Hi, I am using CAS 3.2 and not using LDAP. Currently the CAS server and the CASified client are both on the same machine and in the same application server (JBoss). Now I want to put the CAS server on a different machine (Machine A), deployed in JBoss 4.2.3, and the client on Machine B, also deployed in JBoss 4.2.3. What configurations are required on the client side, and what settings are needed regarding SSL certificates?
Thanks in advance.

Regards,
madhava

From: J Lopez [mailto:[email protected]]
Sent: Tuesday, April 12, 2011 12:33 PM
To: [email protected]
Subject: Re: [cas-user] TGT expiration not triggering full authentication flow

Hi Scott,

Changing the flow as you mentioned did the trick.

    <action-state id="generateServiceTicket">
        <action bean="generateServiceTicketAction" />
        <transition on="success" to="warn" />
        <transition on="error" to="startAuthenticate" />
        <transition on="gateway" to="redirect" />
    </action-state>

Thank you very much.

Kind Regards.

On Fri, Apr 1, 2011 at 3:31 AM, Scott Battaglia <[email protected]> wrote:

The expiration will be checked when we attempt to use the service ticket. You can try changing the "error" transition in this instance:

    <action-state id="generateServiceTicket">
        <action bean="generateServiceTicketAction" />
        <transition on="success" to="warn" />
        <transition on="error" to="viewLoginForm" />
        <transition on="gateway" to="redirect" />
    </action-state>

to something besides viewLoginForm.

Let me know if that works.

On Thu, Mar 31, 2011 at 6:38 AM, J Lopez <[email protected]> wrote:

Hi Scott,

I attach my login-webflow. I cannot see where in the flow the TGT is checked for expiration; the only check I see is for the existence of the ticket:

    <decision-state id="ticketGrantingTicketExistsCheck">
        <if test="${flowScope.ticketGrantingTicketId != null}" then="hasServiceCheck" else="gatewayRequestCheck" />
    </decision-state>

What I have in the logs is the following (I have removed the user, the service details and the SPNEGO token).

First login of the user -> SPNEGO is used and the TGT is created:

2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler successfully authenticated the user which provided the following credentials: user>
2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 DEBUG [org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 DEBUG [org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver] - <Creating SimplePrincipal for [user]>
2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas] to registry.>
2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Obtained output token: <removed>
2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' completed execution; result is 'success'>
2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie with name [CASTGC] and value [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas]>
2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas]>
2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas] found in registry.>
2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] to registry.>
2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] for service [http://service/j_spring_cas_security_check] for user [user]>
2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://service/j_spring_cas_security_check>
2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas]>
2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] found in registry.>
2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] from registry>

So the first login is working as expected.

Some time after the TGT has expired:

2011-03-29 11:11:10,267 INFO [STDOUT] 2011-03-29 11:11:10,267 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas] from registry>

The user, who keeps the browser open, tries to perform another action in the app GUI:

2011-03-29 12:08:06,110 INFO [STDOUT] 2011-03-29 12:08:06,110 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://service/j_spring_cas_security_check>
2011-03-29 12:08:06,111 INFO [STDOUT] 2011-03-29 12:08:06,111 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas]>

but nothing more appears in the logs after that. It seems that the browser is sending the cookie in order to retrieve the TGT and the service; the server is trying to retrieve the ticket, but no more traces occur on the server side. I think I'm going to enable DEBUG for the web flow category just to see if any more traces occur.

I don't know if the modifications needed in order to detect ticket expiration are already included in CAS server 3.4.7, and whether the effort to include them in CAS 3.2 is nearly the same as migrating to the newer version. I cannot see any specific flow state to check TGT expiration in version 3.4.7, but I have not reviewed all the code and my understanding of Spring Web Flow is limited.

I would appreciate it if you could give me any more detail on the subject or some more detailed indication of how to solve the incident.

Thanks in advance.

Regards

On Thu, Mar 31, 2011 at 3:25 AM, Scott Battaglia <[email protected]> wrote:

You're quite behind on your CAS versions, so any help we give will be limited. It's possible the "error" state of the flow is pointing to displaying the credentials form if the TGT is expired, instead of to where collecting credentials starts. You can try adjusting that.

Cheers,
Scott

On Wed, Mar 30, 2011 at 8:58 AM, J Lopez <[email protected]> wrote:

Hi,

I have a working CAS server (version 3.2) that uses SPNEGO, X509 certificates and JAAS authentication against Kerberos (login credentials view). When a TGT expires due to the TimeOutPolicy (default time 2 hours), the full authentication flow is not triggered and the user ends up in the login credentials form. My problem is that regular users (80% of staff) do not have credentials enabled; they use certificates and/or SPNEGO authentication.

We are using a workaround of closing the browser and trying to access the application again; then the correct login flow is executed and the user logs into the application using SPNEGO or certificates.

Is there a method to prevent this behaviour when the TGT expires? Our security policies do not allow us to extend the TGT timeout policy. Is issue CAS-686 related to this?

Thanks in advance.

--
Regards.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
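The log excerpt in the Mar 31 message shows the symptom as a pair of registry events: DefaultTicketRegistry removes the TGT when the TimeOutPolicy expires it, and roughly an hour later the still-open browser presents its CASTGC cookie, producing an "Attempting to retrieve ticket" line for the same id with no "found in registry" line after it. The script below is an added example, not code from the thread or from the CAS project: it walks registry log lines in the format pasted above and reports every ticket that was presented after the registry had removed it. A TGT finding is the stale-cookie case the thread is about (the flow should restart authentication rather than show the credentials form); an ST finding would mean a single-use service ticket was presented a second time, which is worth an alert of its own. The sample log is constructed from the thread's own lines (same ticket ids, trimmed to the registry events); the function names and the assumption about the log line shape (JBoss STDOUT wrapper followed by the CAS log4j line) are mine.

```python
"""Audit CAS 3.x DefaultTicketRegistry log lines for tickets presented after removal.

Added example for the thread above, not CAS project code. It assumes the log
line shape pasted in the thread: a JBoss STDOUT wrapper followed by the CAS line.
"""
import re
from datetime import datetime

# Leading timestamp of the JBoss STDOUT wrapper line.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})")
# Registry events exactly as DefaultTicketRegistry logs them in the thread.
ADDED_RE = re.compile(r"<Added ticket \[([^\]]+)\] to registry\.>")
REMOVED_RE = re.compile(r"<Removing ticket \[([^\]]+)\] from registry>")
RETRIEVE_RE = re.compile(r"<Attempting to retrieve ticket \[([^\]]+)\]>")


def parse_ts(line):
    """Return the line's leading timestamp as a datetime, or None if absent."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f") if m else None


def audit_ticket_registry(lines):
    """Walk registry log lines in order and return findings for tickets that
    were retrieved after the registry had already removed them.

    kind == "TGT": a browser still sends the CASTGC cookie after expiry
                   (the thread's symptom; the flow should restart authentication).
    kind == "ST":  a service ticket, which is single-use, was presented again.
    """
    removed_at = {}  # ticket id -> time the registry removed it
    findings = []
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue  # not a CAS log line
        m = ADDED_RE.search(line)
        if m:
            removed_at.pop(m.group(1), None)  # ids are not reused, but be safe
            continue
        m = REMOVED_RE.search(line)
        if m:
            removed_at[m.group(1)] = ts
            continue
        m = RETRIEVE_RE.search(line)
        if m and m.group(1) in removed_at:
            ticket = m.group(1)
            findings.append({
                "ticket": ticket,
                "kind": ticket.split("-", 1)[0],
                "removed_at": removed_at[ticket],
                "retrieved_at": ts,
                "seconds_after_removal": (ts - removed_at[ticket]).total_seconds(),
            })
    return findings


# Constructed sample: the thread's registry events, one per line, using the
# ticket ids the thread shows (non-registry lines left out).
_REG = "DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - "
_TGT = "TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas"
_ST = "ST-192-VqPUouVAzfP9UdSZeYeO-cas"


def _line(ts, msg):
    """Build one log line in the JBoss STDOUT + CAS log4j shape from the thread."""
    return f"{ts} INFO [STDOUT] {ts} {_REG}{msg}"


SAMPLE_LOG = [
    _line("2011-03-29 08:32:56,807", f"<Added ticket [{_TGT}] to registry.>"),
    _line("2011-03-29 08:32:56,808", f"<Attempting to retrieve ticket [{_TGT}]>"),
    _line("2011-03-29 08:32:56,808", f"<Ticket [{_TGT}] found in registry.>"),
    _line("2011-03-29 08:32:56,808", f"<Added ticket [{_ST}] to registry.>"),
    _line("2011-03-29 08:32:56,959", f"<Attempting to retrieve ticket [{_ST}]>"),
    _line("2011-03-29 08:32:56,959", f"<Ticket [{_ST}] found in registry.>"),
    _line("2011-03-29 08:32:56,959", f"<Removing ticket [{_ST}] from registry>"),
    # The TGT expires under the TimeOutPolicy ...
    _line("2011-03-29 11:11:10,267", f"<Removing ticket [{_TGT}] from registry>"),
    # ... and the still-open browser presents its CASTGC cookie an hour later.
    _line("2011-03-29 12:08:06,111", f"<Attempting to retrieve ticket [{_TGT}]>"),
]

if __name__ == "__main__":
    for f in audit_ticket_registry(SAMPLE_LOG):
        print(f"{f['kind']} {f['ticket']} presented {f['seconds_after_removal']:.0f}s "
              f"after removal at {f['removed_at']} (retrieved {f['retrieved_at']})")
```

Run against a real CAS log, the lines are read in file order, so the script only needs the DefaultTicketRegistry DEBUG category enabled; a steady stream of TGT findings after the configured timeout confirms that expired sessions are reaching the flow's error transition rather than a fresh authentication.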
