Hi,

You have to establish trust between the client and the CAS server. In order to accomplish that, you have to import the CAS server certificate into the cacerts keystore on the client machine; otherwise a PKIX Exception will be thrown.
Regards

On Tue, Apr 12, 2011 at 9:15 AM, Srinivas Madhava <[email protected]> wrote:
> Hi
>
> I am using CAS 3.2 and not using LDAP. Currently the CAS server and the Casified client are both on the same machine and the same application server (JBoss). Now I want to put the CAS Server on a different machine, for example Machine A, deployed in JBoss 4.2.3, and the client on Machine B, deployed in JBoss 4.2.3.
>
> What are the configurations required at the client side and the settings regarding SSL certificates?
>
> Thanks in Advance
>
> Regards
>
> madhava
>
> *From:* J Lopez [mailto:[email protected]]
> *Sent:* Tuesday, April 12, 2011 12:33 PM
> *To:* [email protected]
> *Subject:* Re: [cas-user] TGT expiration not triggering full authentication flow
>
> Hi Scott,
>
> Changing the flow as you mentioned did the trick.
>
> <action-state id="generateServiceTicket">
>     <action bean="generateServiceTicketAction" />
>     <transition on="success" to="warn" />
>     <transition on="error" to="startAuthenticate" />
>     <transition on="gateway" to="redirect" />
> </action-state>
>
> Thank you very much.
>
> Kind Regards.
>
> On Fri, Apr 1, 2011 at 3:31 AM, Scott Battaglia <[email protected]> wrote:
> > The expiration will be checked when we attempt to use the service ticket.
> >
> > You can try changing the "error" transition in this instance:
> >
> > <action-state id="generateServiceTicket">
> >     <action bean="generateServiceTicketAction" />
> >     <transition on="success" to="warn" />
> >     <transition on="error" to="viewLoginForm" />
> >     <transition on="gateway" to="redirect" />
> > </action-state>
> >
> > to something besides viewLoginForm
> >
> > Let me know if that works.
> >
> > On Thu, Mar 31, 2011 at 6:38 AM, J Lopez <[email protected]> wrote:
> > > Hi Scott,
> > >
> > > I attach my login-webflow.
> > >
> > > I can not see where in the flow the TGT is checked for expiration; the only check I see is the existence of the ticket:
> > >
> > > <decision-state id="ticketGrantingTicketExistsCheck">
> > >     <if test="${flowScope.ticketGrantingTicketId != null}" then="hasServiceCheck" else="gatewayRequestCheck" />
> > > </decision-state>
> > >
> > > What I have in the logs is the following (I have removed user, service details and the SPNEGO token):
> > >
> > > First login of user -> SPNEGO used, TGT is created
> > >
> > > 2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler successfully authenticated the user which provided the following credentials: user>
> > > 2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 DEBUG [org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
> > > 2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 DEBUG [org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver] - <Creating SimplePrincipal for [user]>
> > > 2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas] to registry.>
> > > 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Obtained output token: <removed>
> > > 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' completed execution; result is 'success'>
> > > 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie with name [CASTGC] and value [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas]>
> > > 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas]>
> > > 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas] found in registry.>
> > > 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] to registry.>
> > > 2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] for service [http://service/j_spring_cas_security_check] for user [user]>
> > > 2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://service/j_spring_cas_security_check>
> > > 2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas]>
> > > 2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] found in registry.>
> > > 2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] from registry>
> > >
> > > so first login is working as expected.
> > >
> > > time after TGT is expired
> > >
> > > 2011-03-29 11:11:10,267 INFO [STDOUT] 2011-03-29 11:11:10,267 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas] from registry>
> > >
> > > A user that keeps the browser open tries to make another action in the app GUI
> > >
> > > 2011-03-29 12:08:06,110 INFO [STDOUT] 2011-03-29 12:08:06,110 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://service/j_spring_cas_security_check>
> > > 2011-03-29 12:08:06,111 INFO [STDOUT] 2011-03-29 12:08:06,111 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas]>
> > >
> > > but nothing more appears in the logs after that
> > >
> > > It seems that the browser is sending the cookie in order to retrieve the TGT and the service; the server is trying to retrieve the ticket, but no more traces occur at the server side.
> > >
> > > I think I'm going to enable DEBUG for the web flow category just to see if any more traces occur.
> > >
> > > I don't know if the modifications needed in order to detect ticket expiration are already included in CAS server 3.4.7, and whether the effort to include that in CAS 3.2 is nearly the same as migrating to the newer version.
> > >
> > > I can not see any specific flow state to check TGT expiration in version 3.4.7, but I have not reviewed all the code and my understanding of Spring Web Flow is limited.
> > >
> > > I would appreciate it if you could give me any more detail on the subject or some more detailed indication of how to solve the incident.
> > >
> > > Thanks in advance
> > >
> > > Regards
> > >
> > > On Thu, Mar 31, 2011 at 3:25 AM, Scott Battaglia <[email protected]> wrote:
> > > > You're quite behind on your CAS versions, so any help we give will be limited.
> > > >
> > > > It's possible the "error" state of the flow is pointing to displaying the credentials form if the TGT is expired, instead of where collecting credentials starts. You can try adjusting that.
> > > >
> > > > Cheers,
> > > > Scott
> > > >
> > > > On Wed, Mar 30, 2011 at 8:58 AM, J Lopez <[email protected]> wrote:
> > > > > Hi,
> > > > >
> > > > > I have a working CAS server (version 3.2) that uses SPNEGO, X509 certificates and JAAS Authentication against Kerberos (login credentials view).
> > > > >
> > > > > When a TGT is expired due to TimeOutPolicy (default time 2 hours), the full authentication flow is not triggered and the user ends up in the login credentials form.
> > > > >
> > > > > My problem is that regular users (80% of staff) do not have credentials enabled; they use certificates and/or SPNEGO authentication.
> > > > >
> > > > > We are using a workaround of closing the browser and trying to access the application again; then a correct login flow is executed and the user logs into the application using SPNEGO or certificates.
> > > > >
> > > > > Is there a method to prevent this behaviour when the TGT expires?
> > > > >
> > > > > Our security policies do not allow us to extend the TGT timeout policy.
> > > > >
> > > > > Is issue CAS-686 related to this?
> > > > >
> > > > > thanks in advance.
> > > > > --
> > > > > Regards.
> > > > >
> > > > > --
> > > > > You are currently subscribed to [email protected] as: [email protected]
> > > > > To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
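The client-side trust check the top reply describes, as an added Java illustration (not code from the thread, from CAS or from JBoss): it validates the CAS server's certificate chain against the client JVM's cacerts and, when that fails with the PKIX exception, can import a PEM certificate the way keytool -importcert would. CAS_URL, the cacerts path, the store password and the alias are placeholder assumptions.

```java
import java.io.*;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

// Added illustration, not CAS code: does the client JVM's trust store validate the CAS server?
public class CasTrustCheck {
    // Placeholders: point these at the real CAS login URL and the client's trust store.
    static final String CAS_URL = "https://cas.example.org:8443/cas/login";
    static final String CACERTS = System.getProperty("java.home") + "/lib/security/cacerts";
    static final char[] STOREPASS = "changeit".toCharArray(); // JDK default; change it in production

    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        return ks;
    }

    // true: chain validates against the trust store. false: PKIX path building/validation failed,
    // i.e. the PKIX exception the reply mentions. Other TLS/HTTP errors (hostname mismatch,
    // connection refused) are rethrown rather than masked as "untrusted".
    static boolean serverIsTrusted(String url, String storePath, char[] pass) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(storePath, pass));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            conn.connect(); // the TLS handshake, and with it the PKIX check, happens here
            return true;
        } catch (SSLHandshakeException e) {
            for (Throwable t = e; t != null; t = t.getCause()) // the PKIX cause is wrapped a few levels down
                if (t instanceof CertPathBuilderException || t instanceof CertPathValidatorException) return false;
            throw e;
        } finally { conn.disconnect(); }
    }

    // Same effect as: keytool -importcert -alias cas-server -file cas.pem -keystore cacerts
    static void importPem(File pem, String alias, String storePath, char[] pass) throws Exception {
        Certificate cert;
        try (InputStream in = new FileInputStream(pem)) { cert = CertificateFactory.getInstance("X.509").generateCertificate(in); }
        KeyStore ks = load(storePath, pass);
        ks.setCertificateEntry(alias, cert);
        try (OutputStream out = new FileOutputStream(storePath)) { ks.store(out, pass); }
    }

    public static void main(String[] args) throws Exception {
        if (serverIsTrusted(CAS_URL, CACERTS, STOREPASS)) { System.out.println("CAS server trusted"); return; }
        System.out.println("PKIX failure: CAS server certificate is not trusted by " + CACERTS);
        if (args.length == 1) importPem(new File(args[0]), "cas-server", CACERTS, STOREPASS); // args[0] = cas.pem
    }
}
```

Run it once with no argument on the client machine to confirm the PKIX failure, then with the path to a CAS server certificate obtained out of band (not fetched from the connection that just failed) to import it. A hostname mismatch is a different failure and is rethrown rather than repaired by importing a certificate.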
