Cas 5 Proxy Error
549 views
Skip to first unread message
Matt Stacey
Aug 4, 2017, 10:39:36 AM8/4/17
to cas-...@apereo.org
Hello,
Matt
I'm migrating from Cas 3 to Cas 5.1.2. So far I have been succesful with everything up to the point of the proxy policy. I'm getting the following error.
[org.apereo.cas.web.AbstractServiceValidateController] - <Failed to authenticate service credential [http://localhost:8080/bind/j_spring_cas_security_proxyreceptor]
Here are the last few lines of my cas server output.
2017-08-04 08:03:03,590 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: CLYTLE
WHAT: TGT-**********************************************ofMbwcwxY3-W000008983
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Aug 04 08:03:03 MDT 2017
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
>
[ INFO] [04 Aug 2017 08:03:03,678] USER: (UNAUTHENTICATED); METHOD: (com....); ARGS(s): clytle; returned value(s): cly...@blah.com in 84 msecs [LoggingAspect:77]
[ INFO] [04 Aug 2017 08:03:04,270] USER: (UNAUTHENTICATED); METHOD: (com....); ARGS(s): clytle; returned value(s): false in 587 msecs [LoggingAspect:77]
2017-08-04 08:03:04,306 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: CLYTLE
WHAT: ST-1-QAuzbUq0cPRqpyE0WaDc-W000008983 for http://localhost:8080/bind/j_spring_cas_security_check
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Aug 04 08:03:04 MDT 2017
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
>
2017-08-04 08:03:04,362 WARN [org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <Proxy policy for service [^http://localhost:8080/bind/j_spring_cas_security_check] cannot authorize the requested callback url [http://localhost:8080/bind/j_spring_cas_security_proxyreceptor].>
2017-08-04 08:03:04,363 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [http://localhost:8080/bind/j_spring_cas_security_proxyreceptor] of type [HttpBasedServiceCredential], which suggests a configuration problem.>
2017-08-04 08:03:04,366 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHAT: Supplied credentials: [http://localhost:8080/bind/j_spring_cas_security_proxyreceptor]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Aug 04 08:03:04 MDT 2017
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
The client is still using Cas version 3 and I'm wondering if that is the problem. My client is configured as follows, and I'm not sure if this has something to do with the Cas20ServiceTicketValidator (seeing as it no longer exists in Cas 5.1.2) or something else. Any help would be greatly appreciated.
<!-- Handles the CAS ticket processing. -->
<beans:bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<beans:property name="authenticationUserDetailsService">
<beans:bean
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<beans:constructor-arg ref="userService" />
</beans:bean>
</beans:property>
<beans:property name="serviceProperties" ref="serviceProperties" />
<beans:property name="ticketValidator">
<beans:bean
class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<beans:constructor-arg index="0" value="${system.casServerUrl}/cas" />
<beans:property name="proxyCallbackUrl" value="${system.serverUrl}/bind/j_spring_cas_security_proxyreceptor" />
<beans:property name="proxyGrantingTicketStorage" ref="pgtStorage" />
</beans:bean>
</beans:property>
<beans:property name="key"
value="bind_auth_provider"/>
</beans:bean>
Thanks
Ray Bon
Aug 4, 2017, 11:33:17 AM8/4/17
to cas-...@apereo.org
This line
<Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [http://localhost:8080/bind/j_spring_cas_security_proxyreceptor] of type
CAS expects the proxy callback to be https (at least by default). Change client to use https.
Ray
-- Ray Bon Programmer analyst Development Services, University Systems 2507218831 | CLE 023 | rb...@uvic.ca
Matt Stacey
Aug 7, 2017, 5:54:21 PM8/7/17
to CAS Community
I switched the client to use https, but get the same error. Using the debugger I've tracked down where it makes the call to the client with the /j_spring_cas_security_proxyreceptor and it comes back with a 404.
My client side configuration is done with cas 3.2 and has the following in the context.xml file.
<beans:bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<beans:property name="authenticationUserDetailsService">
<beans:bean
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<beans:constructor-arg ref="userService" />
</beans:bean>
</beans:property>
<beans:property name="serviceProperties" ref="serviceProperties" />
<beans:property name="ticketValidator">
<beans:bean
class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<beans:constructor-arg index="0" value="${system.casServerUrl}/cas" />
<beans:property name="proxyCallbackUrl" value="${system.serverUrl}/bind/j_spring_cas_security_proxyreceptor" />
<beans:property name="proxyGrantingTicketStorage" ref="pgtStorage" />
</beans:bean>
</beans:property>
<beans:property name="key"
value="bind_auth_provider"/>
</beans:bean>
Ray Bon
Aug 8, 2017, 11:07:27 AM8/8/17
to cas-...@apereo.org
Matt,
Your validation class is for non proxy config. See https://github.com/apereo/java-cas-client#orgjasigcasclientvalidationcas20proxyreceivingticketvalidationfilter.
Ray
Reply all
Reply to author
Forward
0 new messages