CAS doesn't redirect to the application after successful login


MIPM GmbH

Mar 25, 2020, 10:46:58 AM
to CAS Community
Hello,

My CAS is on version 6.2.0-RC3. Most of the time CAS works just fine, but sometimes the CASified application gets stuck and Firefox shows the message "wait for cas". To fix that I restart CAS every time.
This problem seems to appear whenever I use two different browsers on the same client with that CASified application. I figured out that the ticket parameter is missing from the URL.
I hope someone can help me.
You will find cas.properties and the log attached. I have tried to reproduce the problem. The log isn't very helpful either. It just shows that CAS stopped working at "Service ticket created".
Please let me know if you need further information.
 


cas.properties
log.txt

Mathieu HETRU

Mar 25, 2020, 11:13:05 AM
to cas-...@apereo.org
hello,

what are the characteristics of the server (memory, proc, disk space) and the memory allocated to Tomcat?

thanks

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/99ce6d68-3119-4742-8080-1336eb9901b5%40apereo.org.

Ray Bon

Mar 25, 2020, 11:55:37 AM
to cas-...@apereo.org
My guess would be the service did not or could not complete the login process.
ST-9 was validated but ST-8 was not. After an ST is created, CAS redirects to the service. You can check this in your browser's network panel in developer tools. The service needs to contact CAS to validate the ticket; this is done directly, not through the browser.

Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

MIPM GmbH

Mar 25, 2020, 12:12:45 PM
to CAS Community
The server has 12 GB RAM and 50 GB of disk space. Processor: 4x4 cores, 2,5 GHz. Tomcat runs with 8 GB memory.
Hope this helps.

MIPM GmbH

Mar 26, 2020, 3:54:13 AM
to CAS Community

I checked the network panel. You can see the results attached. It seems like the redirect to validate is missing.
cas_error.png
cas_error_chrome.png

Ray Bon

Mar 26, 2020, 12:05:30 PM
to cas-...@apereo.org
You will not see the call to cas/validate in the browser network panel, just the redirect back to the service (which I do not see in the images). The validation step is done in the background. You will have to look at server (Tomcat, Apache, etc.) access logs to see if the requests arrive.

I apologize for not being clearer earlier.

Since CAS is hanging, is it possible that the service definition is incorrect? Does the service in the image ever work?

Compare the service definitions for both services.

Ray

MIPM GmbH

Mar 27, 2020, 3:26:28 AM
to CAS Community
Yes, the service works. I can access the site and SSO works, but sometimes it doesn't work. I have to restart the CAS server to get it working again. This problem occurs with every service, not just the one in the picture.

MIPM GmbH

Mar 27, 2020, 4:26:05 AM
to CAS Community
Update: All services work until I log in and log out 6 times in a row. Then the problem occurs. Every service seems to have this problem after logging in and logging out 6 times in a row.
Why? Does anyone have an idea?


Ray Bon

Mar 27, 2020, 11:55:13 AM
to cas-...@apereo.org
Could this be a weird bug with the in-memory ticket registry?
Try setting a different ticket registry.

Ray



bleucheese

Mar 27, 2020, 12:04:14 PM
to CAS Community
Just to add to this. We're encountering something similar that at the moment is isolated to one installation.

It's only happening on Chrome and one deployment of CAS (6.1.3). It's very odd behavior. We were performing quality assurance testing against an application; the user changed their password in our application, then closed their browser window, ending their application session. They re-opened the browser window and were redirected to the CAS login screen. At this point, if they enter their credentials and submit, the 302 response from CAS to redirect to the validate service seems like it's not completing/closing. Using Wireshark, we see a bunch of "continuing request" type packets. There are no errors that we can see in the logs; we've attached a snippet. The gist of it is that CAS generates a service ticket but does not complete the 302 request that should redirect the browser to the application's auth layer to validate the user's ST. The 302 request remains pending and Chrome spins forever. This is reproducible on this one CAS instance but not some others.

We've noticed that if you click the login button on the CAS login page again while CAS is hung up, it sends the same data and CAS generates a new service ticket and completes its authentication process successfully, returning the 302 request properly and allowing the user to log in. This is consistently reproducible as well.

This instance is using a self-signed cert, but even with a CA cert that makes it a valid certificate, we still encounter the issues. Attached logs show behavior on the CAS side.


With this upcoming release of our application we're upgrading from CAS 5.3.x to 6.1.3; we did not have any issues like this with the previous version. We have modified some configuration options to enable AzureAD delegated auth, but it's not currently enabled on this instance.
cas-stuck-log.txt

MIPM GmbH

Mar 30, 2020, 2:59:02 AM
to CAS Community
I tried setting Hazelcast but that doesn't help either.

MIPM GmbH

Apr 3, 2020, 8:43:03 AM
to CAS Community
Somehow I was able to solve the problem. My service definitions were broken. This caused the problem. I replaced the service definitions with this default one:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name" : "HTTPS and IMAPS",
  "id" : 10000001,
  "description" : "This service definition authorized all application urls that support HTTPS and IMAPS protocols.",
  "proxyPolicy" : {
    "@class" : "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
  },
  "evaluationOrder" : 10000,
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider"
  },
  "logoutType" : "BACK_CHANNEL",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository"
    },
    "authorizedToReleaseCredentialPassword" : false,
    "authorizedToReleaseProxyGrantingTicket" : false
  },
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  },
  "logo" : "images/logo_cas.png"
}

Now it works fine! I hope this helps.

Thanks to everyone who helped me (:
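
Added example, not part of the original thread and not CAS project code: the serviceId in the definition posted above matches every HTTPS and IMAPS URL, so this Python check lists which service URLs a serviceId pattern would authorize, comparing it with two hypothetical patterns for a single application. The host app.example.org, the probe URLs and both narrower patterns are constructed; full-match, case-insensitive matching, with Python's re standing in for Java regex, is an assumption.

```python
import re
from urllib.parse import urlsplit

# serviceId patterns: the first is the catch-all from the post; the other two
# are hypothetical patterns for a constructed host, app.example.org.
PATTERNS = {
    "catch-all (from the post)": r"^(https|imaps)://.*",
    "loose host (hypothetical)": r"^https://app.example.org.*",
    "scoped (hypothetical)": r"^https://app\.example\.org(:443)?(/.*)?$",
}

# Constructed probe URLs: one intended service, three that should be refused.
EXPECTED_HOSTS = {"app.example.org"}
PROBES = [
    "https://app.example.org/login",
    "https://appXexample.org/login",             # unescaped "." matches any character
    "https://app.example.org.other.test/login",  # host not terminated after "org"
    "https://unrelated.test/",
]


def unexpected_matches(pattern, probes=PROBES, expected_hosts=EXPECTED_HOSTS):
    """Return probe URLs the pattern authorizes although their host is not expected."""
    # Assumption: the whole service URL must match, ignoring case.
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for url in probes:
        host = urlsplit(url).hostname  # lower-cased host without the port
        if rx.fullmatch(url) and host not in expected_hosts:
            hits.append(url)
    return hits


def audit(patterns=PATTERNS):
    """Map each pattern label to the unexpected URLs it would authorize."""
    return {label: unexpected_matches(p) for label, p in patterns.items()}


if __name__ == "__main__":
    for label, hits in audit().items():
        verdict = "OK" if not hits else "too broad -> " + ", ".join(hits)
        print(f"{label}: {verdict}")
```

Running the same probes against each entry of a service registry before deployment shows whether a definition authorizes only the hosts it is meant to.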