Joe,
You attempted to get a ProxyGrantingTicket for the Webmail service and the
JVM that the CAS server is running in is unable to validate the certificate
of the Webmail server.
[org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at
com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(
SSLSessionImpl.java:401)
Is it a non-commercial certificate? If so, it will need to be added to the
CAS JVM.
-Scott
On 6/6/07, bozhe <[EMAIL PROTECTED]> wrote:
Scott,
Thanks for the quick reply. Here is the cas.log in debug mode from the
actions outlined in my previous email ("web flow problem?"):
I turned tomcat off, deleted cas.log, and turned tomcat back on. That gave
me this:
2007-06-06 17:28:24,494 WARN
[org.springframework.ldap.support.LdapContextSource] - Property 'userName'
not set - anonymous context will be used for read-write operations
2007-06-06 17:28:24,501 INFO
[org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] - No
PasswordEncoder set. Using default:
org.jasig.cas.authentication.handler.PlainTextPasswordEncoder
2007-06-06 17:28:24,501 INFO
[org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler] - No Class
to Support set. Using default:
org.jasig.cas.authentication.principal.UsernamePasswordCredentials
2007-06-06 17:28:24,518 INFO
[org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler] - No
UniqueTicketIdGenerator specified for
org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler. Using
org.jasig.cas.util.DefaultUniqueTicketIdGenerator
2007-06-06 17:28:24,988 INFO [org.jasig.cas.web.ServiceValidateController] - No authentication specification class set. Defaulting to org.jasig.cas.validation.Cas20ProtocolValidationSpecification
2007-06-06 17:28:24,988 INFO [org.jasig.cas.web.ServiceValidateController] - No successView specified. Using default of casServiceSuccessView
2007-06-06 17:28:24,988 INFO [org.jasig.cas.web.ServiceValidateController] - No failureView specified. Using default of casServiceFailureView
2007-06-06 17:28:24,997 INFO [org.jasig.cas.web.ServiceValidateController] - No successView specified. Using default of casServiceSuccessView
2007-06-06 17:28:24,997 INFO [org.jasig.cas.web.ServiceValidateController] - No failureView specified. Using default of casServiceFailureView
2007-06-06 17:28:25,035 INFO
[org.jasig.cas.web.flow.AuthenticationViaFormAction] - FormObjectClass not
set. Using default class of
org.jasig.cas.authentication.principal.UsernamePasswordCredentials with
formObjectName credentials and validator
org.jasig.cas.validation.UsernamePasswordCredentialsValidator.
2007-06-06 17:28:44,580 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
Starting cleaning of expired tickets from ticket registry at [Wed Jun 06
17:28:44 EDT 2007]
2007-06-06 17:28:44,580 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - 0
found to be removed. Removing now.
2007-06-06 17:28:44,580 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
Finished cleaning of expired tickets from ticket registry at [Wed Jun 06
17:28:44 EDT 2007]
Then I logged successfully into CAS by itself (at
https://www.norwood-ma.gov/cas):
2007-06-06 17:37:04,178 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
Starting cleaning of expired tickets from ticket registry at [Wed Jun 06
17:37:04 EDT 2007]
2007-06-06 17:37:04,178 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - 0
found to be removed. Removing now.
2007-06-06 17:37:04,178 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
Finished cleaning of expired tickets from ticket registry at [Wed Jun 06
17:37:04 EDT 2007]
2007-06-06 17:37:59,453 INFO
[org.jasig.cas.web.flow.AutomaticCookiePathSetterAction] - Setting
ContextPath for cookies to: /cas
2007-06-06 17:38:09,424 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
AuthenticationHandler:
org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler successfully
authenticated the user which provided the following credentials:
jsalvaggio
Then I closed and reopened my browser and attempted to log in to
webmail.norwood-ma.gov:
2007-06-06 17:41:56,850 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
AuthenticationHandler:
org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler successfully
authenticated the user which provided the following credentials:
jsalvaggio
2007-06-06 17:41:56,857 INFO
[org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket
[ST-2-IFs6D3RnhK0B2Ud92c1JifcYLfVthnARypg-20] for service
[http://webmail.norwood-ma.gov/src/login.php] for user [jsalvaggio]
2007-06-06 17:41:57,352 ERROR [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at
com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(
SSLSessionImpl.java:401)
at
org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname
(StrictSSLProtocolSocketFactory.java:280)
at
org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket
(StrictSSLProtocolSocketFactory.java:223)
at
org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
at
org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open
(MultiThreadedHttpConnectionManager.java:1321)
at
org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(
HttpMethodDirector.java:386)
at
org.apache.commons.httpclient.HttpMethodDirector.executeMethod(
HttpMethodDirector.java:170)
at
org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java
:396)
at
org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java
:324)
at
org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate
(HttpBasedServiceCredentialsAuthenticationHandler.java:75)
at
org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(
AuthenticationManagerImpl.java:79)
at
org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket
(CentralAuthenticationServiceImpl.java:194)
at
org.jasig.cas.web.ServiceValidateController.handleRequestInternal(
ServiceValidateController.java:159)
at
org.springframework.web.servlet.mvc.AbstractController.handleRequest(
AbstractController.java:153)
at
org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(
SimpleControllerHandlerAdapter.java:48)
at
org.springframework.web.servlet.DispatcherServlet.doDispatch(
DispatcherServlet.java:819)
at
org.springframework.web.servlet.DispatcherServlet.doService(
DispatcherServlet.java:754)
at
org.springframework.web.servlet.FrameworkServlet.processRequest(
FrameworkServlet.java:399)
at
org.springframework.web.servlet.FrameworkServlet.doGet(
FrameworkServlet.java:354)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at
org.jasig.cas.web.init.SafeDispatcherServlet.service(
SafeDispatcherServlet.java:115)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
ApplicationFilterChain.java:290)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(
ApplicationFilterChain.java:206)
at
org.apache.catalina.core.StandardWrapperValve.invoke(
StandardWrapperValve.java:228)
at
org.apache.catalina.core.StandardContextValve.invoke(
StandardContextValve.java:175)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
:128)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
:104)
at
org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java
:393)
at
org.apache.catalina.core.StandardEngineValve.invoke(
StandardEngineValve.java:109)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java
:216)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(
Http11Protocol.java:634)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(
JIoEndpoint.java:445)
at java.lang.Thread.run(Thread.java:619)
2007-06-06 17:41:57,354 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
AuthenticationHandler:
org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler
failed to authenticate the user which provided the following credentials:
https://webmail.norwood-ma.gov/src/login.php
2007-06-06 17:41:57,354 ERROR [org.jasig.cas.web.ServiceValidateController] - TicketException generating ticket for: https://webmail.norwood-ma.gov/src/login.php
org.jasig.cas.ticket.TicketCreationException:
error.authentication.credentials.bad
at
org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket
(CentralAuthenticationServiceImpl.java:215)
at
org.jasig.cas.web.ServiceValidateController.handleRequestInternal(
ServiceValidateController.java:159)
at
org.springframework.web.servlet.mvc.AbstractController.handleRequest(
AbstractController.java:153)
at
org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(
SimpleControllerHandlerAdapter.java:48)
at
org.springframework.web.servlet.DispatcherServlet.doDispatch(
DispatcherServlet.java:819)
at
org.springframework.web.servlet.DispatcherServlet.doService(
DispatcherServlet.java:754)
at
org.springframework.web.servlet.FrameworkServlet.processRequest(
FrameworkServlet.java:399)
at
org.springframework.web.servlet.FrameworkServlet.doGet(
FrameworkServlet.java:354)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at
org.jasig.cas.web.init.SafeDispatcherServlet.service(
SafeDispatcherServlet.java:115)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
ApplicationFilterChain.java:290)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(
ApplicationFilterChain.java:206)
at
org.apache.catalina.core.StandardWrapperValve.invoke(
StandardWrapperValve.java:228)
at
org.apache.catalina.core.StandardContextValve.invoke(
StandardContextValve.java:175)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
:128)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
:104)
at
org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java
:393)
at
org.apache.catalina.core.StandardEngineValve.invoke(
StandardEngineValve.java:109)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java
:216)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(
Http11Protocol.java:634)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(
JIoEndpoint.java:445)
at java.lang.Thread.run(Thread.java:619)
Caused by: error.authentication.credentials.bad
at
org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException
.<clinit>(BadCredentialsAuthenticationException.java:25)
at
org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(
AuthenticationManagerImpl.java:105)
at
org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket
(CentralAuthenticationServiceImpl.java:194)
... 23 more
Thank you, Scott, or anyone else, who can help me figure this out.
Joe Salvaggio
Scott Battaglia-2 wrote:
>
> You should be able to tell in the CAS log file if the ticket was
> authenticated successfully or not (if you can't see it, try turning the
> logging level to DEBUG)
>
> Your "You are not authenticated" message is coming from squirrelmail not
> CAS.
>
> -Scott
>
> On 6/6/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> wrote:
>>
>> I'll replicate the problem in steps:
>>
>> Background: CAS Server 3.0.7
>> CAS Clients installed: esup-phpcas-0.5.1-1
>>
>> Pam_cas-2.0.11-esup-2.0.4
>>
>> I've followed a document on cas-ifying squirrelmail. It includes a
>> downloadable squirrelmail login.php modified with CAS.
>> When I put the url "webmail.norwood-ma.gov" in the url and hit enter it
>> takes me to the CAS login page with the following in the url:
>> "https://www.norwood-ma.gov/cas/login?service=http%3A%2F%2Fwebmail.norwood-ma.gov%2Fsrc%2Flogin.php"
>> I enter my username and password (I set it up with ldap-fastbind) hit
>> enter and it takes me to:
>> CAS Authentication failed!
>>
>> You were not authenticated.
>>
>> You may submit your request again by clicking
>> here<http://webmail.norwood-ma.gov/src/login.php>
>> .
>>
>> If the problem persists, you may contact the administrator of this
>> site<[EMAIL PROTECTED]>
>> .
>> ------------------------------
>> phpCAS 0.5.1-1 using server
>> https://www.norwood-ma.gov:443/cas/<https://www.norwood-ma.gov/cas/> (CAS 2.0)
>>
>> --with a url of
>> "http://webmail.norwood-ma.gov/src/login.php?ticket=ST-3-aBnEtPuMqqWdyat97ywctFPe7pkHXlcgW6C-20"
>>
>> When I then click the link on the bottom it takes me to this:
>> Log In Successful
>>
>> You have successfully logged into the Central Authentication Service.
>>
>> -with the url of "https://www.norwood-ma.gov/cas/login?null"
>> When I go to the CAS login page by itself
>> (https://www.norwood-ma.gov/cas)
>> I can log on with no problem.
>> Joe Salvaggio
>> _______________________________________________
>> Yale CAS mailing list
>> [email protected]
>> http://tp.its.yale.edu/mailman/listinfo/cas
>>
>>
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
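An added example, not from Scott's or Joe's messages and not CAS code, that reproduces offline the check behind "peer not authenticated": a constructed self-signed certificate for the webmail host fails validation against the default trust store, passes once that certificate is a trust anchor, and fails again for a host name it was not issued to; the keytool import at the end is the step Scott describes, run against a scratch keystore. It assumes openssl 1.1.1 or later is installed; keytool is optional, and the cacerts path named in the comments is an assumption.

```shell
#!/bin/sh
# Added example: reproduce offline the validation the CAS JVM performs when it
# calls back to the webmail pgtUrl, then the trust-store import Scott describes.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=webmail.norwood-ma.gov

# Constructed fixture: a self-signed ("non-commercial") certificate standing in
# for the webmail server's real one. Against a live server you would capture it:
#   openssl s_client -connect "$HOST:443" -showcerts </dev/null
make_selfsigned_cert() {  # $1 = output dir, $2 = hostname; prints the PEM path
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
    echo "$1/cert.pem"
}

# The two checks a TLS client makes before trusting the peer: the chain must end
# at a trusted anchor, and the certificate must be issued for the name called.
# $3 is a PEM file of trust anchors, or "" for the system default store only.
check_peer_cert() {  # $1 = cert PEM, $2 = expected hostname, $3 = trust anchors
    if [ -n "$3" ]; then ca_opt="-CAfile $3"; else ca_opt=""; fi
    if openssl verify $ca_opt -verify_hostname "$2" "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Scott's fix: import the certificate into the JVM's trust store so the callback
# validates. Shown on a scratch keystore; for the CAS JVM the file is typically
# $JAVA_HOME/jre/lib/security/cacerts (an assumption for that Java generation)
# with the stock password "changeit". Import the issuing CA or this one
# certificate rather than switching certificate validation off.
import_into_truststore() {  # $1 = cert PEM, $2 = alias, $3 = keystore path
    keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$1" \
        -keystore "$3" -storepass changeit >/dev/null 2>&1
}

CERT=$(make_selfsigned_cert "$WORK" "$HOST")
echo "default store:        $(check_peer_cert "$CERT" "$HOST" "")"       # untrusted
echo "cert added as anchor: $(check_peer_cert "$CERT" "$HOST" "$CERT")"  # trusted
echo "other host name:      $(check_peer_cert "$CERT" www.norwood-ma.gov "$CERT")"  # untrusted
if command -v keytool >/dev/null 2>&1; then   # keytool is optional for the demo
    import_into_truststore "$CERT" webmail "$WORK/cacerts.demo"
    keytool -list -keystore "$WORK/cacerts.demo" -storepass changeit -alias webmail
fi
```

The first line of output is the state Joe's CAS JVM is in; the second is the state after the import Scott recommends.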