[CAS 6.1.X] Issue with mod_auth_cas
52 views
Skip to first unread message
Jean-Damien POGOLOTTI
Feb 4, 2019, 3:56:56 AM2/4/19
to CAS Community
Hi there,
I've just installed CAS 6.1.0 to replace our legacy SSO infrastructure and I'm facing an issue while trying to authenticate from a web app secured by mod_auth_cas.
Redirection to the CAS service works, authentification is done but I receive an HTTP 401 in my web application.
Looking in the mod_auth_cas logs (set to debug), I see the following :
[Mon Feb 04 09:27:59.756552 2019] [:debug] [pid 9503] mod_auth_cas.c(1442): [client 147.<xx>:59439] MOD_AUTH_CAS: response = <!doctype html><html lang="fr"><head><title>\xc3\x89tat HTTP 406 \xe2\x80\x93 Inacceptable</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>\xc3\x89tat HTTP 406 \xe2\x80\x93 Inacceptable</h1><hr class="line" /><p><b>Type</b> Rapport d'\xc3\xa9tat</p><p><b>description</b> La ressource identifi\xc3\xa9e par cette requ\xc3\xaate n'est capable de g\xc3\xa9n\xc3\xa9rer des r\xc3\xa9ponses qu'avec des caract\xc3\xa9ristiques incompatible avec la directive "accept" pr\xc3\xa9sente dans l'ent\xc3\xaate de requ\xc3\xaate.</p><hr class="line" /><h3>Apache Tomcat/9.0.14</h3></body></html>, referer: https://dummy.<xx>/?ticket=ST-41-aF1h-Q9qm9Ri-Gd01CUyPOwxjtQvmi-prod-410
[Mon Feb 04 09:27:59.756676 2019] [:error] [pid 9503] [client 147.<xx>:59439] MOD_AUTH_CAS: error parsing CASv2 response: XML parser error code: syntax error (2), referer: https://dummy.<xx>/?ticket=ST-41-aF1h-Q9qm9Ri-Gd01CUyPOwxjtQvmi-prod-410
I believe that the interesting part is the HTTP 406 answer received while validating the ticket. (La ressource identifiée par cette requète n'est capable de gérer des réponses qu'avec des caractéristiques incompatible avec la directive "accept" présente dans l'entête de requète.)
Looking at the Tomcat logs of the CAS server I see :
147.<xx> - - [04/Feb/2019:09:52:59 +0100] "POST /cas/serviceValidate?TARGET=https%3a%2f%2fdummy.<xx>%2f HTTP/1.1" 406 1119147.<xx> - - [04/Feb/2019:09:52:59 +0100] "POST /cas/serviceValidate?TARGET=https%3a%2f%2fdummy.<xx>%2f HTTP/1.1" 406 1119
The configuration of the mod_auth_cas apache module :
LoadModule auth_cas_module modules/mod_auth_cas.so<IfModule mod_auth_cas.c>CASVersion 2CASLoginURL https://federation.<xx>/cas/loginCASValidateURL https://federation.<xx>/cas/serviceValidateCASProxyValidateURL https://federation.<xx>/cas/proxyValidateCASCertificatePath /etc/httpd/conf.modules.d/federation.<xx>.crtCASValidateSAML OnCASCookiePath /var/lib/cas/CASTimeout 7200CASIdleTimeout 7200CASDebug On</IfModule>
Any help would be greatly appreciated.
Kind regards,
Jean-Damien
Jean-Damien POGOLOTTI
Feb 4, 2019, 6:40:17 AM2/4/19
to CAS Community
Turning CASValidateSAML to Off in the mod_auth_cas configuration correct the issue :
CASValidateSAML On
But I need to understand why.
Did I miss to include a dependency in my build.gradle ? Following are added :
dependencies {compile "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}"compile "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"compile "com.unboundid:unboundid-ldapsdk:4.0.9"compile "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"compile "org.apereo.cas:cas-server-support-saml:${project.'cas.version'}"compile "org.apereo.cas:cas-server-support-saml-idp-ticket:${project.'cas.version'}"compile "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"compile "org.apereo.cas:cas-server-support-saml-idp-metadata:${project.'cas.version'}"compile "org.apereo.cas:cas-server-support-saml-idp-web:${project.'cas.version'}"}
Kind regards,
Jean-Damien
Jean-Damien POGOLOTTI
Feb 4, 2019, 6:53:58 AM2/4/19
to CAS Community
Ok, found it digging in the archive. I want a SAML answer and I'm not using the correct endpoint.
Replacing with :
#CASValidateURL https://federation.<xx>/cas/serviceValidateCASValidateSAML On
Solve the issue.
Kind regards,
Jean-Damien
Reply all
Reply to author
Forward
0 new messages