x509 authentication in 4.1.8


Klaus-Dieter Krannich

May 23, 2016, 4:11:53 PM
to CAS Community
Hello,

After the upgrade to 4.1.8 (from 4.1.6), we have problems with x509 authentication.

----
2016-05-23 19:15:28,546 DEBUG [org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction] - Certificate found in request.
2016-05-23 19:15:28,575 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - Evaluating [subjectDn=EMAILADDRESS=x...@yy.zz, CN=x, OU=x, O=x, L=x, ST=x, C=x,serialNumber=x]
2016-05-23 19:15:28,579 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - .* matches EMAILADDRESS=x...@yy.zz, CN=x, OU=x, O=x, L=x, ST=x, C=x == true
2016-05-23 19:15:28,581 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - Checking certificate keyUsage extension
2016-05-23 19:15:28,583 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - KeyUsage extension is marked critical or required by configuration.
2016-05-23 19:15:28,589 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - EMAILADDRESS=yy@zz, CN=[^,]*, OU=x, O=x, L=x, ST=x, C=x matches EMAILADDRESS=yy@zz, CN=x, OU=x, O=x, L=x, ST=x, C=x == true
2016-05-23 19:15:28,591 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - Found valid client certificate
2016-05-23 19:15:28,593 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - X509CredentialsAuthenticationHandler successfully authenticated [subjectDn=EMAILADDRESS=x...@yy.zz, CN=x, OU=x, O=x, L=x, ST=x, C=x,serialNumber=x]
2016-05-23 19:15:28,594 DEBUG [org.jasig.cas.adaptors.x509.authentication.principal.X509SubjectPrincipalResolver] - Attempting to resolve a principal...
2016-05-23 19:15:28,612 DEBUG [org.jasig.cas.adaptors.x509.authentication.principal.X509SubjectPrincipalResolver] - Resolving principal for [
[
  Version: V3
  Subject: EMAILADDRESS=x...@yy.zz, CN=x, OU=x, O=x, L=x, ST=x, C=x
  ...
]
2016-05-23 19:15:28,630 DEBUG [org.jasig.cas.adaptors.x509.authentication.principal.X509SubjectPrincipalResolver] - Creating SimplePrincipal for [x...@yy.zz]
2016-05-23 19:15:28,631 DEBUG [org.jasig.services.persondir.support.ldap.LdaptivePersonAttributeDao] - Created seed map='{username=[x...@yy.zz]}' for uid='x...@yy.zz'
2016-05-23 19:15:28,631 DEBUG [org.jasig.services.persondir.support.ldap.LdaptivePersonAttributeDao] - Adding attribute 'username' with value '[x...@yy.zz]' to query builder 'null'
2016-05-23 19:15:28,632 DEBUG [org.jasig.services.persondir.support.ldap.LdaptivePersonAttributeDao] - Constructed LDAP search query [(|(mail=x...@yy.zz)(uid=x...@yy.zz))]
2016-05-23 19:15:28,637 DEBUG [org.jasig.services.persondir.support.ldap.LdaptivePersonAttributeDao] - Generated query builder '[org.ldaptive.SearchFilter@-1951432215::filter=(|(mail={0})(uid={0})), parameters={0=x...@yy.zz}]' from query Map {username=[x...@yy.zz]}.
2016-05-23 19:15:28,681 DEBUG [org.jasig.services.persondir.support.ldap.LdaptivePersonAttributeDao] - Converted ldap DN entry [cn=x,ou=x,o=x,c=x] to attribute map {uid=[xx], employeeType=[xx], mail=[x...@yy.zz], businessCategory=[x], displayName=[x], destinationIndicator=[x]}
2016-05-23 19:15:28,684 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - Resolving argument [X509CertificateCredential] for audit
2016-05-23 19:15:28,685 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: [subjectDn=EMAILADDRESS=x...@yy.zz, CN=x, OU=x, O=x, L=x, ST=x, C=x,serialNumber=x]
WHAT: 'principal' cannot be null.
Check the correctness of @Audit annotation at the following audit point: execution(public abstract transient org.jasig.cas.authentication.Authentication org.jasig.cas.authentication.AuthenticationManager.authenticate(org.jasig.cas.authentication.Credential[]))
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
----

Any suggestions?

 K-D Krannich