Application Not Authorized to Use CAS


marco.bencivenni

Apr 14, 2011, 12:08:10 PM
to casshib
Dear all,

I installed casshib in order to interface with a SAML IDP.
When I try to connect to the IDP using casshib (https://
halfback.cnaf.infn.it:9494/casshib/shib/app1/login) I'm correctly
redirected to the login page of the IDP, but if I try to log in with my
credentials I get a page with the following message:
"Application Not Authorized to Use CAS
The application you attempted to authenticate to is not authorized to
use CAS."

But if I read the log of the IDP server I can see that I have been
successfully authenticated by LDAP PWD.

Do you have some suggestions about this problem?

Thanks in advance for your support,
Marco

John Mitchell

Apr 14, 2011, 1:30:45 PM
to cas...@googlegroups.com, marco.bencivenni
Marco,

Did you register the application in the
casshib-service-registrations.xml file? If not, you will need to enter
the allowed URL, an application override id that maps to your
shibboleth2.xml file configuration, and a passcode for the ticket
validation URLs.

> Thanks in advance for your support,
> Marco

--
John P. Mitchell <jpmit...@alaska.edu>
907.450.8320
http://www.alaska.edu/oit/iam

marco.bencivenni

Apr 15, 2011, 8:07:27 AM
to casshib
Hi John,
thanks for your answer, but the file you mentioned was configured
correctly.
Our configuration is below.



- We configured the casshib-service-registration.xml file in this way:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<casShibServiceRegistrations>
<service id="https://hostname:1234/app1/"
appname="app1"
passcode="101" />
</casShibServiceRegistrations>




- And this is the web.xml file of the application app1:

<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">

  <!-- CAS logout URL for logout.jsp -->
  <context-param>
    <param-name>casServerLogoutUrl</param-name>
    <param-value>https://hostname:1234/casshib/shib/app1/logout</param-value>
  </context-param>

  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>https://hostname:1234/casshib/shib/app1/login</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>https://hostname:1234</param-value>
    </init-param>
  </filter>

  <!-- cas 2.0 validator -->
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://hostname:1234/casshib/shib/101</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>https://hostname:1234</param-value>
    </init-param>
  </filter>

  <!-- saml validator -->
  <filter>
    <filter-name>CAS Saml Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://hostname:1234/casshib/shib/101</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>https://hostname:1234</param-value>
    </init-param>
  </filter>

  <filter-mapping>
    <filter-name>CAS Saml Validation Filter</filter-name>
    <url-pattern>/</url-pattern>
    <url-pattern>/index.jsp</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/</url-pattern>
    <url-pattern>/index.jsp</url-pattern>
  </filter-mapping>

  <!-- this filter makes request.getRemoteUser() return the principal name
       from the CAS validation response -->
  <filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

</web-app>




- This is the cas.properties file of casshib:

cas.securityContext.serviceProperties.service=https://hostname:1234/casshib/shib/app1/services/j_acegi_cas_security_check
# Names of roles allowed to access the CAS service manager
cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=https://hostname:1234/casshib/shib/app1/login
cas.securityContext.ticketValidator.casServerUrlPrefix=https://hostname:1234/casshib/shib/app1
cas.securityContext.casProxyTicketValidator.casValidate=https://hostname:1234/casshib/shib/app1/proxyValidate

cas.themeResolver.defaultThemeName=default
cas.viewResolver.basename=default_views

host.name=hostname

#database.hibernate.dialect=org.hibernate.dialect.OracleDialect
#database.hibernate.dialect=org.hibernate.dialect.MySQLDialect
database.hibernate.dialect=org.hibernate.dialect.HSQLDialect




- This is the shibboleth2.xml file:

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">

  <RequestMapper type="Native">
    <RequestMap applicationId="default">

      <Host name="hostname" port="1234" scheme="https">
        <!-- service #1 -->
        <PathRegex regex="casshib/shib/app1"
            applicationId="app1" authType="shibboleth" requireSession="true"/>
        <!-- service #2 -->
        <PathRegex regex="casshib/shib/app2"
            applicationId="app2" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>

  <ApplicationDefaults id="default" policyId="default"
      entityID="https://hostname/shibboleth"
      homeURL="https://hostname/index.html"
      REMOTE_USER="eppn persistent-id targeted-id"
      signing="true" encryption="false">

    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
        relayState="ss:mem" handlerSSL="false">

      <SSO entityID="https://idp.infn.it/saml2/idp/metadata.php"
          discoveryProtocol="SAMLDS" discoveryURL="https://hostname/DS/WAYF">
        SAML2 SAML1
      </SSO>

      <!-- SAML and local-only logout. -->
      <Logout>SAML2 Local</Logout>

      <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
      <Handler type="MetadataGenerator" Location="/Metadata" signing="true"/>

      <!-- Status reporting service. -->
      <Handler type="Status" Location="/Status" acl="127.0.0.1"/>

      <!-- Session diagnostic service. -->
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>

      <!-- JSON feed of discovery information. -->
      <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
    </Sessions>

    <Errors supportContact="root@localhost"
        logoLocation="/shibboleth-sp/logo.jpg"
        styleSheet="/shibboleth-sp/main.css"/>

    <MetadataProvider type="XML" file="our.idp.org-metadata.xml"/>

    <!-- Map to extract attributes from SAML assertions. -->
    <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>

    <!-- Use a SAML query if no attributes are supplied during SSO. -->
    <AttributeResolver type="Query" subjectMatch="true"/>

    <!-- Default filtering policy for recognized attributes, lets other data pass. -->
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- Simple file-based resolver for using a single keypair. -->
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

    <!-- service #1 -->
    <ApplicationOverride id="app1"
        entityID="https://hostname/casshib/app1"
        homeURL="https://app1.hostname/"
        REMOTE_USER="shibattr-uid">
      <!-- NOTE the cookieProps path is different for each service.
           The handlerURL needs to fall within the path of the cookie. -->
      <Sessions lifetime="28800" timeout="3600"
          checkAddress="false"
          handlerURL="/casshib/shib/app1/Shibboleth.sso"
          handlerSSL="true"
          exportLocation="/casshib/shib/app1/Shibboleth.sso/GetAssertion"
          idpHistory="false" idpHistoryDays="7"
          cookieProps="; path=/casshib/shib/app1">
      </Sessions>
    </ApplicationOverride>

    <!-- service #2 -->
    <ApplicationOverride id="app2"
        entityID="https://hostname/casshib/app2"
        homeURL="https://app2.hostname/"
        REMOTE_USER="shibattr-uid">
      <Sessions lifetime="28800" timeout="3600"
          checkAddress="false"
          handlerURL="/casshib/shib/app2/Shibboleth.sso"
          handlerSSL="true"
          exportLocation="/casshib/shib/app2/Shibboleth.sso/GetAssertion"
          idpHistory="false" idpHistoryDays="7"
          cookieProps="; path=/casshib/shib/app2">
      </Sessions>
    </ApplicationOverride>
  </ApplicationDefaults>

  <!-- Policies that determine how to process and authenticate runtime messages. -->
  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

  <!-- Low-level configuration about protocols and bindings available for use. -->
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>




- This is attribute-map.xml:

<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- First some useful eduPerson attributes that many sites might use. -->

  <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>

  <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>

  <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
    <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
  </Attribute>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
    <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
  </Attribute>

  <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>

  <!-- A persistent id attribute that supports personalized anonymous access. -->

  <!-- First, the deprecated/incorrect version, decoded as a scoped string: -->
  <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    <!-- <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder"
         formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> -->
  </Attribute>

  <!-- Second, an alternate decoder that will decode the incorrect form into the newer form. -->
  <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id">
    <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder"
        formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
  </Attribute>

  <!-- Third, the new version (note the OID-style name): -->
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
    <AttributeDecoder xsi:type="NameIDAttributeDecoder"
        formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
  </Attribute>

  <!-- Fourth, the SAML 2.0 NameID Format: -->
  <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
    <AttributeDecoder xsi:type="NameIDAttributeDecoder"
        formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
  </Attribute>

  <!-- Some more eduPerson attributes, uncomment these to use them... -->
  <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
    <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
  </Attribute>

  <Attribute name="urn:mace:dir:attribute-def:uid" id="shibattr-uid"/>

</Attributes>




- This is attribute-policy.xml:

<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Shared rule for affiliation values. -->
  <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
    <Rule xsi:type="AttributeValueString" value="faculty"/>
    <Rule xsi:type="AttributeValueString" value="student"/>
    <Rule xsi:type="AttributeValueString" value="staff"/>
    <Rule xsi:type="AttributeValueString" value="alum"/>
    <Rule xsi:type="AttributeValueString" value="member"/>
    <Rule xsi:type="AttributeValueString" value="affiliate"/>
    <Rule xsi:type="AttributeValueString" value="employee"/>
    <Rule xsi:type="AttributeValueString" value="library-walk-in"/>
  </afp:PermitValueRule>

  <!--
    Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
    an AttributeRule for each attribute you want to check.
  -->
  <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
    <Rule xsi:type="NOT">
      <Rule xsi:type="AttributeValueRegex" regex="@"/>
    </Rule>
    <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"
        xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"/>
  </afp:PermitValueRule>

  <afp:AttributeFilterPolicy>
    <!-- This policy is in effect in all cases. -->
    <afp:PolicyRequirementRule xsi:type="ANY"/>

    <!-- Filter out undefined affiliations and ensure only one primary. -->
    <afp:AttributeRule attributeID="shibattr-affiliation">
      <afp:PermitValueRule xsi:type="AND">
        <RuleReference ref="eduPersonAffiliationValues"/>
        <RuleReference ref="ScopingRules"/>
      </afp:PermitValueRule>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="shibattr-unscoped-affiliation">
      <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="shibattr-primary-affiliation">
      <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="shibattr-eppn">
      <afp:PermitValueRuleReference ref="ScopingRules"/>
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="shibattr-targeted-id">
      <afp:PermitValueRuleReference ref="ScopingRules"/>
    </afp:AttributeRule>

    <!-- Catch-all that passes everything else through unmolested. -->
    <afp:AttributeRule attributeID="*">
      <afp:PermitValueRule xsi:type="ANY"/>
    </afp:AttributeRule>

  </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>




- After Tomcat startup and a login request, this is the log file:

INFO: Starting Coyote HTTP/1.1 on http-127.0.0.1-8585
Apr 15, 2011 10:49:29 AM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /127.0.0.1:8020
Apr 15, 2011 10:49:29 AM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/20 config=null
Apr 15, 2011 10:49:29 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 8105 ms
2011-04-15 10:49:47,896 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Beginning ticket cleanup.>
2011-04-15 10:49:47,900 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <0 tickets found to be removed.>
2011-04-15 10:49:47,901 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Finished ticket cleanup.>
2011-04-15 10:50:18,767 WARN [org.springframework.web.servlet.PageNotFound] - <No mapping found for HTTP request with URI [/casshib/shib/app1/css/cas.css] in DispatcherServlet with name 'cas'>
2011-04-15 10:51:27,998 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading registered services.>
2011-04-15 10:51:27,999 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 2 services.>

marco.bencivenni

Apr 18, 2011, 6:11:54 AM
to casshib
OK, I understand that the mail was too long,
but I can't understand the reason for the failure when everything seems
correctly configured.

Some questions:

- Where can I find the log or increase the log level? Because I can't
find any error message in the logs.

- "The application you attempted to authenticate to is not authorized
to use CAS." --> which application? The Shibboleth IDP that I try to
authenticate against? In this case, do I have to set something on the
IDP server?

Thanks for your support (I hope)

Marco B




John Mitchell

Apr 18, 2011, 1:37:50 PM
to cas...@googlegroups.com
Marco,

On Mon, Apr 18, 2011 at 2:11 AM, marco.bencivenni
<marco.be...@gmail.com> wrote:
> Ok I understand that the mail was too long,
> but I can't understand the reason of failure when all seems correctly
> configured.
>
> Some questions:
>
> - where can I found log or increase the log level? because I can't
> find any error maessage in logs.

You can find some logging in the Java container logging directory.
I think it creates a cas.log. If you look at the cas documentation for
the upstream cas you can find out how to turn up debugging for the
logs. It can be very verbose. Check out the following:

https://wiki.jasig.org/display/CASUM/Logging

>
> - "The application you attempted to authenticate to is not authorized
> to use CAS." --> which application? the IDP shibboleth that I try to
> authenticate against to? In this case I have to set something in IDP
> server?
>

This error seems to be coming from the CAS server. It usually
points to not having the right URL configured in
casshib-service-registration.xml.


--
John P. Mitchell <jpmit...@alaska.edu>
907.450.8320
http://www.alaska.edu/oit/iam

marco.bencivenni

Apr 19, 2011, 7:50:53 AM
to casshib
Hi John,

thanks for your support.

Only one thing: we also have an authorization problem on the management
page: https://halfback.cnaf.infn.it:9494/casshib/services/j_acegi_cas_security_check
The error is "Authorization Failure. You are not authorized to use
this application for the following reason: Failed to provide a CAS
service ticket to validate."
Is it the same problem?

Our cas.properties

cas.securityContext.serviceProperties.service=https://halfback.cnaf.infn.it:9494/casshib/services/j_acegi_cas_security_check
# Names of roles allowed to access the CAS service manager
cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=https://halfback.cnaf.infn.it:9494/casshib/login
cas.securityContext.ticketValidator.casServerUrlPrefix=https://halfback.cnaf.infn.it:9494/casshib
cas.securityContext.casProxyTicketValidator.casValidate=https://halfback.cnaf.infn.it:9494/casshib/proxyValidate

cas.themeResolver.defaultThemeName=default
cas.viewResolver.basename=default_views

host.name=cas
database.hibernate.dialect=org.hibernate.dialect.HSQLDialect


Our casshib-service-registration.xml is

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<casShibServiceRegistrations>
<service id="https://halfback.cnaf.infn.it:9494/app1/"
appname="app1"
passcode="101" />
<service id="https://halfback.cnaf.infn.it:9494/app2/"
appname="app2"
passcode="102" />
</casShibServiceRegistrations>


Marco B


marco.bencivenni

Apr 20, 2011, 8:23:37 AM
to casshib
Dear,

Increasing the log level, we found that the error is:

2011-04-20 14:18:01,246 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Attempting to handle [org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing edu.ucmerced.cas.web.flow.CasShibInitialFlowSetupAction@326cbecf in state 'null' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause [org.jasig.cas.services.UnauthorizedServiceException: The passcode provided is invalid.]>

But we don't understand why the passcode is invalid, because we set it
correctly in the configuration files web.xml and
casshib-service-registration.xml:

casshib-service-registration.xml

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<shibServiceRegistrations>
<service id="https://halfback.cnaf.infn.it:9494/app1/"
appname="app1"
passcode="101"/>
</shibServiceRegistrations>


web.xml

<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://halfback.cnaf.infn.it:9494/casshib/shib/app1/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://halfback.cnaf.infn.it:9494</param-value>
  </init-param>
</filter>

<!-- cas 2.0 validator -->
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://halfback.cnaf.infn.it:9494/casshib/shib/101</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://halfback.cnaf.infn.it:9494</param-value>
  </init-param>
</filter>

Thanks for your support,
Marco B




John Mitchell

Apr 20, 2011, 1:58:29 PM
to cas...@googlegroups.com
Marco,

The passcode is used in the ticket validation URL that the browser
is redirected to from the service provider. In your case it would look
something like this:

https://halfback.cnaf.infn.it:9494/casshib/shib/101/serviceValidate

Is this how you are using the passcode? Also, I used five-digit
passcodes; not sure if there is some minimum number of digits. I am
new to CAS and how it works in its guts.

Also, I do not think I changed web.xml at all in the casshib distribution.
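The two replies above describe a pairing that has to hold across files: every application is registered in casshib-service-registrations.xml with an allowed URL, an appname and a passcode, and the CAS client in the application's web.xml must point its casServerLoginUrl at /casshib/shib/<appname>/login and its casServerUrlPrefix at /casshib/shib/<passcode>, because the passcode is what the ticket validation URL carries. The following consistency checker is an added example written for this thread, not casshib project code. It assumes exactly that URL layout (taken from the messages above), a registration file with <service id appname passcode> elements, and a web.xml in the J2EE namespace; hostnames and passcodes in the embedded samples are constructed placeholders, and the sample web.xml deliberately carries a stale passcode so the mismatch is visible.

```python
"""Cross-check a casshib service registration file against a CAS client web.xml.

Added illustration for this thread (not part of casshib). Assumptions:
  - registration file: <service id="..." appname="..." passcode="..."/> elements
  - casServerLoginUrl  = https://host/casshib/shib/<appname>/login
  - casServerUrlPrefix = https://host/casshib/shib/<passcode>
  - web.xml uses the J2EE default namespace, as in the thread
Hostnames and passcodes below are constructed sample values.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed registration file, shaped like the one posted in the thread.
REGISTRATIONS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<casShibServiceRegistrations>
  <service id="https://sp.example.org:9494/app1/" appname="app1" passcode="10123"/>
  <service id="https://sp.example.org:9494/app2/" appname="app2" passcode="10124"/>
</casShibServiceRegistrations>
"""

# Constructed web.xml fragment for app1; the validation prefix still carries
# the old passcode 101 while app1 is registered with 10123 (a deliberate mismatch).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>https://sp.example.org:9494/casshib/shib/app1/login</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>https://sp.example.org:9494</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://sp.example.org:9494/casshib/shib/101</param-value>
    </init-param>
  </filter>
</web-app>
"""

J2EE = "{http://java.sun.com/xml/ns/j2ee}"


def load_registrations(xml_text):
    """Return {appname: (service_id, passcode)} from the registration file."""
    root = ET.fromstring(xml_text)
    return {s.get("appname"): (s.get("id"), s.get("passcode"))
            for s in root.iter("service")}


def load_init_params(xml_text):
    """Collect every <init-param> name/value pair across all filters in web.xml."""
    root = ET.fromstring(xml_text)
    params = {}
    for p in root.iter(J2EE + "init-param"):
        params[p.findtext(J2EE + "param-name")] = p.findtext(J2EE + "param-value")
    return params


def path_segment_after(url, marker):
    """Return the path segment directly following 'marker' in the URL path, or None."""
    parts = urlparse(url).path.strip("/").split("/")
    try:
        return parts[parts.index(marker) + 1]
    except (ValueError, IndexError):
        return None


def check_client(registrations, params):
    """Return a list of findings; an empty list means the client agrees with the registry."""
    findings = []
    appname = path_segment_after(params.get("casServerLoginUrl", ""), "shib")
    passcode = path_segment_after(params.get("casServerUrlPrefix", ""), "shib")
    if appname not in registrations:
        findings.append(f"login URL names app '{appname}' which is not registered")
        return findings
    service_id, expected = registrations[appname]
    if passcode != expected:
        findings.append(f"casServerUrlPrefix carries passcode '{passcode}' "
                        f"but '{appname}' is registered with '{expected}'")
    # The registered id is the service URL the CAS server will accept; the
    # application must live under it on the same scheme, host and port.
    server_name = params.get("serverName", "")
    if not service_id.startswith(server_name.rstrip("/") + "/"):
        findings.append(f"registered id '{service_id}' is not under serverName '{server_name}'")
    return findings


if __name__ == "__main__":
    regs = load_registrations(REGISTRATIONS_XML)
    for finding in check_client(regs, load_init_params(WEB_XML)) or ["OK"]:
        print(finding)
```

Run against real files by replacing the two embedded strings with the contents of the registration file and the application's web.xml; each finding names the parameter that disagrees, which is the quickest way to localise an "Application Not Authorized" or "passcode provided is invalid" response. The passcode is a shared secret that appears in a URL, so treat the registration file like any other credential store when deciding who can read it.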

marco.bencivenni

Apr 22, 2011, 6:53:33 AM
to casshib
Dear John,

We have tried to follow your suggestion, choosing a five-digit passcode;
the results are these:

if I try to click https://halfback.cnaf.infn.it:9494/casshib/shib/10123/serviceValidate
the error in the browser is:
CAS is Unavailable There was an error trying to complete your request.
and the error in the log is:
<Attempting to handle [org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing edu.ucmerced.cas.web.flow.CasShibInitialFlowSetupAction@326cbecf in state 'null' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause [org.jasig.cas.services.UnauthorizedServiceException: The passcode provided is invalid.]>


if I try to click https://halfback.cnaf.infn.it:9494/app1
the error in the browser is:
Authentication Error The system wasn't able to properly detect your
authentication credentials.
and the error in the log is:
[org.springframework.webflow.execution.ActionExecutor] - <Finished executing edu.ucmerced.cas.adaptors.casshib.web.flow.PrincipalFromHttpHeadersNonInteractiveCredentialsAction@530ce397; result = error>
2011-04-22 11:02:16,985 DEBUG [org.springframework.webflow.execution.AnnotatedAction] - <Clearing action execution attributes map[[empty]]>
2011-04-22 11:02:16,985 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@6b1af7bb expression = principalFromRemoteAction, resultExposer = [null]]; result = error>
2011-04-22 11:02:16,985 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@377e4cec on = error, to = casShibAuthErrorView]>

Sincerely, we don't know how to solve these problems, because we followed
the casshib documentation step by step but we continue to have
problems.
We hope that someone can provide a solution to this problem, because
we'd like to use this configuration in production for an important
project.

Best regards,
Marco B
