Hi!
I'm trying to configure a CAS server (version 3.1.1) to be used by an
Acegi-enabled web application on Tomcat. I used the "contacts-cas" sample
application that is included in Acegi Security version 1.0.6.
But when I log in to the CAS server, it redirects to the "casfailed.jsp" page of the
client application (contacts-cas), and this error message is shown:
Login to CAS failed!
Your CAS credentials were rejected.
Reason: java.security.cert.CertificateException: No subject alternative names
present
I used "keytool" to generate the certificates, but I don't know what this
"subject alternative name" is or how I can set it.
The content of the "applicationContext-acegi-security-cas.xml" file in the
"contacts-cas" client is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
"http://www.springframework.org/dtd/spring-beans.dtd">
<!--
- Application context containing authentication, channel
- security and web URI beans.
-
- Only used by "cas" artifact.
-
- $Id: applicationContext-acegi-security.xml 1409 2006-04-26 23:36:03Z
benalex $
-->
<beans>
<!-- ======================== FILTER CHAIN ======================= -->
<!-- One Ant-style chain applied to every URL. Filter order is significant:
channelProcessingFilter runs first, so the HTTP/HTTPS redirect decision is
taken before the session-backed security context is loaded, and
filterInvocationInterceptor (authorization) runs last. -->
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=channelProcessingFilter,httpSessionContextIntegrationFilter,logoutFilter,casProcessingFilter,basicProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
</value>
</property>
</bean>
<!-- CAS is the only authentication provider. There is no password-based
provider behind basicProcessingFilter, so BASIC credentials can only be
accepted by CasAuthenticationProvider (presumably the stateless-client
ticket case that statelessTicketCache exists for). -->
<bean id="authenticationManager"
class="org.acegisecurity.providers.ProviderManager">
<property name="providers">
<list>
<ref local="casAuthenticationProvider"/>
</list>
</property>
</bean>
<!-- Demo users held in memory with clear-text passwords. For CAS logins the
password check happens at the CAS server; this map is only consulted by
casAuthoritiesPopulator to load roles (and the "disabled" flag on peter).
Replace before any non-demo deployment. -->
<bean id="userDetailsService"
class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>
marissa=marissa,ROLE_SUPERVISOR,ROLE_TELLER
dianne=dianne,ROLE_SUPERVISOR,ROLE_TELLER
scott=scott,ROLE_SUPERVISOR,ROLE_TELLER
peter=peter,disabled,ROLE_SUPERVISOR,ROLE_TELLER
</value>
</property>
</bean>
<!-- BASIC authentication for non-browser clients; it shares the CAS-only
authenticationManager above. -->
<bean id="basicProcessingFilter"
class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">
<property name="authenticationManager"><ref
local="authenticationManager"/></property>
<property name="authenticationEntryPoint"><ref
local="basicProcessingFilterEntryPoint"/></property>
</bean>
<bean id="basicProcessingFilterEntryPoint"
class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
<property name="realmName"><value>Contacts Realm</value></property>
</bean>
<!-- Stores the authenticated security context in the HTTP session between
requests; see the channel rules below for the consequence on plain HTTP. -->
<bean id="httpSessionContextIntegrationFilter"
class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>
<!-- Validates CAS tickets and builds the authenticated token. "key" is a
per-deployment secret that the provider uses to recognise tokens it issued
itself; the sample value below must be replaced with a unique, unguessable
value in a real deployment. -->
<bean id="casAuthenticationProvider"
class="org.acegisecurity.providers.cas.CasAuthenticationProvider">
<property name="casAuthoritiesPopulator"><ref
local="casAuthoritiesPopulator"/></property>
<property name="casProxyDecider"><ref
local="casProxyDecider"/></property>
<property name="ticketValidator"><ref
local="casProxyTicketValidator"/></property>
<property name="statelessTicketCache"><ref
local="statelessTicketCache"/></property>
<property
name="key"><value>my_password_for_this_auth_provider_only</value></property>
</bean>
<!-- casValidate and proxyCallbackUrl address the CAS server by IP literal.
When the host is an IP address, the JDK's HTTPS hostname check matches it
only against a subjectAltName IP entry of the server certificate, not
against the CN; a keytool certificate without any subjectAltName therefore
fails with "No subject alternative names present", which is the error
quoted above for this configuration. Either issue the certificate with a
SAN IP entry for 192.168.241.111 (JDK 7+ keytool: -ext SAN=ip:192.168.241.111)
or use a DNS host name in these URLs that the certificate's CN or dNSName
entry matches. The CAS server calls proxyCallbackUrl over HTTPS as well, so
its JVM must likewise trust and hostname-match this application's
certificate. -->
<bean id="casProxyTicketValidator"
class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
<property name="casValidate"
value="https://192.168.241.111:8443/cas/proxyValidate"/>
<property name="proxyCallbackUrl"
value="https://192.168.241.111:8443/contacts-cas/casProxy/receptor"/>
<property name="serviceProperties"><ref
local="serviceProperties"/></property>
<!-- trustStore is left unset, so the JVM's default trust store is used for
the validation call; a self-signed keytool certificate must be imported
there (or this property pointed at a store that contains it), otherwise
validation fails before the hostname check is even reached. -->
<!-- <property
name="trustStore"><value>/some/path/to/your/lib/security/cacerts</value></property>
-->
</bean>
<bean id="cacheManager"
class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
<bean id="ticketCacheBackend"
class="org.springframework.cache.ehcache.EhCacheFactoryBean">
<property name="cacheManager"><ref local="cacheManager"/></property>
<property name="cacheName" value="ticketCache"/>
</bean>
<!-- Caches validated tickets for stateless clients so each request does not
re-contact the CAS server; entries are as sensitive as a session. -->
<bean id="statelessTicketCache"
class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
<property name="cache"><ref local="ticketCacheBackend"/></property>
</bean>
<!-- Maps the CAS-asserted user name to local roles via userDetailsService;
a user unknown to that service cannot complete login here. -->
<bean id="casAuthoritiesPopulator"
class="org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator">
<!-- <property name="userDetailsService"><ref
local="jdbcDaoImpl"/></property>-->
<property name="userDetailsService"><ref
local="userDetailsService"/></property>
</bean>
<!-- Proxy tickets are refused outright: only tickets obtained through this
application's own CAS login are accepted. -->
<bean id="casProxyDecider"
class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets"/>
<!-- "service" is the URL CAS redirects the browser back to and must match the
value sent on login and on validation. sendRenew=false lets an existing CAS
single sign-on session be reused; set it to true to force the user to
re-enter credentials for this service. -->
<bean id="serviceProperties"
class="org.acegisecurity.ui.cas.ServiceProperties">
<property name="service"
value="https://192.168.241.111:8443/contacts-cas/j_acegi_cas_security_check"/>
<property name="sendRenew" value="false"/>
</bean>
<!-- note logout has little impact, due to CAS reauthentication
functionality (it will cause a refresh of the authentication though) -->
<!-- SecurityContextLogoutHandler clears only this application's security
context; the CAS single sign-on session on the server is untouched, which
is why the note above says logout has little effect. -->
<bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
<constructor-arg value="/index.jsp"/> <!-- URL redirected to after logout
-->
<constructor-arg>
<list>
<bean
class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
</list>
</constructor-arg>
</bean>
<!-- Enabled by default for CAS, as a CAS deployment uses HTTPS -->
<!-- Everything outside /secure/ and the CAS callback URL is forced back to
plain HTTP by the catch-all REQUIRES_INSECURE_CHANNEL rule. Because the
authenticated context lives in the HTTP session, a cookie-based session
identifier then travels in clear text on those URLs; for anything beyond
this sample, consider REQUIRES_SECURE_CHANNEL for the whole application.
Rules are matched top down, first match wins. -->
<bean id="channelProcessingFilter"
class="org.acegisecurity.securechannel.ChannelProcessingFilter">
<property name="channelDecisionManager"><ref
local="channelDecisionManager"/></property>
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/secure/.*\Z=REQUIRES_SECURE_CHANNEL
\A/j_acegi_cas_security_check.*\Z=REQUIRES_SECURE_CHANNEL
\A.*\Z=REQUIRES_INSECURE_CHANNEL
</value>
</property>
</bean>
<bean id="channelDecisionManager"
class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
<property name="channelProcessors">
<list>
<ref local="secureChannelProcessor"/>
<ref local="insecureChannelProcessor"/>
</list>
</property>
</bean>
<bean id="secureChannelProcessor"
class="org.acegisecurity.securechannel.SecureChannelProcessor"/>
<bean id="insecureChannelProcessor"
class="org.acegisecurity.securechannel.InsecureChannelProcessor"/>
<!-- An unauthenticated request to a protected URL is redirected to the CAS
login page (casProcessingFilterEntryPoint), not challenged with BASIC. -->
<bean id="exceptionTranslationFilter"
class="org.acegisecurity.ui.ExceptionTranslationFilter">
<property name="authenticationEntryPoint"><ref
local="casProcessingFilterEntryPoint"/></property>
</bean>
<!-- Receives the service ticket when CAS redirects back to
/j_acegi_cas_security_check; that URL is listed under REQUIRES_SECURE_CHANNEL
above, so the ticket is only ever received over HTTPS. On failure the user
lands on /casfailed.jsp, the page showing the certificate error. -->
<bean id="casProcessingFilter"
class="org.acegisecurity.ui.cas.CasProcessingFilter">
<property name="authenticationManager"><ref
local="authenticationManager"/></property>
<property
name="authenticationFailureUrl"><value>/casfailed.jsp</value></property>
<property name="defaultTargetUrl"><value>/</value></property>
<property
name="filterProcessesUrl"><value>/j_acegi_cas_security_check</value></property>
</bean>
<!-- Browser-facing login URL; on this hop the browser, not this application,
validates the CAS server certificate. -->
<bean id="casProcessingFilterEntryPoint"
class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
<property
name="loginUrl"><value>https://192.168.241.111:8443/cas/login</value></property>
<property name="serviceProperties"><ref
local="serviceProperties"/></property>
</bean>
<!-- allowIfAllAbstainDecisions=false fails closed: a request no voter can
decide on is denied. roleVoter is referenced with ref bean= rather than
ref local= and its in-file definition is commented out at the end of this
file, so it must be supplied by another context file of the application
(presumably a shared authorization context); verify it is actually loaded. -->
<bean id="httpRequestAccessDecisionManager"
class="org.acegisecurity.vote.AffirmativeBased">
<property
name="allowIfAllAbstainDecisions"><value>false</value></property>
<property name="decisionVoters">
<list>
<ref bean="roleVoter"/>
</list>
</property>
</bean>
<!-- Note the order that entries are placed against the
objectDefinitionSource is critical.
The FilterSecurityInterceptor will work from the top of the list down
to the FIRST pattern that matches the request URL.
Accordingly, you should place MOST SPECIFIC (ie a/b/c/d.*) expressions
first, with LEAST SPECIFIC (ie a/.*) expressions last -->
<!-- Only /secure/ URLs are protected; there is no catch-all rule, so every
other URL passes this interceptor without authentication. /secure/super
demands ROLE_WE_DONT_HAVE, which no user in userMap holds, so it serves as
the sample's deliberate access-denied path. -->
<bean id="filterInvocationInterceptor"
class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager"><ref
local="authenticationManager"/></property>
<property name="accessDecisionManager"><ref
local="httpRequestAccessDecisionManager"/></property>
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/secure/super.*\Z=ROLE_WE_DONT_HAVE
\A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER
</value>
</property>
</bean>
<!-- BASIC Regular Expression Syntax (for beginners):
\A means the start of the string (ie the beginning of the URL)
\Z means the end of the string (ie the end of the URL)
. means any single character
* means null or any number of repetitions of the last expression (so
.* means zero or more characters)
Some examples:
Expression: \A/my/directory/.*\Z
Would match: /my/directory/
/my/directory/hello.html
Expression: \A/.*\Z
Would match: /hello.html
/
Expression: \A/.*/secret.html\Z
Would match: /some/directory/secret.html
/another/secret.html
Not match: /anothersecret.html (missing required /)
-->
<!-- <bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"/>-->
</beans>
Sadegh Aliakbary