[cas-user] Cas-Service-Management-Overlay still not working (more info)


Conan Malone

May 26, 2016, 5:11:02 AM
To: CAS Community
Hi,

I'm making a new post as I feel there maybe wasn't enough information in my last one for anyone to help me out.

I have downloaded the cas-overlay-template and cas-service-management-overlay (4.2.2), copied the correct files to /etc/cas/ and ran mvnw clean package on both of them with build success so that all seems fine.  (both deployed in tomcat as ROOT.war and cas-services.war).

I can go to https://mycasdomain.com/ and it goes to the login page, I can then log in with casuser,Mellon and this works fine (also can do RADIUS authentication).  My problem seems to be with the cas-services-management as when I go to https://mycasdomain.com/cas-services/ (looking at network on chrome) I get redirected to manage.html which redirects to the login page as expected with url 'https://mycasdomain/login?service=https%3A%2F%2Fmycasdomain%2Fcas-services%2Fcallback%3Fclient_name%3DCasClient'.  The page has the 'Services Management Web Application' box at the top so I assume services are correctly set up.  I then log in with casuser,Mellon and get 'The CAS management webapp is unavailable' screen.


But looking through logs I find that I get a HTTP status 403 just before I get the 500 on a different address which is https://mycasdomain.com/p3/serviceValidate?ticket=ST-7-1df43YSsUctajcAt1miS-mycasdomain.com&service=https%3A%2F%2Fmycasdomain.com%2Fcas-services%2Fcallback%3Fclient_name%3DCasClient'.  If I put this address in my browser I get presented with 

----------------------------------------------------------------------------------

<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<cas:authenticationSuccess>
<cas:user>casuser</cas:user>
<cas:attributes>
<cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
<cas:isFromNewLogin>true</cas:isFromNewLogin>
<cas:authenticationDate>2016-05-26T09:53:00.011+01:00</cas:authenticationDate>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>

----------------------------------------------------------------------------------

I'll put snippets from the parts I have changed in cas.properties, cas-management.properties below.  Can someone have a look through this and see if I am missing anything?  

p.s. I also have my CAS server behind a load balancer so it needs to go out the network to https://mycasdomain.com/ and come back in through the load balancer back to the CAS server.. But I was thinking if there is a problem with this surely the normal cas login wouldn't work?

Thanks in advance,
Conan


----------------------snippets and logs----------------------

server.prefix=${server.name}

# security configuration based on IP address to access the /status and /statistics pages
cas.securityContext.adminpages.ip=127\.0\.0\.1


##
# Unique CAS node name
# host.name is used to generate unique Service Ticket IDs and SAMLArtifacts.  This is usually set to the specific
# hostname of the machine running the CAS node, but it could be any label so long as it is unique in the cluster.

----------------------

# CAS
cas.prefix=${cas.host}
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${cas.prefix}/login

# Management
cas-management.host=${cas.host}
cas-management.prefix=${cas-management.host}/cas-services
cas-management.securityContext.serviceProperties.service=${cas-management.prefix}/callback

# Security
cas-management.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
pac4j.callback.defaultUrl=/manage.html

# views
cas-management.viewResolver.basename=default_views

##
# User details file location that contains list of users
# who are allowed access to the management webapp:
#
user.details.file.location = file:/etc/cas/user-details.properties

##
# JSON Service Registry
#
# Directory location where JSON service files may be found.
service.registry.config.location=file:/etc/cas/services

----------------------

2016-05-26 10:05:23,048 ERROR [org.jasig.cas.client.util.CommonUtils] - Server returned HTTP response code: 403 for URL: https://mycasdomain.com/p3/serviceValidate?ticket=ST-9-MbZeb0hglH5p4OW3HUAn-mycasdomain.com&service=https%3A%2F%2Fmycasdomain.com%2Fcas-services%2Fcallback%3Fclient_name%3DCasClient
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
        at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:431)
        at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
        at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
        at org.pac4j.cas.client.CasClient.retrieveUserProfile(CasClient.java:321)
        at org.pac4j.cas.client.CasClient.retrieveUserProfile(CasClient.java:83)
        at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:99)
        at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:48)
        at org.pac4j.springframework.web.CallbackController.callback(CallbackController.java:81)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:222)
        at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:137)
        at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:814)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:737)
        at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)




--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f4f814e4-0dac-4996-ab4d-ac795b3848aa%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

Misagh Moayyed

May 26, 2016, 12:53:40 PM
To: CAS Community

Does the CAS server produce any logs when it attempts to validate that ticket? Can you log into any other apps beside the management webapp?


Conan Malone

May 27, 2016, 3:33:54 AM
To: CAS Community, mmoa...@unicon.net
cas.log shows nothing at all and cas-management.log shows the '[org.jasig.cas.client.util.CommonUtils] - Server returned HTTP response code: 403 for URL:' error that I posted above.  The only apps I have installed right now are cas and the management app; I can log into CAS fine with casuser and it goes to the 'Login successful' page.

Daniel Alzate

January 19, 2017, 4:42:38 PM
To: CAS Community, mmoa...@unicon.net
Hi,

I'm new to CAS and also the community.

I have a new CAS setup working, but I'm facing this same problem reported by Conan. I wonder if you found a solution or the cause of this issue?


Best regards.

Daniel.


Didier Capdevielle

April 7, 2017, 8:47:04 AM
To: CAS Community, mmoa...@unicon.net
Hi everybody,

I'm a newbie too in CAS and I have the same problem.

I installed a CAS server 4.2.7 with Maven War Overlay, OpenJDK 7 and Tomcat8.
I installed an Apache Server to redirect requests with AJP.

Directly using CAS, no problem.

But using CAS via an application (IdP for example), the same problem occurs.
Login is OK but ServiceValidate is forbidden.

Here are the logs from Apache ssl_access.log:

147.210.233.170 - - [07/Apr/2017:14:01:36 +0200] "GET /cas/login?service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1&entityId=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy HTTP/1.1" 200 9705 "https://idp-ubx.u-bordeaux.fr/WTST/wayf.php?entityID=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy&return=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy%2FShibboleth.sso%2FWAYF%3FSAMLDS%3D1%26target%3Dcookie%253A1491566493_4fae" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
147.210.233.170 - - [07/Apr/2017:14:01:45 +0200] "POST /cas/login?service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1&entityId=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy HTTP/1.1" 302 1429 "https://cas3.u-bordeaux.fr/cas/login?service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1&entityId=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
172.29.52.88 - - [07/Apr/2017:14:01:45 +0200] "GET /cas/serviceValidate?ticket=ST-4-b9WKP1g9E5K0rgXe5Nwj-cas-ubx&service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1 HTTP/1.1" 403 406 "-" "Java/1.7.0_121"

Looking at the messages, it seems like browser user agents are authorized but the Java user agent (Java/1.7.0_121), and probably other non-browser agents, is blocked.

Are one or more certificates missing? If yes, where and what kind of certificates? What else?

Thanks for your help!
Best regards,

Didier Capdevielle

April 11, 2017, 7:38:25 AM
To: CAS Community, mmoa...@unicon.net
Hi everybody,

I'll answer myself.
The problem was in the server.xml access valve (it is necessary to declare the application server's IP or to uncomment the valve).

Hope this helps!
Best regards,
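As an added example (not code from this thread or from the CAS project), the triage script below reads Apache combined-format access log lines like the ones posted above, pulls out the back-channel serviceValidate calls that were answered 403, and checks the calling IP against a Tomcat RemoteAddrValve-style `allow` pattern (which must match the whole address). The log lines and the allow patterns are constructed for the example.

```python
import re

# Apache combined log format, as in the ssl_access.log excerpt in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines modelled on the thread (not the poster's real log):
# a browser login that succeeds, then the application server's back-channel
# ticket validations that the Tomcat access valve rejects with 403.
SAMPLE_LOG = [
    '147.210.233.170 - - [07/Apr/2017:14:01:45 +0200] "POST /cas/login?service=https%3A%2F%2Fapp.example%2Fcallback HTTP/1.1" 302 1429 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) Chrome/57.0"',
    '172.29.52.88 - - [07/Apr/2017:14:01:45 +0200] "GET /cas/serviceValidate?ticket=ST-4-EXAMPLE-cas-ubx&service=https%3A%2F%2Fapp.example%2Fcallback HTTP/1.1" 403 406 "-" "Java/1.7.0_121"',
    '172.29.52.88 - - [07/Apr/2017:14:02:10 +0200] "GET /cas/p3/serviceValidate?ticket=ST-5-EXAMPLE-cas-ubx&service=https%3A%2F%2Fapp.example%2Fcallback HTTP/1.1" 403 406 "-" "Java/1.7.0_121"',
]

# CAS ticket-validation endpoints seen in the thread (CAS 2 and CAS 3 variants).
VALIDATE_PATH_RE = re.compile(r"/(p3/)?serviceValidate$")


def parse_log(lines):
    """Parse combined-format lines; lines that do not match are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(l) for l in lines) if m]


def blocked_validations(lines):
    """Return (client ip, user agent, path) for ticket validations answered 403.
    These are server-to-server calls from the application, not the user's
    browser, so the client IP here is the one an IP-based valve must allow."""
    hits = []
    for e in parse_log(lines):
        path = e["path"].split("?", 1)[0]
        if e["status"] == "403" and VALIDATE_PATH_RE.search(path):
            hits.append((e["ip"], e["ua"], path))
    return hits


def valve_allows(allow_regex, ip):
    """Mimic Tomcat's RemoteAddrValve: the 'allow' regex must match the whole address."""
    return re.fullmatch(allow_regex, ip) is not None


def validators_missing_from_allow(lines, allow_regex):
    """Distinct blocked validator IPs that the given allow pattern would still reject."""
    return sorted({ip for ip, _, _ in blocked_validations(lines) if not valve_allows(allow_regex, ip)})


if __name__ == "__main__":
    loopback_only = r"127\.\d+\.\d+\.\d+|::1"          # typical valve that only admits localhost
    print(validators_missing_from_allow(SAMPLE_LOG, loopback_only))                        # ['172.29.52.88']
    print(validators_missing_from_allow(SAMPLE_LOG, loopback_only + r"|172\.29\.52\.88"))  # []
```

Any IP the first call prints is one the valve's `allow` attribute does not cover; once it is added, the second form of the call returns an empty list.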

maxime.e...@gmail.com

April 26, 2018, 3:14:33 PM
To: jasig-cas-user
Hello Didier,

Could you please detail your answer about your changes in the server.xml file, be it about the application server IP or the "uncomment valve" part?

Thanks :)