MOD_AUTH_CAS: Error parsing XML content for 'decb1de835caaddffc2259b7aab99e86' (Internal error)

Description

Mod_auth_cas unable to parse XML entry
The reason is cas cookie does not store path information .

My auth_cas config is
LoadModule auth_cas_module /usr/lib/apache2/modules/mod_auth_cas.so
<IfModule mod_auth_cas.c>
#CASVersion 2
CASDebug on
LogLevel debug

  1. Validate the authenticity of the login.goshen.edu SSL certificate by

  2. checking its chain of authority from the root CA.
    #CASCertificatePath /etc/pki/tls/certs/
    CASCertificatePath /etc/ssl/certs/
    CASValidateServer Off
    CASValidateDepth 9
    CASCookiePath /var/cache/apache2/mod_auth_cas/
    CASLoginURL https://optimus.svjniraj.com/cas/login
    CASValidateURL https://optimus.svjniraj.com/cas/serviceValidate
    CASTimeout 14400
    CASIdleTimeout 3600
    CASCacheCleanInterval 3600
    </IfModule>

I compared 2 cookie from different server and find out the difference
that 1 server cookie store path correctly but other does not store

<cacheEntry xmlns="http://uconn.edu/cas/mod_auth_cas">
<user>rajesh</user>
<issued>1340254723985670</issued>
<lastactive>1340254724000981</lastactive>
<path>/report/faces/a4j/s/3_3_3.Finalorg/richfaces/renderkit/html/css/basic_both.xcss/DATB/</path>
<ticket>ST-43240-bQcDf3d7vW9WeLECSU2w-cas</ticket>
</cacheEntry>

<cacheEntry xmlns="http://uconn.edu/cas/mod_auth_cas">
<user>tsd</user>
<issued>1340263159544993</issued>
<lastactive>1340263674883779</lastactive>
<path>/</path>
<ticket>ST-2273-fFaDtnzepFnnQIWAFJHl-cas</ticket>
</cacheEntry>

This is my cas debug log

[Thu Jun 21 12:48:33 2012] [debug] mod_auth_cas.c(1937): entering check_vhost_config()
[Thu Jun 21 12:48:33 2012] [debug] mod_auth_cas.c(1937): entering check_vhost_config()
[Thu Jun 21 12:48:50 2012] [debug] mod_auth_cas.c(1745): [client 192.168.1.46] Entering cas_authenticate()
[Thu Jun 21 12:48:50 2012] [debug] mod_auth_cas.c(607): [client 192.168.1.46] Modified r->args (old 'ticket=ST-2272-HPTXeaOOkzeEoCjPrDgf-cas', new '')
[Thu Jun 21 12:48:50 2012] [debug] mod_auth_cas.c(1600): [client 192.168.1.46] entering getResponseFromServer()
[Thu Jun 21 12:48:50 2012] [debug] mod_auth_cas.c(519): [client 192.168.1.46] entering getCASService()
[Thu Jun 21 12:48:50 2012] [debug] mod_auth_cas.c(539): [client 192.168.1.46] CAS Service 'http%3a%2f%2foptimus.svjniraj.com%2fcore'
[Thu Jun 21 12:48:50 2012] [debug] mod_auth_cas.c(1674): [client 192.168.1.46] Validation response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n\t<cas:authenticationSuccess>\n\t\t<cas:user>tsd</cas:user>\n\n\n\t</cas:authenticationSuccess>\n</cas:serviceResponse>\n
[Thu Jun 21 12:48:50 2012] [debug] mod_auth_cas.c(1293): [client 192.168.1.46] entering isValidCASTicket()
[Thu Jun 21 12:48:50 2012] [debug] mod_auth_cas.c(1299): [client 192.168.1.46] MOD_AUTH_CAS: response = <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n\t<cas:authenticationSuccess>\n\t\t<cas:user>tsd</cas:user>\n\n\n\t</cas:authenticationSuccess>\n</cas:serviceResponse>\n
[Thu Jun 21 12:48:50 2012] [debug] mod_auth_cas.c(1124): [client 192.168.1.46] entering createCASCookie()
[Thu Jun 21 12:48:50 2012] [debug] mod_auth_cas.c(946): [client 192.168.1.46] entering CASCleanCache()
[Thu Jun 21 12:48:50 2012] [debug] mod_auth_cas.c(988): [client 192.168.1.46] Beginning cache clean
[Thu Jun 21 12:48:50 2012] [debug] mod_auth_cas.c(1006): [client 192.168.1.46] Processing cache file 'decb1de835caaddffc2259b7aab99e86'
[Thu Jun 21 12:48:50 2012] [debug] mod_auth_cas.c(791): [client 192.168.1.46] entering readCASCacheFile()
[Thu Jun 21 12:48:50 2012] [error] [client 192.168.1.46] MOD_AUTH_CAS: Error parsing XML content for 'decb1de835caaddffc2259b7aab99e86' (Internal error)

Environment

Apache/2.2.20 (Ubuntu) mod_jk/1.2.32 mod_ssl/2.2.20 OpenSSL/1.0.0e.. Ubuntu server 11

Attachments

1

Activity

Show:

Phil Ames 
September 26, 2013 at 1:07 PM

Yes, there's discussion here:

https://lists.wisc.edu/read/messages?id=26793770

TL;DR : if you change the calls to apr_file_lock() to equivalent flock() calls then it should work. I don't know how Greg's thread on apr-dev ended, and whether libapr behavior will change.

Hendrik Blok 
September 25, 2013 at 9:57 AM

I have the same issue. Is their a solution or workaround?

Server version: Apache/2.2.3
Server built: Mar 4 2010 09:59:17
Server's Module Magic Number: 20051115:3
Server loaded: APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture: 64-bit
Server MPM: Worker
threaded: yes (fixed thread count)
forked: yes (variable process count)

Justin Dugger 
July 27, 2013 at 8:14 PM

I'm using the worker MPM + wsgi for a django app, and I'm logging the same errors from mod_auth_cas

  1. apache2 -V | grep MPM
    Server MPM: Worker
    -D APACHE_MPM_DIR="server/mpm/worker"

Greg Lazar 
April 5, 2013 at 3:12 PM

What MPM are people running with Apache that are seeing this issue. Have been discussing this with Phil on the dev mailing list. I found that apr_file_lock uses fnctl which only appears to honor the locking at a process level. So when you run in "worker" (multiple threads per process), the locks don't work. I switched to flock explicitly, and that took care of the problem, but still need to more than likely rebuild the apr itself to use flock.

Myers Carpenter 
February 15, 2013 at 7:53 PM

I see this consonantly in my log files and in firebug where in reauths for a img or css file. My theory is that the file is partial written to disk from a past request when the new request is try to read it.

Details

Assignee

Reporter

Priority

Created June 21, 2012 at 8:20 AM
Updated September 26, 2013 at 1:07 PM