Ross, There is an inconsistency in the service url provided at login time and at validation time:
The original service was 'http://localhost:8080/casSample/index.html?' and the supplied service was 'http://localhost:8080/casSample/index.html'. You appear to have an extra "?". -Scott On 9/12/07, Ross Bleakney <[EMAIL PROTECTED]> wrote: > > Excellent. That did point out my problem. The certificate says > "gammel1.devqa.sersol.il.pqe" but I was using "gammel1.devqa". So, I > changed my filter to use "gammel1.devqa.sersol.il.pqe", but now I get a > different error: > > javax.servlet.ServletException: Unable to validate ProxyTicketValidator > [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] > [edu.yale.its.tp.cas.client.ServiceTicketValidator > casValidateUrl=[ > https://gammel1.devqa.sersol.il.pqe:8443/cas/serviceValidate] > ticket=[ST-7-iAwfbTJdvxggYhbfQSSkeFi2YZmbJkaFMM9-20] > service=[http%3A%2F%2Flocalhost%3A8080%2FcasSample%2Findex.html] > errorCode=[INVALID_SERVICE] errorMessage=[ticket > 'ST-7-iAwfbTJdvxggYhbfQSSkeFi2YZmbJkaFMM9-20' does not match supplied > service. The original service was > 'http://localhost:8080/casSample/index.html?' and the supplied service was > 'http://localhost:8080/casSample/index.html'.] renew=false > entireResponse=[<cas:serviceResponse xmlns:cas=' > http://www.yale.edu/tp/cas'> > <cas:authenticationFailure code='INVALID_SERVICE'> > ticket 'ST-7-iAwfbTJdvxggYhbfQSSkeFi2YZmbJkaFMM9-20' does > not match > supplied service. The original service was > 'http://localhost:8080/casSample/index.html?' and the supplied service was > 'http://localhost:8080/casSample/index.html'. > </cas:authenticationFailure> > </cas:serviceResponse> > > > Any ideas? > Thanks, > Ross > > Andrew Petro wrote: > > > Is there a way to check this? > > > >Yes. View something served by that machine over https:// in your web > >browser and use its SSL certificate inspection features (typically > >available by clicking the "lock icon"). > > > > > > > > > >RossBleakney wrote: > >>I believe it was "gammel1.devqa" (if I understand how this is set). I > >>don't know a lot about SSL, so I asked one of our admin guys (who has a > >>lot more experience setting up SSL) to configure that server. I > >>specifically asked him what he answered when prompted for first name, > last > >>name, etc. and he said "gammel1.devqa". Is there a way to check this? I > am > >>at home now, so I can't access the code (or the two machines) so I'll > >>probably bug the list again tomorrow. But if you know of something to > try > >>in the morning, I very much appreciate it. > >>Thanks, > >>Ross > >> > >> ----- Original Message ----- > >> *From:* Scott Battaglia <mailto:[EMAIL PROTECTED]> > >> *To:* Yale CAS mailing list <mailto:[email protected]> > >> *Sent:* Tuesday, September 11, 2007 7:56 PM > >> *Subject:* Re: java.io.IOException: HTTPS hostname wrong > >> > >> Ross, > >> > >> When you created your certificates via the keytool, what did you > >> choose as the CN? > >> > >> -Scott > >> > >> <snip> > >> > >>------------------------------------------------------------------------ > >> > >>_______________________________________________ > >>Yale CAS mailing list > >>[email protected] > >>http://tp.its.yale.edu/mailman/listinfo/cas > >> > > > >------------------------------------------------------------------------ > > > >_______________________________________________ > >Yale CAS mailing list > >[email protected] > >http://tp.its.yale.edu/mailman/listinfo/cas > > > > _________________________________________________________________ > Can you find the hidden words? Take a break and play Seekadoo! > http://club.live.com/seekadoo.aspx?icid=seek_hotmailtextlink1 > > > _______________________________________________ > Yale CAS mailing list > [email protected] > http://tp.its.yale.edu/mailman/listinfo/cas > > -- -Scott Battaglia LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
