Issues attempting to use proxy ticket authorization

Skip to first unread message

Kris Siegel

Mar 15, 2013, 10:02:21 PM3/15/13
Hey All,

I'm kinda at a loss at the moment with my issues. I'm not sure how well this forum is monitored but I'm hoping someone can help me.

First, here's my setup:

- Multiple web applications of varying types are deployed onto one Tomcat server (some written in jruby, some in grails, some in pure Java with servlets, etc).
- This server has CAS 3.3.1 running on it (if you're curious it's essentially the same as the following package:; it's a bundle of a web application and cas).
- Our jruby 1.7.1 application running on rails 3.2.11 needs to talk to a pure Java servlet based application's rest services which is protected by cas.
- There is already another java web application that talks to two other java web applications through cas proxy tickets so everything should be setup correctly (though as far as I know no one really uses it with the service we're hitting).
- We're currently using rubycas-client gem, the latest version.

What I'm trying to do is make rest calls from a Java backend where we essentially will have to pass back the proxy service and ticket since the jruby web application is handling all of the cas related stuff.

Now so far everything appears to be setup so that our session is running on ActiveRecord using a sqlite database, we can authenticate just fine with cas and cas even calls our /cas_proxy_callback/receive_pgt method. Here's where I'm running into issues.

pgt is always nil. Looking at the cas logs in debug mode I always get
2013-03-15 21:39:28,934 EDT [http-bio-8443-exec-4] INFO [org.jasig.cas.authentication.AuthenticationManagerImpl]: AuthenticationHandler: failed to authenticate the user which provided the following credentials: [callbackUrl: https://myserver/myapp/cas_proxy_callback/receive_pgt]
2013-03-15 21:39:28,936 EDT [http-bio-8443-exec-4] ERROR[org.jasig.cas.web.ServiceValidateController]: TicketException generating ticket for: [callbackUrl: https://myserver/myapp/cas_proxy_callback/receive_pgt]
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad

I monkey patched the gemo to display the parameters coming into the receive_pgt action in the cas_proxy_callback controller but it gets hit successfully it just doesn't contain anything.

We've been struggling with this for a while so ANY assistance will be HUGELY appreciated.



Matt Zukowski

Mar 18, 2013, 1:15:20 PM3/18/13
to RubyCAS
Maybe some sort of incompatibility between how your client expects the cas callback to receive/deliver the PGT IOU? There have been some changes in the protocol on the java side lately, and unfortunately the Ruby libraries haven't always kept up with this.

The way it is right now, the Ruby client expects the receive_pgt request to have 'pgt' and 'pgtId' parameters. Make sure that the client is sending these.


You received this message because you are subscribed to the Google Groups "RubyCAS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To post to this group, send email to
Visit this group at
For more options, visit

Kris Siegel

Mar 18, 2013, 11:33:21 PM3/18/13
Hey Matt,

I was actually able to solve my issue! So there were two things I had to change.

1. I had to enable threadsafe!. I was somewhat confused with the limitations on rails and concurrency but jRuby doesn't have the same issue. This made the authentication error with CAS go away.

2. I was never receiving the PGT IOU and after debugging I actually made a change to RubyCAS to resolve my issue.  I submitted a pull request for my change and it looks like someone else took it and tweaked it a little to better support backwards compatibility. You can take a look here:

I was very confused looking at the documentation as it looked like I needed rubycas-client-rails in order to work under rails 3 but everything failed badly when I used it in the documented fashion but rubycas-client by itself, other than my tweak, worked perfectly all under rails 3. The documentation seems to portray this backwards. This very well could simply be my poor understanding of RubyCAS.
Reply all
Reply to author
0 new messages