One more question about the response So, I performed all of the steps described in the documentation: https://wiki.jasig.org/display/CASUM/ClearPass
I tested the proxy ticket against the clearPass url but I'm still receiving the following response: <cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:clearPassFailure>No authentication information provided.</cas:clearPassFailure> </cas:clearPassResponse> Below is what I used in the url after I logged into my uPortal instance, is this the correct? https://servername/cas/clearPass?pgt=TGT-2-ablahblah-servername&service=https%3A%2F%2Fservernane%2Fcas%2FclearPass Here's a sample of my access log: "POST /cas/login?service=https://servername/uPortal/Login HTTP/1.1" 302 - "GET /uPortal/CasProxyServlet HTTP/1.1" 200 - "GET /uPortal/CasProxyServlet?pgtIou=PGTIOU-1-yaddayadda-servername&pgtId=TGT-2-ablahblah-servername HTTP/1.1" 200 98 "GET /cas/proxyValidate?pgtUrl=https%3A%2F%2Fservername%2FuPortal%2FCasProxyServlet&ticket=ST-1-COLAgdfgdggdgdg-servername&service=https%3A%2F%2Fservername%2FuPortal%2FLogin HTTP/1.1" 200 287 "GET /uPortal/Login?ticket=ST-1-COLAgdfgdggdgdg-servernameHTTP/1.1" 302 - "GET /cas/proxy?pgt=TGT-2-ablahblah-servername&targetService=https%3A%2F%2Fservername%2Fcas%2FclearPass HTTP/1.1" 200 215 "GET /cas/proxyValidate?ticket=ST-2-sdadadad-servername&service=https%3A%2F%2Fservername%2Fcas%2FclearPass HTTP/1.1" 200 297 "GET /cas/clearPass?ticket=ST-2-sdadadad-servername HTTP/1.1" 200 182 I'm not sure what else I should be looking at for troubleshooting purposes. Thanks Again, Laura On 11/18/10 11:06 AM, Laura McCord wrote: > UGH!!! I could just kick myself. I found this in my localhost > logs.... Apparently, my service that I entered in cas/services for > uPortal wasn't right because once I just let everything have access, > it worked. So, I guess I just need to fix the service url string for > uPortal and it should work. Thanks. > > Nov 18, 2010 10:56:19 AM org.apache.catalina.core.StandardWrapperValve > invoke > SEVERE: Servlet.service() for servlet cas threw exception > org.jasig.cas.services.UnauthorizedServiceException: > service.not.authorized > at > org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket_aroundBody2(CentralAuthenticationServiceImpl.java:190) > at > org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket_aroundBody3$advice(CentralAuthenticationServiceImpl.java:44) > at > org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket(CentralAuthenticationServiceImpl.java:1) > at > org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket_aroundBody4(CentralAuthenticationServiceImpl.java:244) > at > org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket_aroundBody5$advice(CentralAuthenticationServiceImpl.java:44) > at > org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket(CentralAuthenticationServiceImpl.java:1) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) > at java.lang.reflect.Method.invoke(Method.java:597) > at > org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307) > at > org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) > at > org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) > at > org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80) > at > org.perf4j.aop.AbstractTimingAspect.doPerfLogging(AbstractTimingAspect.java:71) > at sun.reflect.GeneratedMethodAccessor178.invoke(Unknown Source) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) > at java.lang.reflect.Method.invoke(Method.java:597) > at > org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:622) > at > org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:611) > at > org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65) > at > org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161) > at > org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108) > at > org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) > at > org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89) > at > org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) > at > org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202) > at $Proxy128.grantServiceTicket(Unknown Source) > at > org.jasig.cas.web.ProxyController.handleRequestInternal(ProxyController.java:72) > at > org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153) > at > org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48) > > > > On 11/18/10 10:43 AM, Scott Battaglia wrote: >> If you're getting a response code of 500 for /proxy then there should >> be a corresponding error on the server side. >> >> >> >> On Thu, Nov 18, 2010 at 11:40 AM, Laura McCord >> <[email protected] <mailto:[email protected]>> wrote: >> >> Nevermind... I'm STILL having a problem with getting the >> clearPass intergrated with uPortal 3.2.2. The specs are listed in >> my original email. NO accounts can get past the guest layout of >> my uportal instance. The problem seems to be stemming from the >> PasswordCachingCasAssertionSecurityContext because if I replace >> it back with the original cas context in my security.properties >> file it works fine. >> >> I'm receiving the following errors: >> >> ERROR [TP-Processor13] Nov/18 10:23:58,641 >> provider.UnionSecurityContext.[] - Exception authenticating >> subcontext >> >> org.jasig.cas3.extensions.clearpass.integration.uportal.PasswordCachingCasAssertionSecurityContext >> assertion:org.jasig.cas.client.validation.assertioni...@427a9f36 >> java.lang.RuntimeException: java.io.IOException: Server returned >> HTTP response code: 500 for URL: >> >> https://my-server/cas/proxy?pgt=TGT-2-gdHkBVgLhvri9QTzucfTAfKURJtcp3HK5geQE31TwizFqcGkOt-my-server&targetService=https%3A%2F%2Fmy-server%2Fcas%2FclearPass >> >> <https://my-server/cas/proxy?pgt=TGT-2-gdHkBVgLhvri9QTzucfTAfKURJtcp3HK5geQE31TwizFqcGkOt-my-server&targetService=https%3A%2F%2Fmy-server%2Fcas%2FclearPass> >> at >> >> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:322) >> at >> >> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:285) >> at >> >> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:338) >> at >> >> org.jasig.cas.client.proxy.Cas20ProxyRetriever.getProxyTicketIdFor(Cas20ProxyRetriever.java:65) >> at >> >> org.jasig.cas.client.authentication.AttributePrincipalImpl.getProxyTicketFor(AttributePrincipalImpl.java:87) >> at >> >> org.jasig.cas3.extensions.clearpass.integration.uportal.PasswordCachingCasAssertionSecurityContext.postAuthenticate(PasswordCachingCasAssertionSecurityContext.java:49) >> at >> >> org.jasig.portal.security.provider.cas.CasAssertionSecurityContext.authenticate(CasAssertionSecurityContext.java:68) >> at >> >> org.jasig.portal.security.provider.ChainingSecurityContext.authenticate(ChainingSecurityContext.java:105) >> at >> >> org.jasig.portal.security.provider.UnionSecurityContext.authenticate(UnionSecurityContext.java:47) >> at >> >> org.jasig.portal.services.Authentication.authenticate(Authentication.java:98) >> at org.jasig.portal.LoginServlet.service(LoginServlet.java:210) >> .... >> Caused by: java.io.IOException: Server returned HTTP response >> code: 500 for URL: >> >> https://my-server/cas/proxy?pgt=TGT-4-KsBFUIPXEfcktwcZbyr6JNQljfRIXyYqyVUkcrsb3itrIUuPGn-my-server&targetService=https%3A%2F%2Fmy-server%2Fcas%2FclearPass >> >> <https://my-server/cas/proxy?pgt=TGT-4-KsBFUIPXEfcktwcZbyr6JNQljfRIXyYqyVUkcrsb3itrIUuPGn-my-server&targetService=https%3A%2F%2Fmy-server%2Fcas%2FclearPass> >> at >> >> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1313) >> at >> >> com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getInputStream(HttpsURLConnectionOldImpl.java:204) >> at >> >> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305) >> ... 46 more >> ERROR [TP-Processor18] Nov/18 10:33:57,641 portal.LoginServlet.[] >> - Exception authenticating the request >> org.jasig.portal.security.PortalSecurityException: One of the >> security subcontexts threw an exception >> at >> >> org.jasig.portal.security.provider.ChainingSecurityContext.authenticate(ChainingSecurityContext.java:123) >> at >> >> org.jasig.portal.security.provider.UnionSecurityContext.authenticate(UnionSecurityContext.java:47) >> at >> >> org.jasig.portal.services.Authentication.authenticate(Authentication.java:98) >> at org.jasig.portal.LoginServlet.service(LoginServlet.java:210) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) >> at >> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) >> at >> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> at >> >> org.jasig.services.persondir.support.web.RequestAttributeSourceFilter.doFilter(RequestAttributeSourceFilter.java:316) >> at >> >> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236) >> at >> >> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) >> at >> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) >> at >> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> at >> >> org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter.doFilterInternal(OpenEntityManagerInViewFilter.java:112) >> at >> >> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76) >> at >> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) >> at >> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> at >> >> org.jasig.portal.security.MaxInactiveFilter.doFilter(MaxInactiveFilter.java:77) >> at >> >> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236) >> at >> >> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) >> at >> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) >> at >> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> at >> >> org.jasig.cas.client.util.AssertionThreadLocalFilter.doFilter(AssertionThreadLocalFilter.java:40) >> at >> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) >> at >> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> at >> >> org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:196) >> at >> >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) >> at >> >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >> at >> >> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) >> at >> >> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) >> at >> >> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) >> at >> >> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) >> at >> >> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) >> at >> >> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) >> at >> org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) >> at >> org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) >> at >> org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:774) >> at >> >> org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703) >> at >> >> org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:896) >> at >> >> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) >> at java.lang.Thread.run(Thread.java:619) >> WARN [TP-Processor18] Nov/18 10:33:57,642 >> web.RequestAttributeSourceFilter.[] - No username found for >> attribute 'null' among {serverName=[my-server]} >> >> Please help. >> >> Thanks, >> Laura >> >> >> >> >> On 11/12/10 4:00 PM, Laura McCord wrote: >> >> Okay I think I solved my problem. I discovered that there was >> more than one cas-client-core jar file in my cas lib >> directory. Once I removed it I was able to authenticate >> successfully. >> >> Now, I have one more question. How to test for clearPass >> correctly. After I authenticate through cas I go to this url >> : http://mycasserver/cas/clearPass but I get an error "No >> authentication information provided". Am I testing this >> incorrectly? I think it's working because the portlets that >> need the clearPass are working now but just for peace of mind >> I wanted to test it through the clearPass url. >> >> Thanks, >> Laura >> >> >> On 11/12/10 1:42 PM, Laura McCord wrote: >> >> I have a uPortal 3.2.2 install and I removed the bundled >> cas server and I am using an external 3.4.2 cas server now. >> >> The problem that I am seeing is that when I click on the >> "Sign In with CAS" button from uPortal I enter my >> username/password in cas and then I'm redirected to >> uPortal's GUEST unauthenticated layout. I was able to >> authenticate through cas before I made any changes so I >> can confirm that it did work prior to any clearPass >> adjustments. >> >> I can tell that when I change the >> >> root.cas=org.jasig.cas3.extensions.clearpass.integration.uportal.PasswordCachingCasAssertionSecurityContextFactory >> back to the original state I'm at least able to >> authenticate and I'm given my authenticated uPortal >> layout, if that helps. >> >> I'm not sure if I'm having a versioning issue. The >> modifications that I have made are below. >> >> Thank You, >> Laura McCord >> >> >> - In the uportal-source-directory/pom.xml I added the >> following dependencies: >> <casclient.version>3.1.11</casclient.version> >> >> <cas-clearpass.version>1.0.5.GA >> <http://1.0.5.GA></cas-clearpass.version> >> <dependency> >> <groupId>org.jasig.cas.client</groupId> >> <artifactId>cas-client-core</artifactId> >> <version>${casclient.version}</version> >> </dependency> >> <dependency> >> <groupId>org.jasig.cas3.extensions</groupId> >> <artifactId>clearpass-integration-uportal</artifactId> >> <version>${cas-clearpass.version}</version> >> </dependency> >> >> -In uportal-impl/pom.xml >> <!-- ===== Runtime Dependencies >> ======================================= --> >> <dependency> >> <groupId>org.jasig.cas3.extensions</groupId> >> <artifactId>clearpass-integration-uportal</artifactId> >> <scope>runtime</scope> >> </dependency> >> <dependency> >> <groupId>org.jasig.cas.client</groupId> >> <artifactId>cas-client-core</artifactId> >> </dependency> >> >> -In >> uportal-impl/src/main/resources/properties/security.properties >> ## This is the factory that supplies the concrete >> authentication class >> >> >> root=org.jasig.portal.security.provider.UnionSecurityContextFactory >> >> >> root.cas=org.jasig.cas3.extensions.clearpass.integration.uportal.PasswordCachingCasAssertionSecurityContextFactory >> >> >> >> #root.cas=org.jasig.portal.security.provider.cas.CasAssertionSecurityContextFactory >> >> >> >> root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory >> >> >> ## URL of the CAS cleartext password service >> >> >> org.jasig.cas3.extensions.clearpass.integration.uportal.PasswordCachingCasAssertionSecurityContextFactory.clearPassCasUrl=https://myServer/cas/clearPass >> >> >> -In >> >> uportal-impl/src/main/resources/properties/context/portletContainerContext.xml >> >> <bean id="cachedPasswordUserInfoService" >> >> class="org.jasig.portal.portlet.container.services.CachedPasswordUserInfoService"> >> >> <property name="userInstanceManager" >> ref="userInstanceManager" /> >> <property name="portletWindowRegistry" >> ref="portletWindowRegistry" /> >> <property name="portletEntityRegistry" >> ref="portletEntityRegistry" /> >> <property name="portletDefinitionRegistry" >> ref="portletDefinitionRegistry" /> >> <property name="portalRequestUtils" >> ref="portalRequestUtils" /> >> <property name="decryptPassword" value="false" /> >> </bean> >> >> - In cas/pom.xml >> <dependency> >> <groupId>org.jasig.cas3.extensions</groupId> >> <artifactId>clearpass-webapp</artifactId> >> <version>1.0.5.GA <http://1.0.5.GA></version> >> <scope>runtime</scope> >> <type>war</type> >> </dependency> >> >> -In cas/src/main/webapp/WEB-INF/deployerConfigContext.xml >> <property name="authenticationMetaDataPopulators"> >> <list> >> <bean >> >> class="org.jasig.cas3.extensions.clearpass.CacheCredentialsMetaDataPopulator"> >> >> <constructor-arg index="0" ref="credentialsCache" /> >> </bean> >> </list> >> </property> >> >> -In cas/src/main/webapp/WEB-INF/web.xml >> <filter> >> <filter-name>CAS Validation Filter</filter-name> >> >> <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class> >> >> <init-param> >> <param-name>casServerUrlPrefix</param-name> >> <param-value>https:/mycas-server/cas</param-value> >> </init-param> >> <init-param> >> <param-name>serverName</param-name> >> <param-value>https://mycas-server</param-value> >> </init-param> >> <init-param> >> <param-name>exceptionOnValidationFailure</param-name> >> <param-value>true</param-value> >> </init-param> >> <init-param> >> <param-name>allowedProxyChains</param-name> >> <param-value> >> https://my-portal-server/uPortal/CasProxyServlet >> </param-value> >> </init-param> >> <init-param> >> <param-name>useSession</param-name> >> <param-value>false</param-value> >> </init-param> >> <init-param> >> <param-name>redirectAfterValidation</param-name> >> <param-value>false</param-value> >> </init-param> >> </filter> >> >> <filter> >> <filter-name>CAS HttpServletRequest Wrapper >> Filter</filter-name> >> >> <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class> >> >> </filter> >> >> <filter-mapping> >> <filter-name>CAS Validation Filter</filter-name> >> <url-pattern>/clearPass</url-pattern> >> </filter-mapping> >> >> <filter-mapping> >> <filter-name>CAS HttpServletRequest Wrapper >> Filter</filter-name> >> <url-pattern>/clearPass</url-pattern> >> </filter-mapping> >> >> <servlet-mapping> >> <servlet-name>cas</servlet-name> >> <url-pattern>/clearPass</url-pattern> >> </servlet-mapping> >> >> >> >> >> >> >> -- >> You are currently subscribed to [email protected] >> <mailto:[email protected]> as: [email protected] >> <mailto:[email protected]> >> To unsubscribe, change settings or access archives, see >> http://www.ja-sig.org/wiki/display/JSG/cas-user >> >> >> -- >> You are currently subscribed [email protected] >> as:[email protected] >> To unsubscribe, change settings or access archives, >> seehttp://www.ja-sig.org/wiki/display/JSG/cas-user > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
