Hi,

The CAS client is sending the service url
"http%3A%2F%2Flocalhoat%3A8080%2FuPortal%2FLogin" (without the quotes) to
the Service Validator.  However, it appears that this is not the initial
service sent to the login page (you can see what service a ticket is granted
for by turning on debug).  I would see what is in the "service" parameter of
the login page (/login?service=<SERVICE URL>) and compare that to what the
CAS client is sending to the ticket validator and see why they are
different.

-Scott

On 11/15/06, asha latha <[EMAIL PROTECTED]> wrote:


Thank you very much Scott for your explanation.

Just now I realized that I am adding the certificate to 'C:\Program
Files\Java\jre1.5.0_05\lib\security\cacerts' file instead of 'C:\Program
Files\Java\jdk1.5.0_05\jre\lib\security\cacerts'. I have changed that and
now I am getting a different error.

Can you help me with this error?

This is the exception that I am getting:

javax.servlet.ServletException: Unable to validate ProxyTicketValidator
[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
[edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://localhost:8443/cas/serviceValidate]
ticket=[ST-2-d19NGCVjeQsnNzcnjcaD1d3DfM65oWCBfMt-20]
service=[http%3A%2F%2Flocalhoat%3A8080%2FuPortal%2FLogin]
errorCode=[INVALID_SERVICE]
errorMessage=[ticket 'ST-2-d19NGCVjeQsnNzcnjcaD1d3DfM65oWCBfMt-20' does not match supplied service]
renew=false
entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
 <cas:authenticationFailure code='INVALID_SERVICE'>
  ticket 'ST-2-d19NGCVjeQsnNzcnjcaD1d3DfM65oWCBfMt-20' does not match supplied service
 </cas:authenticationFailure>
</cas:serviceResponse>
]]]]
        edu.yale.its.tp.cas.client.filter.CASValidateFilter.doFilter(CASValidateFilter.java:292)

*root cause*

edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator
[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
[edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://localhost:8443/cas/serviceValidate]
ticket=[ST-2-d19NGCVjeQsnNzcnjcaD1d3DfM65oWCBfMt-20]
service=[http%3A%2F%2Flocalhoat%3A8080%2FuPortal%2FLogin]
errorCode=[INVALID_SERVICE]
errorMessage=[ticket 'ST-2-d19NGCVjeQsnNzcnjcaD1d3DfM65oWCBfMt-20' does not match supplied service]
renew=false
entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
 <cas:authenticationFailure code='INVALID_SERVICE'>
  ticket 'ST-2-d19NGCVjeQsnNzcnjcaD1d3DfM65oWCBfMt-20' does not match supplied service
 </cas:authenticationFailure>
</cas:serviceResponse>
]]]]
        edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:62)
        edu.yale.its.tp.cas.client.filter.CASValidateFilter.getAuthenticatedUser(CASValidateFilter.java:339)
        edu.yale.its.tp.cas.client.filter.CASValidateFilter.doFilter(CASValidateFilter.java:289)



Thanks in advance.


Thanks,
Asha




*Scott Battaglia <[EMAIL PROTECTED]>* wrote:

What I was saying was that the certificate for the CAS Server may not be
in the cacerts file for the uPortal instance's JVM.  It would need to be
added. (I mention this explicitly because sometimes people think they added
it to the correct JVM and it turns out they didn't).

-Scott

On 11/15/06, asha latha <[EMAIL PROTECTED]> wrote:
>
> Thank you Scott for your reply.
>
> (a) does not trust the CAS server certificate which means it just needs
> to be added
> Can you please explain more on the point 'a' you specified?
>
>  I am new to CAS, so I am not sure where to find enough information on
> this issue.
>
> >(b) the CN does not match the hostname (in this case localhost).
> I think this is not the issue because my host name is localhost.
>
> *Scott Battaglia < [EMAIL PROTECTED]>* wrote:
>
> It most likely means that the uPortal JVM either (a) does not trust the
> CAS server certificate which means it just needs to be added or (b) the CN
> does not match the hostname (in this case localhost).
>
> -Scott
>
> On 11/14/06, asha latha < [EMAIL PROTECTED]> wrote:
> >
> > Thank you very much for your support regarding this issue.
> >
> > Finally, my tomcat is working fine but I am still getting the error
> > when I try to integrate CAS to uportal.
> > I tried to access the uportal using the url
> > https://localhost:8443/cas/login?service=http%3A%2F%2Flocalhost:8080%2FuPortal%2FLogin
> >
> > CAS login screen appeared and I have provided it with
> >  NetId: demo
> > Password: demo
> > The user is authenticated and it created a ticket and forwarded the
> > request to uportal
> >
> > These are the lines that are printed in the tomcat command prompt:
> >
> > [java] 2006-11-14 21:05:15,936 INFO [org.jasig.cas.web.flow.AutomaticCookiePathSetterAction] - <Setting ContextPath for cookies to: /cas>
> > [java] 2006-11-14 21:06:15,882 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: demo>
> > [java] 2006-11-14 21:06:15,912 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-2-nc4QVZbCvVrMfbukiTwiQlN9Ay6Yir09yd7-20] for service [ http://localhost:8080/uPortal/Login] for user [demo]>
> > [java] 2006-11-14 21:09:49,279 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-3-2ggz6GySwabK7ctCd0OfNbJYIhEs46H4kH9-20] for service [ http://localhost:8080/uPortal/Login] for user [demo]>
> >
> >
> >
> >  but at this particular point I am getting the following exception.
> >
> > *exception*
> >
> > javax.servlet.ServletException: Unable to validate ProxyTicketValidator
> > [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
> > [edu.yale.its.tp.cas.client.ServiceTicketValidator
> > casValidateUrl=[https://localhost:8443/cas/serviceValidate]
> > ticket=[ST-2-nc4QVZbCvVrMfbukiTwiQlN9Ay6Yir09yd7-20]
> > service=[http%3A%2F%2Flocalhoat%3A8080%2FuPortal%2FLogin] renew=false]]]
> >         edu.yale.its.tp.cas.client.filter.CASValidateFilter.doFilter(CASValidateFilter.java:292)
> >
> >  *root cause*
> >
> > edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator
> > [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
> > [edu.yale.its.tp.cas.client.ServiceTicketValidator
> > casValidateUrl=[https://localhost:8443/cas/serviceValidate]
> > ticket=[ST-2-nc4QVZbCvVrMfbukiTwiQlN9Ay6Yir09yd7-20]
> > service=[http%3A%2F%2Flocalhoat%3A8080%2FuPortal%2FLogin] renew=false]]]
> >         edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
> >         edu.yale.its.tp.cas.client.filter.CASValidateFilter.getAuthenticatedUser(CASValidateFilter.java:339)
> >         edu.yale.its.tp.cas.client.filter.CASValidateFilter.doFilter(CASValidateFilter.java:289)
> >
> >
> > Can anybody help me with this error?
> >
> >
> > Thanks in advance.
> >
> > Thanks,
> > Asha
> >
> >
> > *John Thiltges < [EMAIL PROTECTED]>* wrote:
> >
> > asha latha wrote:
> > > Thank you for your response John.
> > >
> > > I removed those two lines from the server.xml.
> > >
> > > > maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> > > enableLookups="false" disableUploadTimeout="true"
> > > acceptCount="100" scheme="https" secure="true"
> > > clientAuth="false" sslProtocol="TLS"
> > > />
> > > Now I am not getting exceptions in tomcat.
> > Excellent.
> > > But when I try to open the SSL configuration by going to
> > > https://localhost:8443/
> > >
> > > I am getting the following error message .
> > >
> > > There is a problem with this website's security
> > > certificate.
> > > The security certificate presented by this website was not
> > > issued by a trusted certificate authority.
> > >
> > >
> > >
> > > Security certificate problems may indicate an attempt to fool you or
> > > intercept any data you send to the server.
> > >
> > > Do you have any idea what's going on?
> > >
> > Sounds like things are working fine.
> >
> > Because you made a self-signed certificate, it's not automatically
> > trusted by your browser and you get the warning. For a production
> > service, you'll probably want to purchase an SSL certificate from a
> > certificate authority (CA). There are lots of vendors:
> > Verisign/Thawte,
> > Comodo, GeoTrust, and many others.
> >
> > John
> > _______________________________________________
> > Yale CAS mailing list
> > [email protected]
> > http://tp.its.yale.edu/mailman/listinfo/cas
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
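
The comparison suggested at the top of this thread, as an added example (not part of the original messages and not CAS project code): it pairs the service a ticket was granted for in the CAS server log with the service the client presented at validation, and reports where the two strings first differ. The two sample strings are lines quoted in this thread with the mail wraps rejoined; the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Lines quoted in this thread, with mail-client line wraps rejoined.
SERVER_LOG = (
    "2006-11-14 21:06:15,912 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - "
    "<Granted service ticket [ST-2-nc4QVZbCvVrMfbukiTwiQlN9Ay6Yir09yd7-20] "
    "for service [ http://localhost:8080/uPortal/Login] for user [demo]>"
)
CLIENT_ERROR = (
    "casValidateUrl=[https://localhost:8443/cas/serviceValidate] "
    "ticket=[ST-2-nc4QVZbCvVrMfbukiTwiQlN9Ay6Yir09yd7-20] "
    "service=[http%3A%2F%2Flocalhoat%3A8080%2FuPortal%2FLogin] renew=false"
)

GRANTED = re.compile(
    r"Granted service ticket \[(ST-[^\]\s]+)\s*\] for service \[\s*([^\]]+?)\s*\]")
VALIDATED = re.compile(r"ticket=\[(ST-[^\]]+)\] service=\[([^\]]+)\]")

def granted_services(server_log):
    """Map ticket id -> service URL the CAS server granted it for."""
    return {m.group(1): m.group(2) for m in GRANTED.finditer(server_log)}

def compare(server_log, client_error):
    """Return (ticket, granted, presented, first_diff_index) per validation
    attempt; first_diff_index is None when the service strings are identical."""
    granted = granted_services(server_log)
    results = []
    for ticket, raw in VALIDATED.findall(client_error):
        presented = unquote(raw)  # the client logs the URL-encoded form
        want = granted.get(ticket)
        diff = None
        if want != presented:
            pairs = zip(want or "", presented)
            diff = next((i for i, (a, b) in enumerate(pairs) if a != b),
                        min(len(want or ""), len(presented)))
        results.append((ticket, want, presented, diff))
    return results

if __name__ == "__main__":
    for ticket, want, got, diff in compare(SERVER_LOG, CLIENT_ERROR):
        print(ticket)
        print("  granted for :", want)
        print("  client sent :", got)
        if diff is not None:
            print("  first difference at index", diff, "->", repr(got[diff:diff + 8]))
```
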
