This turned out to be an issue. Should be fixed in 4.1.1. - Misagh
> On Oct 13, 2015, at 9:38 AM, Nicolás <[email protected]> wrote: > > Hi Misagh, > > This happens exclusively with the Google service, when logging directly to > the Gmail service (por example). The Google service redirects the request to > our CAS and then it crashes. Any other service configured that doesn't use > SAML 2.0 works without any issue. In the moment that <ref > bean="googleAccountsArgumentExtractor" /> is added to the argumentExtractors > list, this behavior starts happening. > > I remark this is working right now with 3.5.x with a pretty similar > configuration, so I discard any Google side configuration. > > I grabbed a request, and this is the result: > login?SAMLRequest=fVJNT%2BMwEL0j8R8s35M0BbTIaoK6IEQldolo2MPejDOtpzh28Njt8u9xUxBwWK7PM%2B%2FLM7v41xu2BU%2FobMXLfMIZWOU6tOuKP7TX2Tm%2FqI%2BPZiR7M4h5DNrew3MECixtWhLjQ8Wjt8JJQhJW9kAiKLGc%2F7oV03wiBu%2BCU85wtriquDHuSTulTfe4edLQOTQGN0avtV6h3AwaEaUcJGd%2F3m1N97YWRBEWloK0IUGT8iwrJ1l50pZnYvpDnJ785ax5U%2FqJ9pDgO1uPhyESN23bZM3dsh0JttiB%2F52mK752bm0gV67fyzeSCLcJXklDwNmcCHxIBi%2BdpdiDX4LfooKH%2B9uK6xAGEkWx2%2B3yD5pCFtGYHLqYAxVSEa%2FHZsUYzn%2Bq9Hvr8l2a1x%2Fks%2BITVf32Y%2Fsgi6vGGVQvbJ663116kCGlCD6mENfO9zL8X63MyxHBLluNoyJaGkDhCqHjrKgPql9PIx3MKw%3D%3D&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Four.google.domain%2FServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttps%253A%252F%252Fmail.google.com%252Fmail%252F%26ss%3D1%26ltmpl%3Ddefault%26ltmplcache%3D2%26emr%3D1%26osid%3D1 > > However, I suspect this happens before the SAML request is processed, because > it's thrown just at redirect time. I even disabled the service for Google > Apps to see when does it happen, and the result is just the same. > > If you need any additional tests please let me know, we were about to put > this version into production when we detected this issue :-/ > > Thanks. > > Nicolás > > El 13/10/15 a las 15:16, Misagh Moayyed escribió: >> When do you get this error? Do you start from Google Apps or do you directly >> go to cas/login? Could you capture the Google Apps request and paste that >> back? >> >> - Misagh >> >>> On Oct 13, 2015, at 4:39 AM, [email protected] wrote: >>> >>> Hi, >>> >>> We're running CAS 4.1.0 and we also use Google Apps, so we're trying to >>> configure SAML 2.0 for this. Following this [1] document, we've made the >>> following steps: >>> >>> 1) We did NOT generate a new private/public key pair, since we already have >>> one from our previous CAS installation (3.5.x). We simply moved the >>> public/private files to the new machine to the same path. >>> >>> 2) argumentExtractorsConfiguration.xml: >>> >>> <bean id="googleAccountsArgumentExtractor" >>> >>> class="org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor" >>> c:servicesManager-ref="servicesManager" >>> c:privateKey-ref="privateKeyFactoryBean" >>> c:publicKey-ref="publicKeyFactoryBean" /> >>> >>> <bean id="privateKeyFactoryBean" >>> class="org.jasig.cas.util.PrivateKeyFactoryBean" >>> p:location="classpath:private.p8" >>> p:algorithm="RSA" /> >>> >>> <bean id="publicKeyFactoryBean" >>> class="org.jasig.cas.util.PublicKeyFactoryBean" >>> p:location="classpath:public.key" >>> p:algorithm="RSA" /> >>> >>> 3) Although not documented, we added <ref >>> bean="googleAccountsArgumentExtractor" /> to the argumentExtractors list: >>> >>> <util:list id="argumentExtractors"> >>> <ref bean="casArgumentExtractor" /> >>> <ref bean="samlArgumentExtractor" /> >>> <ref bean="googleAccountsArgumentExtractor" /> >>> </util:list> >>> >>> When built, the following exception is being thrown: >>> >>> GRAVE: El Servlet.service() para el servlet [cas] en el contexto con >>> ruta [/cas] lanzó la excepción [Request processing failed; nested exception >>> is org.springframework.webflow.execution.ActionExecutionException: >>> Exception thrown executing >>> org.jasig.cas.web.flow.InitialFlowSetupAction@1149cb40 in state 'null' of >>> flow 'login' -- action execution attributes were 'map[[empty]]'] con >>> causa raíz >>> java.util.zip.ZipException: incorrect header check >>> at >>> java.util.zip.InflaterOutputStream.write(InflaterOutputStream.java:273) >>> at org.apache.commons.io.IOUtils.copyLarge(IOUtils.java:1793) >>> at org.apache.commons.io.IOUtils.copyLarge(IOUtils.java:1769) >>> at org.apache.commons.io.IOUtils.copy(IOUtils.java:1744) >>> at >>> org.jasig.cas.util.CompressionUtils.inflate_aroundBody0(CompressionUtils.java:66) >>> at >>> org.jasig.cas.util.CompressionUtils$AjcClosure1.run_aroundBody0(CompressionUtils.java:1) >>> at >>> org.jasig.cas.util.CompressionUtils$AjcClosure1$AjcClosure1.run_aroundBody0(CompressionUtils.java:1) >>> at >>> org.jasig.cas.util.CompressionUtils$AjcClosure1$AjcClosure1$AjcClosure1.run(CompressionUtils.java:1) >>> at >>> org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) >>> at >>> org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44) >>> at >>> org.jasig.cas.util.CompressionUtils$AjcClosure1$AjcClosure1.run(CompressionUtils.java:1) >>> at >>> org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) >>> at >>> org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44) >>> at >>> org.jasig.cas.util.CompressionUtils$AjcClosure1.run(CompressionUtils.java:1) >>> at >>> org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) >>> at >>> org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44) >>> at org.jasig.cas.util.CompressionUtils.inflate(CompressionUtils.java:63) >>> at >>> org.jasig.cas.support.saml.util.AbstractSaml20ObjectBuilder.decodeSamlAuthnRequest_aroundBody16(AbstractSaml20ObjectBuilder.java:262) >>> at >>> org.jasig.cas.support.saml.util.AbstractSaml20ObjectBuilder$AjcClosure17.run_aroundBody0(AbstractSaml20ObjectBuilder.java:1) >>> at >>> org.jasig.cas.support.saml.util.AbstractSaml20ObjectBuilder$AjcClosure17$AjcClosure1.run(AbstractSaml20ObjectBuilder.java:1) >>> at >>> org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) >>> at >>> org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44) >>> at >>> org.jasig.cas.support.saml.util.AbstractSaml20ObjectBuilder$AjcClosure17.run(AbstractSaml20ObjectBuilder.java:1) >>> at >>> org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) >>> at >>> org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44) >>> at >>> org.jasig.cas.support.saml.util.AbstractSaml20ObjectBuilder.decodeSamlAuthnRequest(AbstractSaml20ObjectBuilder.java:253) >>> at >>> org.jasig.cas.support.saml.authentication.principal.GoogleAccountsService.createServiceFrom_aroundBody0(GoogleAccountsService.java:133) >>> at >>> org.jasig.cas.support.saml.authentication.principal.GoogleAccountsService$AjcClosure1.run(GoogleAccountsService.java:1) >>> at >>> org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) >>> at >>> org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44) >>> at >>> org.jasig.cas.support.saml.authentication.principal.GoogleAccountsService.createServiceFrom(GoogleAccountsService.java:131) >>> at >>> org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor.extractServiceInternal_aroundBody0(GoogleAccountsArgumentExtractor.java:69) >>> at >>> org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor$AjcClosure1.run_aroundBody0(GoogleAccountsArgumentExtractor.java:1) >>> at >>> org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor$AjcClosure1$AjcClosure1.run(GoogleAccountsArgumentExtractor.java:1) >>> at >>> org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) >>> at >>> org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44) >>> at >>> org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor$AjcClosure1.run(GoogleAccountsArgumentExtractor.java:1) >>> at >>> org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) >>> at >>> org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44) >>> at >>> org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor.extractServiceInternal(GoogleAccountsArgumentExtractor.java:69) >>> at >>> org.jasig.cas.web.support.AbstractArgumentExtractor.extractService_aroundBody0(AbstractArgumentExtractor.java:43) >>> at >>> org.jasig.cas.web.support.AbstractArgumentExtractor$AjcClosure1.run_aroundBody0(AbstractArgumentExtractor.java:1) >>> at >>> org.jasig.cas.web.support.AbstractArgumentExtractor$AjcClosure1$AjcClosure1.run_aroundBody0(AbstractArgumentExtractor.java:1) >>> at >>> org.jasig.cas.web.support.AbstractArgumentExtractor$AjcClosure1$AjcClosure1$AjcClosure1.run(AbstractArgumentExtractor.java:1) >>> at >>> org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) >>> at >>> org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44) >>> at >>> org.jasig.cas.web.support.AbstractArgumentExtractor$AjcClosure1$AjcClosure1.run(AbstractArgumentExtractor.java:1) >>> at >>> org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) >>> at >>> org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44) >>> at >>> org.jasig.cas.web.support.AbstractArgumentExtractor$AjcClosure1.run(AbstractArgumentExtractor.java:1) >>> at >>> org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) >>> at >>> org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44) >>> at >>> org.jasig.cas.web.support.AbstractArgumentExtractor.extractService(AbstractArgumentExtractor.java:43) >>> at >>> org.jasig.cas.web.support.WebUtils.getService_aroundBody4(WebUtils.java:97) >>> at org.jasig.cas.web.support.WebUtils$AjcClosure5.run(WebUtils.java:1) >>> at >>> org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) >>> at >>> org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44) >>> at org.jasig.cas.web.support.WebUtils.getService(WebUtils.java:96) >>> at >>> org.jasig.cas.web.support.WebUtils.getService_aroundBody6(WebUtils.java:119) >>> at org.jasig.cas.web.support.WebUtils$AjcClosure7.run(WebUtils.java:1) >>> at >>> org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) >>> at >>> org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44) >>> at org.jasig.cas.web.support.WebUtils.getService(WebUtils.java:118) >>> at >>> org.jasig.cas.web.flow.InitialFlowSetupAction.doExecute(InitialFlowSetupAction.java:97) >>> at >>> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) >>> at >>> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) >>> at >>> org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) >>> at >>> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) >>> at >>> org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145) >>> at >>> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) >>> at >>> org.springframework.webflow.engine.ActionList.execute(ActionList.java:154) >>> at org.springframework.webflow.engine.Flow.start(Flow.java:526) >>> at >>> org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368) >>> at >>> org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223) >>> at >>> org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140) >>> at >>> org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:238) >>> at >>> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959) >>> at >>> org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893) >>> at >>> org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:966) >>> at >>> org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:857) >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:620) >>> at >>> org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842) >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) >>> at >>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) >>> at >>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >>> at >>> org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:296) >>> at >>> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344) >>> at >>> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261) >>> at >>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) >>> at >>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >>> at >>> org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62) >>> at >>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) >>> at >>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >>> at >>> org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85) >>> at >>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) >>> at >>> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344) >>> at >>> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261) >>> at >>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) >>> at >>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >>> at >>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) >>> at >>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) >>> at >>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) >>> at >>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) >>> at >>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98) >>> at >>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) >>> at >>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) >>> at >>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041) >>> at >>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) >>> at >>> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313) >>> at >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) >>> at >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) >>> at java.lang.Thread.run(Thread.java:745) >>> Suppressed: java.util.zip.ZipException: incorrect header check >>> at >>> java.util.zip.InflaterOutputStream.flush(InflaterOutputStream.java:169) >>> at >>> java.util.zip.InflaterOutputStream.finish(InflaterOutputStream.java:186) >>> at >>> java.util.zip.InflaterOutputStream.close(InflaterOutputStream.java:129) >>> at >>> org.jasig.cas.util.CompressionUtils.inflate_aroundBody0(CompressionUtils.java:68) >>> ... 107 more >>> >>> What could be the reason of this? The md5 checksums of the moved files seem >>> to match. >>> >>> Thanks, >>> >>> Nicolás >>> >>> [1]: >>> http://jasig.github.io/cas/4.1.x/integration/Google-Apps-Integration.html >>> >>> -- >>> You are currently subscribed to [email protected] as: >>> [email protected] >>> To unsubscribe, change settings or access archives, see >>> http://www.ja-sig.org/wiki/display/JSG/cas-user >> > > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
