Hello,
Do not focus on the service loading, look at the logs from the time
you are actually trying to access the service. That should help you
more.
Hm... your HTTPd does SSL offloading. That might be the case... I
faced a similar problem with my https/443 -> http/8080 proxy.
I am not sure if that applies to AJP proxying too, but I *think* AJP
should transfer scheme information... anyway, I will describe the
problem I was having, just in case.
I was running an https/443 (nginx) -> http/8080 proxy (standalone
Tomcat + CAS .war). Older CAS (6.2.x) was working fine with my OIDC
configuration, newer (6.5.x) was not. I was getting the same error
as you do.
My server prefix was https://am.something.tld/cas, so I set the OIDC
issuer to https://am.something.tld/cas/oidc. All good here.
In 6.5.x there is some additional matching/checking of the OIDC
issuer against incoming OIDC requests and/or service callbacks in
the CAS itself.
I got one line in the log which was something like:
the request https://am.something.tld/cas/oidc/authorize?=... does not match oidc issuer http://am.something.tld/cas/oidc
See the "http" in the matching rule where the "https" should be? The
problem here was bad URI scheme information getting to CAS.
CAS gets the info from the X-Forwarded-Proto header and from the Tomcat
connector object (the Java representation of the HTTP connector inside
the application container). Basically, CAS thought I was running
plain HTTP because the Tomcat connector object is plain http for the
backend server and I was not giving it the X-Forwarded-Proto header.
I had to make sure my proxy is setting the correct X-Forwarded-Proto
header and Tomcat propagates it to the application via RemoteIpValve.
Once I did this, things started working.
Cheers,
Fiisch
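To make the failure mode above concrete, here is an added example (not code from the thread, from CAS or from Tomcat) that models how a servlet container behind a TLS-terminating proxy decides the request scheme, and how an issuer check then compares that scheme against the configured issuer. The trusted-proxy ranges, the host name, the path and the simplified matching rule are illustrative assumptions; the real CAS check and the real RemoteIpValve have more options than this.

```python
"""
Added example: model of scheme recovery behind a reverse proxy and the
OIDC issuer comparison that depends on it. Hosts, networks and the
matching rule are assumptions chosen to mirror the thread's scenario.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample data: where the reverse proxy lives, and the issuer
# configured on the CAS side (https, because the proxy terminates TLS).
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]
ISSUER = "https://am.something.tld/cas/oidc"


def effective_url(connector_scheme, host, path, headers, remote_addr,
                  trusted_proxies=TRUSTED_PROXIES):
    """Reconstruct the URL the application believes it is serving.

    The scheme starts as the backend connector's own scheme (plain http for
    a Tomcat listening on :8080). It is overridden by X-Forwarded-Proto only
    when the peer that sent the request is a trusted proxy; a header sent by
    an untrusted peer is ignored, so a client reaching the backend directly
    cannot spoof the scheme. This is the RemoteIpValve idea, simplified.
    """
    scheme = connector_scheme
    fwd = headers.get("X-Forwarded-Proto")
    if fwd and any(ip_address(remote_addr) in net for net in trusted_proxies):
        scheme = fwd.split(",")[0].strip().lower()  # first hop in the chain
    return f"{scheme}://{host}{path}"


def issuer_matches(request_url, issuer=ISSUER):
    """Scheme, host (incl. port) and the issuer path prefix must all agree.

    Assumed rule: a request to <issuer>/authorize matches, a request whose
    scheme differs does not, which is exactly the http-vs-https mismatch
    seen in the log line quoted in the thread.
    """
    req, iss = urlsplit(request_url), urlsplit(issuer)
    return (req.scheme == iss.scheme
            and req.netloc.lower() == iss.netloc.lower()
            and req.path.startswith(iss.path.rstrip("/") + "/"))


def demo():
    """Run the three cases a practitioner wants to see side by side."""
    host, path = "am.something.tld", "/cas/oidc/authorize"
    # 1. Proxy does not set the header: only the http connector is known.
    missing = effective_url("http", host, path, {}, "10.0.0.5")
    # 2. Proxy sets X-Forwarded-Proto: https and is a trusted peer.
    trusted = effective_url("http", host, path,
                            {"X-Forwarded-Proto": "https"}, "10.0.0.5")
    # 3. Same header, but sent by an address outside the trusted ranges.
    untrusted = effective_url("http", host, path,
                              {"X-Forwarded-Proto": "https"}, "203.0.113.9")
    return {
        "missing_header": (missing, issuer_matches(missing)),
        "trusted_proxy": (trusted, issuer_matches(trusted)),
        "untrusted_peer": (untrusted, issuer_matches(untrusted)),
    }


if __name__ == "__main__":
    for case, (url, ok) in demo().items():
        print(f"{case:15} {url}  matches issuer: {ok}")
```

The first case reproduces the "does not match oidc issuer http://..." symptom: the connector is http and nothing tells the application otherwise. The second is the fix described above. The third is the caveat that goes with it: the proxy header must only be honoured from the proxy itself, which in Tomcat is what RemoteIpValve's `internalProxies` / `trustedProxies` settings (together with `protocolHeader`) are for; if the backend port is reachable from elsewhere and every peer is trusted, anyone can choose the scheme the application sees.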
On 05/05/2022 02:01 PM, wouldsmina wrote:
Hello Fiisch,
Yes debug logging is enabled, but nothing interesting.
Service file is correctly loaded:
[2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - <Attempting to read and parse [/etc/cas/services/appoidc-1624798320.json]>
[2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Mapped [email] to attribute release policy [OidcEmailScopeAttributeReleasePolicy]>
[2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Mapped [profile] to attribute release policy [OidcProfileScopeAttributeReleasePolicy]>
[2022-05-05 12:10:03] [info] 2022-05-05 12:10:03,277 DEBUG [org.apereo.cas.oidc.services.OidcServiceRegistryListener] - <Given scope [offline_access], service [1624798320] is marked to generate refresh tokens>
The CAS server is behind a proxy (Apache) like my CAS 6.1:
<VirtualHost *:443>
    ServerAdmin s...@domain.fr
    ServerName cas-test.domain.fr
    DocumentRoot /var/www/cas-test
    AccessFileName .htaccess

    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Allow from all
    </Directory>

    <Directory /var/www/>
        Options FollowSymLinks MultiViews
        AllowOverride AuthConfig
        Order allow,deny
        Allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/cas-test-error.log
    CustomLog ${APACHE_LOG_DIR}/cas-test-ssl_access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    SSLEngine on

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch ".*.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    # Requests under /cas are handed to Tomcat over AJP
    ProxyPass /cas ajp://spartana-b2.domain.fr:8010/cas
</VirtualHost>
Regards.