Yes, thanks, I noticed that and I think I figured out why that is so.
The short answer is, bad tomcat. Here is the long answer: My web.xml
contains:

    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
        <param-value>localhost:8080</param-value>
    </init-param>

The service is set within edu/yale/its/tp/cas/client/Util.getService()
when the filter is called. Inside there, the server comes in as
"localhost:8080". Right before being encoded, the return buffer gets set
to "http://localhost:8080/casSample/index.html?" (I added a bunch of log
statements). The trailing "?" is added because of the block:

    if (request.getQueryString() != null) {

is true. It is true, even though the query string is empty and the URL
contains no "?" (bad tomcat -- I confirmed this behavior by writing a
little servlet -- tomcat returns an empty string even if there is no "?"
or nothing after the "?"). When Util.getService sees that ticketLoc is
null, the query string is appended wholesale (to quote the comments).
The problem is, the query string is an empty string, so I get
"http://localhost:8080/casSample/index.html?" (before it is encoded).

I'm using Tomcat 5.5.16. I'll see if there is a different version of tomcat
that doesn't have this problem. I'll post an update when I find a better
tomcat. I think I'll post this whole message over again on a different
thread, since it is significantly different than my original problem (which
was caused by a bit of miscommunication and solved by looking at the
certificate).

Thanks everyone.
Ross
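
The mismatch described in the message above, reconstructed as an added Java example (not code from the CAS client and not part of the original post). The `service` method is a hypothetical stand-in for the URL-building step, the ticket value is constructed, and the `emptyIsAbsent` flag shows the effect of treating an empty query string the same as a missing one.

```java
public class ServiceUrlDemo {

    // Hypothetical stand-in for the client's service-URL builder.
    // query is what the container reports as the query string:
    // null, "" (the case described in the message), or "a=1&ticket=ST-...".
    static String service(String server, String uri, String query,
                          boolean emptyIsAbsent) {
        StringBuilder sb = new StringBuilder("http://").append(server).append(uri);
        if (query == null || (emptyIsAbsent && query.isEmpty())) {
            return sb.toString();                 // no "?" at all
        }
        // Simplification: the ticket is assumed to be the last parameter.
        int ticketLoc = query.indexOf("ticket=");
        if (ticketLoc == -1) {
            // No ticket: query appended wholesale, even when it is "".
            sb.append('?').append(query);
        } else if (ticketLoc > 0) {
            // Keep only the parameters in front of "&ticket=...".
            sb.append('?').append(query, 0, ticketLoc - 1);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String server = "localhost:8080";
        String uri = "/casSample/index.html";
        String ticketQuery = "ticket=ST-0-CONSTRUCTED"; // constructed sample value

        for (boolean emptyIsAbsent : new boolean[] {false, true}) {
            // First request: no ticket yet, container reports "" as the query.
            String atLogin = service(server, uri, "", emptyIsAbsent);
            // Redirect back from CAS: the query string is only the ticket.
            String atValidation = service(server, uri, ticketQuery, emptyIsAbsent);
            // The server's error text shows the two strings are compared as-is.
            System.out.printf("emptyIsAbsent=%b%n  login:      '%s'%n"
                    + "  validation: '%s'%n  match: %b%n",
                    emptyIsAbsent, atLogin, atValidation,
                    atLogin.equals(atValidation));
        }
    }
}
```

With `emptyIsAbsent` set to false the login-time URL carries the trailing "?" while the validation-time URL does not, which is the pair of strings shown in the INVALID_SERVICE error quoted below.
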
Scott Battaglia wrote:
Ross,
There is an inconsistency in the service url provided at login time and at
validation time:
The original service was
'http://localhost:8080/casSample/index.html?' and the supplied service was
'http://localhost:8080/casSample/index.html'.
You appear to have an extra "?".
-Scott
On 9/12/07, Ross Bleakney <[EMAIL PROTECTED]> wrote:
Excellent. That did point out my problem. The certificate says
"gammel1.devqa.sersol.il.pqe" but I was using "gammel1.devqa". So, I
changed my filter to use "gammel1.devqa.sersol.il.pqe", but now I get a
different error:

javax.servlet.ServletException : Unable to validate ProxyTicketValidator
[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
[edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://gammel1.devqa.sersol.il.pqe:8443/cas/serviceValidate]
ticket=[ST-7-iAwfbTJdvxggYhbfQSSkeFi2YZmbJkaFMM9-20]
service=[http%3A%2F%2Flocalhost%3A8080%2FcasSample%2Findex.html]
errorCode=[INVALID_SERVICE] errorMessage=[ticket
'ST-7-iAwfbTJdvxggYhbfQSSkeFi2YZmbJkaFMM9-20' does not match supplied
service. The original service was
'http://localhost:8080/casSample/index.html?' and the supplied service was
'http://localhost:8080/casSample/index.html'.] renew=false
entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_SERVICE'>
ticket 'ST-7-iAwfbTJdvxggYhbfQSSkeFi2YZmbJkaFMM9-20' does not match
supplied service. The original service was
'http://localhost:8080/casSample/index.html?' and the supplied service was
'http://localhost:8080/casSample/index.html'.
</cas:authenticationFailure>
</cas:serviceResponse>

Any ideas?
Thanks,
Ross
Andrew Petro wrote:
> > Is there a way to check this?
>
>Yes. View something served by that machine over https:// in your web
>browser and use its SSL certificate inspection features (typically
>available by clicking the "lock icon").
>
>RossBleakney wrote:
>>I believe it was "gammel1.devqa" (if I understand how this is set). I
>>don't know a lot about SSL, so I asked one of our admin guys (who has a
>>lot more experience setting up SSL) to configure that server. I
>>specifically asked him what he answered when prompted for first name, last
>>name, etc. and he said "gammel1.devqa". Is there a way to check this? I am
>>at home now, so I can't access the code (or the two machines) so I'll
>>probably bug the list again tomorrow. But if you know of something to try
>>in the morning, I very much appreciate it.
>>Thanks,
>>Ross
>>
>> ----- Original Message -----
>> *From:* Scott Battaglia <[EMAIL PROTECTED]>
>> *To:* Yale CAS mailing list <[email protected]>
>> *Sent:* Tuesday, September 11, 2007 7:56 PM
>> *Subject:* Re: java.io.IOException : HTTPS hostname wrong
>>
>> Ross,
>>
>> When you created your certificates via the keytool, what did you
>> choose as the CN?
>>
>> -Scott
>>
>> <snip>
>>
>>------------------------------------------------------------------------
>>
>>_______________________________________________
>>Yale CAS mailing list
>>[email protected]
>>http://tp.its.yale.edu/mailman/listinfo/cas
>>
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia