Howdy Jeff,

Much angst has been created in the world by issues of what meta-characters
to use to end lines, and the fact that these differ across platforms. 
Trailing slashes on URLs haven't been much better for mankind.

My guess is that this problem is one of trailing slashes, with the
trailing slash failing to appear on the cas/login "service" request
parameter value but appearing on the cas/serviceValidate "service" request
parameter value.

You can avoid this sort of problem by using a more specific URL in your
back-end application to be requested by your front-end application. 
"https://abc.vt.edu/CasProxyDemo-BackEnd/" is easier to have problems with
than is "https://abc.vt.edu/CasProxyDemo-BackEnd/proxy_me" or the like. 
(This isn't to say that you *can't* successfully proxy CAS authenticate to
URLs with trailing slashes, only that it's easier to goof up the
configuration of doing so and so I try to avoid it when I can.)

Specifically, I see in your front-end JSP you get a proxy ticket for URL
"https://abc.vt.edu/CasProxyDemo-BackEnd".  In your back-end CASFilter
logging, I see that it tried to validate with the trailing slash,
service=[https%3A%2F%2Fabc.vt.edu%2FCasProxyDemo-BackEnd%2F] .  Since
these don't exactly match, the ticket fails to validate for the reason
that they don't exactly match.

[
<cas:authenticationFailure code='INVALID_SERVICE'>
ticket 'ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20' does not match
supplied service
</cas:authenticationFailure>
]

PS: I would like to see CAS server have a configuration (turned on by
default), to make this authentication failure message much more explicit,
naming in the error message both the service URL presented at ticket
validation and at ticket acquisition, so that this problem is much easier
to debug for application developers.  I have entered this feature request
as CAS Server Jira ticket CAS-536 
http://www.ja-sig.org/issues/browse/CAS-536  This issue in CAS
integrations seems to come up over and over and a more generous error
response to application developers could go a long way to help them cope
with this configuration nuance.

PPS:
The next problem once you fix the service parameter problem is that you
haven't named your front end application's proxy ticket receptor URL as
the authorized proxy to your back-end application.  The back-end
application configuration has authorized
"https://abc.vt.edu/CasProxyDemo-FrontEnd" yet the front-end callback URL
is "https://abc.vt.edu/CasProxyDemo-FrontEnd/CasProxyServlet".  That's not
going to work until the back-end application authorizes the full URL
"https://abc.vt.edu/CasProxyDemo-FrontEnd/CasProxyServlet".

Andrew

> Hi all,
>
> I am attempting to set up proxy authentication using CAS. I have two
> simplified servlet applications; "CasProxyDemo-FrontEnd" and
> "CasProxyDemo-BackEnd". I am also using a local instance of CAS.  I want
> to log into CasProxyDemo-FrontEnd and have a jsp page that includes a page
> from "CasProxyDemo-BackEnd". I am using a servlet in CasProxyDemo-FrontEnd
> to get the proxyTicket like so:
>
>       CASReceipt receipt =
>          (CASReceipt)request.getSession().
>             getAttribute("edu.yale.its.tp.cas.client.filter.receipt");
>
>       String proxyTicket =
>          ProxyTicketReceptor.getProxyTicket(receipt.getPgtIou(),
>                "https://abc.vt.edu/CasProxyDemo-BackEnd");
>
> I then pass the value of proxyTicket to my jsp page which does the
> import like:
>
> <c:import
> url="https://abc.vt.edu/CasProxyDemo-BackEnd/?ticket=ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20" />
>
> My descriptors are:
>
> ----------------------------------------------------------------
>  CasProxyDemo-FrontEnd Descriptor
> ----------------------------------------------------------------
>
>   <filter>
>     <filter-name>CAS Filter</filter-name>
>     <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
>     <init-param>
>       <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
>       <param-value>https://abc.vt.edu/cas/login</param-value>
>     </init-param>
>     <init-param>
>       <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
>       <param-value>https://abc.vt.edu/cas/proxyValidate</param-value>
>     </init-param>
>     <init-param>
>       <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
>       <param-value>abc.vt.edu</param-value>
>     </init-param>
>     <init-param>
>       <param-name>edu.yale.its.tp.cas.client.filter.proxyCallbackUrl</param-name>
>       <param-value>https://abc.vt.edu/CasProxyDemo-FrontEnd/CasProxyServlet</param-value>
>     </init-param>
>   </filter>
>
>   <filter-mapping>
>     <filter-name>CAS Filter</filter-name>
>     <url-pattern>/*</url-pattern>
>   </filter-mapping>
>
>   .....
>
>   <servlet>
>     <servlet-name>ProxyTicketReceptor</servlet-name>
>     <servlet-class>edu.yale.its.tp.cas.proxy.ProxyTicketReceptor</servlet-class>
>     <init-param>
>       <param-name>edu.yale.its.tp.cas.proxyUrl</param-name>
>       <param-value>https://abc.vt.edu/cas/proxy</param-value>
>     </init-param>
>   </servlet>
>
>   <servlet-mapping>
>     <servlet-name>ProxyTicketReceptor</servlet-name>
>     <url-pattern>/CasProxyServlet</url-pattern>
>   </servlet-mapping>
>
> ----------------------------------------------------------------
> CasProxyDemo-BackEnd Descriptor
> ----------------------------------------------------------------
>
>   <filter>
>     <filter-name>CAS Filter</filter-name>
>     <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
>     <init-param>
>       <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
>       <param-value>https://abc.vt.edu/cas/login</param-value>
>     </init-param>
>     <init-param>
>       <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
>       <param-value>https://abc.vt.edu/cas/proxyValidate</param-value>
>     </init-param>
>     <init-param>
>       <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
>       <param-value>abc.iad.vt.edu</param-value>
>     </init-param>
>     <init-param>
>       <param-name>edu.yale.its.tp.cas.client.filter.wrapRequest</param-name>
>       <param-value>true</param-value>
>     </init-param>
>     <init-param>
>       <param-name>edu.yale.its.tp.cas.client.filter.authorizedProxy</param-name>
>       <param-value>https://abc.vt.edu/CasProxyDemo-FrontEnd</param-value>
>     </init-param>
>   </filter>
>
>   <filter-mapping>
>     <filter-name>CAS Filter</filter-name>
>     <url-pattern>/*</url-pattern>
>   </filter-mapping>
>
> ----------------------------------------------------------------
>
> This is my log output from CasProxyDemo-FrontEnd.log
>
> ----------------------------------------------------------------
>
>
>
> 2007-07-12 11:34:05,523 [main] DEBUG
> edu.yale.its.tp.cas.client.filter.CASFilter  - CASFilter initialized as:
> [[CASFilter: casGateway=false wrapRequest=false
> casAuthorizedProxies=[[]] casLogin=[https://abc.vt.edu/cas/login]
> casProxyCallbackUrl=[https://abc.vt.edu/CasProxyDemo-FrontEnd/CasProxySe
> rvlet] casServerName=[abc.vt.edu]
> casValidate=[https://abc.vt.edu/cas/proxyValidate]]
>
> 2007-07-12 11:35:16,507 [http-443-Processor25] DEBUG
> edu.yale.its.tp.cas.client.filter.CASFilter  - Redirecting browser to
> [https://abc.vt.edu/cas/login?service=https%3A%2F%2Fabc.vt.edu%2FCasProx
> yDemo-FrontEnd%2Fstart)
>
> 2007-07-12 11:35:21,757 [http-443-Processor25] DEBUG
> edu.yale.its.tp.cas.client.filter.CASFilter  - about to validate
> ProxyTicketValidator: [[edu.yale.its.tp.cas.client.ProxyTicketValidator
> proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
> casValidateUrl=[https://abc.vt.edu/cas/proxyValidate]
> proxyCallbackUrl=[https://abc.vt.edu/CasProxyDemo-FrontEnd/CasProxyServl
> et] ticket=[ST-2-sSvi3zj7SoF1fwJniuTcyScbhMyuYBuUPaK-20]
> service=[https%3A%2F%2Fabc.vt.edu%2FCasProxyDemo-FrontEnd%2Fstart]
> renew=false]]]
>
> 2007-07-12 11:35:22,445 [http-443-Processor22] DEBUG
> edu.yale.its.tp.cas.client.filter.CASFilter  - Redirecting browser to
> [https://abc.vt.edu/cas/login?service=https%3A%2F%2Fabc.vt.edu%2FCasProx
> yDemo-FrontEnd%2FCasProxyServlet)
>
> 2007-07-12 11:35:22,523 [http-443-Processor22] DEBUG
> edu.yale.its.tp.cas.proxy.ProxyTicketReceptor  - adding
> pgtIou=[PGTIOU-2-t42nPMmVDtvhYobbW6ziKASIzJ3IV4t27B0],
> pgt=[edu.yale.its.tp.cas.proxy.ProxyGrantingTicket
> pgtId=[TGT-3-g3Pba5bNRg64HeMEnR99dyeuWHSvrjtbapa-50]
> casProxyUrl=[https://abc.vt.edu/cas/proxy]] to the cache.
>
> 2007-07-12 11:35:23,117 [http-443-Processor24] ERROR
> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/CasProxy
> Demo-FrontEnd].[jsp]  - Servlet.service() for servlet jsp threw
> exception
>
> java.io.IOException: Server returned HTTP response code: 500 for URL:
> https://abc.vt.edu/CasProxyDemo-BackEnd/?ticket=ST-3-QE511caPVASyagy1l2E
> lXfdQXe7PWD0KgtV-20
>
>       at
> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnec
> tion.java:1149)
>
>       at
> sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsUR
> LConnectionImpl.java:234)
>
>       at
> org.apache.taglibs.standard.tag.common.core.ImportSupport.acquireReader(
> ImportSupport.java:331)
>
>       at
> org.apache.taglibs.standard.tag.common.core.ImportSupport.acquireString(
> ImportSupport.java:241)
>
>       at
> org.apache.taglibs.standard.tag.common.core.ImportSupport.doEndTag(Impor
> tSupport.java:161)
>
>       at
> org.apache.jsp.frontEnd_jsp._jspx_meth_c_005fimport_005f0(frontEnd_jsp.j
> ava:119)
>
>       at org.apache.jsp.frontEnd_jsp._jspService(frontEnd_jsp.java:91)
>
>       at
> org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98)
>
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>
>       at
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.ja
> va:328)
>
>       at
> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:315)
>
>       at
> org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
>
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>
>       at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica
> tionFilterChain.java:269)
>
>       at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt
> erChain.java:188)
>
>       at
> edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:317)
>
>       at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica
> tionFilterChain.java:215)
>
>       at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt
> erChain.java:188)
>
>       at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValv
> e.java:210)
>
>       at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValv
> e.java:174)
>
>       at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
> :127)
>
>       at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
> :117)
>
>       at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
> java:108)
>
>       at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:1
> 51)
>
>       at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:87
> 0)
>
>       at
> org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.proc
> essConnection(Http11BaseProtocol.java:665)
>
>       at
> org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint
> .java:528)
>
>       at
> org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollow
> erWorkerThread.java:81)
>
>       at
> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool
> .java:685)
>
>       at java.lang.Thread.run(Thread.java:595)
>
>
>
> ----------------------------------------------------------------
>
> And here is my log output from CasProxyDemo-BackEnd.log.
>
> ----------------------------------------------------------------
>
>
>
> 2007-07-12 11:34:06,070 [main] DEBUG
> edu.yale.its.tp.cas.client.filter.CASFilter  - CASFilter initialized as:
> [[CASFilter: casGateway=false wrapRequest=true
> casAuthorizedProxies=[[https://abc.vt.edu/CasProxyDemo-FrontEnd]]
> casLogin=[https://abc.vt.edu/cas/login] casServerName=[abc.vt.edu]
> casValidate=[https://abc.vt.edu/cas/proxyValidate]]
>
> 2007-07-12 11:35:22,898 [http-443-Processor23] DEBUG
> edu.yale.its.tp.cas.client.filter.CASFilter  - about to validate
> ProxyTicketValidator: [[edu.yale.its.tp.cas.client.ProxyTicketValidator
> proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
> casValidateUrl=[https://abc.vt.edu/cas/proxyValidate]
> ticket=[ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20]
> service=[https%3A%2F%2Fabc.vt.edu%2FCasProxyDemo-BackEnd%2F]
> renew=false]]]
>
> 2007-07-12 11:35:22,976 [http-443-Processor23] ERROR
> edu.yale.its.tp.cas.client.CASReceipt  - validation of
> [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
> [edu.yale.its.tp.cas.client.ServiceTicketValidator
> casValidateUrl=[https://abc.vt.edu/cas/proxyValidate]
> ticket=[ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20]
> service=[https%3A%2F%2Fabc.vt.edu%2FCasProxyDemo-BackEnd%2F]
> errorCode=[INVALID_SERVICE] errorMessage=[ticket
> 'ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20' does not match supplied
> service] renew=false entireResponse=[<cas:serviceResponse
> xmlns:cas='http://www.yale.edu/tp/cas'>
>
>       <cas:authenticationFailure code='INVALID_SERVICE'>
>
>             ticket 'ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20' does
> not match supplied service
>
>       </cas:authenticationFailure>
>
> </cas:serviceResponse>
>
> ]]]] was not successful.
>
> 2007-07-12 11:35:22,976 [http-443-Processor23] ERROR
> edu.yale.its.tp.cas.client.filter.CASFilter  -
> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to
> validate ProxyTicketValidator
> [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
> [edu.yale.its.tp.cas.client.ServiceTicketValidator
> casValidateUrl=[https://abc.vt.edu/cas/proxyValidate]
> ticket=[ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20]
> service=[https%3A%2F%2Fabc.vt.edu%2FCasProxyDemo-BackEnd%2F]
> errorCode=[INVALID_SERVICE] errorMessage=[ticket
> 'ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20' does not match supplied
> service] renew=false entireResponse=[<cas:serviceResponse
> xmlns:cas='http://www.yale.edu/tp/cas'>
>
>       <cas:authenticationFailure code='INVALID_SERVICE'>
>
>             ticket 'ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20' does
> not match supplied service
>
>       </cas:authenticationFailure>
>
> </cas:serviceResponse>
>
> ]]]]
>
> 2007-07-12 11:35:22,992 [http-443-Processor23] ERROR
> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/CasProxy
> Demo-BackEnd].[jsp]  - Servlet.service() for servlet jsp threw exception
>
> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to
> validate ProxyTicketValidator
> [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
> [edu.yale.its.tp.cas.client.ServiceTicketValidator
> casValidateUrl=[https://abc.vt.edu/cas/proxyValidate]
> ticket=[ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20]
> service=[https%3A%2F%2Fabc.vt.edu%2FCasProxyDemo-BackEnd%2F]
> errorCode=[INVALID_SERVICE] errorMessage=[ticket
> 'ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20' does not match supplied
> service] renew=false entireResponse=[<cas:serviceResponse
> xmlns:cas='http://www.yale.edu/tp/cas'>
>
>       <cas:authenticationFailure code='INVALID_SERVICE'>
>
>             ticket 'ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20' does
> not match supplied service
>
>       </cas:authenticationFailure>
>
> </cas:serviceResponse>
>
> ]]]]
>
>       at
> edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:62)
>
>       at
> edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilt
> er.java:455)
>
>       at
> edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
>
>       at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica
> tionFilterChain.java:215)
>
>       at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt
> erChain.java:188)
>
>       at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValv
> e.java:210)
>
>       at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValv
> e.java:174)
>
>       at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
> :127)
>
>       at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
> :117)
>
>       at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
> java:108)
>
>       at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:1
> 51)
>
>       at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:87
> 0)
>
>       at
> org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.proc
> essConnection(Http11BaseProtocol.java:665)
>
>       at
> org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint
> .java:528)
>
>       at
> org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollow
> erWorkerThread.java:81)
>
>       at
> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool
> .java:685)
>
>       at java.lang.Thread.run(Thread.java:595)
>
>
>
> Judging by the log output, I think things are working as expected up to
> the point at which the CasProxyDemo-BackEnd app. tries to validate the
> ticket I appended to the url. It states that ticket is not valid for the
> service - CasProxyDemo-BackEnd.
>
> My hope is that this is just a simple config param issue. Any help would
> be greatly appreciated.
>
> Thanks in advance.
>
> Jeff Brewster
> Virginia Tech
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>
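
The two exact-match checks discussed in this thread (service URL at ticket acquisition versus validation, and authorized proxy versus proxy callback URL), as an added diagnostic sketch that is not part of the original messages and not CAS client code. The function names are hypothetical; the URLs and the log fragment are copied from the thread with mail-wrapped lines rejoined.

```python
import re
from urllib.parse import unquote, urlsplit

# Values copied from the thread (wrapped log lines rejoined).
PT_REQUESTED_FOR = "https://abc.vt.edu/CasProxyDemo-BackEnd"
BACKEND_LOG = (
    "ticket=[ST-3-QE511caPVASyagy1l2ElXfdQXe7PWD0KgtV-20] "
    "service=[https%3A%2F%2Fabc.vt.edu%2FCasProxyDemo-BackEnd%2F] renew=false"
)
AUTHORIZED_PROXIES = ["https://abc.vt.edu/CasProxyDemo-FrontEnd"]
PROXY_CALLBACK = "https://abc.vt.edu/CasProxyDemo-FrontEnd/CasProxyServlet"


def validated_services(log_text):
    """Decode every service=[...] value the CASFilter log shows being validated."""
    return [unquote(m) for m in re.findall(r"service=\[([^\]]+)\]", log_text)]


def explain_mismatch(issued, validated):
    """Name the first difference that breaks an exact string match, or None."""
    if issued == validated:
        return None
    if issued.rstrip("/") == validated.rstrip("/"):
        return "trailing slash"
    a, b = urlsplit(issued), urlsplit(validated)
    if (a.scheme.lower(), a.netloc.lower()) != (b.scheme.lower(), b.netloc.lower()):
        return "scheme or host"
    if issued.lower() == validated.lower():
        return "letter case"
    if a.path == b.path:
        return "query string or fragment"
    return "path"


def proxy_authorization_problem(authorized, callback):
    """None when the callback URL is listed verbatim; otherwise describe the miss."""
    if callback in authorized:
        return None
    for entry in authorized:
        if callback.startswith(entry):
            return "prefix only: " + entry  # a parent URL does not authorize it
    return "not listed"


if __name__ == "__main__":
    for service in validated_services(BACKEND_LOG):
        print(service, "->", explain_mismatch(PT_REQUESTED_FOR, service))
    print(proxy_authorization_problem(AUTHORIZED_PROXIES, PROXY_CALLBACK))
```
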

