"401 Authorization Required"


pouria Mahmoudi

Oct 1, 2016, 3:52:25 PM
to CAS Community
Hi,
I set up Apache httpd (2.2.15) and Tomcat 8 and also downloaded the CAS server WAR file as explained in this document:
https://www.howtoforge.com/how-to-set-up-apache-tomcat-mod_jk-sso-cas-mod_auth_cas

Everything was good: when I try to access a secured page, I am correctly redirected to the CAS server, but when I enter user/pass and expect to see the secured pages, I see a "401 Authorization Required" page.

There is not much helpful information in the Apache log, nor in the CAS server log. However, I have added the logs here:

CAS server log:

2016-10-01 12:43:47,648 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-2-icfYsgQpiaNi4qC5oPC1-its.cas] for service [http://localhost/examples/] for user [casuser]>
2016-10-01 12:43:47,648 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: casuser
WHAT: ST-2-icfYsgQpiaNi4qC5oPC1-its.cas for http://localhost/examples/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Sat Oct 01 12:43:47 PDT 2016
CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
=============================================================


Apache httpd log:

error_log:

[Sat Oct 01 12:35:02 2016] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Sat Oct 01 12:35:02 2016] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Oct 01 12:35:02 2016] [notice] Digest: generating secret for digest authentication ...
[Sat Oct 01 12:35:02 2016] [notice] Digest: done
[Sat Oct 01 12:35:02 2016] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Sat Oct 01 12:35:02 2016] [info] LDAP: SSL support available
[Sat Oct 01 12:35:02 2016] [warn] ./mod_dnssd.c: No services found to register
[Sat Oct 01 12:35:02 2016] [notice] Apache/2.2.15 (Unix) DAV/2 mod_jk/1.2.32 SVN/1.6.11 configured -- resuming normal operations
[Sat Oct 01 12:35:02 2016] [info] Server built: Jul 18 2016 15:24:00

access_log:
::1 - - [01/Oct/2016:12:43:39 -0700] "GET /examples/ HTTP/1.1" 302 336 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
::1 - - [01/Oct/2016:12:43:47 -0700] "GET /examples/?ticket=ST-2-icfYsgQpiaNi4qC5oPC1-its.cas HTTP/1.1" 401 476 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"


I am really confused. Any help will be much appreciated.


This is cas.config:

LoadModule auth_cas_module    /usr/lib64/httpd/modules/mod_auth_cas.so
CASCookiePath /var/cache/httpd/mod_auth_cas/
CASLoginURL https://localhost:9443/cas/login
CASValidateURL https://localhost:9443/cas/serviceValidate
<Location /examples>
        AuthType CAS
        require valid-user
</Location>

pouria Mahmoudi

Oct 3, 2016, 5:19:29 PM
to CAS Community
OK, I have figured out the issue. I needed to set up HTTPS for Apache to be able to see the logs, and when I installed HTTPS for Apache I saw that the 401 Authorization problem was related to a non-CA SSL certificate.
So what I did to fix the issue was to open up the mod_auth_cas.c file and replace this line:

curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
with 
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);

and bingo. It fixed the issue.

Phil Ames

Oct 3, 2016, 5:53:23 PM
to pouria Mahmoudi, CAS Community
This is extremely dangerous: your service is now vulnerable to HTTPS / man-in-the-middle style attacks.  In fact, we explicitly removed this feature several years ago because of this:

https://github.com/Jasig/mod_auth_cas/commit/1b1032c230a3ddf9db9004326bd4d075ab602c0e

Please instead consider using 'http://' as a validation URL - this should remove any certificate misconfiguration issues to help facilitate any debugging.  If that resolves the issue, you need to fix your configuration directives to point them at the right certificate chain.

If you can't access the CAS server over https, you should be able to start diagnosing from the debug logs based on the curl_easy_perform() return value here: "MOD_AUTH_CAS: curl_easy_perform()" to figure out why the connection is failing.

-Phil

--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9a936356-1d94-41c0-a95e-7d2f9d0f6e49%40apereo.org.

Waldbieser, Carl

Oct 4, 2016, 8:59:36 AM
to pouria Mahmoudi, CAS Community

This could actually be bad advice, depending on your CAS environment.
In a development scenario, this may not be so bad. In a production scenario where your CAS client needs to cross an untrusted network to validate the CAS service ticket, you are leaving the validation open to MITM attacks.

If mod_auth_cas isn't validating the certificate, you should find out why instead of turning off peer verification.
Since it is using the cURL library, it seems like you could use command line cURL to test the cert. You should try to run the command as the same user mod_auth_cas runs as, as the issue could just be a permission issue on the PEM file.

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
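Phil's post points at the curl_easy_perform() return value in the mod_auth_cas debug log, and Carl's suggests reproducing the validation call with command-line cURL as the httpd user. The script below is an added example, not from this thread or the mod_auth_cas project: it runs the same kind of request mod_auth_cas makes against CASValidateURL, as the httpd user and with an explicit CA bundle, and maps the curl exit status (which uses the same numbering as libcurl's CURLcode, so the table also applies to the logged curl_easy_perform() value) to a diagnosis. The httpd user name ("apache"), the CA bundle path, the validate URL and the placeholder ticket/service values are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce mod_auth_cas's service-ticket
# validation with command-line curl, as the httpd user, and explain the result.
# Assumed values; override via environment variables to match your installation.
HTTPD_USER="${HTTPD_USER:-apache}"                          # user mod_auth_cas runs as (assumed)
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-bundle.crt}"      # assumed; use the CA file/dir mod_auth_cas trusts
VALIDATE_URL="${VALIDATE_URL:-https://localhost:9443/cas/serviceValidate}"
SERVICE_URL_ENCODED="http%3A%2F%2Flocalhost%2Fexamples%2F"  # constructed service parameter

# Translate a curl exit status (== libcurl CURLcode) into what to fix.
# The codes below are documented in 'man curl' under EXIT CODES.
explain_curl_exit() {
  case "$1" in
    0)  echo "OK: TLS handshake and certificate verification succeeded" ;;
    6)  echo "Could not resolve host: check the hostname in CASValidateURL" ;;
    7)  echo "Could not connect: is the CAS server listening on that host and port?" ;;
    35) echo "TLS handshake failed: protocol or cipher mismatch with the CAS server" ;;
    51) echo "Peer certificate not OK: its name does not match the host in CASValidateURL" ;;
    60) echo "Peer certificate cannot be authenticated: its issuing CA is not in the trusted bundle; add that CA to the bundle mod_auth_cas uses rather than disabling verification" ;;
    77) echo "Cannot read the CA file: path or permission problem for the user mod_auth_cas runs as" ;;
    *)  echo "curl exit $1: see 'man curl' EXIT CODES" ;;
  esac
}

# Run the validation request exactly as the httpd user would, with peer
# verification left ON, and print a diagnosis of the outcome.
check_validate_url() {
  sudo -u "$HTTPD_USER" curl --silent --show-error --output /dev/null \
      --cacert "$CA_BUNDLE" \
      "${VALIDATE_URL}?ticket=ST-placeholder&service=${SERVICE_URL_ENCODED}"
  rc=$?
  explain_curl_exit "$rc"
  return "$rc"
}

# The live check only runs when the script is invoked as: sh check_cas_tls.sh run
if [ "${1:-}" = "run" ]; then
  check_validate_url
fi
```

A non-zero status of 60 means the CAS server's certificate chain is simply not trusted by the bundle handed to curl; the fix is to install the issuing CA where mod_auth_cas looks for trusted certificates, not to turn off CURLOPT_SSL_VERIFYPEER. A 77 with the same bundle path that works as root is the permission problem Carl describes.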

pouria Mahmoudi

Oct 7, 2016, 12:33:28 PM
to CAS Community, pouria....@gmail.com
I know it is not safe to turn certificate validation off for production. I was testing in a dev environment where I don't have a valid CA certificate, and the dev server is not accessible outside the company.
Anyway, thanks for the concern and for sharing it.