Thread: Acegi CAS - stuck in CasAuthenticationProvider

  1. #1
    Join Date
    Jan 2010
    Posts
    7

    Acegi CAS - stuck in CasAuthenticationProvider

    Hi

    I need to set up Acegi + CAS, and I'm having a problem. I don't fully control the application I'm working on, so switching from Acegi to Spring Security isn't an option at this point.

    The setup:
    • acegi-security-1.0.7
    • acegi-security-cas-1.0.7
    • cas-server-3.3.5


    The problem: the authentication process is blocked in the CasAuthenticationProvider. "Blocked" here means the process does not move forward. Here are the last Acegi log lines I see:

    HTML Code:
    12 Jan 14:38:06 DEBUG [util.FilterChainProxy] - /j_acegi_cas_security_check?ticket=ST-19-AyGHiFFOc5XknShmeCTo-cas at position 4 of 6 in additional filter chain; firing Filter: 'org.acegisecurity.ui.cas.CasProcessingFilter@618821'
    12 Jan 14:38:06 DEBUG [cas.CasProcessingFilter] - Request is to process authentication
    12 Jan 14:38:06 DEBUG [providers.ProviderManager] - Authentication attempt using org.acegisecurity.providers.cas.CasAuthenticationProvider
    12 Jan 14:38:06 WARN [ticketvalidator.CasProxyTicketValidator] - The current CAS ProxyTicketValidator does not support the 'renew' property. The ticket cannot be validated as having been issued by a 'renew' authentication. It is expected this will be corrected in a future version of CAS' ProxyTicketValidator.
    The CAS server logs do not include much. I can see the granting of the ticket:

    HTML Code:
    2010-01-12 14:38:06,342 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-19-AyGHiFFOc5XknShmeCTo-cas] for service [https://localhost:8443/geoserver/j_acegi_cas_security_check] for user [jeichar]>
    and I also see SSLSocket exceptions (Warnings):

    HTML Code:
    2010-01-12 15:04:42.177::WARN:  handle failed
    java.lang.UnsupportedOperationException: The method shutdownOutput() is not supported in SSLSocket
    but I don't know if they are harmful.

    My security context file is derived from the cas-contacts sample. It is attached to this post (applicationContext-acegi-security-cas.txt).

    As I said, the process is blocked and I get no exception in Acegi. The browser is redirected to j_acegi_cas_security_check but waits forever.

    I've tried multiple casclient.jar files that I've found here and there, but I always get the same issue.

    Does anyone know where the problem could come from? Any hint would be highly appreciated. And please tell me if my post misses important information.

    Thanks,

  2. #2
    Join Date
    Jan 2010
    Posts
    7

    There seems to be a deadlock between Acegi and CAS - they wait for each other.

    No hint for me?

    Thanks,

  3. #3
    Join Date
    Jan 2010
    Posts
    7

    Hi

    I'm suspicious about the casclient.jar I'm using, maybe it doesn't work with the version of Acegi or CAS Server I'm using. Could someone point me to an appropriate casclient.jar version?

    Thanks,

  4. #4
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236

    Well, this may represent an issue:
    Code:
    12 Jan 14:38:06 WARN [ticketvalidator.CasProxyTicketValidator] - The current CAS ProxyTicketValidator does not support the 'renew' property. The ticket cannot be validated as having been issued by a 'renew' authentication. It is expected this will be corrected in a future version of CAS' ProxyTicketValidator.
    Do you need to set the CAS renew property? Have you tried your configuration with that property removed?
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.


  5. #5
    Join Date
    Jan 2010
    Posts
    7

    Originally posted by pmularien:
    Well, this may represent an issue:
    Code:
    12 Jan 14:38:06 WARN [ticketvalidator.CasProxyTicketValidator] - The current CAS ProxyTicketValidator does not support the 'renew' property. The ticket cannot be validated as having been issued by a 'renew' authentication. It is expected this will be corrected in a future version of CAS' ProxyTicketValidator.
    Do you need to set the CAS renew property? Have you tried your configuration with that property removed?
    Yes. I've added renew=true on purpose, just to see where the code is blocking.

    Thanks,

  6. #6
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236

    Is there any way you can watch the network traffic between the CAS server and your app? Or set a breakpoint in the CAS client code to see what it's doing? When you say it's "hanging", is it really hanging, or just never validating the ticket and returning with an error?


  7. #7
    Join Date
    Jan 2010
    Posts
    7

    Originally posted by pmularien:
    Is there any way you can watch the network traffic between the CAS server and your app? Or set a breakpoint in the CAS client code to see what it's doing? When you say it's "hanging", is it really hanging, or just never validating the ticket and returning with an error?
    CAS Client hung on the proxyValidate request.

    We found the problem. It was due to a bug in Jetty (CAS Server runs in Jetty), see http://jira.codehaus.org/browse/JETTY-559. Upgrading Jetty to a more recent version solved the problem.

    Thank you.
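
The question raised in this thread, whether the ticket validation call truly hangs or comes back with an error, can be answered from the application host with a bounded-timeout probe of the CAS `/proxyValidate` endpoint. This is an added example, not code from the thread, Acegi or CAS; the CAS base URL is a placeholder (the thread does not give it) and the function names are hypothetical.

```python
import socket
import urllib.error
import urllib.parse
import urllib.request

# Placeholder: the thread does not give the CAS server URL.
CAS_BASE = "https://cas.example.invalid/cas"
# Service URL as it appears in the CAS server log quoted in the thread.
SERVICE = "https://localhost:8443/geoserver/j_acegi_cas_security_check"


def build_validate_url(cas_base, service, ticket):
    """Build the CAS 2.0 /proxyValidate URL for a service/ticket pair."""
    query = urllib.parse.urlencode({"service": service, "ticket": ticket})
    return cas_base.rstrip("/") + "/proxyValidate?" + query


def probe_validation(url, timeout=5.0):
    """Classify one validation call as (outcome, detail).

    outcome: success | failure | unexpected | http_error | hang |
             connect_timeout | unreachable
    """
    # Ignore proxy environment variables so the probe talks to CAS directly.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return "http_error", str(exc.code)
    except socket.timeout:
        # Connected and request sent, but no reply in time: the thread's symptom.
        return "hang", "no response within %.1fs" % timeout
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, socket.timeout):
            return "connect_timeout", "no connection within %.1fs" % timeout
        return "unreachable", str(exc.reason)
    except OSError as exc:
        return "unreachable", str(exc)
    if "<cas:authenticationSuccess" in body:
        return "success", body
    if "<cas:authenticationFailure" in body:
        return "failure", body
    return "unexpected", body[:200]


if __name__ == "__main__":
    # Constructed ticket: a healthy server should answer "failure" quickly.
    print(probe_validation(build_validate_url(CAS_BASE, SERVICE, "ST-constructed")))
```

A service ticket is single-use, so probe with a constructed ticket: a healthy server answers `failure` promptly, while the behaviour reported in the thread shows up as `hang`.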
