Joel,

Is your CAS server running behind an Apache server (via AJP)? It appears that the ticket is somehow being dropped from the validation request. Could you increase either the CAS logging or the Apache logging (if CAS is behind Apache) to show the parameters of the validation request?

-Matt

On Jan 17, 2012 10:14 AM, "Joel Goguen" <[email protected]> wrote:
> I'm using CAS 3.3.5 (which we're unfortunately stuck on due to some vendor
> compatibility issues) with Apache 2.2.3 and mod_auth_cas 1.0.9.1 to try and
> protect a directory so I can do some testing with SAML attributes. What I'm
> actually getting is the protected directory failing with HTTP 401 and the
> CAS ticket being left in the URL. There are no other authentication
> mechanisms in any higher directory. I'm not sure what information would be
> useful, so if I've missed something important please let me know.
>
> In auth_cas.conf I've set these server directives:
> LoadModule auth_cas_module modules/mod_auth_cas.so
> CASVersion 2
> CASLoginURL https://fortran.its.unb.ca/cas/login
> CASValidateURL https://fortran.its.unb.ca/cas/serviceValidate
> CASProxyValidateURL https://fortran.its.unb.ca/cas/proxyValidate
> CASCookiePath /var/cache/apache/mod_auth_cas/
> CASCertificatePath /etc/pki/tls/certs/ca-bundle.crt
> CASAllowWildcardCert On
> CASValidateServer Off
> CASValidateSAML On
> CASDebug On
>
> In ssl.conf, at the VirtualHost level, I set "LogLevel debug" to get debug
> logs printed out.
>
> I have the following Location directive for the protected directory:
> <Location /cas-dev>
> Options +ExecCGI
> AuthType CAS
> CASScope /
> Require valid-user
> AddHandler cgi-script .cgi
> </Location>
>
> When I try to access this directory, Apache's logs (filtered for
> mod_auth_cas) give me:
>
> === Initial request: ===
> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1745): [client 131.202.75.5] Entering cas_authenticate()
> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(519): [client 131.202.75.5] entering getCASService()
> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(539): [client 131.202.75.5] CAS Service 'https%3a%2f%2fwebtest.its.unb.ca%2fcas-dev%2findex.cgi'
> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(485): [client 131.202.75.5] entering getCASLoginURL()
> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(462): [client 131.202.75.5] entering getCASGateway()
> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(555): [client 131.202.75.5] entering redirectRequest()
> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(567): [client 131.202.75.5] Adding outgoing header: Location: https://fortran.its.unb.ca/cas/login?service=https%3a%2f%2fwebtest.its.unb.ca%2fcas-dev%2findex.cgi
>
> === After successful authentication and redirection from CAS ===
> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1745): [client 131.202.75.5] Entering cas_authenticate()
> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(607): [client 131.202.75.5] Modified r->args (old 'ticket=ST-3-eiSBy0oqb2BBL2df7gDc-cas', new '')
> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1600): [client 131.202.75.5] entering getResponseFromServer()
> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(519): [client 131.202.75.5] entering getCASService()
> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(539): [client 131.202.75.5] CAS Service 'https%3a%2f%2fwebtest.its.unb.ca%2fcas-dev%2findex.cgi'
> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1674): [client 131.202.75.5] Validation response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n\t<cas:authenticationFailure code='INVALID_REQUEST'>\n\t\t'service' and 'ticket' parameters are both required\n\t</cas:authenticationFailure>\n</cas:serviceResponse>
> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1293): [client 131.202.75.5] entering isValidCASTicket()
> [Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1299): [client 131.202.75.5] MOD_AUTH_CAS: response = <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n\t<cas:authenticationFailure code='INVALID_REQUEST'>\n\t\t'service' and 'ticket' parameters are both required\n\t</cas:authenticationFailure>\n</cas:serviceResponse>
>
> On the CAS server, I have these logging properties set:
> log4j.rootLogger=INFO, logfile
> log4j.appender.logfile=org.apache.log4j.RollingFileAppender
> log4j.appender.logfile.File=/var/log/tomcat6/cas.log
> log4j.appender.logfile.MaxFileSize=10120KB
> log4j.appender.logfile.MaxBackupIndex=10
> log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
> log4j.appender.logfile.layout.ConversionPattern=%d %p [%c] - %m%n
> log4j.logger.org.springframework=WARN
> log4j.logger.org.jasig=INFO
> log4j.logger.org.jasig.cas.web.flow=INFO
> log4j.logger.org.jasig.cas=DEBUG
>
> All I get in cas.log when I authenticate is this:
> 2012-01-17 11:04:17,166 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: https://webtest.its.unb.ca/cas-dev/index.cgi
> 2012-01-17 11:04:17,168 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-1-cyZZbf6fjsz6tWtEPZYJ00bmkVLSwSg5INB7Dr03uRGXxCvDNN-cas]
> 2012-01-17 11:04:17,168 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [TGT-1-cyZZbf6fjsz6tWtEPZYJ00bmkVLSwSg5INB7Dr03uRGXxCvDNN-cas] found in registry.
> 2012-01-17 11:04:17,168 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket [ST-3-eiSBy0oqb2BBL2df7gDc-cas] to registry.
> 2012-01-17 11:04:17,168 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-3-eiSBy0oqb2BBL2df7gDc-cas] for service [https://webtest.its.unb.ca/cas-dev/index.cgi] for user [jgoguen]
> 2012-01-17 11:04:17,168 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-1-cyZZbf6fjsz6tWtEPZYJ00bmkVLSwSg5INB7Dr03uRGXxCvDNN-cas]
> 2012-01-17 11:04:17,168 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [TGT-1-cyZZbf6fjsz6tWtEPZYJ00bmkVLSwSg5INB7Dr03uRGXxCvDNN-cas] found in registry.
> 2012-01-17 11:04:17,238 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not generate service.
>
> I have two services defined currently,
> https://fortran.its.unb.ca/cas/services/** and
> https://webtest.its.unb.ca/**, but I get the same result (except the
> first cas.log line is the same as the last line) if I remove all service
> definitions. Any assistance with getting authentication working would be
> greatly appreciated.
>
> --
> Joel Goguen
> Developer
> Enterprise Solutions
> Information Technology Services
> University of New Brunswick
> E-mail: [email protected]
> Phone: (506) 453-4872
> Fax: (506) 453-3590
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
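The validation exchange the logs above show, as an added example that is not part of the thread, of mod_auth_cas or of the CAS server: a small Python helper that only builds the CAS 2.0 serviceValidate request when both mandatory parameters are present, and parses the serviceResponse, including the exact INVALID_REQUEST body quoted in the Apache debug log. The success reply, its attribute names and the CAS 3.0-style attribute block are constructed for the example.

```python
# Added example (not mod_auth_cas or CAS server code): build a CAS 2.0
# serviceValidate request with both mandatory parameters and parse the reply.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace of the responses in the thread
# Failure body from the Apache debug log above, with the logged \n\t escapes expanded.
FAILURE_RESPONSE = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n"
    "\t<cas:authenticationFailure code='INVALID_REQUEST'>\n"
    "\t\t'service' and 'ticket' parameters are both required\n"
    "\t</cas:authenticationFailure>\n</cas:serviceResponse>"
)
# Constructed success reply; the attribute block uses the CAS 3.0 protocol form.
SUCCESS_RESPONSE = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    "<cas:authenticationSuccess><cas:user>jgoguen</cas:user>"
    "<cas:attributes><cas:affiliation>staff</cas:affiliation>"
    "<cas:memberOf>cas-testers</cas:memberOf><cas:memberOf>its</cas:memberOf>"
    "</cas:attributes></cas:authenticationSuccess></cas:serviceResponse>"
)

def build_validate_url(validate_url, service, ticket):
    """Refuse to build a request missing either parameter: that is exactly the
    request CAS answers with INVALID_REQUEST, as in the log above."""
    if not service or not ticket:
        raise ValueError("serviceValidate needs both 'service' and 'ticket'")
    if not ticket.startswith(("ST-", "PT-")):
        raise ValueError("not a service or proxy ticket: %r" % ticket)
    return validate_url + "?" + urlencode({"service": service, "ticket": ticket})

def parse_service_response(xml_text):
    """Return {'ok': True, 'user', 'attributes'} or {'ok': False, 'code', 'message'}."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}serviceResponse" % CAS_NS:
        raise ValueError("unexpected root element: %s" % root.tag)
    success = root.find("{%s}authenticationSuccess" % CAS_NS)
    if success is not None:
        user = (success.findtext("{%s}user" % CAS_NS) or "").strip()
        if not user:
            raise ValueError("authenticationSuccess without <cas:user>")
        attrs, block = {}, success.find("{%s}attributes" % CAS_NS)
        for child in (block if block is not None else []):  # strip the namespace from each tag
            attrs.setdefault(child.tag.split("}")[-1], []).append((child.text or "").strip())
        return {"ok": True, "user": user, "attributes": attrs}
    failure = root.find("{%s}authenticationFailure" % CAS_NS)
    if failure is not None:  # collapse the \n\t padding CAS puts around the message
        return {"ok": False, "code": failure.get("code", ""),
                "message": " ".join((failure.text or "").split())}
    raise ValueError("serviceResponse has neither success nor failure")
```

Running it against the quoted failure body returns the INVALID_REQUEST code and message, which is the signal worth alerting on when a validation request reaches the CAS server without its ticket.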
