Andrew,

This page is about as good as it gets.  However, I think that Srikar's specific issue is not clearly addressed.  Look at the step instructing how to import the cert into "cacerts."  The instructions should clearly specify that this step is needed for CAS client applications and not for the CAS server.  This is significant when the clients are on servers other than the server running CAS.

Adam

Andrew Petro wrote:
Adam, Srikar,

Does the Solving SSL Issues page help any?


On Jan 7, 2008, at 10:54 AM, Adam Rybicki wrote:

Srikar,

This should be an FAQ, but it isn't.  I have searched through the "usual suspects" sites:
I found no information to help you address your issue.  This should be fixed.  I hope that Scott or someone else can suggest how and where to add this information.

Anyway, it appears that you are using the Yale CAS client.  The client attempts to verify the service ticket it received from CAS, and when it tries to connect to the CAS server, it encounters a javax.net.ssl.SSLHandshakeException.  This is usually caused by using a self-signed SSL certificate on the CAS server.  The Java process running JBoss does not trust the certificate presented by the CAS server.  This is part of Java security.

You can either fix it by using a properly signed certificate or work around the issue by telling Java to trust your self-signed certificate.  I don't have a complete tutorial here, but you have to use Java's "keytool" command, its "-import" option, the "-trustcacerts" option, and you should add it to Java's "cacerts" keystore file.  On Linux this will likely require root access.  I don't think that Java will trust a certificate added to a user-specific keystore.  This message in the mailing list archives starts with instructions for importing the self-signed certificate into the "cacerts" keystore.

Anyhow, please let me know if this helps.

Adam

Srikar Kummamuri wrote:
I am trying to integrate an existing JBOSS application with the CAS client.  I changed the web.xml as shown in the Java CAS client instructions and added the jar file (casclient-2.1.1.jar) in the lib directory of the WEB-INF directory.
 
As expected, upon accessing the app for the first time, the user gets navigated to the CAS server that was installed on a Tomcat. When CAS validates the user and sends the request back to JBOSS, an exception is thrown by CAS as follows.
 
11:19:41,105 INFO  [STDOUT] 2008-01-07 11:19:41 ERROR  tp.cas.client.CASReceipt - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
11:19:41,105 INFO  [STDOUT] 2008-01-07 11:19:41 ERROR  cas.client.filter.CASFilter - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
11:19:41,120 INFO  [STDOUT] 2008-01-07 11:19:41 ERROR  web].[localhost].[/MGS-Reporting].[action] - Servlet.service() for servlet action threw exception
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate] ticket=[ST-13-qYbLWTpYMEcATIcSlPAO] service=[http%3A%2F%2Falx-dev-lap06.wwre.org%3A8080%2FMGS-Reporting%2Faction%2FreportingHome.do] renew=false]]]
        at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
        at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
        at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
        at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
        at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:934)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
        at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
        at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
        at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
        ... 22 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
        at sun.security.validator.Validator.validate(Validator.java:203)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
        at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
        ... 36 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
        ... 41 more
 
 
 
My web.xml is,
 
<filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
        <param-value>https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/login</param-value>
    </init-param>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
        <param-value>https://alx-dev-wrk04.wwre.org:8444/cas-server-webapp-3.1.1/serviceValidate</param-value>
    </init-param>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
        <param-value>alx-dev-lap06.wwre.org:8080</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/action/*</url-pattern>
</filter-mapping>
 
 
 
Any idea why I am getting the error here??  Is this something to do with SSL on the JBOSS side?? 
 
 
Thanks a lot,
Srikar.
 
 
 
 

_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
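As an added diagnostic for the situation in this thread (this is not code from the thread or from the CAS project), the following Java program performs the same trust check the Yale client makes when it calls serviceValidate, but explicitly against the truststore the client JVM consults, and on failure prints which certificate the CAS server presented and whether it is already in that truststore. The class name, the default URL and the truststore path are assumptions; run it on the CAS client host (the JBoss machine) with the JVM that runs JBoss, not on the CAS server.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class CasTrustCheck {
    // Records the chain the server presents, then defers to the real trust manager,
    // so the check stays exactly as strict as the CAS client's own connection.
    static final class RecordingTrustManager implements X509TrustManager {
        final X509TrustManager delegate;
        X509Certificate[] presented;
        RecordingTrustManager(X509TrustManager d) { delegate = d; }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
        public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
            presented = c;                      // kept even if validation fails below
            delegate.checkServerTrusted(c, a);  // throws the same PKIX error the client sees
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    public static void main(String[] args) throws Exception {
        // First argument: the client's validateUrl; the default is a placeholder, not a real host.
        String validateUrl = args.length > 0 ? args[0] : "https://cas.example.org:8443/cas/serviceValidate";
        // Truststore the client JVM consults: javax.net.ssl.trustStore if set, else the JDK cacerts.
        String tsPath = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        String tsPass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit"); // JDK default
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(tsPath)) { ts.load(in, tsPass.toCharArray()); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        RecordingTrustManager rtm = new RecordingTrustManager((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { rtm }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(validateUrl).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {   // the TLS handshake happens here; the HTTP status of the reply does not matter
            System.out.println("OK: " + tsPath + " trusts " + validateUrl + " (HTTP " + conn.getResponseCode() + ")");
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed using " + tsPath + ": " + e.getMessage());
            if (rtm.presented != null) {   // a null alias below means the cert is not in this truststore yet
                X509Certificate leaf = rtm.presented[0];
                System.out.println("Server presented: " + leaf.getSubjectX500Principal()
                        + ", issued by " + leaf.getIssuerX500Principal()
                        + ", truststore alias: " + ts.getCertificateAlias(leaf));
            }
        }
    }
}
```

When the alias prints as null, export that certificate from the CAS server's keystore and import it into the truststore printed above with keytool -import -trustcacerts -alias <alias> -file <cert-file> -keystore <truststore>, then rerun the check; it should report OK once the client JVM trusts the certificate.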



