Cas-Service-Management-Overlay still not working (more info)


Conan Malone

May 26, 2016, 5:11:01 AM5/26/16
to CAS Community
Hi,

I'm making a new post as I feel there maybe wasn't enough information in my last one for anyone to help me out.

I have downloaded the cas-overlay-template and cas-service-management-overlay (4.2.2), copied the correct files to /etc/cas/ and ran mvnw clean package on both of them with build success so that all seems fine.  (both deployed in tomcat as ROOT.war and cas-services.war).

I can go to https://mycasdomain.com/ and it goes to the login page, I can then log in with casuser,Mellon and this works fine (also can do RADIUS authentication).  My problem seems to be with the cas-services-management as when I go to https://mycasdomain.com/cas-services/ (looking at network on chrome) I get redirected to manage.html which redirects to the login page as expected with url 'https://mycasdomain/login?service=https%3A%2F%2Fmycasdomain%2Fcas-services%2Fcallback%3Fclient_name%3DCasClient'.  The page has the 'Services Management Web Application' box at the top so I assume services are correctly set up.  I then log in with casuser,Mellon and get 'The CAS management webapp is unavailable' screen.


But looking through logs I find that I get an HTTP status 403 just before I get the 500 on a different address which is https://mycasdomain.com/p3/serviceValidate?ticket=ST-7-1df43YSsUctajcAt1miS-mycasdomain.com&service=https%3A%2F%2Fmycasdomain.com%2Fcas-services%2Fcallback%3Fclient_name%3DCasClient'.  If I put this address in my browser I get presented with

----------------------------------------------------------------------------------

<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<cas:authenticationSuccess>
<cas:user>casuser</cas:user>
<cas:attributes>
<cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
<cas:isFromNewLogin>true</cas:isFromNewLogin>
<cas:authenticationDate>2016-05-26T09:53:00.011+01:00</cas:authenticationDate>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>

----------------------------------------------------------------------------------

I'll put snippets from the parts I have changed in cas.properties, cas-management.properties below.  Can someone have a look through this and see if I am missing anything?  

p.s. I also have my CAS server behind a load balancer so it needs to go out the network to https://mycasdomain.com/ and come back in through the load balancer back to the CAS server. But I was thinking if there is a problem with this surely the normal cas login wouldn't work?

Thanks in advance,
Conan


----------------------snippets and logs----------------------

server.prefix=${server.name}

# security configuration based on IP address to access the /status and /statistics pages
 cas.securityContext.adminpages.ip=127\.0\.0\.1


##
# Unique CAS node name
# host.name is used to generate unique Service Ticket IDs and SAMLArtifacts.  This is usually set to the specific
# hostname of the machine running the CAS node, but it could be any label so long as it is unique in the cluster.

----------------------

# CAS
cas.prefix=${cas.host}
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${cas.prefix}/login

# Management
cas-management.host=${cas.host}
cas-management.prefix=${cas-management.host}/cas-services
cas-management.securityContext.serviceProperties.service=${cas-management.prefix}/callback

# Security
cas-management.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
pac4j.callback.defaultUrl=/manage.html

# views
cas-management.viewResolver.basename=default_views

##
# User details file location that contains list of users
# who are allowed access to the management webapp:
#
user.details.file.location = file:/etc/cas/user-details.properties

##
# JSON Service Registry
#
# Directory location where JSON service files may be found.
service.registry.config.location=file:/etc/cas/services

----------------------

2016-05-26 10:05:23,048 ERROR [org.jasig.cas.client.util.CommonUtils] - Server returned HTTP response code: 403 for URL: https://mycasdomain.com/p3/serviceValidate?ticket=ST-9-MbZeb0hglH5p4OW3HUAn-mycasdomain.com&service=https%3A%2F%2Fmycasdomain.com%2Fcas-services%2Fcallback%3Fclient_name%3DCasClient
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
        at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:431)
        at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
        at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
        at org.pac4j.cas.client.CasClient.retrieveUserProfile(CasClient.java:321)
        at org.pac4j.cas.client.CasClient.retrieveUserProfile(CasClient.java:83)
        at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:99)
        at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:48)
        at org.pac4j.springframework.web.CallbackController.callback(CallbackController.java:81)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:222)
        at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:137)
        at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:814)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:737)
        at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
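As an added example (not part of the original post or of the CAS project), the snippet below parses the two artifacts quoted above, the /p3/serviceValidate request URL and the cas:serviceResponse body, and then runs the check a CAS admin usually does first when a validation call is rejected: compare the exact service URL the client sends (here the pac4j callback, query string included) against the serviceId regular expressions in the JSON service registry that service.registry.config.location points at. The registry entries are constructed for illustration; the thread itself does not establish the cause of the 403, so treat the check as a diagnostic, not a diagnosis. The regex-matching behaviour (serviceId searched as a regular expression against the full service URL) is how CAS 4.x behaves to my knowledge, with Python's re.search standing in for java.util.regex.

```python
# Added example, not from the thread or the CAS project: parse the CAS
# serviceValidate request/response quoted above and check the service URL
# against constructed JSON service-registry entries.
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# URL taken from the log line in the post (trailing quote dropped).
SAMPLE_VALIDATE_URL = (
    "https://mycasdomain.com/p3/serviceValidate"
    "?ticket=ST-7-1df43YSsUctajcAt1miS-mycasdomain.com"
    "&service=https%3A%2F%2Fmycasdomain.com%2Fcas-services%2Fcallback%3Fclient_name%3DCasClient"
)

# Response body quoted in the post.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<cas:authenticationSuccess>
<cas:user>casuser</cas:user>
<cas:attributes>
<cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
<cas:isFromNewLogin>true</cas:isFromNewLogin>
<cas:authenticationDate>2016-05-26T09:53:00.011+01:00</cas:authenticationDate>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed registry entries in the CAS 4.2 JSON layout (hypothetical values).
# Entry 1 is a common mistake: an exact pattern that forgets the
# ?client_name=CasClient query string pac4j appends to the callback URL.
CONSTRUCTED_REGISTRY = [
    {"@class": "org.jasig.cas.services.RegexRegisteredService", "id": 1,
     "name": "exact callback", "serviceId": "^https://mycasdomain\\.com/cas-services/callback$"},
    {"@class": "org.jasig.cas.services.RegexRegisteredService", "id": 2,
     "name": "management webapp", "serviceId": "^https://mycasdomain\\.com/cas-services/.*"},
]


def parse_validate_url(url):
    """Return (ticket, service) from a serviceValidate URL, service percent-decoded."""
    q = parse_qs(urlparse(url).query)
    return q.get("ticket", [None])[0], q.get("service", [None])[0]


def parse_service_response(xml_text):
    """Parse a CAS 2.0/3.0 serviceResponse into a plain dict.

    Success -> {"ok": True, "user": ..., "attributes": {name: [values]}}
    Failure -> {"ok": False, "code": ..., "message": ...}
    """
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        attrs = {}
        attr_el = success.find("cas:attributes", CAS_NS)
        if attr_el is not None:
            for child in attr_el:
                name = child.tag.rsplit("}", 1)[-1]  # strip the namespace prefix
                attrs.setdefault(name, []).append((child.text or "").strip())
        user = success.findtext("cas:user", namespaces=CAS_NS)
        return {"ok": True, "user": user, "attributes": attrs}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code"),
                "message": (failure.text or "").strip()}
    raise ValueError("not a CAS serviceResponse document")


def matching_service_ids(registry, service_url):
    """IDs of registry entries whose serviceId regex matches the service URL.

    serviceId is searched as a regular expression against the full service URL
    (scheme, host, path and query), so patterns are anchored with ^ as in the
    stock overlay examples.  re.search stands in for java.util.regex here.
    """
    return [e["id"] for e in registry if re.search(e["serviceId"], service_url)]


if __name__ == "__main__":
    ticket, service = parse_validate_url(SAMPLE_VALIDATE_URL)
    print("ticket :", ticket)
    print("service:", service)
    print("matches:", matching_service_ids(CONSTRUCTED_REGISTRY, service))
    print("response:", parse_service_response(SAMPLE_RESPONSE))
```

Run against the quoted URL, the exact-match entry does not match because the callback carries ?client_name=CasClient, while the prefix pattern does; that is the kind of mismatch worth ruling out before looking at the load balancer.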




Misagh Moayyed

May 26, 2016, 12:53:41 PM5/26/16
to CAS Community

Does the CAS server produce any logs when it attempts to validate that ticket? Can you log into any other apps beside the management webapp?


--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f4f814e4-0dac-4996-ab4d-ac795b3848aa%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

Conan Malone

May 27, 2016, 3:33:53 AM5/27/16
to CAS Community, mmoa...@unicon.net
cas.log shows nothing at all and cas-management.log shows the '[org.jasig.cas.client.util.CommonUtils] - Server returned HTTP response code: 403 for URL:' error that I posted above.  The only apps I have installed right now are cas and the management app; I can log into CAS fine with casuser and it goes to the 'Login successful' page.

Daniel Alzate

Jan 19, 2017, 4:42:36 PM1/19/17
to CAS Community, mmoa...@unicon.net
Hi,

I'm new to CAS and also the community.

I have a new CAS setup working, but I'm facing this same problem reported by Conan. I wonder if you found a solution or the cause of this issue?


Best regards.

Daniel.

Didier Capdevielle

Apr 7, 2017, 8:47:01 AM4/7/17
to CAS Community, mmoa...@unicon.net
Hi everybody,

I'm a newbie too in CAS and I have the same problem.

I installed a CAS server 4.2.7 with Maven War Overlay, OpenJDK 7 and Tomcat8.
I installed an Apache Server to redirect request with AJP.

Directly using CAS, no problem.

But using CAS via an application (IdP for example), the same problem occurs.
Login is OK but ServiceValidate is forbidden.

Here are the logs from Apache ssl_access.log:

147.210.233.170 - - [07/Apr/2017:14:01:36 +0200] "GET /cas/login?service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1&entityId=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy HTTP/1.1" 200 9705 "https://idp-ubx.u-bordeaux.fr/WTST/wayf.php?entityID=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy&return=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy%2FShibboleth.sso%2FWAYF%3FSAMLDS%3D1%26target%3Dcookie%253A1491566493_4fae" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
147.210.233.170 - - [07/Apr/2017:14:01:45 +0200] "POST /cas/login?service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1&entityId=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy HTTP/1.1" 302 1429 "https://cas3.u-bordeaux.fr/cas/login?service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1&entityId=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
172.29.52.88 - - [07/Apr/2017:14:01:45 +0200] "GET /cas/serviceValidate?ticket=ST-4-b9WKP1g9E5K0rgXe5Nwj-cas-ubx&service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1 HTTP/1.1" 403 406 "-" "Java/1.7.0_121"

Looking at the messages, it seems like browser user-agents are authorized but the Java user-agent (Java/1.7.0_121), and probably other non-browser agents, is blocked.

Is one or more certificates missing? If yes, where and what kind of certificates? What else?

Thanks for your help !
Best regards,
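The observation above (browser requests to /cas/login succeed, the Java client's call to /cas/serviceValidate gets a 403) is the kind of hypothesis that is best checked across a whole access log rather than three lines. The script below is an added example, not from the thread or from CAS or Apache: it parses Apache combined-format lines, keeps only serviceValidate requests, decodes the ticket and service parameters, and groups outcomes by User-Agent and HTTP status. The first sample line is the 403 quoted above; the second is a constructed 200 from a browser so the grouping has something to compare against.

```python
# Added example, not from the thread: triage Apache access-log lines for CAS
# serviceValidate requests and group outcomes by HTTP status and User-Agent.
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Apache "combined" log format: ip ident user [ts] "method target proto" status size "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Line 1 is the 403 from the post above; line 2 is constructed for comparison.
SAMPLE_LOG = [
    '172.29.52.88 - - [07/Apr/2017:14:01:45 +0200] "GET /cas/serviceValidate?ticket=ST-4-b9WKP1g9E5K0rgXe5Nwj-cas-ubx&service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1 HTTP/1.1" 403 406 "-" "Java/1.7.0_121"',
    '10.0.0.5 - - [07/Apr/2017:14:05:00 +0200] "GET /cas/serviceValidate?ticket=ST-5-constructed-cas-ubx&service=https%3A%2F%2Fapp.example.test%2Fcallback HTTP/1.1" 200 412 "-" "Mozilla/5.0 (constructed)"',
]


def validate_events(lines):
    """Pick out serviceValidate (and /p3/serviceValidate) requests and decode their parameters."""
    events = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlparse(m.group("target"))
        if not url.path.endswith("/serviceValidate"):
            continue
        q = parse_qs(url.query)  # percent-decodes ticket= and service=
        events.append({
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "ticket": q.get("ticket", [None])[0],
            "service": q.get("service", [None])[0],
            "ua": m.group("ua"),
        })
    return events


def outcomes_by_agent(events):
    """Count (user-agent, status) pairs; an agent that only ever sees non-200 stands out."""
    return Counter((e["ua"], e["status"]) for e in events)


def rejected(events):
    """Validation calls that did not return 200, with the decoded service URL for registry checks."""
    return [e for e in events if e["status"] != 200]


if __name__ == "__main__":
    ev = validate_events(SAMPLE_LOG)
    for (ua, status), n in sorted(outcomes_by_agent(ev).items()):
        print(f"{status}  x{n}  {ua}")
    for e in rejected(ev):
        print("rejected:", e["ip"], e["ticket"], e["service"])
```

Feeding a full day of ssl_access.log through validate_events and looking at outcomes_by_agent shows whether the 403 follows the User-Agent or the service URL; the decoded service value in each rejected event is what has to match the service registry.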