Scott, thank you for the hint.
I have debugged the code, and it seems that serverA's certificate is OK.

When I access the URL "http://serverA:8080/appA/serviceA", the log is
as listed below.

1. Enter into AuthenticationFilter
serviceUrl:http://serverA:8080/appA/serviceA
assertion:null
ticket:null
redirecting to
https://serverA:8443/cas/login?service=http%3A%2F%2FserverA%3A8080%2FappA%2FserviceA
2009-10-07 16:17:11,493 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
<AuthenticationHandler:
org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler
successfully authenticated the user which provided the following
credentials: [username: admin]>
2009-10-07 16:17:11,493 INFO
[org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket
[ST-11-luecr2dLyBYYJFy6Sx4x-cas] for service [
http://serverA:8080/appA/serviceA] for user [admin]>

//after the CAS login, redirect to
//http://serverA:8080/appA/serviceA with ticket
2. Enter into AuthenticationFilter
serviceUrl:http://serverA:8080/appA/serviceA
assertion:null
ticket:ST-11-luecr2dLyBYYJFy6Sx4x-cas

3. Enter into Cas20ProxyReceivingTicketValidationFilter

//then the validation is done in the CAS server.
//the callbackUrl was called two times, as can be seen in 3.1 and 3.3

//the callbackUrl was called first without pgtIou and pgtId
3.1  Enter into AuthenticationFilter
serviceUrl:http://serverA:8080/appA/proxy/test.jsp
assertion:null
ticket:null
redirecting to
https://serverA:8443/cas/login?service=http%3A%2F%2FserverA%3A8080%2FappA%2Fproxy%2Ftest.jsp

//because the correct response code was returned, CAS server validation
//is continued.
3.2. 2009-10-07 16:17:11,524 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
<AuthenticationHandler:
org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler
successfully authenticated the user which provided the following
credentials: [callbackUrl: https://serverA:8443/appA/proxy/test.jsp]>

//the callbackUrl was called a second time, with pgtIou and pgtId
3.3 Enter AuthenticationFilter
serviceUrl:
http://serverA:8080/appA/proxy/test.jsp?pgtIou=PGTIOU-8-NZZ9lyLmJQLxlBFixCOP-cas&pgtId=TGT-21-SviqU6egP6dQbVHUHhsoXTanfJ3K1U71fjtFfwyEXbgRJHXclp-cas
assertion:null
ticket:null
redirecting to
https://serverA:8443/cas/login?service=http%3A%2F%2FserverA%3A8080%2FappA%2Fproxy%2Ftest.jsp%3FpgtIou%3DPGTIOU-8-NZZ9lyLmJQLxlBFixCOP-cas%26pgtId%3DTGT-21-SviqU6egP6dQbVHUHhsoXTanfJ3K1U71fjtFfwyEXbgRJHXclp-cas

//return to CAS client validation
4. 2009/10/07 16:17:15
org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl retrieve
INFO: No Proxy Ticket found for PGTIOU-8-NZZ9lyLmJQLxlBFixCOP-cas

//after the successful validation, redirect to
//http://serverA:8080/appA/serviceA
5. Enter AuthenticationFilter
serviceUrl:http://serverA:8080/appA/serviceA
assertion:org.apache.catalina.session.standardsessionfac...@afc7a9
Enter into Cas20ProxyReceivingTicketValidationFilter
RequestUri:/appA/serviceA

//because serviceA has been logged in, serviceA can now be executed
6. Enter serviceA
AssertionHolder.getAssertion().getPrincipal().getProxyTicketFor("http://serverB:8080/appB/serviceB") is null.
Can't get the ticket.
.....

The problem is that when executing the "redirecting to
https://serverA:8443/cas/login?service=http%3A%2F%2FserverA%3A8080%2FappA%2Fproxy%2Ftest.jsp%3FpgtIou%3DPGTIOU-8-NZZ9lyLmJQLxlBFixCOP-cas%26pgtId%3DTGT-21-SviqU6egP6dQbVHUHhsoXTanfJ3K1U71fjtFfwyEXbgRJHXclp-cas
"
(as we can see in 3.3), the CAS server does not return and re-enter the CAS
client validation filter, which would set the proxyGrantingTicketIou and
proxyGrantingTicket locally.

It seems that when the "callbackUrl" is called by the CAS server, it just enters
the AuthenticationFilter and can't enter the CAS client validation filter.

Why does this happen? Could you give me a hint for that?
Thank you very much.

Your friend
----
kevin



2009/10/7 Scott Battaglia <[email protected]>

> On Tue, Oct 6, 2009 at 10:55 PM, kevin kevin <[email protected]> wrote:
>
>> Scott, thank you very much!
>>
>> >You need both the receptor and the callback in A.
>> Does this mean I could modify the web.xml in A as below and do
>> nothing to the web.xml in B?
>> web.xml in A:<snip />
>>
>> By the way, must the suffix of "proxyCallbackUrl" match the
>> "proxyReceptorUrl"?
>>
>
> Yes it should.
>
>
>>
>>
>>
>>
>> >Then you'll need to call the API to get the ticket.
>> Before I call serviceB from A, I must add the pt to the URL of
>> serviceB, is that right?
>>
>> String pt =
>> AssertionHolder.getAssertion().getPrincipal().getProxyTicketFor("http://serverB:8080/appB/serviceB");
>>
>> URL urlB = new URL("http://serverB:8080/appB/serviceB?pt=" + pt);
>>
>
> You should be passing it as "ticket".
>
>> ....
>>
>> But when I access "http://serverA:8080/appA/serviceA",
>> the CAS login comes first, then service A runs and still can't get
>> serviceB.
>>
>> In the log I can see that the value of "pt" is null and "No Proxy Ticket
>> found for PGTIOU-7-hkxtdSxngYiu6RxkbVLP-cas" was output.
>>
>
> That means the ticket was not sent back.  Check your CAS server logs to
> find out why.  The most likely reason is that it didn't like serverA's
> certificate when it did the callback.
>
> Cheers,
> Scott
>
>
>
>>
>>
>> thanks again.
>>
>> yours
>> -------
>> kevin
>>
>>
>> 2009/10/7 Scott Battaglia <[email protected]>
>>
>>> You need both the receptor and the callback in A.
>>>
>>> Then you'll need to call the API to get the ticket.
>>>
>>> Cheers,
>>> Scott
>>>
>>>
>>> On Tue, Oct 6, 2009 at 9:46 PM, kevin kevin <[email protected]> wrote:
>>>
>>>> Hi all,
>>>> I'm a newbie and puzzled by the CAS proxy.
>>>> The CAS server: cas-server-3.3.3
>>>> The CAS client: cas-client-3.1.8
>>>>
>>>> The application flow is as below.
>>>> Browser -> the service of Web application A -> the service of Web
>>>> application B
>>>>
>>>> Both Web applications "A" and "B" are protected by CAS.
>>>>
>>>> The user accesses the service of Web application A using a browser.
>>>> The service of "A" needs to access the service of "B" to get the
>>>> data.
>>>>
>>>> For example:
>>>> access the URL "http://serverA:8080/appA/serviceA",
>>>> then serviceA gets the data from serviceB
>>>> (http://serverB:8080/appB/serviceB).
>>>> serviceA is a servlet and accesses service B in the servlet like this:
>>>> ....
>>>> URL urlB = new URL("http://serverB:8080/appB/serviceB");
>>>>
>>>> // then read the data from the stream
>>>> BufferedReader br = new BufferedReader(
>>>>     new InputStreamReader(urlB.openStream(), "UTF-8"));
>>>> ...
>>>>
>>>> So I think that I need the CAS proxy to correctly get the data from "B"
>>>> in the service of "A".
>>>>
>>>> The problem is that I don't clearly know how to configure the web.xml
>>>> in "A" and "B".
>>>>
>>>> I just put the property "proxyCallbackUrl" in "B" and put the
>>>> property "proxyReceptorUrl" in "A".
>>>> The value of "proxyCallbackUrl" is
>>>> "https://serverA:8443/appA/proxy/test.jsp" and it exists in "A".
>>>> The "test.jsp" is just an existing file that does nothing.
>>>>
>>>> With that configuration, it doesn't seem to work for me when accessing
>>>> serviceA, and I can't get the data from serviceB.
>>>> I think the main difference is in the configuration of the CAS Validation
>>>> Filter, so I list that segment of the web.xml.
>>>> Is it right for the CAS proxy? What's the difference between "A" and "B"
>>>> when I use the CAS proxy?
>>>> the web.xml of Web application "A":
>>>>
>>>>     <filter>
>>>>       <filter-name>CAS Validation Filter</filter-name>
>>>>       <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
>>>>       <init-param>
>>>>         <param-name>casServerUrlPrefix</param-name>
>>>>         <param-value>https://casserver:8443/cas</param-value>
>>>>       </init-param>
>>>>       <init-param>
>>>>         <param-name>serverName</param-name>
>>>>         <param-value>http://serverA:8080</param-value>
>>>>       </init-param>
>>>>       <init-param>
>>>>         <param-name>proxyReceptorUrl</param-name>
>>>>         <param-value>/proxy/test.jsp</param-value>
>>>>       </init-param>
>>>>     </filter>
>>>>
>>>>
>>>> the web.xml of Web application "B":
>>>>     <filter>
>>>>       <filter-name>CAS Validation Filter</filter-name>
>>>>       <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
>>>>       <init-param>
>>>>         <param-name>casServerUrlPrefix</param-name>
>>>>         <param-value>https://casserver:8443/cas</param-value>
>>>>       </init-param>
>>>>       <init-param>
>>>>         <param-name>serverName</param-name>
>>>>         <param-value>http://serverB:8080</param-value>
>>>>       </init-param>
>>>>       <init-param>
>>>>         <param-name>acceptAnyProxy</param-name>
>>>>         <param-value>true</param-value>
>>>>       </init-param>
>>>>       <init-param>
>>>>         <param-name>proxyCallbackUrl</param-name>
>>>>         <param-value>https://serverA:8443/appA/proxy/test.jsp</param-value>
>>>>       </init-param>
>>>>     </filter>
>>>>
>>>>
>>>> Thanks in advance
>>>>
>>>> ----
>>>> kevin
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> You are currently subscribed to [email protected] as: 
>>>> [email protected]
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> To unsubscribe, change settings or access archives, see 
>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>>
>>>>
>
>
