cas/proxy failure w/ ProxyController returning null

[Duane Booher]

We have a cas/proxy failure which is blocking our CAS 5.0.6/5.0.7 production deployment. This sequence below works for our existing CAS 4.0.3 system.

1. https://cas-server.nau.edu/cas/login?service=https://my-app.nau.edu/mail/

SUCCESS: https://my-app.nau.edu/mail/?ticket=ST-1-idYBys2cQPo9TFrticiH-cas-server.nau.edu

2. https://cas-server.nau.edu/cas/serviceValidate?ticket=ST-1-idYBys2cQPo9TFrticiH-cas-server.nau.edu&service=https://my-app.nau.edu/mail/

SUCCESS response.

3. https://cas-server.nau.edu/cas/proxyValidate?ticket=ST-1-idYBys2cQPo9TFrticiH-cas-server.nau.edu&service=https://my-app.nau.edu/mail/&pgtUrl=https://cas-server.nau.edu/callback

SUCCESS response: userid PGTIOU-1-WfzNE715CnLCCAQAaIZQ45rSocWGBFdfVykHNqvbUKdWD6vkwX-cas-server.nau.edu false true 2017-07-25T09:41:06.053-07:00[US/Arizona] LdapAuthenticationHandler LdapAuthenticationHandler

4. tail -f localhost_access_log.2017-07-25.txt |grep -i pgtId=

"GET /callback?pgtIou=PGTIOU-1-WfzNE715CnLCCAQAaIZQ45rSocWGBFdfVykHNqvbUKdWD6vkwX-cas-server.nau.edu&pgtId=PGT-2-kEYrcBCFfmgqg7bfI0Ag673rEubeGtpjLNyIR3yOHs9dm5Mb7v-cas-server.nau.edu HTTP/1.1" 200 58 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_121)"

5. https://cas-server.nau.edu/cas/proxy?targetService=https://my-app.nau.edu/mail/&pgt=PGT-2-kEYrcBCFfmgqg7bfI0Ag673rEubeGtpjLNyIR3yOHs9dm5Mb7v-cas-server.nau.edu

FAILURE: url status code 500

6. The corresponding catalina-daemon.out shows a null returned from getTargetService(ProxyController.java:102)

2017-07-25 09:43:44,585 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception due to a type mismatch>

java.lang.NullPointerException

        at org.apereo.cas.web.ProxyController.getTargetService(ProxyController.java:102) ~[cas-server-support-validation-5.0.6.jar:5.0.6]

        at org.apereo.cas.web.ProxyController.handleRequestInternal(ProxyController.java:78) ~[cas-server-support-validation-5.0.6.jar:5.0.6]

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_121]

        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_121]

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_121]

        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_121]

7.  Line 102 - why is this.webApplicationServiceFactory.createService(request) return null???

    private Service getTargetService(final HttpServletRequest request) {

        return this.webApplicationServiceFactory.createService(request);

    }

8. Our Service Proxy Authentication:

{

  "@class" : "org.apereo.cas.services.RegexRegisteredService",

  "serviceId" : ".*",

  "name" : "allow all",

  "id" : 10000005,

  "evaluationOrder" : 5,

  "evaluationOrder" : 10005

  "proxyPolicy" : {

    "@class" : "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",

    "pattern" : ".*"

  }

}

Any ideas on a debug approach is appreciated.

[Matt Borja]

Hi Duane,

If you have a NullPointerException on that line, it suggests that the object was not properly instantiated, in this case setWebApplicationServiceFactory.

A couple reasons for this may be that you're either missing a module or certain settings in cas.properties required to "activate" the service. We've observed our fair share of difficulties stemming from documentation issues alone (CAS 5.1.x here). One we recently submitted [yet another] PR (#2811) for addresses a java.lang.ClassNotFoundException which merely involved changing org.apache.xerces.util.SecurityManager to com.sun.org.apache.xerces.internal.util.SecurityManager.

Also, in case you haven't seen this already (in addition to service configuration for Proxy Authentication): https://apereo.github.io/cas/5.0.x/installation/Configuring-Proxy-Authentication.html

Since you're already in the CAS 5 line, have you thought about going straight to CAS 5.1.x to see if the issue has been resolved there? It appears they started to move away from the instantiation methodology present in CAS 5.0.x (ProxyController.java:127) to constructor-based in CAS 5.1.x (ProxyController:66) per this issue: https://github.com/apereo/cas/issues/2184

Hope that helps some!

Matt Borja

--
You received this message because you are subscribed to the Google Groups "CAS Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-dev+u...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-dev/.

[Duane Booher]

Hi,

I've switched to 5.1.2 and can not get a successful cas/login?service=...

It is probably a mis-configuration on my part from 5.0.6 to 5.1.2, but I can't seem to find what that would be.

2017-08-01 10:32:20,397 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception due to a type mismatch>

org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing [AnnotatedAction@5752070e targetAction = [EvaluateAction@1ba29e96 expression = flowScope.service.getResponse(requestScope.serviceTicketId), resultExpression = requestScope.response], attributes = map[[empty]]] in state 'redirect' of flow 'login' -- action execution attributes were 'map[[empty]]'

at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60) ~[spring-webflow-2.4.4.RELEASE.jar:2.4.4.RELEASE]

at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101) ~[spring-webflow-2.4.4.RELEASE.jar:2.4.4.RELEASE]

at org.springframework.webflow.engine.State.enter(State.java:194) ~[spring-webflow-2.4.4.RELEASE.jar:2.4.4.RELEASE]

at org.springframework.webflow.engine.Transition.execute(Transition.java:228) ~[spring-webflow-2.4.4.RELEASE.jar:2.4.4.RELEASE]

at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395) ~[spring-webflow-2.4.4.RELEASE.jar:2.4.4.RELEASE]

at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214) ~[spring-webflow-2.4.4.RELEASE.jar:2.4.4.RELEASE]

at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:116) ~[spring-webflow-2.4.4.RELEASE.jar:2.4.4.RELEASE]

at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:547) ~[spring-webflow-2.4.4.RELEASE.jar:2.4.4.RELEASE]

at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:390) ~[spring-webflow-2.4.4.RELEASE.jar:2.4.4.RELEASE]

at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210) ~[spring-webflow-2.4.4.RELEASE.jar:2.4.4.RELEASE]

Also, attached a larger snip of the log.

Any ideas?

Thanks, Duane

[Duane Booher]

Here is an update on this post. We had too much customization invested in 5.0 to consider 5.1, and we found that the cas/proxy was broke on 5.0.5 and 5.0.6, but worked in 5.0.5, so we fell back to 5.0.5. I've been too busy to formally report this issue to the project and will do so soon.

Duane

On Tuesday, July 25, 2017 at 10:19:10 AM UTC-7, Duane Booher wrote:

[Duane Booher]

correct to last post: cas/proxy did not work for us on 5.0.6 and 5.0.7, but does work on 5.0.5

[Udo Einspanier]

Hi Duane,

do you have any updates on this issue? This still seems to be broken in 5.0.9.

Regards,

Udo

[Duane Booher]

No updates and and the last time I checked it was still unresolved. I know it is now consider an older release at this point, but we have decided to implement 5.0.5 in to production and we are now completing final testing.

[Alex]

Did you modified CAS login-webflow.xml?

From the logs I see that it trying to access to SimpleWebApplicationServiceImpl.getResponse(..).

Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1004E: Method call: Method getResponse(java.lang.String) cannot be found on org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl type

This method doesn't exist in CAS 5.1 anymore (was in CAS 5.0).