You supply ClearPass with a PT, not a PGT. PGT is only used to get a proxy ticket. ClearPass is protected by the Java CAS Client and acts accordingly.

Cheers,
Scott

On Thu, Nov 18, 2010 at 4:10 PM, Laura McCord <[email protected]> wrote:

> One more question about the response
>
> So, I performed all of the steps described in the documentation:
> https://wiki.jasig.org/display/CASUM/ClearPass
>
> I tested the proxy ticket against the clearPass url but I'm still receiving
> the following response:
>
> <cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>   <cas:clearPassFailure>No authentication information provided.</cas:clearPassFailure>
> </cas:clearPassResponse>
>
> Below is what I used in the url after I logged into my uPortal instance, is
> this correct?
> https://servername/cas/clearPass?pgt=TGT-2-ablahblah-servername&service=https%3A%2F%2Fservernane%2Fcas%2FclearPass
>
> Here's a sample of my access log:
>
> "POST /cas/login?service=https://servername/uPortal/Login HTTP/1.1" 302 -
> "GET /uPortal/CasProxyServlet HTTP/1.1" 200 -
> "GET /uPortal/CasProxyServlet?pgtIou=PGTIOU-1-yaddayadda-servername&pgtId=TGT-2-ablahblah-servername HTTP/1.1" 200 98
> "GET /cas/proxyValidate?pgtUrl=https%3A%2F%2Fservername%2FuPortal%2FCasProxyServlet&ticket=ST-1-COLAgdfgdggdgdg-servername&service=https%3A%2F%2Fservername%2FuPortal%2FLogin HTTP/1.1" 200 287
> "GET /uPortal/Login?ticket=ST-1-COLAgdfgdggdgdg-servernameHTTP/1.1" 302 -
> "GET /cas/proxy?pgt=TGT-2-ablahblah-servername&targetService=https%3A%2F%2Fservername%2Fcas%2FclearPass HTTP/1.1" 200 215
> "GET /cas/proxyValidate?ticket=ST-2-sdadadad-servername&service=https%3A%2F%2Fservername%2Fcas%2FclearPass HTTP/1.1" 200 297
> "GET /cas/clearPass?ticket=ST-2-sdadadad-servername HTTP/1.1" 200 182
>
> I'm not sure what else I should be looking at for troubleshooting purposes.
>
> Thanks Again,
> Laura
>
> On 11/18/10 11:06 AM, Laura McCord wrote:
>
> UGH!!! I could just kick myself. I found this in my localhost logs....
> Apparently, my service that I entered in cas/services for uPortal wasn't
> right because once I just let everything have access, it worked. So, I guess
> I just need to fix the service url string for uPortal and it should work.
> Thanks.
>
> Nov 18, 2010 10:56:19 AM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet cas threw exception
> org.jasig.cas.services.UnauthorizedServiceException: service.not.authorized
>     at org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket_aroundBody2(CentralAuthenticationServiceImpl.java:190)
>     at org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket_aroundBody3$advice(CentralAuthenticationServiceImpl.java:44)
>     at org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket(CentralAuthenticationServiceImpl.java:1)
>     at org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket_aroundBody4(CentralAuthenticationServiceImpl.java:244)
>     at org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket_aroundBody5$advice(CentralAuthenticationServiceImpl.java:44)
>     at org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket(CentralAuthenticationServiceImpl.java:1)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:597)
>     at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
>     at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
>     at org.perf4j.aop.AbstractTimingAspect.doPerfLogging(AbstractTimingAspect.java:71)
>     at sun.reflect.GeneratedMethodAccessor178.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:597)
>     at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:622)
>     at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:611)
>     at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
>     at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>     at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>     at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
>     at $Proxy128.grantServiceTicket(Unknown Source)
>     at org.jasig.cas.web.ProxyController.handleRequestInternal(ProxyController.java:72)
>     at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
>     at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
>
> On 10/18/10 10:43 AM, Scott Battaglia wrote:
>
> If you're getting a response code of 500 for /proxy then there should be a
> corresponding error on the server side.
>
> On Thu, Nov 18, 2010 at 11:40 AM, Laura McCord <[email protected]> wrote:
>
>> Nevermind...
>> I'm STILL having a problem with getting the clearPass
>> integrated with uPortal 3.2.2. The specs are listed in my original email.
>> NO accounts can get past the guest layout of my uportal instance. The
>> problem seems to be stemming from the
>> PasswordCachingCasAssertionSecurityContext because if I replace it back with
>> the original cas context in my security.properties file it works fine.
>>
>> I'm receiving the following errors:
>>
>> ERROR [TP-Processor13] Nov/18 10:23:58,641 provider.UnionSecurityContext.[] - Exception authenticating subcontext org.jasig.cas3.extensions.clearpass.integration.uportal.PasswordCachingCasAssertionSecurityContext assertion:org.jasig.cas.client.validation.assertioni...@427a9f36
>> java.lang.RuntimeException: java.io.IOException: Server returned HTTP response code: 500 for URL: https://my-server/cas/proxy?pgt=TGT-2-gdHkBVgLhvri9QTzucfTAfKURJtcp3HK5geQE31TwizFqcGkOt-my-server&targetService=https%3A%2F%2Fmy-server%2Fcas%2FclearPass
>>     at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:322)
>>     at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:285)
>>     at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:338)
>>     at org.jasig.cas.client.proxy.Cas20ProxyRetriever.getProxyTicketIdFor(Cas20ProxyRetriever.java:65)
>>     at org.jasig.cas.client.authentication.AttributePrincipalImpl.getProxyTicketFor(AttributePrincipalImpl.java:87)
>>     at org.jasig.cas3.extensions.clearpass.integration.uportal.PasswordCachingCasAssertionSecurityContext.postAuthenticate(PasswordCachingCasAssertionSecurityContext.java:49)
>>     at org.jasig.portal.security.provider.cas.CasAssertionSecurityContext.authenticate(CasAssertionSecurityContext.java:68)
>>     at org.jasig.portal.security.provider.ChainingSecurityContext.authenticate(ChainingSecurityContext.java:105)
>>     at org.jasig.portal.security.provider.UnionSecurityContext.authenticate(UnionSecurityContext.java:47)
>>     at org.jasig.portal.services.Authentication.authenticate(Authentication.java:98)
>>     at org.jasig.portal.LoginServlet.service(LoginServlet.java:210)
>>     ....
>> Caused by: java.io.IOException: Server returned HTTP response code: 500 for URL: https://my-server/cas/proxy?pgt=TGT-4-KsBFUIPXEfcktwcZbyr6JNQljfRIXyYqyVUkcrsb3itrIUuPGn-my-server&targetService=https%3A%2F%2Fmy-server%2Fcas%2FclearPass
>>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1313)
>>     at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getInputStream(HttpsURLConnectionOldImpl.java:204)
>>     at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
>>     ... 46 more
>> ERROR [TP-Processor18] Nov/18 10:33:57,641 portal.LoginServlet.[] - Exception authenticating the request
>> org.jasig.portal.security.PortalSecurityException: One of the security subcontexts threw an exception
>>     at org.jasig.portal.security.provider.ChainingSecurityContext.authenticate(ChainingSecurityContext.java:123)
>>     at org.jasig.portal.security.provider.UnionSecurityContext.authenticate(UnionSecurityContext.java:47)
>>     at org.jasig.portal.services.Authentication.authenticate(Authentication.java:98)
>>     at org.jasig.portal.LoginServlet.service(LoginServlet.java:210)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at org.jasig.services.persondir.support.web.RequestAttributeSourceFilter.doFilter(RequestAttributeSourceFilter.java:316)
>>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
>>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter.doFilterInternal(OpenEntityManagerInViewFilter.java:112)
>>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at org.jasig.portal.security.MaxInactiveFilter.doFilter(MaxInactiveFilter.java:77)
>>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
>>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at org.jasig.cas.client.util.AssertionThreadLocalFilter.doFilter(AssertionThreadLocalFilter.java:40)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:196)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>>     at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
>>     at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
>>     at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:774)
>>     at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
>>     at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:896)
>>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
>>     at java.lang.Thread.run(Thread.java:619)
>> WARN [TP-Processor18] Nov/18 10:33:57,642 web.RequestAttributeSourceFilter.[] - No username found for attribute 'null' among {serverName=[my-server]}
>>
>> Please help.
>>
>> Thanks,
>> Laura
>>
>> On 11/12/10 4:00 PM, Laura McCord wrote:
>>
>>> Okay I think I solved my problem. I discovered that there was more than
>>> one cas-client-core jar file in my cas lib directory. Once I removed it I
>>> was able to authenticate successfully.
>>>
>>> Now, I have one more question. How to test for clearPass correctly. After
>>> I authenticate through cas I go to this url:
>>> http://mycasserver/cas/clearPass but I get an error "No authentication
>>> information provided". Am I testing this incorrectly? I think it's working
>>> because the portlets that need the clearPass are working now but just for
>>> peace of mind I wanted to test it through the clearPass url.
>>>
>>> Thanks,
>>> Laura
>>>
>>> On 11/12/10 1:42 PM, Laura McCord wrote:
>>>
>>>> I have a uPortal 3.2.2 install and I removed the bundled cas server and
>>>> I am using an external 3.4.2 cas server now.
>>>>
>>>> The problem that I am seeing is that when I click on the "Sign In with
>>>> CAS" button from uPortal I enter my username/password in cas and then I'm
>>>> redirected to uPortal's GUEST unauthenticated layout. I was able to
>>>> authenticate through cas before I made any changes so I can confirm that it
>>>> did work prior to any clearPass adjustments.
>>>>
>>>> I can tell that when I change the
>>>> root.cas=org.jasig.cas3.extensions.clearpass.integration.uportal.PasswordCachingCasAssertionSecurityContextFactory
>>>> back to the original state I'm at least able to authenticate and I'm given
>>>> my authenticated uPortal layout, if that helps.
>>>>
>>>> I'm not sure if I'm having a versioning issue. The modifications that I
>>>> have made are below.
>>>>
>>>> Thank You,
>>>> Laura McCord
>>>>
>>>> - In the uportal-source-directory/pom.xml I added the following
>>>> dependencies:
>>>>
>>>> <casclient.version>3.1.11</casclient.version>
>>>> <cas-clearpass.version>1.0.5.GA</cas-clearpass.version>
>>>>
>>>> <dependency>
>>>>   <groupId>org.jasig.cas.client</groupId>
>>>>   <artifactId>cas-client-core</artifactId>
>>>>   <version>${casclient.version}</version>
>>>> </dependency>
>>>> <dependency>
>>>>   <groupId>org.jasig.cas3.extensions</groupId>
>>>>   <artifactId>clearpass-integration-uportal</artifactId>
>>>>   <version>${cas-clearpass.version}</version>
>>>> </dependency>
>>>>
>>>> - In uportal-impl/pom.xml
>>>>
>>>> <!-- ===== Runtime Dependencies ======================================= -->
>>>> <dependency>
>>>>   <groupId>org.jasig.cas3.extensions</groupId>
>>>>   <artifactId>clearpass-integration-uportal</artifactId>
>>>>   <scope>runtime</scope>
>>>> </dependency>
>>>> <dependency>
>>>>   <groupId>org.jasig.cas.client</groupId>
>>>>   <artifactId>cas-client-core</artifactId>
>>>> </dependency>
>>>>
>>>> - In uportal-impl/src/main/resources/properties/security.properties
>>>>
>>>> ## This is the factory that supplies the concrete authentication class
>>>> root=org.jasig.portal.security.provider.UnionSecurityContextFactory
>>>> root.cas=org.jasig.cas3.extensions.clearpass.integration.uportal.PasswordCachingCasAssertionSecurityContextFactory
>>>> #root.cas=org.jasig.portal.security.provider.cas.CasAssertionSecurityContextFactory
>>>> root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory
>>>>
>>>> ## URL of the CAS cleartext password service
>>>> org.jasig.cas3.extensions.clearpass.integration.uportal.PasswordCachingCasAssertionSecurityContextFactory.clearPassCasUrl=https://myServer/cas/clearPass
>>>>
>>>> - In uportal-impl/src/main/resources/properties/context/portletContainerContext.xml
>>>>
>>>> <bean id="cachedPasswordUserInfoService"
>>>>       class="org.jasig.portal.portlet.container.services.CachedPasswordUserInfoService">
>>>>   <property name="userInstanceManager" ref="userInstanceManager" />
>>>>   <property name="portletWindowRegistry" ref="portletWindowRegistry" />
>>>>   <property name="portletEntityRegistry" ref="portletEntityRegistry" />
>>>>   <property name="portletDefinitionRegistry" ref="portletDefinitionRegistry" />
>>>>   <property name="portalRequestUtils" ref="portalRequestUtils" />
>>>>   <property name="decryptPassword" value="false" />
>>>> </bean>
>>>>
>>>> - In cas/pom.xml
>>>>
>>>> <dependency>
>>>>   <groupId>org.jasig.cas3.extensions</groupId>
>>>>   <artifactId>clearpass-webapp</artifactId>
>>>>   <version>1.0.5.GA</version>
>>>>   <scope>runtime</scope>
>>>>   <type>war</type>
>>>> </dependency>
>>>>
>>>> - In cas/src/main/webapp/WEB-INF/deployerConfigContext.xml
>>>>
>>>> <property name="authenticationMetaDataPopulators">
>>>>   <list>
>>>>     <bean class="org.jasig.cas3.extensions.clearpass.CacheCredentialsMetaDataPopulator">
>>>>       <constructor-arg index="0" ref="credentialsCache" />
>>>>     </bean>
>>>>   </list>
>>>> </property>
>>>>
>>>> - In cas/src/main/webapp/WEB-INF/web.xml
>>>>
>>>> <filter>
>>>>   <filter-name>CAS Validation Filter</filter-name>
>>>>   <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
>>>>   <init-param>
>>>>     <param-name>casServerUrlPrefix</param-name>
>>>>     <param-value>https:/mycas-server/cas</param-value>
>>>>   </init-param>
>>>>   <init-param>
>>>>     <param-name>serverName</param-name>
>>>>     <param-value>https://mycas-server</param-value>
>>>>   </init-param>
>>>>   <init-param>
>>>>     <param-name>exceptionOnValidationFailure</param-name>
>>>>     <param-value>true</param-value>
>>>>   </init-param>
>>>>   <init-param>
>>>>     <param-name>allowedProxyChains</param-name>
>>>>     <param-value>
>>>>       https://my-portal-server/uPortal/CasProxyServlet
>>>>     </param-value>
>>>>   </init-param>
>>>>   <init-param>
>>>>     <param-name>useSession</param-name>
>>>>     <param-value>false</param-value>
>>>>   </init-param>
>>>>   <init-param>
>>>>     <param-name>redirectAfterValidation</param-name>
>>>>     <param-value>false</param-value>
>>>>   </init-param>
>>>> </filter>
>>>>
>>>> <filter>
>>>>   <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>>>>   <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
>>>> </filter>
>>>>
>>>> <filter-mapping>
>>>>   <filter-name>CAS Validation Filter</filter-name>
>>>>   <url-pattern>/clearPass</url-pattern>
>>>> </filter-mapping>
>>>>
>>>> <filter-mapping>
>>>>   <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>>>>   <url-pattern>/clearPass</url-pattern>
>>>> </filter-mapping>
>>>>
>>>> <servlet-mapping>
>>>>   <servlet-name>cas</servlet-name>
>>>>   <url-pattern>/clearPass</url-pattern>
>>>> </servlet-mapping>
>>
>> --
>> You are currently subscribed to [email protected] as: [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
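
The two-step exchange Scott describes, as an added example that is not part of the original thread or of the CAS project's code: the PGT is sent only to /cas/proxy, and the proxy ticket returned there is what /cas/clearPass receives in ticket=. The helper names and the sample /proxy response are constructed here; the host and ticket values are the placeholders from the access log quoted above.

```python
# Added example (not from the thread): PGT -> proxy ticket -> ClearPass, offline.
from urllib.parse import urlencode, urlsplit, parse_qs
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed /proxy response in CAS 2.0 format; the ticket id is the
# placeholder that appears in the thread's access log.
SAMPLE_PROXY_RESPONSE = """\
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:proxySuccess>
    <cas:proxyTicket>ST-2-sdadadad-servername</cas:proxyTicket>
  </cas:proxySuccess>
</cas:serviceResponse>"""


def proxy_request_url(cas_base, pgt, target_service):
    """Step 1: the only place the PGT is sent. CAS returns a proxy ticket
    issued for target_service."""
    return f"{cas_base}/proxy?" + urlencode(
        {"pgt": pgt, "targetService": target_service})


def parse_proxy_response(xml_text):
    """Return the proxy ticket, or raise with the CAS failure code."""
    root = ET.fromstring(xml_text)
    ticket = root.find("cas:proxySuccess/cas:proxyTicket", CAS_NS)
    if ticket is not None and ticket.text:
        return ticket.text.strip()
    failure = root.find("cas:proxyFailure", CAS_NS)
    code = failure.get("code", "UNKNOWN") if failure is not None else "UNKNOWN"
    raise ValueError(f"no proxy ticket issued: {code}")


def clearpass_request_url(clearpass_url, proxy_ticket):
    """Step 2: ClearPass sits behind the CAS client filter, which reads ticket=."""
    return f"{clearpass_url}?" + urlencode({"ticket": proxy_ticket})


def diagnose_clearpass_url(url):
    """Classify a ClearPass request by parameter name. Ticket prefixes are not
    reliable: in the thread's log the PGT id starts with TGT- and the proxy
    ticket with ST-."""
    params = parse_qs(urlsplit(url).query)
    if "ticket" in params:
        return "ok"
    if "pgt" in params:
        return "pgt-sent-instead-of-proxy-ticket"
    return "no-ticket"


if __name__ == "__main__":
    clearpass = "https://servername/cas/clearPass"
    print(proxy_request_url("https://servername/cas",
                            "TGT-2-ablahblah-servername", clearpass))
    pt = parse_proxy_response(SAMPLE_PROXY_RESPONSE)
    print(clearpass_request_url(clearpass, pt))
    # The URL tried by hand in the thread:
    print(diagnose_clearpass_url(
        clearpass + "?pgt=TGT-2-ablahblah-servername"
        "&service=https%3A%2F%2Fservernane%2Fcas%2FclearPass"))
```

A proxy ticket is single-use, so a ticket that already appears in a /cas/clearPass request in the access log cannot be replayed from a browser; a manual test needs a fresh one from /cas/proxy.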
