Hi Matt,

I am running behind Apache via AJP. Adding debug logging shows that mod_auth_cas seems to be posting to what I think is the right URL with the wrong parameters; the POST request is sent to

https://fortran.its.unb.ca/cas/serviceValidate?TARGET=https%3a%2f%2fwebtest.its.unb.ca%2fcas-dev%2f

with Content-Type text/xml and Content-Length 382, but no indication of what the content may be. I would have expected the POST request to go to

https://fortran.its.unb.ca/cas/serviceValidate?service=https%3a%2f%2fwebtest.its.unb.ca%2fcas-dev%2f&ticket=ST-1-mar9N3FJDp2LbT6U274g-cas

or to https://fortran.its.unb.ca/cas/serviceValidate with the service and ticket as POST data.
If I look for the ticket associated with the request in log files, all I see is this, which in context are the lines associated with my successful authentication and CAS redirecting me to the service with my shiny new ticket.

/var/log/tomcat6/cas.log:2012-01-18 08:51:12,644 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket [ST-1-mar9N3FJDp2LbT6U274g-cas] to registry.
/var/log/tomcat6/cas.log:2012-01-18 08:51:12,645 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-mar9N3FJDp2LbT6U274g-cas] for service [https://webtest.its.unb.ca/cas-dev/] for user [jgoguen]
/var/log/httpd/ssl_error_log:[Wed Jan 18 08:51:12 2012] [debug] ajp_header.c(599): ajp_unmarshal_response: Header[6] [Location] = [https://webtest.its.unb.ca/cas-dev/?ticket=ST-1-mar9N3FJDp2LbT6U274g-cas]

Searching the Apache logs on the service's server, I only have this:

/var/log/httpd/ssl_access_log:131.202.75.5 - - [18/Jan/2012:08:51:12 -0400] "GET /cas-dev/?ticket=ST-1-mar9N3FJDp2LbT6U274g-cas HTTP/1.1" 401 486
/var/log/httpd/ssl_error_log:[Wed Jan 18 08:51:12 2012] [debug] mod_auth_cas.c(607): [client 131.202.75.5] Modified r->args (old 'ticket=ST-1-mar9N3FJDp2LbT6U274g-cas', new ''), referer: https://fortran.its.unb.ca/cas/login?service=https%3a%2f%2fwebtest.its.unb.ca%2fcas-dev%2f

I realized a crucial difference between our production environment and development: production does not have "CASValidateSAML On" in auth_cas.conf while the development environment does. If I remove CASValidateSAML from the development service, everything works perfectly and the serviceValidate POST request is done exactly as I would have expected. Is there perhaps an issue with newer versions of mod_auth_cas (I'm using 1.0.9.1) with CAS Server 3.3.5 when enabling SAML?

On 2012-01-17, at 20:14, Matt Smith wrote:

Joel,

Is your CAS server running behind an Apache server (via AJP)?
It appears that the ticket is somehow being dropped from the validation request. Could you increase either the CAS logging or the Apache logging (if CAS is behind Apache) to show the parameters of the validation request?

-Matt

On Jan 17, 2012 10:14 AM, "Joel Goguen" <[email protected]> wrote:

I'm using CAS 3.3.5 (which we're unfortunately stuck on due to some vendor compatibility issues) with Apache 2.2.3 and mod_auth_cas 1.0.9.1 to try and protect a directory so I can do some testing with SAML attributes. What I'm actually getting is the protected directory failing with HTTP 401 and the CAS ticket being left in the URL. There are no other authentication mechanisms in any higher directory. I'm not sure what information would be useful, so if I've missed something important please let me know.

In auth_cas.conf I've set these server directives:

LoadModule auth_cas_module modules/mod_auth_cas.so
CASVersion 2
CASLoginURL https://fortran.its.unb.ca/cas/login
CASValidateURL https://fortran.its.unb.ca/cas/serviceValidate
CASProxyValidateURL https://fortran.its.unb.ca/cas/proxyValidate
CASCookiePath /var/cache/apache/mod_auth_cas/
CASCertificatePath /etc/pki/tls/certs/ca-bundle.crt
CASAllowWildcardCert On
CASValidateServer Off
CASValidateSAML On
CASDebug On

In ssl.conf, at the VirtualHost level, I set "LogLevel debug" to get debug logs printed out.
I have the following Location directive for the protected directory:

<Location /cas-dev>
  Options +ExecCGI
  AuthType CAS
  CASScope /
  Require valid-user
  AddHandler cgi-script .cgi
</Location>

When I try to access this directory, Apache's logs (filtered for mod_auth_cas) give me:

=== Initial request: ===
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1745): [client 131.202.75.5] Entering cas_authenticate()
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(519): [client 131.202.75.5] entering getCASService()
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(539): [client 131.202.75.5] CAS Service 'https%3a%2f%2fwebtest.its.unb.ca%2fcas-dev%2findex.cgi'
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(485): [client 131.202.75.5] entering getCASLoginURL()
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(462): [client 131.202.75.5] entering getCASGateway()
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(555): [client 131.202.75.5] entering redirectRequest()
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(567): [client 131.202.75.5] Adding outgoing header: Location: https://fortran.its.unb.ca/cas/login?service=https%3a%2f%2fwebtest.its.unb.ca%2fcas-dev%2findex.cgi

=== After successful authentication and redirection from CAS ===
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1745): [client 131.202.75.5] Entering cas_authenticate()
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(607): [client 131.202.75.5] Modified r->args (old 'ticket=ST-3-eiSBy0oqb2BBL2df7gDc-cas', new '')
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1600): [client 131.202.75.5] entering getResponseFromServer()
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(519): [client 131.202.75.5] entering getCASService()
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(539): [client 131.202.75.5] CAS Service 'https%3a%2f%2fwebtest.its.unb.ca%2fcas-dev%2findex.cgi'
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1674): [client 131.202.75.5] Validation response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n\t<cas:authenticationFailure code='INVALID_REQUEST'>\n\t\t'service' and 'ticket' parameters are both required\n\t</cas:authenticationFailure>\n</cas:serviceResponse>
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1293): [client 131.202.75.5] entering isValidCASTicket()
[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1299): [client 131.202.75.5] MOD_AUTH_CAS: response = <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n\t<cas:authenticationFailure code='INVALID_REQUEST'>\n\t\t'service' and 'ticket' parameters are both required\n\t</cas:authenticationFailure>\n</cas:serviceResponse>

On the CAS server, I have these logging properties set:

log4j.rootLogger=INFO, logfile
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.appender.logfile.File=/var/log/tomcat6/cas.log
log4j.appender.logfile.MaxFileSize=10120KB
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile.layout.ConversionPattern=%d %p [%c] - %m%n
log4j.logger.org.springframework=WARN
log4j.logger.org.jasig=INFO
log4j.logger.org.jasig.cas.web.flow=INFO
log4j.logger.org.jasig.cas=DEBUG

All I get in cas.log when I authenticate is this:

2012-01-17 11:04:17,166 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: https://webtest.its.unb.ca/cas-dev/index.cgi
2012-01-17 11:04:17,168 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-1-cyZZbf6fjsz6tWtEPZYJ00bmkVLSwSg5INB7Dr03uRGXxCvDNN-cas]
2012-01-17 11:04:17,168 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [TGT-1-cyZZbf6fjsz6tWtEPZYJ00bmkVLSwSg5INB7Dr03uRGXxCvDNN-cas] found in registry.
2012-01-17 11:04:17,168 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket [ST-3-eiSBy0oqb2BBL2df7gDc-cas] to registry.
2012-01-17 11:04:17,168 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-3-eiSBy0oqb2BBL2df7gDc-cas] for service [https://webtest.its.unb.ca/cas-dev/index.cgi] for user [jgoguen]
2012-01-17 11:04:17,168 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-1-cyZZbf6fjsz6tWtEPZYJ00bmkVLSwSg5INB7Dr03uRGXxCvDNN-cas]
2012-01-17 11:04:17,168 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [TGT-1-cyZZbf6fjsz6tWtEPZYJ00bmkVLSwSg5INB7Dr03uRGXxCvDNN-cas] found in registry.
2012-01-17 11:04:17,238 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not generate service.

I have two services defined currently, https://fortran.its.unb.ca/cas/services/** and https://webtest.its.unb.ca/**, but I get the same result (except the first cas.log line is the same as the last line) if I remove all service definitions. Any assistance with getting authentication working would be greatly appreciated.
--
Joel Goguen
Developer
Enterprise Solutions
Information Technology Services
University of New Brunswick
E-mail: [email protected]
Phone: (506) 453-4872
Fax: (506) 453-3590

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
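As an added example (not part of this thread, and not code from mod_auth_cas or CAS), the following Python script does the two things a practitioner triaging this exchange would want. First, it lints the auth_cas.conf directives quoted above for the mismatch the debug logs point at: with CASValidateSAML On, mod_auth_cas sends a SAML 1.1 validation request with the service in a TARGET query parameter, which is the request shape CAS serves at its /samlValidate endpoint, whereas /serviceValidate expects service and ticket parameters and answers INVALID_REQUEST otherwise, exactly as logged in the thread. Second, it pulls the CAS serviceResponse XML out of a mod_auth_cas "Validation response:" debug line and classifies it, so validation failures can be spotted in ssl_error_log without reading XML by eye. The config fragment, log line and failure response are constructed from the values in the thread; the success response is constructed for contrast.

```python
"""Lint mod_auth_cas validation settings and classify CAS validation responses.

Added example; not part of the mailing-list thread, mod_auth_cas or CAS.
All sample inputs below are constructed from values quoted in the thread.
"""
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed from the auth_cas.conf directives quoted in the thread.
SAMPLE_CONF = """\
CASVersion 2
CASLoginURL https://fortran.its.unb.ca/cas/login
CASValidateURL https://fortran.its.unb.ca/cas/serviceValidate
CASProxyValidateURL https://fortran.its.unb.ca/cas/proxyValidate
CASValidateServer Off
CASValidateSAML On
"""

# Constructed from the mod_auth_cas debug line in the thread. Apache escapes
# control characters when logging, so the newlines/tabs appear as literal \n \t.
SAMPLE_LOG_LINE = (
    "[Tue Jan 17 11:04:17 2012] [debug] mod_auth_cas.c(1674): [client 131.202.75.5] "
    "Validation response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\\n\\t"
    "<cas:authenticationFailure code='INVALID_REQUEST'>\\n\\t\\t"
    "'service' and 'ticket' parameters are both required"
    "\\n\\t</cas:authenticationFailure>\\n</cas:serviceResponse>"
)

# Constructed success response in the same CAS 2 protocol shape, for contrast.
SAMPLE_SUCCESS = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    "<cas:authenticationSuccess><cas:user>jgoguen</cas:user>"
    "</cas:authenticationSuccess></cas:serviceResponse>"
)


def parse_directives(conf):
    """Return {directive: value} for the CAS* directives in an Apache config fragment."""
    directives = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        if name.startswith("CAS"):
            directives[name] = value.strip()
    return directives


def lint_validate_url(directives):
    """Return a list of findings about the validation-related directives.

    CASValidateSAML On makes mod_auth_cas POST a SAML 1.1 request with a TARGET
    parameter; CAS answers that request at /samlValidate. Pointing it at
    /serviceValidate yields the INVALID_REQUEST response seen in the thread.
    """
    saml = directives.get("CASValidateSAML", "Off").lower() == "on"
    url = directives.get("CASValidateURL", "")
    endpoint = url.rsplit("/", 1)[-1]
    findings = []
    if saml and endpoint != "samlValidate":
        findings.append("CASValidateSAML is On but CASValidateURL ends in /%s; "
                        "the SAML validation request belongs at /samlValidate" % endpoint)
    if not saml and endpoint == "samlValidate":
        findings.append("CASValidateURL points at /samlValidate but CASValidateSAML is Off")
    if directives.get("CASValidateServer", "On").lower() == "off":
        findings.append("CASValidateServer Off disables certificate checking of the CAS server")
    return findings


def response_from_log_line(line):
    """Extract the CAS XML from a mod_auth_cas 'Validation response:' debug line.

    Returns None for lines that are not validation responses. The literal \\n
    and \\t escapes written by Apache's logger are turned back into whitespace.
    """
    marker = "Validation response: "
    idx = line.find(marker)
    if idx < 0:
        return None
    body = line[idx + len(marker):]
    return body.replace("\\n", "\n").replace("\\t", "\t")


def parse_cas_response(xml_text):
    """Classify a CAS 2 serviceResponse.

    Returns ('success', user), ('failure', code, message) or ('unknown',).
    """
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        return ("success", ok.findtext("cas:user", default="", namespaces=CAS_NS))
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is not None:
        return ("failure", fail.get("code", ""), (fail.text or "").strip())
    return ("unknown",)


if __name__ == "__main__":
    for finding in lint_validate_url(parse_directives(SAMPLE_CONF)):
        print("config:", finding)
    print("logged response:", parse_cas_response(response_from_log_line(SAMPLE_LOG_LINE)))
    print("success sample:", parse_cas_response(SAMPLE_SUCCESS))
```

Run against a real ssl_error_log, `response_from_log_line` can be applied per line and any `failure` result counted per client address; a burst of INVALID_REQUEST or INVALID_TICKET results from one client is worth a look, and a steady stream of INVALID_REQUEST from every client is the configuration mismatch the lint function reports, not an authentication problem.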
