> In Step 2.b shouldn't you use proxyValidate
> instead of serviceValidate?
> but I expect you won't get a PGTIOU unless
> you use proxyValidate.
Whether you get a PGTIOU or not is not governed by whether you use
serviceValidate or proxyValidate.
The /serviceValidate and /proxyValidate callbacks for validating
tickets differ only in the scope of ticket they will successfully
validate. /serviceValidate will only validate service tickets (tickets
with zero entries in the proxy chain). /proxyValidate will validate
both these service tickets and "proxy tickets" (sometimes called "proxy
service tickets") which have one or more entries in the proxy chain.
Whether you validate tickets against /serviceValidate or
/proxyValidate, you can obtain a proxy granting ticket by specifying
the pgtUrl parameter with a valid https: URL value.
For excruciatingly detailed discussion of the CAS protocol, see the
protocol document:
http://www.ja-sig.org/products/cas/overview/protocol/index.html
Andrew
Dale Ogilvie wrote:
In Step 2.b shouldn't you use proxyValidate instead of serviceValidate? That said, the walkthrough specifies serviceValidate, so maybe it's OK, but I expect you won't get a PGTIOU unless you use proxyValidate.

Also, cas.zenvoo.ch must trust the certificate for the server specified to receive the PGT, https://voot.zenvoo.ch/. Are you sure that the voot cert is signed by a CA trusted on cas.zenvoo.ch?

Your pgtUrl looks a bit suspect, as it should be a servlet on voot.zenvoo.ch waiting to receive the PGT...
Hello everybody,

I'm developing a virtual desktop system and I want to cas-ify it.

I'm trying to enable the CAS proxy mechanism, but it seems that I can't receive any PGTIOU (nor any PGT). Referring to the Proxy CAS walkthrough (http://www.ja-sig.org/wiki/display/CAS/Proxy+CAS+Walkthrough), I can successfully accomplish steps 1 and 2.a. Then I repeat step 1 and successfully generate a new ticket, but when I try step 2.b I can only get a partial response.

Here are the steps in more detail:
</cas:authenticationSuccess>
</cas:serviceResponse>
As you can see, PGTIOU is missing.

- The CAS server log file gives me the following error:
2007-11-29 15:25:18,731 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: https://voot.zenvoo.ch/help.php>
2007-11-29 15:25:18,731 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://voot.zenvoo.ch/help.php>
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:271)
    at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:125)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
    at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:857)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:792)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:475)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:430)
    at javax.servlet.http.HttpServlet.service(Unknown Source)
    at javax.servlet.http.HttpServlet.service(Unknown Source)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
    at org.apache.catalina.core.StandardWrapperValve.invoke(Unknown Source)
    at org.apache.catalina.core.StandardContextValve.invoke(Unknown Source)
    at org.apache.catalina.core.StandardHostValve.invoke(Unknown Source)
    at org.apache.catalina.valves.ErrorReportValve.invoke(Unknown Source)
    at org.apache.catalina.core.StandardEngineValve.invoke(Unknown Source)
    at org.apache.catalina.connector.CoyoteAdapter.service(Unknown Source)
    at org.apache.coyote.http11.Http11Processor.process(Unknown Source)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Unknown Source)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:595)
Caused by: error.authentication.credentials.bad
    at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
    at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:108)
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:242)
    ... 22 more
Seemingly we've got a credential problem here, but I've dug a little into the CAS server source code and found that HttpBasedServiceCredentialsAuthenticationHandler.authenticate() calls HttpClient.isValidEndPoint(url), which at the end of the day creates an HttpURLConnection object and calls its connect() method. I did the same in a little test servlet, and I can successfully connect to the url https://voot.zenvoo.ch/help.php. So my certificate should be ok. Yet, I can't make it work in the Proxy mechanism.
Could anybody help me?

Thanks in advance,

Dario Gallicchio
Zenvoo team
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
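An added example, not code from this thread or from the JA-SIG CAS project, that models the two points the thread turns on: Andrew's explanation that /serviceValidate and /proxyValidate differ only in which tickets they accept (zero versus one-or-more proxy-chain entries) while PGT issuance depends only on a valid https: pgtUrl, and the failure Dario reports, where the server answers with authenticationSuccess but no PGTIOU because it could not complete the HTTPS callback to pgtUrl (the credentials.bad error in his log). The Ticket and ValidationResult classes, validate(), render(), the callback_ok stand-in and the sample tickets are assumptions made for this illustration, not the CAS server's own API.

```python
"""Added example, not from this thread or the JA-SIG CAS project: a small
model of what a CAS server returns from /serviceValidate and /proxyValidate,
and when a PGTIOU appears in the response.  Ticket, ValidationResult,
validate(), render() and callback_ok are assumptions for this illustration."""

from dataclasses import dataclass, field
from urllib.parse import urlsplit

CAS_NS = 'xmlns:cas="http://www.yale.edu/tp/cas"'


@dataclass
class Ticket:
    """A service ticket has an empty proxy chain; a proxy ticket has one or more entries."""
    ticket_id: str
    user: str
    service: str
    proxy_chain: list = field(default_factory=list)


@dataclass
class ValidationResult:
    success: bool
    user: str = ""
    proxies: list = field(default_factory=list)
    pgt_iou: str = ""
    error: str = ""
    log: list = field(default_factory=list)


def validate(endpoint, ticket, service, pgt_url=None, callback_ok=lambda url: True):
    """Model of the two validation endpoints.

    callback_ok is a stand-in (assumption) for the server's check that pgtUrl is
    a reachable https endpoint whose certificate the CAS server trusts; the real
    server opens an HTTPS connection to pgtUrl before it will issue a PGT.
    """
    result = ValidationResult(success=False)
    if endpoint not in ("/serviceValidate", "/proxyValidate"):
        result.error = "UNKNOWN_ENDPOINT"
        return result
    if ticket.service != service:
        result.error = "INVALID_SERVICE"
        return result
    # Scope rule: /serviceValidate accepts only tickets with zero entries in the
    # proxy chain; /proxyValidate accepts service tickets and proxy tickets.
    if endpoint == "/serviceValidate" and ticket.proxy_chain:
        result.error = "INVALID_TICKET"
        return result

    result.success = True
    result.user = ticket.user
    result.proxies = list(ticket.proxy_chain)

    # PGT issuance does not depend on the endpoint, only on pgtUrl being
    # present, https:, and accepted by the callback check.
    if pgt_url:
        scheme = urlsplit(pgt_url).scheme
        if scheme != "https":
            result.log.append(f"pgtUrl rejected: scheme {scheme!r} is not https")
        elif not callback_ok(pgt_url):
            # The case in the thread: authenticationSuccess comes back without
            # a pgtIou, and the server log shows the callback failure.
            result.log.append("error.authentication.credentials.bad: " + pgt_url)
        else:
            result.pgt_iou = "PGTIOU-" + ticket.ticket_id
    return result


def render(result):
    """Render a ValidationResult as the cas:serviceResponse XML the thread quotes."""
    if not result.success:
        return (f"<cas:serviceResponse {CAS_NS}>"
                f'<cas:authenticationFailure code="{result.error}"/>'
                "</cas:serviceResponse>")
    body = f"<cas:user>{result.user}</cas:user>"
    if result.pgt_iou:
        body += f"<cas:proxyGrantingTicket>{result.pgt_iou}</cas:proxyGrantingTicket>"
    if result.proxies:
        body += ("<cas:proxies>"
                 + "".join(f"<cas:proxy>{p}</cas:proxy>" for p in result.proxies)
                 + "</cas:proxies>")
    return (f"<cas:serviceResponse {CAS_NS}>"
            f"<cas:authenticationSuccess>{body}</cas:authenticationSuccess>"
            "</cas:serviceResponse>")


if __name__ == "__main__":
    # Constructed sample tickets; the service URL is the one from the thread.
    service = "https://voot.zenvoo.ch/"
    st = Ticket("ST-1", "dario", service)
    pt = Ticket("PT-1", "dario", service, ["https://proxy-app.example.org/"])
    for endpoint, ticket, cb in [("/serviceValidate", st, lambda u: True),
                                 ("/proxyValidate", st, lambda u: True),
                                 ("/serviceValidate", pt, lambda u: True),
                                 ("/proxyValidate", pt, lambda u: True),
                                 ("/serviceValidate", st, lambda u: False)]:
        r = validate(endpoint, ticket, service, pgt_url=service + "pgtCallback", callback_ok=cb)
        print(endpoint, ticket.ticket_id, "->", render(r), r.log)
```

Running the module walks the five cases: a service ticket gets a PGTIOU from either endpoint, a proxy ticket is rejected by /serviceValidate but accepted by /proxyValidate, and a failed callback reproduces the thread's symptom of a success response with the pgtIou missing and an error in the log. On a real deployment the equivalent of callback_ok failing is the point Dale raises: the CAS server must be able to open an HTTPS connection to pgtUrl and trust the certificate it is presented with.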