Vincent, That's actually a bug that that the handler can execute that code (note it can only execute the code if you don't provide an HttpClient instance). I've logged a bug report and it will be fixed for 3.0.7 and 3.1 M2.
Thanks -Scott On 1/29/07, Vincent MATHIEU <[EMAIL PROTECTED]> wrote:
Thank's Scott, but this modification is not sufficient. HttpBasedServiceCredentialsAuthenticationHandler class is loaded after HttpClient3FactoryBean class. HttpBasedServiceCredentialsAuthenticationHandler make also call to StrictSSLProtocolSocketFactory class, and crush initialization of property useStrictHostNameChecking. And it is dangerous to complete deactive hostname certificate control. I will probably patch StrictSSLProtocolSocketFactory class to permit generic certificates working. With CAS V2 server, I controled certificate with a keystore on tomcat startup : CATALINA_OPTS="-Djavax.net.ssl.trustStore=/etc/cert/portail.keystore" ; that doesn't work now. Vincent Scott Battaglia a écrit : CAS 3 checks the host name very strictly (i.e. * doesn't work). You can disable this check by setting the property useStrictHostNameChecking to false on the HttpClient3FactoryBean. However, that means while it will check that the certificate is valid, it will not match the host name to the host name on the certificate. -Scott On 1/8/07, Vincent MATHIEU <[EMAIL PROTECTED]> wrote: > > Hello, > > > We used cas-server V2 for several years, and we would like to migrate > towards cas-server V3. > > cas-server V3 work's correctly fot authenticating (via LDAP), but > doesn't work in CAS proxy mode. > > Here is a log (catalina.out) from cas V3 server : > > 2007-01-08 21:25:22,248 INFO > [org.jasig.cas.authentication.AuthenticationManagerImpl] - > <AuthenticationHandler: > org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler > successfully authenticated the user which provided the following > credentials: vmathieu> > > 2007-01-08 21:25:22,279 INFO > [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service > ticket [ST-2-bjB6dheW1LDH0Fl2fXvYjTqYDlEbD50L1mk-20] for service > [http://esupdev1.univ-nancy2.fr/package/Login] for user [vmathieu]> > > 2007-01-08 21:25:26,974 ERROR > [ > org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] > - <javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid: > expected 'esupdev1.univ-nancy2.fr', received '*.univ-nancy2.fr '> > javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid: > expected 'esupdev1.univ-nancy2.fr', received '*.univ- nancy2.fr' at > > org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname > (StrictSSLProtocolSocketFactory.java:303) > > We use 'generic' ssl certificate for our https server : > CN=*.univ-nancy2.fr (and not CN=auth.univ-nancy2.fr). > > The problem seems to come from. > CAS serveur V2 work's correctly with same certificates. > Is there a simple solution to treat the problem, or do I have to patch > the code ? > > > Thank's > > > Vincent > > -- > Vincent MATHIEU > Université Nancy 2 - CRI > Equipe système et réseaux > tel : 03 54 50 36 56 > coordonnées : > http://www.univ-nancy2.fr/ANNUAIRE/PERS/detail_pres.php?uid=vmathieu > > > _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
