Thanks. I redid my ssl cert and reset the param-values in CASFilter to
the full server name and all works now.

 

John

 

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Andrew Petro
Sent: Tuesday, June 05, 2007 2:36 PM
To: Yale CAS mailing list
Subject: localhost cert only works for trivial case where cas, client
app, and browser all running on localhost

 

John, 

    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
        <param-value>https://localhost:8443/cas/login</param-value>
    </init-param>


When your browser accesses the application, CASFilter will detect that
it does not yet have an authenticated session, and will instruct the
browser to redirect to the CAS login URL.  In this case, that URL is
"https://localhost:8443/cas/login".
So the browser attempts to access that URL.  When you run the browser on
the web server itself, this resolves to the CAS server.  When you run
the browser from any other machine, the CAS server is not running on
"localhost" from the perspective of the web browser, and so you don't
get to CAS and cannot continue.

Since CASFilter is in front of the application, all requests for the
application will be redirected in this way until an authenticated
session is established, and so you experience inability to access the
application at all.

The solution is to use a URL involving a real hostname to specify the
CAS server, which will require a non-localhost SSL certificate.

Localhost certs will only work for the trivial example where CAS server,
client application, and browser, are *all* running on localhost.

Andrew





Graves, John wrote: 

Hoping someone has run across this one and can point me in the proper
direction...


I've got CAS set up for an application on a local server. The ssl cert I
created for that server is defined for localhost. The ssl cert has been
imported into both the tomcat keystore and the JRE cacerts keystore.
Using a browser on that machine, I have no problems authenticating and
using the application.  I can enter the application using either
http://localhost:8080/myApp or http://my.web.server:8080/myApp.
Attempting to connect to the application from another machine (in the
same domain) using the latter URL, however, the application is
unreachable.  From the other machine, I have no problems reaching
http://my.web.server:8443/cas/login, and the authentication works.
(Using the CAS Login URL and the serviceUrl parameter for CASFilter does
not route me to my requested destination application, though, from
either machine.)

 

This has to be some form of a configuration glitch on my part, as I have
other, non-CASified applications on that server that I have no problems
reaching from the other box.  Here is my web.xml section from the
CASified app...

 

    <filter>
        <filter-name>CAS Filter</filter-name>
        <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
        <init-param>
            <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
            <param-value>https://localhost:8443/cas/login</param-value>
        </init-param>
        <init-param>
            <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
            <param-value>https://localhost:8443/cas/serviceValidate</param-value>
        </init-param>
        <!--init-param>
            <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
            <param-value>localhost:8080</param-value>
        </init-param-->
        <init-param>
            <param-name>edu.yale.its.tp.cas.client.filter.serviceUrl</param-name>
            <param-value>http://my.web.server:8080/myApp</param-value>
        </init-param>
        <init-param>
            <param-name>edu.yale.its.tp.cas.client.filter.wrapRequest</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <!-- Everything must go through the CAS Filter-->
    <filter-mapping>
        <filter-name>CAS Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

 

John Graves

Sr. Software Engineer

Advanced Systems Group

Essex 

321-837-7014

 

 

 

 

 

 

 

 

This electronic message and any files transmitted with it contain
information which may be privileged and/or proprietary. The information
is intended for use solely by the intended recipient(s). If you are not
the intended recipient, be aware that any disclosure, copying,
distribution or use of this information is prohibited. If you have
received this electronic message in error, please advise the sender by
reply email or by telephone (301-939-7000) and delete the message. 

 



________________________________



 
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
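
The failure Andrew describes in this thread can be caught before deployment. The following is an added example, not code from the thread or from the CAS client project: it parses a web.xml and reports CASFilter URL settings that point at a loopback host. The sample document is constructed from the init-params quoted above; the function names and the split into browser-facing and server-side settings are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PREFIX = "edu.yale.its.tp.cas.client.filter."
BROWSER_FACING = {"loginUrl", "serviceUrl", "serverName"}  # URLs the browser is sent to

# Constructed sample: the init-params quoted in the thread, trimmed.
SAMPLE_WEB_XML = """<web-app><filter>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
    <param-value>https://localhost:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
    <param-value>https://localhost:8443/cas/serviceValidate</param-value>
  </init-param>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.serviceUrl</param-name>
    <param-value>http://my.web.server:8080/myApp</param-value>
  </init-param>
</filter></web-app>"""

def is_loopback(host):
    """True for localhost names and loopback IP literals (127.0.0.0/8, ::1)."""
    host = (host or "").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit_cas_filter(web_xml):
    """Return (setting, value, reason) for each CASFilter URL on a loopback host."""
    findings = []
    for el in ET.fromstring(web_xml).iter():
        # Key children by local tag name so a namespaced web.xml is handled too.
        f = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}
        name, value = f.get("param-name", ""), f.get("param-value", "")
        if not name.startswith(PREFIX):  # not a CASFilter init-param
            continue
        short = name[len(PREFIX):]
        # serverName is host[:port] with no scheme; prefix '//' so urlsplit sees a host.
        host = urlsplit(value if "://" in value else "//" + value).hostname
        if is_loopback(host):
            reason = ("a browser on another machine resolves this to itself" if short in BROWSER_FACING
                      else "valid only while CAS shares this host and its cert names localhost")
            findings.append((short, value, reason))
    return findings
```

Run against the sample, `audit_cas_filter(SAMPLE_WEB_XML)` reports `loginUrl` and `validateUrl`; after switching both to the full server name, as John did, it reports nothing.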
 
 
 
 
 
 
 