/p3/serviceValidate returning "Ticket...not recognized"


William

May 2, 2016, 4:14:44 PM
to CAS Community
I am running CAS 4.2.1.  After I login and receive a service ticket, I cannot validate it against the "/p3/serviceValidate" endpoint.

I have set the "st.timeToKillInSeconds" to a long value.

My URL looks like the following:


I receive this error back:

<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket 'ST-6-fkKdVYPFypWKiqsThVfw-cas01.example.org' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>

The CAS log is showing the ticket was successfully validated after login, and when I try to validate it manually then it says validation failed:

2016-05-02 16:08:03,352 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Mon May 02 16:08:03 EDT 2016
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2016-05-02 16:08:03,397 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Service ticket [ST-6-fkKdVYPFypWKiqsThVfw-cas01.example.org] does not exist.>
2016-05-02 16:08:03,398 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Mon May 02 16:08:03 EDT 2016
CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
=============================================================

I noticed the IP addresses are a mixture of IPv4 and IPv6.  I don't know if that would make a difference or not.

Any ideas on this?

Regards,

William Crowell

Misagh Moayyed

May 2, 2016, 4:29:02 PM
to CAS Community

Because STs can only be used once. Once it’s validated, it’s gone and you cannot manually re-validate it.


--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b4f8eb70-5b3e-4177-b352-1e40361615e2%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

William

May 2, 2016, 4:47:04 PM
to CAS Community
Makes sense.  I have been writing functional tests in Geb: https://github.com/wcrowell/cas-functional-tests

I am specifically working on this test: https://github.com/wcrowell/cas-functional-tests/blob/master/src/test/groovy/RenewSpec.groovy

I am using this document as a blueprint for the tests: https://wiki.jasig.org/display/CAS/CAS+Functional+Tests

The tests repeat the clause: "with a valid service ticket"

Is there a way I could use another ticket type (e.g. Proxy Granting Ticket) to validate the tickets, or maybe I am making this too complicated?

Regards,

William Crowell

Misagh Moayyed

May 3, 2016, 1:04:18 PM
to CAS Community

What you should be doing is:


1. Login, get a ticket, validate it.
2. Login with renew=true, get a ticket, validate it.
3. Login, get a ticket, validate it with renew=true.
4. Login with renew=true, get a ticket, validate it with renew=true.


PGTs are an entirely different matter. I haven’t looked at your tests, but you should not be reusing tickets.


William

May 10, 2016, 10:13:48 AM
to CAS Community, mmoa...@unicon.net
Misagh,

Is there a way to tell CAS not to encrypt the ticket granting cookie so I can use it against the serviceValidate endpoint?

Regards,

William Crowell

Misagh Moayyed

May 10, 2016, 10:23:49 AM
to CAS Community

Help me out: Why do you need to pass the cookie, as I understand your question, to that endpoint?


Dmitriy Kopylenko

May 10, 2016, 10:25:12 AM
to William, CAS Community, Misagh Moayyed
Hi William,

You’d need to map the default cookie cipher executor to the noop one here:


like so:

<alias name="noOPCipherExecutor" alias="defaultCookieCipherExecutor" />

You’d also need to explicitly define the noop cipher executor, as it’s not marked with @Component and therefore not picked up by Spring component scanning machinery:


Those are just mechanics - but I’d first ask yourself why you need to disable the encryption, etc.

Cheers,
D.

Waldbieser, Carl

May 10, 2016, 10:38:51 AM
to William, CAS Community, mmoa...@unicon.net
William,

That endpoint usually gets passed a *service ticket*. Not a ticket granting ticket.
Are you sure you are passing the correct ticket?

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College


William

May 10, 2016, 11:37:54 AM
to CAS Community, alertya...@gmail.com, mmoa...@unicon.net, dkopy...@unicon.net
Dmitriy and Misagh,

I would prefer not to disable the ticket encryption.  For the validation tests (https://wiki.jasig.org/display/CAS/CAS+Functional+Tests), I need to login through the user interface to generate a ticket.  I need to be able to take that ticket and pass it into the "/validate" or "/serviceValidate" endpoints using this URI: /validate?service=foo&ticket=<valid ticket>

I cannot do that with a service ticket because the service ticket is invalidated immediately after login.  The only other ticket that I am aware of is the Ticket Granting Cookie which is encrypted with jose4j (https://bitbucket.org/b_c/jose4j/wiki/Home) encryption library.  I cannot pass an encrypted ticket into the "/validate" or "/serviceValidate" endpoints.  I have already tried this.

The functional tests (https://github.com/wcrowell/cas-functional-tests) act as the browser.  Therefore, I am limited in the information I get back from CAS other than my login was successful.  

When I login to "/cas/login" without a service parameter, then I see the following cookies being sent back to the browser:

[TGC=eyJhbGciOiJIUzUxMiJ9.[...].7VH7BZ7i5RHbqCOCzwtszNCr4H2szYzwrar81qCt20FAPz025majx3wfNgTWWgkUVwgzRGHaLMD4tpIllYat8g; path=/cas/; domain=localhost;secure;, JSESSIONID=looz49v4d769zgy2s5712kci; path=/cas; domain=localhost;secure;]

I do see that when I provide a service request parameter to login, then I see the following cookies sent back:

[JSESSIONID=namyy4m6qr9amk5c89ua1v4h; path=/cas-services; domain=localhost;secure;, pac4jCsrfToken=ab647d9c-b38e-4fd3-aeb0-8403356c1b27; path=/cas-services; domain=localhost]

Is there anything on the page (header or cookie) that I could use to pass back to the "/validate" endpoint?  Can I use JSESSIONID somehow to cross-reference what the ticket(s) are?

Do the functional tests (https://wiki.jasig.org/display/CAS/CAS+Functional+Tests) need to be rewritten?

Regards,

William Crowell

William

May 10, 2016, 12:14:25 PM
to CAS Community, alertya...@gmail.com, mmoa...@unicon.net
Carl,

Just saw your response.  You are correct.  I would need to pass a service ticket, but the service ticket is invalidated right after you login so I cannot reuse that ticket against the "/validate" endpoint.  

Regards,

William Crowell

Waldbieser, Carl

May 10, 2016, 12:18:39 PM
to William, CAS Community, mmoa...@unicon.net, dkopy...@unicon.net
William,

The ST shouldn't be disabled immediately after login.
For an accurate functional test, I think you ought to be able to obtain the ST from the /login response, either from a `Location` header or from scraping the response body.
You should be able to present that ticket to the CAS /serviceValidate endpoint.

Here is a short shell script to illustrate what I mean:

#! /bin/sh
# Obtain a fresh ST from an existing SSO session (identified by the TGT cookie
# value given as $1) and present it once to /serviceValidate.

if [ -z "$1" ]; then
    echo "Usage: $0 [TGT]" >&2
    exit 1
fi

# Endpoints and the service to validate for; override through the environment.
CAS_LOGIN=${CAS_LOGIN:-https://cas.example.net/cas/login}
SERVICE_VALIDATE=${SERVICE_VALIDATE:-https://cas.example.net/cas/serviceValidate}
SERVICE=${SERVICE:-'https://service.example.org'}
TGT="$1"

# Cookie name as deployed: CAS 4.2 sends it as TGC by default (CASTGC in older releases).
TGC_COOKIE=${TGC_COOKIE:-CASTGC}

# curl -v prints the response headers on stderr; the new ST is the ticket= parameter
# of the Location header in the redirect, and the second curl validates it exactly once.
ST=$(curl -v --get --data service="$SERVICE" --cookie "$TGC_COOKIE=$TGT" "$CAS_LOGIN" 2>&1 | \
    grep -e '^< Location:' | grep -e ticket= | sed -e 's/^.*ticket=//' -e 's/\r//') && \
curl -v --get --data service="$SERVICE" --data ticket="$ST" "$SERVICE_VALIDATE"

You may have to adjust endpoints, etc.

Presenting the TGT to the /serviceValidate endpoint ought to fail, I would think.

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College

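As an added illustration (not code from the thread, and not the CAS project's own code), the following Python model exercises the behaviour Misagh describes above (an ST is consumed on its first validation, so a manual second /serviceValidate call gets INVALID_TICKET), the four renew=true combinations from his list, and the client-side steps in Carl's script: reading the ticket out of the /login Location header and parsing the cas:serviceResponse. The in-memory ticket registry, its expiry and renew handling, the sample user and the success XML are constructed here; the failure XML is the one quoted in the first post. It runs offline with the standard library only.

```python
# Added example, not code from the thread: an offline model of the CAS service-ticket
# flow. The registry, the sample user and the success XML are constructed here.
import secrets
import time
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlparse
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"

# The failure response quoted in the first post of the thread.
THREAD_FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket 'ST-6-fkKdVYPFypWKiqsThVfw-cas01.example.org' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def extract_ticket(location_header: str) -> Optional[str]:
    """Client side: pull the ST out of the Location header that /login redirects to."""
    return parse_qs(urlparse(location_header).query).get("ticket", [None])[0]


def parse_service_response(xml_text: str) -> dict:
    """Client side: reduce a cas:serviceResponse to a small dict."""
    root = ET.fromstring(xml_text)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is not None:
        return {"ok": True, "user": success.findtext(f"{{{CAS_NS}}}user")}
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    return {"ok": False, "code": failure.get("code"), "message": failure.text.strip()}


def success_xml(user: str) -> str:
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">\n  <cas:authenticationSuccess>\n'
            f'    <cas:user>{escape(user)}</cas:user>\n  </cas:authenticationSuccess>\n'
            f'</cas:serviceResponse>')


def failure_xml(code: str, message: str) -> str:
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">\n'
            f'  <cas:authenticationFailure code="{code}">\n    {escape(message)}\n'
            f'  </cas:authenticationFailure>\n</cas:serviceResponse>')


class ServiceTicketRegistry:
    """Server side: a toy registry applying the rules the thread runs into.

    An ST is bound to one service, expires after st.timeToKillInSeconds, and is
    removed on its first validation attempt whatever the outcome (single use).
    """

    def __init__(self, time_to_kill_seconds: float = 10.0, now=time.monotonic):
        self.ttl = time_to_kill_seconds
        self.now = now          # injectable clock so expiry can be tested offline
        self._tickets = {}      # ticket id -> (user, service, issued_at, from_credentials)
        self._counter = 0

    def issue(self, user: str, service: str, from_credentials: bool = True) -> str:
        """Issue an ST; from_credentials=False models an ST minted from an existing SSO session."""
        self._counter += 1
        ticket = f"ST-{self._counter}-{secrets.token_urlsafe(15)}-cas01.example.org"
        self._tickets[ticket] = (user, service, self.now(), from_credentials)
        return ticket

    def validate(self, ticket: str, service: str, renew: bool = False) -> str:
        """Return the serviceValidate XML for one validation attempt."""
        entry = self._tickets.pop(ticket, None)   # consumed now, even if the checks below fail
        if entry is None:
            return failure_xml("INVALID_TICKET", f"Ticket '{ticket}' not recognized")
        user, bound_service, issued_at, from_credentials = entry
        if self.now() - issued_at > self.ttl:
            return failure_xml("INVALID_TICKET", f"Ticket '{ticket}' has expired")
        if bound_service != service:
            return failure_xml("INVALID_SERVICE", f"Ticket '{ticket}' does not match service '{service}'")
        if renew and not from_credentials:
            return failure_xml("INVALID_TICKET", f"Ticket '{ticket}' was not issued from primary credentials")
        return success_xml(user)


def demo() -> list:
    """The sequence from the thread: one login, one validation, then a manual re-validation."""
    registry = ServiceTicketRegistry(time_to_kill_seconds=10.0)
    service = "https://service.example.org"
    ticket = extract_ticket(f"{service}?ticket={registry.issue('jdoe', service)}")
    first = parse_service_response(registry.validate(ticket, service))
    second = parse_service_response(registry.validate(ticket, service))   # same ST again
    return [first, second]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running the module prints a success dict followed by an INVALID_TICKET dict for the same ST, which is the pair of audit records William saw in his log. A functional test therefore needs a new ST per validation, obtained the way Carl's script does it (visit /login again with the TGC, or with credentials), rather than reusing the one consumed by the first login.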

William

May 10, 2016, 12:19:33 PM
to CAS Community, alertya...@gmail.com, mmoa...@unicon.net, dkopy...@unicon.net
I saw on another post Dmitriy proposed this:

"For the automated testing tools you might need to choose to use CAS’ REST resources: https://apereo.github.io/cas/4.2.x/protocol/REST-Protocol.html"

I will give that a shot.

Regards,

William Crowell

Waldbieser, Carl

May 10, 2016, 12:19:55 PM
to William, CAS Community, mmoa...@unicon.net
William,

You just need to visit /login again with the TGC you obtained the first time, when you presented credentials.
Or you could visit with no cookies and just present the credentials again if you don't want to test SSO.

Thanks,
Carl
