I'm using CAS 3.3.5 (which we're unfortunately stuck on due to some vendor 
compatibility issues) with Apache 2.2.3 and mod_auth_cas 1.0.9.1 to try and 
protect a directory so I can do some testing with SAML attributes. What I'm 
actually getting is the protected directory failing with HTTP 401 and the CAS 
ticket being left in the URL. There are no other authentication mechanisms in 
any higher directory. I'm not sure what information would be useful, so if I've 
missed something important please let me know.

In auth_cas.conf I've set these server directives:
LoadModule auth_cas_module modules/mod_auth_cas.so
CASVersion 2
CASLoginURL https://fortran.its.unb.ca/cas/login
CASValidateURL https://fortran.its.unb.ca/cas/serviceValidate
CASProxyValidateURL https://fortran.its.unb.ca/cas/proxyValidate
CASCookiePath /var/cache/apache/mod_auth_cas/
CASCertificatePath /etc/pki/tls/certs/ca-bundle.crt
CASAllowWildcardCert On
CASValidateServer Off
CASValidateSAML On
CASDebug On

In ssl.conf, at the VirtualHost level, I set "LogLevel debug" to get debug logs 
printed out. I have the following Location directive for the protected 
directory:
<Location /cas-dev>
        Options +ExecCGI
        AuthType CAS
        CASScope /
        Require valid-user
        AddHandler cgi-script .cgi
</Location>

When I try to access this directory, Apache's logs (filtered for mod_auth_cas) 
give me:
=== Initial request: ===
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1745): [client 131.202.75.5] 
Entering cas_authenticate()
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(519): [client 131.202.75.5] 
entering getCASService()
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(539): [client 131.202.75.5] 
CAS Service 'https%3a%2f%2fwebtest.its.unb.ca%2fcas-dev%2findex.cgi'
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(485): [client 131.202.75.5] 
entering getCASLoginURL()
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(462): [client 131.202.75.5] 
entering getCASGateway()
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(555): [client 131.202.75.5] 
entering redirectRequest()
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(567): [client 131.202.75.5] 
Adding outgoing header: Location: 
https://fortran.its.unb.ca/cas/login?service=https%3a%2f%2fwebtest.its.unb.ca%2fcas-dev%2findex.cgi

=== After successful authentication and redirection from CAS ===
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1745): [client 131.202.75.5] 
Entering cas_authenticate()
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(607): [client 131.202.75.5] 
Modified r->args (old 'ticket=ST-3-eiSBy0oqb2BBL2df7gDc-cas', new '')
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1600): [client 131.202.75.5] 
entering getResponseFromServer()
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(519): [client 131.202.75.5] 
entering getCASService()
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(539): [client 131.202.75.5] 
CAS Service 'https%3a%2f%2fwebtest.its.unb.ca%2fcas-dev%2findex.cgi'
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1674): [client 131.202.75.5] 
Validation response: <cas:serviceResponse 
xmlns:cas='http://www.yale.edu/tp/cas'>\n\t<cas:authenticationFailure 
code='INVALID_REQUEST'>\n\t\t&#039;service&#039; and &#039;ticket&#039; 
parameters are both 
required\n\t</cas:authenticationFailure>\n</cas:serviceResponse>
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1293): [client 131.202.75.5] 
entering isValidCASTicket()
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1299): [client 131.202.75.5] 
MOD_AUTH_CAS: response = <cas:serviceResponse 
xmlns:cas='http://www.yale.edu/tp/cas'>\n\t<cas:authenticationFailure 
code='INVALID_REQUEST'>\n\t\t&#039;service&#039; and &#039;ticket&#039; 
parameters are both 
required\n\t</cas:authenticationFailure>\n</cas:serviceResponse>

On the CAS server, I have these logging properties set:
log4j.rootLogger=INFO, logfile
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.appender.logfile.File=/var/log/tomcat6/cas.log
log4j.appender.logfile.MaxFileSize=10120KB
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile.layout.ConversionPattern=%d %p [%c] - %m%n
log4j.logger.org.springframework=WARN
log4j.logger.org.jasig=INFO
log4j.logger.org.jasig.cas.web.flow=INFO
log4j.logger.org.jasig.cas=DEBUG

All I get in cas.log when I authenticate is this:
2012-01-17 11:04:17,166 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] 
- Extractor generated service for: https://webtest.its.unb.ca/cas-dev/index.cgi
2012-01-17 11:04:17,168 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve 
ticket [TGT-1-cyZZbf6fjsz6tWtEPZYJ00bmkVLSwSg5INB7Dr03uRGXxCvDNN-cas]
2012-01-17 11:04:17,168 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket 
[TGT-1-cyZZbf6fjsz6tWtEPZYJ00bmkVLSwSg5INB7Dr03uRGXxCvDNN-cas] found in 
registry.
2012-01-17 11:04:17,168 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket 
[ST-3-eiSBy0oqb2BBL2df7gDc-cas] to registry.
2012-01-17 11:04:17,168 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - 
Granted service ticket [ST-3-eiSBy0oqb2BBL2df7gDc-cas] for service 
[https://webtest.its.unb.ca/cas-dev/index.cgi] for user [jgoguen]
2012-01-17 11:04:17,168 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve 
ticket [TGT-1-cyZZbf6fjsz6tWtEPZYJ00bmkVLSwSg5INB7Dr03uRGXxCvDNN-cas]
2012-01-17 11:04:17,168 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket 
[TGT-1-cyZZbf6fjsz6tWtEPZYJ00bmkVLSwSg5INB7Dr03uRGXxCvDNN-cas] found in 
registry.
2012-01-17 11:04:17,238 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] 
- Extractor did not generate service.

I have two services defined currently, 
https://fortran.its.unb.ca/cas/services/** and https://webtest.its.unb.ca/**, 
but I get the same result (except the first cas.log line is the same as the 
last line) if I remove all service definitions. Any assistance with getting 
authentication working would be greatly appreciated.

-- 
Joel Goguen
Developer
Enterprise Solutions
Information Technology Services
University of New Brunswick
E-mail: [email protected]
Phone: (506) 453-4872
Fax: (506) 453-3590
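As an added example for this thread (not part of the post above, and not mod_auth_cas or CAS server code): the serviceResponse quoted in the Apache debug log is what the CAS 2.0 /serviceValidate endpoint returns when the validation request's query string carries neither "service" nor "ticket". The Python below builds the two validation request shapes the CAS protocol distinguishes, the CAS 2.0 GET to /serviceValidate with both values as query parameters and the SAML 1.1 POST to /samlValidate with only TARGET in the query string and the ticket inside the SOAP body, mirrors the parameter check that produces INVALID_REQUEST, and parses both response formats down to the attributes. The service URL and ticket are the ones in the post; the validate endpoint hosts are the ones in the config; the failure body copies the log; the success bodies and the "mail" attribute are constructed.

```python
"""Two CAS ticket-validation request shapes and their response parsers.
Added example for this thread, not mod_auth_cas or CAS server code. Service and
ticket values come from the post; the XML bodies are constructed (the failure
body reproduces the serviceResponse quoted in the Apache debug log)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, parse_qs

CAS = "{http://www.yale.edu/tp/cas}"
SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
SAMLP = "{urn:oasis:names:tc:SAML:1.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"
SERVICE = "https://webtest.its.unb.ca/cas-dev/index.cgi"  # from the post
TICKET = "ST-3-eiSBy0oqb2BBL2df7gDc-cas"                   # from the post

# Constructed copy of the failure body in the Apache log above.
FAILURE_RESPONSE = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n\t"
    "<cas:authenticationFailure code='INVALID_REQUEST'>\n\t\t"
    "&#039;service&#039; and &#039;ticket&#039; parameters are both required\n\t"
    "</cas:authenticationFailure>\n</cas:serviceResponse>"
)
# Constructed: a CAS 2.0 success with one attribute (name and value are made up).
SUCCESS_RESPONSE = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationSuccess>"
    "<cas:user>jgoguen</cas:user><cas:attributes><cas:mail>jgoguen@example.invalid</cas:mail>"
    "</cas:attributes></cas:authenticationSuccess></cas:serviceResponse>"
)
# Constructed: the same result as a samlValidate SOAP response.
SAML_SUCCESS_RESPONSE = (
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>'
    '<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1">'
    '<Status><StatusCode Value="samlp:Success"/></Status>'
    '<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1">'
    "<AuthenticationStatement><Subject><NameIdentifier>jgoguen</NameIdentifier></Subject>"
    '</AuthenticationStatement><AttributeStatement><Attribute AttributeName="mail">'
    "<AttributeValue>jgoguen@example.invalid</AttributeValue></Attribute></AttributeStatement>"
    "</Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)


def cas2_validate_url(validate_url, service, ticket):
    """CAS 2.0: GET /serviceValidate?service=...&ticket=...; both are mandatory."""
    return validate_url + "?" + urlencode({"service": service, "ticket": ticket})


def saml11_validate_request(validate_url, service, ticket, request_id="_r1",
                            issued="2012-01-17T15:04:17Z"):
    """SAML 1.1: POST /samlValidate?TARGET=<service>; the ticket is an
    AssertionArtifact inside the SOAP body, not a query parameter. Returns (url, body)."""
    body = ('<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
            '<SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request '
            'xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" '
            f'MinorVersion="1" RequestID="{request_id}" IssueInstant="{issued}">'
            f"<samlp:AssertionArtifact>{ticket}</samlp:AssertionArtifact>"
            "</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>")
    return validate_url + "?" + urlencode({"TARGET": service}), body


def missing_cas2_params(url):
    """The check behind INVALID_REQUEST: which of service/ticket the query string lacks."""
    qs = parse_qs(urlsplit(url).query)
    return [p for p in ("service", "ticket") if p not in qs]


def parse_cas2_response(xml_text):
    """Classify a <cas:serviceResponse> as success (user, attributes) or failure."""
    root = ET.fromstring(xml_text)
    ok = root.find(CAS + "authenticationSuccess")
    if ok is None:
        fail = root.find(CAS + "authenticationFailure")
        if fail is None:
            raise ValueError("not a CAS 2.0 serviceResponse")
        return {"success": False, "code": fail.get("code"), "message": (fail.text or "").strip()}
    attrs = {}
    for child in ok.iterfind(CAS + "attributes/*"):  # each child element is one attribute
        attrs.setdefault(child.tag.split("}", 1)[-1], []).append((child.text or "").strip())
    return {"success": True, "user": ok.findtext(CAS + "user"), "attributes": attrs}


def parse_saml11_response(xml_text):
    """Classify a samlValidate SOAP response: status, subject and attribute values."""
    resp = ET.fromstring(xml_text).find(f"./{SOAP}Body/{SAMLP}Response")
    status = resp.find(f"./{SAMLP}Status/{SAMLP}StatusCode").get("Value", "")
    out = {"success": status.split(":")[-1] == "Success", "status": status,
           "user": None, "attributes": {}}
    assertion = resp.find(SAML + "Assertion")
    if assertion is not None:
        out["user"] = assertion.findtext(
            f".//{SAML}AuthenticationStatement/{SAML}Subject/{SAML}NameIdentifier")
        for attr in assertion.iter(SAML + "Attribute"):
            out["attributes"][attr.get("AttributeName")] = [
                (v.text or "").strip() for v in attr.findall(SAML + "AttributeValue")]
    return out
```

One check worth making against the log: capture the exact validation URL the Apache side sends and run missing_cas2_params() over it. A SAML-shaped request (TARGET in the query string, ticket in the body) aimed at a /serviceValidate URL reports both parameters missing, which is precisely the condition the quoted INVALID_REQUEST response describes, whereas the CAS 2.0 GET reports none.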
