Cas-Service-Management-Overlay still not working (more info)

465 views

Conan Malone

May 26, 2016, 05:11:01
to CAS Community
Hi,

I'm making a new post as I feel there maybe wasn't enough information in my last one for anyone to help me out.

I have downloaded the cas-overlay-template and cas-service-management-overlay (4.2.2), copied the correct files to /etc/cas/ and ran mvnw clean package on both of them with build success so that all seems fine.  (both deployed in tomcat as ROOT.war and cas-services.war).

I can go to https://mycasdomain.com/ and it goes to the login page, I can then log in with casuser,Mellon and this works fine (also can do RADIUS authentication).  My problem seems to be with the cas-services-management as when I go to https://mycasdomain.com/cas-services/ (looking at network on chrome) I get redirected to manage.html which redirects to the login page as expected with url 'https://mycasdomain/login?service=https%3A%2F%2Fmycasdomain%2Fcas-services%2Fcallback%3Fclient_name%3DCasClient'.  The page has the 'Services Management Web Application' box at the top so I assume services are correctly set up.  I then log in with casuser,Mellon and get 'The CAS management webapp is unavailable' screen.


But looking through logs I find that I get an HTTP status 403 just before I get the 500 on a different address, which is https://mycasdomain.com/p3/serviceValidate?ticket=ST-7-1df43YSsUctajcAt1miS-mycasdomain.com&service=https%3A%2F%2Fmycasdomain.com%2Fcas-services%2Fcallback%3Fclient_name%3DCasClient.  If I put this address in my browser I get presented with

----------------------------------------------------------------------------------

<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<cas:authenticationSuccess>
<cas:user>casuser</cas:user>
<cas:attributes>
<cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
<cas:isFromNewLogin>true</cas:isFromNewLogin>
<cas:authenticationDate>2016-05-26T09:53:00.011+01:00</cas:authenticationDate>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>

----------------------------------------------------------------------------------

I'll put snippets from the parts I have changed in cas.properties, cas-management.properties below.  Can someone have a look through this and see if I am missing anything?  

p.s. I also have my CAS server behind a load balancer so it needs to go out the network to https://mycasdomain.com/ and come back in through the load balancer back to the CAS server. But I was thinking if there is a problem with this surely the normal cas login wouldn't work?

Thanks in advance,
Conan


----------------------snippets and logs----------------------

server.prefix=${server.name}

# security configuration based on IP address to access the /status and /statistics pages
cas.securityContext.adminpages.ip=127\.0\.0\.1


##
# Unique CAS node name
# host.name is used to generate unique Service Ticket IDs and SAMLArtifacts.  This is usually set to the specific
# hostname of the machine running the CAS node, but it could be any label so long as it is unique in the cluster.

----------------------

# CAS
cas.prefix=${cas.host}
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${cas.prefix}/login

# Management
cas-management.host=${cas.host}
cas-management.prefix=${cas-management.host}/cas-services
cas-management.securityContext.serviceProperties.service=${cas-management.prefix}/callback

# Security
cas-management.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
pac4j.callback.defaultUrl=/manage.html

# views
cas-management.viewResolver.basename=default_views

##
# User details file location that contains list of users
# who are allowed access to the management webapp:
#
user.details.file.location = file:/etc/cas/user-details.properties

##
# JSON Service Registry
#
# Directory location where JSON service files may be found.
service.registry.config.location=file:/etc/cas/services

----------------------

2016-05-26 10:05:23,048 ERROR [org.jasig.cas.client.util.CommonUtils] - Server returned HTTP response code: 403 for URL: https://mycasdomain.com/p3/serviceValidate?ticket=ST-9-MbZeb0hglH5p4OW3HUAn-mycasdomain.com&service=https%3A%2F%2Fmycasdomain.com%2Fcas-services%2Fcallback%3Fclient_name%3DCasClient
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
        at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:431)
        at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
        at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
        at org.pac4j.cas.client.CasClient.retrieveUserProfile(CasClient.java:321)
        at org.pac4j.cas.client.CasClient.retrieveUserProfile(CasClient.java:83)
        at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:99)
        at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:48)
        at org.pac4j.springframework.web.CallbackController.callback(CallbackController.java:81)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:222)
        at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:137)
        at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:814)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:737)
        at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
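The exchange described in the post is the standard CAS back-channel: the management webapp sends the browser to /login?service=callback, CAS redirects back with a ticket, and the pac4j CasClient then calls /p3/serviceValidate itself and parses the cas:serviceResponse. The log above shows that call getting an HTTP 403 rather than any XML at all, while the same URL pasted into a browser returns the authenticationSuccess document quoted above. The following Python script is an added example (not code from the post, from pac4j or from the CAS project) that builds that validation URL and separates the two failure classes a client can hit: an HTTP-level refusal (no protocol answer) versus a CAS authenticationFailure in a 200 body. It uses only the standard library; the sample XML is the success response quoted in the post plus a constructed INVALID_TICKET failure, and the hostnames and ticket are the ones from the post.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Sample input: the serviceResponse quoted in the post above, reproduced verbatim.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<cas:authenticationSuccess>
<cas:user>casuser</cas:user>
<cas:attributes>
<cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
<cas:isFromNewLogin>true</cas:isFromNewLogin>
<cas:authenticationDate>2016-05-26T09:53:00.011+01:00</cas:authenticationDate>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample of the failure shape CAS returns for a bad or already-used ticket.
FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<cas:authenticationFailure code="INVALID_TICKET">Ticket 'ST-0-EXAMPLE' not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


@dataclass
class ValidationResult:
    outcome: str                        # "success", "failure" or "transport_error"
    user: Optional[str] = None
    attributes: Dict[str, str] = field(default_factory=dict)
    code: Optional[str] = None          # CAS failure code, or the HTTP status as text
    detail: str = ""


def build_validate_url(cas_prefix: str, service: str, ticket: str) -> str:
    """Build the CAS protocol 3.0 validation URL a client calls after the callback.
    The service value must be exactly the one sent in /login?service=...;
    CAS refuses to validate the ticket for any other service string."""
    return f"{cas_prefix}/p3/serviceValidate?" + urlencode({"ticket": ticket, "service": service})


def parse_service_response(xml_text: str) -> ValidationResult:
    """Parse a cas:serviceResponse document into a ValidationResult."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        attrs: Dict[str, str] = {}
        attr_el = success.find("cas:attributes", CAS_NS)
        if attr_el is not None:
            for child in attr_el:
                # ElementTree prefixes tags with {namespace}; keep only the local name
                attrs[child.tag.split("}", 1)[-1]] = (child.text or "").strip()
        return ValidationResult("success",
                                user=success.findtext("cas:user", namespaces=CAS_NS),
                                attributes=attrs)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return ValidationResult("failure", code=failure.get("code"),
                                detail=(failure.text or "").strip())
    return ValidationResult("failure", code="UNRECOGNISED",
                            detail="no authenticationSuccess or authenticationFailure element")


def classify_validation(http_status: int, body: str) -> ValidationResult:
    """Interpret what the CAS client saw. CAS answers validation requests with
    HTTP 200 and XML whether the ticket is good or bad, so any other status
    (the 403 in the post) means the request was refused before the CAS
    validation controller produced a protocol answer; the body is not CAS XML."""
    if http_status != 200:
        return ValidationResult("transport_error", code=str(http_status),
                                detail=f"HTTP {http_status} from validation endpoint; no cas:serviceResponse")
    return parse_service_response(body)


if __name__ == "__main__":
    print(build_validate_url("https://mycasdomain.com",
                             "https://mycasdomain.com/cas-services/callback?client_name=CasClient",
                             "ST-7-1df43YSsUctajcAt1miS-mycasdomain.com"))
    print(classify_validation(403, ""))
    print(classify_validation(200, SUCCESS_XML))
    print(classify_validation(200, FAILURE_XML))
```

One protocol fact worth keeping in mind when reproducing the browser test from the post: a service ticket is single-use, so if the ticket the management webapp just tried to validate still validates successfully from a browser, the server never consumed it, which is consistent with the 403 having been returned before the ticket reached CAS's validation logic.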




Misagh Moayyed

May 26, 2016, 12:53:41
to CAS Community

Does the CAS server produce any logs when it attempts to validate that ticket? Can you log into any other apps beside the management webapp?


--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f4f814e4-0dac-4996-ab4d-ac795b3848aa%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

Conan Malone

May 27, 2016, 03:33:53
to CAS Community, mmoa...@unicon.net
cas.log shows nothing at all and cas-management.log shows the '[org.jasig.cas.client.util.CommonUtils] - Server returned HTTP response code: 403 for URL:' error that I posted above.  The only apps I have installed right now are cas and the management app; I can log into CAS fine with casuser and it goes to the 'Login successful' page.

Daniel Alzate

Jan 19, 2017, 16:42:36
to CAS Community, mmoa...@unicon.net
Hi,

I'm new to CAS and also the community.

I have a new CAS setup working, but I'm facing this same problem reported by Conan. I wonder if you found a solution or the cause of this issue?


Best regards.

Daniel.

Didier Capdevielle

Apr 7, 2017, 08:47:01
to CAS Community, mmoa...@unicon.net
Hi everybody,

I'm a newbie too in CAS and I have the same problem.

I installed a CAS server 4.2.7 with Maven War Overlay, OpenJDK 7 and Tomcat8.
I installed an Apache Server to redirect request with AJP.

Directly using CAS, no problem.

But using CAS via an application (IdP for example), the same problem occurs.
Login is OK but ServiceValidate is forbidden.

Here are the logs from Apache ssl_access.log:

147.210.233.170 - - [07/Apr/2017:14:01:36 +0200] "GET /cas/login?service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1&entityId=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy HTTP/1.1" 200 9705 "https://idp-ubx.u-bordeaux.fr/WTST/wayf.php?entityID=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy&return=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy%2FShibboleth.sso%2FWAYF%3FSAMLDS%3D1%26target%3Dcookie%253A1491566493_4fae" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
147.210.233.170 - - [07/Apr/2017:14:01:45 +0200] "POST /cas/login?service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1&entityId=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy HTTP/1.1" 302 1429 "https://cas3.u-bordeaux.fr/cas/login?service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1&entityId=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
172.29.52.88 - - [07/Apr/2017:14:01:45 +0200] "GET /cas/serviceValidate?ticket=ST-4-b9WKP1g9E5K0rgXe5Nwj-cas-ubx&service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1 HTTP/1.1" 403 406 "-" "Java/1.7.0_121"

Looking at the messages, it seems like browser user-agents are authorized but the Java user-agent (Java/1.7.0_121), and probably other non-browser agents, is blocked.

Are one or more certificates missing? If yes, where, and what kind of certificates? What else?

Thanks for your help!
Best regards,
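The observation in the post above (browser requests to /cas/login pass, the back-channel /cas/serviceValidate request from the Java client gets a 403) is the kind of pattern worth pulling out of a front-end access log systematically rather than by eye. The script below is an added example, not code from the post, from Apache or from the CAS project: it parses Apache combined-format access log lines, keeps only the CAS validation endpoints, and groups them by user-agent family and HTTP status, listing any validation request that was refused with a 401 or 403. The sample lines are constructed to mirror the shape of the ones in the post, with placeholder hosts (203.0.113.10 for the browser, 10.0.0.5 for the application server), a placeholder service and the placeholder ticket ST-0-EXAMPLE.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Apache combined log format:
# host ident authuser [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log, shaped like the ssl_access.log excerpt in the post.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Apr/2017:14:01:36 +0200] "GET /cas/login?service=https%3A%2F%2Fapp.example.org%2Fcallback HTTP/1.1" 200 9705 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
203.0.113.10 - - [07/Apr/2017:14:01:45 +0200] "POST /cas/login?service=https%3A%2F%2Fapp.example.org%2Fcallback HTTP/1.1" 302 1429 "https://cas.example.org/cas/login" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
10.0.0.5 - - [07/Apr/2017:14:01:45 +0200] "GET /cas/serviceValidate?ticket=ST-0-EXAMPLE&service=https%3A%2F%2Fapp.example.org%2Fcallback HTTP/1.1" 403 406 "-" "Java/1.7.0_121"
203.0.113.10 - - [07/Apr/2017:14:02:10 +0200] "GET /cas/serviceValidate?ticket=ST-0-EXAMPLE&service=https%3A%2F%2Fapp.example.org%2Fcallback HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
""".strip().splitlines()

# Path suffixes of the CAS ticket-validation endpoints (CAS 1.0, 2.0, 3.0 and SAML).
VALIDATION_SUFFIXES = ("/validate", "/serviceValidate", "/proxyValidate", "/samlValidate")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry: Dict[str, object] = m.groupdict()
    entry["status"] = int(m.group("status"))
    entry["endpoint"] = m.group("path").split("?", 1)[0]   # drop query string (ticket, service)
    return entry


def is_validation_request(entry: Dict[str, object]) -> bool:
    return str(entry["endpoint"]).endswith(VALIDATION_SUFFIXES)


def agent_family(agent: str) -> str:
    """Coarse user-agent bucket: the back-channel validation call comes from the
    application's HTTP client, not from a browser, so the two must be compared."""
    if agent.startswith("Java/"):
        return "java-client"
    if "Mozilla" in agent:
        return "browser"
    return "other"


def summarize_validations(lines: List[str]) -> Counter:
    """Count validation requests by (user-agent family, HTTP status)."""
    counts: Counter = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_validation_request(entry):
            counts[(agent_family(str(entry["agent"])), entry["status"])] += 1
    return counts


def blocked_validations(lines: List[str]) -> List[Dict[str, object]]:
    """Validation requests refused at the HTTP layer (401/403), i.e. ones for
    which CAS never returned a cas:serviceResponse."""
    refused = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_validation_request(entry) and entry["status"] in (401, 403):
            refused.append({"host": entry["host"], "agent": entry["agent"],
                            "status": entry["status"], "endpoint": entry["endpoint"]})
    return refused


if __name__ == "__main__":
    for (family, status), n in sorted(summarize_validations(SAMPLE_LOG).items()):
        print(f"{family:12s} {status}  {n}")
    for r in blocked_validations(SAMPLE_LOG):
        print("refused:", r)
```

Two things the grouping makes visible that are easy to miss when reading raw lines: the validation request's source address is the application server's (a private address in the post's log, 172.29.52.88), not the end user's, and its user-agent is the Java HTTP client's. Any rule on the front-end proxy that was written with browsers in mind (by source network, by user-agent, or by header) is therefore evaluated against a different client for the back-channel call than for the login page, which is exactly the split the post describes.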