Call to /proxyValidate can't validate proxy ticket because Cas20WithoutProxyingValidationSpecification is used


Christian Koehn

Mar 14, 2018, 12:56:18 PM
to CAS Community
Hi,

I am using CAS 5.2.2 and have an issue to validate a PT.

The entries in the logs are:

2018-03-14 16:44:27,253 WARN [org.apereo.cas.validation.AbstractCasProtocolValidationSpecification] - <[Cas20WithoutProxyingValidationSpecification] is not internally satisfied by the produced assertion>
2018-03-14 16:44:27,254 WARN [org.apereo.cas.web.AbstractServiceValidateController] - <Service ticket [PT-2-M6hl8hYF6pihmXvcVWbzKPAlyYM7IpS-C9fHzXIePnJ4e5Eo9gnf1cXHHPqYrrE3DpAgdSJjy-8t-144Up-uLV71AUZwlArLwInFee8P3mFpi5eE3T5UEaVP3LVAl1WyLGrsNTXiUFxK4WJdXqSgc3tCG2jZiVPL-d3b1dff9cf2f] does not satisfy validation specification.>

My service definitions are:

For the Main service that needs to act as proxy
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://mainapp.mydomain.com/bin/view",
  "name" : "CKOE wiki",
  "id" : 2,
  "description" : "Only ckoe wiki auth with proxy",
  "evaluationOrder" : 2,
  "proxyPolicy" : {
    "@class" : "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern" : "^https?://.*"
  },
  "usernameAttributeProvider" : {
        "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
        "usernameAttribute" : "uid"
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "authorizedToReleaseProxyGrantingTicket" : true
  },
  "publicKey" : {
    "@class" : "org.apereo.cas.services.RegisteredServicePublicKeyImpl",
    "location" : "/etc/cas/ckoewiki",
    "algorithm" : "RSA"
  }
}

The service that needs to be accessed by the main service:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://otherapp.mydomain.com",
  "name" : "Test DMS",
  "id" : 3,
  "description" : "Blah blah blah Test ",
  "evaluationOrder" : 3,
  "proxyPolicy" : {
    "@class" : "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern" : "^https?://.*"
  },
  "usernameAttributeProvider" : {
        "@class" : "org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
        "usernameAttribute" : "uid"
  }
}


As said in the title, the service trying to validate the PT is calling the /proxyValidate endpoint... but without success.
Any hints where to look at?

Thanks,
Christian

Ray Bon

Mar 14, 2018, 2:35:31 PM
to cas-...@apereo.org
Christian,

Try this log line to see result of proxy callback:

        <!-- DEBUG Response code from server matched [###] may be useful for debugging proxy
                   Created HTTP post message payload [POST URL] on logout -->
        <AsyncLogger name="org.apereo.cas.util.http.SimpleHttpClient" level="debug" />

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Christian Koehn

Mar 14, 2018, 4:11:17 PM
to CAS Community
Hi Ray,

I am suffering from the cas-overlay logging hurdles, so I might not be able to enable this directly.
However I saw directly after the service wants the PT validated these entries:
2018-03-14 19:39:19,151 DEBUG [org.apereo.cas.support.saml.authentication.principal.SamlServiceFactory] - <Request does not specify a [TARGET] or request body is empty>
2018-03-14 19:39:19,151 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <Created [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@5bea616e[id=https://mydomain.com:443/alfresco/wcservice/ubx/getticket.json,originalUrl=https://mydomain.com:443/alfresco/wcservice/ubx/getticket.json,artifactId=PT-5-pxDrF1I2iZLzLaqytVyLKF0o6l-6A3gUZMT-QnOYOhpUKTqCcHXGTvx0EUSapZWqV6WY1Z2gUx3YUaU4ggpAcFKwtCxv47ZLW53mqwO2aluIJ3gLvFPHl2qI5hPvZXhA8hQRCVFc46Ja0dVbhMvDcxr10s6721fy-d3b1dff9cf2f,principal=<null>,loggedOutAlready=false,format=XML]] based on [org.apereo.cas.authentication.principal.WebApplicationServiceFactory@5f3f57ff[]]>
2018-03-14 19:39:19,151 DEBUG [org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor generated service type [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl] for: [https://mydomain.com:443/alfresco/wcservice/ubx/getticket.json]>
2018-03-14 19:39:19,151 DEBUG [org.apereo.cas.web.ServiceValidateController] - <Preparing to validate ticket [/serviceValidate] for service [PT-5-pxDrF1I2iZLzLaqytVyLKF0o6l-6A3gUZMT-QnOYOhpUKTqCcHXGTvx0EUSapZWqV6WY1Z2gUx3YUaU4ggpAcFKwtCxv47ZLW53mqwO2aluIJ3gLvFPHl2qI5hPvZXhA8hQRCVFc46Ja0dVbhMvDcxr10s6721fy-d3b1dff9cf2f] via [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@5bea616e[id=https://mydomain.com:443/alfresco/wcservice/ubx/getticket.json,originalUrl=https://mydomain.com:443/alfresco/wcservice/ubx/getticket.json,artifactId=PT-5-pxDrF1I2iZLzLaqytVyLKF0o6l-6A3gUZMT-QnOYOhpUKTqCcHXGTvx0EUSapZWqV6WY1Z2gUx3YUaU4ggpAcFKwtCxv47ZLW53mqwO2aluIJ3gLvFPHl2qI5hPvZXhA8hQRCVFc46Ja0dVbhMvDcxr10s6721fy-d3b1dff9cf2f,principal=<null>,loggedOutAlready=false,format=XML]]. Do note that this validation request is not equipped to release principal attributes to applications. To access the authenticated principal along with attributes, invoke the [/p3/serviceValidate] endpoint instead.>
2018-03-14 19:39:19,152 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.DefaultCentralAuthenticationService.validateServiceTicket]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
2018-03-14 19:39:19,152 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.DefaultCentralAuthenticationService.validateServiceTicket]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>

The ServiceValidateController already points to the wrong /serviceValidate ... really strange

Christian Koehn

Mar 14, 2018, 4:43:10 PM
to CAS Community
SHAME ON ME!

Despite the fact that I do not understand why it worked in the past with a CAS 3.X, I now checked the Apache logs and saw that indeed /serviceValidate was called. So it was the service that was not working properly.

Sorry for the noise, but thanks Ray for your willingness to help.

Regards,
Christian
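The root cause in this thread is the endpoint, not the service definitions: the CAS protocol lets /serviceValidate accept only service tickets (ST-), so a proxy ticket (PT-) sent there is rejected by Cas20WithoutProxyingValidationSpecification, while /proxyValidate accepts both and additionally returns the proxy chain. The following is an added example written for this page (it is not code from Christian, Ray, or the Apereo CAS project) showing the client-side behaviour a relying service should have: choose the endpoint from the ticket prefix, parse the CAS 2.0 XML reply, refuse a proxy chain that is not on an explicit allow-list (a much tighter check than the `^https?://.*` proxy policy in the posted service definitions), and scan CAS debug logs of the kind shown above for PTs that hit /serviceValidate. The CAS base URL, the callback URL used as a trusted proxy, the sample XML replies and the sample log lines are all constructed assumptions; the XML shape follows the CAS 2.0 protocol schema.

```python
"""Added example: route a CAS 2.0 ticket to the right validation endpoint, parse the
reply, check the proxy chain, and flag misrouted proxy tickets in CAS debug logs.
Not code from the thread or from Apereo CAS; URLs and samples are constructed."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def validation_endpoint(ticket: str) -> str:
    """/serviceValidate accepts only service tickets (ST-); a proxy ticket (PT-) must go
    to /proxyValidate, which also returns the proxy chain. CAS 5 enforces this server-side
    with Cas20WithoutProxyingValidationSpecification, which is the warning in the thread."""
    if ticket.startswith("ST-"):
        return "/serviceValidate"
    if ticket.startswith("PT-"):
        return "/proxyValidate"
    raise ValueError(f"unrecognised CAS ticket prefix in {ticket[:8]!r}")


def build_validation_url(cas_base: str, ticket: str, service: str,
                         pgt_url: Optional[str] = None) -> str:
    """Build the validation URL. cas_base is the CAS context root (assumed value below)."""
    params = {"ticket": ticket, "service": service}
    if pgt_url:  # only needed when the caller itself wants to proxy onward
        params["pgtUrl"] = pgt_url
    return cas_base.rstrip("/") + validation_endpoint(ticket) + "?" + urlencode(params)


def parse_cas2_response(xml_text: str) -> Dict:
    """Parse a <cas:serviceResponse>. The reply is untrusted input; in production
    parse it with defusedxml rather than the stdlib parser used here."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = (success.findtext("cas:user", default="", namespaces=CAS_NS) or "").strip()
        proxies = [p.text.strip() for p in success.findall("cas:proxies/cas:proxy", CAS_NS) if p.text]
        return {"ok": True, "user": user, "proxies": proxies}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code", ""), "message": (failure.text or "").strip()}
    raise ValueError("not a CAS 2.0 serviceResponse")


def accept_proxy_chain(proxies: List[str], trusted_prefixes: Iterable[str]) -> bool:
    """For an assertion obtained for a PT: every hop in the chain must start with an
    explicitly trusted callback prefix. An empty chain for a PT is treated as a failure."""
    trusted = tuple(trusted_prefixes)
    return bool(proxies) and all(p.startswith(trusted) for p in proxies)


# CAS 5.2 ServiceValidateController debug line (shape taken from the thread). Note the
# log puts the endpoint in the "ticket" slot and the ticket in the "service" slot.
VALIDATE_LINE = re.compile(
    r"Preparing to validate ticket \[(?P<endpoint>/[\w/]+)\] for service \[(?P<ticket>(?:ST|PT)-[^\]]+)\]"
)


def find_misrouted_tickets(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (ticket, endpoint) for each ticket that reached an endpoint that cannot
    validate it, e.g. a PT-* sent to /serviceValidate. /p3/* variants are accepted."""
    hits = []
    for line in log_lines:
        m = VALIDATE_LINE.search(line)
        if m and not m["endpoint"].endswith(validation_endpoint(m["ticket"])):
            hits.append((m["ticket"], m["endpoint"]))
    return hits


# Constructed samples (shape per the CAS 2.0 protocol; ticket strings shortened).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>ckoe</cas:user>
    <cas:proxies>
      <cas:proxy>https://mainapp.mydomain.com/pgtCallback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'PT-2-M6hl8hYF6pih-d3b1dff9cf2f' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

SAMPLE_LOG = [  # constructed, modelled on the DEBUG lines quoted in the thread
    "2018-03-14 19:39:19,151 DEBUG [org.apereo.cas.web.ServiceValidateController] - "
    "<Preparing to validate ticket [/serviceValidate] for service [PT-5-pxDrF1I2-d3b1dff9cf2f] via [...]>",
    "2018-03-14 19:40:02,007 DEBUG [org.apereo.cas.web.ProxyValidateController] - "
    "<Preparing to validate ticket [/proxyValidate] for service [PT-6-abc123-d3b1dff9cf2f] via [...]>",
    "2018-03-14 19:41:10,300 DEBUG [org.apereo.cas.web.ServiceValidateController] - "
    "<Preparing to validate ticket [/serviceValidate] for service [ST-7-def456-d3b1dff9cf2f] via [...]>",
]

if __name__ == "__main__":
    print(build_validation_url("https://cas.mydomain.com/cas", "PT-5-pxDrF1I2-d3b1dff9cf2f",
                               "https://otherapp.mydomain.com/alfresco/wcservice/ubx/getticket.json"))
    print(parse_cas2_response(SAMPLE_SUCCESS))
    print(parse_cas2_response(SAMPLE_FAILURE))
    print(find_misrouted_tickets(SAMPLE_LOG))
```

Running `find_misrouted_tickets` over the thread's own debug output would have flagged the PT-5 ticket at /serviceValidate immediately, which is what the Apache access log eventually confirmed. The allow-list in `accept_proxy_chain` matters because an otherwise valid proxy ticket only proves that some proxy authorised by CAS's proxy policy obtained a PGT for the user; the relying service still has to decide which proxies it is willing to act on behalf of.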