Thank you for your quick reply!
OK, good news for the optional PGT; I've modified my filter accordingly.
I also modified the proxy chain (no more acceptAnyProxy). But the "bogus"
log entry is still present.
Thanks for the explanation of proxyCallbackUrl and proxyReceptorUrl;
it's much more understandable for me :-)
I use the latest Java CAS client (3.2.1) with commons-logging 1.1
and log4j 1.2.15 (those are the only jars in the lib folder).
Any hint?
Thanks.
Olivier
----------
Log excerpt
2012-01-10 10:56:26,612 DEBUG
[org.jasig.cas.client.validation.Cas20ProxyTicketValidator] - <Server response:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'
xmlns:smacl='http://www.smacl.fr/protocols/cas'>
<cas:authenticationSuccess>
<cas:user>o-daroux</cas:user>
<cas:proxies>
<cas:proxy>https://servssi.smacl.lan:8443/mywebapp/proxyCallback</cas:proxy>
</cas:proxies>
</cas:authenticationSuccess>
</cas:serviceResponse>
>
2012-01-10 10:56:26,619 INFO
[org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl] - <No Proxy Ticket
found for [].>
2012-01-10 10:56:26,627 DEBUG
[org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] -
<Successfully authenticated user: o-daroux>
2012-01-10 10:56:26,627 DEBUG
[org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] -
<Redirecting after successful ticket validation.>
---------
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2008, Martin W. Kirst
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of the Martin W. Kirst nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<web-app id="mywebapp" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
         http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <display-name>mywebapp</display-name>
  <description>
    Simple sample showing how to use CAS Java Client 3.x.
    This sample has a public area (/) and a private area (/protected/*).
  </description>
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://servcasintdev.smacl.lan:8443/cas</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>http://servssi.smacl.lan:8080</param-value>
    </init-param>
    <!-- One accepted proxy chain per line; no acceptAnyProxy.
         No proxyCallbackUrl / proxyReceptorUrl: this app does not request a PGT. -->
    <init-param>
      <param-name>allowedProxyChains</param-name>
      <param-value>
        https://servssi.smacl.lan:8443/mywebapp/proxyCallback
        https://servssi.smacl.lan:8443/mywebapp2/proxyCallback
      </param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>https://servcasintdev.smacl.lan:8443/cas/login</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>http://servssi.smacl.lan:8080</param-value>
    </init-param>
    <init-param>
      <param-name>renew</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>gateway</param-name>
      <param-value>false</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
  </filter>
  <!-- ************************* -->
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/protected/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- *********************** -->
  <!-- Sign out not yet implemented -->
  <!--
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>
  -->
  <!-- *********************** -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
</web-app>
To : [email protected]
From : Andrew Petro <[email protected]>
Date : 06/01/2012 20h11
Subject : Re: [cas-user] Stop proxy chain
Olivier,
Is it possible not to ask for a PGT on a proxied service?
Yes. Very much so. Asking for a PGT is the infrequent rather than
the common configuration.
You shouldn't set acceptAnyProxy unless something else other than the
CAS20ProxyReceivingTicketValidationFilter is validating the proxy chain.
Accepting any proxy chain without validating that chain anywhere is a way
to accidentally allow illicit delegated access to your service, e.g., by any
other service using CAS that is able to obtain a PGT. Actually accepting
any proxy chain is seldom appropriate -- the acceptAnyProxy feature is more
there so that this specific filter will accept any proxy chain, allowing
something downstream to (presumably, dynamically rather than statically)
scrutinize the chain.
Instead of accepting any proxy, you can use allowedProxyChains to specify
explicitly the proxy chains characterizing proxy tickets you mean to be
accepting.
If the service running the filter doesn't need to itself obtain and use proxy
tickets, then it doesn't need (and shouldn't have) a proxyCallbackUrl and a
proxyReceptorUrl. Without a proxyCallbackUrl, the filter won't request a
PGT on ticket validation and so your application won't have to cope with
receiving one. Without a proxyReceptorUrl, the filter won't be watching
to intercept those CAS PGTIO/PGTID callbacks that aren't going to come because
without the proxyCallbackUrl they're not requested.
In the case where you don't need proxy granting tickets, you don't need a
proxyGrantingTicketStorageClass either.
That's odd that you're seeing log entries when you're trying not to use PGTs.
Could you post your web.xml that configures the filter where you're
seeing these log entries, sanitized of any passwords or other private
information of course? And precisely what version of the Java CAS Client
are you seeing this in?
Kind regards,
Andrew
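The acceptAnyProxy versus allowedProxyChains decision Andrew describes, as an added Python model of the check (not the Java CAS client's own code): it parses a cas:serviceResponse like the one in the log excerpt, and accepts a proxied ticket only when its proxy chain equals one configured chain exactly, or when acceptAnyProxy is set and no scrutiny happens at all. The one-chain-per-line layout of allowedProxyChains is taken from the web.xml above; the sample response is a constructed copy of the logged one.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed copy of the serviceResponse seen in the log excerpt.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>o-daroux</cas:user>
    <cas:proxies>
      <cas:proxy>https://servssi.smacl.lan:8443/mywebapp/proxyCallback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""


def parse_allowed_proxy_chains(param_value):
    """One chain per non-empty line of the init-param value; each chain is the
    whitespace-separated list of proxy callback URLs (assumed layout)."""
    return [tuple(line.split()) for line in param_value.splitlines() if line.strip()]


def parse_response(xml_text):
    """Return (user, proxies) from a CAS 2.0 serviceResponse, or (None, ())."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None, ()
    user = success.findtext("cas:user", namespaces=CAS_NS)
    proxies = tuple(p.text.strip()
                    for p in success.findall("cas:proxies/cas:proxy", CAS_NS))
    return user, proxies


def validate(xml_text, allowed_chains, accept_any_proxy=False):
    """Return the authenticated user, or None if the ticket must be rejected."""
    user, proxies = parse_response(xml_text)
    if user is None:
        return None
    if not proxies:            # plain service ticket: no proxying involved
        return user
    if accept_any_proxy:       # no check at all: any PGT holder gets in
        return user
    return user if proxies in allowed_chains else None
```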
On Jan 6, 2012, at 11:32 AM, Olivier Daroux wrote:
Hi,
I've got a question about the proxy system. Is it possible not to ask for a PGT
on a proxied service?
I've got an app, protected by the Java CAS filter, using
CAS20ProxyReceivingTicketValidationFilter, with the corresponding params
(acceptAnyProxy, proxyReceptorUrl and proxyCallbackUrl (never found out whether
the two are needed)).
This app calls a webservice, also protected by CAS, accepting a proxy ticket. So
I set acceptAnyProxy to true.
What I don't know is whether it's possible not to set proxyReceptorUrl and
proxyCallbackUrl, so that my webservice can't do proxying (because it doesn't
need it). When I don't set these params, the CAS client log shows "Proxy ticket
not found for []" (from ProxyGrantingTicketStorageImpl).
The goal is to have better performance (no more calls from the CAS server to
the WS to give a PGT) and less configuration (no more need for the WS server
certificate in the CAS server keystore).
I don't know if I'm understandable :-P
Really appreciate some help.