This may help:

http://forum.springframework.org/showthread.php?t=30094

-Scott

On 6/20/07, Bill Bailey <[EMAIL PROTECTED]> wrote:

 Hi Jens,



I can't see any similar problems with DNS lookup. The hostname resolves to
the proper IP address and if I do a reverse on the IP I get the correct
hostname.



And no, I am not requiring client certificates. I have clientAuth=false in
both server.xml files. Interestingly, I have now managed to break things
to the point that it is failing one step sooner than before … and even
though I would swear I have returned everything to the point it was when I
started, it is still failing with a different error. Before, at least the
Acegi client was able to call proxyValidate, but CAS was failing when it
tried to invoke the proxyCallbackUrl. Now I can't even get the proxyValidate
call to succeed. It fails every time with
"InvalidAlgorithmParameterException : trustAnchors parameter must be
non-empty".



This is the single most frustrating experience I can remember configuring
something and I've had some pretty bad experiences before.



Bill



*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On
Behalf Of *Hausherr, Jens
*Sent:* Wednesday, June 20, 2007 3:47 AM
*To:* Yale CAS mailing list
*Subject:* AW: ACEGI, proxyValidate and PGTIOU



Hi Bill,

I encountered some problems with SSL certificates also – but mine were a
result of broken DNS entries: the reverse lookup used in certificate
validation resulted in random hostnames returned for the IP address %-).

Does your tomcat installation (the SSL connector) require client
certificates? The exception "javax.net.ssl.SSLPeerUnverifiedException:
peer not authenticated" seems to point in this direction. I do not know if
commons-httpclient supports client authentication for SSL.

Just a wild guess…

Jens


 ------------------------------

*Von:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *Im
Auftrag von *Bill Bailey
*Gesendet:* Dienstag, 19. Juni 2007 15:50
*An:* Yale CAS mailing list
*Betreff:* RE: ACEGI, proxyValidate and PGTIOU



Thanks, Scott.



However, I guess I am still a little confused. I have Tomcat 6.0 and
Tomcat 5.5 running on the same machine (my development machine). I ran
into some issues earlier with Tomcat finding the right keystore with my
certificates so I added keystoreFile=C:\keystore\.keystore to the
server.xml in both versions of Tomcat. So I thought both JVM's would be
using the same keystore file. This works fine for allowing me to connect via
SSL to both Tomcat instances. Is there a problem with what I am doing from a
CAS perspecive? Is there another keystore beyond the ones configured in
server.xml that I need to be populating?



Bill




 ------------------------------

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On
Behalf Of *Scott Battaglia
*Sent:* Tuesday, June 19, 2007 9:40 AM
*To:* Yale CAS mailing list
*Subject:* Re: ACEGI, proxyValidate and PGTIOU



CAS's JVM does not trust your client application's certificate.

If you've added the certificate to CAS's JVM, that most likely means the
hostname does not match the cn.

If you haven't added the certificate, you need to do so :-)

-Scott

On 6/19/07, *Bill Bailey* <[EMAIL PROTECTED]> wrote:

Hi,



I am using CAS with ACEGI security and I have the basics working. But when
I try to add the proxyCallbackUrl to the CasProxyTicketValidator (see
below), it only partly works. I am able to still authenticate through CAS,
but the resulting authentication token does not have the PGTIOU set … it is
an empty string.



I have checked the log files on the Tomcat instance hosting the CAS server
and I find the following exceptions which seem to relate to the proxy
callback URL. Any idea what is wrong?



2007-06-19 09:25:58,812 ERROR [
org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler]
- <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

            at
com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unknown
Source)

            at
org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname
(StrictSSLProtocolSocketFactory.java:280)

            at
org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.createSocket
(StrictSSLProtocolSocketFactory.java:223)

            at org.apache.commons.httpclient.HttpConnection.open(
HttpConnection.java:706)

            at
org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open
(MultiThreadedHttpConnectionManager.java:1321)

            at
org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(
HttpMethodDirector.java:386)

            at
org.apache.commons.httpclient.HttpMethodDirector.executeMethod(
HttpMethodDirector.java:170)

            at org.apache.commons.httpclient.HttpClient.executeMethod(
HttpClient.java:396)

            at org.apache.commons.httpclient.HttpClient.executeMethod(
HttpClient.java:324)

            at
org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate
(HttpBasedServiceCredentialsAuthenticationHandler.java:75)

            at
org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(
AuthenticationManagerImpl.java:79)

            at
org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket
(CentralAuthenticationServiceImpl.java:194)

            at
org.jasig.cas.web.ServiceValidateController.handleRequestInternal(
ServiceValidateController.java:159)

            at
org.springframework.web.servlet.mvc.AbstractController.handleRequest(
AbstractController.java:153)

            at
org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(
SimpleControllerHandlerAdapter.java:48)

            at
org.springframework.web.servlet.DispatcherServlet.doDispatch(
DispatcherServlet.java:819)

            at org.springframework.web.servlet.DispatcherServlet.doService
(DispatcherServlet.java:754)

            at
org.springframework.web.servlet.FrameworkServlet.processRequest(
FrameworkServlet.java:399)

            at org.springframework.web.servlet.FrameworkServlet.doGet(
FrameworkServlet.java:354)

            at javax.servlet.http.HttpServlet.service(HttpServlet.java
:690)

            at javax.servlet.http.HttpServlet.service(HttpServlet.java
:803)

            at org.jasig.cas.web.init.SafeDispatcherServlet.service(
SafeDispatcherServlet.java:115)

            at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
ApplicationFilterChain.java:290)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(
ApplicationFilterChain.java:206)

            at org.apache.catalina.core.StandardWrapperValve.invoke(
StandardWrapperValve.java:228)

            at org.apache.catalina.core.StandardContextValve.invoke(
StandardContextValve.java:175)

            at org.apache.catalina.core.StandardHostValve.invoke(
StandardHostValve.java:128)

            at org.apache.catalina.valves.ErrorReportValve.invoke(
ErrorReportValve.java:104)

            at org.apache.catalina.core.StandardEngineValve.invoke(
StandardEngineValve.java:109)

            at org.apache.catalina.connector.CoyoteAdapter.service(
CoyoteAdapter.java:216)

            at org.apache.coyote.http11.Http11Processor.process(
Http11Processor.java:844)

            at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(
Http11Protocol.java:634)

            at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(
JIoEndpoint.java:445)

            at java.lang.Thread.run(Unknown Source)

2007-06-19 09:25:58,812 INFO [
org.jasig.cas.authentication.AuthenticationManagerImpl] -
<AuthenticationHandler:
org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandlerfailed
 to authenticate the user which provided the following credentials:
https://nacdnws002l.northlandcc.net:8443/casProxy/receptor>

2007-06-19 09:25:58,812 ERROR [org.jasig.cas.web.ServiceValidateController]
- <TicketException generating ticket for:
https://nacdnws002l.northlandcc.net:8443/casProxy/receptor>

org.jasig.cas.ticket.TicketCreationException:
error.authentication.credentials.bad

            at
org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket
(CentralAuthenticationServiceImpl.java:215)

            at
org.jasig.cas.web.ServiceValidateController.handleRequestInternal(
ServiceValidateController.java:159)

            at
org.springframework.web.servlet.mvc.AbstractController.handleRequest(
AbstractController.java:153)

            at
org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(
SimpleControllerHandlerAdapter.java:48)

            at
org.springframework.web.servlet.DispatcherServlet.doDispatch(
DispatcherServlet.java:819)

            at org.springframework.web.servlet.DispatcherServlet.doService
(DispatcherServlet.java:754)

            at
org.springframework.web.servlet.FrameworkServlet.processRequest(
FrameworkServlet.java:399)

            at org.springframework.web.servlet.FrameworkServlet.doGet(
FrameworkServlet.java:354)

            at javax.servlet.http.HttpServlet.service(HttpServlet.java
:690)

            at javax.servlet.http.HttpServlet.service(HttpServlet.java
:803)

            at org.jasig.cas.web.init.SafeDispatcherServlet.service(
SafeDispatcherServlet.java:115)

            at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
ApplicationFilterChain.java:290)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(
ApplicationFilterChain.java:206)

            at org.apache.catalina.core.StandardWrapperValve.invoke(
StandardWrapperValve.java:228)

            at org.apache.catalina.core.StandardContextValve.invoke(
StandardContextValve.java:175)

            at org.apache.catalina.core.StandardHostValve.invoke(
StandardHostValve.java:128)

            at org.apache.catalina.valves.ErrorReportValve.invoke(
ErrorReportValve.java:104)

            at org.apache.catalina.core.StandardEngineValve.invoke(
StandardEngineValve.java:109)

            at org.apache.catalina.connector.CoyoteAdapter.service(
CoyoteAdapter.java:216)

            at org.apache.coyote.http11.Http11Processor.process(
Http11Processor.java:844)

            at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(
Http11Protocol.java:634)

            at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(
JIoEndpoint.java:445)

            at java.lang.Thread.run(Unknown Source)

Caused by: error.authentication.credentials.bad

            at
org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException
.<clinit>(BadCredentialsAuthenticationException.java:25)

            at
org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(
AuthenticationManagerImpl.java:105)

            at
org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket
(CentralAuthenticationServiceImpl.java:194)

            ... 22 more


_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas




--
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia



This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas




--
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas

Reply via email to