Thread: Acegi with CAS

  1. #11
    Join Date
    Aug 2004
    Location
    Roselle Park, NJ
    Posts
    167

    If you're not using SSL then you should not see a trusted certificate error.

  2. #12

    This variant doesn't suit me. I really need to use https. But.... thanks anyway.

  3. #13
    Join Date
    Jun 2006
    Posts
    6

    Quote: Originally posted by reddy
        actually I removed the SSL dependency from both the cas client and the configuration file in cas server. I am using simple http

    I was curious if these were configuration changes or did you edit the source?

    Thanks
    -Jeff

  4. #14
    Join Date
    Jun 2006
    Posts
    6

    I ask because I'm having similar issues whereby the CasProcessingFilter attempts to validate the ticket, but generates an error indicating "HTTPS hostname wrong: should be <127.0.0.1>".

    I am able to manually make a request to the proxyValidate url and I get back a response with my username indicating the auth is valid (based on what I've read in the docs).

    I'm using a self signed cert with CN=127.0.0.1

    I have the CasProxyTicketValidator.trustStore property set to my keystore, which is the same one I'm using with Jetty.

    Code:
    ....
    2007-01-03 21:49:40,248 DEBUG [org.acegisecurity.ui.cas.CasProcessingFilter] - <Request is to process authentication>
    2007-01-03 21:49:40,248 DEBUG [org.acegisecurity.providers.ProviderManager] - <Authentication attempt using org.acegisecurity.providers.cas.CasAuthenticationProvider>
    2007-01-03 21:49:40,272 DEBUG [edu.yale.its.tp.cas.util.SecureURL] - <entering retrieve(https://127.0.0.1:8443/cas/proxyValidate?service=https://127.0.0.1:8443/j_acegi_cas_security_check&ticket=ST-2-eKeT5uOkkdqYkeZfWNWaQRDEOdwFgJDjeK2-20&pgtUrl=https://127.0.0.1:8443/cas/proxy/receptor)>
    2007-01-03 21:49:40,756 DEBUG [org.springframework.web.context.support.XmlWebApplicationContext] - <Publishing event in context [Root WebApplicationContext]: org.acegisecurity.event.authentication.AuthenticationFailureServiceExceptionEvent[source=org.acegisecurity.providers.UsernamePasswordAuthenticationToken@e6a37ff9: Username: _cas_stateful_; Password: [PROTECTED]; Authenticated: false; Details: org.acegisecurity.ui.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: 1dna8dk1khek; Not granted any authorities]>
    2007-01-03 21:49:40,756 WARN [org.acegisecurity.event.authentication.LoggerListener] - <Authentication event AuthenticationFailureServiceExceptionEvent: _cas_stateful_; details: org.acegisecurity.ui.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: 1dna8dk1khek; exception: HTTPS hostname wrong:  should be <127.0.0.1>>
    2007-01-03 21:49:40,756 DEBUG [org.springframework.context.support.FileSystemXmlApplicationContext] - <Publishing event in context [org.springframework.context.support.FileSystemXmlApplicationContext;hashCode=17689439]: org.acegisecurity.event.authentication.AuthenticationFailureServiceExceptionEvent[source=org.acegisecurity.providers.UsernamePasswordAuthenticationToken@e6a37ff9: Username: _cas_stateful_; Password: [PROTECTED]; Authenticated: false; Details: org.acegisecurity.ui.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: 1dna8dk1khek; Not granted any authorities]>
    2007-01-03 21:49:40,756 DEBUG [org.acegisecurity.ui.cas.CasProcessingFilter] - <Updated SecurityContextHolder to contain null Authentication>
    2007-01-03 21:49:40,756 DEBUG [org.acegisecurity.ui.cas.CasProcessingFilter] - <Authentication request failed: org.acegisecurity.AuthenticationServiceException: HTTPS hostname wrong:  should be <127.0.0.1>>
    2007-01-03 21:49:40,756 DEBUG [org.acegisecurity.context.HttpSessionContextIntegrationFilter] - <SecurityContextHolder set to new context, as request processing completed>
    2007-01-03 21:49:40,864 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - <Converted URL to lowercase, from: '/casfailed.html'; to: '/casfailed.html'>
    2007-01-03 21:49:40,864 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - <Candidate is: '/casfailed.html'; pattern is /**; matched=true>
    ...
    Any ideas? It has to be something screwy with my self-signed certs... I've tried several permutations of changing the urls/certs between localhost and 127.0.0.1, but get a similar error.

    Thanks,
    -Jeff

  5. #15
    Join Date
    Jun 2006
    Posts
    6

    I figured out how to fix it, in a different way. I added an alias in /etc/hosts for 127.0.0.1 as 'blah'. Then changed all references in my applicationContext-acegi.xml conf that used to refer to '127.0.0.1' (or localhost - neither permutation worked) to 'blah'. Regenerated my self-signed cert with CN=blah and it all works.

    -Jeff
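
Added example (not part of any post in this thread, and not Acegi or CAS code): the server-identity rule from RFC 2818 section 3.1, applied to the certificate and URL combinations described in posts #14 and #15. It assumes the CAS client's HTTPS stack follows that rule, models a certificate as just its subject CN and subjectAltName entries, and leaves out wildcards and IPv6; the class and method names are illustrative.

```java
import java.util.List;

// Added example: RFC 2818 section 3.1 server-identity matching, reduced to the
// names a certificate carries. All names and sample values are constructed.
public class HostnameMatchDemo {

    // One subjectAltName entry; type 2 = dNSName, 7 = iPAddress (the same
    // codes X509Certificate.getSubjectAlternativeNames() returns).
    record San(int type, String value) {}

    static final int DNS = 2, IP = 7;

    static boolean isIpv4Literal(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    // True when a certificate with this subject CN and these SAN entries
    // identifies the host taken from the https:// URL.
    static boolean matches(String host, String cn, List<San> sans) {
        if (isIpv4Literal(host)) {
            // IP literal in the URL: only an iPAddress SAN counts, CN is ignored.
            return sans.stream().anyMatch(s -> s.type() == IP && s.value().equals(host));
        }
        boolean hasDns = sans.stream().anyMatch(s -> s.type() == DNS);
        if (hasDns) {
            // dNSName entries present: they are authoritative, CN is not consulted.
            return sans.stream().anyMatch(s -> s.type() == DNS && s.value().equalsIgnoreCase(host));
        }
        // No dNSName SAN: fall back to the subject CN.
        return cn.equalsIgnoreCase(host);
    }

    public static void main(String[] args) {
        List<San> none = List.of();
        // Post #14 setup: CN=127.0.0.1, no SAN, URLs use 127.0.0.1.
        System.out.println("CN=127.0.0.1, no SAN, host 127.0.0.1 -> " + matches("127.0.0.1", "127.0.0.1", none));
        // Post #15 setup: CN=blah, URLs use the /etc/hosts alias blah.
        System.out.println("CN=blah, no SAN, host blah -> " + matches("blah", "blah", none));
        // Same certificate, but one URL in the config still says 127.0.0.1.
        System.out.println("CN=blah, no SAN, host 127.0.0.1 -> " + matches("127.0.0.1", "blah", none));
        // A certificate carrying an iPAddress SAN satisfies the IP-literal URL.
        System.out.println("CN=blah, SAN ip:127.0.0.1, host 127.0.0.1 -> "
                + matches("127.0.0.1", "blah", List.of(new San(IP, "127.0.0.1"))));
    }
}
```

With a JDK 7 or later `keytool`, the option `-ext SAN=ip:127.0.0.1` adds the iPAddress entry when the self-signed certificate is generated.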

  6. #16
    Join Date
    Sep 2004
    Posts
    602

    Quote: Originally posted by Scott Battaglia
        If you're not using SSL then you should not see a trusted certificate error.

    I am getting trusted certificate errors too....

    I am running SSL on the CAS server (running under Tomcat, because SSL configuration is relatively trivial on there), and the main app on Websphere (because we have to and SSL configuration is not relatively trivial on there).

    When you say "If you're not using SSL then you should not see a trusted certificate error." is that SSL on the client (our web app) or CAS?

    Is there anything I need to turn off in the client acegi/cas context to turn off SSL?
