Re: [cas-user] CAS - Service Management - Connection Reset

2013-10-23 Thread Jérôme LELEU
Hi,

It works: the expected ticket is a service ticket and not the TGT.
Pretty strange: it seems that the problem comes from within your
application.
Easy advice, but did you try enabling some logs on java.net and
org.jasig.cas?
Thanks.
Best regards,
Jérôme



2013/10/22 Michael Kromarek mkroma...@highline.edu

 Trying https://my_server.highline.edu:8443/cas/serviceValidate without
 any parameters:

 SSL handshake successful
 Server Certificate verified
  HTTP/1.1 200 OK
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 16:00:00 PST
  Content-Type: text/plain;charset=UTF-8
  Content-Language: en-US
  Content-Length: 242
  Date: Tue, 22 Oct 2013 21:13:55 GMT
  Server: Apache
 
 <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
     <cas:authenticationFailure code='INVALID_REQUEST'>
         &#039;service&#039; and &#039;ticket&#039; parameters are
         both required
     </cas:authenticationFailure>
 </cas:serviceResponse>
 * Connection #0 to host my_server.highline.edu left intact
 * Closing connection #0
 * SSLv3, TLS alert, Client hello (1):



 Passing the service ticket created from the attempt at using /cas/services

 curl -v \
  "https://my_server.highline.edu:8443/cas/serviceValidate?service=https%3A%2F%2Fmy_server.highline.edu%3A8443%2Fcas%2Fservices&ticket=ST-1-piyf2WgKIKHn1sCCgWVw-my_server.highline.edu"

 SSL Handshake and certificate verification succeed

 followed by

  Host: my_server.highline.edu:8443
  Accept: */*
 
  HTTP/1.1 200 OK
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 16:00:00 PST
  Content-Type: text/plain;charset=UTF-8
  Content-Language: en-US
  Content-Length: 248
  Date: Tue, 22 Oct 2013 21:12:03 GMT
  Server: Apache
 
 <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
     <cas:authenticationFailure code='INVALID_TICKET'>
         ticket &#039;ST-1-piyf2WgKIKHn1sCCgWVw-my_server.highline.edu&#039; not recognized
     </cas:authenticationFailure>
 </cas:serviceResponse>
 * Connection #0 to host my_server.highline.edu left intact
 * Closing connection #0
 * SSLv3, TLS alert, Client hello (1):


 -

 If I change the ticket to the TGT that was created from authenticating at
 /cas/login I get the 500 internal service error and the Cas Unavailable
 html



 --Mike K.
 --
 You are currently subscribed to cas-user@lists.jasig.org as:
 lel...@gmail.com
 To unsubscribe, change settings or access archives, see
 http://www.ja-sig.org/wiki/display/JSG/cas-user


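
The exchange above boils down to two client-side checks: send a service ticket (ST-*) rather than the TGT to /serviceValidate, with both parameters properly encoded, and read the CAS 2.0 response for either authenticationSuccess or an authenticationFailure code. The following Python is an added example, not code from the thread or from the CAS project; the three sample responses are reconstructed from the two failure bodies quoted above plus one constructed success body for the invented user "jdoe".

```python
"""CAS 2.0 /serviceValidate helpers: build the request URL and parse the reply.

Added example (not from the thread or the CAS project). Sample bodies are
reconstructed from the two failures quoted in the thread plus one constructed
success response.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "http://www.yale.edu/tp/cas"
NS = {"cas": CAS_NS}


def build_validate_url(cas_base: str, service: str, ticket: str) -> str:
    """Build the /serviceValidate URL with both required parameters encoded.

    Rejects anything that is not a service ticket: /serviceValidate validates
    ST-* values only. A TGT-* value is the SSO session cookie and must never be
    sent to a validation endpoint (the mistake discussed in the thread).
    """
    if not ticket.startswith("ST-"):
        raise ValueError(f"serviceValidate expects a service ticket, got {ticket[:4]!r}...")
    # urlencode percent-encodes the service URL and joins the pair with '&'.
    query = urlencode({"service": service, "ticket": ticket})
    return f"{cas_base.rstrip('/')}/serviceValidate?{query}"


def parse_service_response(body: str) -> dict:
    """Return {'ok', 'user', 'code', 'message'} for a CAS 2.0 serviceResponse."""
    root = ET.fromstring(body)
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        raise ValueError(f"unexpected root element {root.tag!r}")
    success = root.find("cas:authenticationSuccess", NS)
    if success is not None:
        user = success.findtext("cas:user", default=None, namespaces=NS)
        if not user or not user.strip():
            # A success element without a principal is malformed; never treat it as a login.
            raise ValueError("authenticationSuccess without cas:user")
        return {"ok": True, "user": user.strip(), "code": None, "message": None}
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        return {
            "ok": False,
            "user": None,
            "code": failure.get("code"),
            # Collapse the server's whitespace/indentation around the message text.
            "message": " ".join((failure.text or "").split()),
        }
    raise ValueError("neither authenticationSuccess nor authenticationFailure present")


# Sample bodies: the first two follow the failures quoted in the thread, the
# third is a constructed success response.
INVALID_REQUEST = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code='INVALID_REQUEST'>
        &#039;service&#039; and &#039;ticket&#039; parameters are both required
    </cas:authenticationFailure>
</cas:serviceResponse>"""

INVALID_TICKET = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code='INVALID_TICKET'>
        ticket &#039;ST-1-piyf2WgKIKHn1sCCgWVw-my_server.highline.edu&#039; not recognized
    </cas:authenticationFailure>
</cas:serviceResponse>"""

SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>jdoe</cas:user>
    </cas:authenticationSuccess>
</cas:serviceResponse>"""


if __name__ == "__main__":
    print(build_validate_url("https://my_server.highline.edu:8443/cas",
                             "https://my_server.highline.edu:8443/cas/services",
                             "ST-1-piyf2WgKIKHn1sCCgWVw-my_server.highline.edu"))
    for body in (INVALID_REQUEST, INVALID_TICKET, SUCCESS):
        print(parse_service_response(body))
```

The parser refuses to report success unless a cas:user element is present, so a truncated or unexpected document cannot be mistaken for a valid login; callers should treat any ValueError the same way as an authenticationFailure.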

Re: [cas-user] OAuth 2.0 with Google, Github

2013-10-23 Thread Jérôme LELEU
Hi,

You always need to use the generated url: GitHubProviderUrl.
Your stack trace is almost unreadable but it seems that you have a problem
when creating the TGT from the OAuth credentials.

Would you mind enabling DEBUG logs on org.jasig and posting them?

Thanks.
Best regards,
Jérôme



2013/10/22 Hardik J Sheth h.sh...@tcs.com

 Hi Jerome. I had tried to add the oauth_provider=Githubprovider.
 But it didn't work. Then I had updated the url with same url as in your
 demo.
 <a id="githubAuthorizationUrl" href="${GitHubProviderUrl}">Authenticate
 with GitHub</a><br />

 Then I am getting following error in browser

 {failure:true,exception.message:org.springframework.webflow.execution.ActionExecutionException:
 Exception thrown executing
 org.jasig.cas.support.oauth.web.flow.OAuthAction@12b8b27 in state
 'oauthAction' of flow 'login' -- action execution attributes were
 'map[[empty]]',exception.stacktrace:org.springframework.webflow.execution.ActionExecutionException:
 Exception thrown executing
 org.jasig.cas.support.oauth.web.flow.OAuthAction@12b8b27 in state
 'oauthAction' of flow 'login' -- action execution attributes were
 'map[[empty]]'\r\n\tat
 org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60)\r\n\tat
 org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)\r\n\tat
 org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)\r\n\tat
 org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)\r\n\tat
 org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)\r\n\tat
 org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101)\r\n\tat
 org.springframework.webflow.engine.State.enter(State.java:194)\r\n\tat
 org.springframework.webflow.engine.Flow.start(Flow.java:535)\r\n\tat
 org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:366)\r\n\tat
 org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:225)\r\n\tat
 org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)\r\n\tat
 org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:193)\r\n\tat
 org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:923)\r\n\tat
 org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:852)\r\n\tat
 org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)\r\n\tat
 org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:778)\r\n\tat
 javax.servlet.http.HttpServlet.service(HttpServlet.java:690)\r\n\tat
 javax.servlet.http.HttpServlet.service(HttpServlet.java:803)\r\n\tat
 org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody2(SafeDispatcherServlet.java:128)\r\n\tat
 org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody3$advice(SafeDispatcherServlet.java:57)\r\n\tat
 org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:1)\r\n\tat
 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)\r\n\tat
 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)\r\n\tat
 org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)\r\n\tat
 org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)\r\n\tat
 org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)\r\n\tat
 org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)\r\n\tat
 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)\r\n\tat
 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)\r\n\tat
 com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)\r\n\tat
 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)\r\n\tat
 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)\r\n\tat
 org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)\r\n\tat
 org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)\r\n\tat
 org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)\r\n\tat
 org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)\r\n\tat
 org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)\r\n\tat
 org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)\r\n\tat
 org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)\r\n\tat
 org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)\r\n\tat
 

[cas-user] cas 3.5.1 PGT replication using ehcache replication

2013-10-23 Thread n99
Hi

We are using cas-server-extension-clearpass (using cas proxy tickets) and 
cas-server-integration-ehcache modules together in cas 3.5.1.

Looking at the ticketRegistry.xml file it says

<bean id="ticketGrantingTicketsCache"
      class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <description>
        Ticket Granting Tickets (TGT) are valid for the lifetime of the
        SSO Session.  They become invalid either
        by expiration policy (default 2 hours idle, 8 hours max) or by
        explicit user sign off via /cas/login.
        The TGT cache can be replicated slowly because TGT are only
        manipulated via web user started operations
        (mostly grant service ticket) and thus benefit of web session
        affinity.
    </description>

    <property name="cacheName"
              value="org.jasig.cas.ticket.TicketGrantingTicket" />

    <property name="cacheEventListeners">
        <ref local="ticketRMIAsynchronousCacheReplicator"/>
    </property>




Use of TGTs does seem to be tied to web user started operations in a 
browser where you are stuck to one node and so maybe can be replicated 
slowly.
However if you are using PGTs to obtain a PT it seems PGTs go into the same 
cache as TGTs and are replicated slowly as well?

However getting a PT using a PGT can be done in code and so you can't rely 
on hitting the same node which means you can fall foul of the slower 
replication of PGTs if:

You get the PGT from node 1
Form a request in code using this PGT that goes to node 2 to obtain your PT.

Is the use of both cas-server-extension-clearpass (using cas proxy 
tickets) and cas-server-integration-ehcache modules together not supported 
or do I simply need to tune my ticketRMIAsynchronousCacheReplicator?

The code in 
cas-server-3.5.1/cas-server-integration-ehcache/src/main/java/org/jasig/cas/ticket/registry/EhCacheTicketRegistry.java
says 


public void addTicket(final Ticket ticket) {
    final Element element = new Element(ticket.getId(), ticket);
    if (ticket instanceof ServiceTicket) {
        log.debug("Adding service ticket {} to the cache {}",
                ticket.getId(), this.serviceTicketsCache.getName());
        this.serviceTicketsCache.put(element);
    } else if (ticket instanceof TicketGrantingTicket) {
        // A PGT is also a TicketGrantingTicket, so it takes this branch and
        // lands in the same (asynchronously replicated) cache as TGTs.
        log.debug("Adding ticket granting ticket {} to the cache {}",
                ticket.getId(), this.ticketGrantingTicketsCache.getName());
        this.ticketGrantingTicketsCache.put(element);
    } else {
        throw new IllegalArgumentException("Invalid ticket type " + ticket);
    }
}

So it doesn't seem to distinguish between TGTs and PGTs.

Any advice or recommendation to open a JIRA appreciated

Thanks


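
The race n99 describes, modelled in Python as an added example (this is not CAS or Ehcache code; the Node and Replicator classes, the ticket ID formats and the user "jdoe" are invented for the model, and the service-ticket cache is assumed to replicate synchronously). A PGT is minted on node 1 into the shared TGT cache; a proxy-ticket request then lands on node 2 before the asynchronous replicator has run, and again after it has, and the same scenario is repeated with the TGT cache replicated synchronously:

```python
"""Two-node ticket registry model: why a PGT in a slowly replicated cache can
fail a /proxy request that reaches the other node.

Added example, not CAS or Ehcache code. Class names, ID formats and the user
"jdoe" are invented for the model.
"""
from collections import deque


class Replicator:
    """Copies puts between the nodes' caches, synchronously or on a later flush.

    This stands in for the two modes of an RMI cache replicator: queue events
    and deliver them on the next replication run (asynchronous), or copy the
    put to every peer before returning (synchronous).
    """

    def __init__(self, asynchronous: bool):
        self.asynchronous = asynchronous
        self.pending = deque()  # (peer_cache, key, value) awaiting delivery
        self.peers = []         # every node's cache for this ticket family

    def put(self, origin: dict, key: str, value: dict) -> None:
        origin[key] = value
        for peer in self.peers:
            if peer is origin:
                continue
            if self.asynchronous:
                self.pending.append((peer, key, value))
            else:
                peer[key] = value

    def flush(self) -> int:
        """Deliver queued events (the replicator's periodic run); returns the count."""
        delivered = 0
        while self.pending:
            peer, key, value = self.pending.popleft()
            peer[key] = value
            delivered += 1
        return delivered


class Node:
    """One CAS node. TGTs and PGTs share one cache, as in the registry quoted above."""

    def __init__(self, name: str, tgt_replicator: Replicator, st_replicator: Replicator):
        self.name = name
        self.tgt_cache: dict = {}   # TGTs and PGTs
        self.st_cache: dict = {}    # STs and PTs
        self.tgt_replicator = tgt_replicator
        self.st_replicator = st_replicator
        tgt_replicator.peers.append(self.tgt_cache)
        st_replicator.peers.append(self.st_cache)
        self._seq = 0

    def _next_id(self, prefix: str) -> str:
        self._seq += 1
        return f"{prefix}-{self._seq}-{self.name}"  # constructed ID format

    def create_tgt(self, user: str) -> str:
        tgt_id = self._next_id("TGT")
        self.tgt_replicator.put(self.tgt_cache, tgt_id, {"user": user, "parent": None})
        return tgt_id

    def grant_pgt(self, tgt_id: str) -> str:
        """A PGT is a granting ticket with a parent; it goes into the TGT cache."""
        parent = self.tgt_cache[tgt_id]
        pgt_id = self._next_id("PGT")
        self.tgt_replicator.put(self.tgt_cache, pgt_id,
                                {"user": parent["user"], "parent": tgt_id})
        return pgt_id

    def grant_proxy_ticket(self, pgt_id: str, service: str) -> dict:
        """/proxy on this node: INVALID_TICKET if the PGT has not arrived here yet."""
        granting = self.tgt_cache.get(pgt_id)
        if granting is None:
            return {"ok": False, "code": "INVALID_TICKET"}
        pt_id = self._next_id("PT")
        self.st_replicator.put(self.st_cache, pt_id,
                               {"user": granting["user"], "service": service})
        return {"ok": True, "ticket": pt_id}


def scenario(tgt_async: bool) -> tuple:
    """PGT minted on node 1, PT requested on node 2 before and after replication."""
    tgt_rep = Replicator(asynchronous=tgt_async)
    st_rep = Replicator(asynchronous=False)  # assumption: STs replicate synchronously
    node1 = Node("node1", tgt_rep, st_rep)
    node2 = Node("node2", tgt_rep, st_rep)
    pgt = node1.grant_pgt(node1.create_tgt("jdoe"))
    before = node2.grant_proxy_ticket(pgt, "https://app.example/proxied")
    tgt_rep.flush()
    after = node2.grant_proxy_ticket(pgt, "https://app.example/proxied")
    return before, after


if __name__ == "__main__":
    print("async TGT cache:", scenario(tgt_async=True))
    print("sync  TGT cache:", scenario(tgt_async=False))
```

With the asynchronous replicator the first request on node 2 fails with INVALID_TICKET and only succeeds once the replication run has delivered the PGT; with synchronous replication both succeed. In the real registry the fix is either to move PGTs into a cache with a synchronous replicator, or to make the TGT cache's replicator synchronous and accept the extra latency on every TGT write.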

Re: [cas-user] OAuth 2.0 with Google, Github

2013-10-23 Thread Hardik J Sheth
Hi Jerome,

I have enabled debug log. The logs are attached here.

23 Oct, 2013 4:43:04 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting 
property 'source' to 'org.eclipse.jst.jee.server:CASServer' did not find a 
matching property.
23 Oct, 2013 4:43:04 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal 
performance in production environments was not found on the java.library.path: 
D:\Cardiff\WebLogic\jdk160_05\bin;.;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program
 Files\Windows Imaging\;C:\Program Files\Bitvise Tunnelier
23 Oct, 2013 4:43:04 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
23 Oct, 2013 4:43:04 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8090
23 Oct, 2013 4:43:04 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 678 ms
23 Oct, 2013 4:43:04 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
23 Oct, 2013 4:43:04 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.16
23 Oct, 2013 4:43:05 PM org.apache.catalina.core.StandardContext 
addApplicationListener
INFO: The listener org.jasig.cas.web.init.SafeContextLoaderListener is 
already configured for this context. The duplicate definition has been ignored.
23 Oct, 2013 4:43:05 PM org.apache.catalina.core.StandardContext 
addApplicationListener
INFO: The listener com.tcs.sgv.util.CASContextListner is already configured 
for this context. The duplicate definition has been ignored.
23 Oct, 2013 4:43:05 PM org.apache.catalina.core.ApplicationContext log
INFO: Initializing Spring root WebApplicationContext
2013-10-23 16:43:08,332 DEBUG 
[org.jasig.cas.services.DefaultServicesManagerImpl] - Adding registered 
service ^(https?|imaps?)://.*
2013-10-23 16:43:08,333 DEBUG 
[org.jasig.cas.services.DefaultServicesManagerImpl] - Adding registered 
service https://01hw394314:8090/CASServer/oauth2.0/callbackAuthorize
2013-10-23 16:43:08,333 DEBUG 
[org.jasig.cas.services.DefaultServicesManagerImpl] - Adding registered 
service http://mycasserver/login
2013-10-23 16:43:08,333 INFO 
[org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 2 services.
2013-10-23 16:43:08,772 DEBUG 
[org.jasig.cas.util.AutowiringSchedulerFactoryBean] - Autowired the following 
triggers defined in application context: 
[triggerJobDetailTicketRegistryCleaner, periodicServiceRegistryReloaderTrigger]
Inside CustomAuthenticationHandler
Inside setDataSource
2013-10-23 16:43:10,002 INFO 
[org.jasig.cas.util.AutowiringSchedulerFactoryBean] - Starting Quartz 
Scheduler now
23 Oct, 2013 4:43:10 PM org.apache.catalina.core.ApplicationContext log
INFO: Initializing Spring FrameworkServlet 'cas'
2013-10-23 16:43:10,483 DEBUG 
[org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController] - 
Found action method [public org.springframework.web.servlet.ModelAndView 
org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController.deleteRegisteredService(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)]
2013-10-23 16:43:10,484 DEBUG 
[org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController] - 
Found action method [public org.springframework.web.servlet.ModelAndView 
org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController.manage(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)]
2013-10-23 16:43:10,484 DEBUG 
[org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController] - 
Found action method [public org.springframework.web.servlet.ModelAndView 
org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController.updateRegisteredServiceEvaluationOrder(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)]
2013-10-23 16:43:10,749 DEBUG 
[org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] - 
Registering flow definition 'ServletContext resource 
[/WEB-INF/login-webflow.xml]' under id 'login'
2013-10-23 16:43:10,780 DEBUG 
[org.springframework.webflow.execution.factory.ConditionalFlowExecutionListenerLoader]
 - Adding flow execution listener 
org.jasig.cas.web.flow.TerminateWebSessionListener@13ccea with criteria *
23 Oct, 2013 4:43:10 PM org.apache.catalina.core.StandardContext resourcesStart
SEVERE: Error starting static Resources
java.lang.IllegalArgumentException: Document base 
D:\Cardiff\apache-tomcat-6.0.16\webapps\zksample2_v5_0613(zk5.0.6) does not 
exist or is not a readable directory
at 

RE: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-23 Thread Paul B. Henson
 From: William G. Thompson, Jr. [mailto:wgt...@gmail.com]
 Sent: Tuesday, October 22, 2013 9:18 AM

 Sorry I wasn't clearer...the pointer to CAS-1283 was more of a
 suggestion to engage on that ticket...presumably to incorporate your
 enhancements.

Ah, okay; I updated the ticket with a comment indicating it currently does not 
handle multivalued attributes and included the sample code adding an additional 
loop to avoid flattening them out.

Re: [cas-user] multi valued attributes in CAS 2.0 protocol

2013-10-23 Thread William G. Thompson, Jr.
Excellent.  I've re-opened this issue to consider Paul's enhancement.

On Wed, Oct 23, 2013 at 12:48 PM, Paul B. Henson hen...@csupomona.edu wrote:
 From: William G. Thompson, Jr. [mailto:wgt...@gmail.com]
 Sent: Tuesday, October 22, 2013 9:18 AM

 Sorry I wasn't clearer...the pointer to CAS-1283 was more of a
 suggestion to engage on that ticket...presumably to incorporate your
 enhancements.

 Ah, okay; I updated the ticket with a comment indicating it currently does 
 not handle multivalued attributes and included the sample code adding an 
 additional loop to avoid flattening them out.

Re: [cas-user] CAS - Service Management - Connection Reset

2013-10-23 Thread Michael Kromarek
Hi Jérôme,

I figured out what was causing the problem.

When I added -Djava.net.debug=ssl to the JAVA_OPTS variable in 
/etc/default/tomcat7 and changed the logging level of org.jasig in the 
log4j.xml file to debug I caught the following:

http-apr-8443-exec-10, WRITE: TLSv1 Handshake, length = 177
http-apr-8443-exec-10, WRITE: SSLv2 client hello message, length = 173
http-apr-8443-exec-10, handling exception: java.net.SocketException: Connection 
reset
http-apr-8443-exec-10, SEND TLSv1 ALERT:  fatal, description = 
unexpected_message
http-apr-8443-exec-10, WRITE: TLSv1 Alert, length = 2
http-apr-8443-exec-10, Exception sending alert: java.net.SocketException: 
Broken pipe
http-apr-8443-exec-10, called closeSocket()
2013-10-23 14:54:12,680 ERROR [org.jasig.cas.client.util.CommonUtils] - 
Connection reset
java.net.SocketException: Connection reset

I wasn't sure why the connection was issuing a SSLv2 hello message, but that is 
what was causing the problem.

It turned out that even though I had configured Tomcat to only accept TLSv1 and 
SSLv3, the JVM was accepting SSLv2.

To fix the problem I added the following flag to my JAVA_OPTS variable 
-Dhttps.protocols=TLSv1

Now I can access the services management portion and authenticate users 
successfully.

Thanks for all your help!
--Mike K. 