CAS management 7
817 views
Skip to first unread message
Benjamin Renard
Mar 26, 2024, 10:45:10 AM3/26/24
to CAS Community
Hello,
I'm trying to install a CAS server (v7) on a Debian 12 host. I using the Debian's tomcat10 package, Apache2 as reverse proxy (AJP), the Oracle JDK 21.0.2 and a CAS Initializr overlay to build the cas.war file. My CAS server run well, but I have problem with the authentication of the management app. I use a CAS Initializr overlay for the CAS management 7.0.0-SNAPSHOT and I have no problem to build the war and deploy it in the same context. I configure CAS client in the management app :
cas.server.name=https://idp.example.tld
cas.server.prefix=${cas.server.name}/cas
cas.server.prefix=${cas.server.name}/cas
When I try to access to the management app, I'm entering in a loop : I'm redirect to the CAS server that authenticate me and redirect me to the management app on its callback URL with a ticket (https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-53-oxTcezruW9p3hhw5YBRWDXF4HUk-cas1-preprod) and I'm redirect again to the CAS server for authentication, that redirect me back with a new ticket and etc.
I have no error in logs and I tried to enable debugging and I can't find any indication about my problem (see logs below). Do you have any idea ?
Futhermore, It's a good idea for you to run CAS server & management apps version 7 in production or I have to use version 6 ?
Thanks !
2024-03-26 12:45:29,508 DEBUG [org.springframework.security.web.FilterChainProxy] - Securing GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,508 DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] - Request: filter invocation [GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod]; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
2024-03-26 12:45:29,509 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - Set SecurityContextHolder to anonymous SecurityContext
2024-03-26 12:45:29,509 DEBUG [org.springframework.security.web.FilterChainProxy] - Secured GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,510 DEBUG [org.springframework.web.servlet.DispatcherServlet] - GET "/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod", parameters={masked}
2024-03-26 12:45:29,512 DEBUG [org.springframework.web.servlet.handler.SimpleUrlHandlerMapping] - Mapped to ResourceHttpRequestHandler [classpath [dist/], classpath [static/]]
2024-03-26 12:45:29,512 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - === SECURITY ===
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - url: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - clients: null | matchers: null
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Provided clientNames: null
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Default security clients: null
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Only client: CasClient
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - clientNameOnRequest: Optional.empty
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.Clients] - Found client: CasClient(super=IndirectClient(super=BaseClient(name=CasClient, authorizationGenerators=[org.apereo.cas.mgmt.authz.json.JsonResourceAuthorizationGenerator@3a1a130f, org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@693918b7], credentialsExtractor=org.pac4j.cas.credentials.extractor.CasCredentialsExtractor@463e523, authenticator=InitializableObject(initialized=false, maxAttempts=3, nbAttempts=0, lastAttempt=null, minTimeIntervalBetweenAttemptsInMilliseconds=5000), profileCreator=org.pac4j.core.profile.creator.AuthenticatorProfileCreator@356f4a7b, customProperties={}, profileFactoryWhenNotAuthenticated=null, multiProfile=false, saveProfileInSession=true, config=org.pac4j.core.config.Config@3236bd7d), callbackUrl=https://idp.example.tld/cas-management/callback, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, callbackUrlResolver=org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@4a2a083e, ajaxRequestResolver=org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f402824, redirectionActionBuilder=org.pac4j.cas.redirect.CasRedirectionActionBuilder@31d3b75f, logoutProcessor=org.pac4j.cas.logout.processor.CasLogoutProcessor@5083e21e, logoutActionBuilder=CasLogoutActionBuilder(serverLogoutUrl=https://idp.example.tld/cas/logout, postLogoutUrlParameter=service), checkAuthenticationAttempt=true), configuration=CasConfiguration(encoding=UTF-8, loginUrl=https://idp.example.tld/cas/login, prefixUrl=https://idp.example.tld/cas/, restUrl=https://idp.example.tld/cas/v1/tickets, timeTolerance=1000, protocol=CAS30, renew=false, gateway=false, acceptAnyProxy=false, allowedProxyChains=[], defaultTicketValidator=null, proxyReceptor=null, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, postLogoutUrlParameter=service, customParams={}, method=null, privateKeyPath=null, privateKeyAlgorithm=null, privateKey=null, hostnameVerifier=null, sslSocketFactory=null)) for name: CasClient
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - result: [CasClient]
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - currentClients: [CasClient(super=IndirectClient(super=BaseClient(name=CasClient, authorizationGenerators=[org.apereo.cas.mgmt.authz.json.JsonResourceAuthorizationGenerator@3a1a130f, org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@693918b7], credentialsExtractor=org.pac4j.cas.credentials.extractor.CasCredentialsExtractor@463e523, authenticator=InitializableObject(initialized=false, maxAttempts=3, nbAttempts=0, lastAttempt=null, minTimeIntervalBetweenAttemptsInMilliseconds=5000), profileCreator=org.pac4j.core.profile.creator.AuthenticatorProfileCreator@356f4a7b, customProperties={}, profileFactoryWhenNotAuthenticated=null, multiProfile=false, saveProfileInSession=true, config=org.pac4j.core.config.Config@3236bd7d), callbackUrl=https://idp.example.tld/cas-management/callback, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, callbackUrlResolver=org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@4a2a083e, ajaxRequestResolver=org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f402824, redirectionActionBuilder=org.pac4j.cas.redirect.CasRedirectionActionBuilder@31d3b75f, logoutProcessor=org.pac4j.cas.logout.processor.CasLogoutProcessor@5083e21e, logoutActionBuilder=CasLogoutActionBuilder(serverLogoutUrl=https://idp.example.tld/cas/logout, postLogoutUrlParameter=service), checkAuthenticationAttempt=true), configuration=CasConfiguration(encoding=UTF-8, loginUrl=https://idp.example.tld/cas/login, prefixUrl=https://idp.example.tld/cas/, restUrl=https://idp.example.tld/cas/v1/tickets, timeTolerance=1000, protocol=CAS30, renew=false, gateway=false, acceptAnyProxy=false, allowedProxyChains=[], defaultTicketValidator=null, proxyReceptor=null, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, postLogoutUrlParameter=service, customParams={}, method=null, privateKeyPath=null, privateKeyAlgorithm=null, privateKey=null, hostnameVerifier=null, sslSocketFactory=null))]
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get sessionId: 0D8A24DA3779DDC589CC82A00D7121ED
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.CacheControlMatcher@62ab3f9d -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XContentTypeOptionsMatcher@ba6fb34 -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: StrictTransportSecurityMatcher(maxAge=15768000) -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XFrameOptionsMatcher@57ab0e5b -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XSSProtectionMatcher@2471fb38 -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: 93cdd09ba2c74a3d9235b3c71fb3e8dd for key: pac4jCsrfToken
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator] - previous CSRF token: 93cdd09ba2c74a3d9235b3c71fb3e8dd
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jPreviousCsrfToken for value: 93cdd09ba2c74a3d9235b3c71fb3e8dd
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator] - generated CSRF token: 2af42c4e87984404bcc144ac7034dbc3 for current URL: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jCsrfToken for value: 2af42c4e87984404bcc144ac7034dbc3
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jCsrfTokenExpirationDate for value: 1711467929514
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: CsrfTokenGeneratorMatcher(csrfTokenGenerator=org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator@690fdeb, domain=null, path=/, httpOnly=true, secure=true, maxAge=null, sameSitePolicy=null, addTokenAsAttribute=true, addTokenAsHeader=false, addTokenAsCookie=true) -> true
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: null for key: pac4jUserProfiles
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Loaded profiles (from session: true): []
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Starting authentication
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.savedrequest.DefaultSavedRequestHandler] - requestedUrl: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jRequestedUrl for value: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: null for key: CasClient$attemptedAuthentication
2024-03-26 12:45:29,515 DEBUG [org.pac4j.cas.redirect.CasRedirectionActionBuilder] - redirectionUrl: https://idp.example.tld/cas/login?service=https%3A%2F%2Fidp.example.tld%2Fcas-management%2Fcallback%3Fclient_name%3DCasClient
2024-03-26 12:45:29,515 DEBUG [org.springframework.web.servlet.DispatcherServlet] - Completed 302 FOUND
2024-03-26 12:45:29,508 DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] - Request: filter invocation [GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod]; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
2024-03-26 12:45:29,509 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - Set SecurityContextHolder to anonymous SecurityContext
2024-03-26 12:45:29,509 DEBUG [org.springframework.security.web.FilterChainProxy] - Secured GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,510 DEBUG [org.springframework.web.servlet.DispatcherServlet] - GET "/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod", parameters={masked}
2024-03-26 12:45:29,512 DEBUG [org.springframework.web.servlet.handler.SimpleUrlHandlerMapping] - Mapped to ResourceHttpRequestHandler [classpath [dist/], classpath [static/]]
2024-03-26 12:45:29,512 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - === SECURITY ===
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - url: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - clients: null | matchers: null
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Provided clientNames: null
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Default security clients: null
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Only client: CasClient
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - clientNameOnRequest: Optional.empty
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.Clients] - Found client: CasClient(super=IndirectClient(super=BaseClient(name=CasClient, authorizationGenerators=[org.apereo.cas.mgmt.authz.json.JsonResourceAuthorizationGenerator@3a1a130f, org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@693918b7], credentialsExtractor=org.pac4j.cas.credentials.extractor.CasCredentialsExtractor@463e523, authenticator=InitializableObject(initialized=false, maxAttempts=3, nbAttempts=0, lastAttempt=null, minTimeIntervalBetweenAttemptsInMilliseconds=5000), profileCreator=org.pac4j.core.profile.creator.AuthenticatorProfileCreator@356f4a7b, customProperties={}, profileFactoryWhenNotAuthenticated=null, multiProfile=false, saveProfileInSession=true, config=org.pac4j.core.config.Config@3236bd7d), callbackUrl=https://idp.example.tld/cas-management/callback, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, callbackUrlResolver=org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@4a2a083e, ajaxRequestResolver=org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f402824, redirectionActionBuilder=org.pac4j.cas.redirect.CasRedirectionActionBuilder@31d3b75f, logoutProcessor=org.pac4j.cas.logout.processor.CasLogoutProcessor@5083e21e, logoutActionBuilder=CasLogoutActionBuilder(serverLogoutUrl=https://idp.example.tld/cas/logout, postLogoutUrlParameter=service), checkAuthenticationAttempt=true), configuration=CasConfiguration(encoding=UTF-8, loginUrl=https://idp.example.tld/cas/login, prefixUrl=https://idp.example.tld/cas/, restUrl=https://idp.example.tld/cas/v1/tickets, timeTolerance=1000, protocol=CAS30, renew=false, gateway=false, acceptAnyProxy=false, allowedProxyChains=[], defaultTicketValidator=null, proxyReceptor=null, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, postLogoutUrlParameter=service, customParams={}, method=null, privateKeyPath=null, privateKeyAlgorithm=null, privateKey=null, hostnameVerifier=null, sslSocketFactory=null)) for name: CasClient
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - result: [CasClient]
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - currentClients: [CasClient(super=IndirectClient(super=BaseClient(name=CasClient, authorizationGenerators=[org.apereo.cas.mgmt.authz.json.JsonResourceAuthorizationGenerator@3a1a130f, org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@693918b7], credentialsExtractor=org.pac4j.cas.credentials.extractor.CasCredentialsExtractor@463e523, authenticator=InitializableObject(initialized=false, maxAttempts=3, nbAttempts=0, lastAttempt=null, minTimeIntervalBetweenAttemptsInMilliseconds=5000), profileCreator=org.pac4j.core.profile.creator.AuthenticatorProfileCreator@356f4a7b, customProperties={}, profileFactoryWhenNotAuthenticated=null, multiProfile=false, saveProfileInSession=true, config=org.pac4j.core.config.Config@3236bd7d), callbackUrl=https://idp.example.tld/cas-management/callback, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, callbackUrlResolver=org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@4a2a083e, ajaxRequestResolver=org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f402824, redirectionActionBuilder=org.pac4j.cas.redirect.CasRedirectionActionBuilder@31d3b75f, logoutProcessor=org.pac4j.cas.logout.processor.CasLogoutProcessor@5083e21e, logoutActionBuilder=CasLogoutActionBuilder(serverLogoutUrl=https://idp.example.tld/cas/logout, postLogoutUrlParameter=service), checkAuthenticationAttempt=true), configuration=CasConfiguration(encoding=UTF-8, loginUrl=https://idp.example.tld/cas/login, prefixUrl=https://idp.example.tld/cas/, restUrl=https://idp.example.tld/cas/v1/tickets, timeTolerance=1000, protocol=CAS30, renew=false, gateway=false, acceptAnyProxy=false, allowedProxyChains=[], defaultTicketValidator=null, proxyReceptor=null, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, postLogoutUrlParameter=service, customParams={}, method=null, privateKeyPath=null, privateKeyAlgorithm=null, privateKey=null, hostnameVerifier=null, sslSocketFactory=null))]
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get sessionId: 0D8A24DA3779DDC589CC82A00D7121ED
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.CacheControlMatcher@62ab3f9d -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XContentTypeOptionsMatcher@ba6fb34 -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: StrictTransportSecurityMatcher(maxAge=15768000) -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XFrameOptionsMatcher@57ab0e5b -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XSSProtectionMatcher@2471fb38 -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: 93cdd09ba2c74a3d9235b3c71fb3e8dd for key: pac4jCsrfToken
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator] - previous CSRF token: 93cdd09ba2c74a3d9235b3c71fb3e8dd
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jPreviousCsrfToken for value: 93cdd09ba2c74a3d9235b3c71fb3e8dd
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator] - generated CSRF token: 2af42c4e87984404bcc144ac7034dbc3 for current URL: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jCsrfToken for value: 2af42c4e87984404bcc144ac7034dbc3
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jCsrfTokenExpirationDate for value: 1711467929514
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: CsrfTokenGeneratorMatcher(csrfTokenGenerator=org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator@690fdeb, domain=null, path=/, httpOnly=true, secure=true, maxAge=null, sameSitePolicy=null, addTokenAsAttribute=true, addTokenAsHeader=false, addTokenAsCookie=true) -> true
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: null for key: pac4jUserProfiles
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Loaded profiles (from session: true): []
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Starting authentication
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.savedrequest.DefaultSavedRequestHandler] - requestedUrl: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jRequestedUrl for value: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: null for key: CasClient$attemptedAuthentication
2024-03-26 12:45:29,515 DEBUG [org.pac4j.cas.redirect.CasRedirectionActionBuilder] - redirectionUrl: https://idp.example.tld/cas/login?service=https%3A%2F%2Fidp.example.tld%2Fcas-management%2Fcallback%3Fclient_name%3DCasClient
2024-03-26 12:45:29,515 DEBUG [org.springframework.web.servlet.DispatcherServlet] - Completed 302 FOUND
Ray Bon
Mar 26, 2024, 2:40:57 PM3/26/24
to cas-...@apereo.org
Benjamin,
The behaviour you describe happens when the service ticket can not be validated.
cas management submits the ST to cas through a back channel over https.
If there is nothing in cas audit log about validation / failed validation (which would give a reason for failure), it could be a certificate problem.
Do you have a proper/valid certificate for idp.example.tld (i.e. cert signed by an authority)?
If not, you may have to add it to the java keystore (assuming you have already added it to tomcat config).
Ray
On Tue, 2024-03-26 at 05:02 -0700, Benjamin Renard wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
Hartmut Trüe
Mar 27, 2024, 3:22:35 AM3/27/24
to CAS Community, Ray Bon
Same problem on my CAS Management webapp, it ends in "too many redirects". The same configuration is working fine with CAS 6.6.x and Management 6.6.x
and the certificate is valid.
I can't find errors, and the ticket seems to be valid:
...
2024-03-27 07:39:34,185 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.web.flow.login.TicketGrantingTicketCheckAction@f63ecb0>
2024-03-27 07:39:34,185 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Digested original ticket id [TGT-1-********PD8Hl30-cas-dev] to [064acf194234da9769678f2ebd62453deb710c2e92966a30be34acbb8cfa49a4f519faf61342285493cbf82baf4805e7712a29381b064d68d10c19d2bce67e5b]>
2024-03-27 07:39:34,185 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Attempting to decode [DefaultEncodedTicket(id=064acf194234da9769678f2ebd62453deb710c2e92966a30be34acbb8cfa49a4f519faf61342285493cbf82baf4805e7712a29381b064d68d10c19d2bce67e5b)]>
2024-03-27 07:39:34,187 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Decoded ticket to [TGT-1-********PD8Hl30-cas-dev]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.web.flow.login.TicketGrantingTicketCheckAction@f63ecb0; result = valid>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@698bdaf2 expression = ticketGrantingTicketCheckAction, resultExpression = [null]]; result = valid>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@109de836 on = valid, to = hasServiceCheck]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'ticketGrantingTicketCheck'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.DecisionState] - <Entering state 'hasServiceCheck' of flow 'login'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@5efaf8bd on = flowScope.service != null, to = renewRequestCheck]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'hasServiceCheck'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'renewRequestCheck' of flow 'login'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@42900422 expression = renewAuthenticationRequestCheckAction, resultExpression = [null]]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.web.flow.actions.RenewAuthenticationRequestCheckAction@1ab38eaf>
2024-03-27 07:39:34,187 DEBUG [org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy] - <Evaluating authentication policy [DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[], excludedAuthenticationHandlers=[], criteria=null)] for [CasClient]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.web.flow.actions.RenewAuthenticationRequestCheckAction@1ab38eaf; result = proceed>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@42900422 expression = renewAuthenticationRequestCheckAction, resultExpression = [null]]; result = proceed>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@1ad0074 on = proceed, to = generateServiceTicket]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'renewRequestCheck'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'generateServiceTicket' of flow 'login'>
2024-03-27 07:39:34,185 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Digested original ticket id [TGT-1-********PD8Hl30-cas-dev] to [064acf194234da9769678f2ebd62453deb710c2e92966a30be34acbb8cfa49a4f519faf61342285493cbf82baf4805e7712a29381b064d68d10c19d2bce67e5b]>
2024-03-27 07:39:34,185 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Attempting to decode [DefaultEncodedTicket(id=064acf194234da9769678f2ebd62453deb710c2e92966a30be34acbb8cfa49a4f519faf61342285493cbf82baf4805e7712a29381b064d68d10c19d2bce67e5b)]>
2024-03-27 07:39:34,187 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Decoded ticket to [TGT-1-********PD8Hl30-cas-dev]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.web.flow.login.TicketGrantingTicketCheckAction@f63ecb0; result = valid>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@698bdaf2 expression = ticketGrantingTicketCheckAction, resultExpression = [null]]; result = valid>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@109de836 on = valid, to = hasServiceCheck]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'ticketGrantingTicketCheck'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.DecisionState] - <Entering state 'hasServiceCheck' of flow 'login'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@5efaf8bd on = flowScope.service != null, to = renewRequestCheck]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'hasServiceCheck'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'renewRequestCheck' of flow 'login'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@42900422 expression = renewAuthenticationRequestCheckAction, resultExpression = [null]]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.web.flow.actions.RenewAuthenticationRequestCheckAction@1ab38eaf>
2024-03-27 07:39:34,187 DEBUG [org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy] - <Evaluating authentication policy [DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[], excludedAuthenticationHandlers=[], criteria=null)] for [CasClient]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.web.flow.actions.RenewAuthenticationRequestCheckAction@1ab38eaf; result = proceed>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@42900422 expression = renewAuthenticationRequestCheckAction, resultExpression = [null]]; result = proceed>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@1ad0074 on = proceed, to = generateServiceTicket]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'renewRequestCheck'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'generateServiceTicket' of flow 'login'>
...
Regards,
Hartmut
Mohamed Amdouni
Mar 27, 2024, 7:01:20 AM3/27/24
to cas-...@apereo.org, Ray Bon
Hello,
I had a similar issue running cas management 6.6.4 and it was related to https.
My cas management was started with ssl disabled and this version of cas management requires SSL (see the security adapter ) and in the logs it says requires secure channel.
I tried to override the adapter but finally ended up by activating ssl to avoid the redirects …
Hope it helps…
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f9f29a19-e216-4305-8027-fbaec2d873cbn%40apereo.org.
Benjamin Renard
Mar 27, 2024, 7:01:20 AM3/27/24
to CAS Community, Ray Bon
Hi Ray,
Thanks for you return. Yes, I firstly think like you, but I have no error in logs and I use a valid SSL certificate. Just to be sure, I tried to add it in the keystore files (/etc/cas/thekeystore & $JAVA_HOME/lib/security/cacerts) and I still have the same problem. The keystore file (and its password) is correctly specified in my tomcat AJP connector configuration. Futhermore, I can't see trace of request on the serviceValidate CAS server endpoint (just have trace on the login endpoint).
Do you have any other ideas of what could cause this problem or how to debug it ?
Thanks !
Ray Bon
Mar 27, 2024, 10:13:49 AM3/27/24
to bn8...@gmail.com, cas-...@apereo.org
Benjamin,
Try this logger (in both cas and cas management). Note
<!-- DEBUG outbound and inbound headers and response as it is sent -->
<Logger name="org.apache.http.wire" level="debug" />
Ray
On Wed, 2024-03-27 at 02:13 -0700, Benjamin Renard wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
Hi Ray,
Thanks for you return. Yes, I firstly think like you, but I have no error in logs and I use a valid SSL certificate. Just to be sure, I tried to add it in the keystore files (/etc/cas/thekeystore & $JAVA_HOME/lib/security/cacerts) and I still have the same problem. The keystore file (and its password) is correctly specified in my tomcat AJP connector configuration. Futhermore, I can't see trace of request on theserviceValidate CAS server endpoint (just have trace on the login endpoint).
Benjamin Renard
Mar 27, 2024, 12:40:40 PM3/27/24
to CAS Community, Ray Bon, bn8...@gmail.com
I tried it, but I get nothing more in logs. May be its due to the fact I'm not using the integrated Tomcat but the Debian one ? May be my problem its due to somethings else than CAS related parameters. May be something related to the authorization process ? I can't find a complete documentation of parameters accepted (and may be required ?) by the CAS management app, even less for the version 7. Do you know where I can find it ?
My configuration today:
cas.server.name=https://idp.example.tld
cas.server.prefix=${cas.server.name}/cas
cas.server.prefix=${cas.server.name}/cas
mgmt.server-name=https://idp.example.tld
mgmt.user-properties-file=file:/etc/cas/config/users.json
logging.config=file:/etc/cas/config/log4j2-management.xml
spring.security.user.name=myuser
spring.security.user.password=mypassword
mgmt.user-properties-file=file:/etc/cas/config/users.json
logging.config=file:/etc/cas/config/log4j2-management.xml
spring.security.user.name=myuser
spring.security.user.password=mypassword
And my /etc/cas/config/users.json file:
{
"brenard" : {
"@class" : "org.apereo.cas.mgmt.authz.json.UserAuthorizationDefinition",
"roles" : [ "ROLE_ADMIN" ]
}
}
"brenard" : {
"@class" : "org.apereo.cas.mgmt.authz.json.UserAuthorizationDefinition",
"roles" : [ "ROLE_ADMIN" ]
}
}
Note: brenard is my CAS username.
Benjamin Renard
Mar 27, 2024, 12:40:40 PM3/27/24
to CAS Community, Mohamed Amdouni, Ray Bon
Thank Mohamed,
What do you mean about enabling SSL ? My CAS management app is accessible via an Apache HTTPS VirtualHost that proxypass requests to a Tomcat's AJP Connector. It's "SSL enabled" for you ? :)
Note: My CAS server use the same Apache HTTPS VirtualHost and Tomcat AJP connector, but is deploy another context (/cas vs /cas-management).
Hartmut Trüe
Mar 28, 2024, 7:31:35 AM3/28/24
to CAS Community, Benjamin Renard, Mohamed Amdouni, Ray Bon
After playing a bit with the loglevels (debug for spring.webflow.log.level and spring.security.log.level), I found this. But I have no idea, if that is the problem or what to do.
As explained earlier, 6.6.x is running fine with the same configuration.
...
2024-03-28 09:43:41,073 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.web.flow.TokenAuthenticationAction@7db98da0>
2024-03-28 09:43:41,073 INFO [org.apereo.cas.web.flow.actions.AbstractNonInteractiveCredentialsAction] - <No credentials could be extracted/detected from the current request>
2024-03-28 09:43:41,073 INFO [org.apereo.cas.web.flow.TokenAuthenticationAction] - <Action execution disallowed; pre-execution result is 'error'>
2024-03-28 09:43:41,073 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.web.flow.TokenAuthenticationAction@7db98da0; result = error>
2024-03-28 09:43:41,073 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@763bc2b expression = tokenAuthenticationAction, resultExpression = [null]]; result = error>
2024-03-28 09:43:41,073 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@1b2a72b9 on = *, to = initialAuthenticationRequestValidationCheck]>
2024-03-28 09:43:41,073 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'tokenAuthenticationCheck'>
2024-03-28 09:43:41,073 INFO [org.apereo.cas.web.flow.actions.AbstractNonInteractiveCredentialsAction] - <No credentials could be extracted/detected from the current request>
2024-03-28 09:43:41,073 INFO [org.apereo.cas.web.flow.TokenAuthenticationAction] - <Action execution disallowed; pre-execution result is 'error'>
2024-03-28 09:43:41,073 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.web.flow.TokenAuthenticationAction@7db98da0; result = error>
2024-03-28 09:43:41,073 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@763bc2b expression = tokenAuthenticationAction, resultExpression = [null]]; result = error>
2024-03-28 09:43:41,073 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@1b2a72b9 on = *, to = initialAuthenticationRequestValidationCheck]>
2024-03-28 09:43:41,073 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'tokenAuthenticationCheck'>
...
Benjamin Renard
Mar 28, 2024, 3:46:46 PM3/28/24
to CAS Community, Hartmut Trüe, Benjamin Renard, Mohamed Amdouni, Ray Bon
Hello Hartmut,
From my side, I can't observe this interesting error in my logs, even if enabling debuging on spring webflow & security. In fact, I also try to enable debug on root logger and I obtain nothing more than I have initialy posted here.
Could you share your operational configuration in v6 ? I would like to know what look like a operational configuration :)
Thanks !
Hartmut Trüe
Apr 2, 2024, 3:22:31 AM4/2/24
to CAS Community, Benjamin Renard, Hartmut Trüe, Mohamed Amdouni, Ray Bon
Hello Benjamin,
this is my CAS 6.6 management configuration:
#---------------------------------------------
# config for cas management webapp
logging.config=file:/etc/cas/config/log4j2-management.xml
server.servlet.context-path=/cas-management
cas.server.name=https://www.domain.tld
cas.server.prefix=${cas.server.name}/cas
mgmt.server-name=https://www.domain.tld
# for testing only : no login required
#mgmt.cas-sso=false
#mgmt.authz-ip-regex=.*
mgmt.user-properties-file=file:/etc/cas/config/adminUsers.json
mgmt.admin-roles[0]=ROLE_ADMIN
mgmt.user-roles[0]=ROLE_USER
cas.serviceRegistry.initFromJson=true
cas.serviceRegistry.json.location=file:///etc/cas/services-repo
mgmt.ldap.ldap-url=ldap://192.168.2.1/
mgmt.ldap.bind-dn=uid=cas,ou=accounts,dc=de
mgmt.ldap.bind-credential=xxxxxxxxxxxx
#mgmt.ldap.use-ssl=false
mgmt.ldap.use-start-tls=false
mgmt.ldap.block-wait-time=3000
mgmt.ldap.connect-timeout=2000
mgmt.ldap.validate-on-checkout=false
mgmt.ldap.validate-periodically=true
mgmt.ldap.validate-period=300
mgmt.ldap.idle-time=600
mgmt.ldap.max-pool-size=10
mgmt.ldap.min-pool-size=1
mgmt.ldap.prune-period=300
mgmt.ldap.ldapAuthz.base-dn=ou=people,dc=domain,dc=tld
mgmt.ldap.ldapAuthz.search-filter=uid={user}
mgmt.ldap.ldapAuthz.allow-multiple-results=false
#---------------------------------------------
logging.config=file:/etc/cas/config/log4j2-management.xml
server.servlet.context-path=/cas-management
cas.server.name=https://www.domain.tld
cas.server.prefix=${cas.server.name}/cas
mgmt.server-name=https://www.domain.tld
# for testing only : no login required
#mgmt.cas-sso=false
#mgmt.authz-ip-regex=.*
mgmt.user-properties-file=file:/etc/cas/config/adminUsers.json
mgmt.admin-roles[0]=ROLE_ADMIN
mgmt.user-roles[0]=ROLE_USER
cas.serviceRegistry.initFromJson=true
cas.serviceRegistry.json.location=file:///etc/cas/services-repo
mgmt.ldap.ldap-url=ldap://192.168.2.1/
mgmt.ldap.bind-dn=uid=cas,ou=accounts,dc=de
mgmt.ldap.bind-credential=xxxxxxxxxxxx
#mgmt.ldap.use-ssl=false
mgmt.ldap.use-start-tls=false
mgmt.ldap.block-wait-time=3000
mgmt.ldap.connect-timeout=2000
mgmt.ldap.validate-on-checkout=false
mgmt.ldap.validate-periodically=true
mgmt.ldap.validate-period=300
mgmt.ldap.idle-time=600
mgmt.ldap.max-pool-size=10
mgmt.ldap.min-pool-size=1
mgmt.ldap.prune-period=300
mgmt.ldap.ldapAuthz.base-dn=ou=people,dc=domain,dc=tld
mgmt.ldap.ldapAuthz.search-filter=uid={user}
mgmt.ldap.ldapAuthz.allow-multiple-results=false
#---------------------------------------------
Hartmut
Hartmut Trüe
Jul 15, 2024, 5:07:49 AM7/15/24
to CAS Community, Hartmut Trüe, Benjamin Renard, Mohamed Amdouni, Ray Bon
Hello,
after several updates since April, nothing has changed: cas-management 6.6 works as expected, the same configuration with cas-management 7.0 still ends in "too many redirects".
This makes cas 7 unusable for me. I still don't have any ideas what the problem might be.
Hartmut
after several updates since April, nothing has changed: cas-management 6.6 works as expected, the same configuration with cas-management 7.0 still ends in "too many redirects".
This makes cas 7 unusable for me. I still don't have any ideas what the problem might be.
Hartmut
Mohamed Amdouni
Jul 15, 2024, 12:45:03 PM7/15/24
to CAS Community, Hartmut Trüe, Benjamin Renard, Mohamed Amdouni, Ray Bon
Hello,
Will explain what was the error for me, hope it would help you figure out the problem.
In my usecase, the cas management was behind a proxy, so the URL of cas management was "https" but the ssl is only on the proxy side, then the proxy forward to my cas management instance wich is not started with ssl (http).
In the security configuration of cas management : see this file : https://github.com/apereo/cas-management/blob/7.0.x/webapp/cas-mgmt-webapp-config/src/main/java/org/apereo/cas/mgmt/config/CasManagementSecurityConfiguration.java
there are this line http.requiresChannel(c -> c.anyRequest().requiresSecure()); which require to have a secure channel and so too many redirects.
I tried to overried the security configuration with no success so the solution was to start cas management with ssl and point https URL in the proxy configuration.
Try to check this class and find why it redirects....
Try to install a local instance of cas management ...
Best Regards
Mohamed Amdouni
Jul 18, 2024, 7:01:23 AM7/18/24
to Hartmut Trüe, Benjamin Renard, CAS Community, Ray Bon
Hello,
Just to add that the logger that may give more information
Is org.jasig.cas.client
You may add a lot of logger’s (cas and spring ) to print more debug information
See this template
And add async loggers as match as you can :) that may help.
—— I get a similar error on my local machine when I start the jvm with wrong proxy settings because I’m in a corporate network so I added the right http.proxyHost and https.proxyHost http.proxyPort https.proxyPort to resolve too many redirects error because the management couldn’t validate tickets but I get logs by org.jasig.cas.client logger with a clear error. I don’t think it’s your case but some tips to investigate.
Good luck
Best regards.
Le jeu. 18 juil. 2024 à 11:30, Hartmut Trüe <htr...@gmail.com> a écrit :
Hello Mohamed,thanks for your reply, that might lead me in the right direction.My CAS is running behind a reverse proxy, but it is all "https":
Tomcat ->"ajp"->Apache2->"https"->Apache2 reverse proxyAt the moment it looks to me like a problem with HSTS and CORS, something must have changed between 6.6 and 7.0.But I haven't been able to solve it yet.Best Regards
Hartmut
Hartmut Trüe
Jul 18, 2024, 7:01:23 AM7/18/24
to CAS Community, Mohamed Amdouni, Hartmut Trüe, Benjamin Renard, Ray Bon
Hello Mohamed,
thanks for your reply, that might lead me in the right direction.
My CAS is running behind a reverse proxy, but it is all "https":
Tomcat ->"ajp"->Apache2->"https"->Apache2 reverse proxy
Tomcat ->"ajp"->Apache2->"https"->Apache2 reverse proxy
At the moment it looks to me like a problem with HSTS and CORS, something must have changed between 6.6 and 7.0.
But I haven't been able to solve it yet.
Best Regards
Hartmut
Hartmut
Mohamed Amdouni schrieb am Montag, 15. Juli 2024 um 18:45:03 UTC+2:
Hartmut Trüe
Jul 22, 2024, 5:26:04 AM7/22/24
to CAS Community, Hartmut Trüe, Mohamed Amdouni, Benjamin Renard, Ray Bon
... no way. To exclude my proxy as the cause I have configured my tomcat so that it delivers https itself with a valid certificate.
CAS itself is working fine, CAS-Management continues to run in the "too many redirects" error.
Best Regards
Hartmut
Mohsen Saeedi
Jul 26, 2024, 10:50:50 PM7/26/24
to cas-...@apereo.org, Hartmut Trüe, Mohamed Amdouni, Benjamin Renard, Ray Bon
I have same problem for cas 7.0.x in my local environment and i run management 6.6.4 in local environment without any problem! but management 7.0.x has problem and it ends in "too many redirects".
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/589e483d-8b48-4e66-8492-eafdce3c5a2dn%40apereo.org.
--
Seyyed Mohsen Saeedi
سید محسن سعیدی
Mohsen Saeedi
Jul 26, 2024, 10:50:55 PM7/26/24
to cas-...@apereo.org, Benjamin Renard, Hartmut Trüe, Mohamed Amdouni, Ray Bon
Can you send your build.gradle? I want to check dependencies that defined for your build.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/846f5824-cd0b-4d47-8071-ab7cd5a9d1fcn%40apereo.org.
Tom Reijnders
Jul 29, 2024, 8:44:28 AM7/29/24
to CAS Community, Ray Bon
See also https://groups.google.com/a/apereo.org/g/cas-user/c/VFVlwBSMdDg/m/vt_IOXOCBAAJ
I believe this is the same issue. Ray identified a mistake in cas-management itself (and a workaround). I don't know of a fix yet and have not been able to have a look myself yet either.
Hartmut Trüe
Jul 30, 2024, 8:38:08 AM7/30/24
to CAS Community, Tom Reijnders, Ray Bon
@Mohsen: its the build.gradle from the cas-management overlay without modifications. And I tried with reverse proxy, without reverse proxy, standalone tomcat, embedded tomcat ... all the same.
@Tom: I know that workaround, thankyou, but for a production environment it doesn't feel good. I don't know if it is the same issue, my cas-management does not log much despite debug mode. And in my CAS log there is no other error
visible
than "
No credentials could be extracted/detected from the current request". But that does not help me, I don't know how I could change that.
2024-07-30 13:11:21,455 INFO [org.apereo.cas.DefaultCentralAuthenticationService] - <Granted service ticket [ST-33-********3rMmfoE-cas-dev] for service [https://my.domain.de/cas-management/callback?client_name=CasClient] and principal [casuser]>
2024-07-30 13:11:21,456 INFO [org.apereo.inspektr.audit.AuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHEN: 2024-07-30T11:11:21.456317337
WHO: casuser
WHAT: {service=https://my.domain.de/cas-management/callback?client_name=CasClient, ticketId=ST-33-********3rMmfoE-cas-dev}
ACTION: SERVICE_TICKET_CREATED
CLIENT IP ADDRESS: 192.168.122.150
SERVER IP ADDRESS: 192.168.25.17
=============================================================
>
2024-07-30 13:11:21,535 INFO [org.apereo.cas.web.flow.actions.AbstractNonInteractiveCredentialsAction] - <No credentials could be extracted/detected from the current request>
2024-07-30 13:11:21,535 INFO [org.apereo.cas.web.flow.TokenAuthenticationAction] - <Action execution disallowed; pre-execution result is 'error'>
2024-07-30 13:11:21,543 INFO [org.apereo.inspektr.audit.AuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHEN: 2024-07-30T11:11:21.543264010
WHO: casuser
WHAT: {result=Service Access Granted, service=https://my.domain.de/cas-management/callback?client_name=CasClient, requiredAttributes={}}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
CLIENT IP ADDRESS: 192.168.122.150
SERVER IP ADDRESS: 192.168.25.17
=============================================================
2024-07-30 13:11:21,456 INFO [org.apereo.inspektr.audit.AuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHEN: 2024-07-30T11:11:21.456317337
WHO: casuser
WHAT: {service=https://my.domain.de/cas-management/callback?client_name=CasClient, ticketId=ST-33-********3rMmfoE-cas-dev}
ACTION: SERVICE_TICKET_CREATED
CLIENT IP ADDRESS: 192.168.122.150
SERVER IP ADDRESS: 192.168.25.17
=============================================================
>
2024-07-30 13:11:21,535 INFO [org.apereo.cas.web.flow.actions.AbstractNonInteractiveCredentialsAction] - <No credentials could be extracted/detected from the current request>
2024-07-30 13:11:21,535 INFO [org.apereo.cas.web.flow.TokenAuthenticationAction] - <Action execution disallowed; pre-execution result is 'error'>
2024-07-30 13:11:21,543 INFO [org.apereo.inspektr.audit.AuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHEN: 2024-07-30T11:11:21.543264010
WHO: casuser
WHAT: {result=Service Access Granted, service=https://my.domain.de/cas-management/callback?client_name=CasClient, requiredAttributes={}}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
CLIENT IP ADDRESS: 192.168.122.150
SERVER IP ADDRESS: 192.168.25.17
=============================================================
Frédéric Dussurget
Aug 21, 2024, 2:26:05 PM8/21/24
to CAS Community, Hartmut Trüe, Tom Reijnders, Ray Bon
Hi there,
I tried to migrate from 6.6 to 7.0 and I'm doing the same observation as you all :
it is looping forever.
And when turning off cas authn (
mgmt.cas-sso=false) it starts to work again ... It's not going to go to production but, still, I'm happy to work with tomcat10, jdk21, etc.
Let's wait for a fix
Hartmut Trüe
Sep 18, 2024, 4:49:58 AM9/18/24
to CAS Community, Frédéric Dussurget, Hartmut Trüe, Tom Reijnders, Ray Bon
Hi,
cas-management-overlay seems to be neglected.
There is a branch 7.0, which apparently does not work not only for me until now.
And in the master branch the version is still 6.3.0-snapshot with source- and targetcomapatibility=11 ...
Unfortunately, the wait for a fix seems to be very long...
Ray Bon
Sep 18, 2024, 2:12:21 PM9/18/24
to htr...@gmail.com, cas-...@apereo.org, ajjrei...@gmail.com, dussu...@gmail.com
Hartmut,
It looks like they are moving to a different tool, palantir, https://apereo.github.io/cas/7.0.x/installation/Admin-Dashboard.html
Ray
Mohsen Saeedi
Sep 21, 2024, 12:09:27 AM9/21/24
to cas-...@apereo.org, htr...@gmail.com, ajjrei...@gmail.com, dussu...@gmail.com
I saw that, but documentation is not clear. What is the endpoint and configuration?
I just added gradle dependencies to build.gradle with successfully build.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/69ae1f0967405db29089d898a0d6aa5ef891b4f0.camel%40uvic.ca.
Reply all
Reply to author
Forward
0 new messages