I'm working with CAS (server version 3.2) and spring-security (version 2.0.3 
with cas-client-core 3.1.3) and I have everything working fine over http with 
both the server and my client app deployed on my local tomcat server. However, 
when I switched over to https I started getting the following exception when 
trying to log in:

2008-07-16 13:43:05,774 ERROR [AbstractCasProtocolUrlBasedTicketValidator.java:49] : java.io.IOException: HTTPS hostname wrong:  should be <[my ip address]>
java.io.IOException: HTTPS hostname wrong:  should be <[my ip address]>
   at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(HttpsClient.java:490)
   at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:415)
   at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
   at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:934)
   at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
   at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:35)
   at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
   at org.springframework.security.providers.cas.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:145)
   at org.springframework.security.providers.cas.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:131)
   at org.springframework.security.providers.ProviderManager.doAuthentication(ProviderManager.java:195)

Where [my ip address] was my actual IP address since that's what I was using 
for all the urls. In looking at the source, checkURLSpoofing fails when calling 
"hostnameverifier.verify(s, session)" and after debugging into it, the host 
name verifier being used was 
javax.net.ssl.HttpsURLConnection.DefaultHostnameVerifier which always just 
returns false.  After more testing I found that if I change all the urls over 
to use my computer name instead of the IP address it all started working fine 
over http and https.  Any idea why that would be the case?  If it makes any 
difference I'm in the process of upgrading from acegisecurity to 
spring-security and I used to have a bunch of custom logic to allow for http 
traffic during testing/development, but I've removed most of that since it no 
longer seems necessary with the latest code.

Thanks

_______________________________________________
Yale CAS mailing list
http://tp.its.yale.edu/mailman/listinfo/cas
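
Added example (not part of the original message, and not CAS or JDK code): a simplified model of the RFC 2818 section 3.1 matching rule that HTTPS clients apply, showing why an IP-literal URL is rejected while the machine name is accepted. The certificate contents, the host name devbox.example.test and the address 192.0.2.10 are constructed assumptions; the post does not show the actual certificate.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

public class HostnameMatchDemo {
    // GeneralName type codes, as returned by X509Certificate.getSubjectAlternativeNames()
    static final int DNS_NAME = 2, IP_ADDRESS = 7;

    /** Simplified RFC 2818 matching; wildcards and IPv6 literals are left out. */
    static boolean matches(String urlHost, String subjectCn, Collection<List<?>> sans) {
        boolean hostIsIp = urlHost.matches("\\d{1,3}(\\.\\d{1,3}){3}");
        boolean sawDnsSan = false;
        if (sans != null) { // null means the certificate has no subjectAltName extension
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                String value = String.valueOf(san.get(1));
                if (hostIsIp && type == IP_ADDRESS && value.equals(urlHost)) return true;
                if (!hostIsIp && type == DNS_NAME) {
                    sawDnsSan = true;
                    if (value.equalsIgnoreCase(urlHost)) return true;
                }
            }
        }
        // An IP literal is compared only with iPAddress entries; the CN is never consulted.
        if (hostIsIp) return false;
        // The CN is a fallback only when the certificate carries no dNSName entries.
        return !sawDnsSan && subjectCn.equalsIgnoreCase(urlHost);
    }

    public static void main(String[] args) {
        // Constructed sample data: a certificate issued to the machine name only.
        String cn = "devbox.example.test";
        Collection<List<?>> cnOnly = null;
        // Constructed sample data: the same certificate reissued with an iPAddress entry.
        Collection<List<?>> withIp = Arrays.<List<?>>asList(
                Arrays.<Object>asList(DNS_NAME, "devbox.example.test"),
                Arrays.<Object>asList(IP_ADDRESS, "192.0.2.10"));

        System.out.println("CN only, URL uses name: " + matches("devbox.example.test", cn, cnOnly)); // true
        System.out.println("CN only, URL uses IP:   " + matches("192.0.2.10", cn, cnOnly));          // false
        System.out.println("IP SAN,  URL uses IP:   " + matches("192.0.2.10", cn, withIp));          // true
        System.out.println("IP SAN,  URL uses name: " + matches("devbox.example.test", cn, withIp)); // true
    }
}
```

Under these assumptions, either keeping host names in the CAS URLs or reissuing the certificate with an iPAddress subjectAltName entry satisfies the check without replacing the hostname verifier.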
