We're trying to log in via gateways - basically bouncing requests for users that are already logged into one cas to another server, then validating the tickets we get back. These tickets seem to validate fine, but the CASFilter doesn't forward the user on to our protected application, instead it just forwards the user to our login.jsp.
From the cas log (trace level below) you can see that our local cas server gateways to the remote cas server, gets a valid ticket, uses the ticket to get a valid receipt and returns to the local cas server. The local cas server always shows the login page after this and actually with this setup won't let us login anymore.

Using:
- glassfish v2ur2
- cas-server 3.2.1 (newest)

Thoughts?

Chris

This is the log after going to a service protected by our local cas that should be able to sso with another cas server:

URL: https://localCas.foo.ca:8181/cas/login?service=http%3A%2F%2FlocalCas.foo.ca%3A8080%2Fplayer-service%2F&ticket=ST-32-mO2r6idSN7jGqCrqv3bO-remoteCas.foo.ca

ErrorLog:
2008-06-02 15:57:48,234 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - entering doFilter()
2008-06-02 15:57:48,234 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - CAS ticket was not present on request.
2008-06-02 15:57:48,234 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - Did not previously gateway. Setting session attribute to true.
2008-06-02 15:57:48,234 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - entering redirectToCAS()
2008-06-02 15:57:48,234 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - entering getService()
2008-06-02 15:57:48,234 TRACE [edu.yale.its.tp.cas.client.Util] - entering getService([EMAIL PROTECTED], localCas.foo.ca:8181)
2008-06-02 15:57:48,234 TRACE [edu.yale.its.tp.cas.client.Util] - returning from getService() with encoded service [https%3A%2F%2FlocalCas.foo.ca%3A8181%2Fcas%2Flogin%3Fservice%3Dhttp%253A%252F%252FlocalCas.foo.ca%253A8080%252Fplayer-service%252F]
2008-06-02 15:57:48,234 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - returning from getService() with service [https%3A%2F%2FlocalCas.foo.ca%3A8181%2Fcas%2Flogin%3Fservice%3Dhttp%253A%252F%252FlocalCas.foo.ca%253A8080%252Fplayer-service%252F]
2008-06-02 15:57:48,234 DEBUG [edu.yale.its.tp.cas.client.filter.CASFilter] - Redirecting browser to [https://remoteCas.foo.ca/cas3/login?service=https%3A%2F%2FlocalCas.foo.ca%3A8181%2Fcas%2Flogin%3Fservice%3Dhttp%253A%252F%252FlocalCas.foo.ca%253A8080%252Fplayer-service%252F&gateway=true)
2008-06-02 15:57:48,234 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - returning from redirectToCAS()
2008-06-02 15:57:48,296 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - entering doFilter()
2008-06-02 15:57:48,296 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - entering getAuthenticatedUser()
2008-06-02 15:57:48,312 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - entering getService()
2008-06-02 15:57:48,312 TRACE [edu.yale.its.tp.cas.client.Util] - entering getService([EMAIL PROTECTED], localCas.foo.ca:8181)
2008-06-02 15:57:48,312 TRACE [edu.yale.its.tp.cas.client.Util] - returning from getService() with encoded service [https%3A%2F%2FlocalCas.foo.ca%3A8181%2Fcas%2Flogin%3Fservice%3Dhttp%253A%252F%252FlocalCas.foo.ca%253A8080%252Fplayer-service%252F]
2008-06-02 15:57:48,312 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - returning from getService() with service [https%3A%2F%2FlocalCas.foo.ca%3A8181%2Fcas%2Flogin%3Fservice%3Dhttp%253A%252F%252FlocalCas.foo.ca%253A8080%252Fplayer-service%252F]
2008-06-02 15:57:48,312 DEBUG [edu.yale.its.tp.cas.client.filter.CASFilter] - about to validate ProxyTicketValidator: [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://remoteCas.foo.ca/cas3/proxyValidate] ticket=[ST-32-mO2r6idSN7jGqCrqv3bO-remoteCas.foo.ca] service=[https%3A%2F%2FlocalCas.foo.ca%3A8181%2Fcas%2Flogin%3Fservice%3Dhttp%253A%252F%252FlocalCas.foo.ca%253A8080%252Fplayer-service%252F] renew=false]]]
2008-06-02 15:57:48,312 TRACE [edu.yale.its.tp.cas.client.CASReceipt] - entering getReceipt(ProxyTicketValidator=[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://remoteCas.foo.ca/cas3/proxyValidate] ticket=[ST-32-mO2r6idSN7jGqCrqv3bO-remoteCas.foo.ca] service=[https%3A%2F%2FlocalCas.foo.ca%3A8181%2Fcas%2Flogin%3Fservice%3Dhttp%253A%252F%252FlocalCas.foo.ca%253A8080%252Fplayer-service%252F] renew=false]]])
2008-06-02 15:57:48,312 TRACE [edu.yale.its.tp.cas.util.SecureURL] - entering retrieve(https://remoteCas.foo.ca/cas3/proxyValidate?service=https%3A%2F%2FlocalCas.foo.ca%3A8181%2Fcas%2Flogin%3Fservice%3Dhttp%253A%252F%252FlocalCas.foo.ca%253A8080%252Fplayer-service%252F&ticket=ST-32-mO2r6idSN7jGqCrqv3bO-remoteCas.foo.ca)
2008-06-02 15:57:48,328 TRACE [edu.yale.its.tp.cas.client.CASReceipt] - returning from getReceipt() with return value [[edu.yale.its.tp.cas.client.CASReceipt userName=[sad503] casValidateUrl=[https://remoteCas.foo.ca/cas3/proxyValidate] proxyCallbackUrl=[null] pgtIou=[null] casValidateUrl=[https://remoteCas.foo.ca/cas3/proxyValidate] proxyList=[[]]]]
2008-06-02 15:57:48,328 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - validated ticket to get authenticated receipt [[edu.yale.its.tp.cas.client.CASReceipt userName=[sad503] casValidateUrl=[https://remoteCas.foo.ca/cas3/proxyValidate] proxyCallbackUrl=[null] pgtIou=[null] casValidateUrl=[https://remoteCas.foo.ca/cas3/proxyValidate] proxyList=[[]]]], now passing request along filter chain.
2008-06-02 15:57:48,343 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - returning from doFilter()
2008-06-02 15:57:48,359 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - entering doFilter()
2008-06-02 15:57:48,359 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - CAS_FILTER_RECEIPT attribute was present and acceptable - passing request through filter..
2008-06-02 15:57:48,390 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - entering doFilter()
2008-06-02 15:57:48,390 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - CAS_FILTER_RECEIPT attribute was present and acceptable - passing request through filter..
2008-06-02 15:57:48,437 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - entering doFilter()
2008-06-02 15:57:48,437 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - CAS_FILTER_RECEIPT attribute was present and acceptable - passing request through filter..
2008-06-02 15:57:48,437 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - entering doFilter()
2008-06-02 15:57:48,437 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - CAS_FILTER_RECEIPT attribute was present and acceptable - passing request through filter..
2008-06-02 15:57:48,437 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - entering doFilter()
2008-06-02 15:57:48,437 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - CAS_FILTER_RECEIPT attribute was present and acceptable - passing request through filter..
2008-06-02 15:57:48,437 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - entering doFilter()
2008-06-02 15:57:48,437 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - CAS_FILTER_RECEIPT attribute was present and acceptable - passing request through filter..
2008-06-02 15:57:48,437 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - entering doFilter()
2008-06-02 15:57:48,437 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - CAS_FILTER_RECEIPT attribute was present and acceptable - passing request through filter..

Refreshing the URL shown above just adds this to the log:

2008-06-02 15:58:26,515 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - entering doFilter()
2008-06-02 15:58:26,515 TRACE [edu.yale.its.tp.cas.client.filter.CASFilter] - CAS_FILTER_RECEIPT attribute was present and acceptable - passing request through filter..

Trying to login to just our local cas now, so again on the url above. Produces this exception:

javax.servlet.ServletException: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localCas.foo.ca:8181/cas/proxyValidate] ticket=[ST-23-svfDCJlaOsFdAQemjAEu] service=[http%3A%2F%2FlocalCas.foo.ca%3A8080%2Fplayer-service%2F] renew=false]]]

root cause

edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localCas.foo.ca:8181/cas/proxyValidate] ticket=[ST-23-svfDCJlaOsFdAQemjAEu] service=[http%3A%2F%2FlocalCas.foo.ca%3A8080%2Fplayer-service%2F] renew=false]]]

root cause

java.io.IOException: Server returned HTTP response code: 500 for URL: https://localCas.foo.ca:8181/cas/proxyValidate?service=http%3A%2F%2FlocalCas.foo.ca%3A8080%2Fplayer-service%2F&ticket=ST-23-svfDCJlaOsFdAQemjAEu

--
Christopher Brooks, MSc.
Web: http://www.cs.usask.ca/~cab938
Mail: 176 Thorvaldson Building
110 Science Place
Saskatoon, SK
S7N 5C9
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
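
Added example, not part of the original post: a Python check over two entries from the trace above (wrapped URLs rejoined) that compares the service string sent to the remote CAS with the one presented at proxyValidate, and peels the nested service URL one encoding layer at a time. The function names are illustrative and not taken from the CAS client.

```python
import re
from urllib.parse import urlsplit, unquote

# Two entries copied from the trace in the post, with mail line-wrapping removed.
SAMPLE_LOG = """\
2008-06-02 15:57:48,234 DEBUG [edu.yale.its.tp.cas.client.filter.CASFilter] - Redirecting browser to [https://remoteCas.foo.ca/cas3/login?service=https%3A%2F%2FlocalCas.foo.ca%3A8181%2Fcas%2Flogin%3Fservice%3Dhttp%253A%252F%252FlocalCas.foo.ca%253A8080%252Fplayer-service%252F&gateway=true)
2008-06-02 15:57:48,312 TRACE [edu.yale.its.tp.cas.util.SecureURL] - entering retrieve(https://remoteCas.foo.ca/cas3/proxyValidate?service=https%3A%2F%2FlocalCas.foo.ca%3A8181%2Fcas%2Flogin%3Fservice%3Dhttp%253A%252F%252FlocalCas.foo.ca%253A8080%252Fplayer-service%252F&ticket=ST-32-mO2r6idSN7jGqCrqv3bO-remoteCas.foo.ca)
"""

# The redirect entry in the trace closes with ')' rather than ']', so accept either.
REDIRECT_RE = re.compile(r"Redirecting browser to \[(\S+?)[\])]\s*$", re.M)
VALIDATE_RE = re.compile(r"entering retrieve\((\S+?)\)\s*$", re.M)


def raw_param(url, name):
    """Return the still-encoded value of one query parameter, or None."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def service_layers(url, limit=5):
    """Decode the service parameter, then any service parameter nested in it."""
    layers = []
    while len(layers) < limit:
        raw = raw_param(url, "service")
        if raw is None:
            break
        url = unquote(raw)  # exactly one decoding pass per layer
        layers.append(url)
    return layers


def check_flow(log):
    """Compare the service sent at redirect with the one used at validation."""
    redirect, validate = REDIRECT_RE.search(log), VALIDATE_RE.search(log)
    if not (redirect and validate):
        raise ValueError("log lacks the redirect or the validation request")
    sent, checked = redirect.group(1), validate.group(1)
    return {
        "service_match": raw_param(sent, "service") == raw_param(checked, "service"),
        "ticket": raw_param(checked, "ticket"),
        "validator": urlsplit(checked).netloc,
        "layers": service_layers(sent),
    }


if __name__ == "__main__":
    print(check_flow(SAMPLE_LOG))
```

On this trace the two service strings are byte-identical, and the outer layer is the local CAS server's own /cas/login URL with the player-service URL nested inside it.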
