CAS & GeoServer


TDenis

Jun 19, 2018, 6:53:33 AM
to CAS Community
Hello,
I am trying to configure geoserver to use CAS.

When I try to access geoserver:
the redirect occurs:

Then I get a redirect back to geoserver with a service ticket.
Then geoserver itself sends a request to validate ST, but it specifies a different callback url:


Then CAS denies the request with INVALID_SERVICE code.
And I get a redirection loop - geoserver redirects a client to CAS, CAS issues an ST and redirects back, geoserver requests a validation, CAS fails to validate, geoserver redirects a client to CAS and so on...

Need help on how to configure CAS to accept that different URL.
Thanks in advance.

Matthew Uribe

Jun 19, 2018, 11:10:07 AM
to cas-...@apereo.org
How do you have the service defined? Do you have a wildcard for anything after the geoserver/?


TDenis

Jun 19, 2018, 11:31:19 AM
to CAS Community
No, I haven't defined custom services, I have only two default json files: HTTPSandIMAPS-10000001.json and Apereo-10000002.json.
Isn't the [^(https|imaps)://.*] service appropriate?


Log:
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Tue Jun 19 18:20:31 MSK 2018,source=InitialAuthenticationAttemptWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Jun 19 18:20:31 MSK 2018
CLIENT IP ADDRESS: 192.168.56.1
SERVER IP ADDRESS: 192.168.56.10
=============================================================

>
2018-06-19 18:20:31,814 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.DefaultCentralAuthenticationService.getTicket]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager',+org.apereo.cas.ticket.InvalidTicketException>
2018-06-19 18:20:31,815 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Initiating transaction commit>
2018-06-19 18:20:31,815 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.ticket.registry.DefaultTicketRegistrySupport.getAuthenticationFrom]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
2018-06-19 18:20:31,816 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Initiating transaction commit>
2018-06-19 18:20:31,816 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <Collecting authentication history based on [1] authentication events>
2018-06-19 18:20:31,822 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <Evaluating authentication principal [casuser] for inclusion in result>
2018-06-19 18:20:31,822 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <Collected principal attributes [{}] for inclusion in this result for principal [casuser]>
2018-06-19 18:20:31,823 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <Collected single authentication attribute [credentialType] -> [UsernamePasswordCredential]>
2018-06-19 18:20:31,823 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <Collected single authentication attribute [authenticationMethod] -> [AcceptUsersAuthenticationHandler]>
2018-06-19 18:20:31,823 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <Collected single authentication attribute [successfulAuthenticationHandlers] -> [[AcceptUsersAuthenticationHandler]]>
2018-06-19 18:20:31,824 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <Finalized authentication attributes [{credentialType=UsernamePasswordCredential, authenticationMethod=AcceptUsersAuthenticationHandler, successfulAuthenticationHandlers=[AcceptUsersAuthenticationHandler]}] for inclusion in this authentication result>
2018-06-19 18:20:31,824 DEBUG [org.apereo.cas.authentication.DefaultPrincipalElectionStrategy] - <Nominated [casuser] as the primary principal>
2018-06-19 18:20:31,825 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <Determined primary authentication principal to be [casuser]>
2018-06-19 18:20:31,825 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <Collected authentication attributes for this result are [{credentialType=UsernamePasswordCredential, authenticationMethod=AcceptUsersAuthenticationHandler, successfulAuthenticationHandlers=[AcceptUsersAuthenticationHandler]}]>
2018-06-19 18:20:31,826 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <Authentication result commenced at [2018-06-19T18:20:31.826+03:00[Europe/Moscow]]>
2018-06-19 18:20:31,826 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - <Building an authentication result for authentication [org.apereo.cas.authentication.DefaultAuthentication@75b8cd7d] and service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@654609cb[id=https://192.168.56.10:8443/geoserver,originalUrl=https://192.168.56.10:8443/geoserver,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML]]>
2018-06-19 18:20:31,827 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.DefaultCentralAuthenticationService.grantServiceTicket]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
2018-06-19 18:20:31,828 DEBUG [org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy] - <Skipping access strategy policy, since no attributes rules are defined>
2018-06-19 18:20:31,828 DEBUG [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Current authentication via ticket [TGT-1-*********************************************************GYGuZ-6jsA-astra] allows service [https://192.168.56.10:8443/geoserver] to participate in the existing SSO session>
2018-06-19 18:20:31,829 DEBUG [org.apereo.cas.ticket.factory.DefaultServiceTicketFactory] - <Looking up service ticket id generator for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl]>
2018-06-19 18:20:31,829 DEBUG [org.apereo.cas.ticket.factory.DefaultServiceTicketFactory] - <Attempting to encode service ticket [ST-10-8baDkyl9gRV5VKkuXqQnk3kWMBw-astra]>
2018-06-19 18:20:31,832 DEBUG [org.apereo.cas.ticket.factory.DefaultServiceTicketFactory] - <Encoded service ticket id [ST-10-8baDkyl9gRV5VKkuXqQnk3kWMBw-astra]>
2018-06-19 18:20:31,833 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Added ticket [TGT-1-*********************************************************GYGuZ-6jsA-astra] to registry.>
2018-06-19 18:20:31,833 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Added ticket [ST-10-8baDkyl9gRV5VKkuXqQnk3kWMBw-astra] to registry.>
2018-06-19 18:20:31,835 INFO [org.apereo.cas.DefaultCentralAuthenticationService] - <Granted ticket [ST-10-8baDkyl9gRV5VKkuXqQnk3kWMBw-astra] for service [https://192.168.56.10:8443/geoserver] and principal [casuser]>
2018-06-19 18:20:31,835 DEBUG [org.apereo.cas.AbstractCentralAuthenticationService] - <Publishing [org.apereo.cas.support.events.ticket.CasServiceTicketGrantedEvent@3917031d[ticketGrantingTicket=TGT-1-*********************************************************GYGuZ-6jsA-astra,serviceTicket=ST-10-8baDkyl9gRV5VKkuXqQnk3kWMBw-astra]]>
2018-06-19 18:20:31,838 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

=============================================================
WHO: casuser
WHAT: ST-10-8baDkyl9gRV5VKkuXqQnk3kWMBw-astra for https://192.168.56.10:8443/geoserver
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Jun 19 18:20:31 MSK 2018
CLIENT IP ADDRESS: 192.168.56.1
SERVER IP ADDRESS: 192.168.56.10
=============================================================

>
2018-06-19 18:20:31,839 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Initiating transaction commit>
2018-06-19 18:20:31,840 DEBUG [org.apereo.cas.authentication.principal.DefaultResponse] - <Sanitized URL for redirect response is [https://192.168.56.10:8443/geoserver]>
2018-06-19 18:20:31,843 DEBUG [org.apereo.cas.authentication.principal.DefaultResponse] - <Final redirect response is [https://192.168.56.10:8443/geoserver?ticket=ST-10-8baDkyl9gRV5VKkuXqQnk3kWMBw-astra]>
2018-06-19 18:20:31,851 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <Created [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@5f241c35[id=https://192.168.56.10:8443/geoserver,originalUrl=https://192.168.56.10:8443/geoserver,artifactId=ST-10-8baDkyl9gRV5VKkuXqQnk3kWMBw-astra,principal=<null>,loggedOutAlready=false,format=XML]] based on [org.apereo.cas.authentication.principal.WebApplicationServiceFactory@f1153c9[]]>
2018-06-19 18:20:31,852 DEBUG [org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor generated service type [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl] for: [https://192.168.56.10:8443/geoserver]>
2018-06-19 18:20:31,853 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.DefaultCentralAuthenticationService.getTicket]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager',+org.apereo.cas.ticket.InvalidTicketException>
2018-06-19 18:20:31,854 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Initiating transaction commit>
2018-06-19 18:20:31,855 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <No specific authentication handlers are required for this transaction>
2018-06-19 18:20:31,860 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler,AcceptUsersAuthenticationHandler]>
2018-06-19 18:20:31,861 WARN [org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <Proxy policy for service [^(https|imaps)://.*] cannot authorize the requested callback url [https://192.168.56.10:8443/geoserver/j_spring_cas_security_proxyreceptor].>
2018-06-19 18:20:31,861 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[HttpBasedServiceCredentialsAuthenticationHandler] exception details: [https://192.168.56.10:8443/geoserver/j_spring_cas_security_proxyreceptor cannot be authorized].>
2018-06-19 18:20:31,862 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Credential is not one of username/password and is not accepted by handler [AcceptUsersAuthenticationHandler]>
2018-06-19 18:20:31,862 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [https://192.168.56.10:8443/geoserver/j_spring_cas_security_proxyreceptor] of type [HttpBasedServiceCredential]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.>
2018-06-19 18:20:31,863 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Tue Jun 19 18:20:31 MSK 2018
CLIENT IP ADDRESS: 192.168.56.10
SERVER IP ADDRESS: 192.168.56.10
=============================================================

>
2018-06-19 18:20:31,863 WARN [org.apereo.cas.web.AbstractServiceValidateController] - <Failed to authenticate service credential [https://192.168.56.10:8443/geoserver/j_spring_cas_security_proxyreceptor]>




On Tuesday, June 19, 2018 at 18:10:07 UTC+3, Matthew Uribe wrote:

Ray Bon

Jun 19, 2018, 1:01:50 PM
to cas-...@apereo.org
This line in the log:
<Proxy policy for service [^(https|imaps)://.*] cannot authorize the requested callback url [https://192.168.56.10:8443/geoserver/j_spring_cas_security_proxyreceptor].>

The default definition does not allow proxying. Check service settings under Proxy Authentication tab.

Ray

-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca
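
Added example (not part of the thread and not the CAS project's own file): a dedicated service definition for the CAS JSON service registry that enables proxy authentication for GeoServer only, instead of loosening the catch-all `^(https|imaps)://.*` entry. The file name, `name`, `id` and `evaluationOrder` values are assumptions; the host and callback URL are taken from the log above, and the comments rely on the registry's relaxed (Hjson) JSON syntax.

```json
/* Constructed example, saved as GeoServer-10000003.json in the services
   directory (file name, name, id and evaluationOrder are assumptions;
   the URLs come from the log posted in this thread). */
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",

  /* Match only the GeoServer application, not every https/imaps URL. */
  "serviceId" : "^https://192\\.168\\.56\\.10:8443/geoserver([/?].*)?$",
  "name" : "GeoServer",
  "id" : 10000003,

  /* Lower values are evaluated first, so this entry is selected
     before the default catch-all definition. */
  "evaluationOrder" : 10,

  /* Without this block the service refuses proxying, which produces the
     "Proxy policy for service ... cannot authorize the requested
     callback url" warning seen in the log. */
  "proxyPolicy" : {
    "@class" : "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",

    /* Authorize exactly the proxy callback endpoint GeoServer sends. */
    "pattern" : "^https://192\\.168\\.56\\.10:8443/geoserver/j_spring_cas_security_proxyreceptor$"
  }
}
```

Anchoring `pattern` to the single callback URL keeps proxy-granting tickets limited to GeoServer; a broad pattern such as `^https?://.*` would authorize any HTTPS endpoint that matches the service as a proxy callback.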

TDenis

Jun 20, 2018, 3:49:03 AM
to CAS Community
Thank you, it worked.



On Tuesday, June 19, 2018 at 20:01:50 UTC+3, rbon wrote: