Discussion:
Redirection failed on successful CAS authentication
k2g
2007-02-20 23:24:04 UTC
The service app was built using WebWork, Spring, Hibernate ....

I am using Acegi Security 1.0.3 and JA-SIG CAS 3.0.4 server

In the service app, the redirection to the CAS login page works when I type in
the service app URL. I am authenticated successfully by the CAS server login
(see the log below) and am also granted a service ticket. But after that I am
redirected to casfailed.jsp in the service app, and I get the error shown below.


log:
INFO [http-8443-Processor25]
AuthenticationManagerImpl.authenticate(88) | AuthenticationHandler:
org.acegisecurity.adapters.cas3.CasAuthenticationHandler successfully
authenticated the user.
INFO [http-8443-Processor25]
CentralAuthenticationServiceImpl.grantServiceTicket(167) | Granted
service ticket [ST-2-dddSXAi3Rv6yBNlQYNFCIrClYZ5OdkJJoFb-20] for
service [https://localhost:8443/myapp/j_acegi_cas_security_check] for
user [admin]
WARN [http-8443-Processor24] LoggerListener.onApplicationEvent(55) |
Authentication event AuthenticationFailureServiceExceptionEvent:
_cas_stateful_; details:
***@ffffc434:
RemoteIpAddress: 10.22.2.148; SessionId: null; exception:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
ERROR [http-8443-Processor25] [jsp].invoke(253) | Servlet.service()
for servlet jsp threw exception
org.apache.jasper.JasperException: The absolute uri:
http://java.sun.com/jstl/core cannot be resolved in either web.xml or
the jar files deployed with this application at
org.apache.jasper.compiler.DefaultErrorHandler.jsp

A couple of observations from the log:

1. In the browser the following error was thrown (after successful
authentication from CAS):

While processing request " /casfailed.jsp ", the application
encountered the following internal error condition:
org.apache.jasper.JasperException: The absolute uri:
http://java.sun.com/jstl/core cannot be resolved in either web.xml or
the jar files deployed with this application


My applicationContext.xml definition for the authentication failure URL:

<bean id="casProcessingFilter"
class="org.acegisecurity.ui.cas.CasProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationFailureUrl" value="/casfailed.jsp"/>
<property name="defaultTargetUrl" value="/"/>
<property name="filterProcessesUrl"
value="/j_acegi_cas_security_check"/>
</bean>


In web.xml I have the following definition for casfailed.jsp (it's
necessary to declare an error-page as I am using WebWork):
<error-page>
<error-code>404</error-code>
<location>/casfailed.jsp</location>
</error-page>

Looks like I goofed up the error-page declaration.
==============================
2. SSL issue warning

With regard to the warning, I learned from here,
http://www.ja-sig.org/products/cas/server/ssl/index.html
that it's because the hostname is not specified while configuring the certs.

Well, I was able to execute every command listed at the link except
the last two:
%JAVA_HOME%\bin\keytool -import -file server.crt -keypass mypass
-keystore %JAVA_HOME%/jre/lib/security/cacerts

%JAVA_HOME%\bin\keytool -import -file server.crt -keypass mypass

I was always getting the keytool usage help returned in the command prompt
(also tried a backslash \ in the path). Using Java 1.5.0_09 on Windows XP.


Thanks.
Scott Battaglia
2007-02-21 03:29:58 UTC
It looks like your certificate is not in your JVM cacerts file. This should
add it to your cacerts file:

%JAVA_HOME%\bin\keytool -import -file server.crt -keypass changeit
-keystore %JAVA_HOME%/jre/lib/security/cacerts

replacing server.crt with the actual file holding your certificate.

-Scott
_______________________________________________
Yale CAS mailing list
http://tp.its.yale.edu/mailman/listinfo/cas
k2g
2007-02-21 16:13:08 UTC
Same certificate validation error after successful keystore creation
and import into cacerts.


C:\>C:\"Program Files"\Java\jdk1.5.0_11\bin\keytool -genkey -alias tomcat -keyal
g RSA -validity 365
Enter keystore password: changeit
What is your first and last name?
[Unknown]: IT-2208 IT-2208
What is the name of your organizational unit?
[Unknown]: talkerman
What is the name of your organization?
[Unknown]: talkerman
What is the name of your City or Locality?
[Unknown]: hills
What is the name of your State or Province?
[Unknown]: {A
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=IT-2208 IT-2208, OU=talkerman, O=talkerman, L=hills, ST={A, C=US correct?
[no]: y

Enter key password for <tomcat>
(RETURN if same as keystore password):

C:\>C:\"Program Files"\Java\jdk1.5.0_11\bin\keytool -export -alias tomcat -file
server.crt
Enter keystore password: changeit
Certificate stored in file <server.crt>

C:\>C:\"Program Files"\Java\jdk1.5.0_11\bin\keytool -import -file server.crt -ke
ystore C:/"Program Files"/Java/jdk1.5.0_11/jre/lib/security/cacerts
Enter keystore password: changeit
Owner: CN=IT-2208 IT-2208, OU=talkerman, O=talkerman, L=hills, ST={A, C=US
Issuer: CN=IT-2208 IT-2208, OU=talkerman, O=talkerman, L=hills, ST={A, C=US
Serial number: 45dc6729
Valid from: Wed Feb 21 10:37:13 EST 2007 until: Thu Feb 21 10:37:13 EST 2008
Certificate fingerprints:
MD5: 4F:7D:A0:F3:18:3B:6A:74:41:85:65:05:CD:0F:AF:AE
SHA1: AD:5B:61:62:0C:D5:32:00:91:03:20:1A:77:4D:C2:AB:B2:7D:94:35
Trust this certificate? [no]: y
Certificate was added to keystore
==============================================================================================

After this I changed the application-Security.xml
casAuthenticationProvider bean key value to

<property name="key" value="changeit"/>

then

The Tomcat connector config (in server.xml) is now

<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" keystoreFile="C:\Documents and
Settings\myname\.keystore" keystorePass="changeit" sslProtocol="TLS"
/>



Deployed and started Tomcat.

This is the log:

INFO [http-8443-Processor24]
AuthenticationManagerImpl.authenticate(88) | AuthenticationHandler:
org.acegisecurity.adapters.cas3.CasAuthenticationHandler successfully
authenticated the user.
INFO [http-8443-Processor24]
CentralAuthenticationServiceImpl.grantServiceTicket(167) | Granted
service ticket [ST-2-XJguyqMPCmiTVlUJ6tNbQMcYzFX6bKXWvew-20] for
service [https://IT-2208:8443/myapp/j_acegi_cas_security_check] for
user [admin]
WARN [http-8443-Processor23] LoggerListener.onApplicationEvent(55) |
Authentication event AuthenticationFailureServiceExceptionEvent:
_cas_stateful_; details:
***@ffffc434:
RemoteIpAddress: 10.22.2.148; SessionId: null; exception:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
Scott Battaglia
2007-02-21 16:26:22 UTC
Your CN should be the same name as your server. So IT-2208, not IT-2208 IT-2208.

-Scott
k2g
2007-02-21 17:50:33 UTC
Same error again after making changes in the first and last name field.

C:\>C:\"Program Files"\Java\jdk1.5.0_11\bin\keytool -genkey -alias tomcat -keyal
g RSA -validity 365
Enter keystore password: changeit
What is your first and last name?
[Unknown]: IT-2208
What is the name of your organizational unit?
[Unknown]: talkerman
What is the name of your organization?
[Unknown]: talkerman
What is the name of your City or Locality?
[Unknown]: hills
What is the name of your State or Province?
[Unknown]: {A
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=IT-2208, OU=talkerman, O=talkerman, L=hills, ST={A, C=US correct?
[no]: y

Enter key password for <tomcat>
(RETURN if same as keystore password):

C:\>C:\"Program Files"\Java\jdk1.5.0_11\bin\keytool -export -alias tomcat -file
serv.crt
Enter keystore password: changeit
Certificate stored in file <serv.crt>

C:\>C:\"Program Files"\Java\jdk1.5.0_11\bin\keytool -import -file serv.crt -keys
tore C:/"Program Files"/Java/jdk1.5.0_11/jre/lib/security/cacerts
Enter keystore password: changeit
Owner: CN=IT-2208, OU=talkerman, O=talkerman, L=hills, ST={A, C=US
Issuer: CN=IT-2208, OU=talkerman, O=talkerman, L=hills, ST={A, C=US
Serial number: 45dc8222
Valid from: Wed Feb 21 12:32:18 EST 2007 until: Thu Feb 21 12:32:18 EST 2008
Certificate fingerprints:
MD5: 23:11:5E:B2:87:21:67:10:A7:2F:82:1A:A9:84:8F:67
SHA1: AD:75:25:E6:6A:B0:08:C2:2C:10:F1:AD:72:65:76:73:BA:E5:91:79
Trust this certificate? [no]: y
Certificate was added to keystore


--->

Redeployed the apps in the webapps directory of Tomcat and started Tomcat.

INFO [http-8443-Processor24]
AuthenticationManagerImpl.authenticate(88) | AuthenticationHandler:
org.acegisecurity.adapters.cas3.CasAuthenticationHandler successfully
authenticated the user.
INFO [http-8443-Processor24]
CentralAuthenticationServiceImpl.grantServiceTicket(167) | Granted
service ticket [ST-2-YhQhZzJSd3r7dLAc5s9VdbC0lSg7K3Elg0C-20] for
service [https://IT-2208:8443/myapp/j_acegi_cas_security_check] for
user [admin]
WARN [http-8443-Processor25] LoggerListener.onApplicationEvent(55) |
Authentication event AuthenticationFailureServiceExceptionEvent:
_cas_stateful_; details:
***@3bcc: RemoteIpAddress:
10.22.2.148; SessionId: E09988C8D30EAAF56028B32EE08CAC07; exception:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
Scott Battaglia
2007-02-21 18:14:24 UTC
Can you confirm that you are adding it to the correct JVM cacerts file (if
you have multiple JVMs)?

Thanks
-Scott
k2g
2007-02-21 18:54:21 UTC
Only JVM 1.5.0_11 is installed.

Also tried adding truststoreFile and truststorePass to server.xml, but
same error again:


<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" keystoreFile="C:\Documents and
Settings\myname\.keystore" keystorePass="changeit"
truststoreFile="C:\Program
Files\Java\jdk1.5.0_11\jre\lib\security\cacerts"
truststorePass="changeit" sslProtocol="TLS" />


I am not sure what's happening here.

Is it something like Tomcat couldn't get the truststore?

Thanks.
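An added example, not from the thread and not Acegi's or CAS's own code: a Go program that reproduces the two checks the JVM's HTTPS client performs when one side of the CAS exchange calls the other, which is where the "PKIX path building failed" in the logs comes from. It builds a self-signed certificate in memory (the counterpart of the keytool -genkey step), then validates it against an empty trust store (the certificate never reached the JVM's cacerts, Scott's first point), against a trust store that holds it but for a host name the certificate was not issued for (Scott's CN point; the mismatched host name here is constructed), and against a trust store that holds it for the right host. The host IT-2208 comes from the thread's log; the outcome labels and the organisation name are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Outcomes of checking the peer certificate, each tagged with the Java error it maps to.
const (
	Trusted          = "ok"
	UntrustedIssuer  = "untrusted-issuer"  // "PKIX path building failed" in the thread's log
	HostnameMismatch = "hostname-mismatch" // "No name matching <host> found" in Java
)

// makeSelfSignedCert builds an in-memory self-signed server certificate for host,
// the counterpart of "keytool -genkey -alias tomcat". Unlike keytool in 2007 it also
// puts host in the Subject Alternative Name extension, which is what current
// validators (Go included) match; the CN alone no longer counts. Constructed for this
// example, not a production key.
func makeSelfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host, Organization: []string{"constructed example"}},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// emptyTrustStore stands for a cacerts file without the certificate;
// trustStoreWith stands for cacerts after a successful "keytool -import".
func emptyTrustStore() *x509.CertPool { return x509.NewCertPool() }

func trustStoreWith(cert *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return pool
}

// validateServiceCert does what the JVM's HTTPS client does when the service app
// calls the CAS server (or CAS calls the service back): build a path from the peer
// certificate to a trust anchor in roots, and match the name in the certificate
// against the host in the URL being called.
func validateServiceCert(cert *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var unknown x509.UnknownAuthorityError
	var nameErr x509.HostnameError
	switch {
	case err == nil:
		return Trusted
	case errors.As(err, &unknown):
		return UntrustedIssuer
	case errors.As(err, &nameErr):
		return HostnameMismatch
	default:
		return "other: " + err.Error()
	}
}

func main() {
	cert, err := makeSelfSignedCert("IT-2208")
	if err != nil {
		panic(err)
	}
	// First post of the thread: certificate never imported into the JVM's cacerts.
	fmt.Println("not in cacerts:      ", validateServiceCert(cert, emptyTrustStore(), "IT-2208"))
	// Scott's CN point: imported, but the URL names a host the certificate was not
	// issued for (the second host name is constructed for the example).
	fmt.Println("imported, wrong name:", validateServiceCert(cert, trustStoreWith(cert), "localhost"))
	fmt.Println("imported, right name:", validateServiceCert(cert, trustStoreWith(cert), "IT-2208"))
}
```

Two points for whoever debugs the same symptom: the trust store that matters is the one of the JVM that makes the outbound HTTPS call, so the import has to land in the cacerts of the JDK Tomcat is actually started with (Scott's "correct JVM" question), and the truststoreFile attribute on a Tomcat connector only governs client-certificate checks on that connector, not calls a webapp makes out to another server. keytool's -keypass sets the private-key password; the cacerts store password is supplied with -storepass or at the prompt.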
k2g
2007-02-21 20:19:01 UTC
I have given two scenarios: in the former it's just the ticket
generation, validation and redirection; in the latter it's about SSL
communication.

This is what I understood about SSO using CAS (excluding proxy communication);
please correct me if I am wrong:

1. User requests to contact the Service URL (myapp) through HTTPS (CAS
can't work without HTTPS)

2. The Service creates a Ticket Granting Cookie and attaches a Ticket
Granting Ticket, and the TGC is stored in the user's browser.

3. Then the Service "redirects" the browser to the CAS login page

4. User enters username and password (a login ticket is added to the
POST) and presses the submit button

5. If authentication is successful, CAS appends the Service ticket to
the Service URL (myapp) and "redirects" to the Service (myapp)

6. Now the Service ticket is verified with the Ticket Granting Ticket;
if both are equal then the user is "authorized" to use the Service


The Service ticket is verified with the Ticket Granting Ticket; if this is
correct, where does it happen? I mean, is it on the Service server, the CAS
server or the user's computer (where the TGT is stored in the TGC)?

What happens to the login ticket once it's generated? Does it stay on
the CAS server or the user's machine?


Wherever I have mentioned redirects in the above points, are those
really redirects (i.e., CAS --> browser --> Service), or is it CAS -->
Service?


I think the service ticket will be valid as long as the user uses the
service; it would be invalid if the user navigates to another service or
closes the browser.


I think SSL communication between user / Service / CAS works this way
(again, please correct me if I am wrong):

a. The user contacts the Service, is sent the certificate and accepts it.

b. Now the service redirects to CAS

c. After successful login authentication, CAS requests the public key
from the Service

d. Service sends the public key to CAS

e. CAS checks the Service public key against its own key; if the keys are
equal, it redirects to the Service URL which the user requested in the
beginning.
If it fails it just redirects to an unknown page (as is happening to
me in the posts here).

Does org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler
use the default trust store to authenticate with the service? If so, the
changes I have done should have worked.




Thanks.
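As an added example (not from the thread, and not CAS's or Acegi's own code), here is the CAS 2.0 ticket exchange the questions above are about, played out in Go against an in-process stand-in for the CAS server: the browser is sent to CAS /login with the service URL, CAS issues a service ticket bound to that URL and redirects the browser (CAS --> browser --> Service) back with ?ticket=ST-..., and the service validates the ticket by calling CAS /serviceValidate itself, server to server. The comparison happens on the CAS server against its own ticket registry, the TGC cookie is set by CAS (not by the service) and never contains the TGT, and a service ticket is single-use and bound to one service URL. The login form, the TGC cookie and HTTPS are omitted; the service URL is taken from the thread's log, while the ticket format, user name and in-memory registry are constructed.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
)

// Parts of the CAS 2.0 <cas:serviceResponse> the service needs; Go matches elements on local name.
type serviceResponse struct {
	User    string `xml:"authenticationSuccess>user"`
	Failure string `xml:"authenticationFailure"`
}

// casServer is a constructed stand-in for the CAS ticket registry (login form, TGC cookie and HTTPS omitted).
type casServer struct {
	mu      sync.Mutex
	tickets map[string]string // service ticket -> service URL it was issued for
	count   int
}

// login runs once the user has authenticated at CAS: a service ticket bound to the
// service URL is issued and the browser, not the service, is redirected back with it.
func (c *casServer) login(w http.ResponseWriter, r *http.Request) {
	service := r.URL.Query().Get("service") // assumed to carry no query string of its own
	c.mu.Lock()
	c.count++
	st := fmt.Sprintf("ST-%d-constructed", c.count)
	c.tickets[st] = service
	c.mu.Unlock()
	http.Redirect(w, r, service+"?ticket="+url.QueryEscape(st), http.StatusFound)
}

// serviceValidate is called by the service, server to server: a ticket is accepted
// once and only for the service it was issued to, and the TGT behind it never leaves CAS.
func (c *casServer) serviceValidate(w http.ResponseWriter, r *http.Request) {
	ticket, service := r.URL.Query().Get("ticket"), r.URL.Query().Get("service")
	c.mu.Lock()
	issuedFor, ok := c.tickets[ticket]
	delete(c.tickets, ticket) // single use, whether or not validation succeeds
	c.mu.Unlock()
	body := `<cas:authenticationSuccess><cas:user>admin</cas:user></cas:authenticationSuccess>`
	if !ok || issuedFor != service {
		body = `<cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure>`
	}
	fmt.Fprintf(w, `<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">%s</cas:serviceResponse>`, body)
}

func startCAS() *httptest.Server {
	c := &casServer{tickets: map[string]string{}}
	mux := http.NewServeMux()
	mux.HandleFunc("/login", c.login)
	mux.HandleFunc("/serviceValidate", c.serviceValidate)
	return httptest.NewServer(mux)
}

// validateTicket is the service-side step Acegi's CasProcessingFilter performs at
// /j_acegi_cas_security_check: the service itself calls CAS (over HTTPS in real life,
// the call that fails in the thread) and trusts only the user name CAS returns.
func validateTicket(casURL, serviceURL, ticket string) (string, error) {
	resp, err := http.Get(casURL + "/serviceValidate?service=" + url.QueryEscape(serviceURL) + "&ticket=" + url.QueryEscape(ticket))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var sr serviceResponse
	if err := xml.NewDecoder(resp.Body).Decode(&sr); err != nil {
		return "", err
	}
	if sr.User == "" {
		return "", fmt.Errorf("CAS rejected ticket %q: %s", ticket, sr.Failure)
	}
	return sr.User, nil
}

// runSSO plays the browser: it is sent to CAS /login, captures the redirect back to the
// service rather than following it, and hands the ticket to the service for validation.
func runSSO(casURL, serviceURL string) (user, ticket string, err error) {
	browser := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	resp, err := browser.Get(casURL + "/login?service=" + url.QueryEscape(serviceURL))
	if err != nil {
		return "", "", err
	}
	resp.Body.Close()
	loc, err := resp.Location()
	if err != nil {
		return "", "", err
	}
	ticket = loc.Query().Get("ticket")
	user, err = validateTicket(casURL, serviceURL, ticket)
	return user, ticket, err
}

func main() {
	cas := startCAS()
	defer cas.Close()
	user, ticket, err := runSSO(cas.URL, "https://IT-2208:8443/myapp/j_acegi_cas_security_check")
	fmt.Println(user, ticket, err)
}
```

A second validateTicket call with the same ticket, or a call naming a different service URL, comes back as authenticationFailure; that single-use, single-service binding is what the relying party depends on. The server-to-server /serviceValidate call is the one in which the Acegi filter in the service app logged the PKIX error above: the service's JVM must trust the CAS server's certificate, independently of what the user's browser accepted.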
Stephane Bailliez
2007-02-22 03:44:20 UTC
Post by k2g
Service app was built using webwork, spring, hibernate ....
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
Typically your truststore is not set (i.e. your CA is not trusted).
Post by k2g
ERROR [http-8443-Processor25] [jsp].invoke(253) | Servlet.service()
for servlet jsp threw exception
http://java.sun.com/jstl/core cannot be resolved in either web.xml or
the jar files deployed with this application at
org.apache.jasper.compiler.DefaultErrorHandler.jsp
Typically you're using the wrong jstl version with the wrong servlet
container (or webapp declaration).

The uri above is for jstl 1.0 (typically Servlet 2.3), the uri for jstl
1.1 is http://java.sun.com/jsp/jstl/core (part of JSP 2.0 / Servlet 2.4).

-- stephane
