I turned up logging on org.springframework.webflow and can confirm a redirect is being attempted. It also appears that CAS ended up as the destination... In my overlay I see spring-webflow-2.3.0.RELEASE.jar in my WEB-INF/lib folder.

2013-04-10 09:04:23,420 DEBUG [org.springframework.webflow.mvc.servlet.FlowHandlerAdapter] - <Sending external redirect to ' httPs://wiki-test.cache.denison.edu/?ticket=ST-1-iZthignY1GwhMTRaeI2x-login-dev.cache.denison.edu '>
2013-04-10 09:04:23,643 DEBUG [org.springframework.webflow.mvc.servlet.FlowHandlerMapping] - <Mapping request with URI '/cas/login' to flow with id 'login'>
2013-04-10 09:04:23,643 DEBUG [org.springframework.webflow.executor.FlowExecutorImpl] - <Launching new execution of flow 'login' with input map['ticket' -> ' ST-1-iZthignY1GwhMTRaeI2x-login-dev.cache.denison.edu']>

Thanks for the help,
-Michael

On Wed, Apr 10, 2013 at 8:48 AM, Scott Battaglia <[email protected]> wrote:

> Do you know if the flow is getting to the external redirect portion? You
> may want to turn up logging for org.springframework.webflow and see if it's
> struggling there.
>
> The CAS code basically hands off redirection via the "externalRedirect:"
> in web flow so it would be good to know if the hand-off succeeded. If it
> did, then our issue lies in the Spring code.
>
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
> On Wed, Apr 10, 2013 at 8:36 AM, Michael Herring <[email protected]> wrote:
>
>> Jérôme,
>>
>> Thanks for your help. I'm using the default ant pattern matching service
>> definition syntax. Here is my service definition:
>> https://wiki-test.cache.denison.edu/**
>>
>> If I type a service URL that does not match the ant pattern I get the
>> following and correct log message and the user sees an error page
>> stating "Application Not Authorized to Use CAS":
>> 2013-04-10 08:06:45,984 WARN [org.jasig.cas.web.flow.ServiceAuthorizationCheck] - <Unauthorized Service Access for Service: [ https://wiki-test.cache.denison.edeu/ ] - service is not defined in the service registry.>
>>
>> Where it gets interesting is when the pattern matches case insensitively.
>> CAS will allow the service, authenticate the user, grant the ST and TGT (if
>> needed), and then appears to do a case sensitive service lookup which fails
>> leaving the user on the CAS server.
>>
>> Below is a log snippet showing that behaviour:
>> 2013-04-10 08:07:21,138 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: hTtPs://WiKi-test.cache.denison.edu/>
>> 2013-04-10 08:07:51,142 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Performing LDAP bind with credential: [snipped]>
>> 2013-04-10 08:07:51,201 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Password change not required for testuser>
>> 2013-04-10 08:07:51,202 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated [username: testuser]>
>> 2013-04-10 08:07:51,202 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Attempting to resolve a principal...>
>> 2013-04-10 08:07:51,202 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
>> 2013-04-10 08:07:51,203 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Creating SimplePrincipal for [testuser]>
>> 2013-04-10 08:07:51,203 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Resolved testuser. Trying LDAP resolve now...>
>> 2013-04-10 08:07:51,214 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <LDAP search with filter "(uid=testuser)">
>> 2013-04-10 08:07:51,214 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <returning searchcontrols: scope=2; search base=[snipped]; attributes=[uid]; timeout=1000>
>> 2013-04-10 08:07:51,269 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Resolved testuser to testuser>
>> 2013-04-10 08:07:51,269 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Creating SimplePrincipal for [testuser]>
>> 2013-04-10 08:07:51,324 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal testuser>
>> 2013-04-10 08:07:51,324 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler@436567b9authenticated testuser with credential [username: testuser].>
>> 2013-04-10 08:07:51,324 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Attribute map for testuser: {UDC_IDENTIFIER=[snipped], uid=testuser}>
>> Audit trail record BEGIN
>> =============================================================
>> WHO: [username: testuser]
>> WHAT: supplied credentials: [username: testuser]
>> ACTION: AUTHENTICATION_SUCCESS
>> APPLICATION: CAS
>> WHEN: Wed Apr 10 08:07:51 EDT 2013
>> CLIENT IP ADDRESS: [snipped]
>> SERVER IP ADDRESS: unknown
>> =============================================================
>>
>> 2013-04-10 08:07:51,332 DEBUG [org.jasig.cas.ticket.registry.JpaTicketRegistry] - <Added ticket [ TGT-2-ia4HoDtcXN29T7bTAQIzGQA3O7co1gelse2HOQWSKkQoynQ2ow-login-dev.cache.denison.edu] to registry.>
>> Audit trail record BEGIN
>> =============================================================
>> WHO: [username: testuser]
>> WHAT: TGT-2-ia4HoDtcXN29T7bTAQIzGQA3O7co1gelse2HOQWSKkQoynQ2ow-login-dev.cache.denison.edu
>> ACTION: TICKET_GRANTING_TICKET_CREATED
>> APPLICATION: CAS
>> WHEN: Wed Apr 10 08:07:51 EDT 2013
>> CLIENT IP ADDRESS: [snipped]
>> SERVER IP ADDRESS: unknown
>> =============================================================
>>
>> 2013-04-10 08:07:51,367 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed cookie with name [CASPRIVACY]>
>> 2013-04-10 08:07:51,368 DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Starting search with searchFilter: (uid=testuser)>
>> 2013-04-10 08:07:51,368 DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Returning attributes pwdChangedTime:pwdExpireWarning:pwdMaxAge:hasSubordinates>
>> 2013-04-10 08:07:51,424 DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <No warning attribute value for hasSubordinates is set to: FALSE>
>> 2013-04-10 08:07:51,424 DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Account password will never expire. Skipping password warning check...>
>> 2013-04-10 08:07:51,425 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie with name [CASTGC] and value [ TGT-2-ia4HoDtcXN29T7bTAQIzGQA3O7co1gelse2HOQWSKkQoynQ2ow-login-dev.cache.denison.edu ]>
>> 2013-04-10 08:07:51,441 DEBUG [org.jasig.cas.ticket.registry.JpaTicketRegistry] - <Updated ticket [ TGT-2-ia4HoDtcXN29T7bTAQIzGQA3O7co1gelse2HOQWSKkQoynQ2ow-login-dev.cache.denison.edu ].>
>> 2013-04-10 08:07:51,443 DEBUG [org.jasig.cas.ticket.registry.JpaTicketRegistry] - <Added ticket [ ST-2-oLbFoymioi9ebZ2TSGwq-login-dev.cache.denison.edu] to registry.>
>> 2013-04-10 08:07:51,445 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ ST-2-oLbFoymioi9ebZ2TSGwq-login-dev.cache.denison.edu] for service [ hTtPs://WiKi-test.cache.denison.edu/] for user [testuser]>
>> Audit trail record BEGIN
>> =============================================================
>> WHO: testuser
>> WHAT: ST-2-oLbFoymioi9ebZ2TSGwq-login-dev.cache.denison.edu for hTtPs://WiKi-test.cache.denison.edu/
>> ACTION: SERVICE_TICKET_CREATED
>> APPLICATION: CAS
>> WHEN: Wed Apr 10 08:07:51 EDT 2013
>> CLIENT IP ADDRESS: [snipped]
>> SERVER IP ADDRESS: unknown
>> =============================================================
>>
>> 2013-04-10 08:07:51,508 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not generate service.>
>> 2013-04-10 08:07:51,508 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor did not generate service.>
>> 2013-04-10 08:07:51,509 DEBUG [org.jasig.cas.web.support.GoogleAccountsArgumentExtractor] - <Extractor did not generate service.>
>>
>> On Wed, Apr 10, 2013 at 6:26 AM, jleleu <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> Your problem is very strange. Doing some basic tests, I get an
>>> "unauthorized screen" as I have defined an in memory regexp service:
>>> http*://**.
>>>
>>> Can you turn on DEBUG logs on org.jasig.cas and post them?
>>>
>>> Thanks,
>>> Jérôme
>>>
>>> --
>>> You are currently subscribed to [email protected] as:
>>> [email protected]
>>>
>>> To unsubscribe, change settings or access archives, see
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>
>>
>> --
>> Michael Herring
>> Information Technology Services
>> Web Developer
>> Denison University
>> 740-587-6360
>> [email protected]
>

--
Michael Herring
Information Technology Services
Web Developer
Denison University
740-587-6360
[email protected]
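
A log check for the behaviour reported in this thread, as an added example that is not part of any message above and is not CAS code: it scans "Granted service ticket" lines for service URLs that match a registered prefix only after the scheme and host are lower-cased. The log lines are constructed in the format shown in the thread, the hosts are placeholders, and reducing the Ant pattern `https://host/**` to a plain prefix is an assumption of the example.

```python
import re
from urllib.parse import urlsplit

# Constructed log lines modelled on the thread's format; hosts are placeholders.
SAMPLE_LOG = """\
2013-04-10 08:07:51,445 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ ST-2-EXAMPLE-login.example.edu] for service [ hTtPs://WiKi-test.example.edu/] for user [testuser]>
2013-04-10 08:09:12,101 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-3-EXAMPLE-login.example.edu] for service [https://wiki-test.example.edu/page] for user [testuser]>
2013-04-10 08:10:02,007 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-4-EXAMPLE-login.example.edu] for service [https://wiki-test.example.edu/Page?x=Y] for user [other]>
"""

GRANT = re.compile(
    r"Granted service ticket \[\s*(?P<ticket>[^\]\s]+)\s*\] "
    r"for service \[\s*(?P<service>[^\]\s]+)\s*\] "
    r"for user \[(?P<user>[^\]]+)\]"
)

def canonical(url):
    """Lower-case only the parts RFC 3986 treats as case-insensitive
    (scheme and host); path and query keep their case."""
    parts = urlsplit(url)  # urlsplit already lower-cases the scheme
    return parts._replace(netloc=parts.netloc.lower()).geturl()

def case_folded_grants(log_text, registered_prefix):
    """Return (ticket, raw service URL, user) for grants whose service URL
    matches registered_prefix only after scheme/host case folding, i.e. the
    raw string would fail an exact, case-sensitive comparison."""
    findings = []
    for m in GRANT.finditer(log_text):
        raw = m["service"]
        if raw.startswith(registered_prefix):
            continue  # exact match, nothing to report
        if canonical(raw).startswith(registered_prefix):
            findings.append((m["ticket"], raw, m["user"]))
    return findings

if __name__ == "__main__":
    prefix = "https://wiki-test.example.edu/"  # assumed registry entry, minus "**"
    for ticket, raw, user in case_folded_grants(SAMPLE_LOG, prefix):
        print(f"{ticket} user={user} service={raw} -> {canonical(raw)}")
```
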
