>>Make sure not to apply the authentication filter to the proxy endpoint.
Thanks for your help, Scott.
I have put the callbackurl before the authentication filter and the CAS
Proxy seems to be working for me.
Thanks again.
The filter mappings now look like this in serverA:
<!-- the callbackurl must not go through the authentication filter -->
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/proxy/test.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

2009/10/8 Scott Battaglia <[email protected]>
> Make sure not to apply the authentication filter to the proxy endpoint.
> You could also try putting the validation filter first. I haven't tried
> that so I haven't really thought through on whether there are security
> ramifications to that.
>
>
>
> On Wed, Oct 7, 2009 at 4:39 AM, kevin kevin <[email protected]> wrote:
>
>> Scott, thank you for the hint.
>> I have debugged the code; it seems serverA's certificate is OK.
>>
>> When I access the URL "http://serverA:8080/appA/serviceA", the log looks
>> like the listing below.
>>
>> 1. Enter into AuthenticationFilter
>> serviceUrl:http://serverA:8080/appA/serviceA
>> assertion:null
>> ticket:null
>> redirecting to
>> https://serverA:8443/cas/login?service=http%3A%2F%2FserverA%3A8080%2FappA%2FserviceA
>> 2009-10-07 16:17:11,493 INFO
>> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
>> <AuthenticationHandler:
>> org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler
>> successfully authenticated the user which provided the following
>> credentials: [username: admin]>
>> 2009-10-07 16:17:11,493 INFO
>> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket
>> [ST-11-luecr2dLyBYYJFy6Sx4x-cas] for service [
>> http://serverA:8080/appA/serviceA] for user [admin]>
>>
>> // after the CAS login, redirect to http://serverA:8080/appA/serviceA with
>> the ticket
>> 2. Enter into AuthenticationFilter
>> serviceUrl:http://serverA:8080/appA/serviceA
>> assertion:null
>> ticket:ST-11-luecr2dLyBYYJFy6Sx4x-cas
>>
>> 3 Enter into Cas20ProxyReceivingTicketValidationFilter
>>
>> // then do the validation in the CAS server.
>> // the callbackUrl was called two times, as can be seen in 3.1 and 3.3
>>
>> // the callbackUrl was called first without pgtIou and pgtId
>> 3.1 Enter into AuthenticationFilter
>> serviceUrl:http://serverA:8080/appA/proxy/test.jsp
>> assertion:null
>> ticket:null
>> redirecting to
>> https://serverA:8443/cas/login?service=http%3A%2F%2FserverA%3A8080%2FappA%2Fproxy%2Ftest.jsp
>>
>> // because the correct response code was returned, CAS server
>> validation continued.
>> 3.2. 2009-10-07 16:17:11,524 INFO
>> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
>> <AuthenticationHandler:
>> org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler
>> successfully authenticated the user which provided the following
>> credentials: [callbackUrl: https://serverA:8443/appA/proxy/test.jsp]>
>>
>> //the callbackUrl was called second with pgtIou and pgtId
>> 3.3 Enter AuthenticationFilter
>> serviceUrl:
>> http://serverA:8080/appA/proxy/test.jsp?pgtIou=PGTIOU-8-NZZ9lyLmJQLxlBFixCOP-cas&pgtId=TGT-21-SviqU6egP6dQbVHUHhsoXTanfJ3K1U71fjtFfwyEXbgRJHXclp-cas
>> assertion:null
>> ticket:null
>> redirecting to
>> https://serverA:8443/cas/login?service=http%3A%2F%2FserverA%3A8080%2FappA%2Fproxy%2Ftest.jsp%3FpgtIou%3DPGTIOU-8-NZZ9lyLmJQLxlBFixCOP-cas%26pgtId%3DTGT-21-SviqU6egP6dQbVHUHhsoXTanfJ3K1U71fjtFfwyEXbgRJHXclp-cas
>>
>> //return to cas client validate
>> 4. 2009/10/07 16:17:15
>> org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl retrieve
>> INFO: No Proxy Ticket found for PGTIOU-8-NZZ9lyLmJQLxlBFixCOP-cas
>>
>> // after the successful validation, redirect to
>> http://serverA:8080/appA/serviceA
>> 5.Enter AuthenticationFilter
>> serviceUrl:http://serverA:8080/appA/serviceA
>> assertion:org.apache.catalina.session.standardsessionfac...@afc7a9
>> Enter into Cas20ProxyReceivingTicketValidationFilter
>> RequestUri:/appA/serviceA
>>
>> // because serviceA has been logged in, serviceA can now be executed
>> 6. Enter serviceA
>> AssertionHolder.getAssertion().getPrincipal().getProxyTicketFor("http://serverB:8080/appB/serviceB") is null.
>> Can't get the ticket.
>> .....
>>
>> The problem is that when executing the "redirecting to
>> https://serverA:8443/cas/login?service=http%3A%2F%2FserverA%3A8080%2FappA%2Fproxy%2Ftest.jsp%3FpgtIou%3DPGTIOU-8-NZZ9lyLmJQLxlBFixCOP-cas%26pgtId%3DTGT-21-SviqU6egP6dQbVHUHhsoXTanfJ3K1U71fjtFfwyEXbgRJHXclp-cas
>> "
>> (we can see it in 3.3), the CAS server does not return and re-enter the CAS
>> client validation filter, which would set the proxyGrantingTicketIou and
>> proxyGrantingTicket locally.
>>
>> It seems that when the CAS server calls the "callbackUrl", it just enters
>> AuthenticationFilter and can't enter the CAS client validation filter.
>>
>> Why does this happen? Could you give me a hint for that?
>> Thank you very much.
>>
>> your friend
>>
>> ----
>> kevin
>>
>>
>>
>> 2009/10/7 Scott Battaglia <[email protected]>
>>
>>> On Tue, Oct 6, 2009 at 10:55 PM, kevin kevin <[email protected]> wrote:
>>>
>>>> Scott, thank you very much!
>>>>
>>>> >You need both the receptor and the callback in A.
>>>> Does that mean I could modify the web.xml in A as below and do
>>>> nothing to the web.xml in B?
>>>> web.xml in A:<snip />
>>>>
>>>> By the way, must the suffix of "proxyCallbackUrl" match the
>>>> "proxyReceptorUrl"?
>>>>
>>>
>>> Yes it should.
>>>
>>>
>>>>
>>>>
>>>>
>>>>
>>>> >Then you'll need to call the API to get the ticket.
>>>> Before I call serviceB from A, I must add the pt to the URL of
>>>> serviceB, is that right?
>>>>
>>>> String pt = AssertionHolder.getAssertion().getPrincipal().getProxyTicketFor("http://serverB:8080/appB/serviceB");
>>>>
>>>> URL urlB = new URL("http://serverB:8080/appB/serviceB?pt=" + pt);
>>>>
>>>
>>> You should be passing it as "ticket".
>>>
>>>> ....
>>>>
>>>> But when I access "http://serverA:8080/appA/serviceA",
>>>> the CAS login happens first, then service A runs and still can't get
>>>> serviceB.
>>>>
>>>> In the log I can see that the value of "pt" is null and "No Proxy Ticket
>>>> found for PGTIOU-7-hkxtdSxngYiu6RxkbVLP-cas" was output.
>>>>
>>>
>>> That means the ticket was not sent back. Check your CAS server logs to
>>> find out why. The most likely reason is that it didn't like serverA's
>>> certificate when it did the callback.
>>>
>>> Cheers,
>>> Scott
>>>
>>>
>>>
>>>>
>>>>
>>>> thanks again.
>>>>
>>>> yours
>>>> -------
>>>> kevin
>>>>
>>>>
>>>> 2009/10/7 Scott Battaglia <[email protected]>
>>>>
>>>>> You need both the receptor and the callback in A.
>>>>>
>>>>> Then you'll need to call the API to get the ticket.
>>>>>
>>>>> Cheers,
>>>>> Scott
>>>>>
>>>>>
>>>>> On Tue, Oct 6, 2009 at 9:46 PM, kevin kevin <[email protected]> wrote:
>>>>>
>>>>>> Hi, all
>>>>>> I'm a newbie and puzzled by the CAS proxy.
>>>>>> The CAS server: cas-server-3.3.3
>>>>>> The CAS client: cas-client-3.1.8
>>>>>>
>>>>>> The application flow is as below.
>>>>>> Browser -> the service of Web application A -> the service of Web
>>>>>> application B
>>>>>>
>>>>>> Both Web applications "A" and "B" are protected by CAS.
>>>>>>
>>>>>> The user accesses the service of Web application A with a browser.
>>>>>> The service of "A" needs to access the service of "B" to get the
>>>>>> data.
>>>>>>
>>>>>> For example:
>>>>>> access the URL "http://serverA:8080/appA/serviceA",
>>>>>> then serviceA gets the data from serviceB
>>>>>> (http://serverB:8080/appB/serviceB).
>>>>>> serviceA is a servlet and calls service B in the servlet like this:
>>>>>> ....
>>>>>> URL urlB = new URL("http://serverB:8080/appB/serviceB");
>>>>>>
>>>>>> // then read the data from the stream
>>>>>> BufferedReader br = new BufferedReader(
>>>>>>     new InputStreamReader(urlB.openStream(), "UTF-8"));
>>>>>> ...
>>>>>>
>>>>>> So I think that I need the CAS Proxy to correctly get the data from
>>>>>> "B" in the service of "A".
>>>>>>
>>>>>> The problem is that I don't clearly know how to configure the web.xml
>>>>>> in "A" and "B".
>>>>>>
>>>>>> I just put the property "proxyCallbackUrl" in "B" and put the
>>>>>> property "proxyReceptorUrl" in "A".
>>>>>> The value of "proxyCallbackUrl" is
>>>>>> "https://serverA:8443/appA/proxy/test.jsp" and it exists in "A".
>>>>>> The "test.jsp" is just an existing file and does nothing.
>>>>>>
>>>>>> I configured that, but it doesn't seem to work for me: when accessing
>>>>>> serviceA, it can't get the data from serviceB.
>>>>>> I think the main difference is in the configuration of the CAS Validation
>>>>>> Filter, so I list the segment of web.xml.
>>>>>> Is it right for CAS proxy? What's the difference between "A" and "B"
>>>>>> when I use the CAS Proxy?
>>>>>>
>>>>>> The web.xml of Web application "A":
>>>>>>
>>>>>> <filter>
>>>>>>   <filter-name>CAS Validation Filter</filter-name>
>>>>>>   <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
>>>>>>   <init-param>
>>>>>>     <param-name>casServerUrlPrefix</param-name>
>>>>>>     <param-value>https://casserver:8443/cas</param-value>
>>>>>>   </init-param>
>>>>>>   <init-param>
>>>>>>     <param-name>serverName</param-name>
>>>>>>     <param-value>http://serverA:8080</param-value>
>>>>>>   </init-param>
>>>>>>   <init-param>
>>>>>>     <param-name>proxyReceptorUrl</param-name>
>>>>>>     <param-value>/proxy/test.jsp</param-value>
>>>>>>   </init-param>
>>>>>> </filter>
>>>>>>
>>>>>>
>>>>>> The web.xml of Web application "B":
>>>>>> <filter>
>>>>>>   <filter-name>CAS Validation Filter</filter-name>
>>>>>>   <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
>>>>>>   <init-param>
>>>>>>     <param-name>casServerUrlPrefix</param-name>
>>>>>>     <param-value>https://casserver:8443/cas</param-value>
>>>>>>   </init-param>
>>>>>>   <init-param>
>>>>>>     <param-name>serverName</param-name>
>>>>>>     <param-value>http://serverB:8080</param-value>
>>>>>>   </init-param>
>>>>>>   <init-param>
>>>>>>     <param-name>acceptAnyProxy</param-name>
>>>>>>     <param-value>true</param-value>
>>>>>>   </init-param>
>>>>>>   <init-param>
>>>>>>     <param-name>proxyCallbackUrl</param-name>
>>>>>>     <param-value>https://serverA:8443/appA/proxy/test.jsp</param-value>
>>>>>>   </init-param>
>>>>>> </filter>
>>>>>>
>>>>>>
>>>>>> Thanks in advance
>>>>>>
>>>>>> ----
>>>>>> kevin
>>>>>>
>>>>>> --
>>>>>> You are currently subscribed to [email protected] as:
>>>>>> [email protected]
>>>>>> To unsubscribe, change settings or access archives, see
>>>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>>>>
>>>>>>
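
Added example, not from the thread or from the CAS client project: a Python check of the two points settled above, that the proxyCallbackUrl path ends with proxyReceptorUrl and that the validation filter is the first filter mapping to match the receptor path. The embedded web.xml is constructed from the thread's values (without an XML namespace), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed web.xml for application A, built from the thread's values (no XML namespace).
WEB_XML = """<web-app>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <init-param><param-name>proxyCallbackUrl</param-name>
      <param-value>https://serverA:8443/appA/proxy/test.jsp</param-value></init-param>
    <init-param><param-name>proxyReceptorUrl</param-name>
      <param-value>/proxy/test.jsp</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/proxy/test.jsp</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

def matches(pattern, path):
    """Servlet url-pattern match: exact, '/prefix/*' or '*.ext'."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def check_proxy_config(xml_text, validation="CAS Validation Filter"):
    """Return a list of problems with the CAS proxy callback wiring (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    text = lambda el, tag: (el.findtext(tag) or "").strip()
    params = {text(p, "param-name"): text(p, "param-value")
              for f in root.iter("filter") if text(f, "filter-name") == validation
              for p in f.iter("init-param")}
    receptor, callback = params.get("proxyReceptorUrl"), params.get("proxyCallbackUrl")
    if not receptor or not callback:
        return ["validation filter needs both proxyCallbackUrl and proxyReceptorUrl"]
    problems = []
    if not urlparse(callback).path.endswith(receptor):
        problems.append("proxyCallbackUrl path does not end with proxyReceptorUrl")
    # Filters run in filter-mapping order, so the first mapping that matches the
    # receptor path decides which filter sees the CAS server's callback first.
    first = next((text(m, "filter-name") for m in root.iter("filter-mapping")
                  if matches(text(m, "url-pattern"), receptor)), None)
    if first != validation:
        problems.append(f"{first!r} is mapped ahead of the validation filter on {receptor}")
    return problems
```

Calling `check_proxy_config(WEB_XML)` returns an empty list for the working layout; removing the first `/proxy/test.jsp` mapping reproduces the state in the log at 3.1 and 3.3, where the callback lands in the authentication filter.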