I've deployed my system to our UAT environment, and am now getting a 'Connection refused' error. The URL is:
http://xxx.xxx.xxx/cas/services/j_acegi_cas_security_check?ticket=ST-1-NVRIepgTV3dO1DaBwljK-cas
I'm sure that there is a misconfiguration somewhere, but not sure how to debug? Any suggestions appreciated!
Thank you,
Mark
--
You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
That's a layer 4 (TCP) problem. A connection refused exception is
thrown when the server-side socket sends a RST packet in response to a
client SYN, in other words "this port is closed, go away." This is
commonly caused by firewall or networking misconfiguration.
> http://xxx.xxx.xxx/cas/services/j_acegi_cas_security_check?ticket=ST-1-NVRIepgTV3dO1DaBwljK-cas
This is effectively loopback communication from the CAS server to
itself. Make sure that the host allows communication to itself, which
depending on your environment could be more complicated than loopback if
you have any kind of load balancer or reverse proxy in the mix.
I also note the http scheme in the URL above. We strongly recommend SSL
across the board for CAS client-server communication.
> I'm sure that there is a misconfiguration somewhere, but not sure
> how to debug?
tcpdump is your friend here.
M
Thanks for the response. I think there is a problem because our testing server has Apache in the front as a proxy. If someone could help me get by giving me some pointers, I would be forever grateful. Some of the config I'm not too sure of, as I didn't set up the Apache server which is in place and acting as a proxy to the Tomcat server where my app is deployed. Please see below for all the debugging info I thought was relevant, and if more is needed I would be happy to get it.
btw - I am not using SSL.
Thank you so very much!
Mark
I see in the logs:
WHO: xxx
WHAT: ST-1-wkrti4We3qhpY4eVrOEK-cas for http://xyzserver/cas/services/j_acegi_cas_security_check
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Mar 26 13:21:42 EDT 2012
CLIENT IP ADDRESS: 1.1.126.248 (external IP #1 of apache server)
SERVER IP ADDRESS: unknown
However, if I run /sbin/ifconfig I get:
inet addr:192.168.x.y
and later on in the catalina.out log:
2012-03-26 13:21:42,072 DEBUG [org.springframework.security.cas.web.CasAuthenticationFilter] - <Request is to process authentication>
2012-03-26 13:21:42,073 DEBUG [org.springframework.security.authentication.ProviderManager] - <Authentication attempt using org.springframework.security.cas.authentication.CasAuthenticationProvider>
2012-03-26 13:21:42,073 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - <Placing URL parameters in map.>
2012-03-26 13:21:42,073 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - <Calling template URL attribute map.>
2012-03-26 13:21:42,073 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - <Loading custom parameters from configuration.>
2012-03-26 13:21:42,073 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - <Constructing validation url: http://xyzserver/cas/serviceValidate?ticket=ST-1-wkrti4We3qhpY4eVrOEK-cas&service=http%3A%2F%2Fxyzserver%2Fcas%2Fservices%2Fj_acegi_cas_security_check>
2012-03-26 13:21:42,073 DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - <Retrieving response from server.>
2012-03-26 13:21:42,123 ERROR [org.jasig.cas.client.util.CommonUtils] - <Connection refused>
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
When I ssh into the testing server, I go to a different external IP (say 1.1.126.224), so there must be a DNS mapping in place to go from xyzserver to 1.1.126.248, which I guess makes sense.
One thing I did notice is that I *cannot* go to 1.1.126.248 directly; I can only get there via the DNS name, http://xyzserver.
Here is my cas.properties:
server.prefix=http://xyzserver/cas
cas.securityContext.serviceProperties.service=${server.prefix}/services/j_acegi_cas_security_check
# Names of roles allowed to access the CAS service manager
cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${server.prefix}/login
cas.securityContext.ticketValidator.casServerUrlPrefix=${server.prefix}
and finally the filter snippet from web.xml:
<filter xmlns="">
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>http://xyzserver/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://xyzserver</param-value>
  </init-param>
</filter>
<filter xmlns="">
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>http://xyzserver/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://xyzserver</param-value>
  </init-param>
  <init-param>
    <param-name>redirectAfterValidation</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<filter xmlns="">
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter xmlns="">
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping xmlns="">
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping xmlns="">
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping xmlns="">
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping xmlns="">
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
Thanks again,
Mark
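
The layer 4 check discussed in this thread, as an added example (not part of any poster's message and not CAS project code): it pulls the validation URL out of the CAS client's DEBUG line, resolves the host name as the local machine sees it, and reports whether each address accepts, refuses (RST) or never answers a TCP connect. The function names `validation_endpoint` and `probe` are made up for this example.

```python
import re
import socket
from urllib.parse import urlsplit

# Copied from the catalina.out excerpt in the thread (timestamp and logger name trimmed).
SAMPLE_LOG = (
    "<Constructing validation url: http://xyzserver/cas/serviceValidate"
    "?ticket=ST-1-wkrti4We3qhpY4eVrOEK-cas"
    "&service=http%3A%2F%2Fxyzserver%2Fcas%2Fservices%2Fj_acegi_cas_security_check>"
)

def validation_endpoint(log_line):
    """Return (scheme, host, port) that the CAS client connects to, or None."""
    match = re.search(r"Constructing validation url: (\S+?)>", log_line)
    if match is None:
        return None
    url = urlsplit(match.group(1))
    port = url.port or {"http": 80, "https": 443}[url.scheme]
    return url.scheme, url.hostname, port

def probe(host, port, timeout=3.0):
    """Resolve host as this machine sees it and try a TCP connect to each address."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [("-", f"dns-failure: {exc}")]
    results = []
    for family, socktype, proto, _canon, sockaddr in infos:
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            verdict = "open"
        except ConnectionRefusedError:
            verdict = "refused"   # RST received: no listener, or a rejecting firewall rule
        except socket.timeout:
            verdict = "timeout"   # no answer at all: SYN dropped or address unroutable
        except OSError as exc:
            verdict = f"error: {exc.strerror}"
        finally:
            sock.close()
        results.append((sockaddr[0], verdict))
    return results

if __name__ == "__main__":
    scheme, host, port = validation_endpoint(SAMPLE_LOG)
    print(f"validation endpoint: {scheme}://{host}:{port}")
    for address, verdict in probe(host, port):
        print(f"  {host} -> {address}: {verdict}")
```

Run it on the Tomcat host itself: a "refused" verdict for the address that xyzserver resolves to there matches the `java.net.ConnectException` in catalina.out.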