[cas-user] ConnectException: Connection refused

Mark

Mar 25, 2012, 9:25:18 AM
to cas-...@lists.jasig.org
Hi,

I've deployed my system to our UAT environment, and am now getting a 'Connection refused' error. The URL is:

http://xxx.xxx.xxx/cas/services/j_acegi_cas_security_check?ticket=ST-1-NVRIepgTV3dO1DaBwljK-cas

I'm sure that there is a misconfiguration somewhere, but not sure how to debug? Any suggestions appreciated!

Thank you,

Mark
--
You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

b savage

Mar 25, 2012, 3:08:11 PM
to cas-...@lists.jasig.org
Hi,

Recheck that the URLs are correct in your cas.properties file. For example, that you are specifying the port after the fully qualified domain name of your UAT host.

If the connection error happens to be due to an SSL trust issue, practical tips and debugging steps are here:

Welcome to come back with more information for folks to go on - such as a fuller context/dump of the error (is the connection refused logged in catalina.out?), a publicly-consumable version of your cas.properties, cas version.

Regards,
Brian

On Sun, Mar 25, 2012 at 9:25 AM, Mark <mwasch...@gmail.com> wrote:
Hi,

I've deployed my system to our UAT environment, and am now getting a 'Connection refused' error. The URL is:

http://xxx.xxx.xxx/cas/services/j_acegi_cas_security_check?ticket=ST-1-NVRIepgTV3dO1DaBwljK-cas

I'm sure that there is a misconfiguration somewhere, but not sure how to debug? Any suggestions appreciated!

Thank you,

Mark

Marvin S. Addison

Mar 26, 2012, 9:37:40 AM
to cas-...@lists.jasig.org
> I've deployed my system to our UAT environment, and am now getting a
> 'Connection refused' error. The URL is:

That's a layer 4 (TCP) problem. A connection refused exception is
thrown when the server-side socket sends a RST packet in response to a
client SYN, in other words "this port is closed, go away." This is
commonly caused by firewall or networking misconfiguration.

> http://xxx.xxx.xxx/cas/services/j_acegi_cas_security_check?ticket=ST-1-NVRIepgTV3dO1DaBwljK-cas

This is effectively loopback communication from the CAS server to
itself. Make sure that the host allows communication to itself, which
depending on your environment could be more complicated than loopback if
you have any kind of load balancer or reverse proxy in the mix.

I also note the http scheme in the URL above. We strongly recommend SSL
across the board for CAS client-server communication.

> I'm sure that there is a misconfiguration somewhere, but not sure
> how to debug?

tcpdump is your friend here.

M

Mark

Mar 26, 2012, 2:28:14 PM
to cas-...@lists.jasig.org
Hi,

Thanks for the response. I think there is a problem because our testing server has apache in the front as a proxy. If someone could help me get by giving me some pointers, I would be forever grateful. Some of the config I'm not too sure of as I didn't set up the apache server which is in place and acting as a proxy to the tomcat server where my app is deployed. Please see below for all the debugging info I thought was relevant, and if more is needed I would be happy to get it.

btw - I am not using SSL.

Thank you so very much!

Mark


I see in the logs:

WHO: xxx
WHAT: ST-1-wkrti4We3qhpY4eVrOEK-cas for http://xyzserver/cas/services/j_acegi_cas_security_check
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Mar 26 13:21:42 EDT 2012
CLIENT IP ADDRESS: 1.1.126.248 (external IP #1 of apache server)
SERVER IP ADDRESS: unknown

However, if I run /sbin/ifconfig I get:

inet addr:192.168.x.y


and later on in the catalina.out log:
2012-03-26 13:21:42,072 DEBUG [org.springframework.security.cas.web.CasAuthenticationFilter] - <Request is to process authentication>
2012-03-26 13:21:42,073 DEBUG [org.springframework.security.authentication.ProviderManager] - <Authentication attempt using org.springframework.security.cas.authentication.CasAuthenticationProvider>
2012-03-26 13:21:42,073 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - <Placing URL parameters in map.>
2012-03-26 13:21:42,073 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - <Calling template URL attribute map.>
2012-03-26 13:21:42,073 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - <Loading custom parameters from configuration.>
2012-03-26 13:21:42,073 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - <Constructing validation url: http://xyzserver/cas/serviceValidate?ticket=ST-1-wkrti4We3qhpY4eVrOEK-cas&service=http%3A%2F%2Fxyzserver%2Fcas%2Fservices%2Fj_acegi_cas_security_check>
2012-03-26 13:21:42,073 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - <Retrieving response from server.>
2012-03-26 13:21:42,123 ERROR [org.jasig.cas.client.util.CommonUtils] - <Connection refused>
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)

When I ssh into the testing server, I go to a different external IP (say 1.1.126.224), so there must be a DNS mapping in place to go from xyzserver to 1.1.126.248, which I guess makes sense.

One thing I did notice is that I *cannot* go to 1.1.126.248 directly, I can only get there via the DNS name, http://xyzserver.


Here is my cas.properties:
server.prefix=http://xyzserver/cas

cas.securityContext.serviceProperties.service=${server.prefix}/services/j_acegi_cas_security_check
# Names of roles allowed to access the CAS service manager
cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${server.prefix}/login
cas.securityContext.ticketValidator.casServerUrlPrefix=${server.prefix}


and finally the filter snippet from web.xml:

<filter xmlns="">
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>http://xyzserver/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://xyzserver</param-value>
    </init-param>
</filter>

<filter xmlns="">
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>http://xyzserver/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://xyzserver</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<filter xmlns="">
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter xmlns="">
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>

<filter-mapping xmlns="">
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping xmlns="">
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping xmlns="">
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping xmlns="">
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Mark

Mar 26, 2012, 2:47:12 PM
to cas-...@lists.jasig.org
Ah, OK, thank you. I think that is the case; a reverse proxy of some kind must be in place. Do I need to modify the apache proxy server to accomplish this?

Thanks again,

Mark
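
Added example (not part of the thread and not CAS project code): a small Python probe, meant to be run on the Tomcat host itself, that resolves the host in casServerUrlPrefix and classifies the TCP connect the ticket validator would make, separating the "refused" (RST) case discussed above from a timeout or a DNS failure. The function names are assumptions of this example; `http://xyzserver/cas` is the prefix quoted in the thread.

```python
import errno
import socket
from urllib.parse import urlsplit

def endpoint_from_prefix(prefix):
    """Return the (host, port) a validator using this URL prefix connects to."""
    parts = urlsplit(prefix)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) URL: %r" % prefix)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port

def probe(host, port, timeout=3.0):
    """Try a TCP connect to every address the name resolves to, from this host.

    Returns a list of (address, verdict); verdict is 'open', 'refused',
    'timeout' or 'error:<ERRNO>'. A failed lookup gives [(None, 'dns-failure')].
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return [(None, "dns-failure")]
    results = []
    for family, socktype, proto, _, sockaddr in infos:
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(sockaddr)
                verdict = "open"
            except ConnectionRefusedError:
                verdict = "refused"   # SYN answered with RST: nothing listening here
            except socket.timeout:
                verdict = "timeout"   # SYN got no answer: usually filtered or unroutable
            except OSError as exc:
                verdict = "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
        results.append((sockaddr[0], verdict))
    return results

def check_prefix(prefix):
    """Resolve and probe the endpoint behind a casServerUrlPrefix value."""
    host, port = endpoint_from_prefix(prefix)
    return host, port, probe(host, port)

if __name__ == "__main__":
    import sys
    host, port, results = check_prefix(sys.argv[1])   # e.g. http://xyzserver/cas
    for addr, verdict in results:
        print("%s:%d -> %s  %s" % (host, port, addr, verdict))
```

Comparing the address it prints with the host's own interface address shows whether the back-channel validation call is leaving the box toward the proxy's external address rather than reaching Tomcat locally.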
