Re: [cas-user] CAS - Service Management - Connection Reset
Hi,

It works: the expected ticket is a service ticket and not the TGT. Pretty strange: it seems that the problem comes from within your application. Easy advice, but did you try enabling some logs on java.net and org.jasig.cas?

Thanks.
Best regards,
Jérôme

2013/10/22 Michael Kromarek mkroma...@highline.edu

Trying https://my_server.highline.edu:8443/cas/serviceValidate without any parameters:

SSL handshake successful
Server Certificate verified

HTTP/1.1 200 OK
Cache-Control: private
Expires: Wed, 31 Dec 1969 16:00:00 PST
Content-Type: text/plain;charset=UTF-8
Content-Language: en-US
Content-Length: 242
Date: Tue, 22 Oct 2013 21:13:55 GMT
Server: Apache

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_REQUEST'>
    'service' and 'ticket' parameters are both required
  </cas:authenticationFailure>
</cas:serviceResponse>

* Connection #0 to host my_server.highline.edu left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

Passing the service ticket created from the attempt at using /cas/services:

curl 'https://my_server.highline.edu:8443/cas/serviceValidate?service=https%3A%2F%2Fmy_server.highline.edu%3A8443%2Fcas%2Fservices&ticket=ST-1-piyf2WgKIKHn1sCCgWVw-my_server.highline.edu' -v

SSL handshake and certificate verification succeed, followed by:

Host: my_server.highline.edu:8443
Accept: */*

HTTP/1.1 200 OK
Cache-Control: private
Expires: Wed, 31 Dec 1969 16:00:00 PST
Content-Type: text/plain;charset=UTF-8
Content-Language: en-US
Content-Length: 248
Date: Tue, 22 Oct 2013 21:12:03 GMT
Server: Apache

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'ST-1-piyf2WgKIKHn1sCCgWVw-my_server.highline.edu' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>

* Connection #0 to host my_server.highline.edu left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

- If I change the ticket to the TGT that was created from authenticating at /cas/login I get the 500 internal service error and the CAS Unavailable html.

--Mike K.

-- 
You are currently subscribed to cas-user@lists.jasig.org as: lel...@gmail.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
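The two things this exchange turns on, that /cas/serviceValidate needs both parameters and only takes a service ticket (ST-...), never the TGT, are easy to check on the client side. The following is an added example, not CAS code or Mike's client: it rejects a non-ST ticket before any round trip and maps the cas:serviceResponse XML (the two failure bodies are the ones quoted above; the success body and the user name "alice" are constructed) to a plain dict.

```python
import re
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# serviceValidate only accepts a service ticket (ST-...). The TGT identifies the
# SSO session and must never be sent as the 'ticket' parameter; sending it is
# what produced the 500 in the thread.
SERVICE_TICKET_RE = re.compile(r"^ST-[\w.-]+$")


def is_service_ticket(ticket: str) -> bool:
    return bool(SERVICE_TICKET_RE.match(ticket))


def parse_service_response(xml_text: str) -> dict:
    """Map a cas:serviceResponse body to a plain dict, for success or failure."""
    root = ET.fromstring(xml_text)
    if root.tag != "{http://www.yale.edu/tp/cas}serviceResponse":
        raise ValueError("not a cas:serviceResponse document")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        return {"ok": True, "user": success.findtext("cas:user", namespaces=CAS_NS)}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is None:
        raise ValueError("neither authenticationSuccess nor authenticationFailure")
    return {"ok": False, "code": failure.get("code"),
            "message": (failure.text or "").strip()}


def validate(ticket: str, response_xml: str) -> dict:
    """Reject a non-ST ticket before the round trip, else interpret the answer."""
    if not is_service_ticket(ticket):
        return {"ok": False, "code": "CLIENT_REJECTED",
                "message": "serviceValidate expects a service ticket (ST-...)"}
    return parse_service_response(response_xml)


# Constructed bodies: the two failures quoted in the thread and a success with
# a made-up user name.
INVALID_REQUEST = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_REQUEST'>
    'service' and 'ticket' parameters are both required
  </cas:authenticationFailure>
</cas:serviceResponse>"""
INVALID_TICKET = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'ST-1-piyf2WgKIKHn1sCCgWVw-my_server.highline.edu' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""
SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
```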
Re: [cas-user] OAuth 2.0 with Google, Github
Hi,

You always need to use the generated url: GitHubProviderUrl. Your stack trace is almost unreadable but it seems that you have a problem when creating the TGT from the OAuth credentials. Would you mind enabling DEBUG logs on org.jasig and posting them?

Thanks.
Best regards,
Jérôme

2013/10/22 Hardik J Sheth h.sh...@tcs.com

Hi Jerome.

I had tried to add the oauth_provider=Githubprovider, but it didn't work. Then I updated the url with the same url as in your demo:

<a id="githubAuthorizationUrl" href="${GitHubProviderUrl}">Authenticate with GitHub</a><br />

Then I am getting the following error in the browser:

{failure:true,exception.message:org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.jasig.cas.support.oauth.web.flow.OAuthAction@12b8b27 in state 'oauthAction' of flow 'login' -- action execution attributes were 'map[[empty]]',exception.stacktrace:org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.jasig.cas.support.oauth.web.flow.OAuthAction@12b8b27 in state 'oauthAction' of flow 'login' -- action execution attributes were 'map[[empty]]'
[cas-user] cas 3.5.1 PGT replication using ehcache replication
Hi

We are using the cas-server-extension-clearpass (using CAS proxy tickets) and cas-server-integration-ehcache modules together in CAS 3.5.1. Looking at the ticketRegistry.xml file it says:

  <bean id="ticketGrantingTicketsCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <description>
      Ticket Granting Tickets (TGT) are valid for the lifetime of the SSO Session.
      They become invalid either by expiration policy (default 2 hours idle, 8 hours max)
      or by explicit user sign off via /cas/login.
      The TGT cache can be replicated slowly because TGT are only manipulated via web user
      started operations (mostly grant service ticket) and thus benefit of web session affinity.
    </description>
    <property name="cacheName" value="org.jasig.cas.ticket.TicketGrantingTicket" />
    <property name="cacheEventListeners">
      <ref local="ticketRMIAsynchronousCacheReplicator"/>
    </property>
  </bean>

Use of TGTs does seem to be tied to web user started operations in a browser, where you are stuck to one node, and so maybe they can be replicated slowly. However, if you are using PGTs to obtain a PT, it seems PGTs go into the same cache as TGTs and are replicated slowly as well? Getting a PT using a PGT can be done in code, so you can't rely on hitting the same node, which means you can fall foul of the slower replication of PGTs if:

  1. You get the PGT from node 1.
  2. You form a request in code using this PGT that goes to node 2 to obtain your PT.

Is the use of both cas-server-extension-clearpass (using CAS proxy tickets) and cas-server-integration-ehcache modules together not supported, or do I simply need to tune my ticketRMIAsynchronousCacheReplicator?

The code in cas-server-3.5.1/cas-server-integration-ehcache/src/main/java/org/jasig/cas/ticket/registry/EhCacheTicketRegistry.java says:

  public void addTicket(final Ticket ticket) {
      final Element element = new Element(ticket.getId(), ticket);
      if (ticket instanceof ServiceTicket) {
          log.debug("Adding service ticket {} to the cache {}", ticket.getId(), this.serviceTicketsCache.getName());
          this.serviceTicketsCache.put(element);
      } else if (ticket instanceof TicketGrantingTicket) {
          // A ProxyGrantingTicket is also a TicketGrantingTicket, so it ends up here too.
          log.debug("Adding ticket granting ticket {} to the cache {}", ticket.getId(), this.ticketGrantingTicketsCache.getName());
          this.ticketGrantingTicketsCache.put(element);
      } else {
          throw new IllegalArgumentException("Invalid ticket type " + ticket);
      }
  }

So it doesn't seem to distinguish between TGTs and PGTs.

Any advice, or a recommendation to open a JIRA, appreciated.

Thanks
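To make the race described above concrete, here is an added two-node model; it is not CAS code, and the ticket classes, caches and replication queue are simplified stand-ins for the org.jasig.cas.ticket types and the ehcache RMI replicators. A PGT is a subclass of TGT and so lands in the asynchronously replicated TGT cache; a proxy-ticket request that reaches the other node before the replication event is applied finds nothing. Routing PGTs to a synchronously replicated cache (the separate_pgt_cache switch, an assumed fix rather than anything the thread settles on) closes the window.

```python
from dataclasses import dataclass, field


@dataclass
class Ticket:
    id: str


class TicketGrantingTicket(Ticket):
    pass


class ProxyGrantingTicket(TicketGrantingTicket):
    """As in CAS, a PGT is a TicketGrantingTicket, so an instanceof TGT test
    also matches it and routes it to the asynchronously replicated cache."""


@dataclass
class Node:
    name: str
    tgt_cache: dict = field(default_factory=dict)  # async RMI replication
    pgt_cache: dict = field(default_factory=dict)  # sync replication (assumed fix)
    inbound: list = field(default_factory=list)    # replication not yet applied


class Cluster:
    def __init__(self, separate_pgt_cache: bool):
        self.nodes = [Node("node1"), Node("node2")]
        self.separate_pgt_cache = separate_pgt_cache

    def add_ticket(self, node: Node, ticket: Ticket) -> None:
        # Test the subclass first: the registry quoted above only tests for TGT.
        if self.separate_pgt_cache and isinstance(ticket, ProxyGrantingTicket):
            for n in self.nodes:                 # synchronous: visible everywhere
                n.pgt_cache[ticket.id] = ticket
        elif isinstance(ticket, TicketGrantingTicket):
            node.tgt_cache[ticket.id] = ticket
            for other in self.nodes:             # asynchronous: queued, applied later
                if other is not node:
                    other.inbound.append(ticket)
        else:
            raise ValueError(f"Invalid ticket type {ticket}")

    def flush_replication(self) -> None:
        for n in self.nodes:
            for t in n.inbound:
                n.tgt_cache[t.id] = t
            n.inbound.clear()

    def get_ticket(self, node: Node, ticket_id: str):
        return node.pgt_cache.get(ticket_id) or node.tgt_cache.get(ticket_id)


def proxy_ticket_request_succeeds(separate_pgt_cache: bool, flush_first: bool = False) -> bool:
    """PGT issued on node1; the PT request that presents it lands on node2."""
    cluster = Cluster(separate_pgt_cache)
    n1, n2 = cluster.nodes
    cluster.add_ticket(n1, ProxyGrantingTicket("PGT-1-constructed"))
    if flush_first:
        cluster.flush_replication()
    return cluster.get_ticket(n2, "PGT-1-constructed") is not None
```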
Re: [cas-user] OAuth 2.0 with Google, Github
Hi Jerome,

I have enabled the debug log. The logs are attached here.
RE: [cas-user] multi valued attributes in CAS 2.0 protocol
From: William G. Thompson, Jr. [mailto:wgt...@gmail.com]
Sent: Tuesday, October 22, 2013 9:18 AM

Sorry I wasn't clearer... the pointer to CAS-1283 was more of a suggestion to engage on that ticket... presumably to incorporate your enhancements.

Ah, okay; I updated the ticket with a comment indicating it currently does not handle multi-valued attributes and included the sample code adding an additional loop to avoid flattening them out.
Re: [cas-user] multi valued attributes in CAS 2.0 protocol
Excellent. I've re-opened this issue to consider Paul's enhancement.

On Wed, Oct 23, 2013 at 12:48 PM, Paul B. Henson hen...@csupomona.edu wrote:

From: William G. Thompson, Jr. [mailto:wgt...@gmail.com]
Sent: Tuesday, October 22, 2013 9:18 AM

Sorry I wasn't clearer... the pointer to CAS-1283 was more of a suggestion to engage on that ticket... presumably to incorporate your enhancements.

Ah, okay; I updated the ticket with a comment indicating it currently does not handle multi-valued attributes and included the sample code adding an additional loop to avoid flattening them out.
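The "additional loop" Paul mentions is easiest to see side by side with the flattening it avoids. The following is an added example, not the code attached to CAS-1283: it renders the inline cas:attributes block both ways and parses it back the way a client would, so the multi-valued attribute (the sample user and groups are constructed) survives as separate values only with the extra loop. The one-element-per-value layout under cas:attributes is assumed here.

```python
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

CAS_XMLNS = "http://www.yale.edu/tp/cas"


def render_attributes_flattened(attrs: dict) -> str:
    """The behaviour Paul reports: str() on a list emits one element holding the
    text form of the whole list, which a consumer cannot split back reliably."""
    out = ["<cas:attributes>"]
    for name, value in attrs.items():
        out.append(f"  <cas:{name}>{escape(str(value))}</cas:{name}>")
    out.append("</cas:attributes>")
    return "\n".join(out)


def render_attributes(attrs: dict) -> str:
    """The 'additional loop': one cas:<name> element per value of a multi-valued
    attribute; scalars are wrapped so the same loop handles both kinds."""
    out = ["<cas:attributes>"]
    for name, value in attrs.items():
        values = value if isinstance(value, (list, tuple)) else [value]
        for v in values:  # attribute names are assumed to be valid XML names
            out.append(f"  <cas:{name}>{escape(str(v))}</cas:{name}>")
    out.append("</cas:attributes>")
    return "\n".join(out)


def parse_attributes(fragment: str) -> dict:
    """What a CAS client sees: every attribute becomes the list of its values."""
    doc = f"<cas:serviceResponse xmlns:cas='{CAS_XMLNS}'>{fragment}</cas:serviceResponse>"
    root = ET.fromstring(doc)
    result: dict = {}
    for elem in root.find(f"{{{CAS_XMLNS}}}attributes"):
        name = elem.tag.replace(f"{{{CAS_XMLNS}}}", "")
        result.setdefault(name, []).append(elem.text or "")
    return result


# Constructed sample: a user in two groups plus a single-valued mail attribute.
SAMPLE_ATTRS = {"memberOf": ["staff", "faculty"], "mail": "alice@example.edu"}
```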
Re: [cas-user] CAS - Service Management - Connection Reset
Hi Jérôme,

I figured out what was causing the problem. When I added -Djava.net.debug=ssl to the JAVA_OPTS variable in /etc/default/tomcat7 and changed the logging level of org.jasig in the log4j.xml file to debug, I caught the following:

http-apr-8443-exec-10, WRITE: TLSv1 Handshake, length = 177
http-apr-8443-exec-10, WRITE: SSLv2 client hello message, length = 173
http-apr-8443-exec-10, handling exception: java.net.SocketException: Connection reset
http-apr-8443-exec-10, SEND TLSv1 ALERT: fatal, description = unexpected_message
http-apr-8443-exec-10, WRITE: TLSv1 Alert, length = 2
http-apr-8443-exec-10, Exception sending alert: java.net.SocketException: Broken pipe
http-apr-8443-exec-10, called closeSocket()
2013-10-23 14:54:12,680 ERROR [org.jasig.cas.client.util.CommonUtils] - Connection reset
java.net.SocketException: Connection reset

I wasn't sure why the connection was issuing an SSLv2 hello message, but that is what was causing the problem. It turned out that even though I had configured Tomcat to only accept TLSv1 and SSLv3, the JVM was accepting SSLv2. To fix the problem I added the following flag to my JAVA_OPTS variable:

-Dhttps.protocols=TLSv1

Now I can access the services management portion and authenticate users successfully. Thanks for all your help!

--Mike K.
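The symptom Mike found is recognisable in the JSSE debug output without reading every line: an SSLv2-format client hello written on a worker thread, followed on the same thread by a connection reset. The following is an added example, not part of the thread: a small detector run over a constructed log excerpt modelled on the lines quoted above (with a second, healthy thread added), plus a check that JAVA_OPTS pins https.protocols to a list that excludes SSLv2Hello and SSLv3, which is what the -Dhttps.protocols=TLSv1 flag above achieves.

```python
import re

# Constructed excerpt modelled on the JSSE ssl debug lines quoted in the thread,
# plus a second worker thread (exec-11) that handshakes normally.
SAMPLE_LOG = """\
http-apr-8443-exec-10, WRITE: TLSv1 Handshake, length = 177
http-apr-8443-exec-10, WRITE: SSLv2 client hello message, length = 173
http-apr-8443-exec-10, handling exception: java.net.SocketException: Connection reset
http-apr-8443-exec-10, SEND TLSv1 ALERT: fatal, description = unexpected_message
http-apr-8443-exec-10, WRITE: TLSv1 Alert, length = 2
http-apr-8443-exec-11, WRITE: TLSv1 Handshake, length = 177
http-apr-8443-exec-11, READ: TLSv1 Handshake, length = 81
"""

LINE_RE = re.compile(r"^(?P<thread>[^,]+), (?P<event>.+)$")


def find_sslv2_hello_resets(log: str) -> list:
    """Per worker thread, flag an SSLv2-format client hello that is later followed
    by a connection reset on that same thread."""
    pending = {}   # thread -> line number of an SSLv2 hello not yet matched
    findings = []
    for lineno, line in enumerate(log.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, event = m.group("thread"), m.group("event")
        if "SSLv2 client hello" in event:
            pending[thread] = lineno
        elif thread in pending and "Connection reset" in event:
            findings.append({"thread": thread,
                             "hello_line": pending.pop(thread),
                             "reset_line": lineno})
    return findings


def java_opts_exclude_sslv2(java_opts: str) -> bool:
    """True when JAVA_OPTS sets https.protocols to an explicit list that contains
    neither SSLv2Hello nor SSLv3 (e.g. -Dhttps.protocols=TLSv1 from the thread)."""
    m = re.search(r"-Dhttps\.protocols=(\S+)", java_opts)
    if not m:
        return False   # unset: the JVM default list decides, which is what bit Mike
    protocols = {p.strip() for p in m.group(1).split(",") if p.strip()}
    return bool(protocols) and not (protocols & {"SSLv2Hello", "SSLv3"})
```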