I have successfully configured Apache Tomcat to use X.509 certificate-based
authentication.  My certificate is on a smart card which is inserted into my
laptop.   I am now trying to pass this authentication on to CAS, which is
loaded into the same Apache Tomcat instance, but it fails.

Here is what the debug output looks like.  I have replaced some information
with XXXXX.  I have also included the contents of the login-webflow.xml
file.

Does anyone have an idea of what the problem might be?

Thanks in advance!

From Output with Debug Turned On

2013-04-26 14:54:28,502 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction@2673b2>
2013-04-26 14:54:28,502 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: CN=MICHAEL COLBURN + UID=XXXXXXXXXXX, OU=XXXXXXX, OU=XXXXXXX,
O=XXXXXXXXXXXX, C=US, SerialNumber=XXXXXXXXXX
WHAT: supplied credentials: CN=MICHAEL COLBURN + UID=XXXXXXXXX, OU=XXXXXXXX, OU=XXXXXXXXX, O=XXXXXXXXXX, C=US, SerialNumber=XXXXXXXXXX
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Apr 26 14:54:28 MDT 2013
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2013-04-26 14:54:28,502 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: CN=MICHAEL COLBURN + UID=XXXXXXXXXXXXX, OU=XXXXX, OU=XXXXXXXXXXX,
O=XXXXXXXXXXXXX, C=US, SerialNumber=XXXXXXXXXXXXXX
WHAT: error.authentication.credentials.unsupported
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Fri Apr 26 14:54:28 MDT 2013
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2013-04-26 14:54:28,502 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction@2673b2; result = error>

In pom.xml I have this dependency defined:


        <!--
          Pulls in the CAS X.509 adaptor module. The debug log above shows
          org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction
          running, presumably as the bean behind the flow's "x509Check" action
          (confirm against the bean definition). Having this artifact on the
          classpath only makes the classes available; it does not by itself
          register an authentication handler that accepts certificate
          credentials, which is what the audited
          "error.authentication.credentials.unsupported" suggests is missing.
        -->
        <dependency>
                <groupId>org.jasig.cas</groupId>
                <artifactId>cas-server-support-x509</artifactId>
                <version>${cas.version}</version>
        </dependency>


Here is what the login-webflow.xml file contains:



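<?xml version="1.0" encoding="UTF-8"?>
<!--
  CAS login web flow with a non-interactive X.509 step.

  Spring Web Flow treats the first state declared (ticketGrantingTicketExistsCheck)
  as the start state. A request with no ticket-granting ticket and no gateway
  parameter, or a request with renew set, reaches startX509Authenticate, which
  evaluates the "x509Check" action.

  The debug log posted alongside this file shows that action executing and the
  audit trail recording certificate credentials ("supplied credentials: CN=..."),
  followed by ACTION: AUTHENTICATION_FAILED and
  "error.authentication.credentials.unsupported". Read literally, that means the
  credentials were built here but no authentication handler accepted that
  credential type. Handlers are registered in the authentication manager
  configuration (in a CAS overlay usually deployerConfigContext.xml), not in this
  flow, so the fix is unlikely to be in this file - verify the handler wiring.

  On "error" the X.509 step falls back to the username/password form
  (generateLoginTicket -> viewLoginForm); confirm that fallback is intended for a
  certificate-only deployment.

  serviceAuthorizationCheck and the passwordPolicyCheck chain
  (passwordServiceCheck, passwordPostCheck, warnPassRedirect) are not the target
  of any transition in this file. They are harmless dead states but look like
  leftovers from a template.

  The stray ";" that the mail archive appended to the namespace URIs has been
  removed; with them present the document is not well-formed.
-->
<flow xmlns="http://www.springframework.org/schema/webflow"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/webflow
                          http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">

    <!-- Backs the username/password binder on viewLoginForm. The X.509 action
         supplies its own certificate credentials (see the audit record), so this
         variable is only relevant on the form fallback path. -->
    <var name="credentials"
         class="org.jasig.cas.authentication.principal.UsernamePasswordCredentials" />

    <on-start>
        <evaluate expression="initialFlowSetupAction" />
    </on-start>

    <!-- Start state: an existing TGT skips authentication entirely. -->
    <decision-state id="ticketGrantingTicketExistsCheck">
        <if test="flowScope.ticketGrantingTicketId != null"
            then="hasServiceCheck"
            else="gatewayRequestCheck" />
    </decision-state>

    <!-- No TGT: a gateway request with a service is answered without
         authenticating; everything else goes to the X.509 step. -->
    <decision-state id="gatewayRequestCheck">
        <if test="requestParameters.gateway != '' and requestParameters.gateway != null and flowScope.service != null"
            then="gatewayServicesManagementCheck"
            else="startX509Authenticate" />
    </decision-state>

    <decision-state id="hasServiceCheck">
        <if test="flowScope.service != null"
            then="renewRequestCheck"
            else="viewGenericLoginSuccess" />
    </decision-state>

    <!-- renew forces re-authentication even with a valid TGT. -->
    <decision-state id="renewRequestCheck">
        <if test="requestParameters.renew != '' and requestParameters.renew != null"
            then="startX509Authenticate"
            else="generateServiceTicket" />
    </decision-state>

    <!-- Not referenced by any transition in this file. -->
    <action-state id="serviceAuthorizationCheck">
        <evaluate expression="serviceAuthorizationCheck" />
        <transition to="generateLoginTicket" />
    </action-state>

    <decision-state id="warn">
        <if test="flowScope.warnCookieValue"
            then="showWarningView"
            else="redirect" />
    </decision-state>

    <!-- Non-interactive certificate authentication. "success" means the
         authentication manager accepted the credentials; "error" (the result
         in the posted log) drops to the interactive login form. -->
    <action-state id="startX509Authenticate">
        <evaluate expression="x509Check" />
        <transition on="success" to="sendTicketGrantingTicket" />
        <transition on="warn" to="warn" />
        <transition on="error" to="generateLoginTicket" />
    </action-state>

    <!-- Password-policy chain: none of these states is the target of a
         transition outside the chain itself. -->
    <action-state id="passwordPolicyCheck">
        <evaluate expression="passwordPolicyAction" />
        <transition on="showWarning" to="passwordServiceCheck" />
        <transition on="success" to="sendTicketGrantingTicket" />
        <transition on="error" to="viewLoginForm" />
    </action-state>

    <action-state id="passwordServiceCheck">
        <evaluate expression="sendTicketGrantingTicketAction" />
        <transition to="passwordPostCheck" />
    </action-state>

    <decision-state id="passwordPostCheck">
        <if test="flowScope.service != null"
            then="warnPassRedirect"
            else="pwdWarningPostView" />
    </decision-state>

    <action-state id="warnPassRedirect">
        <evaluate expression="generateServiceTicketAction" />
        <transition on="success" to="pwdWarningPostView" />
        <transition on="error" to="generateLoginTicket" />
        <transition on="gateway" to="gatewayServicesManagementCheck" />
    </action-state>

    <!-- Abstract parent for the password-warning views; only sets the policy URL. -->
    <end-state id="pwdWarningAbstractView">
        <on-entry>
            <set name="flowScope.passwordPolicyUrl"
                 value="passwordPolicyAction.getPasswordPolicyUrl()" />
        </on-entry>
    </end-state>
    <end-state id="pwdWarningPostView" view="casWarnPassView"
               parent="#pwdWarningAbstractView" />
    <end-state id="casExpiredPassView" view="casExpiredPassView"
               parent="#pwdWarningAbstractView" />
    <end-state id="casMustChangePassView" view="casMustChangePassView"
               parent="#pwdWarningAbstractView" />
    <end-state id="casAccountDisabledView" view="casAccountDisabledView" />
    <end-state id="casAccountLockedView" view="casAccountLockedView" />
    <end-state id="casBadHoursView" view="casBadHoursView" />
    <end-state id="casBadWorkstationView" view="casBadWorkstationView" />

    <!-- Interactive fallback: issue a login ticket, then render the form. -->
    <action-state id="generateLoginTicket">
        <evaluate expression="generateLoginTicketAction.generate(flowRequestContext)" />
        <transition on="generated" to="viewLoginForm" />
    </action-state>

    <view-state id="viewLoginForm" view="casLoginView" model="credentials">
        <binder>
            <binding property="username" />
            <binding property="password" />
        </binder>
        <on-entry>
            <set name="viewScope.commandName" value="'credentials'" />
        </on-entry>
        <transition on="submit" bind="true" validate="true" to="realSubmit">
            <evaluate expression="authenticationViaFormAction.doBind(flowRequestContext, flowScope.credentials)" />
        </transition>
    </view-state>

    <action-state id="realSubmit">
        <evaluate expression="authenticationViaFormAction.submit(flowRequestContext, flowScope.credentials, messageContext)" />
        <transition on="warn" to="warn" />
        <transition on="success" to="sendTicketGrantingTicket" />
        <transition on="error" to="generateLoginTicket" />
        <transition on="accountDisabled" to="casAccountDisabledView" />
        <transition on="mustChangePassword" to="casMustChangePassView" />
        <transition on="accountLocked" to="casAccountLockedView" />
        <transition on="badHours" to="casBadHoursView" />
        <transition on="badWorkstation" to="casBadWorkstationView" />
        <transition on="passwordExpired" to="casExpiredPassView" />
    </action-state>

    <!-- Shared tail for both the X.509 and form paths. -->
    <action-state id="sendTicketGrantingTicket">
        <evaluate expression="sendTicketGrantingTicketAction" />
        <transition to="serviceCheck" />
    </action-state>

    <decision-state id="serviceCheck">
        <if test="flowScope.service != null"
            then="generateServiceTicket"
            else="viewGenericLoginSuccess" />
    </decision-state>

    <action-state id="generateServiceTicket">
        <evaluate expression="generateServiceTicketAction" />
        <transition on="success" to="warn" />
        <transition on="error" to="generateLoginTicket" />
        <transition on="gateway" to="gatewayServicesManagementCheck" />
    </action-state>

    <action-state id="gatewayServicesManagementCheck">
        <evaluate expression="gatewayServicesManagementCheck" />
        <transition on="success" to="redirect" />
    </action-state>

    <!-- Builds the response that carries the service ticket back to the service. -->
    <action-state id="redirect">
        <evaluate expression="flowScope.service.getResponse(requestScope.serviceTicketId)"
                  result-type="org.jasig.cas.authentication.principal.Response"
                  result="requestScope.response" />
        <transition to="postRedirectDecision" />
    </action-state>

    <decision-state id="postRedirectDecision">
        <if test="requestScope.response.responseType.name() == 'POST'"
            then="postView"
            else="redirectView" />
    </decision-state>

    <end-state id="viewGenericLoginSuccess" view="casLoginGenericSuccessView" />

    <end-state id="showWarningView" view="casLoginConfirmView" />

    <end-state id="postView" view="postResponseView">
        <on-entry>
            <set name="requestScope.parameters" value="requestScope.response.attributes" />
            <set name="requestScope.originalUrl" value="flowScope.service.id" />
        </on-entry>
    </end-state>

    <end-state id="redirectView" view="externalRedirect:${requestScope.response.url}" />

    <end-state id="viewServiceErrorView" view="viewServiceErrorView" />

    <end-state id="viewServiceSsoErrorView" view="viewServiceSsoErrorView" />

    <global-transitions>
        <transition to="viewLoginForm"
                    on-exception="org.jasig.cas.services.UnauthorizedSsoServiceException" />
        <transition to="viewServiceErrorView"
                    on-exception="org.springframework.webflow.execution.repository.NoSuchFlowExecutionException" />
        <transition to="viewServiceErrorView"
                    on-exception="org.jasig.cas.services.UnauthorizedServiceException" />
    </global-transitions>
</flow>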




-----
- Michael Colburn
--

