Scott,
 
Can you please point me to the documentation that talks about how to request 
PGTs?
 
Thanks for your prompt help
Rahul

________________________________

From: [EMAIL PROTECTED] on behalf of Scott Battaglia
Sent: Wed 6/4/2008 10:34 AM
To: Yale CAS mailing list
Subject: Re: Proxy Granting Tickets (PGT tickets) + JDBCTicketRegistry 
+CasServer 3.0.7


PGTIOUs are not valid ticket identifiers.  You should be requesting PGTs

-Scott


2008/6/4 Rahul Bhardwaj <[EMAIL PROTECTED]>:


        I tried with the DefaultTicketRegistry and I still get a similar error.
         
        Here are some more details for a better understanding of the situation 
(when used with the default ticket registry):
        - We are using Spring/Acegi in the project with Websphere 6.0.2.19 
and JDK 1.4.2
        - User tries to access AppA
        - It results in redirecting to CAS
        - On successful login, user is redirected to AppA - During this step I 
noticed that when I was using the JdbcTicketRegistry, the addTicket method was 
called thrice. None of those calls were for pgtIou
        - AppA makes a request to AppB from server side logic and provides the  
CasProcessFilter.CAS_STATELESS_IDENTIFIER and pgt from 
CasAuthenticationToken.getProxyGrantingTicketIou()
        - AppB reports the error of invalid token. During debug mode I can see 
that the proxy granting ticket looked like a valid token. Also if you see my 
previous email, CAS complained that "Ticket 
[PGTIOU-2-GgOQjXvaUrBrEsVaoShObWVlbnbSAqr9wgK-localhost is of type class 
org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl when we were 
expecting interface org.jasig.cas.ticket.ServiceTicket". This to me suggests 
that CAS is receiving the correct ticket but somehow not finding it.
         
        I will appreciate any help on this.
         
        Please find attached the case-servlet.xml file and 
applicationContext.xml files
         
        Thanks
        Rahul
         
         
        [6/4/08 2:42:49:795 EDT] 00000055 SystemOut     O [EMAIL PROTECTED],authenticationHandlerClass=interface org.jasig.cas.authentication.handler.AuthenticationHandler,publishedDate=1212561769780,timestamp=1212561769780]
        [6/4/08 2:42:49:905 EDT] 00000055 Authenticatio I org.jasig.cas.authentication.AuthenticationManagerImpl authenticate AuthenticationHandler: $Proxy215 successfully authenticated the user which provided the following credentials: rbhardwaj
        [6/4/08 2:42:49:920 EDT] 00000055 SystemOut     O [EMAIL PROTECTED],ticketId=TGT-2-fj9XFXckBnJ9cfo94dYwpfzKMq5nysWY1O9-localhost,publishedDate=1212561769920,timestamp=1212561769920]
        [6/4/08 2:42:50:014 EDT] 00000055 CentralAuthen I org.jasig.cas.CentralAuthenticationServiceImpl grantServiceTicket Granted service ticket [ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost] for service [https://localhost:9444/AppA/j_acegi_cas_security_check] for user [rbhardwaj]
        [6/4/08 2:42:50:014 EDT] 00000055 SystemOut     O [EMAIL PROTECTED],ticketId=ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost,publishedDate=1212561770014,timestamp=1212561770014]
        [6/4/08 2:42:50:170 EDT] 00000048 SystemOut     O [EMAIL PROTECTED],authenticationHandlerClass=interface org.jasig.cas.authentication.handler.AuthenticationHandler,publishedDate=1212561770170,timestamp=1212561770170]
        [6/4/08 2:42:50:280 EDT] 00000048 Authenticatio I org.jasig.cas.authentication.AuthenticationManagerImpl authenticate AuthenticationHandler: $Proxy215 successfully authenticated the user which provided the following credentials: https://localhost:9444/App/casProxy/receptor
        [6/4/08 2:42:50:280 EDT] 00000048 SystemOut     O [EMAIL PROTECTED],ticketId=TGT-3-N1ipgNUEB6lrwTnxrrvZPvD2df0D2QHtbY6-localhost,publishedDate=1212561770280,timestamp=1212561770280]
        [6/4/08 2:42:50:280 EDT] 00000048 SystemOut     O [EMAIL PROTECTED],ticketId=ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost,publishedDate=1212561770280,timestamp=1212561770280]
        [6/4/08 2:42:50:451 EDT] 00000048 SystemOut     O chain size is : 1
        [6/4/08 2:42:50:451 EDT] 00000048 SystemOut     O authenticationReq : [EMAIL PROTECTED] Jun 04 02:42:49 EDT 2008,principal=rbhardwaj,attributes={}]
        [6/4/08 2:42:50:451 EDT] 00000048 SystemOut     O pgtIou in request : PGTIOU-2-nd9TU0nyndkLyOMoGvRfVSWLkTdwzmOSGRt-localhost
        [6/4/08 2:42:50:451 EDT] 00000048 SystemOut     O assertion.chainedAuthentications[chainSize-1].principal.id ) rbhardwaj
        [6/4/08 2:42:50:451 EDT] 00000048 SystemOut     O principal is : rbhardwaj

        [6/4/08 2:43:15:014 EDT] 00000048 SystemOut     O [EMAIL PROTECTED],authenticationHandlerClass=interface org.jasig.cas.authentication.handler.AuthenticationHandler,publishedDate=1212561795014,timestamp=1212561795014]
        [6/4/08 2:43:15:108 EDT] 00000048 Authenticatio I 
org.jasig.cas.authentication.AuthenticationManagerImpl authenticate 
AuthenticationHandler: $Proxy215 successfully authenticated the user which 
provided the following credentials: 
https://localhost:9444/AppB/casProxy/receptor
        [6/4/08 2:43:15:202 EDT] 00000048 ServiceValida E 
org.jasig.cas.web.ServiceValidateController handleRequestInternal 
TicketException generating ticket for: 
https://localhost:9444/AppB/casProxy/receptor
                                         
org.jasig.cas.ticket.InvalidTicketException
         at 
org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:202)
 

         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
         at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
         at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
         at java.lang.reflect.Method.invoke(Method.java:391)
         at 
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:299)
         at 
org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:172)
         at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:139)
         at 
org.jasig.cas.event.advice.CentralAuthenticationServiceMethodInterceptor.invoke(CentralAuthenticationServiceMethodInterceptor.java:41)
         at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
         at 
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
        
         at $Proxy216.delegateTicketGrantingTicket(Unknown Source) 

         at 
org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
         at 
org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
         at 
org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
         at 
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
         at 
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
         at 
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
         at 
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
         at 
org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
         at 
com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1572)
         at 
com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:762)
         at 
com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:89)
         at 
com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1924)
         at 
com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:112)
         at 
com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:472)
         at 
com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:411)
         at 
com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:288)
         at 
com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:950)
        
         at 
com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInboundPostHandshake(SSLConnectionLink.java:657)
         at 
com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyHandshakeCompletedCallback.complete(SSLConnectionLink.java:364)
         at 
com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:760)
         at 
com.ibm.ws.ssl.channel.impl.SSLHandshakeIOCallback.complete(SSLHandshakeIOCallback.java:70)
 

         at 
com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:566)
         at 
com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:619)
         at 
com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:952)
         at 
com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1039)
         at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1471)
        

________________________________

        From: [EMAIL PROTECTED] on behalf of Rahul Bhardwaj
        Sent: Wed 6/4/2008 12:50 AM
        To: [email protected]
        Subject: Proxy Granting Tickets (PGT tickets) + JDBCTicketRegistry + 
CasServer 3.0.7
        
        
        Hi Everyone,
         
        In my project, we use Cas Server 3.0.7. Since we have 
a clustered environment we are using JDBCTicketRegistry as documented on CAS 
confluence. 
         
        I am trying to secure remote invocations from App A to App B by relying 
on the proxy ticket. The problem is that the CAS server always errors out with 
the exception given below. The basic problem is that although the CAS Server 
webapp is generating and passing the PGTIOU ticket, it is never saved in the 
database. When App B tries to authenticate the user with the PGTIOU ticket, 
since it is not present in the database, the JdbcTicketRegistry class creates 
an expired ticket. All this is happening in my development desktop and there is 
no clustering in there.
         
        I have the following queries:
        1 - Since database is not used for storing PGTIOUs, why is CAS trying 
to read it from JDBCTicketRegistry on validation? Am I doing something wrong?
        2 - How can I configure/customize CAS to use JDBCTicketRegistry for 
proxy tickets as well?
         
        Thanks
        Rahul
         
        PS: Please ignore the ClassCastException for 
org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl. The root 
problem is that the JdbcTicketRegistry is being invoked but the ticket was 
never saved in the database in the first place. I also confirmed this by 
debugging the registry and seeing all the tickets that were saved using it.
         
         
        [6/4/08 0:12:36:185 EDT] 00000048 ServletWrappe E   SRVE0068E: Could 
not invoke the service() method on servlet cas. Exception thrown : 
org.springframework.web.util.NestedServletException: Request processing failed; 
nested exception is java.lang.ClassCastException: Ticket 
[PGTIOU-2-GgOQjXvaUrBrEsVaoShObWVlbnbSAqr9wgK-localhost is of type class 
org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl when we were 
expecting interface org.jasig.cas.ticket.ServiceTicket
        Caused by: java.lang.ClassCastException: Ticket 
[PGTIOU-2-GgOQjXvaUrBrEsVaoShObWVlbnbSAqr9wgK-localhost is of type class 
org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl when we were 
expecting interface org.jasig.cas.ticket.ServiceTicket
         at 
org.jasig.cas.ticket.registry.AbstractTicketRegistry.getTicket(AbstractTicketRegistry.java:42)
         at 
org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:198)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
         at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
         at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
         at java.lang.reflect.Method.invoke(Method.java:391)
         at 
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:299)
         at 
org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:172)
         at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:139)
         at 
org.jasig.cas.event.advice.CentralAuthenticationServiceMethodInterceptor.invoke(CentralAuthenticationServiceMethodInterceptor.java:41)
         at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
         at 
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
         at $Proxy1.delegateTicketGrantingTicket(Unknown Source)
         at 
org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159)
         at 
org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
         at 
org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
         at 
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819)
         at 
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754)
         at 
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399)
         at 
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
         at 
org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
         at 
com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1572)
         at 
com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:762)
         at 
com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:89)
         at 
com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1924)
         at 
com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:112)
         at 
com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:472)
         at 
com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:411)
         at 
com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:288)
         at 
com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:950)
         at 
com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyReadCompletedCallback.complete(SSLConnectionLink.java:582)
         at 
com.ibm.ws.ssl.channel.impl.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1704)
         at 
com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:566)
         at 
com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:619)
         at 
com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:952)
         at 
com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1039)
         at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1471)
        
         
         

        _______________________________________________
        Yale CAS mailing list
        [email protected]
        http://tp.its.yale.edu/mailman/listinfo/cas
        
        




-- 
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia 
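
The PGTIOU-versus-PGT distinction from the reply above, as an added example that is not code from this thread, from CAS, or from Acegi: in the CAS 2.0 protocol the validation response names only a PGTIOU, the real PGT arrives at the proxy callback URL as `pgtId` next to `pgtIou`, and the client sends that PGT in the `pgt` parameter of `/proxy`. The class name, the in-memory map, the hosts and all ticket values are constructed assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

// Added illustration (hypothetical class): a PGTIOU is only a lookup key for the PGT.
public class PgtIouExample {
    // PGTIOU -> PGT pairs delivered to the proxy callback URL (in-memory, single node).
    private final Map<String, String> pgtByIou = new ConcurrentHashMap<>();
    private static final Pattern IOU_ELEMENT = Pattern.compile(
        "<cas:proxyGrantingTicket>\\s*(PGTIOU-[^<\\s]+)\\s*</cas:proxyGrantingTicket>");

    // Step 1: CAS calls the callback URL with pgtIou and pgtId (the real PGT).
    public void onProxyCallback(String pgtIou, String pgtId) {
        if (pgtIou != null && pgtId != null) {
            pgtByIou.put(pgtIou, pgtId);
        }
    }

    // Step 2: the validation response names only the PGTIOU; trade it for the PGT.
    public String resolvePgt(String validationXml) {
        var m = IOU_ELEMENT.matcher(validationXml);
        if (!m.find()) {
            throw new IllegalStateException("validation response carries no PGTIOU");
        }
        String pgt = pgtByIou.remove(m.group(1)); // single use: drop the pair once read
        if (pgt == null) {
            throw new IllegalStateException("no PGT was delivered for " + m.group(1));
        }
        return pgt;
    }

    // Step 3: ask /proxy for a proxy ticket; the pgt parameter must be the PGT itself.
    public static String proxyRequestUrl(String casBase, String pgt, String targetService) {
        if (pgt.startsWith("PGTIOU-")) {
            throw new IllegalArgumentException("a PGTIOU is not a ticket id; resolve its PGT");
        }
        return casBase + "/proxy?pgt=" + URLEncoder.encode(pgt, StandardCharsets.UTF_8)
            + "&targetService=" + URLEncoder.encode(targetService, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        PgtIouExample client = new PgtIouExample();
        // Constructed sample values, not taken from a real server.
        client.onProxyCallback("PGTIOU-1-exampleIou-localhost", "TGT-9-examplePgt-localhost");
        String xml = "<cas:serviceResponse><cas:authenticationSuccess>"
            + "<cas:user>alice</cas:user><cas:proxyGrantingTicket>PGTIOU-1-exampleIou-localhost"
            + "</cas:proxyGrantingTicket></cas:authenticationSuccess></cas:serviceResponse>";
        String pgt = client.resolvePgt(xml);
        System.out.println(proxyRequestUrl("https://cas.example.org/cas", pgt,
            "https://appb.example.org/AppB/"));
    }
}
```

In a clustered deployment the PGTIOU-to-PGT map has to be shared between nodes, because the callback and the validation response can arrive on different servers.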
