CAS Client 3.1 Spring configuration and PGT

by Mathieu ROUSSELLE

Hello,

I have configured the CAS Client with Spring configuration to use a Cas20ProxyReceivingTicketValidationFilter.

  <bean name="casValidationFilter"
        class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter">
    <property name="proxyReceptorUrl" value="/proxy/receptor"/>
    <property name="serverName" value="${cas.client.serverName}" />
    <property name="redirectAfterValidation" value="true"/>
    <property name="ticketValidator">
      <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
        <constructor-arg index="0" value="${cas.server.url}" />
        <property name="proxyCallbackUrl" value="https://myservice:8443/mycontext/proxy/receptor"/>
      </bean>
    </property>
  </bean>

I make a subsequent call to Principal.GetProxyTicket(ServiceUrl) to proxy authenticate to another service and I get a null return: No ProxyGrantingTicket was supplied, so no Proxy Ticket can be retrieved.

I have done some debugging and found that the proxyGrantingTicketStorage of the filter is not passed to the ServiceTicketValidator. That is why the PGTIOU sent back by the CAS server on ST validation does not correspond to any PGT.

Did I make a configuration mistake?

I have included the log, which shows that the PGT is sent by the CAS server:

26/06/08 11:54:50.750 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.authentication.AuthenticationFilter.doFilter():93]  - Constructed service url: http://radiomee.vmmario3.rennes.niji:8080/camcas/gateway/gateway.jsp;jsessionid=DC60F272E9B8A8BAC30C07B345DF621C
26/06/08 11:54:50.750 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.authentication.AuthenticationFilter.doFilter():99]  - redirecting to "https://vmmario3.rennes.niji:8443/cas/login?service=http%3A%2F%2Fmyservice%3A8080%2Fmycontext%2Fgateway%2Fgateway.jsp%3Bjsessionid%3DDC60F272E9B8A8BAC30C07B345DF621C&gateway=true"
26/06/08 11:54:51.890 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.authentication.AuthenticationFilter.doFilter():107]  - removing gateway attribute from session
26/06/08 11:54:53.281 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.authentication.AuthenticationFilter.doFilter():84]  - no ticket and no assertion found
26/06/08 11:54:53.281 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.util.CommonUtils.constructServiceUrl():234]  - serviceUrl generated: http://myservice:8080/mycontext/protected/secured.jsp
26/06/08 11:54:53.281 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.authentication.AuthenticationFilter.doFilter():93]  - Constructed service url: http://myservice:8080/mycontext/protected/secured.jsp
26/06/08 11:54:53.281 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.authentication.AuthenticationFilter.doFilter():99]  - redirecting to "https://vmmario3.rennes.niji:8443/cas/login?service=http%3A%2F%2Fmyservice%3A8080%2Fmycontext%2Fprotected%2Fsecured.jsp"
26/06/08 11:54:59.015 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.authentication.AuthenticationFilter.doFilter():107]  - removing gateway attribute from session
26/06/08 11:54:59.031 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter():128]  - Attempting to validate ticket: ST-22-mzbwF9YhWaMzGFdhcq1F-cas
26/06/08 11:54:59.031 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.util.CommonUtils.constructServiceUrl():209]  - serviceUrl generated: http://myservice:8080/mycontext/protected/secured.jsp
26/06/08 11:54:59.031 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.constructValidationUrl():86]  - Placing URL parameters in map.
26/06/08 11:54:59.031 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.constructValidationUrl():94]  - Calling template URL attribute map.
26/06/08 11:54:59.031 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.constructValidationUrl():97]  - Loading custom parameters from configuration.
26/06/08 11:54:59.031 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate():173]  - Constructing validation url: https://vmmario3.rennes.niji:8443/cas/serviceValidate?pgtUrl=https%3A%2F%2Fmyservice%3A8443%2Fmycontext%2Fproxy%2Freceptor&ticket=ST-22-mzbwF9YhWaMzGFdhcq1F-cas&service=http%3A%2F%2Fmyservice%3A8080%2Fmycontext%2Fprotected%2Fsecured.jsp
26/06/08 11:54:59.031 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate():177]  - Retrieving response from server.
26/06/08 11:54:59.265 |DEBUG | [http-8443-Processor25] [org.jasig.cas.client.util.CommonUtils.readAndRespondToProxyReceptorRequest():164]  - Received proxyGrantingTicketId [TGT-37-jqWBBQo759vGWKSVaqq4TEqRkSyiVG9RTyw5shvoAHGFkgQsID-cas] for proxyGrantingTicketIou [PGTIOU-17-tqCUkGUWq0BpQiud3Xo0-cas]
26/06/08 11:54:59.281 |DEBUG | [http-8443-Processor25] [org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl.save():89]  - Saving ProxyGrantingTicketIOU and ProxyGrantingTicket combo: [PGTIOU-17-tqCUkGUWq0BpQiud3Xo0-cas, TGT-37-jqWBBQo759vGWKSVaqq4TEqRkSyiVG9RTyw5shvoAHGFkgQsID-cas]
26/06/08 11:54:59.281 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate():185]  - Server response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
                <cas:authenticationSuccess>
                               <cas:user>toto</cas:user>
                               <cas:proxyGrantingTicket>PGTIOU-17-tqCUkGUWq0BpQiud3Xo0-cas</cas:proxyGrantingTicket>
                </cas:authenticationSuccess>
</cas:serviceResponse>
26/06/08 11:54:59.296 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter():137]  - Successfully authenticated user: toto
26/06/08 11:54:59.296 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter():160]  - Redirecting after successful ticket validation.
26/06/08 11:54:59.296 |DEBUG | [http-8080-Processor25] [org.jasig.cas.client.util.CommonUtils.constructServiceUrl():209]  - serviceUrl generated: http://myservice:8080/mycontext/protected/secured.jsp

Mathieu Rousselle


_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

Re: CAS Client 3.1 Spring configuration and PGT

by Andrew Feller-2

Mathieu,

On comparing your config against the wiki article for JA-SIG CAS 3.1 ( http://www.ja-sig.org/wiki/display/CASC/Configuring+the+JA-SIG+CAS+Client+for+Java+using+Spring), the only discrepancy I find is that you declared the serverName property vs the service property on the Cas20ProxyReceivingTicketValidationFilter.  Hrmmm, in your config you are using the Cas20ServiceTicketValidator.  Have you configured the CAS client on the service that should accept proxy tickets with the Cas20ProxyTicketValidator?



RE: CAS Client 3.1 Spring configuration and PGT

by Mathieu ROUSSELLE

Andrew,

Thank you for your answer. Setting the service property instead of serverName did not resolve my issue, but I have found a solution. I have declared a proxyGrantingTicketStorage and passed its reference to the Filter and the Validator and it works.

I don't have to use CAS20ProxyTicketValidator because the service I want to proxy authenticate uses the pam_cas mechanism.

The above listing contains the working configuration:

  <!-- PGT Storage shared instance -->
  <bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>

  <!-- Validation Filter Bean -->
  <bean id="casValidationFilter"
        class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter">
    <property name="proxyReceptorUrl" value="/proxy/receptor"/>
    <property name="serverName" value="${cas.client.serverName}" />
    <property name="redirectAfterValidation" value="true"/>
    <!-- PGT Storage shared instance -->
    <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
    <property name="ticketValidator">
      <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
        <constructor-arg index="0" value="${cas.server.url}" />
        <property name="proxyCallbackUrl" value="https://myservice:8443/mycontext/proxy/receptor"/>
        <!-- PGT Storage shared instance -->
        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
      </bean>
    </property>
  </bean>

Mathieu
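
The wiring problem and its fix, as an added example that is not part of the original post or of the CAS client code: a plain-Java model in which PgtStore, ReceivingFilter and TicketValidator are hypothetical stand-ins for the storage, filter and validator beans, and the ticket strings are constructed. It assumes the validator has no storage unless one is injected.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class PgtStorageWiringDemo {

    /** Hypothetical stand-in for the PGT storage bean: maps PGTIOU to PGT. */
    static final class PgtStore {
        private final Map<String, String> pgtByIou = new ConcurrentHashMap<>();

        void save(String pgtIou, String pgt) {
            pgtByIou.put(pgtIou, pgt);
        }

        /** In this model the entry is removed once correlated, so an IOU resolves only once. */
        String retrieve(String pgtIou) {
            return pgtIou == null ? null : pgtByIou.remove(pgtIou);
        }
    }

    /** Hypothetical stand-in for the filter: handles the proxy callback on the receptor URL. */
    static final class ReceivingFilter {
        private PgtStore store = new PgtStore(); // private default when nothing is injected

        void setStore(PgtStore store) {
            this.store = store;
        }

        /** The CAS server delivers the PGTIOU/PGT pair out of band to the callback URL. */
        void onProxyCallback(String pgtIou, String pgt) {
            store.save(pgtIou, pgt);
        }
    }

    /** Hypothetical stand-in for the validator: sees only the PGTIOU in the validation response. */
    static final class TicketValidator {
        private PgtStore store; // assumption: stays null unless configuration injects one

        void setStore(PgtStore store) {
            this.store = store;
        }

        String resolvePgt(String pgtIouFromResponse) {
            return store == null ? null : store.retrieve(pgtIouFromResponse);
        }
    }

    /** Replays the order seen in the log: callback saves the pair, then validation resolves the IOU. */
    static String login(ReceivingFilter filter, TicketValidator validator) {
        String pgtIou = "PGTIOU-1-constructed"; // constructed sample values
        String pgt = "PGT-1-constructed";
        filter.onProxyCallback(pgtIou, pgt);
        return validator.resolvePgt(pgtIou);
    }

    public static void main(String[] args) {
        // Case 1: the first configuration in the thread. Nothing gives the validator a store.
        System.out.println("validator not wired: "
                + login(new ReceivingFilter(), new TicketValidator()));

        // Case 2: both beans have a store, but not the same instance.
        ReceivingFilter separateFilter = new ReceivingFilter();
        TicketValidator separateValidator = new TicketValidator();
        separateFilter.setStore(new PgtStore());
        separateValidator.setStore(new PgtStore());
        System.out.println("separate stores:     "
                + login(separateFilter, separateValidator));

        // Case 3: the working configuration. One shared instance referenced by both beans.
        PgtStore shared = new PgtStore();
        ReceivingFilter sharedFilter = new ReceivingFilter();
        TicketValidator sharedValidator = new TicketValidator();
        sharedFilter.setStore(shared);
        sharedValidator.setStore(shared);
        System.out.println("shared store:        "
                + login(sharedFilter, sharedValidator));
    }
}
```

Only the shared-instance case returns a PGT; in the other two the callback succeeds and validation still authenticates the user, which matches the log above, but no proxy ticket can be requested afterwards.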

 


Re: CAS Client 3.1 Spring configuration and PGT

by scott_battaglia

Mathieu,

It looks like you've solved your problem but just to clarify.  When using the filter in the web.xml, the filter itself does a lot of the self-configuration (since the web.xml is not a fun place to try and configure stuff).  When using the Spring configuration we leave a lot of the dependency injection to either you to configure or to use the Spring auto-configuration stuff.

The web.xml is designed for ultimate automation and the Spring method is for ultimate control ;-)

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
