IO error sending HTTP request to /samlValidate


Manfredo Hopp

Nov 22, 2016, 7:26:00 PM
to Cas
Hi, we have CAS client applications using SAML 1.1 which we recently upgraded to SAML 1.1 V2.6.6.

With one of these applications (= front end) we are experiencing problems when it is accessed through CAS.

These intermittent problems make this application unavailable and we end up changing the SAML version back to its prior jar version (1.1).

We have CAS 4.0.1 installed and the client application is under Spring/Spring Security (with Spring Security CAS). The pom artifact versions are as follows:

<org.springframework.version>4.2.2.RELEASE</org.springframework.version>
<org.springframework.security.version>4.0.3.RELEASE</org.springframework.security.version>
<org.jasig.cas.client.cas-client-core.version>3.2.1</org.jasig.cas.client.cas-client-core.version>
<org.opensaml.opensaml.version>2.6.6</org.opensaml.opensaml.version>
<commons-codec.commons-codec.version>1.5</commons-codec.commons-codec.version>
<org.apache.santuario.xmlsec.version>1.4.3</org.apache.santuario.xmlsec.version>

CAS version 4.0.1 has opensaml-2.5.1-1.jar.
Could this difference in version cause some problem with clients, or is there any other known issue with this configuration?

CAS is running on Tomcat 8.5.5 and the application is under Tomcat 6.0.45.

Any comments on this would be greatly appreciated!

Manfredo



Stacktrace of problem
=======================================================
mensaje IO error sending HTTP request to /samlValidate

descripción El servidor encontró un error interno que hizo que no pudiera rellenar este requerimiento.

excepción

java.lang.RuntimeException: IO error sending HTTP request to /samlValidate
    org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:215)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:158)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:143)
    org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
    org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:270)
    org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:121)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:121)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)

causa raíz

java.io.IOException: Server returned HTTP response code: 403 for URL: https://my.domain/cas/samlValidate?TARGET=http%3A%2F%2Fmy.domain%2Fauth%2Flogin%2Fcas
    sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1627)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:213)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:158)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:143)
    org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
    org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:270)
    org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:121)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:121)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)

nota La traza completa de la causa de este error se encuentra en los archivos de diario de Apache Tomcat/6.0.45.

Misagh Moayyed

Nov 23, 2016, 11:22:17 AM
to cas-...@apereo.org

You may want to consider upgrading the client itself, rather than a dependency it requires.

 

--Misagh

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAB623R85%2BosaYkhqtL6f7r8_-jYVU7zLRN%3D_gF8bpOZFWN8-yg%40mail.gmail.com.

Manfredo Hopp

Nov 23, 2016, 3:57:05 PM
to Cas
Hi Misagh, thank you for your reply,

I made a mistake in the above pom artifact versions.

I will write down the 2 versions we have been using:

The new configuration pom (the one which throws that stacktrace) is:

<org.springframework.version>4.3.3.RELEASE</org.springframework.version>
<org.springframework.security.version>4.1.3.RELEASE</org.springframework.security.version>
<org.jasig.cas.client.cas-client-support-saml.version>3.4.1</org.jasig.cas.client.cas-client-support-saml.version>
<org.opensaml.opensaml.version>2.6.6</org.opensaml.opensaml.version>
<commons-codec.commons-codec.version>1.10</commons-codec.commons-codec.version>
<org.apache.santuario.xmlsec.version>1.5.7</org.apache.santuario.xmlsec.version>

SAML has no dependency on cas-client, so we put version 2.6.6.

The older version (the one we have to use in order to avoid the problems) would be:

<org.springframework.version>4.2.2.RELEASE</org.springframework.version>
<org.springframework.security.version>4.0.3.RELEASE</org.springframework.security.version>
<org.jasig.cas.client.cas-client-core.version>3.3.3</org.jasig.cas.client.cas-client-core.version>
<org.opensaml.opensaml.version>1.1</org.opensaml.opensaml.version>
<commons-codec.commons-codec.version>1.5</commons-codec.commons-codec.version>
<org.apache.santuario.xmlsec.version>1.4.3</org.apache.santuario.xmlsec.version>


Thank you again

Manfredo

Misagh Moayyed

Nov 23, 2016, 4:15:00 PM
to cas-...@apereo.org

3.4.1 does not use OpenSAML. The problem is elsewhere.

https://github.com/apereo/java-cas-client/issues/100

 

--Misagh

 
