Do you know if the flow is getting to the external redirect portion?  You
may want to turn up logging for org.springframework.webflow and see if it's
struggling there.

The CAS code basically hands off redirection via the "externalRedirect:" in
web flow so it would be good to know if the hand-off succeeded.  If it did,
then our issue lies in the Spring code.

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia


On Wed, Apr 10, 2013 at 8:36 AM, Michael Herring <[email protected]> wrote:

> Jérôme,
>
> Thanks for your help. I'm using the default ant pattern matching service
> definition syntax. Here is my service definition:
> https://wiki-test.cache.denison.edu/**
>
> If I type a service URL that does not match the ant pattern I get the
> following and correct log message and the user sees an error page
> stating "Application Not Authorized to Use CAS":
> 2013-04-10 08:06:45,984 WARN
> [org.jasig.cas.web.flow.ServiceAuthorizationCheck] - <Unauthorized Service
> Access for Service: [ https://wiki-test.cache.denison.edeu/ ] - service
> is not defined in the service registry.>
>
> Where it gets interesting is when the pattern matches case insensitively.
> CAS will allow the service, authenticate the user, grant the ST and TGT (if
> needed), and then appears to do a case sensitive service lookup which fails
> leaving the user on the CAS server.
>
> Below is a log snippet showing that behaviour:
> 2013-04-10 08:07:21,138 DEBUG
> [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated
> service for: hTtPs://WiKi-test.cache.denison.edu/>
> 2013-04-10 08:07:51,142 DEBUG
> [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Performing
> LDAP bind with credential: [snipped]>
> 2013-04-10 08:07:51,201 DEBUG
> [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Password
> change not required for testuser>
> 2013-04-10 08:07:51,202 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully
> authenticated [username: testuser]>
> 2013-04-10 08:07:51,202 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - <Attempting to resolve a principal...>
> 2013-04-10 08:07:51,202 DEBUG
> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
> - <Attempting to resolve a principal...>
> 2013-04-10 08:07:51,203 DEBUG
> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
> - <Creating SimplePrincipal for [testuser]>
> 2013-04-10 08:07:51,203 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - <Resolved testuser. Trying LDAP resolve now...>
> 2013-04-10 08:07:51,214 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - <LDAP search with filter "(uid=testuser)">
> 2013-04-10 08:07:51,214 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - <returning searchcontrols: scope=2; search base=[snipped];
> attributes=[uid]; timeout=1000>
> 2013-04-10 08:07:51,269 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - <Resolved testuser to testuser>
> 2013-04-10 08:07:51,269 DEBUG
> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
> - <Creating SimplePrincipal for [testuser]>
> 2013-04-10 08:07:51,324 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved
> principal testuser>
> 2013-04-10 08:07:51,324 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler@436567b9 authenticated
> testuser with credential [username: testuser].>
> 2013-04-10 08:07:51,324 DEBUG
> [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Attribute map
> for testuser: {UDC_IDENTIFIER=[snipped], uid=testuser}>
> Audit trail record BEGIN
> =============================================================
> WHO: [username: testuser]
> WHAT: supplied credentials: [username: testuser]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Wed Apr 10 08:07:51 EDT 2013
> CLIENT IP ADDRESS: [snipped]
> SERVER IP ADDRESS: unknown
> =============================================================
>
> 2013-04-10 08:07:51,332 DEBUG
> [org.jasig.cas.ticket.registry.JpaTicketRegistry] - <Added ticket [
> TGT-2-ia4HoDtcXN29T7bTAQIzGQA3O7co1gelse2HOQWSKkQoynQ2ow-login-dev.cache.denison.edu]
> to registry.>
> Audit trail record BEGIN
> =============================================================
> WHO: [username: testuser]
> WHAT:
> TGT-2-ia4HoDtcXN29T7bTAQIzGQA3O7co1gelse2HOQWSKkQoynQ2ow-login-dev.cache.denison.edu
> ACTION: TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Wed Apr 10 08:07:51 EDT 2013
> CLIENT IP ADDRESS: [snipped]
> SERVER IP ADDRESS: unknown
> =============================================================
>
> 2013-04-10 08:07:51,367 DEBUG
> [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed
> cookie with name [CASPRIVACY]>
> 2013-04-10 08:07:51,368 DEBUG
> [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Starting search
> with searchFilter: (uid=testuser)>
> 2013-04-10 08:07:51,368 DEBUG
> [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Returning
> attributes pwdChangedTime:pwdExpireWarning:pwdMaxAge:hasSubordinates>
> 2013-04-10 08:07:51,424 DEBUG
> [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <No warning
> attribute value for hasSubordinates is set to: FALSE>
> 2013-04-10 08:07:51,424 DEBUG
> [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Account
> password will never expire. Skipping password warning check...>
> 2013-04-10 08:07:51,425 DEBUG
> [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie
> with name [CASTGC] and value [
> TGT-2-ia4HoDtcXN29T7bTAQIzGQA3O7co1gelse2HOQWSKkQoynQ2ow-login-dev.cache.denison.edu
> ]>
> 2013-04-10 08:07:51,441 DEBUG
> [org.jasig.cas.ticket.registry.JpaTicketRegistry] - <Updated ticket [
> TGT-2-ia4HoDtcXN29T7bTAQIzGQA3O7co1gelse2HOQWSKkQoynQ2ow-login-dev.cache.denison.edu
> ].>
> 2013-04-10 08:07:51,443 DEBUG
> [org.jasig.cas.ticket.registry.JpaTicketRegistry] - <Added ticket [
> ST-2-oLbFoymioi9ebZ2TSGwq-login-dev.cache.denison.edu] to registry.>
> 2013-04-10 08:07:51,445 INFO
> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [
> ST-2-oLbFoymioi9ebZ2TSGwq-login-dev.cache.denison.edu] for service [
> hTtPs://WiKi-test.cache.denison.edu/] for user [testuser]>
> Audit trail record BEGIN
> =============================================================
> WHO: testuser
> WHAT: ST-2-oLbFoymioi9ebZ2TSGwq-login-dev.cache.denison.edu for
> hTtPs://WiKi-test.cache.denison.edu/
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Wed Apr 10 08:07:51 EDT 2013
> CLIENT IP ADDRESS: [snipped]
> SERVER IP ADDRESS: unknown
> =============================================================
>
> 2013-04-10 08:07:51,508 DEBUG
> [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not
> generate service.>
> 2013-04-10 08:07:51,508 DEBUG
> [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor did not
> generate service.>
> 2013-04-10 08:07:51,509 DEBUG
> [org.jasig.cas.web.support.GoogleAccountsArgumentExtractor] - <Extractor
> did not generate service.>
>
> On Wed, Apr 10, 2013 at 6:26 AM, jleleu <[email protected]> wrote:
>
>> Hi,
>>
>> Your problem is very strange. Doing some basic tests, I get an
>> "unauthorized screen" as I have defined an in-memory regexp service:
>> http*://**.
>>
>> Can you turn on DEBUG logs on org.jasig.cas and post them ?
>>
>> Thanks,
>> Jérôme
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>>
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>
>
>
> --
> Michael Herring
> Information Technology Services
> Web Developer
> Denison University
> 740-587-6360
> [email protected]
>

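The symptom Michael describes (a service URL that passes the authorization check but fails the later lookup because the two compare case differently) is easy to reproduce outside CAS. The script below is an added example written for this thread, not CAS or Spring code, and it makes no claim about where in CAS the second lookup happens. It uses a small Ant-style matcher of its own, the service pattern from the thread, and a second constructed pattern (https://example.invalid/app/**) to show why only scheme and host, not the path, may be case-folded. The fix it demonstrates is the general rule: canonicalize the URL once and run every comparison on that canonical form.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed registry: the first entry is the Ant pattern from the thread,
# the second is a hypothetical entry with a path component so that path
# case-sensitivity can be shown too.
SERVICE_PATTERNS = [
    "https://wiki-test.cache.denison.edu/**",
    "https://example.invalid/app/**",
]


def ant_to_regex(pattern):
    """Translate an Ant-style pattern into an anchored regex:
    '**' matches any run of characters including '/', '*' and '?' do not
    cross '/'. Everything else is matched literally."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def ant_match(pattern, url, ignore_case):
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(ant_to_regex(pattern), url, flags) is not None


# --- The inconsistent pair: two code paths, two comparison rules -----------

def authorize_inconsistent(url):
    """Authorization check that folds case on the whole URL."""
    return any(ant_match(p, url, ignore_case=True) for p in SERVICE_PATTERNS)


def lookup_inconsistent(url):
    """Later lookup that compares byte-for-byte. Returns the matching
    pattern or None; a URL that passed authorize_inconsistent() can still
    get None here, which is the symptom in the thread."""
    for p in SERVICE_PATTERNS:
        if ant_match(p, url, ignore_case=False):
            return p
    return None


# --- The consistent version: canonicalize once, compare one way -----------

def canonicalize(url):
    """Lower-case only the parts RFC 3986 defines as case-insensitive
    (scheme and host). Userinfo, path, query and fragment keep their case,
    because '/Admin' and '/admin' may be different resources."""
    p = urlsplit(url)
    netloc = (p.hostname or "").lower()
    if p.port is not None:
        netloc += ":%d" % p.port
    if p.username is not None:
        userinfo = p.username
        if p.password is not None:
            userinfo += ":" + p.password
        netloc = userinfo + "@" + netloc
    return urlunsplit((p.scheme.lower(), netloc, p.path, p.query, p.fragment))


def lookup_consistent(url):
    """Single matching routine used for both the authorization decision and
    the later lookup, always on the canonical form, always case-sensitive."""
    canonical = canonicalize(url)
    for p in SERVICE_PATTERNS:
        if ant_match(p, canonical, ignore_case=False):
            return p
    return None


def authorize_consistent(url):
    return lookup_consistent(url) is not None


if __name__ == "__main__":
    odd = "hTtPs://WiKi-test.cache.denison.edu/"
    print("inconsistent: authorized=%s lookup=%r"
          % (authorize_inconsistent(odd), lookup_inconsistent(odd)))
    print("consistent:   authorized=%s lookup=%r"
          % (authorize_consistent(odd), lookup_consistent(odd)))
```

Run it as-is and the first line shows the thread's situation (authorized, then no lookup hit); the second shows the canonical form matching both times. The same canonicalization should be applied to the registry entries when they are loaded, otherwise a pattern written with a mixed-case host would never match.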