Srikar,

This should be an FAQ, but it isn't. I have searched through the "usual suspects" sites:

   * CAS site FAQ <http://www.ja-sig.org/products/cas/client/faq.html>
   * Yale CAS Client distribution
     <http://www.ja-sig.org/wiki/display/CASC/Yale+CAS+client+distribution>
     Wiki pages
   * Legacy Java CAS client
     <http://code.google.com/p/legacy-java-cas-client/> Google code page

I found no information to help you address your issue. This should be fixed. I hope that Scott or someone else can suggest how and where to add this information.

Anyway, it appears that you are using the Yale CAS client. The client attempts to verify the service ticket it received from CAS, and when it tries to connect to the CAS server, it encounters a javax.net.ssl.SSLHandshakeException. This is usually caused by using a self-signed SSL certificate on the CAS server. The Java process running JBoss does not trust the certificate presented by the CAS server. This is part of Java security.

You can either fix it by using a properly signed certificate or work around the issue by telling Java to trust your self-signed certificate. I don't have a complete tutorial here, but you have to use Java's "keytool" command, its "-import" option, the "-trustcacerts" option, and you should add it to Java's "cacerts" keystore file. On Linux this will likely require root access. I don't think that Java will trust a certificate added to a user-specific keystore. This message <http://article.gmane.org/gmane.comp.java.jasig.cas.user/458/match=keytool> in the mailing list archives starts with instructions for importing the self-signed certificate into the "cacerts" keystore.

Anyhow, please let me know if this helps.

Adam

Srikar Kummamuri wrote:

I am trying to integrate an existing JBOSS application with the CAS client. I changed the web.xml as shown in the Java CAS client instructions and added the jar file (casclient-2.1.1.jar) in the lib directory of the WEB-INF directory.

As expected, upon accessing the app for the first time, the user gets navigated to the CAS server that was installed on a Tomcat. When the CAS validates the user and sends the request back to JBOSS, an exception is being thrown by CAS as follows.

11:19:41,105 INFO [STDOUT] 2008-01-07 11:19:41 ERROR tp.cas.client.CASReceipt - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
11:19:41,105 INFO [STDOUT] 2008-01-07 11:19:41 ERROR cas.client.filter.CASFilter - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
11:19:41,120 INFO [STDOUT] 2008-01-07 11:19:41 ERROR web].[localhost].[/MGS-Reporting].[action] - Servlet.service() for servlet action threw exception
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
        at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
        at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
        at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
        at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
        at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:934)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
        at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
        at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
        at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
        ... 22 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
        at sun.security.validator.Validator.validate(Validator.java:203)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
        at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
        ... 36 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
        ... 41 more

My web.xml is,

    <filter>
        <filter-name>CAS Filter</filter-name>
        <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
        <init-param>
            <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
            <param-value>https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/login</param-value>
        </init-param>
        <init-param>
            <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
            <param-value>https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate</param-value>
        </init-param>
        <init-param>
            <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
            <param-value>alx-dev-lap06.wwre.org:8080</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Filter</filter-name>
        <url-pattern>/action/*</url-pattern>
    </filter-mapping>

Any idea why I am getting the error here? Is this something to do with SSL on the JBOSS side?
Thanks a lot

Srikar.

------------------------------------------------------------------------

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
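
The keytool import described in the reply above, as an added example that is not part of the original thread. It goes one step further than the message by refusing the import unless the certificate matches a SHA-256 fingerprint obtained out-of-band. The function names, the alias cas-server, the host cas.example.org and the scratch keystores are assumptions made for the example, and it assumes a current JDK keytool (one that prints SHA256 fingerprints).

```shell
#!/bin/sh
# Added example: trust a self-signed CAS server certificate in a Java trust
# store, but only after its fingerprint matches a value verified out-of-band.

# cert_sha256 PEM_FILE: print the certificate's SHA-256 fingerprint.
cert_sha256() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p'
}

# trust_cert PEM_FILE EXPECTED_SHA256 KEYSTORE STOREPASS ALIAS
# Returns non-zero without touching the keystore if the fingerprint differs.
trust_cert() {
    actual=$(cert_sha256 "$1")
    if [ -z "$actual" ] || [ "$actual" != "$2" ]; then
        echo "fingerprint mismatch for $1: got '$actual'" >&2
        return 1
    fi
    # -noprompt skips keytool's own "Trust this certificate?" question,
    # which is acceptable only because the fingerprint was checked above.
    keytool -import -trustcacerts -noprompt -alias "$5" -file "$1" \
        -keystore "$3" -storepass "$4" >/dev/null 2>&1 || return 1
    # Confirm the entry is present before restarting JBoss.
    keytool -list -alias "$5" -keystore "$3" -storepass "$4" >/dev/null 2>&1
}

# demo [FINGERPRINT]: runs against a constructed self-signed certificate and
# a scratch trust store, so it needs no root access and leaves cacerts alone.
# Without an argument the certificate's own fingerprint stands in for the
# out-of-band value.
demo() {
    dir=$(mktemp -d) || return 1
    keytool -genkeypair -alias cas -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=cas.example.org" -keystore "$dir/server.jks" \
        -storepass changeit -keypass changeit >/dev/null 2>&1 || return 1
    keytool -exportcert -rfc -alias cas -keystore "$dir/server.jks" \
        -storepass changeit -file "$dir/cas.pem" >/dev/null 2>&1 || return 1
    fp=${1:-$(cert_sha256 "$dir/cas.pem")}
    rc=0
    trust_cert "$dir/cas.pem" "$fp" "$dir/truststore" changeit cas-server || rc=$?
    rm -rf "$dir"
    return $rc
}

# Real use, as root, against the keystore of the JVM that runs JBoss (the
# path varies by Java version; "changeit" is the default cacerts password):
#   trust_cert cas.pem "<fingerprint from the CAS admin>" \
#       "$JAVA_HOME/jre/lib/security/cacerts" changeit cas-server
```

The JVM reads its trust store at startup, so JBoss has to be restarted after the import for the validation call to succeed.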