Hi Jérôme,

On Tue, May 01, 2012 at 04:45:44AM -0500, jleleu wrote:
>
> A bigger stack trace would help, but I think that this error comes from
> ticket validation failure.
>
> When you try to access to the services management web app, you are redirected
> to CAS login to authenticate, then you login, finally you are redirected to
> the services management web app (inside CAS) with a service ticket.
> For ticket validation, the
> cas.securityContext.ticketValidator.casServerUrlPrefix is used. The ticket
> validation request is made by the services management web app in your server
> running on your JVM and I'm not sure your url https://our.cas.hawaii.edu/cas
> is properly resolved.
>
> I would try something like https://localhost:8443/cas or
> http://localhost:8080 (It depends on the security of your network) for the
> cas.securityContext.ticketValidator.casServerUrlPrefix property.

Thanks for the response. I did manage to get this sorted out, and it wasn't a CAS issue after all. Your suspicion that the URL wasn't being properly resolved nudged me in the right direction though. For the benefit of anyone else who might encounter this as well, the resolution is below.

I had installed CAS under Tomcat, with Tomcat listening on unprivileged ports. I had also configured iptables to perform port mapping from the default http(s) ports to the unprivileged ports that Tomcat was listening to. E.g.

    -A PREROUTING -d 172.16.1.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    -A PREROUTING -d 172.16.1.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

This worked as expected for connections where the source was an external host. After your reply above though, further troubleshooting revealed that I couldn't connect to the default ports from localhost; it appeared that the iptables rules were not being invoked. I eventually learned that the PREROUTING chain only applies to incoming connections and that in this context for CAS, I also needed similar rules for the OUTPUT chain for locally generated packets as well.

    -A OUTPUT -d 172.16.1.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    -A OUTPUT -d 172.16.1.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

Aloha,
-baron

--
Baron Fujimoto <[email protected]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
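
Added example, not part of the original message: a shell check over iptables-save output that lists the OUTPUT-chain REDIRECT rules missing for each PREROUTING REDIRECT rule, which is the gap described in the message above. The function name and the sample ruleset are constructed for illustration, and it assumes the rules carry no -i match, which the OUTPUT chain does not accept.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not captured from a real host):
# the 443 -> 8443 redirect exists in PREROUTING only.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 172.16.1.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -d 172.16.1.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -d 172.16.1.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'

# missing_output_redirects (hypothetical helper): reads iptables-save text on
# stdin and prints, for every nat PREROUTING REDIRECT rule, the OUTPUT rule
# that locally generated traffic would need but that is absent.
# Exit status is 1 when at least one rule is missing, 0 otherwise.
# Live use: iptables-save -t nat | missing_output_redirects
missing_output_redirects() {
    awk '
        /^\*/ { table = substr($1, 2) }            # "*nat" -> "nat"
        table == "nat" && $1 == "-A" && /-j REDIRECT/ {
            chain = $2
            spec = $0
            sub(/^-A [A-Z]+ /, "", spec)            # rule body without chain
            if (chain == "PREROUTING") {
                if (!(spec in pre)) { pre[spec] = 1; order[++n] = spec }
            } else if (chain == "OUTPUT") {
                out[spec] = 1
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in out)) { print "-A OUTPUT " order[i]; bad = 1 }
            exit bad + 0
        }
    '
}
```
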
