Hi everybody,

I'm answering my own question.
The problem was the access valve in server.xml (it is necessary to declare 
the application server's IP, or to uncomment the valve).

Hope this helps!
Best regards,

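As an added illustration of the fix above (this is not the poster's configuration, nor code from Apereo CAS or Apache Tomcat), the block below models the allow/deny decision that Tomcat's RemoteAddrValve makes for every request and runs it over the three requests in the quoted Apache log. The valve class is a simplified reimplementation of the documented Tomcat semantics (deny pattern checked first, then allow, each a full-string regex match against the remote address), the request list is constructed from the log lines quoted later in the thread, and the two allow patterns are hypothetical. It shows why a whitelist that covers only the users' network lets /cas/login through but answers the back-channel /cas/serviceValidate call from the application server with 403, and why adding that server's address fixes it.

```python
"""Model of the allow/deny decision that Tomcat's RemoteAddrValve makes
for each request, applied to the three requests in the quoted Apache log.

Simplified reimplementation for illustration (not Tomcat's code).  It mirrors
the documented behaviour of RequestFilterValve.isAllowed(): the deny pattern is
checked first, then the allow pattern, each as a full-string regular-expression
match against the remote address ('|' separates entries); if only deny is set,
unmatched addresses pass; anything else is refused with denyStatus (403 by
default).  The valve never looks at the User-Agent header."""
import re
from typing import NamedTuple, Optional


class RemoteAddrValve:
    def __init__(self, allow: Optional[str] = None,
                 deny: Optional[str] = None, deny_status: int = 403):
        self.allow = re.compile(allow) if allow else None
        self.deny = re.compile(deny) if deny else None
        self.deny_status = deny_status

    def is_allowed(self, remote_addr: str) -> bool:
        # fullmatch reproduces Tomcat's Matcher.matches(): "172.29.52" does
        # not match "172.29.52.88", and an unescaped "." matches any character.
        if self.deny is not None and self.deny.fullmatch(remote_addr):
            return False
        if self.allow is not None and self.allow.fullmatch(remote_addr):
            return True
        if self.deny is not None and self.allow is None:
            return True
        return False

    def status_for(self, remote_addr: str) -> int:
        """200 when the request is passed down the pipeline, denyStatus otherwise."""
        return 200 if self.is_allowed(remote_addr) else self.deny_status


class Request(NamedTuple):
    remote_addr: str
    request: str      # method and path, as in the access log
    user_agent: str


# Constructed from the ssl_access.log lines quoted in the thread: the browser
# at 147.210.233.170 does the login, then the application server (the IdP) at
# 172.29.52.88 validates the service ticket over the back channel with a Java
# HTTP client.
REQUESTS = [
    Request("147.210.233.170", "GET /cas/login", "Mozilla/5.0 ... Chrome/57.0.2987.133"),
    Request("147.210.233.170", "POST /cas/login", "Mozilla/5.0 ... Chrome/57.0.2987.133"),
    Request("172.29.52.88", "GET /cas/serviceValidate", "Java/1.7.0_121"),
]


def evaluate(valve: RemoteAddrValve, requests=REQUESTS) -> dict:
    """Status each request would get from the valve, keyed by method and path."""
    return {r.request: valve.status_for(r.remote_addr) for r in requests}


def blocked(valve: RemoteAddrValve, requests=REQUESTS) -> list:
    """Requests the valve refuses: the ones that show up as 403s in the access log."""
    return sorted(r.request for r in requests if not valve.is_allowed(r.remote_addr))


# Hypothetical allow list covering only loopback and the users' network.
# Browser traffic passes; the ticket-validation call from the IdP is refused
# with 403, which is the symptom reported in the thread.
USERS_ONLY = RemoteAddrValve(allow=r"127\.0\.0\.1|147\.210\.\d+\.\d+")

# The fix from the thread: declare the application server's address as well.
# Every host that will call /serviceValidate (or /p3/serviceValidate,
# /samlValidate, /proxyValidate) must be listed, not just the users' network.
WITH_APP_SERVER = RemoteAddrValve(
    allow=r"127\.0\.0\.1|147\.210\.\d+\.\d+|172\.29\.52\.88")


if __name__ == "__main__":
    for name, valve in (("users only", USERS_ONLY),
                        ("with app server", WITH_APP_SERVER)):
        print(f"{name}: {evaluate(valve)}  blocked={blocked(valve)}")
```

Two caveats when applying this to a real deployment. The address the valve tests is the one Tomcat's connector reports: with Apache in front over AJP that is normally the original client address, but with an HTTP proxy or load balancer that does not preserve it (and no RemoteIpValve ahead of the access valve) it is the proxy's address, so the entry to add may be the proxy's rather than the application server's. And the valve decides purely on the address, so the browser-versus-Java split seen in the log only reflects which host sends which request, not the User-Agent.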
On Friday, 7 April 2017 at 14:47:01 UTC+2, Didier Capdevielle wrote:
>
> Hi everybody,
>
> I'm a newbie in CAS too, and I have the same problem.
>
> I installed a CAS server 4.2.7 with Maven War Overlay, OpenJDK 7 and 
> Tomcat 8.
> I installed an Apache server to redirect requests with AJP.
>
> Directly using CAS, no problem.
>
> But using CAS via an application (an IdP, for example), the same problem 
> occurs.
> Login is OK, but serviceValidate is forbidden.
>
> Here are the logs from Apache's ssl_access.log:
>
> 147.210.233.170 - - [07/Apr/2017:14:01:36 +0200] "GET /cas/login?service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1&entityId=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy HTTP/1.1" 200 9705 "https://idp-ubx.u-bordeaux.fr/WTST/wayf.php?entityID=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy&return=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy%2FShibboleth.sso%2FWAYF%3FSAMLDS%3D1%26target%3Dcookie%253A1491566493_4fae" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
> 147.210.233.170 - - [07/Apr/2017:14:01:45 +0200] "POST /cas/login?service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1&entityId=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy HTTP/1.1" 302 1429 "https://cas3.u-bordeaux.fr/cas/login?service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1&entityId=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
> 172.29.52.88 - - [07/Apr/2017:14:01:45 +0200] "GET /cas/serviceValidate?ticket=ST-4-b9WKP1g9E5K0rgXe5Nwj-cas-ubx&service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1 HTTP/1.1" 403 406 "-" "Java/1.7.0_121"
>
> Looking at the messages, it seems like the browser user-agent is authorized 
> but the Java user-agent (Java/1.7.0_121), and probably other non-browser 
> agents, is blocked.
>
> Are one or more certificates missing? If so, where, and what kind of 
> certificates? What else?
>
> Thanks for your help!
> Best regards,
>
>
>
>   
>
> On Thursday, 19 January 2017 at 22:42:36 UTC+1, Daniel Alzate wrote:
>>
>> Hi, 
>>
>> I'm new to CAS and also the community.
>>
>> I have a new CAS setup working, but I'm facing this same problem reported 
>> by Conan. I wonder if you found a solution or the cause of this issue?
>>
>>
>> Best regards.
>>
>> Daniel.
>>
>> On Friday, May 27, 2016 at 2:33:53 AM UTC-5, Conan Malone wrote:
>>>
>>> cas.log shows nothing at all, and cas-management.log shows the 
>>> '[org.jasig.cas.client.util.CommonUtils] - Server returned HTTP response 
>>> code: 403 for URL:' error that I posted above.  The only apps I have 
>>> installed right now are cas and the management app; I can log into CAS fine 
>>> with casuser and it goes to the 'Login successful' page.
>>>
>>> On Thursday, May 26, 2016 at 5:53:41 PM UTC+1, Misagh Moayyed wrote:
>>>>
>>>> Does the CAS server produce any logs when it attempts to validate that 
>>>> ticket? Can you log into any other apps beside the management webapp? 
>>>>
>>>>  
>>>>
>>>> *From:* cas-...@apereo.org [mailto:cas-...@apereo.org] *On Behalf Of* Conan Malone
>>>> *Sent:* Thursday, May 26, 2016 2:11 AM
>>>> *To:* CAS Community <cas-...@apereo.org>
>>>> *Subject:* [cas-user] Cas-Service-Management-Overlay still not working (more info)
>>>>
>>>>  
>>>>
>>>> Hi,
>>>>
>>>>  
>>>>
>>>> I'm making a new post as I feel there maybe wasn't enough information 
>>>> in my last one for anyone to help me out.
>>>>
>>>>  
>>>>
>>>> I have downloaded the cas-overlay-template and 
>>>> cas-service-management-overlay (4.2.2), copied the correct files to 
>>>> /etc/cas/ and ran mvnw clean package on both of them with build success, so 
>>>> that all seems fine (both are deployed in Tomcat as ROOT.war and 
>>>> cas-services.war).
>>>>
>>>>  
>>>>
>>>> I can go to https://mycasdomain.com/ and it goes to the login page; I 
>>>> can then log in with casuser,Mellon and this works fine (I can also do 
>>>> RADIUS authentication).  My problem seems to be with 
>>>> cas-services-management: when I go to https://mycasdomain.com/cas-services/ 
>>>> (looking at the network tab in Chrome) I get redirected to manage.html, 
>>>> which redirects to the login page as expected with the URL 
>>>> 'https://mycasdomain/login?service=https%3A%2F%2Fmycasdomain%2Fcas-services%2Fcallback%3Fclient_name%3DCasClient'.
>>>> The page has the 'Services Management Web Application' box at the top, so I 
>>>> assume services are correctly set up.  I then log in with casuser,Mellon 
>>>> and get the 'The CAS management webapp is unavailable' screen.
>>>>
>>>>  
>>>>
>>>> The login page redirected me to 
>>>> 'https://mycasdomain.com/cas-services/callback?client_name=CasClient&ticket=ST-7-1df43YSsUctajcAt1miS-mycasdomain.com'
>>>> and gave an HTTP status 500.
>>>>
>>>> But looking through the logs I find that I get an HTTP status 403 just 
>>>> before I get the 500, on a different address, which is 
>>>> 'https://mycasdomain.com/p3/serviceValidate?ticket=ST-7-1df43YSsUctajcAt1miS-mycasdomain.com&service=https%3A%2F%2Fmycasdomain.com%2Fcas-services%2Fcallback%3Fclient_name%3DCasClient'.
>>>> If I put this address in my browser I get presented with
>>>>
>>>>  
>>>>
>>>>
>>>> ----------------------------------------------------------------------------------
>>>>
>>>>  
>>>>
>>>> <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
>>>>   <cas:authenticationSuccess>
>>>>     <cas:user>casuser</cas:user>
>>>>     <cas:attributes>
>>>>       <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
>>>>       <cas:isFromNewLogin>true</cas:isFromNewLogin>
>>>>       <cas:authenticationDate>2016-05-26T09:53:00.011+01:00</cas:authenticationDate>
>>>>     </cas:attributes>
>>>>   </cas:authenticationSuccess>
>>>> </cas:serviceResponse>
>>>>
>>>>  
>>>>
>>>>
>>>> ----------------------------------------------------------------------------------
>>>>
>>>>  
>>>>
>>>> I'll put snippets of the parts I have changed in cas.properties and 
>>>> cas-management.properties below.  *Can someone have a look through 
>>>> this and see if I am missing anything?*
>>>>
>>>>  
>>>>
>>>> *P.S. I also have my CAS server behind a load balancer, so it needs to 
>>>> go out of the network to https://mycasdomain.com/ and come back in through 
>>>> the load balancer to the CAS server. But I was thinking that if there were 
>>>> a problem with this, surely the normal CAS login wouldn't work?*
>>>>
>>>>  
>>>>
>>>> Thanks in advance,
>>>>
>>>> Conan
>>>>
>>>>  
>>>>
>>>>  
>>>>
>>>> ----------------------snippets and logs----------------------
>>>>
>>>>  
>>>>
>>>> server.name=https://mycasdomain.com
>>>> server.prefix=${server.name}
>>>>
>>>> # security configuration based on IP address to access the /status and /statistics pages
>>>> cas.securityContext.adminpages.ip=127\.0\.0\.1
>>>>
>>>> ##
>>>> # Unique CAS node name
>>>> # host.name is used to generate unique Service Ticket IDs and SAMLArtifacts.  This is usually set to the specific
>>>> # hostname of the machine running the CAS node, but it could be any label so long as it is unique in the cluster.
>>>> host.name=mycasdomain.com
>>>>
>>>> ----------------------
>>>>
>>>> # CAS
>>>> cas.host=https://mycasdomain.com
>>>> cas.prefix=${cas.host}
>>>> cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${cas.prefix}/login
>>>>
>>>> # Management
>>>> cas-management.host=${cas.host}
>>>> cas-management.prefix=${cas-management.host}/cas-services
>>>> cas-management.securityContext.serviceProperties.service=${cas-management.prefix}/callback
>>>>
>>>> # Security
>>>> cas-management.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
>>>> pac4j.callback.defaultUrl=/manage.html
>>>>
>>>> # views
>>>> cas-management.viewResolver.basename=default_views
>>>>
>>>> ##
>>>> # User details file location that contains list of users
>>>> # who are allowed access to the management webapp:
>>>> #
>>>> user.details.file.location = file:/etc/cas/user-details.properties
>>>>
>>>> ##
>>>> # JSON Service Registry
>>>> #
>>>> # Directory location where JSON service files may be found.
>>>> service.registry.config.location=file:/etc/cas/services
>>>>
>>>>  
>>>>
>>>> ----------------------
>>>>
>>>>  
>>>>
>>>> 2016-05-26 10:05:23,048 ERROR [org.jasig.cas.client.util.CommonUtils] - Server returned HTTP response code: 403 for URL: https://mycasdomain.com/p3/serviceValidate?ticket=ST-9-MbZeb0hglH5p4OW3HUAn-mycasdomain.com&service=https%3A%2F%2Fmycasdomain.com%2Fcas-services%2Fcallback%3Fclient_name%3DCasClient
>>>> java.io.IOException: Server returned HTTP response code: 403 for URL: https://mycasdomain.com/p3/serviceValidate?ticket=ST-9-MbZeb0hglH5p4OW3HUAn-mycasdomain.com&service=https%3A%2F%2Fmycasdomain.com%2Fcas-services%2Fcallback%3Fclient_name%3DCasClient
>>>>         at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840)
>>>>         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
>>>>         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
>>>>         at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:431)
>>>>         at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
>>>>         at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
>>>>         at org.pac4j.cas.client.CasClient.retrieveUserProfile(CasClient.java:321)
>>>>         at org.pac4j.cas.client.CasClient.retrieveUserProfile(CasClient.java:83)
>>>>         at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:99)
>>>>         at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:48)
>>>>         at org.pac4j.springframework.web.CallbackController.callback(CallbackController.java:81)
>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>>>         at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:222)
>>>>         at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:137)
>>>>         at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
>>>>         at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:814)
>>>>         at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:737)
>>>>         at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
>>>>         at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
>>>>         at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
>>>>         at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>>>         at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
>>>>         at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>         at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
>>>>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>         at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>>>         at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>         at org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>>>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>>>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>>>>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>>>>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>>>>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>>>>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>>>>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>>>>         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
>>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>         at java.lang.Thread.run(Thread.java:745)
>>>>
>>>>  
>>>>
>>>>  
>>>>
>>>>  
>>>>
>>>>  
>>>>
>>>> -- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to cas-user+u...@apereo.org.
>>>> To post to this group, send email to cas-...@apereo.org.
>>>> Visit this group at 
>>>> https://groups.google.com/a/apereo.org/group/cas-user/.
>>>> To view this discussion on the web visit 
>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/f4f814e4-0dac-4996-ab4d-ac795b3848aa%40apereo.org
>>>>  
>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/f4f814e4-0dac-4996-ab4d-ac795b3848aa%40apereo.org?utm_medium=email&utm_source=footer>
>>>> .
>>>> For more options, visit https://groups.google.com/a/apereo.org/d/optout
>>>> .
>>>>
>>>

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/46010e34-02e9-422e-baaf-784da7be8a4d%40apereo.org.