Scott,
The response that's causing the exception at:
edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:221)
is literally "yes\ntms64\n", which is obviously not xml.
Tim
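An added example, not code from the thread or from the CAS client library, of what a client can check before handing the validation body to an XML parser: a CAS 1.0 plain-text answer like the one quoted above is reported as a protocol mismatch instead of as a prolog error, and only a CAS 2.0 serviceResponse document is parsed (with DOCTYPEs disabled, since the body arrives over the network). Plain JDK Java; the class name and the sample bodies are constructed.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class CasValidateResponseCheck {
    static final String CAS_NS = "http://www.yale.edu/tp/cas"; // CAS 2.0 response namespace
    /**
     * Returns the authenticated user from a validation response, or throws with a
     * message naming the real problem. CAS 1.0 /validate answers in plain text
     * ("yes\n<user>\n" or "no\n\n"); CAS 2.0 /serviceValidate answers with XML, and
     * handing the plain-text form to an XML parser yields "Content is not allowed in prolog".
     */
    public static String userFromResponse(String body) throws Exception {
        if (body == null || body.trim().isEmpty()) throw new Exception("empty response");
        String first = body.split("\r?\n", -1)[0];
        if (first.equals("yes") || first.equals("no")) {
            throw new Exception("CAS 1.0 plain-text response ('" + first
                + "'): this client expects CAS 2.0 XML; check the validate URL");
        }
        if (!body.trim().startsWith("<")) {
            throw new Exception("response is neither CAS 1.0 text nor XML, starts with: "
                + body.substring(0, Math.min(body.length(), 40)).replace("\n", "\\n"));
        }
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The body came from the network: forbid DOCTYPEs so no external entities are loaded.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(body)));
        NodeList users = doc.getElementsByTagNameNS(CAS_NS, "user");
        if (users.getLength() == 0) {
            NodeList fail = doc.getElementsByTagNameNS(CAS_NS, "authenticationFailure");
            throw new Exception(fail.getLength() > 0
                ? "CAS authentication failure: " + fail.item(0).getTextContent().trim()
                : "no cas:user element in response");
        }
        return users.item(0).getTextContent().trim();
    }
    public static void main(String[] args) {
        // Constructed sample bodies for the two protocol versions (not taken from the thread).
        String cas1 = "yes\nexampleuser\n";
        String cas2 = "<cas:serviceResponse xmlns:cas='" + CAS_NS + "'><cas:authenticationSuccess>"
            + "<cas:user>exampleuser</cas:user></cas:authenticationSuccess></cas:serviceResponse>";
        for (String body : new String[] { cas1, cas2 }) {
            try { System.out.println("user=" + userFromResponse(body)); }
            catch (Exception e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```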
Can you see what the XML response back from CAS was? There may be an
invalid character in there (as evidenced by Content is not allowed in
prolog.).
-Scott
On 5/17/07, Tim Speevack <[EMAIL PROTECTED]> wrote:
Apologies to all who have answered these questions a billion
times, but...
I'm trying to get tomcat/spring/acegi to talk to CAS. I've gotten it
working to some degree, but am now stuck on the following error:
[Fatal Error] :1:1: Content is not allowed in prolog.
May 17, 2007 2:06:14 PM edu.yale.its.tp.cas.client.CASReceipt
getReceipt
SEVERE: edu.yale.its.tp.cas.client.CASAuthenticationException:
Unable to validate ProxyTicketValidator
[ [edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
[edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://secure.its.yale.edu/cas/servlet/validate]
ticket=[ST-11059954-4vXxKMmEaRychGbtR62b]
service=[http%3A%2F%2Fyag-client-36.art.yale.edu%3A8080%2Fyuagit%2Fsecure%2Ftest.jsp]
renew=false
entireResponse=[yes
<my netid>
]]]]
I've gone through all the online references I can find, but can't get
past this error. Clearly I'm getting a valid ticket & login succeeds,
so I'm assuming that this has something to do with SSL & Tomcat. I've
followed all the posts related to keytool, but still no luck.
Here's how things are configured:
JVM: JAVA_HOME=C:\jdk1.6.0
TOMCAT: CATALINA_HOME=C:\tomcat
server.xml was modified to enable SSL, and keystore & trust are
explicitly defined:
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\DOCUME~1\<my netid>\.keystore"
           keystorePass="changeit"
           truststoreFile="C:/jdk1.6.0/jre/lib/security/cacerts"
/>
KEYSTORE: I created a batch file since I had to run this more than
once:
@echo off
REM Keystore holding Tomcat's key pair, and the JVM truststore (cacerts).
set USERKEYSTORE=C:\DOCUME~1\tms64\.keystore
set JVMKEYSTORE=%JAVA_HOME%\jre\lib\security\cacerts

REM Remove any earlier "tomcat" entries so the script can be re-run
REM (these two commands fail harmlessly on a fresh keystore).
keytool -delete -alias tomcat -keystore "%USERKEYSTORE%" -storepass changeit
keytool -delete -alias tomcat -keystore "%JVMKEYSTORE%" -storepass changeit

REM Generate a self-signed RSA key pair; the CN must match the host name
REM clients use to reach Tomcat. In a .bat file the line-continuation
REM character is ^ (not \).
keytool -genkey -alias tomcat -keystore "%USERKEYSTORE%" ^
    -validity 9999 -keypass changeit -storepass changeit -keyalg RSA ^
    -dname "CN=<mymachinename>.art.yale.edu, OU=artgallery, O=yale, L=newhaven, S=ct, C=us"

REM Export the certificate (public part only) ...
keytool -export -alias tomcat -keystore "%USERKEYSTORE%" ^
    -file server.crt -storepass changeit

REM ... and import it into the JVM truststore as a trusted certificate.
REM -noprompt answers the "Trust this certificate?" question for unattended runs.
keytool -import -file server.crt -alias tomcat -keystore "%JVMKEYSTORE%" ^
    -storepass changeit -noprompt
All references I found on this process were somewhat vague. For example
http://www.ja-sig.org/products/cas/server/ssl/index.html shows:
%JAVA_HOME%\bin\keytool -export -alias tomcat -keypass changeit -file
%FILE_NAME%
%JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit
-keystore %JAVA_HOME%/jre/lib/security/cacerts
%JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit
It's not clear from this example whether %FILE_NAME% and server.crt are
intended to be the same files, though after reading
http://tp.its.yale.edu/pipermail/cas-dev/2007-April/001751.html it would
appear that that is the intention.
I'm sure I've missed a critical point somewhere, but I'm not at all
familiar with ssl setup so it's not obvious. I'm fairly sure that the
remainder of the setup is correct, but I can provide gory details of the
webapp configuration, spring, acegi, etc.
Any help will be much appreciated!
Tim
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas