
Thread: problem:HttpSession returned null object for ACEGI_SECURITY_CONTEXT

  1. #1 (yaojinyang)

    Hi,
    I have spent more than one week trying to use Acegi as a client for CAS. The problem is always that the Acegi client gets a null authentication. First, I guessed the problem was that the HttpSession was lost during the switch from HTTPS to HTTP. Then I put all my web resources under a secure channel, but the problem is still there. This morning I tested it with the contacts-cas.war sample, but got the same problem.


    13:20:27,190 DEBUG FilterChainProxy,http-8443-Processor24:297 - /j_acegi_cas_security_check?ticket=ST-3-CbjQgQv2B4c7M3SX7W1XCybFQZZQvDzQEvq-20 at position 2 of 6 in additional filter chain; firing Filter: 'org.acegisecurity.context.HttpSessionContextIntegrationFilter@10848b9'
    13:20:27,190 DEBUG HttpSessionContextIntegrationFilter,http-8443-Processor24:215 - HttpSession returned null object for ACEGI_SECURITY_CONTEXT - new SecurityContext instance associated with SecurityContextHolder
    13:20:27,190 DEBUG FilterChainProxy,http-8443-Processor24:297 - /j_acegi_cas_security_check?ticket=ST-3-CbjQgQv2B4c7M3SX7W1XCybFQZZQvDzQEvq-20 at position 3 of 6 in additional filter chain; firing Filter: 'org.acegisecurity.ui.cas.CasProcessingFilter@194a1e9'
    13:20:27,190 DEBUG AbstractProcessingFilter,http-8443-Processor24:220 - Request is to process authentication


    I also checked the log of the CAS server, but can't find any exception.
    In the attachment there are logs from both the client and the server side.
    Thanks for any help you can provide.
    Yaojin

  2. #2 (Paul Newport)

    Quote Originally Posted by yaojinyang
    Hi,
    I have spent more than one week trying to use Acegi as a client for CAS. The problem is always that the Acegi client gets a null authentication. First, I guessed the problem was that the HttpSession was lost during the switch from HTTPS to HTTP. Then I put all my web resources under a secure channel, but the problem is still there. This morning I tested it with the contacts-cas.war sample, but got the same problem.
    Hi

    Can I ask you where you got the contacts-cas.war file from, as I need that to try and get my CAS configuration working?

  3. #3 (yaojinyang)

    Quote Originally Posted by Paul Newport
    Hi

    Can I ask you where you got the contacts-cas.war file from, as I need that to try and get my CAS configuration working?
    From http://foubert.free.fr/java/

  4. #4 (yaojinyang): accessing the HttpSession across web application boundaries

    Hi,
    I am reading the javadoc for HttpSession and found that it says: "Session information is scoped only to the current web application (ServletContext), so information stored in one context will not be directly visible in another." So is that the reason for my problem?
    But I think most people deploy their CAS server and client as different web applications, so how can the HttpSession actually be shared between them? Is any configuration required for that? Does anyone know?
    Thanks,
    Yaojin

  5. #5 (shreyank)

    An HTTP session is never shared between webapps, unless you do something extra with the parent classloader, which is generally not advisable. What are you trying to get access to?
    The user information can be accessed in each client webapp by using:
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();

  6. #6 (yaojinyang)

    Quote Originally Posted by shreyank
    An HTTP session is never shared between webapps, unless you do something extra with the parent classloader, which is generally not advisable. What are you trying to get access to?
    The user information can be accessed in each client webapp by using:
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    The thing is, I have deployed a CAS server as a web application (cas.war) and deployed an Acegi client as another web application (contacts-cas.war). But the client has a problem getting the authentication object. The only reason I can find from the log is that in the client the HttpSession object is null, so a new SecurityContext instance associated with SecurityContextHolder is created. Therefore I can't get the authentication object for the user who did the authentication. There must be a way that the information (at least the username) of the authenticated user is passed from the CAS server to the client. So I would like to know how it is achieved even though the client and the server are different web applications. I think it is very normal practice to deploy the CAS server and client in different web applications. But unfortunately I have a problem making it work.

  7. #7 (shreyank)

    Are you able to SSO to your client webapp?

    org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator.confirmTicketValid() is the method that validates the service ticket against CAS. Step through that to edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(). Are you getting a correct response back from CAS? It should look like:
    Code:
    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
       <cas:authenticationSuccess>
          <cas:user>YOUR_USER_NAME</cas:user>
          <cas:proxyGrantingTicket>PGTIOU-1-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</cas:proxyGrantingTicket>
       </cas:authenticationSuccess>
    </cas:serviceResponse>
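A worked example of the validation step shreyank describes, added here and not code from the thread, from Acegi or from the CAS client library: it builds the /serviceValidate URL the client webapp has to fetch from the CAS server (the CAS 2.0 endpoint that returns the XML above) and parses the reply, treating anything other than a well-formed authenticationSuccess carrying a non-empty cas:user as a failure, including the authenticationFailure form and a truncated reply. It is written in Python rather than the Java that Acegi's CasProxyTicketValidator and the Yale ServiceTicketValidator use, and the CAS base URL, service URL, ticket values and all three sample responses are constructed for the example. Two checks a practitioner will want in any real client: the validation request must go to the CAS server over HTTPS with certificate verification (the browser never sees this exchange, and a spoofed reply would mint a logged-in session), and the service parameter must be exactly the URL the ticket was issued for, here the Acegi j_acegi_cas_security_check URL.

```python
"""Added example: build a CAS 2.0 /serviceValidate request and parse its reply."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Namespace used by the CAS 2.0 protocol, as in the response quoted above.
CAS_NS = "http://www.yale.edu/tp/cas"


def cas_tag(local: str) -> str:
    """Clark-notation name ElementTree uses for a cas:<local> element."""
    return "{%s}%s" % (CAS_NS, local)


def build_validate_url(cas_base_url: str, service: str, ticket: str) -> str:
    """URL the client webapp fetches (server to server, over HTTPS) to validate a ticket.

    `service` must be exactly the URL the ticket was issued for, otherwise
    CAS rejects the ticket; values here are assumptions for the example.
    """
    query = urlencode([("ticket", ticket), ("service", service)])
    return "%s/serviceValidate?%s" % (cas_base_url.rstrip("/"), query)


@dataclass
class ValidationResult:
    ok: bool
    user: Optional[str] = None
    pgt_iou: Optional[str] = None      # only present when a proxy callback was registered
    error_code: Optional[str] = None
    error_message: Optional[str] = None


def parse_service_response(xml_text: str) -> ValidationResult:
    """Decide whether a /serviceValidate reply authenticates a user.

    Fails closed: only a well-formed cas:serviceResponse with
    cas:authenticationSuccess and a non-empty cas:user is a success.
    A reply that cannot be parsed is a failure, never an exception
    that a caller might accidentally swallow.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ValidationResult(False, error_code="MALFORMED", error_message=str(exc))

    if root.tag != cas_tag("serviceResponse"):
        return ValidationResult(False, error_code="UNEXPECTED_ROOT", error_message=root.tag)

    success = root.find(cas_tag("authenticationSuccess"))
    if success is not None:
        user_el = success.find(cas_tag("user"))
        user = (user_el.text or "").strip() if user_el is not None else ""
        if not user:
            # A success element with no principal must not log anyone in.
            return ValidationResult(False, error_code="NO_USER",
                                    error_message="authenticationSuccess without cas:user")
        pgt_el = success.find(cas_tag("proxyGrantingTicket"))
        pgt_iou = (pgt_el.text or "").strip() if pgt_el is not None else ""
        return ValidationResult(True, user=user, pgt_iou=pgt_iou or None)

    failure = root.find(cas_tag("authenticationFailure"))
    if failure is not None:
        return ValidationResult(False, error_code=failure.get("code", "UNKNOWN"),
                                error_message=(failure.text or "").strip())

    return ValidationResult(False, error_code="UNEXPECTED_BODY",
                            error_message="neither authenticationSuccess nor authenticationFailure")


# Constructed sample replies (not captured from a real CAS server).
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
   <cas:authenticationSuccess>
      <cas:user>YOUR_USER_NAME</cas:user>
      <cas:proxyGrantingTicket>PGTIOU-1-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</cas:proxyGrantingTicket>
   </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
   <cas:authenticationFailure code='INVALID_TICKET'>
      ticket 'ST-1-example' not recognized
   </cas:authenticationFailure>
</cas:serviceResponse>"""

# A reply cut off mid-document, e.g. by a dropped connection.
TRUNCATED_RESPONSE = SUCCESS_RESPONSE.split("</cas:authenticationSuccess>")[0]


if __name__ == "__main__":
    print(build_validate_url("https://cas.example.org/cas",
                             "https://app.example.org/j_acegi_cas_security_check",
                             "ST-1-example"))
    for label, body in [("success", SUCCESS_RESPONSE), ("failure", FAILURE_RESPONSE),
                        ("truncated", TRUNCATED_RESPONSE)]:
        print(label, parse_service_response(body))
```

Running the block prints the validation URL and the three parse results; every failing case comes back as ok=False with a code, so a caller can log the reason and still refuse the login rather than falling through to an anonymous or, worse, a half-built authenticated context.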

  8. #8 (Paul Newport)

    Quote Originally Posted by yaojinyang
    Excellent, thanks.

  9. #9 (yaojinyang)

    Quote Originally Posted by shreyank
    Are you able to SSO to your client webapp?

    org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator.confirmTicketValid() is the method that validates the service ticket against CAS. Step through that to edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(). Are you getting a correct response back from CAS? It should look like:
    Code:
    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
       <cas:authenticationSuccess>
          <cas:user>YOUR_USER_NAME</cas:user>
          <cas:proxyGrantingTicket>PGTIOU-1-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</cas:proxyGrantingTicket>
       </cas:authenticationSuccess>
    </cas:serviceResponse>
    Hi,
    Thank you for the reply. I think I am not able to SSO to my client webapp. What happens is that the CAS server can successfully authenticate the user with his username and password. Then the server redirects the user to the client webapp with a ticket appended to the URL. Once the client side receives this request, it tries to get the authenticated user from the HttpSession. Since the HttpSession is null, the client creates a new SecurityContext, so the user is treated as anonymous. Then the user is refused access to that web page for lack of authorization. I have never reached the point where the CasProxyTicketValidator is used. Is something missing in my chain, or have I missed some configuration?
    Yaojin

  10. #10 (shreyank)

    Where exactly is your client failing? I'm fairly new to ACEGI+CAS, so I don't necessarily know the full sequence of steps the authentication goes through. However, I do not see any HttpSession access in the CasProcessingFilter sequence before CasProxyTicketValidator is reached.
