Thank you for your quick reply!

OK, good news about the optional PGT; I've modified my filter accordingly. 
I also modified the proxy chain (no more acceptAnyProxy). But the "bogus" 
log entry is still present.

Thanks for the explanation on proxyCallbackUrl and proxyReceptorUrl, 
it's much more understandable for me :-)

I use the latest Java CAS client (3.2.1) with commons-logging 1.1 and 
log4j 1.2.15 (those are the only jars in the lib folder).


Any hints?

----------
Log excerpt

2012-01-10 10:56:26,612 DEBUG 
[org.jasig.cas.client.validation.Cas20ProxyTicketValidator] -<Server 
response:<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas' 
xmlns:smacl='http://www.smacl.fr/protocols/cas'>
        <cas:authenticationSuccess>
                <cas:user>o-daroux</cas:user>
                <cas:proxies>
                        
<cas:proxy>https://servssi.smacl.lan:8443/mywebapp/proxyCallback</cas:proxy>
                </cas:proxies>
        </cas:authenticationSuccess>
</cas:serviceResponse>
>
2012-01-10 10:56:26,619 INFO 
[org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl] -<No Proxy Ticket 
found for [].>
2012-01-10 10:56:26,627 DEBUG 
[org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] 
-<Successfully authenticated user: o-daroux>
2012-01-10 10:56:26,627 DEBUG 
[org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] 
-<Redirecting after successful ticket validation.>




On 06/01/2012 20:11, Andrew Petro wrote:
> Olivier,
>
>     Is it possible not to ask for a PGT on a proxied service?
>
>
> Yes.  Very much so.  Asking for a PGT is the infrequent rather than 
> the common configuration.
>
> You shouldn't set acceptAnyProxy unless something else other than the 
> CAS20ProxyReceivingTicketValidationFilter is validating the proxy 
> chain.  Accepting any proxy chain without validating that chain 
> anywhere is a way to accidentally allow illicit delegated access to 
> your service, e.g., by any other service using CAS that is able to 
> obtain a PGT.  Actually accepting any proxy chain is seldom 
> appropriate -- the acceptAnyProxy feature is more there so that this 
> specific filter will accept any proxy chain, allowing something 
> downstream to (presumably, dynamically rather than statically) 
> scrutinize the chain.
>
> Instead of accepting any proxy, you can use allowedProxyChains to 
> specify explicitly the proxy chains characterizing proxy tickets you 
> mean to be accepting.
>
> If the service running the filter doesn't need to itself obtain and 
> use proxy tickets, then it doesn't need (and shouldn't have) a 
> proxyCallbackUrl and a proxyReceptorUrl.  Without a proxyCallbackUrl, 
> the filter won't request a PGT on ticket validation and so your 
> application won't have to cope with receiving one.  Without a 
> proxyReceptorUrl, the filter won't be watching to intercept those CAS 
> PGTIO/PGTID callbacks that aren't going to come because without the 
> proxyCallbackUrl they're not requested.
>
> In the case where you don't need proxy granting tickets, you don't 
> need a proxyGrantingTicketStorageClass either.
>
> That's odd that you're seeing log entries when you're trying not to 
> use PGTs.  Could you post your web.xml that configures the filter 
> where you're seeing these log entries, sanitized of any passwords or 
> other private information of course?  And precisely what version of 
> the Java CAS Client are you seeing this in?
>
> Kind regards,
>
> Andrew
>
>
>
>
>
>
> On Jan 6, 2012, at 11:32 AM, Olivier Daroux wrote:
>
>> Hi,
>>
>> I've got a question about the proxy system. Is it possible to not ask 
>> for a PGT on a proxied service?
>>
>> I've got an app, protected by the Java CAS filter, using 
>> CAS20ProxyReceivingTicketValidationFilter, with the corresponding params 
>> (acceptAnyProxy, proxyReceptorUrl and proxyCallbackUrl (I never found 
>> out if the two are needed)).
>> This app calls a web service, also protected by CAS, accepting a proxy 
>> ticket. So I set acceptAnyProxy to true.
>>
>> What I don't know is whether it's possible to not set proxyReceptorUrl 
>> and proxyCallbackUrl, so that my web service can't do proxying (because 
>> it doesn't need it)? When I don't set these params, the CAS client log 
>> shows "Proxy ticket not found for []" (from 
>> proxygrantingticketStorageImpl).
>>
>> The goal is to have better performance (no more calls from the CAS server 
>> to the WS to give a PGT), and less configuration (no more need for the WS 
>> server certificate in the CAS server keystore).
>>
>> I don't know if I'm understandable :-P
>>
>> Really appreciate some help.
>

<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2008, Martin W. Kirst
All rights reserved.

Redistribution and use in source and binary forms, with or without 
modification, are permitted provided that the following conditions are met: 

* Redistributions of source code must retain the above copyright notice, 
  this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright
  notice, this list of conditions and the following disclaimer in the
  documentation and/or other materials provided with the distribution.

* Neither the name of the Martin W. Kirst nor the names of its 
  contributors may be used to endorse or promote products derived from 
  this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS 
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER 
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-->
<web-app id="mywebapp" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
	
	<display-name>mywebapp</display-name>
	
	<description>
		
		Simple sample, how to use CAS Java Client 3.x.
		In this sample exists a public area (/)
		and a private area (/protected/*). 
		
	</description>

 
	<filter>
		<filter-name>CAS Single Sign Out Filter</filter-name>
		<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
	</filter>

	<filter>
		<filter-name>CAS Validation Filter</filter-name>
		<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
		<init-param>
			<param-name>casServerUrlPrefix</param-name>
			<param-value>https://servcasintdev.smacl.lan:8443/cas</param-value>
		</init-param>
		<init-param>
			<param-name>serverName</param-name>
			<param-value>http://servssi.smacl.lan:8080</param-value>
		</init-param>
		<init-param>
			<param-name>allowedProxyChains</param-name>
			<param-value>
			    https://servssi.smacl.lan:8443/mywebapp/proxyCallback
			    https://servssi.smacl.lan:8443/mywebapp2/proxyCallback
			</param-value>
		</init-param>
	</filter>
	
	<filter>
		<filter-name>CAS Authentication Filter</filter-name>
		<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
		<init-param>
			<param-name>casServerLoginUrl</param-name>
			<param-value>https://servcasintdev.smacl.lan:8443/cas/login</param-value>
		</init-param>
		<init-param>
			<param-name>serverName</param-name>
			<param-value>http://servssi.smacl.lan:8080</param-value>
		</init-param>
		<init-param>
			<param-name>renew</param-name>
			<param-value>false</param-value>
		</init-param>
		<init-param>
			<param-name>gateway</param-name>
			<param-value>false</param-value>
		</init-param>
	</filter>
	
	<filter>
		<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
		<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
	</filter>
	
	<filter>
		<filter-name>CAS Assertion Thread Local Filter</filter-name>
		<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
	</filter>

	<!-- ************************* -->


	<filter-mapping>
		<filter-name>CAS Single Sign Out Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>


	<filter-mapping>
		<filter-name>CAS Validation Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	 
	<filter-mapping>
		<filter-name>CAS Authentication Filter</filter-name>
		<url-pattern>/protected/*</url-pattern>
	</filter-mapping>

	<filter-mapping>
		<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	
	<filter-mapping>
		<filter-name>CAS Assertion Thread Local Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	
	<!--  *********************** -->

<!-- Sign out not yet implemented -->
<!-- 
	<listener>
		<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
	</listener>
-->

	<!--  *********************** -->

	<welcome-file-list>
		<welcome-file>index.jsp</welcome-file>
	</welcome-file-list>
	
</web-app>
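
The proxy-chain check discussed in this thread, modelled as an added Java example (not code from the thread or from the Java CAS Client): it reads the `<cas:proxy>` entries from a validation response shaped like the one in the log excerpt and compares them to an allow-list. The class and method names, the one-chain-per-line parsing of the allow-list, and the `other.example.org` URL are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;
// Illustrative model only; names and the allow-list format are assumptions.
public class ProxyChainCheck {
    static final String CAS_NS = "http://www.yale.edu/tp/cas";

    // Collect the <cas:proxy> URLs of a validation response, in document order.
    static List<String> proxyChain(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The response is untrusted input: refuse DOCTYPEs so no entities are expanded.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList nodes = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getElementsByTagNameNS(CAS_NS, "proxy");
        List<String> chain = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) chain.add(nodes.item(i).getTextContent().trim());
        return chain;
    }

    // Assumed format: one chain per line, URLs within a chain separated by whitespace.
    static List<List<String>> parseAllowed(String value) {
        List<List<String>> chains = new ArrayList<>();
        for (String line : value.split("\n")) {
            if (!line.trim().isEmpty()) chains.add(Arrays.asList(line.trim().split("\\s+")));
        }
        return chains;
    }

    // No proxies means a plain service ticket; otherwise the whole chain must match exactly.
    static boolean accept(List<String> chain, List<List<String>> allowed, boolean acceptAnyProxy) {
        return chain.isEmpty() || acceptAnyProxy || allowed.contains(chain);
    }

    public static void main(String[] args) throws Exception {
        String response = "<cas:serviceResponse xmlns:cas='" + CAS_NS + "'><cas:authenticationSuccess>"
                + "<cas:user>o-daroux</cas:user><cas:proxies><cas:proxy>%s</cas:proxy></cas:proxies>"
                + "</cas:authenticationSuccess></cas:serviceResponse>"; // constructed sample
        List<List<String>> allowed = parseAllowed("\n  https://servssi.smacl.lan:8443/mywebapp/proxyCallback\n"
                + "  https://servssi.smacl.lan:8443/mywebapp2/proxyCallback\n");
        String known = "https://servssi.smacl.lan:8443/mywebapp/proxyCallback";
        String unknown = "https://other.example.org/app/proxyCallback"; // constructed
        System.out.println(accept(proxyChain(String.format(response, known)), allowed, false));
        System.out.println(accept(proxyChain(String.format(response, unknown)), allowed, false));
        System.out.println(accept(proxyChain(String.format(response, unknown)), allowed, true));
    }
}
```

With the allow-list, only the response carrying the known callback is accepted; with `acceptAnyProxy` set, the constructed foreign proxy passes as well, which is why that setting needs a downstream check of the chain.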
