Folks,

In our organization we are using CAS with X509 (preferred) then login/password (fall-back) authentication. We became aware of the same problem mentioned here a few days ago; I've just applied this modification and it seems to work perfectly now :-)

Thank you! Should we modify the wiki to add this new modification to login-webflow.xml?

Rgds.

On 12/04/2011 09:02, J Lopez wrote:
Hi Scott,

Changing the flow as you mentioned did the trick.

    <action-state id="generateServiceTicket">
        <action bean="generateServiceTicketAction" />
        <transition on="success" to="warn" />
        <transition on="error" to="startAuthenticate" />
        <transition on="gateway" to="redirect" />
    </action-state>

Thank you very much.

Kind Regards.

On Fri, Apr 1, 2011 at 3:31 AM, Scott Battaglia <[email protected]> wrote:

The expiration will be checked when we attempt to use the service ticket. You can try changing the "error" transition in this instance:

    <action-state id="generateServiceTicket">
        <action bean="generateServiceTicketAction" />
        <transition on="success" to="warn" />
        <transition on="error" to="viewLoginForm" />
        <transition on="gateway" to="redirect" />
    </action-state>

to something besides viewLoginForm. Let me know if that works.

On Thu, Mar 31, 2011 at 6:38 AM, J Lopez <[email protected]> wrote:

Hi Scott,

I attach my login-webflow. I can not see where in the flow the TGT is checked for expiration; the only check I see is the existence of the ticket:

    <decision-state id="ticketGrantingTicketExistsCheck">
        <if test="${flowScope.ticketGrantingTicketId != null}" then="hasServiceCheck" else="gatewayRequestCheck" />
    </decision-state>

What I have in the logs is the following (I have removed user, service details and SPNEGO token).

First login of user -> SPNEGO used, TGT is created:

    2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler successfully authenticated the user which provided the following credentials: user>
    2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 DEBUG [org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
    2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 DEBUG [org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver] - <Creating SimplePrincipal for [user]>
    2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas] to registry.>
    2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Obtained output token: <removed>
    2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' completed execution; result is 'success'>
    2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie with name [CASTGC] and value [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas]>
    2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas]>
    2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas] found in registry.>
    2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] to registry.>
    2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] for service [http://service/j_spring_cas_security_check] for user [user]>
    2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://service/j_spring_cas_security_check>
    2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas]>
    2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] found in registry.>
    2011-03-29 08:32:56,959 INFO [STDOUT] 2011-03-29 08:32:56,959 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [ST-192-VqPUouVAzfP9UdSZeYeO-cas] from registry>

so the first login is working as expected.

Some time after, the TGT is expired:

    2011-03-29 11:11:10,267 INFO [STDOUT] 2011-03-29 11:11:10,267 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas] from registry>

A user that keeps the browser open tries to make another action in the app GUI:

    2011-03-29 12:08:06,110 INFO [STDOUT] 2011-03-29 12:08:06,110 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://service/j_spring_cas_security_check>
    2011-03-29 12:08:06,111 INFO [STDOUT] 2011-03-29 12:08:06,111 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-149-D63yUimrbMxAbt2cFmanPbxxtgu6EXBhmzOdkG3NvFJncUeK2R-cas]>

but nothing more appears in the logs after that. It seems that the browser is sending the cookie in order to retrieve the TGT and the service; the server is trying to retrieve the ticket but no more traces occur at the server side. I think I'm going to enable DEBUG for the web flow category just to see if any more traces occur.

I don't know if the modifications needed in order to detect ticket expiration are already included in CAS server 3.4.7, and the effort to include that in CAS 3.2 is nearly the same as migrating to the newer version. I can not see any specific flow state to check TGT expiration in version 3.4.7, but I have not reviewed all the code and my understanding of Spring Web Flow is limited.

I would appreciate it if you could give me any more detail on the subject or some more detailed indication on how to solve the incidence.

Thanks in advance

Regards

On Thu, Mar 31, 2011 at 3:25 AM, Scott Battaglia <[email protected]> wrote:

You're quite behind on your CAS versions, so any help we give will be limited. It's possible the "error" state of the flow is pointing to displaying the credentials form if the TGT is expired instead of where collecting credentials starts. You can try adjusting that.

Cheers,
Scott

On Wed, Mar 30, 2011 at 8:58 AM, J Lopez <[email protected]> wrote:

Hi,

I have a working CAS server (version 3.2) that uses SPNEGO, X509 certificates and JAAS authentication against Kerberos (login credentials view). When a TGT is expired due to the TimeOutPolicy (default time 2 hours) the full authentication flow is not triggered and the user ends up in the login credentials form. My problem is that regular users (80% of staff) do not have credentials enabled; they use certificates and/or SPNEGO authentication. We are using a workaround of closing the browser and trying again to access the application; then a correct login flow is executed and the user logs into the application using SPNEGO or certificates.

Is there a method to prevent this behaviour when the TGT expires? Our security policies do not allow us to extend the TGT timeout policy. Is issue CAS-686 related to this?

Thanks in advance.

--
Regards.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
Philippe MARASSE
Service Informatique - Centre Hospitalier Henri Laborit
BP 587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
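As an added illustration (not code from this thread or from the CAS project), here is a small Python correlator over DefaultTicketRegistry DEBUG lines in the shape J Lopez quoted above: it pairs each "Removing ticket [TGT-...]" event with any later "Attempting to retrieve ticket" for the same TGT, which is the symptom of a browser still presenting the CASTGC cookie after expiry, right before the flow dead-ends on the credentials form. The sample log lines and ticket ids are constructed, not taken from the real logs.

```python
import re
from datetime import datetime

# Constructed sample lines in the shape of the CAS 3.2 output quoted in the thread
# (doubled JBoss STDOUT timestamp, DefaultTicketRegistry messages). Ticket ids are
# shortened placeholders. TGT-1 is added, expires, and is looked up again an hour
# later; TGT-2 is only ever looked up, so it must not be flagged.
SAMPLE_LOG = """\
2011-03-29 08:32:56,807 INFO [STDOUT] 2011-03-29 08:32:56,807 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [TGT-1-aaaa-cas] to registry.>
2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-1-aaaa-cas]>
2011-03-29 08:32:56,808 INFO [STDOUT] 2011-03-29 08:32:56,808 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [TGT-1-aaaa-cas] found in registry.>
2011-03-29 11:11:10,267 INFO [STDOUT] 2011-03-29 11:11:10,267 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [TGT-1-aaaa-cas] from registry>
2011-03-29 12:08:06,111 INFO [STDOUT] 2011-03-29 12:08:06,111 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-1-aaaa-cas]>
2011-03-29 12:09:00,000 INFO [STDOUT] 2011-03-29 12:09:00,000 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-2-bbbb-cas]>
"""

# Leading timestamp, then skip to the registry logger, then the event verb and ticket id.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) .*?DefaultTicketRegistry\] - "
    r"<(?P<event>Added ticket|Removing ticket|Attempting to retrieve ticket|Ticket) "
    r"\[(?P<ticket>[^\]]+)\]"
)


def parse(line):
    """Return (timestamp, event, ticket_id) for a registry line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
    return ts, m.group("event"), m.group("ticket")


def stale_tgt_lookups(log_text):
    """List (ticket, removed_at, attempted_at) for every lookup of a TGT that the
    registry had already removed, i.e. an expired CASTGC cookie still in use."""
    removed = {}   # TGT id -> time it was removed (expired)
    findings = []
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, event, ticket = parsed
        if not ticket.startswith("TGT-"):
            continue   # service tickets are single-use; only TGTs matter here
        if event == "Removing ticket":
            removed[ticket] = ts
        elif event == "Attempting to retrieve ticket" and ticket in removed:
            findings.append((ticket, removed[ticket], ts))
    return findings


if __name__ == "__main__":
    for ticket, gone, tried in stale_tgt_lookups(SAMPLE_LOG):
        print(f"{ticket}: removed {gone}, looked up again {tried} ({tried - gone} later)")
```

A burst of such findings after a deployment is a quick way to confirm the "error" transition of generateServiceTicket still points at viewLoginForm rather than at the start of credential collection.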
