CAS management 7


Benjamin Renard

Mar 26, 2024, 10:45:10 AM
to CAS Community
Hello,

I'm trying to install a CAS server (v7) on a Debian 12 host. I'm using Debian's tomcat10 package, Apache2 as a reverse proxy (AJP), the Oracle JDK 21.0.2 and a CAS Initializr overlay to build the cas.war file. My CAS server runs well, but I have a problem with the authentication of the management app. I use a CAS Initializr overlay for CAS management 7.0.0-SNAPSHOT and have no problem building the war and deploying it in the same context. I configured the CAS client in the management app:


When I try to access the management app, I enter a loop: I'm redirected to the CAS server, which authenticates me and redirects me to the management app on its callback URL with a ticket (https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-53-oxTcezruW9p3hhw5YBRWDXF4HUk-cas1-preprod), and I'm redirected again to the CAS server for authentication, which redirects me back with a new ticket, and so on.

I have no errors in the logs; I tried enabling debugging and can't find any indication of my problem (see logs below). Do you have any idea?

Furthermore, is it a good idea in your opinion to run CAS server & management apps version 7 in production, or do I have to use version 6?

Thanks !

2024-03-26 12:45:29,508 DEBUG [org.springframework.security.web.FilterChainProxy] - Securing GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,508 DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] - Request: filter invocation [GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod]; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
2024-03-26 12:45:29,509 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - Set SecurityContextHolder to anonymous SecurityContext
2024-03-26 12:45:29,509 DEBUG [org.springframework.security.web.FilterChainProxy] - Secured GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,510 DEBUG [org.springframework.web.servlet.DispatcherServlet] - GET "/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod", parameters={masked}
2024-03-26 12:45:29,512 DEBUG [org.springframework.web.servlet.handler.SimpleUrlHandlerMapping] - Mapped to ResourceHttpRequestHandler [classpath [dist/], classpath [static/]]
2024-03-26 12:45:29,512 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - === SECURITY ===
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - url: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - clients: null | matchers: null
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Provided clientNames: null
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Default security clients: null
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Only client: CasClient
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - clientNameOnRequest: Optional.empty
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.Clients] - Found client: CasClient(super=IndirectClient(super=BaseClient(name=CasClient, authorizationGenerators=[org.apereo.cas.mgmt.authz.json.JsonResourceAuthorizationGenerator@3a1a130f, org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@693918b7], credentialsExtractor=org.pac4j.cas.credentials.extractor.CasCredentialsExtractor@463e523, authenticator=InitializableObject(initialized=false, maxAttempts=3, nbAttempts=0, lastAttempt=null, minTimeIntervalBetweenAttemptsInMilliseconds=5000), profileCreator=org.pac4j.core.profile.creator.AuthenticatorProfileCreator@356f4a7b, customProperties={}, profileFactoryWhenNotAuthenticated=null, multiProfile=false, saveProfileInSession=true, config=org.pac4j.core.config.Config@3236bd7d), callbackUrl=https://idp.example.tld/cas-management/callback, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, callbackUrlResolver=org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@4a2a083e, ajaxRequestResolver=org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f402824, redirectionActionBuilder=org.pac4j.cas.redirect.CasRedirectionActionBuilder@31d3b75f, logoutProcessor=org.pac4j.cas.logout.processor.CasLogoutProcessor@5083e21e, logoutActionBuilder=CasLogoutActionBuilder(serverLogoutUrl=https://idp.example.tld/cas/logout, postLogoutUrlParameter=service), checkAuthenticationAttempt=true), configuration=CasConfiguration(encoding=UTF-8, loginUrl=https://idp.example.tld/cas/login, prefixUrl=https://idp.example.tld/cas/, restUrl=https://idp.example.tld/cas/v1/tickets, timeTolerance=1000, protocol=CAS30, renew=false, gateway=false, acceptAnyProxy=false, allowedProxyChains=[], defaultTicketValidator=null, proxyReceptor=null, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, postLogoutUrlParameter=service, customParams={}, method=null, privateKeyPath=null, privateKeyAlgorithm=null, privateKey=null, hostnameVerifier=null, sslSocketFactory=null)) 
for name: CasClient
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - result: [CasClient]
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - currentClients: [CasClient(super=IndirectClient(super=BaseClient(name=CasClient, authorizationGenerators=[org.apereo.cas.mgmt.authz.json.JsonResourceAuthorizationGenerator@3a1a130f, org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@693918b7], credentialsExtractor=org.pac4j.cas.credentials.extractor.CasCredentialsExtractor@463e523, authenticator=InitializableObject(initialized=false, maxAttempts=3, nbAttempts=0, lastAttempt=null, minTimeIntervalBetweenAttemptsInMilliseconds=5000), profileCreator=org.pac4j.core.profile.creator.AuthenticatorProfileCreator@356f4a7b, customProperties={}, profileFactoryWhenNotAuthenticated=null, multiProfile=false, saveProfileInSession=true, config=org.pac4j.core.config.Config@3236bd7d), callbackUrl=https://idp.example.tld/cas-management/callback, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, callbackUrlResolver=org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@4a2a083e, ajaxRequestResolver=org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f402824, redirectionActionBuilder=org.pac4j.cas.redirect.CasRedirectionActionBuilder@31d3b75f, logoutProcessor=org.pac4j.cas.logout.processor.CasLogoutProcessor@5083e21e, logoutActionBuilder=CasLogoutActionBuilder(serverLogoutUrl=https://idp.example.tld/cas/logout, postLogoutUrlParameter=service), checkAuthenticationAttempt=true), configuration=CasConfiguration(encoding=UTF-8, loginUrl=https://idp.example.tld/cas/login, prefixUrl=https://idp.example.tld/cas/, restUrl=https://idp.example.tld/cas/v1/tickets, timeTolerance=1000, protocol=CAS30, renew=false, gateway=false, acceptAnyProxy=false, allowedProxyChains=[], defaultTicketValidator=null, proxyReceptor=null, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, postLogoutUrlParameter=service, customParams={}, method=null, privateKeyPath=null, privateKeyAlgorithm=null, privateKey=null, hostnameVerifier=null, 
sslSocketFactory=null))]
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get sessionId: 0D8A24DA3779DDC589CC82A00D7121ED
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.CacheControlMatcher@62ab3f9d -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XContentTypeOptionsMatcher@ba6fb34 -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: StrictTransportSecurityMatcher(maxAge=15768000) -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XFrameOptionsMatcher@57ab0e5b -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XSSProtectionMatcher@2471fb38 -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: 93cdd09ba2c74a3d9235b3c71fb3e8dd for key: pac4jCsrfToken
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator] - previous CSRF token: 93cdd09ba2c74a3d9235b3c71fb3e8dd
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jPreviousCsrfToken for value: 93cdd09ba2c74a3d9235b3c71fb3e8dd
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator] - generated CSRF token: 2af42c4e87984404bcc144ac7034dbc3 for current URL: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jCsrfToken for value: 2af42c4e87984404bcc144ac7034dbc3
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jCsrfTokenExpirationDate for value: 1711467929514
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: CsrfTokenGeneratorMatcher(csrfTokenGenerator=org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator@690fdeb, domain=null, path=/, httpOnly=true, secure=true, maxAge=null, sameSitePolicy=null, addTokenAsAttribute=true, addTokenAsHeader=false, addTokenAsCookie=true) -> true
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: null for key: pac4jUserProfiles
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Loaded profiles (from session: true): []
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Starting authentication
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.savedrequest.DefaultSavedRequestHandler] - requestedUrl: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jRequestedUrl for value: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: null for key: CasClient$attemptedAuthentication
2024-03-26 12:45:29,515 DEBUG [org.pac4j.cas.redirect.CasRedirectionActionBuilder] - redirectionUrl: https://idp.example.tld/cas/login?service=https%3A%2F%2Fidp.example.tld%2Fcas-management%2Fcallback%3Fclient_name%3DCasClient
2024-03-26 12:45:29,515 DEBUG [org.springframework.web.servlet.DispatcherServlet] - Completed 302 FOUND

Ray Bon

Mar 26, 2024, 2:40:57 PM
to cas-...@apereo.org
Benjamin,

The behaviour you describe happens when the service ticket cannot be validated.
cas management submits the ST to cas through a back channel over https.
If there is nothing in cas audit log about validation / failed validation (which would give a reason for failure), it could be a certificate problem.

Do you have a proper/valid certificate for idp.example.tld (i.e. cert signed by an authority)?

If not, you may have to add it to the java keystore (assuming you have already added it to tomcat config).

Ray

On Tue, 2024-03-26 at 05:02 -0700, Benjamin Renard wrote:
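Ray's explanation points at the place to look: in a healthy exchange the client's callback filter takes the /callback request and submits the ST to the CAS server for validation; in the loop, the callback URL is instead handled as an ordinary protected request, the session holds no profile, and the client redirects to /cas/login again without ever validating the ticket. The following triage script is an added example and not part of the thread or of CAS/pac4j; it parses the kind of DEBUG output Benjamin posted and flags that signature per ticket. The sample log lines are constructed after the posted ones (tickets and timestamps are made up), and the "=== CALLBACK ===" marker in the healthy sample is assumed to be what pac4j's DefaultCallbackLogic logs when it handles a callback.

```python
"""Triage CAS-client (pac4j / Spring Security) DEBUG output for the callback redirect loop.

Added example, not part of the thread. Sample lines are constructed after the ones
posted above; the DefaultCallbackLogic "=== CALLBACK ===" marker is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] - (?P<msg>.*)$")
TICKET_RE = re.compile(r"[?&]ticket=([^&\s]+)")

# Constructed sample reproducing the loop: two callback rounds, each with a fresh ST.
SAMPLE_LOOP_LOG = """\
2024-03-26 12:45:29,508 DEBUG [org.springframework.security.web.FilterChainProxy] - Securing GET /callback?client_name=CasClient&ticket=ST-10-abc-cas1-preprod
2024-03-26 12:45:29,512 DEBUG [org.springframework.web.servlet.handler.SimpleUrlHandlerMapping] - Mapped to ResourceHttpRequestHandler [classpath [dist/], classpath [static/]]
2024-03-26 12:45:29,512 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - === SECURITY ===
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Loaded profiles (from session: true): []
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Starting authentication
2024-03-26 12:45:29,515 DEBUG [org.pac4j.cas.redirect.CasRedirectionActionBuilder] - redirectionUrl: https://idp.example.tld/cas/login?service=https%3A%2F%2Fidp.example.tld%2Fcas-management%2Fcallback%3Fclient_name%3DCasClient
2024-03-26 12:45:29,515 DEBUG [org.springframework.web.servlet.DispatcherServlet] - Completed 302 FOUND
2024-03-26 12:45:30,101 DEBUG [org.springframework.security.web.FilterChainProxy] - Securing GET /callback?client_name=CasClient&ticket=ST-11-def-cas1-preprod
2024-03-26 12:45:30,103 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - === SECURITY ===
2024-03-26 12:45:30,104 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Loaded profiles (from session: true): []
2024-03-26 12:45:30,104 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Starting authentication
2024-03-26 12:45:30,105 DEBUG [org.pac4j.cas.redirect.CasRedirectionActionBuilder] - redirectionUrl: https://idp.example.tld/cas/login?service=https%3A%2F%2Fidp.example.tld%2Fcas-management%2Fcallback%3Fclient_name%3DCasClient
2024-03-26 12:45:30,105 DEBUG [org.springframework.web.servlet.DispatcherServlet] - Completed 302 FOUND
"""

# Constructed healthy sample: the callback filter takes the request before the security filter.
SAMPLE_HEALTHY_LOG = """\
2024-03-26 12:50:01,001 DEBUG [org.springframework.security.web.FilterChainProxy] - Securing GET /callback?client_name=CasClient&ticket=ST-12-xyz-cas1-preprod
2024-03-26 12:50:01,002 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - === CALLBACK ===
"""


@dataclass
class CallbackTrace:
    ticket: str
    callback_logic_ran: bool = False   # pac4j DefaultCallbackLogic handled the request
    security_logic_ran: bool = False   # pac4j DefaultSecurityLogic handled it instead
    profiles_empty: bool = False       # no authenticated profile found in the session
    redirected_to_login: bool = False  # client built a fresh redirect to /cas/login
    status: str = ""                   # HTTP status logged by DispatcherServlet, if any


def triage(log_text: str) -> List[CallbackTrace]:
    """Group the log by callback request (keyed on the ST) and record what handled it."""
    traces: Dict[str, CallbackTrace] = {}
    current: Optional[CallbackTrace] = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        logger, msg = m["logger"], m["msg"]
        # A callback request starts at Spring Security's "Securing GET /callback?...&ticket=..." line.
        if logger.endswith("FilterChainProxy") and msg.startswith("Securing ") and "/callback" in msg:
            t = TICKET_RE.search(msg)
            if t:
                current = traces.setdefault(t.group(1), CallbackTrace(ticket=t.group(1)))
            continue
        if current is None:
            continue
        if logger.endswith("DefaultCallbackLogic"):
            current.callback_logic_ran = True
        elif logger.endswith("DefaultSecurityLogic"):
            current.security_logic_ran = True
            if msg.startswith("Loaded profiles") and msg.rstrip().endswith("[]"):
                current.profiles_empty = True
        elif logger.endswith("CasRedirectionActionBuilder") and "/cas/login?" in msg:
            current.redirected_to_login = True
        elif logger.endswith("DispatcherServlet") and msg.startswith("Completed"):
            current.status = msg.split()[1]
            current = None  # request finished
    return list(traces.values())


def diagnose(trace: CallbackTrace) -> str:
    """Classify one callback request: ok / loop / inconclusive (prefix before the colon)."""
    if trace.callback_logic_ran:
        return "ok: callback handled by the pac4j callback logic (ticket validation attempted)"
    if trace.security_logic_ran and trace.profiles_empty and trace.redirected_to_login:
        return ("loop: /callback reached the security filter with no profile in session and was "
                "redirected to /cas/login again; the service ticket was never submitted for validation")
    return "inconclusive: callback seen but neither handler left a recognisable trace"


def summarize(log_text: str) -> Dict[str, int]:
    counts = {"loop": 0, "ok": 0, "inconclusive": 0}
    for trace in triage(log_text):
        counts[diagnose(trace).split(":")[0]] += 1
    return counts


if __name__ == "__main__":
    for trace in triage(SAMPLE_LOOP_LOG):
        print(trace.ticket, "->", diagnose(trace))
    print(summarize(SAMPLE_LOOP_LOG), summarize(SAMPLE_HEALTHY_LOG))
```

A "loop" verdict with a different ST on every round, and nothing hitting the CAS server's serviceValidate endpoint, narrows the problem to the client side (the callback URL not being intercepted by the callback filter) rather than to certificates or a rejected ticket, which would show up in the CAS audit log instead.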

Hartmut Trüe

Mar 27, 2024, 3:22:35 AM
to CAS Community, Ray Bon
Same problem on my CAS Management webapp, it ends in "too many redirects". The same configuration is working fine with CAS 6.6.x and Management 6.6.x and the certificate is valid.

I can't find errors, and the ticket seems to be valid:
...
2024-03-27 07:39:34,185 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.web.flow.login.TicketGrantingTicketCheckAction@f63ecb0>
2024-03-27 07:39:34,185 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Digested original ticket id [TGT-1-********PD8Hl30-cas-dev] to [064acf194234da9769678f2ebd62453deb710c2e92966a30be34acbb8cfa49a4f519faf61342285493cbf82baf4805e7712a29381b064d68d10c19d2bce67e5b]>
2024-03-27 07:39:34,185 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Attempting to decode [DefaultEncodedTicket(id=064acf194234da9769678f2ebd62453deb710c2e92966a30be34acbb8cfa49a4f519faf61342285493cbf82baf4805e7712a29381b064d68d10c19d2bce67e5b)]>
2024-03-27 07:39:34,187 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Decoded ticket to [TGT-1-********PD8Hl30-cas-dev]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.web.flow.login.TicketGrantingTicketCheckAction@f63ecb0; result = valid>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@698bdaf2 expression = ticketGrantingTicketCheckAction, resultExpression = [null]]; result = valid>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@109de836 on = valid, to = hasServiceCheck]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'ticketGrantingTicketCheck'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.DecisionState] - <Entering state 'hasServiceCheck' of flow 'login'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@5efaf8bd on = flowScope.service != null, to = renewRequestCheck]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'hasServiceCheck'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'renewRequestCheck' of flow 'login'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@42900422 expression = renewAuthenticationRequestCheckAction, resultExpression = [null]]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.web.flow.actions.RenewAuthenticationRequestCheckAction@1ab38eaf>
2024-03-27 07:39:34,187 DEBUG [org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy] - <Evaluating authentication policy [DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[], excludedAuthenticationHandlers=[], criteria=null)] for [CasClient]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.web.flow.actions.RenewAuthenticationRequestCheckAction@1ab38eaf; result = proceed>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@42900422 expression = renewAuthenticationRequestCheckAction, resultExpression = [null]]; result = proceed>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@1ad0074 on = proceed, to = generateServiceTicket]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'renewRequestCheck'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'generateServiceTicket' of flow 'login'>
...

Regards,
Hartmut

Mohamed Amdouni

Mar 27, 2024, 7:01:20 AM
to cas-...@apereo.org, Ray Bon
Hello, 

I had a similar issue running cas management 6.6.4 and it was related to https. 

My cas management was started with ssl disabled, and this version of cas management requires SSL (see the security adapter); in the logs it says it requires a secure channel.

I tried to override the adapter but finally ended up by activating ssl to avoid the redirects …

Hope it helps…





Benjamin Renard

Mar 27, 2024, 7:01:20 AM
to CAS Community, Ray Bon
Hi Ray,

Thanks for your reply. Yes, I first thought like you, but I have no errors in the logs and I use a valid SSL certificate. Just to be sure, I tried adding it to the keystore files (/etc/cas/thekeystore & $JAVA_HOME/lib/security/cacerts) and I still have the same problem. The keystore file (and its password) is correctly specified in my Tomcat AJP connector configuration. Furthermore, I can't see any trace of a request on the serviceValidate CAS server endpoint (I only see traces on the login endpoint).

Do you have any other ideas about what could cause this problem or how to debug it?

Thanks !

Ray Bon

Mar 27, 2024, 10:13:49 AM
to bn8...@gmail.com, cas-...@apereo.org
Benjamin,

Try this logger (in both cas and cas management). Note

<!-- DEBUG outbound and inbound headers and response as it is sent -->
<Logger name="org.apache.http.wire" level="debug" />

Ray

On Wed, 2024-03-27 at 02:13 -0700, Benjamin Renard wrote:

Benjamin Renard

Mar 27, 2024, 12:40:40 PM
to CAS Community, Ray Bon, bn8...@gmail.com
I tried it, but I get nothing more in the logs. Maybe it's due to the fact that I'm not using the integrated Tomcat but the Debian one? Maybe my problem is due to something other than CAS-related parameters. Maybe something related to the authorization process? I can't find complete documentation of the parameters accepted (and maybe required?) by the CAS management app, even less for version 7. Do you know where I can find it?

My configuration today:

mgmt.server-name=https://idp.example.tld
mgmt.user-properties-file=file:/etc/cas/config/users.json

logging.config=file:/etc/cas/config/log4j2-management.xml

spring.security.user.name=myuser
spring.security.user.password=mypassword

And my /etc/cas/config/users.json file:

{
  "brenard" : {
    "@class" : "org.apereo.cas.mgmt.authz.json.UserAuthorizationDefinition",
    "roles" : [ "ROLE_ADMIN" ]
  }
}

Note: brenard is my CAS username.

Benjamin Renard

Mar 27, 2024, 12:40:40 PM
to CAS Community, Mohamed Amdouni, Ray Bon
Thanks Mohamed,

What do you mean by enabling SSL? My CAS management app is accessible via an Apache HTTPS VirtualHost that proxies requests to a Tomcat AJP connector. Is that "SSL enabled" for you? :)

Note: My CAS server uses the same Apache HTTPS VirtualHost and Tomcat AJP connector, but is deployed in another context (/cas vs /cas-management).

Hartmut Trüe

Mar 28, 2024, 7:31:35 AM
to CAS Community, Benjamin Renard, Mohamed Amdouni, Ray Bon
After playing a bit with the log levels (debug for spring.webflow.log.level and spring.security.log.level), I found this. But I have no idea if that is the problem or what to do.
As explained earlier, 6.6.x is running fine with the same configuration.

...
2024-03-28 09:43:41,073 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.web.flow.TokenAuthenticationAction@7db98da0>
2024-03-28 09:43:41,073 INFO [org.apereo.cas.web.flow.actions.AbstractNonInteractiveCredentialsAction] - <No credentials could be extracted/detected from the current request>
2024-03-28 09:43:41,073 INFO [org.apereo.cas.web.flow.TokenAuthenticationAction] - <Action execution disallowed; pre-execution result is 'error'>
2024-03-28 09:43:41,073 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.web.flow.TokenAuthenticationAction@7db98da0; result = error>
2024-03-28 09:43:41,073 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@763bc2b expression = tokenAuthenticationAction, resultExpression = [null]]; result = error>
2024-03-28 09:43:41,073 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@1b2a72b9 on = *, to = initialAuthenticationRequestValidationCheck]>
2024-03-28 09:43:41,073 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'tokenAuthenticationCheck'>
...

Benjamin Renard

Mar 28, 2024, 3:46:46 PM
to CAS Community, Hartmut Trüe, Benjamin Renard, Mohamed Amdouni, Ray Bon
Hello Hartmut,

From my side, I can't observe this interesting error in my logs, even when enabling debugging on Spring webflow & security. In fact, I also tried enabling debug on the root logger and I get nothing more than what I initially posted here.

Could you share your operational configuration in v6? I would like to know what an operational configuration looks like :)

Thanks !

Hartmut Trüe

Apr 2, 2024, 3:22:31 AM
to CAS Community, Benjamin Renard, Hartmut Trüe, Mohamed Amdouni, Ray Bon
Hello Benjamin,

this is my CAS 6.6 management configuration:

#---------------------------------------------
# config for cas management webapp
logging.config=file:/etc/cas/config/log4j2-management.xml
server.servlet.context-path=/cas-management

cas.server.name=https://www.domain.tld
cas.server.prefix=${cas.server.name}/cas

mgmt.server-name=https://www.domain.tld

# for testing only : no login required
#mgmt.cas-sso=false
#mgmt.authz-ip-regex=.*

mgmt.user-properties-file=file:/etc/cas/config/adminUsers.json
mgmt.admin-roles[0]=ROLE_ADMIN
mgmt.user-roles[0]=ROLE_USER

cas.serviceRegistry.initFromJson=true
cas.serviceRegistry.json.location=file:///etc/cas/services-repo

mgmt.ldap.ldap-url=ldap://192.168.2.1/
mgmt.ldap.bind-dn=uid=cas,ou=accounts,dc=de
mgmt.ldap.bind-credential=xxxxxxxxxxxx
#mgmt.ldap.use-ssl=false
mgmt.ldap.use-start-tls=false
mgmt.ldap.block-wait-time=3000
mgmt.ldap.connect-timeout=2000
mgmt.ldap.validate-on-checkout=false
mgmt.ldap.validate-periodically=true
mgmt.ldap.validate-period=300
mgmt.ldap.idle-time=600
mgmt.ldap.max-pool-size=10
mgmt.ldap.min-pool-size=1
mgmt.ldap.prune-period=300

mgmt.ldap.ldapAuthz.base-dn=ou=people,dc=domain,dc=tld
mgmt.ldap.ldapAuthz.search-filter=uid={user}
mgmt.ldap.ldapAuthz.allow-multiple-results=false

#---------------------------------------------

Hartmut

Hartmut Trüe

Jul 15, 2024, 5:07:49 AM
to CAS Community, Hartmut Trüe, Benjamin Renard, Mohamed Amdouni, Ray Bon
Hello,

after several updates since April, nothing has changed: cas-management 6.6 works as expected, the same configuration with cas-management 7.0 still ends in "too many redirects".

This makes cas 7 unusable for me. I still don't have any ideas what the problem might be.

Hartmut

Mohamed Amdouni

Jul 15, 2024, 12:45:03 PM
to CAS Community, Hartmut Trüe, Benjamin Renard, Mohamed Amdouni, Ray Bon
Hello,

I will explain what the error was for me; I hope it helps you figure out the problem.

In my use case, the cas management was behind a proxy, so the URL of cas management was "https" but the ssl is only on the proxy side; the proxy then forwards to my cas management instance, which is not started with ssl (http).

There is this line, http.requiresChannel(c -> c.anyRequest().requiresSecure());, which requires a secure channel, and so: too many redirects.

I tried to override the security configuration with no success, so the solution was to start cas management with ssl and use the https URL in the proxy configuration.

Try to check this class and find out why it redirects....

Try to install a local instance of cas management ...


Best Regards
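The mechanism Mohamed describes is worth seeing end to end: when TLS terminates at the proxy and the backend hop is plain http, a requiresSecure() rule sees a non-secure request and answers with a redirect to the https URL, which the proxy delivers back over http, and so on until the browser gives up. The model below is an added example and not Spring Security's or CAS management's code; it simulates the proxy hop and the rule, and shows the two things that break the loop: the proxy tagging the original scheme (here with an X-Forwarded-Proto header, as Apache can be told to set) and the application honouring that header only from a trusted proxy address. Host names, addresses and the trusted-proxy set are constructed for the example.

```python
"""Model of a requiresSecure() rule behind a TLS-terminating reverse proxy.

Added example, not Spring Security or CAS code. It imitates what forward-headers
handling (e.g. Tomcat's RemoteIpValve, or Spring Boot's server.forward-headers-strategy)
does: honour X-Forwarded-Proto only when the request comes from a trusted proxy.
All addresses and names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple


@dataclass
class Request:
    scheme: str                      # scheme of the hop that actually reached the app
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    remote_addr: str = "127.0.0.1"   # peer address the app sees (the proxy, normally)


def effective_scheme(req: Request, trusted_proxies: FrozenSet[str]) -> str:
    """Scheme the app believes it is serving. X-Forwarded-Proto is trusted only from
    a known proxy; anything else could be spoofed by the client."""
    if req.remote_addr in trusted_proxies:
        return req.headers.get("X-Forwarded-Proto", req.scheme).lower()
    return req.scheme


def app_handle(req: Request, trusted_proxies: FrozenSet[str]) -> Tuple[str, str]:
    """The requiresChannel(...).requiresSecure() rule: non-https gets a 302 to the https URL."""
    if effective_scheme(req, trusted_proxies) != "https":
        return ("302", f"https://{req.host}{req.path}")
    return ("200", "management ui")


def proxy_forward(client_url: str, proxy_addr: str, forwards_proto: bool = True) -> Request:
    """TLS terminates at the proxy; the backend hop is plain http. A correctly configured
    proxy records the client's original scheme in X-Forwarded-Proto."""
    scheme, rest = client_url.split("://", 1)
    host, _, path = rest.partition("/")
    headers = {"X-Forwarded-Proto": scheme} if forwards_proto else {}
    return Request(scheme="http", host=host, path="/" + path,
                   headers=headers, remote_addr=proxy_addr)


def browse(start_url: str, trusted_proxies: FrozenSet[str], proxy_addr: str = "10.0.0.2",
           forwards_proto: bool = True, max_redirects: int = 5) -> Tuple[str, int]:
    """Follow redirects like a browser would, giving up after max_redirects hops."""
    url, hops = start_url, 0
    while True:
        status, payload = app_handle(proxy_forward(url, proxy_addr, forwards_proto), trusted_proxies)
        if status == "200":
            return ("ok", hops)
        hops += 1
        if hops > max_redirects:
            return ("too many redirects", hops)
        url = payload  # Location header of the 302


if __name__ == "__main__":
    url = "https://idp.example.tld/cas-management/"
    print("header ignored:      ", browse(url, frozenset()))
    print("proxy sets no header:", browse(url, frozenset({"10.0.0.2"}), forwards_proto=False))
    print("header trusted:      ", browse(url, frozenset({"10.0.0.2"})))
```

Two caveats a practitioner should keep in mind. First, trusting the forwarded scheme from any peer lets a client on the backend network claim "https" for a plain connection, which is why the trusted-proxy check matters. Second, this model covers an HTTP proxy hop; AJP carries the front end's SSL flag inside the protocol, so the deployments in this thread that use mod_proxy_ajp may not be explained by this particular mechanism, which is consistent with the fix not helping Benjamin and Hartmut.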

Mohamed Amdouni

Jul 18, 2024, 7:01:23 AM
to Hartmut Trüe, Benjamin Renard, CAS Community, Ray Bon
Hello,

Just to add that the logger that may give more information is org.jasig.cas.client.

You may add a lot of loggers (cas and spring) to print more debug information.

See this template.

And add as many async loggers as you can :) that may help.

I get a similar error on my local machine when I start the JVM with wrong proxy settings, because I'm in a corporate network, so I added the right http.proxyHost, https.proxyHost, http.proxyPort and https.proxyPort to resolve the too many redirects error, because the management couldn't validate tickets; but there I got logs from the org.jasig.cas.client logger with a clear error. I don't think it's your case, but some tips to investigate.

Good luck 

Best regards.

On Thu, 18 Jul 2024 at 11:30, Hartmut Trüe <htr...@gmail.com> wrote:

Hartmut Trüe

Jul 18, 2024, 7:01:23 AM
to CAS Community, Mohamed Amdouni, Hartmut Trüe, Benjamin Renard, Ray Bon
Hello Mohamed,

thanks for your reply, that might lead me in the right direction.

My CAS is running behind a reverse proxy, but it is all "https":

Tomcat ->"ajp"->Apache2->"https"->Apache2 reverse proxy

At the moment it looks to me like a problem with HSTS and CORS, something must have changed between 6.6 and 7.0.

But I haven't been able to solve it yet.

Best Regards
Hartmut
Mohamed Amdouni wrote on Monday, 15 July 2024 at 18:45:03 UTC+2:

Hartmut Trüe

Jul 22, 2024, 5:26:04 AM
to CAS Community, Hartmut Trüe, Mohamed Amdouni, Benjamin Renard, Ray Bon
... no way. To rule out my proxy as the cause, I have configured my Tomcat so that it serves https itself with a valid certificate.

CAS itself is working fine; CAS-Management continues to run into the "too many redirects" error.

Best Regards
Hartmut