On 03/11/10 16:47, Marvin Addison wrote:
>> I'm attaching TRACE log on org.jasig.
> I studied your log carefully and I see nothing that would indicate a
> server problem with attribute release.  Quite the contrary, I see all
> the right signs:
>
> 1. The service is recognized and the attributes are allowed in the
> service registry:
> 2010-10-30 12:10:42,029 TRACE
> [org.jasig.cas.services.RegisteredServiceImpl] - Entering method
> [getAllowedAttributes with arguments []
> 2010-10-30 12:10:42,029 TRACE
> [org.jasig.cas.services.RegisteredServiceImpl] - Leaving method
> [getAllowedAttributes] with return value
> [[mail,cn,telephoneNumber,givenname,sn,uid]].
>
> 2. The attributes exist in the cached principal:
> 2010-10-30 12:10:42,029 TRACE
> [org.jasig.cas.authentication.principal.SimplePrincipal] - Entering
> method [getAttributes with arguments []
> 2010-10-30 12:10:42,030 TRACE
> [org.jasig.cas.authentication.principal.SimplePrincipal] - Leaving
> method [getAttributes] with return value [{uid=user,
> [email protected], sn=Καπετανάκης, cn=Καπετανάκης Γιάννης,
> telephoneNumber=4161, givenname=Γιάννης}].
>
> 3. The SAML success response is rendered:
> 2010-10-30 12:10:42,056 TRACE
> [org.jasig.cas.web.view.Saml10SuccessResponseView] - Rendering view
> with name 'casSamlServiceSuccessView' with model
> {assertion=[principals={[[[email protected],
> attributes={authenticationMethod=org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler}]]}
> for service=https://www.example.com/cas/]} and static attributes {}
>
> I can't say for sure that the response contains a principal with the
> attributes in 2, but there is nothing to indicate the contrary.
> Without further evidence of a problem on the server, I'd recommend
> concentrating on hard evidence that the server is sending a response
> without attributes.  I'd recommend wire capture or equivalent to
> convince yourself the server response is absent attributes.  If you
> obtain such evidence, the next step will be to build a custom server
> with additional logging statements to help identify the problem.  I'll
> send you a patch to apply if we make it that far.
>
> M

Thanks Marvin.

I've installed a tcp ssl proxy listening in front of my http daemon
in order to log all traffic sent to client.

I'm posting the relevant log file indicating the SAML response without
attributes (proxy_log).

I've also put the proxy between the httpd and tomcat.
Log file is proxy2_log. No attributes there either.

I also put a sniffer on loopback between apache and tomcat
just to be sure. No attributes.

(sniffer capture on loopback, httpd -> tomcat; AJP13 frames shown decoded)
POST /cas/samlValidate HTTP/1.1
remote address: 10.0.0.1
server name: idp.example.com, port 443, SSL
Host: idp.example.com
soapaction: http://www.oasis-open.org/committees/security
cache-control: no-cache
pragma: no-cache
accept: text/xml
connection: keep-alive
content-type: text/xml
content-length: 426
query string: target=https%3a%2f%2fwww.example.com%2fcas%2f
ssl_cipher: dhe-rsa-aes256-sha
ssl_session: a3de97a7ef47537c240c830b3d3ba4fdb8cdb13b0acb60ce3434a895cd614e61

<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1"
MinorVersion="1" RequestID="_192.168.16.51.1024506224022"
IssueInstant="2002-06-19T17:03:44.022Z"><samlp:AssertionArtifact>ST-10-uSNXTpuvRIkd3PfhN4hj-cas</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Content-Language: en-US

<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><Response
xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
IssueInstant="2010-11-03T13:31:24.689Z" MajorVersion="1"
MinorVersion="1" Recipient="https://www.example.com/cas/"
ResponseID="_427a1be711627ae444276e334c08f70b"><Status><StatusCode
Value="samlp:Success"></StatusCode></Status><Assertion
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="_f0899f9b303be4045d867c90b1348f5a"
IssueInstant="2010-11-03T13:31:24.689Z" Issuer="localhost"
MajorVersion="1" MinorVersion="1"><Conditions
NotBefore="2010-11-03T13:31:24.689Z"
NotOnOrAfter="2010-11-03T13:31:54.689Z"><AudienceRestrictionCondition><Audience>https://www.example.com/cas/</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement
AuthenticationInstant="2010-11-03T13:31:24.635Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier>[email protected]</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>
(empty body chunk, then END_RESPONSE)

Giannis
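To read a samlValidate reply the same way the captures in this message are being read, here is an added example (not code from this thread or from CAS) that parses the SAML 1.1 response body and reports subject, audience and the attributes actually released. The sample bodies are constructed after the captured reply; the NameIdentifier user@example.com and the AttributeNamespace value are assumptions.

```python
import xml.etree.ElementTree as ET
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
AUDIENCE = "https://www.example.com/cas/"   # Recipient/Audience seen in the capture
# Constructed sample bodies modelled on the captured samlValidate reply (NameIdentifier assumed).
SUBJECT = ("<Subject><NameIdentifier>user@example.com</NameIdentifier><SubjectConfirmation>"
           "<ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod>"
           "</SubjectConfirmation></Subject>")
AUTHN = ('<AuthenticationStatement AuthenticationInstant="2010-11-03T13:12:42.721Z" '
         'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">'
         + SUBJECT + "</AuthenticationStatement>")
# Attributes the service registry allowed; the AttributeNamespace value is an assumption.
ATTRS = "<AttributeStatement>" + SUBJECT + "".join(
    f'<Attribute AttributeName="{n}" AttributeNamespace="http://www.ja-sig.org/products/cas/">'
    f"<AttributeValue>{v}</AttributeValue></Attribute>"
    for n, v in [("uid", "user"), ("mail", "user@example.com"), ("telephoneNumber", "4161")]
) + "</AttributeStatement>"

def envelope(statements: str) -> bytes:
    # SOAP/SAML 1.1 wrapper in the shape CAS returns from /cas/samlValidate.
    return (
        f'<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP}">'
        f'<SOAP-ENV:Header/><SOAP-ENV:Body><Response xmlns="{SAMLP}" xmlns:samlp="{SAMLP}" '
        f'MajorVersion="1" MinorVersion="1" Recipient="{AUDIENCE}" ResponseID="_r1">'
        '<Status><StatusCode Value="samlp:Success"/></Status>'
        f'<Assertion xmlns="{SAML}" AssertionID="_a1" Issuer="localhost" MajorVersion="1" '
        'MinorVersion="1" IssueInstant="2010-11-03T13:12:42.839Z"><Conditions '
        'NotBefore="2010-11-03T13:12:42.839Z" NotOnOrAfter="2010-11-03T13:13:12.839Z">'
        f"<AudienceRestrictionCondition><Audience>{AUDIENCE}</Audience>"
        "</AudienceRestrictionCondition></Conditions>" + statements +
        "</Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    ).encode()

CAPTURED = envelope(AUTHN)           # as seen on the wire: no AttributeStatement at all
EXPECTED = envelope(AUTHN + ATTRS)   # what working attribute release would have produced

def inspect_saml11_response(body: bytes, expected_audience: str) -> dict:
    # Namespace-aware walk of Envelope/Body/Response/Assertion; prefixes are never trusted.
    resp = ET.fromstring(body).find(f"{{{SOAP}}}Body/{{{SAMLP}}}Response")
    if resp is None:
        raise ValueError("no samlp:Response in SOAP body")
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    assertion = resp.find(f"{{{SAML}}}Assertion")
    result = {"status": code.get("Value") if code is not None else None,
              "subject": None, "audience_ok": False, "attributes": {}}
    if assertion is None:
        return result
    result["subject"] = assertion.findtext(f".//{{{SAML}}}NameIdentifier")
    result["audience_ok"] = expected_audience in [a.text for a in assertion.iter(f"{{{SAML}}}Audience")]
    for a in assertion.iterfind(f"{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute"):
        result["attributes"][a.get("AttributeName")] = [v.text for v in a.iterfind(f"{{{SAML}}}AttributeValue")]
    return result   # an empty "attributes" dict is exactly the symptom in this thread
```

Run it against the body taken from the proxy log instead of CAPTURED to confirm from the wire, not from server logs, that the assertion carries no AttributeStatement.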



-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
proxy_log (ssl proxy in front of httpd, 10.1.9.2:8443):
------ client.example.com:40626->10.1.9.2:8443 ------
username=user%40example.com&password=*****&lt=e1s1&_eventId=submit&submit=LOGIN
------ 10.1.9.2:8443->client.example.com:40626 ------
HTTP/1.1 302 Moved Temporarily
Date: Wed, 03 Nov 2010 13:12:42 GMT
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Set-Cookie: CASPRIVACY=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/cas
Set-Cookie: CASTGC=TGT-10-qd6dmBf64bag20Vu9wxUxbJbK4yD4YwhkD5G6gAsr3mvOXorcM-cas; Path=/cas; Secure
Location: https://www.example.com/cas/?ticket=ST-7-1iq1adiivAT4KPbtpsMZ-cas
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


--- 10.1.9.2:8443->client.example.com:40626 closed --
--- client.example.com:40626->10.1.9.2:8443 closed --
--- www.example.com:37279->10.1.9.2:8443 opened --
--- 10.1.9.2:8443->www.example.com:37279 opened --
------ www.example.com:37279->10.1.9.2:8443 ------
POST /cas/samlValidate?TARGET=https%3A%2F%2Fwww.example.com%2Fcas%2F HTTP/1.1
Host: idp.example.com
soapaction: http://www.oasis-open.org/committees/security
cache-control: no-cache
pragma: no-cache
accept: text/xml
connection: keep-alive
content-type: text/xml
Content-Length: 425

<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1"
MinorVersion="1" RequestID="_192.168.16.51.1024506224022"
IssueInstant="2002-06-19T17:03:44.022Z"><samlp:AssertionArtifact>ST-7-1iq1adiivAT4KPbtpsMZ-cas</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>
------ 10.1.9.2:8443->www.example.com:37279 ------
HTTP/1.1 200 OK
Date: Wed, 03 Nov 2010 13:12:42 GMT
Content-Type: text/xml;charset=UTF-8
Content-Language: en-US
Connection: close
Transfer-Encoding: chunked


------ 10.1.9.2:8443->www.example.com:37279 ------
5b8

------ 10.1.9.2:8443->www.example.com:37279 ------
<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><Response
xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
IssueInstant="2010-11-03T13:12:42.839Z" MajorVersion="1" MinorVersion="1"
Recipient="https://www.example.com/cas/"
ResponseID="_4a898d8ff6fe53f4f86be274e177bfb4"><Status><StatusCode
Value="samlp:Success"></StatusCode></Status><Assertion
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="_dd1a5444d46e9ea8a894d7ad3bc1f51b"
IssueInstant="2010-11-03T13:12:42.839Z" Issuer="localhost" MajorVersion="1"
MinorVersion="1"><Conditions NotBefore="2010-11-03T13:12:42.839Z"
NotOnOrAfter="2010-11-03T13:13:12.839Z"><AudienceRestrictionCondition><Audience>https://www.example.com/cas/</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement
AuthenticationInstant="2010-11-03T13:12:42.721Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier>[email protected]</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>
------ 10.1.9.2:8443->www.example.com:37279 ------


------ 10.1.9.2:8443->www.example.com:37279 ------
0


--- 10.1.9.2:8443->www.example.com:37279 closed --
--- www.example.com:37279->10.1.9.2:8443 closed --
proxy2_log (proxy between httpd and tomcat, AJP on localhost:8009; AJP13 frames shown decoded):
------ localhost.localdomain:36966->localhost:8009 ------
POST /cas/login;jsessionid=83923C4D57C5C82D49AFE32E0745CD22 HTTP/1.1
remote address: 192.168.1.1
server name: idp.example.com, port 443, SSL
Host: idp.example.com
Connection: keep-alive
Referer: https://idp.example.com/cas/login?service=https%3A%2F%2Fwww.example.com%2Fcas%2F
Content-Length: 89
Cache-Control: max-age=0
Origin: https://idp.example.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en,el-GR;q=0.8,el;q=0.6
Accept-Charset: UTF-8,*;q=0.5
Cookie: JSESSIONID=83923C4D57C5C82D49AFE32E0745CD22
query string: service=https%3a%2f%2fwww.example.com%2fcas%2f
ssl_cipher: dhe-rsa-aes256-sha
ssl_session: a75c5faef0755e3e174e56f26c90d2b22c0fa3c667fae3eff88e65ee4aefb090
ssl_key_size: 256

username=user%40example.com&password=*****&lt=e1s1&_eventId=submit&submit=LOGIN
--- localhost:8009->localhost.localdomain:36966 opened --
------ localhost:8009->localhost.localdomain:36966 ------
HTTP/1.1 302 Moved Temporarily
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Set-Cookie: CASPRIVACY=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/cas
Set-Cookie: CASTGC=TGT-12-iTcn4sijcQV0cd4vSagwcHiACNQywDM3kDEZFpWWVQpZF3x3KG-cas; Path=/cas; Secure
Location: https://www.example.com/cas/?ticket=ST-9-26bu2GN3zeKVWKI4AnPu-cas
Content-Length: 0
(END_RESPONSE, connection reusable)
--- localhost.localdomain:36972->localhost:8009 opened --
------ localhost.localdomain:36972->localhost:8009 ------
POST /cas/samlValidate HTTP/1.1
remote address: 10.0.0.1
server name: idp.example.com, port 443, SSL
Host: idp.example.com
soapaction: http://www.oasis-open.org/committees/security
cache-control: no-cache
pragma: no-cache
accept: text/xml
connection: keep-alive
content-type: text/xml
content-length: 425
query string: target=https%3a%2f%2fwww.example.com%2fcas%2f
ssl_cipher: dhe-rsa-aes256-sha
ssl_session: b6e3b5a56394c6b96da019422b3fb37eb0a4f9f58715ae727c9020b1c596c985
ssl_key_size: 256

<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1"
MinorVersion="1" RequestID="_192.168.16.51.1024506224022"
IssueInstant="2002-06-19T17:03:44.022Z"><samlp:AssertionArtifact>ST-9-26bu2GN3zeKVWKI4AnPu-cas</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>
--- localhost:8009->localhost.localdomain:36972 opened --
------ localhost:8009->localhost.localdomain:36972 ------
(GET_BODY_CHUNK: container asks for up to 8186 more body bytes)
------ localhost.localdomain:36972->localhost:8009 ------
(empty body chunk: no more request body)
------ localhost:8009->localhost.localdomain:36972 ------
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Content-Language: en-US

(SEND_BODY_CHUNK, 1464 bytes)
<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><Response
xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
IssueInstant="2010-11-03T13:26:11.018Z" MajorVersion="1" MinorVersion="1"
Recipient="https://www.example.com/cas/"
ResponseID="_4c30bdab4a04f1fe25f23cca0e7de80b"><Status><StatusCode
Value="samlp:Success"></StatusCode></Status><Assertion
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="_aac4966b482c7db8c679dac833538492"
IssueInstant="2010-11-03T13:26:11.018Z" Issuer="localhost" MajorVersion="1"
MinorVersion="1"><Conditions NotBefore="2010-11-03T13:26:11.018Z"
NotOnOrAfter="2010-11-03T13:26:41.018Z"><AudienceRestrictionCondition><Audience>https://www.example.com/cas/</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement
AuthenticationInstant="2010-11-03T13:26:10.955Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier>[email protected]</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>
(empty body chunk, then END_RESPONSE, connection reusable)
--- localhost.localdomain:36958->localhost:8009 closed --
--- localhost:8009->localhost.localdomain:36958 closed --
