mysitedomain.com/cas/login?service=https://mysite.com

1) Why is it so? Is it because the web server and the CAS server are on
the same network? Why http although the phpCAS script url is https?

I thought the setFixedServiceURL() Method would solve my problem, so
this code is part of my symfony filter (mysite is based on symfony) :

require_once('DB.php');
require_once('phpCAS/CAS.php');
phpCAS::setDebug('/home/web/sftice/log/phpcas.log');
$request=$this->getContext()->getRequest(); // this is a symfony-specific way to retrieve request parameters
phpCAS::proxy(CAS_VERSION_2_0,'cas.crdp.ac-versailles.fr',443,'/cas/',false);

phpCAS::setFixedServiceURL('https://'.$_SERVER['SERVER_NAME'].'/'.$request->getParameter('module').'/'.$request->getParameter('action'));

phpCAS::setPGTStorageFile('xml',session_save_path());
phpCAS::setLang('french');
phpCAS::setNoCasServerValidation();
phpCAS::forceAuthentication();

And it almost did, I finally got the redirection and put my
login/password with the right https:// service url, but then, I got that
response :

Authentication failure: PT not validated [client.php:2715]
Reason: bad response from the CAS server [client.php:2720]

You can read the whole response below.

Although Authentication succeeded, isn't that strange... So I really
feel like I'm about to make it work, but I don't understand that Nginx
problem.
I have no other way to make it https, and the fact that I got all user
Attributes (I crypted mail and telephone obviously) makes me think it's
not an SSL problem.

2) Any idea about what's wrong with this code above?


D809 .START phpCAS-1.1.2 ****************** [CAS.php:494]
D809 .=> phpCAS::proxy('2.0', 'cas.crdp.ac-versailles.fr', 443, '/cas/',
false) [sfCASRequiredFilter.class.php:28]
D809 .| => CASClient::CASClient('2.0', true,
'cas.crdp.ac-versailles.fr', 443, '/cas/', false) [CAS.php:446]
D809 .| | ST or PT 'ST-274-NWFhJtYyExOSEvLr1ez4-cas' found [client.php:676]
D809 .| <= ''
D809 .<= ''
D809 .=>
phpCAS::setFixedServiceURL('https://satice3.ac-versailles.fr/portail/index')
[sfCASRequiredFilter.class.php:29]
D809 .<= ''
D809 .=> phpCAS::setPGTStorageFile('xml', '/var/lib/php5')
[sfCASRequiredFilter.class.php:30]
D809 .| => PGTStorageFile::PGTStorageFile(CASClient::__set_state(array(
'_output_header' => '', '_output_footer' => '', '_lang' => '',
'_strings' => NULL, '_server' => array ( 'version' => '2.0', 'hostname'
=> 'cas.crdp.ac-versailles.fr', 'port' => 443, 'uri' => '/cas/', ),
'_curl_options' => array ( ), '_start_session' => false, '_user' => '',
'_attributes' => array ( ), '_cache_times_for_auth_recheck' => 0, '_st'
=> '', '_cas_server_cert' => '', '_cas_server_ca_cert' => '',
'_no_cas_server_validation' => false, '_proxy' => true, '_pgt' => '',
'_callback_mode' => false, '_callback_url' => '', '_pgt_storage' =>
NULL, '_curl_headers' => array ( ), '_pt' =>
'ST-274-NWFhJtYyExOSEvLr1ez4-cas', '_url' =>
'https://satice3.ac-versailles.fr/portail/index',)), 'xml',
'/var/lib/php5') [client.php:1937]
D809 .| | => PGTStorage::PGTStorage(CASClient::__set_state(array(
'_output_header' => '', '_output_footer' => '', '_lang' => '',
'_strings' => NULL, '_server' => array ( 'version' => '2.0', 'hostname'
=> 'cas.crdp.ac-versailles.fr', 'port' => 443, 'uri' => '/cas/', ),
'_curl_options' => array ( ), '_start_session' => false, '_user' => '',
'_attributes' => array ( ), '_cache_times_for_auth_recheck' => 0, '_st'
=> '', '_cas_server_cert' => '', '_cas_server_ca_cert' => '',
'_no_cas_server_validation' => false, '_proxy' => true, '_pgt' => '',
'_callback_mode' => false, '_callback_url' => '', '_pgt_storage' =>
NULL, '_curl_headers' => array ( ), '_pt' =>
'ST-274-NWFhJtYyExOSEvLr1ez4-cas', '_url' =>
'https://satice3.ac-versailles.fr/portail/index',))) [pgt-file.php:138]
D809 .| | <= ''
D809 .| <= ''
D809 .<= ''
D809 .=> phpCAS::setNoCasServerValidation()
[sfCASRequiredFilter.class.php:32]
D809 .<= ''
D809 .=> phpCAS::forceAuthentication() [sfCASRequiredFilter.class.php:33]
D809 .| => CASClient::forceAuthentication() [CAS.php:969]
D809 .| | => CASClient::isAuthenticated() [client.php:868]
D809 .| | | => CASClient::wasPreviouslyAuthenticated() [client.php:973]
D809 .| | | | neither user not PGT found [client.php:1091]
D809 .| | | <= false
D809 .| | | PT `ST-274-NWFhJtYyExOSEvLr1ez4-cas' is present
[client.php:1002]
D809 .| | | => CASClient::validatePT('', NULL, NULL) [client.php:1003]
D809 .| | | | => CASClient::getURL() [client.php:480]
D809 .| | | | <= 'https://satice3.ac-versailles.fr/portail/index'
D809 .| | | | =>
CASClient::readURL('https://cas.crdp.ac-versailles.fr:443/cas/proxyValidate?service=https%3A%2F%2Fsatice3.ac-versailles.fr%2Fportail%2Findex&ticket=ST-274-NWFhJtYyExOSEvLr1ez4-cas&pgtUrl=https%3A%2F%2Fsatice3.ac-versailles.fr%2Fportail%2Findex',
'', NULL, NULL, NULL) [client.php:2504]
D809 .| | | | <= true
D809 .| | | | => CASClient::authError('PT not validated',
'https://cas.crdp.ac-versailles.fr:443/cas/proxyValidate?service=https%3A%2F%2Fsatice3.ac-versailles.fr%2Fportail%2Findex&ticket=ST-274-NWFhJtYyExOSEvLr1ez4-cas&pgtUrl=https%3A%2F%2Fsatice3.ac-versailles.fr%2Fportail%2Findex',
false, true, '<cas:serviceResponse
xmlns:cas=\'http://www.yale.edu/tp/cas\'> <cas:authenticationSuccess>
<cas:user>cochennec</cas:user> <cas:attribute name="fonction"
value="Enseignant/D�veloppeur Web"/> <cas:attribute name="cn"
value="Cochennec Julien"/> <cas:attribute name="login"
value="cochennec"/> <cas:attribute name="memberof"
value="cn=SATICE_CB"/> <cas:attribute name="memberof"
value="ou=applications"/> <cas:attribute name="memberof"
value="ou=crdp"/> <cas:attribute name="memberof"
value="ou=ac-versailles"/> <cas:attribute name="memberof"
value="ou=education"/> <cas:attribute name="memberof" value="o=gouv"/>
<cas:attribute name="memberof" value="c=fr"/> <cas:attribute
name="prenom" value="Julien"/> <cas:attribute name="mob"
value="*******"/> <cas:attribute name="mail" value="***********"/>
<cas:attribute name="tel" value="*******"/> <cas:attribute name="nom"
value="Cochennec"/> </cas:authenticationSuccess></cas:serviceResponse>')
[client.php:2518]
D809 .| | | | | => CASClient::getURL() [client.php:2713]
D809 .| | | | | <= 'https://satice3.ac-versailles.fr/portail/index'
D809 .| | | | | CAS URL:
https://cas.crdp.ac-versailles.fr:443/cas/proxyValidate?service=https%3A%2F%2Fsatice3.ac-versailles.fr%2Fportail%2Findex&ticket=ST-274-NWFhJtYyExOSEvLr1ez4-cas&pgtUrl=https%3A%2F%2Fsatice3.ac-versailles.fr%2Fportail%2Findex
[client.php:2714]
D809 .| | | | | Authentication failure: PT not validated [client.php:2715]
D809 .| | | | | Reason: bad response from the CAS server [client.php:2720]
D809 .| | | | | CAS response: <cas:serviceResponse
xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>cochennec</cas:user>
<cas:attribute name="fonction" value="Enseignant/D�veloppeur Web"/>
<cas:attribute name="cn" value="Cochennec Julien"/>
<cas:attribute name="login" value="cochennec"/>
<cas:attribute name="memberof" value="cn=SATICE_CB"/>
<cas:attribute name="memberof" value="ou=applications"/>
<cas:attribute name="memberof" value="ou=crdp"/>
<cas:attribute name="memberof" value="ou=ac-versailles"/>
<cas:attribute name="memberof" value="ou=education"/>
<cas:attribute name="memberof" value="o=gouv"/>
<cas:attribute name="memberof" value="c=fr"/>
<cas:attribute name="prenom" value="Julien"/>
<cas:attribute name="mob" value="0604193102"/>
<cas:attribute name="mail" value="[email protected]"/>
<cas:attribute name="tel" value="0130429332"/>
<cas:attribute name="nom" value="Cochennec"/>
</cas:authenticationSuccess>
</cas:serviceResponse>
[client.php:2734]
D809 .| | | | | exit()
D809 .| | | | | -
D809 .| | | | -
D809 .| | | -
D809 .| | -
D809 .| -
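
The XML parsing check suggested in the reply at the top of this thread can be run outside phpCAS. This is an added example, not part of the original messages and not phpCAS code: diagnoseCasResponse() is a hypothetical helper, the sample body is constructed, and it assumes the client parses the response with PHP's libxml2-based DOM extension.

```php
<?php
/**
 * Report why a CAS validation body would fail XML parsing.
 * Returns a list of findings; an empty list means the body is well-formed.
 * (Hypothetical helper written for this example.)
 */
function diagnoseCasResponse(string $body): array
{
    $findings = [];

    // Without an encoding declaration, an XML parser treats the bytes as UTF-8.
    $declared = preg_match('/^<\?xml[^>]*encoding=["\']([^"\']+)["\']/i', $body, $m) ? $m[1] : null;
    if ($declared === null && !mb_check_encoding($body, 'UTF-8')) {
        $findings[] = 'no encoding declaration and body is not valid UTF-8';
    }

    // Parse with libxml2 and collect its errors instead of emitting PHP warnings.
    $previous = libxml_use_internal_errors(true);
    libxml_clear_errors();
    $dom = new DOMDocument();
    if (!$dom->loadXML($body, LIBXML_NONET)) {
        foreach (libxml_get_errors() as $e) {
            $findings[] = sprintf('libxml error %d at line %d: %s', $e->code, $e->line, trim($e->message));
        }
    }
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    return $findings;
}

// Constructed sample modelled on the logged response: the accented letter is the
// single ISO-8859-1 byte 0xE9 rather than the UTF-8 sequence 0xC3 0xA9.
$latin1 = "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
        . "<cas:authenticationSuccess><cas:user>jdoe</cas:user>"
        . "<cas:attribute name=\"fonction\" value=\"Enseignant/D\xE9veloppeur Web\"/>"
        . "</cas:authenticationSuccess></cas:serviceResponse>";
$utf8 = mb_convert_encoding($latin1, 'UTF-8', 'ISO-8859-1');

foreach (['latin-1 bytes' => $latin1, 'utf-8 bytes' => $utf8] as $label => $body) {
    $findings = diagnoseCasResponse($body);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'well-formed', PHP_EOL;
}
```

To test a real response, save the raw bytes returned by the proxyValidate URL to a file and pass file_get_contents() of that file to the function; copying the text out of the debug log can alter the encoding.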