We're trying to log in via gateways - basically bouncing requests for 
users that are already logged into one cas to another server, then 
validating the tickets we get back.  These tickets seem to validate fine, 
but the CASFilter doesn't forward the user on to our protected application, 
instead it just forwards the user to our login.jsp.

From the cas log (trace level below) you can see that our local 
cas server gateways to the remote cas server, gets a valid ticket, 
uses the ticket to get a valid receipt and returns to the local cas 
server.  The local cas server always shows the login page after this 
and actually with this setup won't let us login anymore.

Using:
- glassfish v2ur2
- cas-server 3.2.1 (newest)

Thoughts?

Chris


This is the log after going to a service protected by our local 
cas that should be able to sso with another cas server:
URL:
https://localCas.foo.ca:8181/cas/login?service=http%3A%2F%2FlocalCas.f
oo.ca%3A8080%2Fplayer-service%2F&ticket=ST-32-mO2r6idSN7jGqCrqv3bO-rem
oteCas.foo.ca

ErrorLog:
2008-06-02 15:57:48,234 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- entering doFilter()
2008-06-02 15:57:48,234 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- CAS ticket was not present on request.
2008-06-02 15:57:48,234 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- Did not previously gateway.  Setting session attribute to true.
2008-06-02 15:57:48,234 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- entering redirectToCAS()
2008-06-02 15:57:48,234 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- entering getService()
2008-06-02 15:57:48,234 TRACE [edu.yale.its.tp.cas.client.Util] - 
entering 
getService([EMAIL PROTECTED],
localCas.foo.ca:8181)
2008-06-02 15:57:48,234 TRACE [edu.yale.its.tp.cas.client.Util] - 
returning from getService() with encoded service 
[https%3A%2F%2FlocalCas.foo.ca%3A8181%2Fcas%2Flogin%3Fservice%3Dhttp%2
53A%252F%252FlocalCas.foo.ca%253A8080%252Fplayer-service%252F]
2008-06-02 15:57:48,234 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- returning from getService() with service 
[https%3A%2F%2FlocalCas.foo.ca%3A8181%2Fcas%2Flogin%3Fservice%3Dhttp%2
53A%252F%252FlocalCas.foo.ca%253A8080%252Fplayer-service%252F]
2008-06-02 15:57:48,234 DEBUG 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- Redirecting browser to
[https://remoteCas.foo.ca/cas3/login?service=https%3A%2F%2FlocalCas.fo
o.ca%3A8181%2Fcas%2Flogin%3Fservice%3Dhttp%253A%252F%252FlocalCas.foo.
ca%253A8080%252Fplayer-service%252F&gateway=true)
2008-06-02 15:57:48,234 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- returning from redirectToCAS()
2008-06-02 15:57:48,296 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- entering doFilter()
2008-06-02 15:57:48,296 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- entering getAuthenticatedUser()
2008-06-02 15:57:48,312 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- entering getService()
2008-06-02 15:57:48,312 TRACE [edu.yale.its.tp.cas.client.Util] - 
entering 
getService([EMAIL PROTECTED],
localCas.foo.ca:8181)
2008-06-02 15:57:48,312 TRACE [edu.yale.its.tp.cas.client.Util] - 
returning from getService() with encoded service 
[https%3A%2F%2FlocalCas.foo.ca%3A8181%2Fcas%2Flogin%3Fservice%3Dhttp%2
53A%252F%252FlocalCas.foo.ca%253A8080%252Fplayer-service%252F]
2008-06-02 15:57:48,312 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- returning from getService() with service 
[https%3A%2F%2FlocalCas.foo.ca%3A8181%2Fcas%2Flogin%3Fservice%3Dhttp%2
53A%252F%252FlocalCas.foo.ca%253A8080%252Fplayer-service%252F]
2008-06-02 15:57:48,312 DEBUG 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- about to validate ProxyTicketValidator:
[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] 
[edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://remoteCas.foo.ca/cas3/proxyValidate]
ticket=[ST-32-mO2r6idSN7jGqCrqv3bO-remoteCas.foo.ca]
service=[https%3A%2F%2FlocalCas.foo.ca%3A8181%2Fcas%2Flogin%3Fservice%
3Dhttp%253A%252F%252FlocalCas.foo.ca%253A8080%252Fplayer-service%252F]
renew=false]]]
2008-06-02 15:57:48,312 TRACE [edu.yale.its.tp.cas.client.CASReceipt] 
- entering 
getReceipt(ProxyTicketValidator=[[edu.yale.its.tp.cas.client.ProxyTick
etValidator proxyList=[null] 
[edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://remoteCas.foo.ca/cas3/proxyValidate]
ticket=[ST-32-mO2r6idSN7jGqCrqv3bO-remoteCas.foo.ca]
service=[https%3A%2F%2FlocalCas.foo.ca%3A8181%2Fcas%2Flogin%3Fservice%
3Dhttp%253A%252F%252FlocalCas.foo.ca%253A8080%252Fplayer-service%252F]
renew=false]]])
2008-06-02 15:57:48,312 TRACE [edu.yale.its.tp.cas.util.SecureURL] - 
entering
retrieve(https://remoteCas.foo.ca/cas3/proxyValidate?service=https%3A%
2F%2FlocalCas.foo.ca%3A8181%2Fcas%2Flogin%3Fservice%3Dhttp%253A%252F%2
52FlocalCas.foo.ca%253A8080%252Fplayer-service%252F&ticket=ST-32-mO2r6
idSN7jGqCrqv3bO-remoteCas.foo.ca)
2008-06-02 15:57:48,328 TRACE [edu.yale.its.tp.cas.client.CASReceipt] 
- returning from getReceipt() with return value 
[[edu.yale.its.tp.cas.client.CASReceipt userName=[sad503] 
casValidateUrl=[https://remoteCas.foo.ca/cas3/proxyValidate]
proxyCallbackUrl=[null] pgtIou=[null]
casValidateUrl=[https://remoteCas.foo.ca/cas3/proxyValidate]
proxyList=[[]]]]
2008-06-02 15:57:48,328 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- validated ticket to get authenticated receipt 
[[edu.yale.its.tp.cas.client.CASReceipt userName=[sad503] 
casValidateUrl=[https://remoteCas.foo.ca/cas3/proxyValidate]
proxyCallbackUrl=[null] pgtIou=[null]
casValidateUrl=[https://remoteCas.foo.ca/cas3/proxyValidate]
proxyList=[[]]]], now passing request along filter chain.
2008-06-02 15:57:48,343 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- returning from doFilter()
2008-06-02 15:57:48,359 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- entering doFilter()
2008-06-02 15:57:48,359 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- CAS_FILTER_RECEIPT attribute was present and acceptable - passing  
request through filter..
2008-06-02 15:57:48,390 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- entering doFilter()
2008-06-02 15:57:48,390 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- CAS_FILTER_RECEIPT attribute was present and acceptable - passing  
request through filter..
2008-06-02 15:57:48,437 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- entering doFilter()
2008-06-02 15:57:48,437 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- CAS_FILTER_RECEIPT attribute was present and acceptable - passing  
request through filter..
2008-06-02 15:57:48,437 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- entering doFilter()
2008-06-02 15:57:48,437 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- CAS_FILTER_RECEIPT attribute was present and acceptable - passing  
request through filter..
2008-06-02 15:57:48,437 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- entering doFilter()
2008-06-02 15:57:48,437 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- CAS_FILTER_RECEIPT attribute was present and acceptable - passing  
request through filter..
2008-06-02 15:57:48,437 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- entering doFilter()
2008-06-02 15:57:48,437 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- CAS_FILTER_RECEIPT attribute was present and acceptable - passing  
request through filter..
2008-06-02 15:57:48,437 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- entering doFilter()
2008-06-02 15:57:48,437 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- CAS_FILTER_RECEIPT attribute was present and acceptable - passing  
request through filter..



Refreshing the URL shown above just adds this to the log:
2008-06-02 15:58:26,515 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- entering doFilter()
2008-06-02 15:58:26,515 TRACE 
[edu.yale.its.tp.cas.client.filter.CASFilter]
- CAS_FILTER_RECEIPT attribute was present and acceptable - passing  
request through filter..


Trying to log in to just our local cas now, so again on the URL above, 
produces this exception:
javax.servlet.ServletException:
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to 
validate ProxyTicketValidator 
[[edu.yale.its.tp.cas.client.ProxyTicketValidator
proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://localCas.foo.ca:8181/cas/proxyValidate]
ticket=[ST-23-svfDCJlaOsFdAQemjAEu]
service=[http%3A%2F%2FlocalCas.foo.ca%3A8080%2Fplayer-service%2F]
renew=false]]]

root cause
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to 
validate ProxyTicketValidator 
[[edu.yale.its.tp.cas.client.ProxyTicketValidator
proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://localCas.foo.ca:8181/cas/proxyValidate]
ticket=[ST-23-svfDCJlaOsFdAQemjAEu]
service=[http%3A%2F%2FlocalCas.foo.ca%3A8080%2Fplayer-service%2F]
renew=false]]]

root cause
java.io.IOException: Server returned HTTP response code: 500 for URL:
https://localCas.foo.ca:8181/cas/proxyValidate?service=http%3A%2F%2Flo
calCas.foo.ca%3A8080%2Fplayer-service%2F&ticket=ST-23-svfDCJlaOsFdAQem
jAEu

--
Christopher Brooks, MSc.
Web: http://www.cs.usask.ca/~cab938
Mail: 176 Thorvaldson Building
      110 Science Place
      Saskatoon, SK
      S7N 5C9



_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
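
Added example, not part of the original post: a small Python diagnostic that unwraps the nested `service` parameters in the gateway redirect from the log above and checks that the service string sent to `proxyValidate` is the same one sent at login. The two URLs are copied from the log with the mail wrapping re-joined; the function names `service_chain`, `hop_hosts` and `same_service` are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Copied from the log above, with the e-mail's hard line wraps re-joined.
REDIRECT = (
    "https://remoteCas.foo.ca/cas3/login?service=https%3A%2F%2FlocalCas.foo.ca"
    "%3A8181%2Fcas%2Flogin%3Fservice%3Dhttp%253A%252F%252FlocalCas.foo.ca"
    "%253A8080%252Fplayer-service%252F&gateway=true"
)
VALIDATE = (
    "https://remoteCas.foo.ca/cas3/proxyValidate?service=https%3A%2F%2FlocalCas.foo.ca"
    "%3A8181%2Fcas%2Flogin%3Fservice%3Dhttp%253A%252F%252FlocalCas.foo.ca"
    "%253A8080%252Fplayer-service%252F&ticket=ST-32-mO2r6idSN7jGqCrqv3bO-remoteCas.foo.ca"
)


def _service_param(url):
    """Return the once-decoded service= value of a URL, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("service")
    return values[0] if values else None


def service_chain(url, max_depth=5):
    """Follow nested service= parameters: [url, its service, that URL's service, ...]."""
    chain = [url]
    while len(chain) <= max_depth:
        nested = _service_param(chain[-1])
        if nested is None:
            break
        chain.append(nested)
    return chain


def hop_hosts(url):
    """Host:port of every hop in the chain, outermost first."""
    return [urlsplit(u).netloc for u in service_chain(url)]


def same_service(login_url, validate_url):
    """True when both requests carry an identical service value."""
    login_service = _service_param(login_url)
    return login_service is not None and login_service == _service_param(validate_url)


if __name__ == "__main__":
    for depth, hop in enumerate(service_chain(REDIRECT)):
        print(depth, hop)
    print("service matches at validation:", same_service(REDIRECT, VALIDATE))
```

Each level of the chain is one hop of the gateway setup: the remote CAS login, the local CAS login it returns to, and finally the protected application.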
