Hello Scott Thanks for that I'll check out the things you've mentioned.
Luminis doesn't seem to be changing the service url as demonstrated below. It's definitely the same service url that is generated at the client end, sent back by the CAS server and then generated again by the client for checking,based on the info I've included below. It does make the error message a bit odd! STOP PRESS :) Here was a url that worked http://resolverdev.shef.ac.uk:800/?http://www.shef.ac.uk <http://resolverdev.shef.ac.uk:800/?http://www.shef.ac.uk&ticket=ST-6-3Tc> If I add a param with an url encoded space http://resolverdev.shef.ac.uk:800/?http://www.shef.ac.uk <http://resolverdev.shef.ac.uk:800/?http://www.shef.ac.uk&ticket=ST-6-3Tc>?param=123456%20789 It doesn't work 2008-06-13 16:36:09,462 - DEBUG org.jasig.cas.client.authentication.AuthenticationFilter - no ticket and no assertion found 2008-06-13 16:36:09,463 - DEBUG org.jasig.cas.client.util.CommonUtils - serviceUrl generated: http://resolverdev.shef.ac.uk:800/?http://www.shef.ac.uk?param=123456%20789 2008-06-13 16:36:09,463 - DEBUG org.jasig.cas.client.authentication.AuthenticationFilter - redirecting to "https://luminis.shef.ac.uk/cp/cas/login?service=http%3A%2F%2Fresolverdev.shef.ac.uk%3A800%2F%3Fhttp%3A%2F%2Fwww.shef.ac.uk%3Fparam%3D123456%2520789"; 2008-06-13 16:36:25,089 - DEBUG org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter - Attempting to validate ticket: ST-19-7aTgJKzCw1BzdmFCIvjl 2008-06-13 16:36:25,090 - DEBUG org.jasig.cas.client.util.CommonUtils - serviceUrl generated: http://resolverdev.shef.ac.uk:800/?http://www.shef.ac.uk?param=123456%20789 2008-06-13 16:36:25,100 - WARN org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter - org.jasig.cas.client.validation.TicketValidationException: ticket 'ST-19-7aTgJKzCw1BzdmFCIvjl' does not match supplied service If I add a param without a space http://resolverdev.shef.ac.uk:800/?http://www.shef.ac.uk <http://resolverdev.shef.ac.uk:800/?http://www.shef.ac.uk&ticket=ST-6-3Tc>?param=123456789* * It does work. Is this expected behavior from the CAS client ? The %20 seems to be breaking the comparison test even though the urls are exactly the same. Cheers Nomit Scott Battaglia wrote: > Hi, > > I'm not sure what version of Luminis you are using but if I recall > correctly certain versions may exhibit issues with URL encoding (I > can't recall exactly). > > You can also try upgrading to CAS Client for Java 3.1.3-rc3 (though > the final will probably be out later today) which is located in the > JASIG Maven2 Repository. I don't believe we've changed any of the > logic for generating service urls though. > > In either CAS, when doing a redirect and a validation attempt, the CAS > Client attempts to generate the service urls using the same method, so > unless the URL is coming back slightly changed or its being stored in > the CAS server differently, it should always match. > > -Scott > > -Scott Battaglia > PGP Public Key Id: 0x383733AA > LinkedIn: http://www.linkedin.com/in/scottbattaglia > > On Fri, Jun 13, 2008 at 9:47 AM, nomit <[EMAIL PROTECTED] > <mailto:[EMAIL PROTECTED]>> wrote: > > Hello Andrew > > Many thanks for you reply. > > I've turned on debugging and this produces the following > > > 2008-06-13 14:34:24,759 - DEBUG > org.jasig.cas.client.authentication.AuthenticationFilter - no > ticket and > no assertion found > 2008-06-13 14:34:24,760 - DEBUG > org.jasig.cas.client.util.CommonUtils - > serviceUrl generated: > > http://resolverdev.shef.ac.uk:800/?http://proquest.umi.com/pqdlink?Ver=1&Exp=02-19-2008&REQ=3&Cert=8RkgPFRptdR2FO9BI6WZzTyJQZzJBUi00ivY5SNt%20cgZLOA5G9YvJ2/7Ga9kCse4ZZL2e7vJqwjFoqZw%20P6VJ/YIAo0QQPHG&pub=37932 > 2008-06-13 > > <http://resolverdev.shef.ac.uk:800/?http://proquest.umi.com/pqdlink?Ver=1&Exp=02-19-2008&REQ=3&Cert=8RkgPFRptdR2FO9BI6WZzTyJQZzJBUi00ivY5SNt%20cgZLOA5G9YvJ2/7Ga9kCse4ZZL2e7vJqwjFoqZw%20P6VJ/YIAo0QQPHG&pub=379322008-06-13> > 14:34:24,760 - DEBUG > org.jasig.cas.client.authentication.AuthenticationFilter - redirecting > to > > "https://luminis.shef.ac.uk/cp/cas/login?service=http%3A%2F%2Fresolverdev.shef.ac.uk%3A800%2F%3Fhttp%3A%2F%2Fproquest.umi.com%2Fpqdlink%3FVer%3D1%26Exp%3D02-19-2008%26REQ%3D3%26Cert%3D8RkgPFRptdR2FO9BI6WZzTyJQZzJBUi00ivY5SNt%2520cgZLOA5G9YvJ2%2F7Ga9kCse4ZZL2e7vJqwjFoqZw%2520P6VJ%2FYIAo0QQPHG%26pub%3D37932"; > > > 2008-06-13 14:34:50,618 - DEBUG > org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter > - Attempting to validate ticket: ST-12-LNRtCbHqQCrgJHYGnEB9 > 2008-06-13 14:34:50,618 - DEBUG > org.jasig.cas.client.util.CommonUtils - > serviceUrl generated: > > http://resolverdev.shef.ac.uk:800/?http://proquest.umi.com/pqdlink?Ver=1&Exp=02-19-2008&REQ=3&Cert=8RkgPFRptdR2FO9BI6WZzTyJQZzJBUi00ivY5SNt%20cgZLOA5G9YvJ2/7Ga9kCse4ZZL2e7vJqwjFoqZw%20P6VJ/YIAo0QQPHG&pub=37932 > 2008-06-13 > > <http://resolverdev.shef.ac.uk:800/?http://proquest.umi.com/pqdlink?Ver=1&Exp=02-19-2008&REQ=3&Cert=8RkgPFRptdR2FO9BI6WZzTyJQZzJBUi00ivY5SNt%20cgZLOA5G9YvJ2/7Ga9kCse4ZZL2e7vJqwjFoqZw%20P6VJ/YIAo0QQPHG&pub=379322008-06-13> > 14:34:50,645 - WARN > org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter > - org.jasig.cas.client.validation.TicketValidationException: > ticket 'ST-12-LNRtCbHqQCrgJHYGnEB9' does not match supplied service > > org.jasig.cas.client.validation.TicketValidationException: > ticket 'ST-12-LNRtCbHqQCrgJHYGnEB9' does not match supplied service > > at org.jasig.cas..... > > > The cas server gets: > > > https://luminis.shef.ac.uk/cp/home/displaylogin?goto=https://luminis.shef.ac.uk/cp/cas/login?service=http://resolverdev.shef.ac.uk:800/?http://proquest.umi.com/pqdlink?Ver=1&Exp=02-19-2008&REQ=3&Cert=8RkgPFRptdR2FO9BI6WZzTyJQZzJBUi00ivY5SNt%20cgZLOA5G9YvJ2/7Ga9kCse4ZZL2e7vJqwjFoqZw%20P6VJ/YIAo0QQPHG&pub=37932 > > <https://luminis.shef.ac.uk/cp/home/displaylogin?goto=https://luminis.shef.ac.uk/cp/cas/login?service=http://resolverdev.shef.ac.uk:800/?http://proquest.umi.com/pqdlink?Ver=1&Exp=02-19-2008&REQ=3&Cert=8RkgPFRptdR2FO9BI6WZzTyJQZzJBUi00ivY5SNt%20cgZLOA5G9YvJ2/7Ga9kCse4ZZL2e7vJqwjFoqZw%20P6VJ/YIAo0QQPHG&pub=37932> > > where > service= > > http://resolverdev.shef.ac.uk:800/?http://proquest.umi.com/pqdlink?Ver=1&Exp=02-19-2008&REQ=3&Cert=8RkgPFRptdR2FO9BI6WZzTyJQZzJBUi00ivY5SNt%20cgZLOA5G9YvJ2/7Ga9kCse4ZZL2e7vJqwjFoqZw%20P6VJ/YIAo0QQPHG&pub=37932 > > <http://resolverdev.shef.ac.uk:800/?http://proquest.umi.com/pqdlink?Ver=1&Exp=02-19-2008&REQ=3&Cert=8RkgPFRptdR2FO9BI6WZzTyJQZzJBUi00ivY5SNt%20cgZLOA5G9YvJ2/7Ga9kCse4ZZL2e7vJqwjFoqZw%20P6VJ/YIAo0QQPHG&pub=37932> > > I've diff-ed these and they look to be the same > > Cheers > > Nomit > > > Andrew R Feller wrote: > > nomit, > > > > This means that a CAS client was attempting to validate a > service ticket > > that was generated for another service. To determine the > service the > > ticket was created for: > > > > 1. Make sure you are logged out of CAS > > 2. Access the CAS protected application, which will redirect you > to the > > CAS login page > > 3. Examine the URL for the CAS login page for the service parameter > > > > This service parameter is what the CAS server uses in generating the > > service ticket. If you turn on debugging with the CAS client, > it will > > output the information it is sending to the CAS server to > validate the > > ticket. You can match the URLs and see if they are the same or not; > > according to CAS, they aren't. > > > > HTH, > > > > Andrew R Feller, Analyst > > University Information Systems > > 200 Fred Frey Building > > Louisiana State University > > Baton Rouge, LA, 70803 > > (225) 578-3737 (Office) > > (225) 578-6400 (Fax) > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > <mailto:[EMAIL PROTECTED]> > [mailto:[EMAIL PROTECTED] > <mailto:[EMAIL PROTECTED]>] > > On Behalf Of nomit > > Sent: Friday, June 13, 2008 4:42 AM > > To: [email protected] <mailto:[email protected]> > > Subject: JA-SIG CAS Java Client 3.1.1 problems > > > > Hello! > > Hope someone can give me clue to what to do next. > > > > I've searched the archives and googled but can't find anyone > with the > > same issue. > > > > I'm using JA-SIG CAS Java Client 3.1.1 to protect the a webapp in > > Tomcat (tested in 5.5.12 and 5.5.23). > > Here are 3 sniffed example urls that are being returned to the CAS > > filters in the webapp after successful authentication at our CAS > server. > > > > > http://resolverdev.shef.ac.uk:800/?http://infotrac.galegroup.com/itweb/s > > u_uk?db=ecco&ticket=ST-5-Ypiy9c6ITVg1hKoEBTTJ > > > > > http://resolverdev.shef.ac.uk:800/?http://www.shef.ac.uk&ticket=ST-6-3Tc > <http://resolverdev.shef.ac.uk:800/?http://www.shef.ac.uk&ticket=ST-6-3Tc> > > 8tA8Od8oni1eCiUhS > > > > These work fine, with the CAS filter letting the request through. > > > > However this url > > > > > http://resolverdev.shef.ac.uk:800/?http://proquest.umi.com/pqdlink?Ver=1 > > > &Exp=02-19-2008&REQ=3&Cert=8RkgPFRptdR2FO9BI6WZzTyJQZzJBUi00ivY5SNt%20cg > > > ZLOA5G9YvJ2/7Ga9kCse4ZZL2e7vJqwjFoqZw%20P6VJ/YIAo0QQPHG&pub=37932&ticket > > =ST-4-W73WEvS79X0eLp0ASxxo > > > > fails with > > > > 2008-06-13 10:08:25,858 - WARN > > > org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilte > > r > > - org.jasig.cas.client.validation.TicketValidationException: > > ticket 'ST-4-W73WEvS79X0eLp0ASxxo' does not match supplied > service > > > > org.jasig.cas.client.validation.TicketValidationException: > > ticket 'ST-4-W73WEvS79X0eLp0ASxxo' does not match supplied > service > > > > at > > > org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseRespons > > eFromServer(Cas20ServiceTicketValidator.java:65) > > at > > > org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate > > (AbstractUrlBasedTicketValidator.java:165) > > at > > > org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter( > > AbstractTicketValidationFilter.java:129) > > at > > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica > > tionFilterChain.java:202) > > at > > > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt > > erChain.java:173) > > at > > > org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(Authen > > ticationFilter.java:103) > > at > > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica > > tionFilterChain.java:202) > > at > > > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt > > erChain.java:173) > > at > > > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValv > > e.java:213) > > at > > > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValv > > e.java:178) > > at > > > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java > > :126) > > at > > > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java > > :105) > > at > > > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve. > > java:107) > > at > > > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:1 > > 48) > > at > > > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:86 > > 8) > > at > > > org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.proc > > essConnection(Http11BaseProtocol.java:663) > > at > > > org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint > > .java:527) > > at > > > org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollow > > erWorkerThread.java:80) > > at > > > org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool > > .java:684) > > at java.lang.Thread.run(Thread.java:595) > > > > I'm flummoxed why. The tickets look fine. Hope someone can give me a > > clue to what this error means or how to debug further! > > Any help much appreciated. > > cheeeeeeeeeeeeeeeeeers > > > > > > I'm also adding the CAS part of my web.xml if that is useful: > > > > > > <!-- JA-SIG CAS filters --> > > <filter> > > <filter-name>CAS Authentication Filter</filter-name> > > > > > <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</ > > filter-class> > > <init-param> > > <param-name>casServerLoginUrl</param-name> > > > > <param-value>https://luminis.shef.ac.uk/cp/cas/login</param-value> > > </init-param> > > </filter> > > <filter> > > <filter-name>CAS Validation Filter</filter-name> > > > > > <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketV > > alidationFilter</filter-class> > > <init-param> > > <param-name>casServerUrlPrefix</param-name> > > > > <param-value>https://luminis.shef.ac.uk/cp/cas</param-value> > > </init-param> > > <init-param> > > > <param-name>redirectAfterValidation</param-name> > > <param-value>true</param-value> > > </init-param> > > </filter> > > <filter> > > <filter-name>CAS HttpServletRequest Wrapper > > Filter</filter-name> > > > > > <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter< > > /filter-class> > > </filter> > > > > > > -- > Nomit Babraa > Department of Corporate Information & Computing Services (CiCS) > University of Sheffield > 287 Glossop Rd > Sheffield > S10 2HB > Tel: 0114 222 1162 > > _______________________________________________ > Yale CAS mailing list > [email protected] <mailto:[email protected]> > http://tp.its.yale.edu/mailman/listinfo/cas > > > ------------------------------------------------------------------------ > > _______________________________________________ > Yale CAS mailing list > [email protected] > http://tp.its.yale.edu/mailman/listinfo/cas > -- Nomit Babraa Department of Corporate Information & Computing Services (CiCS) University of Sheffield 287 Glossop Rd Sheffield S10 2HB Tel: 0114 222 1162 _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
