It looks like Spring is case sensitive possibly: https://github.com/SpringSource/spring-webflow/blob/49fe4b49a9c5c284d9af909ecd70b7b862366da7/spring-webflow/src/main/java/org/springframework/webflow/mvc/servlet/FlowHandlerAdapter.java
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Wed, Apr 10, 2013 at 9:15 AM, Michael Herring <[email protected]> wrote:

> I turned up logging on org.springframework.webflow and can confirm a
> redirect is being attempted. It also appears that CAS ended up as the
> destination...In my overlay I see spring-webflow-2.3.0.RELEASE.jar in my
> WEB-INF/lib folder.
>
> 2013-04-10 09:04:23,420 DEBUG
> [org.springframework.webflow.mvc.servlet.FlowHandlerAdapter] - <Sending
> external redirect to '
> httPs://wiki-test.cache.denison.edu/?ticket=ST-1-iZthignY1GwhMTRaeI2x-login-dev.cache.denison.edu
> '>
> 2013-04-10 09:04:23,643 DEBUG
> [org.springframework.webflow.mvc.servlet.FlowHandlerMapping] - <Mapping
> request with URI '/cas/login' to flow with id 'login'>
> 2013-04-10 09:04:23,643 DEBUG
> [org.springframework.webflow.executor.FlowExecutorImpl] - <Launching new
> execution of flow 'login' with input map['ticket' -> '
> ST-1-iZthignY1GwhMTRaeI2x-login-dev.cache.denison.edu']>
>
> Thanks for the help,
> -Michael
>
> On Wed, Apr 10, 2013 at 8:48 AM, Scott Battaglia <
> [email protected]> wrote:
>
>> Do you know if the flow is getting to the external redirect portion? You
>> may want to turn up logging for org.springframework.webflow and see if it's
>> struggling there.
>>
>> The CAS code basically hands off redirection via the "externalRedirect:"
>> in web flow so it would be good to know if the hand-off succeeded. If it
>> did, then our issue lies in the Spring code.
>>
>> -Scott Battaglia
>> PGP Public Key Id: 0x383733AA
>> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>>
>>
>> On Wed, Apr 10, 2013 at 8:36 AM, Michael Herring <[email protected]> wrote:
>>
>>> Jérôme,
>>>
>>> Thanks for your help. I'm using the default ant pattern matching service
>>> definition syntax. Here is my service definition:
>>> https://wiki-test.cache.denison.edu/**
>>>
>>> If I type a service URL that does not match the ant pattern I get the
>>> following and correct log message and the user sees an error page
>>> stating "Application Not Authorized to Use CAS":
>>> 2013-04-10 08:06:45,984 WARN
>>> [org.jasig.cas.web.flow.ServiceAuthorizationCheck] - <Unauthorized Service
>>> Access for Service: [ https://wiki-test.cache.denison.edeu/ ] - service
>>> is not defined in the service registry.>
>>>
>>> Where it gets interesting is when the pattern matches case
>>> insensitively. CAS will allow the service, authenticate the user, grant the
>>> ST and TGT (if needed), and then appears to do a case sensitive service
>>> lookup which fails leaving the user on the CAS server.
>>>
>>> Below is a log snippet showing that behaviour:
>>> 2013-04-10 08:07:21,138 DEBUG
>>> [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated
>>> service for: hTtPs://WiKi-test.cache.denison.edu/>
>>> 2013-04-10 08:07:51,142 DEBUG
>>> [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Performing
>>> LDAP bind with credential: [snipped]>
>>> 2013-04-10 08:07:51,201 DEBUG
>>> [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Password
>>> change not required for testuser>
>>> 2013-04-10 08:07:51,202 INFO
>>> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
>>> <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully
>>> authenticated [username: testuser]>
>>> 2013-04-10 08:07:51,202 DEBUG
>>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>>> - <Attempting to resolve a principal...>
>>> 2013-04-10 08:07:51,202 DEBUG
>>> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
>>> - <Attempting to resolve a principal...>
>>> 2013-04-10 08:07:51,203 DEBUG
>>> [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
>>> - <Creating SimplePrincipal for [testuser]>
>>> 2013-04-10 08:07:51,203 DEBUG
>>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>>> - <Resolved testuser. Trying LDAP resolve now...>
>>> 2013-04-10 08:07:51,214 DEBUG
>>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>>> - <LDAP search with filter "(uid=testuser)">
>>> 2013-04-10 08:07:51,214 DEBUG
>>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>>> - <returning searchcontrols: scope=2; search base=[snipped];
>>> attributes=[uid]; timeout=1000>
>>> 2013-04-10 08:07:51,269 DEBUG
>>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>>> - <Resolved testuser to testuser>
>>> 2013-04-10 08:07:51,269 DEBUG
>>> [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver]
>>> - <Creating SimplePrincipal for [testuser]>
>>> 2013-04-10 08:07:51,324 INFO
>>> [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved
>>> principal testuser>
>>> 2013-04-10 08:07:51,324 INFO
>>> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
>>> <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler@436567b9authenticated
>>> testuser with credential [username: testuser].>
>>> 2013-04-10 08:07:51,324 DEBUG
>>> [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Attribute map
>>> for testuser: {UDC_IDENTIFIER=[snipped], uid=testuser}>
>>> Audit trail record BEGIN
>>> =============================================================
>>> WHO: [username: testuser]
>>> WHAT: supplied credentials: [username: testuser]
>>> ACTION: AUTHENTICATION_SUCCESS
>>> APPLICATION: CAS
>>> WHEN: Wed Apr 10 08:07:51 EDT 2013
>>> CLIENT IP ADDRESS: [snipped]
>>> SERVER IP ADDRESS: unknown
>>> =============================================================
>>>
>>> 2013-04-10 08:07:51,332 DEBUG
>>> [org.jasig.cas.ticket.registry.JpaTicketRegistry] - <Added ticket [
>>> TGT-2-ia4HoDtcXN29T7bTAQIzGQA3O7co1gelse2HOQWSKkQoynQ2ow-login-dev.cache.denison.edu]
>>> to registry.>
>>> Audit trail record BEGIN
>>> =============================================================
>>> WHO: [username: testuser]
>>> WHAT:
>>> TGT-2-ia4HoDtcXN29T7bTAQIzGQA3O7co1gelse2HOQWSKkQoynQ2ow-login-dev.cache.denison.edu
>>> ACTION: TICKET_GRANTING_TICKET_CREATED
>>> APPLICATION: CAS
>>> WHEN: Wed Apr 10 08:07:51 EDT 2013
>>> CLIENT IP ADDRESS: [snipped]
>>> SERVER IP ADDRESS: unknown
>>> =============================================================
>>>
>>> 2013-04-10 08:07:51,367 DEBUG
>>> [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed
>>> cookie with name [CASPRIVACY]>
>>> 2013-04-10 08:07:51,368 DEBUG
>>> [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Starting search
>>> with searchFilter: (uid=testuser)>
>>> 2013-04-10 08:07:51,368 DEBUG
>>> [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Returning
>>> attributes pwdChangedTime:pwdExpireWarning:pwdMaxAge:hasSubordinates>
>>> 2013-04-10 08:07:51,424 DEBUG
>>> [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <No warning
>>> attribute value for hasSubordinates is set to: FALSE>
>>> 2013-04-10 08:07:51,424 DEBUG
>>> [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Account
>>> password will never expire. Skipping password warning check...>
>>> 2013-04-10 08:07:51,425 DEBUG
>>> [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie
>>> with name [CASTGC] and value [
>>> TGT-2-ia4HoDtcXN29T7bTAQIzGQA3O7co1gelse2HOQWSKkQoynQ2ow-login-dev.cache.denison.edu
>>> ]>
>>> 2013-04-10 08:07:51,441 DEBUG
>>> [org.jasig.cas.ticket.registry.JpaTicketRegistry] - <Updated ticket [
>>> TGT-2-ia4HoDtcXN29T7bTAQIzGQA3O7co1gelse2HOQWSKkQoynQ2ow-login-dev.cache.denison.edu
>>> ].>
>>> 2013-04-10 08:07:51,443 DEBUG
>>> [org.jasig.cas.ticket.registry.JpaTicketRegistry] - <Added ticket [
>>> ST-2-oLbFoymioi9ebZ2TSGwq-login-dev.cache.denison.edu] to registry.>
>>> 2013-04-10 08:07:51,445 INFO
>>> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [
>>> ST-2-oLbFoymioi9ebZ2TSGwq-login-dev.cache.denison.edu] for service [
>>> hTtPs://WiKi-test.cache.denison.edu/] for user [testuser]>
>>> Audit trail record BEGIN
>>> =============================================================
>>> WHO: testuser
>>> WHAT: ST-2-oLbFoymioi9ebZ2TSGwq-login-dev.cache.denison.edu for
>>> hTtPs://WiKi-test.cache.denison.edu/
>>> ACTION: SERVICE_TICKET_CREATED
>>> APPLICATION: CAS
>>> WHEN: Wed Apr 10 08:07:51 EDT 2013
>>> CLIENT IP ADDRESS: [snipped]
>>> SERVER IP ADDRESS: unknown
>>> =============================================================
>>>
>>> 2013-04-10 08:07:51,508 DEBUG
>>> [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not
>>> generate service.>
>>> 2013-04-10 08:07:51,508 DEBUG
>>> [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor did not
>>> generate service.>
>>> 2013-04-10 08:07:51,509 DEBUG
>>> [org.jasig.cas.web.support.GoogleAccountsArgumentExtractor] - <Extractor
>>> did not generate service.>
>>>
>>> On Wed, Apr 10, 2013 at 6:26 AM, jleleu <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> Your problem is very strange. Doing some basic tests, I get an
>>>> "unauthorized screen" as I have defined an in memory regexp service :
>>>> http*://**.
>>>>
>>>> Can you turn on DEBUG logs on org.jasig.cas and post them?
>>>>
>>>> Thanks,
>>>> Jérôme
>>>>
>>>> --
>>>> You are currently subscribed to [email protected] as:
>>>> [email protected]
>>>>
>>>> To unsubscribe, change settings or access archives, see
>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>>
>>>
>>> --
>>> Michael Herring
>>> Information Technology Services
>>> Web Developer
>>> Denison University
>>> 740-587-6360
>>> [email protected]
>>>
>>
>
> --
> Michael Herring
> Information Technology Services
> Web Developer
> Denison University
> 740-587-6360
> [email protected]
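
Added example, not part of the original thread and not code from CAS or Spring Web Flow: a Java program showing the mismatch discussed above, where a case-insensitive service pattern match accepts a URL that a case-sensitive scheme test does not recognise as absolute, and how normalising scheme and host once removes the disagreement. The class and the methods registryAllows, treatedAsAbsolute and normalize are hypothetical stand-ins; the case-insensitive match and the case-sensitive scheme test are assumptions taken from what the thread reports and suspects.

```java
import java.net.URI;
import java.util.Locale;
import java.util.regex.Pattern;

public class ServiceUrlCaseDemo {
    // Assumed registry check: Ant-style "**" pattern matched case-insensitively,
    // which is the behaviour reported in the thread.
    static boolean registryAllows(String antPattern, String url) {
        String regex = Pattern.quote(antPattern).replace("**", "\\E.*\\Q");
        return Pattern.compile(regex, Pattern.CASE_INSENSITIVE).matcher(url).matches();
    }

    // Assumed redirect classifier: case-sensitive scheme test, the behaviour
    // the thread suspects in the redirect hand-off.
    static boolean treatedAsAbsolute(String location) {
        return location.startsWith("http://") || location.startsWith("https://");
    }

    // Scheme and host are case-insensitive (RFC 3986, section 6.2.2.1), so
    // lower-case them once, before the registry check and the redirect.
    static String normalize(String url) {
        URI u = URI.create(url);
        if (u.getScheme() == null || u.getHost() == null || u.getRawUserInfo() != null) {
            throw new IllegalArgumentException("not an acceptable absolute service URL");
        }
        StringBuilder sb = new StringBuilder(u.getScheme().toLowerCase(Locale.ROOT))
                .append("://").append(u.getHost().toLowerCase(Locale.ROOT));
        if (u.getPort() != -1) sb.append(':').append(u.getPort());
        if (u.getRawPath() != null) sb.append(u.getRawPath());
        if (u.getRawQuery() != null) sb.append('?').append(u.getRawQuery());
        return sb.toString();
    }

    public static void main(String[] args) {
        String pattern = "https://wiki-test.cache.denison.edu/**"; // service definition from the thread
        String requested = "hTtPs://WiKi-test.cache.denison.edu/"; // service URL from the thread's log
        String canonical = normalize(requested);
        System.out.println("raw:       allowed=" + registryAllows(pattern, requested)
                + " absolute=" + treatedAsAbsolute(requested));
        System.out.println("canonical: " + canonical + " allowed="
                + registryAllows(pattern, canonical) + " absolute=" + treatedAsAbsolute(canonical));
    }
}
```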
