[cas-user] Problem setting up Proxy support


C. C. Tang

Jan 27, 2017, 12:17:01 AM1/27/17
to CAS Community
I am using CAS 4.2.x and I am exploring the Proxy feature.

But I am having difficulties setting it up using the examples (example_proxy_GET.php) in phpCAS as a starting point.
The PHP script failed to be authenticated as a proxy and output logs like this:

(in forceAuthentication() call after successful login)

ACC1 .=> phpCAS::forceAuthentication() [example_proxy_GET.php:40]
ACC1 .|    => CAS_Client::forceAuthentication() [CAS.php:1080]
ACC1 .|    |    => CAS_Client::isAuthenticated() [Client.php:1249]
ACC1 .|    |    |    => CAS_Client::_wasPreviouslyAuthenticated() [Client.php:1362]
ACC1 .|    |    |    |    neither user nor PGT found [Client.php:1581]
ACC1 .|    |    |    <= false
ACC1 .|    |    |    CAS 2.0 ticket `ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org' is present [Client.php:1415]
ACC1 .|    |    |    => CAS_Client::validateCAS20('', NULL, NULL, false) [Client.php:1417]
ACC1 .|    |    |    |     [Client.php:3127]
ACC1 .|    |    |    |    => CAS_Client::getServerServiceValidateURL() [Client.php:3134]
ACC1 .|    |    |    |    |    => CAS_Client::getURL() [Client.php:453]
ACC1 .|    |    |    |    |    |    Final URI: https://mydomain/cas_test/php-client-examples/example_proxy_GET.php [Client.php:3497]
ACC1 .|    |    |    |    |    <= 'https://mydomain/cas_test/php-client-examples/example_proxy_GET.php'
ACC1 .|    |    |    |    <= 'https://10.7.14.10:8443/cas/serviceValidate?service=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php'
ACC1 .|    |    |    |    => CAS_Client::_readURL('https://10.7.14.10:8443/cas/serviceValidate?service=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php&ticket=ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org&pgtUrl=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php', NULL, NULL, NULL) [Client.php:3149]
ACC1 .|    |    |    |    |    => CAS_Request_CurlRequest::sendRequest() [AbstractRequest.php:242]
ACC1 .|    |    |    |    |    |    Response Body:
ACC1 .|    |    |    |    |    |    
ACC1 .|    |    |    |    |    |    
ACC1 .|    |    |    |    |    |    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
ACC1 .|    |    |    |    |    |        <cas:authenticationFailure code='INVALID_PROXY_CALLBACK'>
ACC1 .|    |    |    |    |    |                The supplied proxy callback url &#039;https://mydomain/cas_test/php-client-examples/example_proxy_GET.php&#039; could not be authenticated.
ACC1 .|    |    |    |    |    |        </cas:authenticationFailure>
ACC1 .|    |    |    |    |    |    </cas:serviceResponse>
ACC1 .|    |    |    |    |    |    
ACC1 .|    |    |    |    |    |     [CurlRequest.php:84]
ACC1 .|    |    |    |    |    <= true
ACC1 .|    |    |    |    <= true
ACC1 .|    |    |    |    => CAS_AuthenticationException::__construct(CAS_Client, 'Ticket not validated', 'https://10.7.14.10:8443/cas/serviceValidate?service=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php&ticket=ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org&pgtUrl=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php', false, false, '<cas:serviceResponse xmlns:cas=\'http://www.yale.edu/tp/cas\'>    <cas:authenticationFailure code=\'INVALID_PROXY_CALLBACK\'>            The supplied proxy callback url &#039;https://mydomain/cas_test/php-client-examples/example_proxy_GET.php&#039; could not be authenticated.    </cas:authenticationFailure></cas:serviceResponse>', 'INVALID_PROXY_CALLBACK', 'The supplied proxy callback url \'https://mydomain/cas_test/php-client-examples/example_proxy_GET.php\' could not be authenticated.') [Client.php:3239]
ACC1 .|    |    |    |    |    => CAS_Client::getURL() [AuthenticationException.php:76]
ACC1 .|    |    |    |    |    <= 'https://mydomain/cas_test/php-client-examples/example_proxy_GET.php'
ACC1 .|    |    |    |    |    CAS URL: https://10.7.14.10:8443/cas/serviceValidate?service=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php&ticket=ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org&pgtUrl=https%3A%2F%2Fmydomain%2Fcas_test%2Fphp-client-examples%2Fexample_proxy_GET.php [AuthenticationException.php:79]
ACC1 .|    |    |    |    |    Authentication failure: Ticket not validated [AuthenticationException.php:80]
ACC1 .|    |    |    |    |    Reason: [INVALID_PROXY_CALLBACK] CAS error: The supplied proxy callback url 'https://mydomain/cas_test/php-client-examples/example_proxy_GET.php' could not be authenticated. [AuthenticationException.php:96]
ACC1 .|    |    |    |    |    CAS response:
ACC1 .|    |    |    |    |    
ACC1 .|    |    |    |    |    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
ACC1 .|    |    |    |    |        <cas:authenticationFailure code='INVALID_PROXY_CALLBACK'>
ACC1 .|    |    |    |    |                The supplied proxy callback url &#039;https://mydomain/cas_test/php-client-examples/example_proxy_GET.php&#039; could not be authenticated.
ACC1 .|    |    |    |    |        </cas:authenticationFailure>
ACC1 .|    |    |    |    |    </cas:serviceResponse>
ACC1 .|    |    |    |    |     [AuthenticationException.php:101]
ACC1 .|    |    |    |    |    exit()
ACC1 .|    |    |    |    |    -
ACC1 .|    |    |    |    -
ACC1 .|    |    |    -
ACC1 .|    |    -
ACC1 .|    -

CAS log:
2017-01-27 13:04:54,819 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted ticket [ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org] for service [https://mydomain/cas_test/php-client-examples/example_proxy_GET.php] and principal [user4]
2017-01-27 13:04:54,820 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: user4
WHAT: ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org for https://mydomain/cas_test/php-client-examples/example_proxy_GET.php
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Jan 27 13:04:54 CST 2017
CLIENT IP ADDRESS: 10.7.14.10
SERVER IP ADDRESS: 10.7.14.10
=============================================================

2017-01-27 13:04:54,820 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: user4
WHAT: ST-4-KbXXdH0HfEXBjPYWbAGn-cas01.example.org for https://mydomain/cas_test/php-client-examples/example_proxy_GET.php
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Jan 27 13:04:54 CST 2017
CLIENT IP ADDRESS: 10.7.14.10
SERVER IP ADDRESS: 10.7.14.10
=============================================================

2017-01-27 13:04:54,940 WARN [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - Proxy policy for service [^(https?|imaps?)://.*] cannot authorize the requested callback url [https://mydomain/cas_test/php-client-examples/example_proxy_GET.php].
2017-01-27 13:04:54,941 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - HttpBasedServiceCredentialsAuthenticationHandler failed authenticating https://mydomain/cas_test/php-client-examples/example_proxy_GET.php
2017-01-27 13:04:54,941 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: https://mydomain/cas_test/php-client-examples/example_proxy_GET.php
WHAT: Supplied credentials: [https://mydomain/cas_test/php-client-examples/example_proxy_GET.php]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Jan 27 13:04:54 CST 2017
CLIENT IP ADDRESS: 10.7.14.60
SERVER IP ADDRESS: 10.7.14.10
=============================================================

2017-01-27 13:04:54,941 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: https://mydomain/cas_test/php-client-examples/example_proxy_GET.php
WHAT: Supplied credentials: [https://mydomain/cas_test/php-client-examples/example_proxy_GET.php]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Jan 27 13:04:54 CST 2017
CLIENT IP ADDRESS: 10.7.14.60
SERVER IP ADDRESS: 10.7.14.10
=============================================================

2017-01-27 13:04:54,941 WARN [org.jasig.cas.web.ServiceValidateController] - Failed to authenticate service credential https://mydomain/cas_test/php-client-examples/example_proxy_GET.php


My service definition:
{
  "@class" : "org.jasig.cas.services.RegexRegisteredService",
  "serviceId" : "^(https?|imaps?)://.*",
  "name" : "test local",
  "id" : 1,
  "evaluationOrder" : 0,
  "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
    },
    "authorizedToReleaseCredentialPassword" : false,
    "authorizedToReleaseProxyGrantingTicket" : true
  }
}


'mydomain' has HTTPS set up properly using Let's Encrypt, and the certs are imported into a custom trust store:
cas.properties
http.client.truststore.file=classpath:truststore.jks


Why does CAS keep saying Proxy policy for service [^(https?|imaps?)://.*] cannot authorize the requested callback url [https://lockcole.acgmoe.net/cas_test/php-client-examples/example_proxy_GET.php]?

I would be grateful for any advice on what I am missing, or anything I can do to trace the problem.

Thanks in advance.
C.C.

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d5a9f6a9-9828-4712-900e-e9e03ea5a972%40apereo.org.
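The WARN line in the CAS log above is the server refusing the pgtUrl before it ever connects to it. The following is an added illustration (not CAS code and not from the original post) that models that decision: a CAS 4.x service definition with no proxyPolicy defaults to RefuseRegisteredServiceProxyPolicy, so every callback is refused, whereas a RegexMatchingRegisteredServiceProxyPolicy whose pattern matches the callback lets the request proceed to the HTTPS endpoint check. The two class names are real CAS 4.x ones; the service JSON is a constructed copy of the one in the post, and the unanchored (Matcher.find) regex semantics is an assumption to verify against your version.

```python
"""Model of the CAS 4.x proxy-callback (pgtUrl) authorisation decision.

Hypothetical re-implementation for illustration only; it is not CAS code.
"""
import re

# Class names as they appear in CAS 4.x JSON service definitions.
REFUSE_POLICY = "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
REGEX_POLICY = "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy"

# Constructed copy of the service definition from the post: it matches every
# http/https/imap(s) URL but declares no proxyPolicy at all.
SERVICE_NO_PROXY_POLICY = {
    "@class": "org.jasig.cas.services.RegexRegisteredService",
    "serviceId": "^(https?|imaps?)://.*",
    "name": "test local",
    "id": 1,
    "evaluationOrder": 0,
}

# Constructed variant: same service plus a regex proxy policy that only
# authorises HTTPS callbacks under the application's own path.
SERVICE_WITH_PROXY_POLICY = dict(
    SERVICE_NO_PROXY_POLICY,
    proxyPolicy={
        "@class": REGEX_POLICY,
        "pattern": "^https://mydomain/cas_test/.*",
    },
)

# The pgtUrl phpCAS sent in the post's serviceValidate request.
CALLBACK = "https://mydomain/cas_test/php-client-examples/example_proxy_GET.php"


def find_service(registry, service_url):
    """Return the first registered service whose serviceId regex matches.

    Assumption: CAS 4.x RegexRegisteredService uses Matcher.find(), i.e. an
    unanchored search, which re.search reproduces; anchor your own patterns.
    """
    for svc in sorted(registry, key=lambda s: s.get("evaluationOrder", 0)):
        if re.search(svc["serviceId"], service_url):
            return svc
    return None


def proxy_callback_decision(service, pgt_url, require_secure=True):
    """Reproduce the checks CAS runs before it contacts pgtUrl.

    Returns (allowed, reason). A False result is what the client sees as
    the INVALID_PROXY_CALLBACK authenticationFailure.
    """
    policy = service.get("proxyPolicy")
    # CAS 4.x default when no proxyPolicy is declared: refuse all proxying.
    if policy is None or policy.get("@class") == REFUSE_POLICY:
        return False, (
            "Proxy policy for service [%s] cannot authorize the requested "
            "callback url [%s]: no proxy policy (default refuses)"
            % (service["serviceId"], pgt_url)
        )
    if policy.get("@class") != REGEX_POLICY:
        return False, "unknown proxy policy class %r" % policy.get("@class")
    # Same find()-style matching assumption as in find_service().
    if not re.search(policy["pattern"], pgt_url):
        return False, (
            "Proxy policy for service [%s] cannot authorize the requested "
            "callback url [%s]: pattern %r does not match"
            % (service["serviceId"], pgt_url, policy["pattern"])
        )
    # HttpBasedServiceCredentialsAuthenticationHandler requires a secure
    # callback by default so the PGT is never delivered in clear text.
    if require_secure and not pgt_url.lower().startswith("https://"):
        return False, "callback url is not https"
    # Only now does CAS perform the HTTPS GET to pgtUrl using its trust
    # store; that is the step that fails later in this thread.
    return True, "policy allows callback; next step is the TLS endpoint check"


if __name__ == "__main__":
    for svc in (SERVICE_NO_PROXY_POLICY, SERVICE_WITH_PROXY_POLICY):
        print(proxy_callback_decision(svc, CALLBACK))
```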

C. C. Tang

Jan 31, 2017, 2:02:59 AM1/31/17
to CAS Community
Does anyone have any hints?


Ray Bon

Jan 31, 2017, 12:27:29 PM1/31/17
to cas-...@apereo.org
C.C.,

The CAS server must be able to access the callback URL. Perhaps there is a network issue.

Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE C023 | rb...@uvic.ca


C. C. Tang

Feb 1, 2017, 12:55:12 AM2/1/17
to CAS Community, rb...@uvic.ca
I fixed my service definition, so now an exception is thrown when CAS really tries to connect to the callback URL.

It said <java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain

I am wondering why the custom trust store does not work. keytool -list correctly lists my imported certificate chain.

Any help or advice is appreciated.



2017-02-01 13:29:42,084 ERROR [org.jasig.cas.util.http.SimpleHttpClient] - <java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1917)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:301)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:295)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1471)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:936)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:871)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
        at org.apache.http.impl.execchain.ServiceUnavailableRetryExec.execute(ServiceUnavailableRetryExec.java:84)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
        at org.jasig.cas.util.http.SimpleHttpClient.isValidEndPoint(SimpleHttpClient.java:122)
        at org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler.authenticate(HttpBasedServiceCredentialsAuthenticationHandler.java:58)
        at org.jasig.cas.authentication.PolicyBasedAuthenticationManager.authenticateAndResolvePrincipal(PolicyBasedAuthenticationManager.java:279)
        at org.jasig.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:222)
        at org.jasig.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:131)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:483)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:302)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
        at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:85)
        at org.jasig.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:128)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:483)
        at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:620)
        at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:609)
        at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:68)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:168)
        at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
        at com.ryantenney.metrics.spring.MeteredMethodInterceptor.invoke(MeteredMethodInterceptor.java:45)
        at com.ryantenney.metrics.spring.MeteredMethodInterceptor.invoke(MeteredMethodInterceptor.java:32)
        at com.ryantenney.metrics.spring.AbstractMetricMethodInterceptor.invoke(AbstractMetricMethodInterceptor.java:59)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
        at com.ryantenney.metrics.spring.TimedMethodInterceptor.invoke(TimedMethodInterceptor.java:48)
        at com.ryantenney.metrics.spring.TimedMethodInterceptor.invoke(TimedMethodInterceptor.java:34)
        at com.ryantenney.metrics.spring.AbstractMetricMethodInterceptor.invoke(AbstractMetricMethodInterceptor.java:59)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
        at com.ryantenney.metrics.spring.CountedMethodInterceptor.invoke(CountedMethodInterceptor.java:46)
        at com.ryantenney.metrics.spring.CountedMethodInterceptor.invoke(CountedMethodInterceptor.java:32)
        at com.ryantenney.metrics.spring.AbstractMetricMethodInterceptor.invoke(AbstractMetricMethodInterceptor.java:59)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:208)
        at com.sun.proxy.$Proxy70.authenticate(Unknown Source)
        at org.jasig.cas.authentication.DefaultAuthenticationTransactionManager.handle(DefaultAuthenticationTransactionManager.java:29)
        at org.jasig.cas.web.AbstractServiceValidateController.handleProxyGrantingTicketDelivery(AbstractServiceValidateController.java:190)
        at org.jasig.cas.web.AbstractServiceValidateController.handleRequestInternal(AbstractServiceValidateController.java:222)
        at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:35)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:483)
        at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:221)
        at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:136)
        at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:832)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:743)
        at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:961)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:895)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967)
        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:858)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apereo.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:238)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apereo.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:261)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1083)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:640)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain
        at org.jasig.cas.authentication.FileTrustStoreSslSocketFactory$CompositeX509TrustManager.checkServerTrusted(FileTrustStoreSslSocketFactory.java:279)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:865)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1453)
        ... 118 more


C.C.


Ben Howell-Thomas

Feb 1, 2017, 6:00:48 AM2/1/17
to cas-...@apereo.org, rb...@uvic.ca
Isn't it supposed to be "cas.httpClient.truststore.file"?  (Also ...truststore.psw and ...truststore.type.)

We also have the certificate defined in Tomcat's server.xml that runs CAS though I think that's more for front-channel/browser use.


C. C. Tang

Feb 2, 2017, 5:01:45 AM2/2/17
to CAS Community, rb...@uvic.ca

> Isn't it supposed to be "cas.httpClient.truststore.file"?  (Also ...truststore.psw and ...truststore.type.)
I tried this but it still does not work (same error from CAS).
I was following the guide at https://apereo.github.io/cas/4.2.x/installation/Configuring-Proxy-Authentication.html and it was http.client.* anyway...

> We also have the certificate defined in Tomcat's server.xml that runs CAS though I think that's more for front-channel/browser use.
In fact I am not very familiar with Tomcat. Could you point me to some reference on how to set this up?

Thanks a lot.
C.C.


Ben Howell-Thomas

Feb 3, 2017, 5:57:13 AM2/3/17
to cas-...@apereo.org, rb...@uvic.ca
In Tomcat's conf/server.xml you'll have a <Connector> tag.  You can specify the keys and CA cert Tomcat will use there, e.g.:

<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
   SSLEnabled="true" scheme="https" secure="true"
   sslProtocol="TLSv1.2"
  keystoreFile="C:\some_path\certs\keystore.p12"
  keystoreType="PKCS12" keystorePass="your password"
  truststoreFile="C:\some_path\certs\ca-truststore.p12"
  truststoreType="PKCS12" truststorePass="your password"
  sslEnabledProtocols="TLSv1.2"
  />

I've removed some of the options we have for brevity.
The keystoreFile and truststoreFile are obviously the most important parts.  Hopefully that'll be enough to help you google for the appropriate config for your certificate type in case you don't use PKCS12.

On 2 February 2017 at 10:01, C. C. Tang <hiy...@gmail.com> wrote:

>> Isn't it supposed to be "cas.httpClient.truststore.file"?  (Also ...truststore.psw and ...truststore.type.)
> I tried this but it still does not work (same error from CAS).
> I was following the guide at https://apereo.github.io/cas/4.2.x/installation/Configuring-Proxy-Authentication.html and it was http.client.* anyway...
>
>> We also have the certificate defined in Tomcat's server.xml that runs CAS though I think that's more for front-channel/browser use.
> In fact I am not very familiar with Tomcat. Could you point me to some reference on how to set this up?
>
> Thanks a lot.
> C.C.
