Re: [cas-user] exception thrown when tickets expire, but expiring seems normal


Scott Battaglia

Aug 20, 2012, 9:19:35 AM
to cas-...@lists.jasig.org
Hi, 

Is this error every time a ticket expires or every time you try to use an expired ticket?

Thanks
Scott


On Thu, Aug 16, 2012 at 11:08 AM, Ken Hohl <kennet...@us.thewg.com> wrote:
We're using CAS 3.4.2.1 on JBoss5 clustered with JBossCache3.  Every time a ticket expires we get the following error in our log (I have filtered out all the apache, spring, etc entries) and left just CAS and our customization entries (none of which exist for this error).

Our confusion is that this does not seem like an error but normal operation.  In addition, the stack dump is quite long and this occurs pretty frequently.

Since we are not experiencing any functionality issues, we are not terribly concerned, but would like to both ensure there is not something wrong that is not obvious and reduce the size of our logs.

2012-08-15 11:42:49,489 ERROR [org.jasig.cas.integration.restlet.TicketGrantingTicketResource] (ajp-10.208.55.108-8009-4)
org.jasig.cas.ticket.InvalidTicketException
        at org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket_aroundBody2(CentralAuthenticationServiceImpl.java:181)
        at org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket_aroundBody3$advice(CentralAuthenticationServiceImpl.java:44)
        at org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket(CentralAuthenticationServiceImpl.java:1)
        at org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket_aroundBody4(CentralAuthenticationServiceImpl.java:244)
        at org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket_aroundBody5$advice(CentralAuthenticationServiceImpl.java:44)
        at org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket(CentralAuthenticationServiceImpl.java:1)
        at org.jasig.cas.integration.restlet.TicketGrantingTicketResource.acceptRepresentation(TicketGrantingTicketResource.java:78)

--
You are currently subscribed to cas-...@lists.jasig.org as: scott.b...@gmail.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user


Ken Hohl

Aug 21, 2012, 11:33:42 AM
to cas-...@lists.jasig.org
Every time we try to use an expired ticket. Code snippet below. Note the block that throws an exception if the ticket is expired. The problem is that nothing seems to catch this exception and deal with it more gracefully than logging an error with a full stack.

@Audit(
    action="SERVICE_TICKET",
    actionResolverName="GRANT_SERVICE_TICKET_RESOLVER",
    resourceResolverName="GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
@Profiled(tag="GRANT_SERVICE_TICKET", logFailuresSeparately = false)
@Transactional(readOnly = false)
public String grantServiceTicket(final String ticketGrantingTicketId, final Service service, final Credentials credentials) throws TicketException {

    Assert.notNull(ticketGrantingTicketId, "ticketGrantingticketId cannot be null");
    Assert.notNull(service, "service cannot be null");

    final TicketGrantingTicket ticketGrantingTicket;
    ticketGrantingTicket = (TicketGrantingTicket) this.ticketRegistry.getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);

    // Unknown ticket id: nothing in the registry to grant against.
    if (ticketGrantingTicket == null) {
        throw new InvalidTicketException();
    }

    synchronized (ticketGrantingTicket) {
        // Expired ticket: remove it from the registry, then reject the request.
        if (ticketGrantingTicket.isExpired()) {
            this.ticketRegistry.deleteTicket(ticketGrantingTicketId);
            throw new InvalidTicketException();
        }
    }

Scott Battaglia

Aug 21, 2012, 3:44:55 PM
to cas-...@lists.jasig.org
The WebFlow action is probably logging it.  We can reduce the logging there as we don't expect you to do anything with it.

Can you log an improvement issue for that and assign it to me?

Thanks
Scott


Ken Hohl

Aug 22, 2012, 10:32:41 AM
to cas-...@lists.jasig.org
Great. Thank you. Issue link below. It does not seem as if I can assign to you though.

https://issues.jasig.org/browse/CAS-1169

Scott Battaglia

Aug 22, 2012, 10:34:59 AM
to cas-...@lists.jasig.org
No worries, I assigned it to me myself!

Thanks



Nemanja Guzina

Aug 26, 2012, 4:15:51 PM
to cas-...@lists.jasig.org
Hi Scott,
I have one question about SSO and CAS.
I'm implementing CAS into widely used apps, and I have one request:
is it possible, for example:
One application (APP1) is authenticated via CAS, and it tries to access a second app (APP2) via a web service, and authentication must be handled automatically via CAS because they are both connected to the same CAS server?
Thanks in advance.

Nemanja Guzina translations.com

Nemanja Guzina

Aug 26, 2012, 4:17:01 PM
to cas-...@lists.jasig.org
BTW app is using Spring.


From: Nemanja Guzina <nemanj...@yahoo.com>
To: "cas-...@lists.jasig.org" <cas-...@lists.jasig.org>
Sent: Sunday, August 26, 2012 10:15 PM
Subject: CAS web services question

Scott Battaglia

Aug 27, 2012, 8:28:49 AM
to cas-...@lists.jasig.org
Nemanja,

It sounds like you need to look at proxy authentication.  Have you looked into that?

Cheers,
Scott



Nemanja Guzina

Aug 27, 2012, 9:11:17 AM
to cas-...@lists.jasig.org
Yes, but my case is a bit different.
The user is already authenticated into APP1, and APP1 addresses APP2 via WebService. At that point, I don't have a username or password.

best,
Nemanja Guzina translations.com 



Philippe MARASSE

Aug 27, 2012, 10:22:58 AM
to cas-...@lists.jasig.org
On 27/08/2012 15:11, Nemanja Guzina wrote:
> Yes, but my case is a bit different,
> User is already authenticated into APP1 and that APP1 addresses APP2 via WebService. In that point, I don't have username or password.

If App1 needs credentials of User to access App2 (as far as WebService is CAS-aware), then I think proxy (on App1) is the behavior you're looking for.

Rgds.
-- 
Philippe MARASSE

Service Informatique - Centre Hospitalier Henri Laborit
BP 587 - 370 avenue Jacques Coeur 
86021 Poitiers Cedex
Tel : 05.49.44.57.19

Nemanja Guzina

Aug 27, 2012, 1:24:37 PM
to cas-...@lists.jasig.org
Thanks for the response, but I don't know if I'm following you.
Does that mean that I'll have to change the authentication mechanism in APP1 (switch to proxy authentication) in order to access APP2?
I need to access APP2 via WebService and via browser without authenticating the user again.

Thanks, 
Nemanja Guzina, www.translations.com 



Philippe MARASSE

Aug 28, 2012, 3:07:10 AM
to cas-...@lists.jasig.org
On 27/08/2012 19:24, Nemanja Guzina wrote:
> Thanks for response, but I don't know if I'm following you.
> Does that mean that I'll have to change authentication mechanism in APP1(switch to proxy authentication) in order to access to APP2?

If App1 has to use the web service of App2 as "User", IMHO the answer is yes.

> I need to access APP2 via WebService and via browser without authenticating user again.

The web service on App2 needs to be cassified!


Nemanja Guzina

Aug 28, 2012, 3:45:24 AM
to cas-...@lists.jasig.org
Thanks Philippe,
So does that mean that if I switch to proxy authentication I will be able to use SSO via CAS by switching from APP1 to APP2 by browser, and using web services of APP2 from APP1?

Many thanks
Nemanja Guzina www.translations.com


Nemanja Guzina

Aug 28, 2012, 12:30:00 PM
to cas-...@lists.jasig.org
And if it is possible, does that mean that we will have to send credentials via REST?


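Added example (not part of any message in this thread, and not code from the CAS project): the CAS 2.0 proxy-ticket exchange the replies point to, in which APP1 presents a proxy-granting ticket rather than the user's password and APP2 checks the proxy chain before trusting the user name. Host names, ticket values and XML bodies are constructed; `CasError`, the function names and the `MALFORMED`/`UNTRUSTED_PROXY` codes are local to the example, while `/proxy`, `targetService`, `BAD_PGT` and the `cas:` elements come from the CAS 2.0 protocol.

```python
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}
WRAP = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">%s</cas:serviceResponse>'
# Constructed sample responses (not captured from a real CAS server).
PROXY_OK = WRAP % ("<cas:proxySuccess><cas:proxyTicket>PT-1-constructed"
                   "</cas:proxyTicket></cas:proxySuccess>")
PROXY_BAD_PGT = WRAP % '<cas:proxyFailure code="BAD_PGT">unrecognized pgt</cas:proxyFailure>'
VALIDATE_OK = WRAP % ("<cas:authenticationSuccess><cas:user>jdoe</cas:user><cas:proxies>"
                      "<cas:proxy>https://app1.example.org/pgtCallback</cas:proxy>"
                      "</cas:proxies></cas:authenticationSuccess>")

class CasError(Exception):
    """Failure reported by CAS, or a local check (MALFORMED, UNTRUSTED_PROXY)."""
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code

def _raise_on_failure(root, tag):
    failure = root.find(tag, NS)
    if failure is not None:
        raise CasError(failure.get("code"), (failure.text or "").strip())

def proxy_url(cas_base, pgt, target_service):
    """APP1 -> CAS: trade the PGT (no user password involved) for a proxy ticket."""
    return f"{cas_base}/proxy?" + urlencode({"pgt": pgt, "targetService": target_service})

def parse_proxy(xml_text):
    """Return the proxy ticket; an invalid PGT surfaces as CasError with code BAD_PGT."""
    root = ET.fromstring(xml_text)
    _raise_on_failure(root, "cas:proxyFailure")
    ticket = root.findtext("cas:proxySuccess/cas:proxyTicket", namespaces=NS)
    if not ticket:
        raise CasError("MALFORMED", "no proxyTicket in response")
    return ticket.strip()

def parse_proxy_validate(xml_text, trusted_proxies):
    """APP2 side: accept the user only if every proxy callback URL is allowlisted.
    Assumption: this endpoint is reached only through proxies, so an empty chain fails."""
    root = ET.fromstring(xml_text)
    _raise_on_failure(root, "cas:authenticationFailure")
    base = "cas:authenticationSuccess/"
    user = root.findtext(base + "cas:user", namespaces=NS)
    chain = [(p.text or "").strip() for p in root.findall(base + "cas:proxies/cas:proxy", NS)]
    if not user or not chain or any(p not in trusted_proxies for p in chain):
        raise CasError("UNTRUSTED_PROXY", f"user={user!r} chain={chain}")
    return user.strip()
```

Handling `BAD_PGT` as an expected outcome in the caller (re-authenticate, log one line) avoids the kind of full stack trace for a routine expiry that the first part of this thread describes.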