RE: [cas-user] Logout with mod_auth_cas not working

2013-10-21 Thread Steppacher Ralf
Anyone any hints on where it might go wrong?

Thanks!
Ralf


From: Steppacher Ralf [ralf.steppac...@derivativepartners.com]
Sent: Wednesday, October 09, 2013 16:42
To: cas-user@lists.jasig.org
Subject: [cas-user] Logout with mod_auth_cas not working


[cas-user] Logout with mod_auth_cas not working

2013-10-09 Thread Steppacher Ralf
Hello CAS users,

I am having trouble getting logout with mod_auth_cas to work. I know the 
documentation in https://github.com/Jasig/mod_auth_cas says that it is an 
experimental feature...
I am using the head version of the master branch as of end of August.

When I call the CAS logout URL I receive the log output below from mod_auth_cas. 
All statements are printed twice. Also, it seems to look at the contents of the 
POST twice. On the first go it reads the "l" of "logoutRequest", on the second 
go it reads the rest of the string, which contains the SAML logout request. 
Could this be a configuration issue that makes mod_auth_cas behave in such a 
way?

Apache log for a single request to https://dev.local.fe2/cas/logout:

[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(1954): [client 127.0.0.1] 
Entering cas_authenticate()
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(578): [client 127.0.0.1] CAS 
Service 'https%3a%2f%2fdev.local.fe2%2f'
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(526): [client 127.0.0.1] 
entering getCASLoginURL()
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(503): [client 127.0.0.1] 
entering getCASGateway()
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(593): [client 127.0.0.1] 
entering redirectRequest()
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(605): [client 127.0.0.1] 
Adding outgoing header: Location: 
https://dev.local.fe2/cas/login?service=https%3a%2f%2fdev.local.fe2%2f
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(1954): [client 127.0.0.1] 
Entering cas_authenticate()
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(578): [client 127.0.0.1] CAS 
Service 'https%3a%2f%2fdev.local.fe2%2f'
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(526): [client 127.0.0.1] 
entering getCASLoginURL()
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(503): [client 127.0.0.1] 
entering getCASGateway()
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(593): [client 127.0.0.1] 
entering redirectRequest()
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(605): [client 127.0.0.1] 
Adding outgoing header: Location: 
https://dev.local.fe2/cas/login?service=https%3a%2f%2fdev.local.fe2%2f
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(2558): read 1 bytes (l) from 
incoming buckets\n
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(2558): read 1 bytes (l) from 
incoming buckets\n
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(2558): read 486 bytes 
(ogoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-6-JKcjM93PFyxcn5sk2GHmydOmyn7DaTyxbyj%22+Version%3D%222.0%22+IssueInstant%3D%222013-10-09T15%3A13%3A41Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-37-GYLVQn1Ly3mDVH17Obk6-steppra1-linux-mint%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E)
 from incoming buckets\n
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(2558): read 486 bytes 
(ogoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-5-fUVEWneUCA79uuTcXJZRrOj1KoQwx91ucZA%22+Version%3D%222.0%22+IssueInstant%3D%222013-10-09T15%3A13%3A41Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-38-pZ0MOWzzXqZEC266GxXp-steppra1-linux-mint%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E)
 from incoming buckets\n
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(2538): unable to retrieve 
bucket brigade: This function has not been implemented on this platform
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(2538): unable to retrieve 
bucket brigade: This function has not been implemented on this platform


mod_auth_cas configuration:

CASCookiePath /var/cache/apache2/mod_auth_cas/
CASValidateServer Off
CASDebug On
CASAllowWildcardCert On
CASLoginURL https://dev.local.fe2/cas/login
CASValidateURL https://dev.local.fe2/cas/samlValidate
CASValidateSAML On
CASSSOEnabled On

ProxyPass /cas https://steppra1-linux-mint:8443/cas
ProxyPassReverse /cas https://steppra1-linux-mint:8443/cas
ProxyPassReverseCookieDomain steppra1-linux-mint dev.local.fe2
ProxyPassReverseCookiePath /cas /


Authtype CAS
CASScope .
CASAuthNHeader on
CASScrubRequestHeaders On
Require valid-user



Satisfy Any




Any help is greatly appreciated!

Ralf

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
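The logout POST shown in the log above, as an added example that is not code from mod_auth_cas or from the original post: it reassembles the fragmented request body before parsing, validates the SAML 2.0 LogoutRequest, and removes only the cached session whose service ticket matches the SessionIndex. The body, ticket ids and session cache are constructed placeholders.

```python
"""Reassemble and parse a CAS single-logout POST of the kind mod_auth_cas logs.

Added example, not code from mod_auth_cas. It models the three steps a CAS
client must get right: accumulate *all* body fragments before parsing (the
Apache log shows the body arriving as "l" and then "ogoutRequest=..."),
validate the SAML LogoutRequest, and invalidate exactly the cached session
whose service ticket matches the SessionIndex.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
LOGOUT_REQUEST_TAG = f"{{{SAMLP_NS}}}LogoutRequest"
SESSION_INDEX_TAG = f"{{{SAMLP_NS}}}SessionIndex"

# Constructed sample body, split the way the debug log shows it (first read
# returns one byte, the second the rest). Ticket and request ids are
# placeholders, not values from a real CAS server.
BODY_CHUNKS: List[str] = [
    "l",
    "ogoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames"
    "%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-EXAMPLE-1%22+Version%3D%222.0%22"
    "+IssueInstant%3D%222013-10-09T15%3A13%3A41Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml"
    "%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40"
    "%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-EXAMPLE-37%3C%2Fsamlp"
    "%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E",
]


@dataclass(frozen=True)
class LogoutRequest:
    request_id: str
    issue_instant: str
    session_index: str


def reassemble(chunks: List[str]) -> str:
    """Join every fragment of the POST body.

    Parsing the first fragment alone ("l") can never yield a logoutRequest
    parameter, so the client must keep reading until the body is complete.
    """
    return "".join(chunks)


def parse_logout_request(body: str) -> LogoutRequest:
    """Decode the form body and validate the SAML 2.0 LogoutRequest inside it."""
    params = parse_qs(body, strict_parsing=True)  # raises ValueError on junk
    values = params.get("logoutRequest", [])
    if len(values) != 1:
        raise ValueError("expected exactly one logoutRequest parameter")
    xml_text = values[0]
    # A logout request never needs a DOCTYPE; refusing it closes the door on
    # entity-expansion tricks against the XML parser.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE not allowed in logout request")
    root = ET.fromstring(xml_text)
    if root.tag != LOGOUT_REQUEST_TAG:
        raise ValueError(f"unexpected root element {root.tag}")
    if root.attrib.get("Version") != "2.0":
        raise ValueError("unsupported SAML version")
    index = root.find(SESSION_INDEX_TAG)
    ticket = (index.text or "").strip() if index is not None else ""
    if not ticket.startswith("ST-"):
        raise ValueError("missing or malformed SessionIndex")
    return LogoutRequest(
        request_id=root.attrib.get("ID", ""),
        issue_instant=root.attrib.get("IssueInstant", ""),
        session_index=ticket,
    )


def handle_logout(chunks: List[str], session_cache: Dict[str, dict]) -> Optional[str]:
    """Drop the cached session that was established with the named ticket.

    Returns the ticket that was removed, or None when nothing matched, so a
    duplicate delivery of the same LogoutRequest is a harmless no-op.
    """
    request = parse_logout_request(reassemble(chunks))
    if session_cache.pop(request.session_index, None) is None:
        return None
    return request.session_index


if __name__ == "__main__":
    cache = {"ST-EXAMPLE-37": {"user": "alice"}, "ST-EXAMPLE-38": {"user": "bob"}}
    print("removed:", handle_logout(BODY_CHUNKS, cache), "remaining:", sorted(cache))
```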

RE: [cas-user] SAML Ticket Validation

2013-08-27 Thread Steppacher Ralf
Never mind, the headers are there if you only look at the correct end of the 
communication.

Thanks a lot for your help!
Ralf

From: Steppacher Ralf [ralf.steppac...@derivativepartners.com]
Sent: Tuesday, August 27, 2013 16:57
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] SAML Ticket Validation




RE: [cas-user] SAML Ticket Validation

2013-08-27 Thread Steppacher Ralf
I was working with the master all along (1.0.10). I should have mentioned that. 
Out of curiosity I reverted back to 1.0.9.1 but that did not change anything.

However, completing the setup for releasing LDAP attributes has indeed fixed it 
to a certain extent! I now get the following in the log and I can access the 
application.

2013-08-27 15:52:18,794 DEBUG 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 

But mod_auth_cas does not write any headers to the http response. Neither the 
remote user (CASAuthNHeader) nor the SAML attributes (CASValidateSAML). Also 
the directive "Require cas-attribute username:blah" does not prevent me from 
accessing the application as user "steppra1".


Ralf


From: Marvin Addison [marvin.addi...@gmail.com]
Sent: Tuesday, August 27, 2013 13:34
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] SAML Ticket Validation

> Indeed it is complaining about an XML that cannot be parsed:
>
> [Tue Aug 27 13:17:09 2013] [error] [client 127.0.0.1] MOD_AUTH_CAS: Error 
> parsing XML content (Internal error), referer: 
> https://dev.local.fe2/cas/login?service=https%3a%2f%2fdev.local.fe2%2ffe2.html

Unfortunately it doesn't provide any details on _why_ parsing failed.
I'd recommend you try a build from the latest HEAD version on the
master branch; we're using it and it works fine. Seems easy enough to
test and I'd be curious whether you can upgrade around your problem.

M




RE: [cas-user] SAML Ticket Validation

2013-08-27 Thread Steppacher Ralf
ompressed 481 to 324 : URL /fe2.html, referer: 
https://dev.local.fe2/cas/login?service=https%3a%2f%2fdev.local.fe2%2ffe2.html
[Tue Aug 27 13:17:11 2013] [debug] proxy_util.c(1818): proxy: grabbed 
scoreboard slot 0 in child 10450 for worker 
http://steppra1-linux-mint:9558/best_buy/
[Tue Aug 27 13:17:11 2013] [debug] proxy_util.c(1837): proxy: worker 
http://steppra1-linux-mint:9558/best_buy/ already initialized
[Tue Aug 27 13:17:11 2013] [debug] proxy_util.c(1914): proxy: initialized 
worker 0 in child 10450 for (steppra1-linux-mint) min=0 max=25 smax=25
[Tue Aug 27 13:17:11 2013] [debug] proxy_util.c(1818): proxy: grabbed 
scoreboard slot 1 in child 10450 for worker http://build.local.apps/
[Tue Aug 27 13:17:11 2013] [debug] proxy_util.c(1837): proxy: worker 
http://build.local.apps/ already initialized
[Tue Aug 27 13:17:11 2013] [debug] proxy_util.c(1914): proxy: initialized 
worker 1 in child 10450 for (build.local.apps) min=0 max=25 smax=25
[Tue Aug 27 13:17:11 2013] [debug] proxy_util.c(1818): proxy: grabbed 
scoreboard slot 2 in child 10450 for worker http://steppra1-linux-mint:9558/
[Tue Aug 27 13:17:11 2013] [debug] proxy_util.c(1837): proxy: worker 
http://steppra1-linux-mint:9558/ already initialized
[Tue Aug 27 13:17:11 2013] [debug] proxy_util.c(1914): proxy: initialized 
worker 2 in child 10450 for (steppra1-linux-mint) min=0 max=25 smax=25
[Tue Aug 27 13:17:11 2013] [debug] proxy_util.c(1818): proxy: grabbed 
scoreboard slot 3 in child 10450 for worker https://steppra1-linux-mint:8443/cas
[Tue Aug 27 13:17:11 2013] [debug] proxy_util.c(1837): proxy: worker 
https://steppra1-linux-mint:8443/cas already initialized
[Tue Aug 27 13:17:11 2013] [debug] proxy_util.c(1914): proxy: initialized 
worker 3 in child 10450 for (steppra1-linux-mint) min=0 max=25 smax=25
[Tue Aug 27 13:17:14 2013] [info] [client 127.0.0.1] (70007)The timeout 
specified has expired: SSL input filter read failed.
[Tue Aug 27 13:17:14 2013] [info] [client 127.0.0.1] Connection closed to child 
68 with standard shutdown (server dev.local.fe2:443)


Ralf

From: Steppacher Ralf [ralf.steppac...@derivativepartners.com]
Sent: Tuesday, August 27, 2013 11:52
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] SAML Ticket Validation




RE: [cas-user] SAML Ticket Validation

2013-08-27 Thread Steppacher Ralf
Marvin,

Re #1: Yes, I have not bothered yet with the attributes and what I need to do 
in order to release them. As I cannot make the request succeed I figured I have 
no chance to verify that whatever I do to make the attributes available is 
working or not. But maybe that is what confuses mod_auth_cas or the SAML 
validation?

I will build and deploy your modified version of the module later today and 
report back.

Re #2: Indeed we can see an odd request for /favicon.ico that is 
redirected via CAS. But not all the time. CSS and JS I don't see redirected. 
The CSS and JS that is in the log I posted is that of CAS itself. Is it not?


Thanks and regards
Ralf


From: Marvin Addison [marvin.addi...@gmail.com]
Sent: Monday, August 26, 2013 14:39
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] SAML Ticket Validation

> OK. Here we go... Something indeed seems to be wrong with mod_auth_cas. With
> every http request for SAML validation I get one or more segfaults in the
> apache default error.log.

Two observations about the logs you shared:

1. You're getting a successful SAML ticket validation response.
2. Looks like you're getting redirected to CAS for resources (JS, CSS,
favicon) other than your application entry point HTML page.

There's nothing strictly wrong with #2 per se, but it makes reading
the logs much harder and it's relatively less efficient.

It would be interesting to have some logging to indicate successful
parsing of attributes, but I don't see an AttributeResponse in the
SAML message, which indicates you haven't configured CAS for attribute
release or you haven't allowed attributes to be released in the
service manager. I have a patched version you can use that provides
additional attribute logging,
https://github.com/serac/mod_auth_cas/tree/attr-logging, which you may
find helpful. In my experience most problems are in parsing the XML;
it would be reassuring to know you're getting past that part.

M




[cas-user] HTTP status 500 when authenticating via LDAP without service URL

2013-08-26 Thread Steppacher Ralf
Hello,

I have a problem with LDAP authentication in CAS 3.5.2: As soon as I add either 
an instance of FastBindLdapAuthenticationHandler or 
BindLdapAuthenticationHandler to the chain of authenticationHandlers, the basic 
test to call /cas/login stops working (if using a user that would be 
successfully authenticated through LDAP). I can see from the logs that the user 
is authenticated alright but then things go south. But all I get in the logs, 
and only on level debug, is a message saying "Ignoring the received exception 
due to a type mismatch". If I call /cas/services and then log in, then 
everything works fine. I assume this is a bug?

This is the log output with org.jasig logging in level DEBUG.

2013-08-26 15:01:09,241 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 

2013-08-26 15:01:09,241 DEBUG 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
2013-08-26 15:01:09,245 INFO [org.perf4j.TimingLogger] - 
2013-08-26 15:01:09,245 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
2013-08-26 15:01:09,250 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - 
2013-08-26 15:01:09,250 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
2013-08-26 15:01:09,250 DEBUG 
[org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - 
2013-08-26 15:01:09,251 DEBUG 
[org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - 
2013-08-26 15:01:09,252 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] 
- 
2013-08-26 15:01:09,252 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] 
- 
2013-08-26 15:01:09,254 DEBUG 
[org.jasig.cas.web.FlowExecutionExceptionResolver] - 
java.lang.IllegalStateException: Cannot create a session after the response has 
been committed
at org.apache.catalina.connector.Request.doGetSession(Request.java:2886)
at org.apache.catalina.connector.Request.getSession(Request.java:2316)
at 
org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:898)
at 
org.springframework.webflow.context.servlet.HttpSessionMap.getMutex(HttpSessionMap.java:98)
at 
org.springframework.webflow.core.collection.LocalSharedAttributeMap.getMutex(LocalSharedAttributeMap.java:39)
at 
org.springframework.webflow.conversation.impl.ContainedConversation.unlock(ContainedConversation.java:108)
at 
org.springframework.webflow.execution.repository.support.ConversationBackedFlowExecutionLock.unlock(ConversationBackedFlowExecutionLock.java:55)
at 
org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:178)
at 
org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:183)
at 
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:923)
...






RE: [cas-user] SAML Ticket Validation

2013-08-23 Thread Steppacher Ralf
Jérôme, sorry for the long response times. Unfortunately I am making negative 
progress and cannot provide the mod_auth_cas logs at the moment.
I have switched to a freshly built OpenLDAP 2.4.35. Not for the better though. 
A login attempt authenticated via fast LDAP bind yields an HTTP code 500 in 
about 9 out of 10 login attempts (after the tgt has been issued). There is no 
error in the CAS log. I will check the tomcat log first thing on Monday. I hope 
I can provide the mod_auth_cas logs in the near future...

Thanks!
Ralf


From: Jérôme LELEU [lel...@gmail.com]
Sent: Tuesday, August 20, 2013 08:32
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] SAML Ticket Validation

Hi,

It looks correct AFAIK. Don't you have any more logs on mod_auth_cas?
Best regards,
Jérôme




RE: [cas-user] SAML Ticket Validation

2013-08-18 Thread Steppacher Ralf
Hi Jérôme,

My mod_auth_cas configuration looks like this:

CASCookiePath /var/cache/apache2/mod_auth_cas/
CASValidateServer Off
CASDebug On
CASAllowWildcardCert On
CASLoginURL https://dev.local.fe2/cas/login
#CASValidateURL https://dev.local.fe2/cas/serviceValidate
CASValidateURL https://dev.local.fe2/cas/samlValidate
CASValidateSAML On

ProxyPass /cas https://steppra1-linux-mint:8443/cas
ProxyPassReverse /cas https://steppra1-linux-mint:8443/cas
ProxyPassReverseCookieDomain steppra1-linux-mint dev.local.fe2
ProxyPassReverseCookiePath /cas /


Authtype CAS
CASScrubRequestHeaders On
Require valid-user
   # CASAuthNHeader does not seem to work. Working around it for now...
Header set REMOTE_USER %{REMOTE_USER}s



Satisfy Any



Thanks!
Ralf


From: Jérôme LELEU [lel...@gmail.com]
Sent: Sunday, August 18, 2013 09:41
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] SAML Ticket Validation

Hi,

What's your mod_auth_cas configuration?
Thanks.
Best regards,
Jérôme



2013/8/16 Ralf Steppacher <ralf.steppac...@derivativepartners.com>
Dear all,

I am just getting started with CAS 3.5.2 and got stuck when I tried to employ 
SAML. Eventually I will need SAML to transport user group membership 
information from a LDAP-server to the client application.

I have set up mod_auth_cas 1.0.10 for apache2. The same apache2 serves the 
application. CAS is proxied in on the apache. Authentication as such works 
until I switch to SAML. The same ST is validated twice. The ST is removed from 
the registry after the first (successful) validation attempt and is therefore 
not available for the second attempt.
I found a previous post describing the exact same effect. The author was 
advised to check for configuration issues. Unfortunately there was no hint as 
to where to look.

This is the debug log output of a single request to the service 
https://dev.fe2.local:

2013-08-16 14:38:19,685 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - 
2013-08-16 14:38:19,685 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - http://schemas.xmlsoap.org/soap/envelope/";>ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint>
2013-08-16 14:38:19,685 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - 
2013-08-16 14:38:19,685 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - 
2013-08-16 14:38:19,685 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] 
- https://dev.local.fe2/fe2.html>
2013-08-16 14:38:19,685 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - 
2013-08-16 14:38:19,685 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - 
2013-08-16 14:38:19,686 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] 
- mailto:ralf.steppac...@derivativepartners.com>].
 The default principal id is 
[ralf.steppac...@derivativepartners.com].>
2013-08-16 14:38:19,686 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - 
2013-08-16 14:38:19,686 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - 
2013-08-16 14:38:19,686 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
2013-08-16 14:38:19,687 DEBUG [org.jasig.cas.web.ServiceValidateController] - 

2013-08-16 14:38:19,687 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - 
2013-08-16 14:38:19,687 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - 
2013-08-16 14:38:19,687 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - 
2013-08-16 14:38:19,687 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - 
2013-08-16 14:38:19,687 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] 
- https://dev.local.fe2/fe2.html>
2013-08-16 14:38:19,880 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - 
2013-08-16 14:38:19,881 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - http://schemas.xmlsoap.org/soap/envelope/";>ST-2-5S4qgEJ5LLEAP45Xecdp-steppra1-linux-mint>
2013-08-16 14:38:19,881 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - 
2013-08-16 14:38:19,881 DEBUG 
[org.jasig.cas.authentication.principal.SamlService] - 
2013-08-16 14:38:19,881 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] 
- https://dev.local.fe2/fe2.html>
2013-08-16 14:38:19,881 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - 
2013-08-16 14:38:19,881 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - 

2013-08-16 14:38:19,882 DEBUG 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - 
2013-08-16 14:38:19,882 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 

