PGTIOUs are not valid ticket identifiers. You should be requesting PGTs.

-Scott

2008/6/4 Rahul Bhardwaj <[EMAIL PROTECTED]>:
> I tried with the DefaultTicketRegistry and I still get a similar error.
>
> Here are some more details for a better understanding of the situation
> (when used with the default ticket registry):
> - We are using Spring/Acegi in the project with Websphere 6.0.2.19 and JDK
>   1.4.2
> - User tries to access AppA
> - It results in redirecting to CAS
> - On successful login, user is redirected to AppA - During this step I
>   noticed that when I was using the JdbcTicketRegistry, the addTicket method
>   was called thrice. None of those calls were for pgtIou
> - AppA makes a request to AppB from server side logic and provides
>   the CasProcessFilter.CAS_STATELESS_IDENTIFIER and pgt from
>   CasAuthenticationToken.getProxyGrantingTicketIou()
> - AppB reports the error of invalid token. During debug mode I can see that
>   the proxy granting ticket looked like a valid token. Also if you see my
>   previous email, CAS complained that "Ticket
>   [PGTIOU-2-GgOQjXvaUrBrEsVaoShObWVlbnbSAqr9wgK-localhost is of type class
>   org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl when we
>   were expecting interface org.jasig.cas.ticket.ServiceTicket". This to me
>   suggests that CAS is receiving the correct ticket but somehow not finding
>   it.
>
> I will appreciate any help on this.
>
> Please find attached the case-servlet.xml file and applicationContext.xml
> files
>
> Thanks
> Rahul
>
> [6/4/08 2:42:49:795 EDT] 00000055 SystemOut O [EMAIL PROTECTED],authenticationHandlerClass=interface org.jasig.cas.authentication.handler.AuthenticationHandler,publishedDate=1212561769780,timestamp=1212561769780]
> [6/4/08 2:42:49:905 EDT] 00000055 Authenticatio I org.jasig.cas.authentication.AuthenticationManagerImpl authenticate AuthenticationHandler: $Proxy215 successfully authenticated the user which provided the following credentials: rbhardwaj
> [6/4/08 2:42:49:920 EDT] 00000055 SystemOut O [EMAIL PROTECTED],ticketId=TGT-2-fj9XFXckBnJ9cfo94dYwpfzKMq5nysWY1O9-localhost,publishedDate=1212561769920,timestamp=1212561769920]
> [6/4/08 2:42:50:014 EDT] 00000055 CentralAuthen I org.jasig.cas.CentralAuthenticationServiceImpl grantServiceTicket Granted service ticket [ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost] for service [https://localhost:9444/AppA/j_acegi_cas_security_check] for user [rbhardwaj]
> [6/4/08 2:42:50:014 EDT] 00000055 SystemOut O [EMAIL PROTECTED],ticketId=ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost,publishedDate=1212561770014,timestamp=1212561770014]
> [6/4/08 2:42:50:170 EDT] 00000048 SystemOut O [EMAIL PROTECTED],authenticationHandlerClass=interface org.jasig.cas.authentication.handler.AuthenticationHandler,publishedDate=1212561770170,timestamp=1212561770170]
> [6/4/08 2:42:50:280 EDT] 00000048 Authenticatio I org.jasig.cas.authentication.AuthenticationManagerImpl authenticate AuthenticationHandler: $Proxy215 successfully authenticated the user which provided the following credentials: https://localhost:9444/App/casProxy/receptor
> [6/4/08 2:42:50:280 EDT] 00000048 SystemOut O [EMAIL PROTECTED],ticketId=TGT-3-N1ipgNUEB6lrwTnxrrvZPvD2df0D2QHtbY6-localhost,publishedDate=1212561770280,timestamp=1212561770280]
> [6/4/08 2:42:50:280 EDT] 00000048 SystemOut O [EMAIL PROTECTED],ticketId=ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost,publishedDate=1212561770280,timestamp=1212561770280]
> [6/4/08 2:42:50:451 EDT] 00000048 SystemOut O chain size is : 1
> [6/4/08 2:42:50:451 EDT] 00000048 SystemOut O authenticationReq : [EMAIL PROTECTED]Jun 04 02:42:49 EDT 2008,principal=rbhardwaj,attributes={}]
> [6/4/08 2:42:50:451 EDT] 00000048 SystemOut O pgtIou in request : PGTIOU-2-nd9TU0nyndkLyOMoGvRfVSWLkTdwzmOSGRt-localhost
> [6/4/08 2:42:50:451 EDT] 00000048 SystemOut O assertion.chainedAuthentications[chainSize-1].principal.id) rbhardwaj
> [6/4/08 2:42:50:451 EDT] 00000048 SystemOut O principal is : rbhardwaj
> [6/4/08 2:43:15:014 EDT] 00000048 SystemOut O [EMAIL PROTECTED],authenticationHandlerClass=interface org.jasig.cas.authentication.handler.AuthenticationHandler,publishedDate=1212561795014,timestamp=1212561795014]
> [6/4/08 2:43:15:108 EDT] 00000048 Authenticatio I org.jasig.cas.authentication.AuthenticationManagerImpl authenticate AuthenticationHandler: $Proxy215 successfully authenticated the user which provided the following credentials: https://localhost:9444/AppB/casProxy/receptor
> [6/4/08 2:43:15:202 EDT] 00000048 ServiceValida E org.jasig.cas.web.ServiceValidateController handleRequestInternal TicketException generating ticket for: https://localhost:9444/AppB/casProxy/receptor
>
> org.jasig.cas.ticket.InvalidTicketException
>     at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:202)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
>     at java.lang.reflect.Method.invoke(Method.java:391)
>     at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:299)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:172)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:139)
>     at org.jasig.cas.event.advice.CentralAuthenticationServiceMethodInterceptor.invoke(CentralAuthenticationServiceMethodInterceptor.java:41)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
>     at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
>     at $Proxy216.delegateTicketGrantingTicket(Unknown Source)
>     at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
>     at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
>     at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
>     at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
>     at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1572)
>     at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:762)
>     at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:89)
>     at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1924)
>     at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:112)
>     at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:472)
>     at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:411)
>     at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:288)
>     at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:950)
>     at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInboundPostHandshake(SSLConnectionLink.java:657)
>     at com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyHandshakeCompletedCallback.complete(SSLConnectionLink.java:364)
>     at com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:760)
>     at com.ibm.ws.ssl.channel.impl.SSLHandshakeIOCallback.complete(SSLHandshakeIOCallback.java:70)
>     at com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:566)
>     at com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:619)
>     at com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:952)
>     at com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1039)
>     at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1471)
>
> ------------------------------
> *From:* [EMAIL PROTECTED] on behalf of Rahul Bhardwaj
> *Sent:* Wed 6/4/2008 12:50 AM
> *To:* [email protected]
> *Subject:* Proxy Granting Tickets (PGT tickets) + JDBCTicketRegistry +
> CasServer 3.0.7
>
> Hi Everyone,
>
> In my project, we use Cas Server 3.0.7. Since we have a clustered
> environment we are using JDBCTicketRegistry as documented on CAS confluence.
>
> I am trying to secure remote invocations from App A to App B by relying on
> the proxy ticket. The problem is that the CAS server always errors out with
> the exception given below. The basic problem is that although the CAS Server
> webapp is generating and passing the PGTIOU ticket, it is never saved in the
> database. When App B tries to authenticate the user with the PGTIOU ticket,
> since it is not present in the database, the JdbcTicketRegistry class
> creates an expired ticket. All this is happening in my development desktop
> and there is no clustering in there.
>
> I have the following queries:
> 1 - Since database is not used for storing PGTIOUs, why is CAS trying to
>     read it from JDBCTicketRegistry on validation? Am I doing something wrong?
> 2 - How can I configure/customize CAS to use JDBCTicketRegistry for proxy
>     tickets as well
>
> Thanks
> Rahul
>
> PS: Please ignore the ClassCastException for
> org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl.
> The root problem is that the JdbcTicketRegistry is being invoked but the
> ticket was never saved in the database in the first place. I also confirmed
> this by debugging the registry and seeing all the tickets that were saved
> using it.
>
> [6/4/08 0:12:36:185 EDT] 00000048 ServletWrappe E SRVE0068E: Could not invoke the service() method on servlet cas.
> Exception thrown : org.springframework.web.util.NestedServletException: Request processing failed; nested exception is java.lang.ClassCastException: Ticket [PGTIOU-2-GgOQjXvaUrBrEsVaoShObWVlbnbSAqr9wgK-localhost is of type class org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl when we were expecting interface org.jasig.cas.ticket.ServiceTicket
> Caused by: java.lang.ClassCastException: Ticket [PGTIOU-2-GgOQjXvaUrBrEsVaoShObWVlbnbSAqr9wgK-localhost is of type class org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl when we were expecting interface org.jasig.cas.ticket.ServiceTicket
>     at org.jasig.cas.ticket.registry.AbstractTicketRegistry.getTicket(AbstractTicketRegistry.java:42)
>     at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:198)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
>     at java.lang.reflect.Method.invoke(Method.java:391)
>     at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:299)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:172)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:139)
>     at org.jasig.cas.event.advice.CentralAuthenticationServiceMethodInterceptor.invoke(CentralAuthenticationServiceMethodInterceptor.java:41)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
>     at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
>     at $Proxy1.delegateTicketGrantingTicket(Unknown Source)
>     at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
>     at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
>     at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
>     at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
>     at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1572)
>     at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:762)
>     at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:89)
>     at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1924)
>     at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:112)
>     at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:472)
>     at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:411)
>     at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:288)
>     at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:950)
>     at com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyReadCompletedCallback.complete(SSLConnectionLink.java:582)
>     at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1704)
>     at com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:566)
>     at com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:619)
>     at com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:952)
>     at com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1039)
>     at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1471)
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas

--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
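
The distinction this thread turns on, shown as an added example that is not part of the original messages and is not CAS or Acegi code: in the CAS 2.0 proxy flow the PGTIOU only correlates the validation response with the proxy callback, and the client must exchange it for the PGT before calling `/proxy`. The class and function names, host names and ticket values below are hypothetical and constructed for illustration.

```python
# Added example: client-side PGTIOU -> PGT correlation (names and values are constructed).
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

class PgtStore:
    """Filled by the proxy callback (pgtUrl); maps each PGTIOU to its PGT, once."""
    def __init__(self):
        self._by_iou = {}

    def on_callback(self, params):
        # CAS calls the pgtUrl with both pgtIou and pgtId as query parameters.
        iou, pgt = params.get("pgtIou"), params.get("pgtId")
        if not iou or not pgt or not iou.startswith("PGTIOU-"):
            raise ValueError("malformed proxy callback")
        self._by_iou[iou] = pgt

    def redeem(self, iou):
        # One-time lookup: the IOU only links two messages, so drop it after use.
        return self._by_iou.pop(iou, None)

def pgtiou_from_validation(xml_text):
    """Return the PGTIOU carried in a /serviceValidate success response, or None."""
    root = ET.fromstring(xml_text)
    node = root.find("cas:authenticationSuccess/cas:proxyGrantingTicket", CAS_NS)
    return node.text.strip() if node is not None and node.text else None

def proxy_request_url(cas_base, ticket, target_service):
    """Build the /proxy request; refuse anything that is not a PGT (e.g. a PGTIOU)."""
    if not ticket or not ticket.startswith("PGT-"):
        raise ValueError("not a proxy-granting ticket: %r" % ticket)
    return cas_base + "/proxy?" + urlencode({"targetService": target_service, "pgt": ticket})

# Constructed sample messages (not taken from the logs in this thread).
SAMPLE_CALLBACK = {"pgtIou": "PGTIOU-1-exampleIou", "pgtId": "PGT-1-examplePgt"}
SAMPLE_VALIDATION = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-1-exampleIou</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

def demo():
    store = PgtStore()
    store.on_callback(SAMPLE_CALLBACK)                # step 1: callback delivers IOU + PGT
    iou = pgtiou_from_validation(SAMPLE_VALIDATION)   # step 2: response carries IOU only
    pgt = store.redeem(iou)                           # step 3: exchange IOU for PGT
    url = proxy_request_url("https://cas.example.org/cas", pgt, "https://appb.example.org/service")
    return iou, pgt, url
```

Passing the PGTIOU itself to `proxy_request_url` raises `ValueError`, which is the client-side equivalent of the `InvalidTicketException` the server reports in the quoted log.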
