Proxy ticket is always null. Please help


Corsair Hxw

Apr 18, 2018, 9:08:15 AM
to CAS Community
Hello,

I am using CAS Maven Overlay (version 5.2.3) to build CAS server.
The CAS server is running on http://localhost:8080/cas

I have changed POM and added dependency for json service registry:
<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-json-service-registry</artifactId>
        <version>${cas.version}</version>
    </dependency>
</dependencies>

I have provided two service json files in /services:
greet-1.json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "http://localhost:8090/greet",
  "name" : "greet",
  "id" : 1,
  "evaluationOrder" : 1
}

user-2.json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "http://localhost:8090/user",
  "name" : "user",
  "id" : 2,
  "evaluationOrder" : 2
}

From my web application 1, I am trying to get the proxy ticket for another web application 2.
Web Application 1 Controller class is as below:
package com.learn.cas.proxyticket;

import org.jasig.cas.client.authentication.AttributePrincipal;
import org.springframework.security.cas.authentication.CasAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class GreetingsController {

    @GetMapping("/greet")
    public String greetWithProxyTicket(Authentication authentication) {
        String proxyTicket = null;

        if (authentication != null && authentication instanceof CasAuthenticationToken) {
            AttributePrincipal principal = ((CasAuthenticationToken) authentication).getAssertion().getPrincipal();

            if (principal != null) {
                // Request a proxy ticket for web application 2
                proxyTicket = principal.getProxyTicketFor("http://localhost:8090/user");
            }
        }

        return proxyTicket;
    }
}

Here, the returned value is always null. getProxyTicketFor always gives me null value. 
Web application 1 pom.xml and application.yml files are attached in case they are needed.

Any help on this is appreciated. Stuck on this for like a month now :(

Best Regards,
Corsair

pom.xml
application.yml

Ray Bon

Apr 18, 2018, 12:58:26 PM
to cas-...@apereo.org
Corsair,

Try these in the CAS log4j2.xml to see what happens on that side.

        <!-- INFO  Granted ticket [...] for service [...] for user [...]
             DEBUG Resolved service [limited details about service]
                   Located registered service definition [service details] -->
        <AsyncLogger name="org.apereo.cas.DefaultCentralAuthenticationService" level="debug" />
        <!-- DEBUG Looking up ticket id generator for [...]
                   Attempting to encode ... [...]
                   Encoded ... [...] -->
        <AsyncLogger name="org.apereo.cas.ticket.factory.DefaultProxyTicketFactory" level="debug" />
        <!-- DEBUG Response code from server matched [###] may be useful for debugging proxy
                   Created HTTP post message payload [POST URL] on logout -->
        <AsyncLogger name="org.apereo.cas.util.http.SimpleHttpClient" level="error" />
        <AsyncLogger name="org.apereo.cas.web" level="debug" />

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Man H

Apr 18, 2018, 3:10:26 PM
to cas-...@apereo.org

read https://apereo.github.io/cas/5.2.x/installation/Configuring-Proxy-Authentication.html

The service must also be authorized to receive the PGT as an attribute for the given attribute release policy of choice.

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://.+",
  "name" : "test",
  "id" : 1,
  "evaluationOrder" : 0,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "authorizedToReleaseProxyGrantingTicket" : true
  },


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/dc0cd2d2-5eb4-4d85-af80-71ea06696044%40apereo.org.

Corsair Hxw

Apr 19, 2018, 6:39:21 AM
to CAS Community
Thank you for the information. It will definitely help to see what is happening in CAS.
I will post here if I find any warning / error.

Regards,

Corsair Hxw

Apr 19, 2018, 6:47:13 AM
to CAS Community
Hello,

Thank you for guiding me to the proxy authentication link. Found tons of information regarding the proxying applications.

I am very new to the CAS world. There could be many things that could be wrong in my configuration. So thank you for providing the information on attributeReleasePolicy.

I changed the service json and the authorizedToReleaseProxyGrantingTicket property is now set to "true".
Even after making these changes, a null proxy ticket is returned.

Is there anything else that I could be missing?

Regards

Lalot Dominique

Apr 19, 2018, 12:07:09 PM
to CAS Community
Something changed with CAS. They now check which service you're asking a PT for.
For uPortal, I was obliged to put this in the web.xml, for the client side:

        <init-param>
            <param-name>allowedProxyChains</param-name>
            <param-value>.*</param-value>
        </init-param>
In the CAS filter parameter

And for the service, you can change .* with the name of the service you're proxying to

 proxyPolicy:
  {
    @class: org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy
    pattern: .*
  }
and in the attributerelease section:
authorizedToReleaseProxyGrantingTicket: true
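
Added example, not part of any poster's message and not CAS code: a small Python check that reads a service definition like the ones in this thread and reports whether the two server-side settings named in the replies (a proxyPolicy and authorizedToReleaseProxyGrantingTicket) are present, and whether the proxy pattern is as broad as `.*`. The sample definitions, the probe URL, and the function and finding names are constructed for illustration.

```python
import json
import re

PROXY_POLICY = "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy"
# Hypothetical URL that this deployment should never accept as a proxy.
PROBE_URL = "https://unrelated.example/proxy-callback"

# Constructed sample: greet-1.json as posted in the thread (no proxy settings).
GREET_AS_POSTED = """
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "http://localhost:8090/greet",
  "name" : "greet", "id" : 1, "evaluationOrder" : 1
}"""

# Constructed sample: the same service with both settings from the replies.
GREET_WITH_PROXY = """
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "http://localhost:8090/greet",
  "name" : "greet", "id" : 1, "evaluationOrder" : 1,
  "proxyPolicy" : {
    "@class" : "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern" : ".*"
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "authorizedToReleaseProxyGrantingTicket" : true
  }
}"""


def check_proxy_settings(definition):
    """Return findings for one service definition given as strict JSON text."""
    svc = json.loads(definition)
    findings = []
    policy = svc.get("proxyPolicy") or {}
    if policy.get("@class") != PROXY_POLICY:
        findings.append("no-regex-proxy-policy")
    # Python's re stands in for Java regex here; fine for simple patterns.
    elif re.search(policy.get("pattern") or "", PROBE_URL):
        findings.append("proxy-pattern-too-broad")
    release = svc.get("attributeReleasePolicy") or {}
    if release.get("authorizedToReleaseProxyGrantingTicket") is not True:
        findings.append("pgt-release-not-authorized")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", GREET_AS_POSTED), ("with proxy", GREET_WITH_PROXY)):
        print(label, check_proxy_settings(text))
```

A pattern scoped to the application's own host clears the last finding while keeping proxying enabled.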

Ray Bon

Apr 19, 2018, 12:11:28 PM
to cas-...@apereo.org
Attach logs and json service file.

Ray