Scott, I found what I needed. I am still trying to achieve SSO for remote invocations after user has logged into one of the app. I was wrong when I was trying to pass PGTIOUs to the other apps. The thing that I was looking for was ProxyTicketReceptor.getProxyTicket() Thanks Rahul
________________________________ From: [EMAIL PROTECTED] on behalf of Scott Battaglia Sent: Wed 6/4/2008 1:20 PM To: Yale CAS mailing list Subject: Re: Proxy Granting Tickets (PGT tickets) + JDBCTicketRegistry+CasServer 3.0.7 I don't know what you're doing that your applications are sending PGTIOUs to the CAS server and why the CAS server is attempting to retrieve them. If you're not familiar with it, you should read the protocol document on how CAS works: http://www.ja-sig.org/products/cas/overview/protocol/index.html -Scott On Wed, Jun 4, 2008 at 1:09 PM, Rahul Bhardwaj <[EMAIL PROTECTED]> wrote: Scott, Can you please point me to the documentation that talks about how to request PGTs? Thanks for your prompt help Rahul ________________________________ From: [EMAIL PROTECTED] on behalf of Scott Battaglia Sent: Wed 6/4/2008 10:34 AM To: Yale CAS mailing list Subject: Re: Proxy Granting Tickets (PGT tickets) + JDBCTicketRegistry +CasServer 3.0.7 PGTIOUs are not valid ticket identifiers. You should be requesting PGTs -Scott 2008/6/4 Rahul Bhardwaj <[EMAIL PROTECTED]>: I tried with the DefaultTicketRegistry and I still get a similar error. Here are some more details for a better understanding of the situation (when used with the default ticket registry): - We are using Spring/Acegi in the project with Websphere 6.0.2.19 <http://6.0.2.19/> <http://6.0.2.19/> and JDK 1.4.2 - User tries to access AppA - It results in redirecting to CAS - On successful login, user is redirected to AppA - During this step I noticed that when I was using the JdbcTicketRegistry, the addTicket method was called thrice. none of those calls were for pgtIou - AppA makes a request to AppB from server side logic and provides the CasProcessFilter.CAS_STATELESS_IDENTIFIER and pgt from CasAuthenticationToken.getProxyGrantingTicketIou() - AppB reports the error of invalid token. During debug mode I can see that the proxy granting ticket looked like a valid token. Also if you see my previous email, CAS complained that "Ticket [PGTIOU-2-GgOQjXvaUrBrEsVaoShObWVlbnbSAqr9wgK-localhost is of type class org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl when we were expecting interface org.jasig.cas.ticket.ServiceTicket". This to me suggests that CAS is receiving the correct ticket but somehow not finding it. I will appreciate any help on this. Please find attached the case-servlet.xml file and applicationContext.xml files Thanks Rahul [6/4/08 2:42:49:795 EDT] 00000055 SystemOut O [EMAIL PROTECTED],authenticationHandlerClass=interface <mailto:[EMAIL PROTECTED],authenticationHandlerClass=interface> org.jasig.cas.authentication.handler.AuthenticationHandler,publishedDate=1212561769780,timestamp=1212561769780] [6/4/08 2:42:49:905 EDT] 00000055 Authenticatio I org.jasig.cas.authentication.AuthenticationManagerImpl authenticate AuthenticationHandler: $Proxy215 successfully authenticated the user which provided the following credentials: rbhardwaj [6/4/08 2:42:49:920 EDT] 00000055 SystemOut O [EMAIL PROTECTED],ticketId=TGT-2-fj9XFXckBnJ9cfo94dYwpfzKMq5nysWY1O9-localhost,publishedDate=1212561769920,timestamp=1212561769920 <mailto:[EMAIL PROTECTED],ticketId=TGT-2-fj9XFXckBnJ9cfo94dYwpfzKMq5nysWY1O9-localhost,publishedDate=1212561769920,timestamp=1212561769920> ] [6/4/08 2:42:50:014 EDT] 00000055 CentralAuthen I org.jasig.cas.CentralAuthenticationServiceImpl grantServiceTicket Granted service ticket [ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost] for service [https://localhost:9444/AppA/j_acegi_cas_security_check] for user [rbhardwaj] [6/4/08 2:42:50:014 EDT] 00000055 SystemOut O [EMAIL PROTECTED],ticketId=ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost,publishedDate=1212561770014,timestamp=1212561770014 <mailto:[EMAIL PROTECTED],ticketId=ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost,publishedDate=1212561770014,timestamp=1212561770014> ] [6/4/08 2:42:50:170 EDT] 00000048 SystemOut O [EMAIL PROTECTED],authenticationHandlerClass=interface <mailto:[EMAIL PROTECTED],authenticationHandlerClass=interface> org.jasig.cas.authentication.handler.AuthenticationHandler,publishedDate=1212561770170,timestamp=1212561770170] [6/4/08 2:42:50:280 EDT] 00000048 Authenticatio I org.jasig.cas.authentication.AuthenticationManagerImpl authenticate AuthenticationHandler: $Proxy215 successfully authenticated the user which provided the following credentials: https://localhost:9444/App/casProxy/receptor [6/4/08 2:42:50:280 EDT] 00000048 SystemOut O [EMAIL PROTECTED],ticketId=TGT-3-N1ipgNUEB6lrwTnxrrvZPvD2df0D2QHtbY6-localhost,publishedDate=1212561770280,timestamp=1212561770280 <mailto:[EMAIL PROTECTED],ticketId=TGT-3-N1ipgNUEB6lrwTnxrrvZPvD2df0D2QHtbY6-localhost,publishedDate=1212561770280,timestamp=1212561770280> ] [6/4/08 2:42:50:280 EDT] 00000048 SystemOut O [EMAIL PROTECTED],ticketId=ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost,publishedDate=1212561770280,timestamp=1212561770280 <mailto:[EMAIL PROTECTED],ticketId=ST-2-bpsAkKtfOdXFdT22duiVNacgveFDS0llcvH-localhost,publishedDate=1212561770280,timestamp=1212561770280> ] [6/4/08 2:42:50:451 EDT] 00000048 SystemOut O chain size is : 1 [6/4/08 2:42:50:451 EDT] 00000048 SystemOut O authenticationReq : [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> Jun 04 02:42:49 EDT 2008,principal=rbhardwaj,attributes={}] [6/4/08 2:42:50:451 EDT] 00000048 SystemOut O pgtIou in request : PGTIOU-2-nd9TU0nyndkLyOMoGvRfVSWLkTdwzmOSGRt-localhost [6/4/08 2:42:50:451 EDT] 00000048 SystemOut O assertion.chainedAuthentications[chainSize-1].principal.id <http://principal.id/> <http://principal.id/> ) rbhardwaj [6/4/08 2:42:50:451 EDT] 00000048 SystemOut O principal is : rbhardwaj [6/4/08 2:43:15:014 EDT] 00000048 SystemOut O [EMAIL PROTECTED],authenticationHandlerClass=interface <mailto:[EMAIL PROTECTED],authenticationHandlerClass=interface> org.jasig.cas.authentication.handler.AuthenticationHandler,publishedDate=1212561795014,timestamp=1212561795014] [6/4/08 2:43:15:108 EDT] 00000048 Authenticatio I org.jasig.cas.authentication.AuthenticationManagerImpl authenticate AuthenticationHandler: $Proxy215 successfully authenticated the user which provided the following credentials: https://localhost:9444/AppB/casProxy/receptor [6/4/08 2:43:15:202 EDT] 00000048 ServiceValida E org.jasig.cas.web.ServiceValidateController handleRequestInternal TicketException generating ticket for: https://localhost:9444/AppB/casProxy/receptor org.jasig.cas.ticket.InvalidTicketException at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:202) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60) at java.lang.reflect.Method.invoke(Method.java:391) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:299) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:139) at org.jasig.cas.event.advice.CentralAuthenticationServiceMethodInterceptor.invoke(CentralAuthenticationServiceMethodInterceptor.java:41) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202) at $Proxy216.delegateTicketGrantingTicket(Unknown Source) at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159) at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399) at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354) at javax.servlet.http.HttpServlet.service(HttpServlet.java:743) at javax.servlet.http.HttpServlet.service(HttpServlet.java:856) at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115) at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1572) at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:762) at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:89) at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1924) at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:112) at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:472) at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:411) at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:288) at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:950) at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInboundPostHandshake(SSLConnectionLink.java:657) at com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyHandshakeCompletedCallback.complete(SSLConnectionLink.java:364) at com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:760) at com.ibm.ws.ssl.channel.impl.SSLHandshakeIOCallback.complete(SSLHandshakeIOCallback.java:70) at com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:566) at com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:619) at com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:952) at com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1039) at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1471) ________________________________ From: [EMAIL PROTECTED] on behalf of Rahul Bhardwaj Sent: Wed 6/4/2008 12:50 AM To: [email protected] Subject: Proxy Granting Tickets (PGT tickets) + JDBCTicketRegistry + CasServer 3.0.7 Hi Everyone, In my project, we use Cas Server 3.0.7. <http://3.0.7./> <http://3.0.7./> Since we have a clustered environment we are using JDBCTicketRegistry as documented on CAS confluence. I am trying to secure remote invocations from App A to App B by relying on the proxy ticket. The problem is that the CAS server always errors out with the exception given below. The basic problem is that although the CAS Server webapp is generating and passing the PGTIOU ticket, it is never saved in the database. When App B tries to authenticate the user with the PGTIOU ticket, since it is not present in the database, the JdbcTicketRegistry class creates an expired ticket. All this is happening in my development desktop and there is no clustering in there. I have the following queries: 1 - Since database is not used for storing PGTIOUs, why is CAS trying to read it from JDBCTicketRegistry on validation? Am I doing something wrong? 2 - How can I configure/customize CAS to use JDBCTicketRegistry for proxy tickets as well Thanks Rahul PS: Please ignore the ClassCastException for org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl. The root problem is that the JdbcTicketRegistry is being invoked but the ticket was never saved in the database in the first place. I also confirmed this by debugging the registry and seeing all the tickets that were saved using it. [6/4/08 0:12:36:185 EDT] 00000048 ServletWrappe E SRVE0068E: Could not invoke the service() method on servlet cas. Exception thrown : org.springframework.web.util.NestedServletException: Request processing failed; nested exception is java.lang.ClassCastException: Ticket [PGTIOU-2-GgOQjXvaUrBrEsVaoShObWVlbnbSAqr9wgK-localhost is of type class org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl when we were expecting interface org.jasig.cas.ticket.ServiceTicket Caused by: java.lang.ClassCastException: Ticket [PGTIOU-2-GgOQjXvaUrBrEsVaoShObWVlbnbSAqr9wgK-localhost is of type class org.jasig.cas.modules.ticket.JdbcTicketRegistry$ExpiredTicketImpl when we were expecting interface org.jasig.cas.ticket.ServiceTicket at org.jasig.cas.ticket.registry.AbstractTicketRegistry.getTicket(AbstractTicketRegistry.java:42) at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:198) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60) at java.lang.reflect.Method.invoke(Method.java:391) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:299) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:139) at org.jasig.cas.event.advice.CentralAuthenticationServiceMethodInterceptor.invoke(CentralAuthenticationServiceMethodInterceptor.java:41) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202) at $Proxy1.delegateTicketGrantingTicket(Unknown Source) at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:159) at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:819) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:754) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:399) at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:354) at javax.servlet.http.HttpServlet.service(HttpServlet.java:743) at javax.servlet.http.HttpServlet.service(HttpServlet.java:856) at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115) at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1572) at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:762) at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:89) at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1924) at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:112) at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:472) at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:411) at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:288) at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:950) at com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyReadCompletedCallback.complete(SSLConnectionLink.java:582) at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1704) at com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:566) at com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:619) at com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:952) at com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1039) at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1471) _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas -- -Scott Battaglia PGP Public Key Id: 0x383733AA LinkedIn: http://www.linkedin.com/in/scottbattaglia _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas -- -Scott Battaglia PGP Public Key Id: 0x383733AA LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
