The process the client takes is:

1. User requests a page
2. In onRequestStart, Application.cfc asks the CAS client to validate the user using "validate"
3. In validate, the client checks if the user is already logged in or if the ST URL parameter exists
4a. If not logged in and no ST parameter is present, send the user to CAS to login
4b. If not logged in and ST parameter is present, run "serviceValidate" using the provided ST
4c. If logged in, immediately continue into the CF application
5a. If the ST is verified, it then sets the username attribute (effectively logging the user into the application)
5b. If the ST is not verified, username stays blank
6a. If username is still blank, send user back to CAS login
6b. If username is not blank, continue into the CF application
Steps 3, 4 and 6 take place in "validate". Step 5 takes place in "serviceValidate".

What I think is happening with your application is the loop is occurring after logging into CAS in this way: 1, 2, 3, 4b, 5b, 6a

And this loop would be happening if the client is unable to verify the ST with the CAS server. I'm hoping the response from the CAS server will shed light onto the cause of the failure to validate the ST.

Regards,
John

On Fri, May 22, 2009 at 15:21, Xuejin Ruan <[email protected]> wrote:
>
> Hi John,
>
> In my case it seems it never gets to serviceValidate. How to enable CAS server log to get more info about the communication between CAS server and Coldfusion Server?
>
> I've tested CAS integration with Java application, Acegi security, and Spring Security, they all seem to at least be working. But somehow I am stuck here trying to integrate CAS with our legacy Coldfusion apps.
>
> Thanks,
>
> Xuejin
>
>
> John Watson-13 wrote:
>>
>> Correct, but serviceValidate is what calls login when it was unable to verify the ST or extract a cas:user from the response (causing the loop).
>>
>> I'm hoping the response from the CAS server will shed some light on why it can't do one or the other.
>>
>> On Mon, May 18, 2009 at 16:17, Xuejin Ruan <[email protected]> wrote:
>>>
>>> Actually the endless loop comes before serviceValidate function was called.
>>> It seems it happens in the function "login". When I get to CAS login page, if I enter an incorrect credential, it correctly returns me the message "The credentials you provided cannot be determined to be authentic." But if I enter correct credential, then you will see from Tomcat console that it keeps generating tickets, until at last it says "Page not found" with the address bar showing the target page "http://dprg110.ad.co.pierce.wa.us:8500/casTesting/".
>>> (there were occasions I got a ticket appended at the end of the URL)
>>>
>>> <cffunction name="login" access="public" output="no" returntype="void" hint="Call CAS login page">
>>>   <cfargument name="forceRenew" required="no" type="boolean" default="false" hint="Force them to provide primary authentication" />
>>>   <cflocation url="#Variables.cas_server#login?service=#Variables.service##Iif(Variables.renew OR Arguments.forceRenew,DE('&renew=true'),DE(''))##Iif(Variables.gateway,DE('&gateway=true'),DE(''))#" addtoken="no" />
>>> </cffunction>
>>>
>>> I did try adding cfabort after </cfhttp>, it seems it never gets there.
>>>
>>> Thanks,
>>>
>>> Xuejin
>>>
>>>
>>> John Watson-13 wrote:
>>>>
>>>> Odd, please dump out the response that the CAS server returns.
>>>>
>>>> Add this: <cfdump var="#cfhttp.filecontent#" /><cfabort/>
>>>> after </cfhttp> in the "serviceValidate" function.
>>>>
>>>> It will dump out the raw cas response and stop processing.
>>>>
>>>> On Fri, May 15, 2009 at 12:11, Xuejin Ruan <[email protected]> wrote:
>>>>>
>>>>> Hi John,
>>>>>
>>>>> Thanks so much for your reply. After I used keytool to create the self-authored server certificate, I did import it to all my different server's keystore, including coldfusion's keystore (C:\ColdFusion8\runtime\jre\lib\security\caserts). So I am wondering why Coldfusion's JRun server does not trust it. Did you do extra configuration for jrun.xml to enable SSL for Coldfusion? I checked the log file of Tomcat, and Coldfusion, and couldn't find any hint why the infinite loop was there.
>>>>>
>>>>> The following is the error message I got from Firefox browser (by the way, it is not a cookie issue):
>>>>> Redirect Loop
>>>>> Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
>>>>> The browser has stopped trying to retrieve the requested item. The site is redirecting the request in a way that will never complete.
>>>>>   * Have you disabled or blocked cookies required by this site?
>>>>>   * NOTE: If accepting the site's cookies does not resolve the problem, it is likely a server configuration issue and not your computer.
>>>>>
>>>>> Thanks again for your time.
>>>>>
>>>>> Xuejin
>>>>>
>>>>>
>>>>>
>>>>> John Watson-13 wrote:
>>>>>>
>>>>>> Thank you for trying out the client.
>>>>>>
>>>>>> I think the problem you're running into is ColdFusion's JRun server does not trust your SSL cert that the tomcat server uses for CAS. So when ColdFusion tries to contact your CAS server it's not actually getting a response for CAS but rather an error about an invalid cert. So the client gets stuck in an infinite loop trying to send user to cas login, validate, fail validation, rinse and repeat.
>>>>>>
>>>>>> In my test environment I created my own CA and I import my CA's cert into all my different server's keystore so that any certs I sign are automatically trusted.
>>>>>> I run CentOS and used these instructions:
>>>>>> http://dev.antoinesolutions.com/openssl
>>>>>>
>>>>>> Then use: /opt/coldfusion8/runtime/jre/bin/keytool
>>>>>> To import the cert into: /opt/coldfusion8/runtime/jre/lib/security/cacerts
>>>>>> Detailed instructions:
>>>>>> http://www.coldfusionmuse.com/index.cfm/2005/1/29/keystore
>>>>>>
>>>>>> Hope that solves your problem,
>>>>>>
>>>>>> John
>>>>>>
>>>>>> On Wed, May 13, 2009 at 12:18, Xuejin Ruan <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi John,
>>>>>>>
>>>>>>> Thanks so much for sharing the Coldfusion CAS Client Component with the community.
>>>>>>> I am new to CAS, but would like to explore the potential of using CAS as an SSO solution to our portal (which has Coldfusion as well as Java applications). This morning I was playing with the CAS client you wrote, and encountered some problem. I am wondering whether you could shed some light on it.
>>>>>>>
>>>>>>> The following is my basic environment:
>>>>>>> CAS server: 3.3.2
>>>>>>> Coldfusion: 8
>>>>>>> Tomcat: 6.0.18
>>>>>>>
>>>>>>> I've downloaded cas server 3.3.2 and put the war file in Tomcat webapp directory. I also created a self-authored server certificate using Keytool. The CAS server is running fine. Then I downloaded the cas.cfc component and put it in folder C:\ColdFusion8\CustomTags. I have a very simple application casTesting, which only has one file: index.cfm (output HelloWorld). I downloaded Application.cfc and put it in the folder of casTesting. And I only made the following modification in Application.cfc:
>>>>>>> <cfset Variables.CAS_arguments = { cas_server = "https://<myServerName>:8443/cas",
>>>>>>>                                    service = "http://<myServerName>:8500/casTesting",
>>>>>>>                                    direct_forwarding = true } />
>>>>>>>
>>>>>>> Then I tried to run the application:
>>>>>>> http://<myServerName>:8500/casTesting
>>>>>>> It got redirected to the CAS login page. I typed login credentials, and after a long long while, it returned the following url:
>>>>>>> http://<myServerName>:8500/casTesting?ticket=ST-4024-Or6y4zgpleq6MtM93qxr-cas
>>>>>>>
>>>>>>> And the page says: Page not found, connection failure.
>>>>>>>
>>>>>>> On Tomcat console window, it seems it is running an endless loop issuing tickets for the application until it times out.
>>>>>>>
>>>>>>>
>>>>>>> If I tried page: http://<myServerName>:8500/casTesting without having Application.cfc in the folder, HelloWorld did get displayed correctly.
>>>>>>>
>>>>>>> Am I missing something in the configuration?
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> Xuejin
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> John Watson-13 wrote:
>>>>>>>>
>>>>>>>> I wrote a new ColdFusion CAS client in order to take advantage of Single Sign Out and Attribute releasing. Since I use an Application.cfc in my applications, I figured it was time for the existing client to be rewritten as a ColdFusion component (CFC) and now I'm ready to release it to the community.
>>>>>>>>
>>>>>>>> I hope to hear feedback from the community and improvements/bug fixes are very welcome.
>>>>>>>>
>>>>>>>> http://www.ja-sig.org/wiki/display/CASC/ColdFusion+CAS+Client+Component
>>>>>>>> John Watson
>>>>>>>> Jr. Web Developer
>>>>>>>> University of California, Merced
>>>>>>>>
>>>>>>>> --
>>>>>>>> You are currently subscribed to [email protected] as: [email protected]
>>>>>>>> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> View this message in context: http://www.nabble.com/New-ColdFusion-CAS-Client-tp23343215p23526600.html
>>>>>>> Sent from the CAS Users mailing list archive at Nabble.com.
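The thread hinges on what the client does with the serviceValidate response: when the HTTPS call to CAS fails (an untrusted certificate, in John's diagnosis), the body that comes back is an error string rather than CAS XML, so "no cas:user found" is indistinguishable from "ticket rejected" and the client redirects to login again, producing the redirect loop. The block below is an added example, not John's cas.cfc code and not ColdFusion: a Python rendering of steps 3 to 6 of the process John lists, with the response classification done explicitly. It assumes the CAS 2.0 protocol XML namespace (http://www.yale.edu/tp/cas); the sample responses, the username jdoe and the ticket value are constructed for the example. The one deliberate departure from the client's behaviour is that a ticket which fails validation produces an error instead of another redirect, so a misconfiguration surfaces as a readable failure rather than a browser-level "Redirect Loop".

```python
"""CAS 2.0 serviceValidate response handling, as a client should do it."""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace used by CAS 2.0 protocol XML


def _tag(name):
    """Return the namespaced tag name for a cas:* element."""
    return "{%s}%s" % (CAS_NS, name)


# --- Constructed sample responses (not captured from the servers in the thread) ---

SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-EXAMPLE-0000 not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# What the client actually receives when the HTTPS call to CAS fails (for
# example an untrusted certificate): an error string, not CAS XML at all.
TRANSPORT_ERROR_BODY = "Connection Failure: Status code unavailable"


def parse_service_validate(body):
    """Classify a serviceValidate response body.

    Returns (username, reason):
      ("jdoe", "ok")                   CAS confirmed the ticket
      (None, "failure:INVALID_TICKET") CAS rejected it and said why
      (None, "malformed")              body is not a cas:serviceResponse
    Keeping 'malformed' separate matters: a transport error looks like
    'no cas:user' to a client that only looks for the user element, so it
    gets treated as a failed login and the user is redirected again.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, "malformed"
    if root.tag != _tag("serviceResponse"):
        return None, "malformed"
    user = root.find("%s/%s" % (_tag("authenticationSuccess"), _tag("user")))
    if user is not None and (user.text or "").strip():
        return user.text.strip(), "ok"
    failure = root.find(_tag("authenticationFailure"))
    if failure is not None:
        return None, "failure:%s" % failure.get("code", "UNKNOWN")
    return None, "malformed"


def next_action(logged_in, ticket, response_body=None):
    """Decision tree of the client's validate(), steps 3 to 6 in the thread,
    with one defensive change: when a ticket was presented but did not
    validate (step 5b), stop and report instead of redirecting to login
    (step 6a). Redirecting again is what turns a bad validation into the
    browser's 'Redirect Loop'.

    Returns (action, detail) where action is 'continue', 'redirect_login'
    or 'error'.
    """
    if logged_in:                       # 4c: session already established
        return "continue", None
    if ticket is None:                  # 4a: first visit, go get a ticket
        return "redirect_login", None
    # 4b: a ticket arrived; response_body stands for the body of the
    # serviceValidate call made with that ticket.
    username, reason = parse_service_validate(response_body or "")
    if username:                        # 5a / 6b: log the user in
        return "continue", username
    return "error", reason              # 5b: report, do not loop to login


if __name__ == "__main__":
    for body in (SUCCESS_RESPONSE, FAILURE_RESPONSE, TRANSPORT_ERROR_BODY):
        print(next_action(False, "ST-EXAMPLE-0000", body))
```

Run stand-alone, the three sample bodies produce a login for jdoe, an error naming INVALID_TICKET, and an error of "malformed" for the transport failure; the last case is the one that, in the client as shipped, would have sent the browser straight back to the CAS login page. The same check applies to the cfdump John suggests: if the dumped cfhttp.filecontent is not a cas:serviceResponse document, the problem is between ColdFusion and CAS (trust store, URL, connectivity), not in the ticket.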
