Phil Ames wrote:
Hi Patrick,
If you look at the "Validation Response" in the debug logs, you will
see that mod_auth_cas received this from the server:
HTTP/1.1 200 OK
[...]
yes
pln
mod_auth_cas by default uses CASVersion 2. This version of the CAS
protocol sends ticket validation responses as an XML message. The
response you are receiving looks like a CAS version 1 response. It
may be that you have pointed the CASValidateURL to the CAS v1
validation URL. The 2 possible fixes are to correct the
CASValidateURL or to set the directive CASVersion 1 in your
mod_auth_cas configuration.
Hope this helps,
-Phil
Thanks. I changed to CASVersion 1. Now I get a Redirect Loop
according to Firefox. The error log and access log results are
below. Could this be related to the fact that my web server
has multiple names? It is glast2.stanford.edu, glast.stanford.edu
and www-glast.stanford.edu.
[Thu Mar 19 11:11:36 2009] [debug] mod_auth_cas.c(851): [client
171.64.108.17] Insufficient time elapsed since last cache clean
[Thu Mar 19 11:11:36 2009] [debug] mod_auth_cas.c(994): [client
171.64.108.17] Cookie '2ba7d38cc0a45d62cd0a16ffa88ea7e5' created for
user 'pln'
[Thu Mar 19 11:11:36 2009] [debug] mod_auth_cas.c(363): [client
171.64.108.17] Determining CAS scope (path: /, CASScope: (null),
CASRenew: (null), CASGateway: (null))
[Thu Mar 19 11:11:36 2009] [debug] mod_auth_cas.c(643): [client
171.64.108.17] Adding outgoing header: Set-Cookie:
MOD_AUTH_CAS=2ba7d38cc0a45d62cd0a16ffa88ea7e5;Path=/
[Thu Mar 19 11:11:36 2009] [debug] mod_auth_cas.c(481): [client
171.64.108.17] CAS Service 'http%3a%2f%2fglast2.stanford.edu%2fCAS'
[Thu Mar 19 11:11:36 2009] [debug] mod_auth_cas.c(506): [client
171.64.108.17] Adding outgoing header: Location:
https://glast-ground.slac.stanford.edu/cas/login?service=http%3a%2f%2fglast2.stanford.edu%2fCAS
[Thu Mar 19 11:11:36 2009] [debug] mod_auth_cas.c(550): [client
171.64.108.17] Modified r->args (old
'ticket=ST-2249-RyvchBENq3HPHMPNELpD', new '')
[Thu Mar 19 11:11:36 2009] [debug] mod_auth_cas.c(481): [client
171.64.108.17] CAS Service 'http%3a%2f%2fglast2.stanford.edu%2fCAS'
[Thu Mar 19 11:11:36 2009] [debug] mod_auth_cas.c(1450): [client
171.64.108.17] Validation request: GET
/cas/validate?service=http%3a%2f%2fglast2.stanford.edu%2fCAS&ticket=ST-2249-RyvchBENq3HPHMPNELpD
HTTP/1.1\nHost: glast-ground.slac.stanford.edu\nConnection: close\n\n
[Thu Mar 19 11:11:36 2009] [debug] mod_auth_cas.c(1458): [client
171.64.108.17] Request successfully transmitted
[Thu Mar 19 11:11:36 2009] [debug] mod_auth_cas.c(1466): [client
171.64.108.17] Received 338 bytes of response
[Thu Mar 19 11:11:36 2009] [debug] mod_auth_cas.c(1466): [client
171.64.108.17] Received 8 bytes of response
[Thu Mar 19 11:11:36 2009] [debug] mod_auth_cas.c(1466): [client
171.64.108.17] Received 0 bytes of response
[Thu Mar 19 11:11:36 2009] [debug] mod_auth_cas.c(1472): [client
171.64.108.17] Validation response: HTTP/1.1 200 OK\r\nConnection:
close\r\nDate: Thu, 19 Mar 2009 18:11:36 GMT\r\nServer:
Microsoft-IIS/6.0\r\nMicrosoftOfficeWebServer: 5.0_Pub\r\nX-Powered-By:
ASP.NET\r\nPragma: No-cache\r\nCache-Control: no-cache\r\nExpires: Wed,
31 Dec 1969 16:00:00 PST\r\nSet-Cookie:
JSESSIONID=1EE90136D0D96359119D68EC0C009DDA; Path=/cas;
Secure\r\nContent-Length: 8\r\n\r\nyes\npln\n
[Thu Mar 19 11:11:36 2009] [debug] mod_auth_cas.c(851): [client
171.64.108.17] Insufficient time elapsed since last cache clean
[Thu Mar 19 11:11:36 2009] [debug] mod_auth_cas.c(994): [client
171.64.108.17] Cookie '289b076032f7b96be68db8164b1589b6' created for
user 'pln'
[Thu Mar 19 11:11:36 2009] [debug] mod_auth_cas.c(363): [client
171.64.108.17] Determining CAS scope (path: /, CASScope: (null),
CASRenew: (null), CASGateway: (null))
[Thu Mar 19 11:11:36 2009] [debug] mod_auth_cas.c(643): [client
171.64.108.17] Adding outgoing header: Set-Cookie:
MOD_AUTH_CAS=289b076032f7b96be68db8164b1589b6;Path=/
[Thu Mar 19 11:11:37 2009] [debug] mod_auth_cas.c(481): [client
171.64.108.17] CAS Service 'http%3a%2f%2fglast2.stanford.edu%2fCAS'
[Thu Mar 19 11:11:37 2009] [debug] mod_auth_cas.c(506): [client
171.64.108.17] Adding outgoing header: Location:
https://glast-ground.slac.stanford.edu/cas/login?service=http%3a%2f%2fglast2.stanford.edu%2fCAS
gamera.stanford.edu - - [19/Mar/2009:11:11:31 -0700] "GET /CAS HTTP/1.1"
302 279 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7)
Gecko/2009021910 Firefox/3.0.7"
gamera.stanford.edu - pln [19/Mar/2009:11:11:35 -0700] "GET
/CAS?ticket=ST-2243-Xqk4Nhhaq2WkuuWtiPqj HTTP/1.1" 302 217 "-"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7)
Gecko/2009021910 Firefox/3.0.7"
gamera.stanford.edu - - [19/Mar/2009:11:11:35 -0700] "GET /CAS HTTP/1.1"
302 279 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7)
Gecko/2009021910 Firefox/3.0.7"
gamera.stanford.edu - pln [19/Mar/2009:11:11:35 -0700] "GET
/CAS?ticket=ST-2244-R6EXMFNEasrKYgEe7YHW HTTP/1.1" 302 217 "-"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7)
Gecko/2009021910 Firefox/3.0.7"
gamera.stanford.edu - - [19/Mar/2009:11:11:35 -0700] "GET /CAS HTTP/1.1"
302 279 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7)
Gecko/2009021910 Firefox/3.0.7"
gamera.stanford.edu - pln [19/Mar/2009:11:11:35 -0700] "GET
/CAS?ticket=ST-2245-T57XbUFXE1w5VSnZG8hB HTTP/1.1" 302 217 "-"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7)
Gecko/2009021910 Firefox/3.0.7"
gamera.stanford.edu - - [19/Mar/2009:11:11:36 -0700] "GET /CAS HTTP/1.1"
302 279 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7)
Gecko/2009021910 Firefox/3.0.7"
gamera.stanford.edu - pln [19/Mar/2009:11:11:36 -0700] "GET
/CAS?ticket=ST-2246-MoJfnIqkJ2F07orRX2AY HTTP/1.1" 302 217 "-"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7)
Gecko/2009021910 Firefox/3.0.7"
gamera.stanford.edu - - [19/Mar/2009:11:11:36 -0700] "GET /CAS HTTP/1.1"
302 279 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7)
Gecko/2009021910 Firefox/3.0.7"
gamera.stanford.edu - pln [19/Mar/2009:11:11:36 -0700] "GET
/CAS?ticket=ST-2247-P8ZwzD4kRrXklS7EWnkQ HTTP/1.1" 302 217 "-"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7)
Gecko/2009021910 Firefox/3.0.7"
gamera.stanford.edu - - [19/Mar/2009:11:11:36 -0700] "GET /CAS HTTP/1.1"
302 279 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7)
Gecko/2009021910 Firefox/3.0.7"
gamera.stanford.edu - pln [19/Mar/2009:11:11:36 -0700] "GET
/CAS?ticket=ST-2248-Saf0uslViAtzotRDYcB8 HTTP/1.1" 302 217 "-"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7)
Gecko/2009021910 Firefox/3.0.7"
gamera.stanford.edu - - [19/Mar/2009:11:11:36 -0700] "GET /CAS HTTP/1.1"
302 279 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7)
Gecko/2009021910 Firefox/3.0.7"
gamera.stanford.edu - pln [19/Mar/2009:11:11:36 -0700] "GET
/CAS?ticket=ST-2249-RyvchBENq3HPHMPNELpD HTTP/1.1" 302 217 "-"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7)
Gecko/2009021910 Firefox/3.0.7"
gamera.stanford.edu - - [19/Mar/2009:11:11:37 -0700] "GET /CAS HTTP/1.1"
302 279 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7)
Gecko/2009021910 Firefox/3.0.7"
On Thu, Mar 19, 2009 at 1:34 PM, Patrick Nolan
<[email protected]> wrote:
I first heard of CAS two days ago and decided to try it out.
I'm working with a guy who has a CAS version 2 server.
My web server is Apache 2.2.3 on a clone of Red Hat Enterprise 5.
I found an RPM for mod_auth_cas 1.0.7 and installed it with no
problem. I made a minimal setup: I set CASLoginURL, CASValidateURL
and CASDebug on. Everything else was left alone. I made a directory
and put the directives
AuthName "CAS"
AuthType CAS
require valid-user
in its configuration.
When I direct my browser to that directory, it is redirected to the
CAS server's login page. After entering my username and password,
I am sent back to my destination, with
?ticket=ST-2217-Bj9j9WvqzXqa2arzgZE5 appended to the URL. So far
this looks good.
Unfortunately the result is a 401 error, "Authorization Required".
I boosted Apache's LogLevel to "debug" and got this:
[Thu Mar 19 10:27:42 2009] [debug] mod_auth_cas.c(481): [client
171.64.108.17] CAS Service 'http%3a%2f%2fglast2.stanford.edu%2fCAS'
[Thu Mar 19 10:27:42 2009] [debug] mod_auth_cas.c(506): [client
171.64.108.17] Adding outgoing header: Location:
https://glast-ground.slac.stanford.edu/cas/login?service=http%3a%2f%2fglast2.stanford.edu%2fCAS
[Thu Mar 19 10:27:46 2009] [debug] mod_auth_cas.c(550): [client
171.64.108.17] Modified r->args (old 'ticket=ST-2217-Bj9j9WvqzXqa2arzgZE5',
new '')
[Thu Mar 19 10:27:46 2009] [debug] mod_auth_cas.c(481): [client
171.64.108.17] CAS Service 'http%3a%2f%2fglast2.stanford.edu%2fCAS'
[Thu Mar 19 10:27:46 2009] [debug] mod_auth_cas.c(1450): [client
171.64.108.17] Validation request: GET
/cas/validate?service=http%3a%2f%2fglast2.stanford.edu%2fCAS&ticket=ST-2217-Bj9j9WvqzXqa2arzgZE5
HTTP/1.1\nHost: glast-ground.slac.stanford.edu\nConnection: close\n\n
[Thu Mar 19 10:27:46 2009] [debug] mod_auth_cas.c(1458): [client
171.64.108.17] Request successfully transmitted
[Thu Mar 19 10:27:46 2009] [debug] mod_auth_cas.c(1466): [client
171.64.108.17] Received 338 bytes of response
[Thu Mar 19 10:27:46 2009] [debug] mod_auth_cas.c(1466): [client
171.64.108.17] Received 8 bytes of response
[Thu Mar 19 10:27:46 2009] [debug] mod_auth_cas.c(1466): [client
171.64.108.17] Received 0 bytes of response
[Thu Mar 19 10:27:46 2009] [debug] mod_auth_cas.c(1472): [client
171.64.108.17] Validation response: HTTP/1.1 200 OK\r\nConnection:
close\r\nDate: Thu, 19 Mar 2009 17:27:48 GMT\r\nServer:
Microsoft-IIS/6.0\r\nMicrosoftOfficeWebServer: 5.0_Pub\r\nX-Powered-By:
ASP.NET\r\nPragma: No-cache\r\nCache-Control: no-cache\r\nExpires: Wed, 31
Dec 1969 16:00:00 PST\r\nSet-Cookie:
JSESSIONID=01AB1BEEA7485E5B91470B7F7B5FB056; Path=/cas;
Secure\r\nContent-Length: 8\r\n\r\nyes\npln\n
[Thu Mar 19 10:27:46 2009] [error] [client 171.64.108.17] MOD_AUTH_CAS:
error parsing CASv2 response: XML parser error code: syntax error (2)
I don't have a clue how to proceed.
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
