Re: [cas-user] Incorrect header check when importing keys

Thu, 15 Oct 2015 05:29:47 -0700

We downloaded source code for version 4.1.0 and patched it with this [1] commit. I confirm it works now, however, there are two details:
1) src/main/java/org/jasig/cas/support/saml/util/AbstractSaml20ObjectBuilder.java: Adding the logger lines makes the build crash (it doesn't seem to know what is logger in that context) 2) In the documentation at [2] it's still referenced that the googleAccountsArgumentExtractor bean has the c:servicesManager-ref="servicesManager" reference. We needed to remove it to make that work, otherwise an exception was thrown. 

Thanks.


[1]: 
https://github.com/Jasig/cas/commit/8f148172618704bfedf5861cb7e51c7f8243a8b6
[2]: 
http://jasig.github.io/cas/4.1.x/integration/Google-Apps-Integration.html


El 2015-10-14 14:55, Misagh Moayyed escribió:

This turned out to be an issue. Should be fixed in 4.1.1.

- Misagh


On Oct 13, 2015, at 9:38 AM, Nicolás <nico...@devels.es> wrote:

Hi Misagh,


This happens exclusively with the Google service, when logging 
directly to the Gmail service (por example). The Google service 
redirects the request to our CAS and then it crashes. Any other 
service configured that doesn't use SAML 2.0 works without any issue. 
In the moment that <ref bean="googleAccountsArgumentExtractor" /> is 
added to the argumentExtractors list, this behavior starts happening.



I remark this is working right now with 3.5.x with a pretty similar 
configuration, so I discard any Google side configuration.



I grabbed a request, and this is the result: 
login?SAMLRequest=fVJNT%2BMwEL0j8R8s35M0BbTIaoK6IEQldolo2MPejDOtpzh28Njt8u9xUxBwWK7PM%2B%2FLM7v41xu2BU%2FobMXLfMIZWOU6tOuKP7TX2Tm%2FqI%2BPZiR7M4h5DNrew3MECixtWhLjQ8Wjt8JJQhJW9kAiKLGc%2F7oV03wiBu%2BCU85wtriquDHuSTulTfe4edLQOTQGN0avtV6h3AwaEaUcJGd%2F3m1N97YWRBEWloK0IUGT8iwrJ1l50pZnYvpDnJ785ax5U%2FqJ9pDgO1uPhyESN23bZM3dsh0JttiB%2F52mK752bm0gV67fyzeSCLcJXklDwNmcCHxIBi%2BdpdiDX4LfooKH%2B9uK6xAGEkWx2%2B3yD5pCFtGYHLqYAxVSEa%2FHZsUYzn%2Bq9Hvr8l2a1x%2Fks%2BITVf32Y%2Fsgi6vGGVQvbJ663116kCGlCD6mENfO9zL8X63MyxHBLluNoyJaGkDhCqHjrKgPql9PIx3MKw%3D%3D&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Four.google.domain%2FServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttps%253A%252F%252Fmail.google.com%252Fmail%252F%26ss%3D1%26ltmpl%3Ddefault%26ltmplcache%3D2%26emr%3D1%26osid%3D1



However, I suspect this happens before the SAML request is processed, 
because it's thrown just at redirect time. I even disabled the service 
for Google Apps to see when does it happen, and the result is just the 
same.



If you need any additional tests please let me know, we were about to 
put this version into production when we detected this issue :-/


Thanks.

Nicolás

El 13/10/15 a las 15:16, Misagh Moayyed escribió:

When do you get this error? Do you start from Google Apps or do you 
directly go to cas/login? Could you capture the Google Apps request 
and paste that back?


- Misagh


On Oct 13, 2015, at 4:39 AM, nico...@devels.es wrote:

Hi,


We're running CAS 4.1.0 and we also use Google Apps, so we're trying 
to configure SAML 2.0 for this. Following this [1] document, we've 
made the following steps:



1) We did NOT generate a new private/public key pair, since we 
already have one from our previous CAS installation (3.5.x). We 
simply moved the public/private files to the new machine to the same 
path.


2) argumentExtractorsConfiguration.xml:

   <bean id="googleAccountsArgumentExtractor"

       
class="org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor"

         c:servicesManager-ref="servicesManager"
         c:privateKey-ref="privateKeyFactoryBean"
         c:publicKey-ref="publicKeyFactoryBean" />


   <bean id="privateKeyFactoryBean" 
class="org.jasig.cas.util.PrivateKeyFactoryBean"

         p:location="classpath:private.p8"
         p:algorithm="RSA" />


   <bean 
id="publicKeyFactoryBean"	class="org.jasig.cas.util.PublicKeyFactoryBean"

         p:location="classpath:public.key"
         p:algorithm="RSA" />


3) Although not documented, we added <ref 
bean="googleAccountsArgumentExtractor" /> to the argumentExtractors 
list:


   <util:list id="argumentExtractors">
     <ref bean="casArgumentExtractor" />
     <ref bean="samlArgumentExtractor" />
     <ref bean="googleAccountsArgumentExtractor" />
   </util:list>

When built, the following exception is being thrown:


   GRAVE: El Servlet.service() para el servlet [cas] en el contexto 
con ruta [/cas] lanzó la excepción [Request processing failed; 
nested exception is     
org.springframework.webflow.execution.ActionExecutionException: 
Exception thrown executing 
org.jasig.cas.web.flow.InitialFlowSetupAction@1149cb40 in state 
'null' of flow 'login' -- action      execution attributes were 
'map[[empty]]'] con causa raíz

   java.util.zip.ZipException: incorrect header check

	at 
java.util.zip.InflaterOutputStream.write(InflaterOutputStream.java:273)

        at org.apache.commons.io.IOUtils.copyLarge(IOUtils.java:1793)
        at org.apache.commons.io.IOUtils.copyLarge(IOUtils.java:1769)
        at org.apache.commons.io.IOUtils.copy(IOUtils.java:1744)

	at 
org.jasig.cas.util.CompressionUtils.inflate_aroundBody0(CompressionUtils.java:66)
	at 
org.jasig.cas.util.CompressionUtils$AjcClosure1.run_aroundBody0(CompressionUtils.java:1)
	at 
org.jasig.cas.util.CompressionUtils$AjcClosure1$AjcClosure1.run_aroundBody0(CompressionUtils.java:1)
	at 
org.jasig.cas.util.CompressionUtils$AjcClosure1$AjcClosure1$AjcClosure1.run(CompressionUtils.java:1)
	at 
org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
	at 
org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
	at 
org.jasig.cas.util.CompressionUtils$AjcClosure1$AjcClosure1.run(CompressionUtils.java:1)
	at 
org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
	at 
org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
	at 
org.jasig.cas.util.CompressionUtils$AjcClosure1.run(CompressionUtils.java:1)
	at 
org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
	at 
org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
	at 
org.jasig.cas.util.CompressionUtils.inflate(CompressionUtils.java:63)
	at 
org.jasig.cas.support.saml.util.AbstractSaml20ObjectBuilder.decodeSamlAuthnRequest_aroundBody16(AbstractSaml20ObjectBuilder.java:262)
	at 
org.jasig.cas.support.saml.util.AbstractSaml20ObjectBuilder$AjcClosure17.run_aroundBody0(AbstractSaml20ObjectBuilder.java:1)
	at 
org.jasig.cas.support.saml.util.AbstractSaml20ObjectBuilder$AjcClosure17$AjcClosure1.run(AbstractSaml20ObjectBuilder.java:1)
	at 
org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
	at 
org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
	at 
org.jasig.cas.support.saml.util.AbstractSaml20ObjectBuilder$AjcClosure17.run(AbstractSaml20ObjectBuilder.java:1)
	at 
org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
	at 
org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
	at 
org.jasig.cas.support.saml.util.AbstractSaml20ObjectBuilder.decodeSamlAuthnRequest(AbstractSaml20ObjectBuilder.java:253)
	at 
org.jasig.cas.support.saml.authentication.principal.GoogleAccountsService.createServiceFrom_aroundBody0(GoogleAccountsService.java:133)
	at 
org.jasig.cas.support.saml.authentication.principal.GoogleAccountsService$AjcClosure1.run(GoogleAccountsService.java:1)
	at 
org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
	at 
org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
	at 
org.jasig.cas.support.saml.authentication.principal.GoogleAccountsService.createServiceFrom(GoogleAccountsService.java:131)
	at 
org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor.extractServiceInternal_aroundBody0(GoogleAccountsArgumentExtractor.java:69)
	at 
org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor$AjcClosure1.run_aroundBody0(GoogleAccountsArgumentExtractor.java:1)
	at 
org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor$AjcClosure1$AjcClosure1.run(GoogleAccountsArgumentExtractor.java:1)
	at 
org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
	at 
org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
	at 
org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor$AjcClosure1.run(GoogleAccountsArgumentExtractor.java:1)
	at 
org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
	at 
org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
	at 
org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor.extractServiceInternal(GoogleAccountsArgumentExtractor.java:69)
	at 
org.jasig.cas.web.support.AbstractArgumentExtractor.extractService_aroundBody0(AbstractArgumentExtractor.java:43)
	at 
org.jasig.cas.web.support.AbstractArgumentExtractor$AjcClosure1.run_aroundBody0(AbstractArgumentExtractor.java:1)
	at 
org.jasig.cas.web.support.AbstractArgumentExtractor$AjcClosure1$AjcClosure1.run_aroundBody0(AbstractArgumentExtractor.java:1)
	at 
org.jasig.cas.web.support.AbstractArgumentExtractor$AjcClosure1$AjcClosure1$AjcClosure1.run(AbstractArgumentExtractor.java:1)
	at 
org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
	at 
org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
	at 
org.jasig.cas.web.support.AbstractArgumentExtractor$AjcClosure1$AjcClosure1.run(AbstractArgumentExtractor.java:1)
	at 
org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
	at 
org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
	at 
org.jasig.cas.web.support.AbstractArgumentExtractor$AjcClosure1.run(AbstractArgumentExtractor.java:1)
	at 
org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
	at 
org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
	at 
org.jasig.cas.web.support.AbstractArgumentExtractor.extractService(AbstractArgumentExtractor.java:43)
	at 
org.jasig.cas.web.support.WebUtils.getService_aroundBody4(WebUtils.java:97)
	at 
org.jasig.cas.web.support.WebUtils$AjcClosure5.run(WebUtils.java:1)
	at 
org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
	at 
org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)

        at org.jasig.cas.web.support.WebUtils.getService(WebUtils.java:96)

	at 
org.jasig.cas.web.support.WebUtils.getService_aroundBody6(WebUtils.java:119)
	at 
org.jasig.cas.web.support.WebUtils$AjcClosure7.run(WebUtils.java:1)
	at 
org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
	at 
org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)

        at org.jasig.cas.web.support.WebUtils.getService(WebUtils.java:118)

	at 
org.jasig.cas.web.flow.InitialFlowSetupAction.doExecute(InitialFlowSetupAction.java:97)
	at 
org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
	at 
org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
	at 
org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
	at 
org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
	at 
org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
	at 
org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
	at 
org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)

        at org.springframework.webflow.engine.Flow.start(Flow.java:526)

	at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
	at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
	at 
org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
	at 
org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:238)
	at 
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
	at 
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
	at 
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:966)
	at 
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:857)

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)

	at 
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842)

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)

	at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
	at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at 
org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:296)
	at 
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
	at 
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
	at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at 
org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
	at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at 
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
	at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at 
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
	at 
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
	at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
	at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
	at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
	at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
	at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
	at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
	at 
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
	at 
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
	at 
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
	at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

        at java.lang.Thread.run(Thread.java:745)
        Suppressed: java.util.zip.ZipException: incorrect header check

		at 
java.util.zip.InflaterOutputStream.flush(InflaterOutputStream.java:169)
		at 
java.util.zip.InflaterOutputStream.finish(InflaterOutputStream.java:186)
		at 
java.util.zip.InflaterOutputStream.close(InflaterOutputStream.java:129)
		at 
org.jasig.cas.util.CompressionUtils.inflate_aroundBody0(CompressionUtils.java:68)

                ... 107 more


What could be the reason of this? The md5 checksums of the moved 
files seem to match.


Thanks,

Nicolás


[1]: 
http://jasig.github.io/cas/4.1.x/integration/Google-Apps-Integration.html


--

You are currently subscribed to cas-user@lists.jasig.org as: 
mmoay...@unicon.net
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user





--

You are currently subscribed to cas-user@lists.jasig.org as: 
mmoay...@unicon.net
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user


--
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user






















					Reply via email to