Ross,

You have sparked my memory.  There was a bug in Tomcat 5.5.16 where they
started returning "" instead of null.  I believe they fixed it in 5.517 or
higher.

-Scott

On 9/12/07, Ross Bleakney <[EMAIL PROTECTED]> wrote:
>
> Yes, thanks, I noticed that and I think I figured out why that is so.
> The short answer is, bad tomcat. Here is the long answer: My web.xml
> contains:
>
> <init-param>
>    <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
>    <param-value>localhost:8080</param-value>
> </init-param>
>
> The service is set within edu/yale/its/tp/cas/client/Util.getService()
> when the filter is called. Inside there, the server comes in as
> "localhost:8080". Right before being encoded, the return buffer gets set
> to "http://localhost:8080/casSample/index.html?" (I added a bunch of log
> statements). The trailing "?" is added because of the block:
>
>    if (request.getQueryString() != null) {
>
> is true. It is true, even though the query string is empty and the url
> contains no "?" (bad tomcat -- I confirmed this behavior by writing a
> little servlet -- tomcat returns an empty string even if there is no "?"
> or nothing after the "?"). When Util.getService sees that ticketLoc is
> null, the query string is appended wholesale (to quote the comments).
> The problem is, the query string is an empty string, so I get
> "http://localhost:8080/casSample/index.html?" (before it is encoded).
>
> I'm using Tomcat 5.5.16. I'll see if there is a different version of tomcat
> that doesn't have this problem. I'll post an update when I find a better
> tomcat. I think I'll post this whole message over again on a different
> thread, since it is significantly different than my original problem (which
> was caused by a bit of miscommunication and solved by looking at the
> certificate).
>
> Thanks everyone.
> Ross
>
>
> Scott Battaglia wrote:
> >Ross,
> >
> >There is an inconsistency in the service url provided at login time and at
> >validation time:
> >
> >The original service was
> >'http://localhost:8080/casSample/index.html?' and the supplied service was
> >'http://localhost:8080/casSample/index.html'.
> >
> >You appear to have an extra "?".
> >
> >-Scott
> >
> >On 9/12/07, *Ross Bleakney* <[EMAIL PROTECTED]> wrote:
> >
> >     Excellent. That did point out my problem. The certificate says
> >     "gammel1.devqa.sersol.il.pqe" but I was using "gammel1.devqa". So, I
> >     changed my filter to use "gammel1.devqa.sersol.il.pqe", but now I
> >     get a different error:
> >
> >     javax.servlet.ServletException : Unable to validate
> >     ProxyTicketValidator
> >     [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
> >     [edu.yale.its.tp.cas.client.ServiceTicketValidator
> >     casValidateUrl=[https://gammel1.devqa.sersol.il.pqe:8443/cas/serviceValidate]
> >     ticket=[ST-7-iAwfbTJdvxggYhbfQSSkeFi2YZmbJkaFMM9-20]
> >     service=[http%3A%2F%2Flocalhost%3A8080%2FcasSample%2Findex.html]
> >     errorCode=[INVALID_SERVICE] errorMessage=[ticket
> >     'ST-7-iAwfbTJdvxggYhbfQSSkeFi2YZmbJkaFMM9-20' does not match supplied
> >     service. The original service was
> >     'http://localhost:8080/casSample/index.html?' and the supplied
> >     service was
> >     'http://localhost:8080/casSample/index.html'.] renew=false
> >     entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> >     <cas:authenticationFailure code='INVALID_SERVICE'>
> >     ticket 'ST-7-iAwfbTJdvxggYhbfQSSkeFi2YZmbJkaFMM9-20' does not match
> >     supplied service. The original service was
> >     'http://localhost:8080/casSample/index.html?' and the supplied
> >     service was
> >     'http://localhost:8080/casSample/index.html'.
> >     </cas:authenticationFailure>
> >     </cas:serviceResponse>
> >
> >
> >     Any ideas?
> >     Thanks,
> >     Ross
> >
> >     Andrew Petro wrote:
> >     > > Is there a way to check this?
> >     >
> >     >Yes. View something served by that machine over https:// in your web
> >     >browser and use its SSL certificate inspection features (typically
> >     >available by clicking the "lock icon").
> >     >
> >     >
> >     >
> >     >
> >     >RossBleakney wrote:
> >     >>I believe it was "gammel1.devqa" (if I understand how this is set). I
> >     >>don't know a lot about SSL, so I asked one of our admin guys (who has a
> >     >>lot more experience setting up SSL) to configure that server. I
> >     >>specifically asked him what he answered when prompted for first name, last
> >     >>name, etc. and he said "gammel1.devqa". Is there a way to check this? I am
> >     >>at home now, so I can't access the code (or the two machines) so I'll
> >     >>probably bug the list again tomorrow. But if you know of something to try
> >     >>in the morning, I very much appreciate it.
> >     >>Thanks,
> >     >>Ross
> >     >>
> >     >> ----- Original Message -----
> >     >> *From:* Scott Battaglia <mailto:[EMAIL PROTECTED]>
> >     >> *To:* Yale CAS mailing list <mailto:[email protected]>
> >     >> *Sent:* Tuesday, September 11, 2007 7:56 PM
> >     >> *Subject:* Re: java.io.IOException : HTTPS hostname wrong
> >     >>
> >     >> Ross,
> >     >>
> >     >> When you created your certificates via the keytool, what did you
> >     >> choose as the CN?
> >     >>
> >     >> -Scott
> >     >>
> >     >> <snip>
> >     >>
> >
> >
> >>------------------------------------------------------------------------
> >     >>
> >     >>_______________________________________________
> >     >>Yale CAS mailing list
> >     >>[email protected] <mailto:[email protected]>
> >     >>http://tp.its.yale.edu/mailman/listinfo/cas
> >     >>
> >
> >--
> >-Scott Battaglia
> >
> >LinkedIn: http://www.linkedin.com/in/scottbattaglia
>


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
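
The mismatch discussed in this thread, as an added example that is not part of the original messages and not the CAS client's own code: a service-URL builder that treats a null and an empty query string the same way, so the login-time and validation-time service strings match exactly. The class `ServiceUrlExample` and the helpers `buildService` and `stripTicket` are hypothetical names, the `http://` scheme is assumed from the thread, and the query strings are constructed sample inputs.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

public class ServiceUrlExample {

    // Hypothetical helper, not Util.getService(): builds the service URL from
    // values a filter would read from the request.
    static String buildService(String serverName, String requestUri, String queryString) {
        StringBuilder sb = new StringBuilder("http://").append(serverName).append(requestUri);
        String remaining = stripTicket(queryString);
        // Guard against both null and "" so a bare "?" is never appended.
        if (!remaining.isEmpty()) {
            sb.append('?').append(remaining);
        }
        return sb.toString();
    }

    // Drops the "ticket" parameter; returns "" for a null or empty query string.
    static String stripTicket(String queryString) {
        if (queryString == null || queryString.isEmpty()) {
            return "";
        }
        StringBuilder kept = new StringBuilder();
        for (String pair : queryString.split("&")) {
            if (pair.isEmpty() || pair.equals("ticket") || pair.startsWith("ticket=")) {
                continue;
            }
            if (kept.length() > 0) {
                kept.append('&');
            }
            kept.append(pair);
        }
        return kept.toString();
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        String server = "localhost:8080";      // serverName value from the thread's web.xml
        String uri = "/casSample/index.html";
        // Constructed inputs: values getQueryString() may return on different containers,
        // before login (no ticket) and at validation time (ticket present).
        String[] queries = { null, "", "ticket=ST-constructed", "a=1&ticket=ST-constructed" };
        for (String q : queries) {
            String service = buildService(server, uri, q);
            System.out.println(q + " -> " + service + " -> " + URLEncoder.encode(service, "UTF-8"));
        }
    }
}
```

The first three inputs all produce `http://localhost:8080/casSample/index.html`, so the string sent at login and the one sent to `serviceValidate` are identical whether the container reports a missing query string as null or as "".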