pac4j with proxy ticket


zoi.l...@gmail.com

Dec 8, 2014, 2:38:51 AM
to pac4j...@googlegroups.com
Hi!
I'm new to pac4j and am having some trouble with proxy tickets.
I have 2 applications: the first one is the Web Client and the other is the Web Service. Users should log in from the Web Client and not from the Web Service directly. So the Web Client needs to call CAS to get a proxy ticket for my Web Service.

I have already defined the new callback URL for the proxy and declared the CasProxyReceptor.
Here is my Global setup.

        final String baseUrl = Play.application().configuration().getString("baseUrl");
        final String casUrl = Play.application().configuration().getString("casUrl");

        final CasClient casClient = new CasClient();
        casClient.setCasLoginUrl(casUrl);
        casClient.setCasProtocol(CasClient.CasProtocol.CAS20_PROXY);
        casClient.setAcceptAnyProxy(true);

        final CasProxyReceptor casProxyReceptor = new CasProxyReceptor();
        casProxyReceptor.setCallbackUrl("https://localhost:7443/casProxyCallback");
        casClient.setCasProxyReceptor(casProxyReceptor);

        final Clients clients = new Clients(baseUrl + "/casProxyCallback", casClient, casProxyReceptor);
        Config.setClients(clients);

Here is my route file.

GET         /callback                org.pac4j.play.CallbackController.callback()
POST        /callback                org.pac4j.play.CallbackController.callback()
GET         /casProxyCallback        org.pac4j.play.CallbackController.callback()
POST        /casProxyCallback        org.pac4j.play.CallbackController.callback()

And here is my controller.

    @RequiresAuthentication(clientName = "CasClient")
    public static Result index() {
        final CommonProfile profile = getUserProfile();
        final String service = "https://localhost:8443/j_spring_cas_security_check";
        String proxyTicket = null;
        if (profile instanceof CasProxyProfile) {
            final CasProxyProfile proxyProfile = (CasProxyProfile) profile;
            proxyTicket = proxyProfile.getProxyTicketFor(service);
            Logger.debug(proxyTicket);
        }
        String proxyResponse = service+"?ticket=" + proxyTicket;
        WSRequestHolder holder = WS.url(proxyResponse);
        Promise<WSResponse> responsePromise = holder.get();
        return ok(views.html.index.render("Your new application is ready.",proxyResponse));
    }

I can get the proxyTicket, but I've got an error that says I'm missing the proxy granting ticket.
[error] o.p.c.c.CasProxyReceptor - Missing proxyGrantingTicket or proxyGrantingTicketIou

What should I do about that error? Am I still missing some configuration here?

Thanks in advance for any help!

Regards,
Lynn

Jérôme LELEU

Dec 8, 2014, 6:26:42 AM
to zoi.l...@gmail.com, pac4j...@googlegroups.com
Hi,

Proxy stuff may be tricky, especially within the same web application.

At first sight, you define your CAS client and CAS proxy client both on the same url: the proxy callback url. The CAS client should be defined on /callback url.

You can do that by explicitly setting this for the CAS client: casClient.setCallbackUrl(baseUrl + "/callback") before creating the clients configuration.

Thanks.
Best regards,

Jérôme LELEU
Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org

--
You received this message because you are subscribed to the Google Groups "pac4j-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

zoi.l...@gmail.com

Dec 8, 2014, 9:52:58 PM
to pac4j...@googlegroups.com
Thanks for the reply!

I've already added the callback URL for the CAS client, just as you said.
     casClient.setCallbackUrl(baseUrl + "/callback");

But I still get the same error that says I'm missing the proxy granting ticket.
It appears that the proxy ticket that I've got is invalid.

And I also have a question. When I create the client, do I have to use the callback URL or the proxy callback URL?
      final Clients clients = new Clients(baseUrl + "/casProxyCallback", casClient, casProxyReceptor);
      Config.setClients(clients);

Regards,

Lynn

Jérôme LELEU

Dec 9, 2014, 8:11:28 AM
to zoi.l...@gmail.com, pac4j...@googlegroups.com
Hi,

You need to set this url before creating the Clients object.

I think you need to enable logs and post them to see what's going on.

The callback url is the url called by the identity provider to finish the authentication process, that's the way it works for OAuth, CAS, OpenID, SAML...

For CAS proxy, a second url is necessary (even if it could be the same) to get additional information for proxyfication.

Best regards,

Jérôme LELEU
Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org

zoi.l...@gmail.com

Dec 10, 2014, 1:49:35 AM
to pac4j...@googlegroups.com
Hi! Thanks for the info.

Yes, I set the url before creating the Client object.
This is my Global setting for my Web Client.

        final CasClient casClient = new CasClient();
        casClient.setLogoutHandler(new PlayLogoutHandler());
        casClient.setCasProtocol(CasClient.CasProtocol.CAS20_PROXY);
        casClient.setCallbackUrl(baseUrl + "/callback");

        final CasProxyReceptor casProxyReceptor = new CasProxyReceptor();
        casProxyReceptor.setCallbackUrl(baseUrl + "/casProxyCallback");
        casClient.setCasProxyReceptor(casProxyReceptor);

        casClient.setCasLoginUrl(casUrl);

        final Clients clients = new Clients(baseUrl + "/casProxyCallback", casClient, casProxyReceptor);
        Config.setClients(clients);

The only error in my console says:
[error] o.p.c.c.CasProxyReceptor - Missing proxyGrantingTicket or proxyGrantingTicketIou

When I look at the pac4j log, it says:
[DEBUG] - from org.pac4j.play.CallbackController in play-akka.actor.default-dispatcher-5 
client : <CasClient> | callbackUrl: https://localhost:7443/callback?client_name=CasClient | casLoginUrl: https://localhost:9443/cas/login | casPrefixUrl: https://localhost:9443/cas/ | casProtocol: CAS20_PROXY | renew: false | gateway: false | logoutHandler: org.pac4j.play.PlayLogoutHandler@4dd207a2 | acceptAnyProxy: false | allowedProxyChains: [] | casProxyReceptor: <CasProxyReceptor> | callbackUrl: https://localhost:7443/casProxyCallback?client_name=CasProxyReceptor | proxyGrantingTicketStorage: org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl@17f34498 | millisBetweenCleanUps: 60000 | |

[DEBUG] - from org.pac4j.play.PlayLogoutHandler in play-akka.actor.default-dispatcher-5 

[DEBUG] - from org.pac4j.play.PlayLogoutHandler in play-akka.actor.default-dispatcher-5 
save sessionId : 8224982f-dcf0-4adb-9897-d19ae5e0f950

[DEBUG] - from org.pac4j.cas.client.CasClient in play-akka.actor.default-dispatcher-5 
casCredentials : <CasCredentials> | serviceTicket: ST-43-wkcXVSHcJl3dDcewUdbi-cas01.example.org | clientName: CasClient |

[DEBUG] - from org.pac4j.play.CallbackController in play-akka.actor.default-dispatcher-5 
credentials : <CasCredentials> | serviceTicket: ST-43-wkcXVSHcJl3dDcewUdbi-cas01.example.org | clientName: CasClient |

[DEBUG] - from org.pac4j.core.client.BaseClient in play-akka.actor.default-dispatcher-5 
credentials : <CasCredentials> | serviceTicket: ST-43-wkcXVSHcJl3dDcewUdbi-cas01.example.org | clientName: CasClient |

[DEBUG] - from org.pac4j.play.CallbackController in play-akka.actor.default-dispatcher-6 
client : <CasProxyReceptor> | callbackUrl: https://localhost:7443/casProxyCallback?client_name=CasProxyReceptor | proxyGrantingTicketStorage: org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl@17f34498 | millisBetweenCleanUps: 60000 |

[DEBUG] - from org.pac4j.cas.client.CasProxyReceptor in play-akka.actor.default-dispatcher-9 
proxyGrantingTicketIou : null

[DEBUG] - from org.pac4j.cas.client.CasProxyReceptor in play-akka.actor.default-dispatcher-9 
proxyGrantingTicket : null

[ERROR] - from org.pac4j.cas.client.CasProxyReceptor in play-akka.actor.default-dispatcher-9 
Missing proxyGrantingTicket or proxyGrantingTicketIou


It didn't create the proxy granting ticket or the proxy granting ticket IOU.


Regards,

Lynn

Jérôme LELEU

Dec 10, 2014, 11:11:43 AM
to zoi.l...@gmail.com, pac4j...@googlegroups.com
Hi,

OK. So you don't get a pgtIou, nor a pgtId. Strange. Do you have the access logs to your applications? To see the proxy callback url you receive.

Thanks.
Best regards,


Jérôme LELEU
Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org
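
Added example (not part of the thread and not pac4j code): one way to answer the access-log question in the last reply, by checking whether each request that reaches the proxy callback route carries pgtId and pgtIou. The Common Log Format layout and the sample lines are assumptions constructed for illustration; only the route name comes from the thread.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Common Log Format (not taken from the thread).
SAMPLE_LOG = """\
127.0.0.1 - - [10/Dec/2014:01:40:01 +0000] "GET /callback?client_name=CasClient&ticket=ST-1-constructed HTTP/1.1" 303 0
127.0.0.1 - - [10/Dec/2014:01:40:02 +0000] "GET /casProxyCallback?client_name=CasProxyReceptor HTTP/1.1" 200 0
127.0.0.1 - - [10/Dec/2014:01:40:03 +0000] "GET /casProxyCallback?client_name=CasProxyReceptor&pgtIou=PGTIOU-1-constructed&pgtId=PGT-1-constructed HTTP/1.1" 200 0
"""

REQUEST_RE = re.compile(
    r'\[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
PROXY_CALLBACK_PATH = "/casProxyCallback"  # route name used in the thread
REQUIRED = ("pgtId", "pgtIou")             # the two values the receptor logged as null


def redact(value):
    """Keep a short prefix for correlation without writing the ticket to a report."""
    return value[:8] + "...<redacted>" if value else None


def audit_proxy_callbacks(log_text, path=PROXY_CALLBACK_PATH):
    """Return one finding per request to the proxy callback path."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m.group("target"))
        if url.path != path:
            continue
        params = parse_qs(url.query)  # blank values are dropped, so "pgtId=" counts as missing
        findings.append({
            "time": m.group("time"),
            "status": int(m.group("status")),
            "missing": [name for name in REQUIRED if not params.get(name)],
            "pgtIou": redact(params.get("pgtIou", [None])[0]),
            "pgtId": redact(params.get("pgtId", [None])[0]),
        })
    return findings


if __name__ == "__main__":
    for f in audit_proxy_callbacks(SAMPLE_LOG):
        verdict = "complete" if not f["missing"] else "missing " + ", ".join(f["missing"])
        print(f["time"], f["status"], verdict, f["pgtIou"], f["pgtId"])
```

A proxy granting ticket lets its holder request proxy tickets, so the report redacts it; the same care applies to the raw access log, which holds the full value in the query string.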
