jasig-cas IRC Logs-2011-09-22

[09:39:33 CDT(-0500)] <brandon> hello
[09:57:27 CDT(-0500)] <kickehy> is there anything to installing maven besides downloading the binary zip folder and extracting it?
[10:37:07 CDT(-0500)] <ries> kickehy: it came with my OS, but what does the install documentation say of mane?
[10:37:10 CDT(-0500)] <ries> maven
[11:03:10 CDT(-0500)] <kickehy> ries: "You only need to install this on the machine where you'll maintain your CAS build"
[11:03:42 CDT(-0500)] <ries> kickehy: that's for compiling only as far as I can see
[11:04:54 CDT(-0500)] <kickehy> I think all i need is to extract it...anywhere I want...but need to make sure the path is pointed to the bin folder
[11:06:30 CDT(-0500)] <ries> you only need to make sure that mvn can be called from within your build directory
[11:07:08 CDT(-0500)] <kickehy> mmmk i'll just keep going and see what happens (tongue)
[11:07:35 CDT(-0500)] <ries> my baby steps initial CAS server works.. and I could re-modify it swell (me happy...)
[11:08:16 CDT(-0500)] <ries> now I am trying this now : https://wiki.jasig.org/display/CASC/Saml11TicketValidationFilter+Example
[11:50:39 CDT(-0500)] <ries> hurray, got my little test app working (big grin)
[11:50:49 CDT(-0500)] <RaviJK> @ries congrats
[11:50:56 CDT(-0500)] <RaviJK> +1
[11:51:25 CDT(-0500)] <ries> Thanks RaviJK … load to learn still though...
[11:51:33 CDT(-0500)] <ries> I need to make Jahia CAS enabled and our apps as well
[11:51:43 CDT(-0500)] <ries> But it looks very promising...
[11:51:46 CDT(-0500)] <RaviJK> ries : welcome to the club
[11:51:55 CDT(-0500)] <RaviJK> it's a steep learning curve for sure
[11:52:19 CDT(-0500)] <ries> RaviJK: my problem is that I never really looked into Java security before.. so I am still a bit fuzzy about it
[11:52:56 CDT(-0500)] <RaviJK> (smile) , i'd never done Java before building CAS
[11:53:10 CDT(-0500)] <RaviJK> envy you .. being in much better position than me (smile)
[11:53:34 CDT(-0500)] <RaviJK> Anyone that has got restlet service working in CAS
[11:53:45 CDT(-0500)] <ries> RaviJK: Nhaaaaa.. I am not a java guru… I seem myself just fiddling along (big grin)
[11:59:27 CDT(-0500)] <ries> question for a CAS guru, can I have a application telling CAS that a specific user is logged in?
[12:41:15 CDT(-0500)] <apetro> ries, I don't understand the question
[12:41:57 CDT(-0500)] <wgthom> generally, no. CAS is not an application session manager. what are you trying to achieve?
[12:42:06 CDT(-0500)] <ries> apetro: I have a CMS system where users are getting logged in through a third party system (we don't control that third party) this login happens using some GET parameters (it's intranet)
[12:42:32 CDT(-0500)] <apetro> interesting. So, what would it mean for this third party system to tell CAS that the user is logged in?
[12:42:44 CDT(-0500)] <ries> Now I want to use CAS in such a way, that I also let these users login into CAS at the same time they are getting logged in into the CMS
[12:42:51 CDT(-0500)] <apetro> CAS needs to interact with the end user's browser to set a TGT cookie, the SSO session cookie, otherwise the user won't enjoy SSO
[12:42:56 CDT(-0500)] <apetro> ah, well, that might work
[12:43:12 CDT(-0500)] <apetro> you don't have to use username and password as credentials to CAS, you could use anything you like with a custom AuthenticationHandler
[12:43:23 CDT(-0500)] <ries> The third party system currently only links to the CMS, since we cannot control it we cannot let them login into CAS and then CAS redirects to the CMS
[12:43:52 CDT(-0500)] <apetro> so, in particular, your CMS login process could redirect to CAS with a token or something else that asserts the user's identity, CAS could consider that a login in lieu of password, and set the TGT cookie and allow the user to enjoy SSO thereafter.
[12:44:18 CDT(-0500)] <ries> ic, this will work with browser redirects, right?
[12:44:37 CDT(-0500)] <apetro> in principle, yes.
[12:44:39 CDT(-0500)] <ries> I cannot do this using some java code talking directly to CAS…. because CAS wouldn't know the sessions..
[12:44:55 CDT(-0500)] <apetro> CAS needs to interact with the end user's browser to set an SSO session cookie
[12:45:03 CDT(-0500)] <ries> yup...
[12:45:06 CDT(-0500)] <apetro> otherwise, being logged in to CAS doesn't mean much (anything?)
[12:45:34 CDT(-0500)] <ries> Agreed
[12:45:51 CDT(-0500)] <ries> going a bit further..
[12:46:39 CDT(-0500)] <ries> we also have another system we CAN control, but users get logged in 'over there', then we can tell these people to request a token from us, we make a custom AuthenticationHandler that validates the token, logs the guy into CAS and have it redirected to the CMS
[12:46:57 CDT(-0500)] <ries> from there we have all the freedom to login iFramed applications and other stuff we can control...
[12:53:39 CDT(-0500)] <brandon> hello
[12:53:50 CDT(-0500)] <ries> hello brandon
[12:54:10 CDT(-0500)] <brandon> i have cas on an external server and when i try to login from uportal, i get an error
[12:54:12 CDT(-0500)] <brandon> org.jasig.cas.client.validation.TicketValidationException: ticket 'ST-11-uFSf3zzxdweecjYjKOhB-cas' does not match supplied service.
[12:54:36 CDT(-0500)] <brandon> with cas 3.4.10 and uportal 3.2.2
[12:55:00 CDT(-0500)] * ries has zero experience with uPortal
[12:55:53 CDT(-0500)] <ries> it sounds like, from what I know of CAS now (1 day's experience) that there is something wrong with the service parameter
[12:56:12 CDT(-0500)] <ries> http://jasig.275507.n4.nabble.com/CAS-ticket-problems-and-server-validation-td2308144.html
[12:57:24 CDT(-0500)] <brandon> is that in web.xml?
[12:59:43 CDT(-0500)] <apetro> in the portal web.xml, yes
[13:00:15 CDT(-0500)] <apetro> the CAS-using application must present identical "service" parameters at redirect to /cas/login and at its own invocation of /cas/serviceValidate
[13:01:36 CDT(-0500)] <brandon> ok, my service is set to https://myportal.edu/uPortal/Login
[13:01:53 CDT(-0500)] <brandon> i don't see a service key in web.xml though
[13:07:11 CDT(-0500)] <brandon> how do i check what service param it is looking for on the cas side?
[13:09:31 CDT(-0500)] <apetro> the cas side is easy, it's whatever was in the browser URL when you were looking at /cas/login?service=splat in your browser
[13:10:43 CDT(-0500)] <brandon> well it looks like the services are the same
[13:11:51 CDT(-0500)] <apetro> k
[13:11:58 CDT(-0500)] <apetro> well, they gotta be different to get that error
[13:12:26 CDT(-0500)] <apetro> the CAS server log should log the URLs both of what the ST was issued to authenticate to and what service URL it was attempted validated against, and those logged URLs will be different, and there you'll see your troubles
[13:12:44 CDT(-0500)] <apetro> unfortunately, CAS server doesn't tell the client (uPortal) what the correct service URL would have been, just that the client got it wrong.
[13:12:44 CDT(-0500)] <brandon> actually, never mind
[13:12:46 CDT(-0500)] <brandon> they are different
[13:12:48 CDT(-0500)] <apetro> bingo
[13:13:34 CDT(-0500)] <brandon> The original service was 'https://portal-server/uPortal/Login' and the supplied service was 'https://cas-server/uPortal/Login'.
[13:13:49 CDT(-0500)] <brandon> somehow it is adding /uPortal/Login to my cas server url
[13:13:59 CDT(-0500)] <brandon> where do i go to edit the supplied service url?
[13:15:23 CDT(-0500)] <apetro> weird
[13:15:29 CDT(-0500)] <apetro> this should all be configured in uPortal's web.xml
[13:15:37 CDT(-0500)] <apetro> this is configuration of the java CAS client
[13:15:40 CDT(-0500)] <apetro> what version of uPortal?
[13:16:34 CDT(-0500)] <brandon> um, i clearly remember getting 3.2.4 from source but it says 3.2.2 in my portal footer
[13:16:41 CDT(-0500)] <apetro> heh
[13:18:04 CDT(-0500)] <brandon> should the serverName param in web.xml be the uportal url or the cas url?
[13:18:31 CDT(-0500)] <apetro> that's got a confusing name, doesn't it
[13:18:35 CDT(-0500)] <apetro> should be the uPortal server name
[13:18:38 CDT(-0500)] <apetro> https://source.jasig.org/uPortal/tags/rel-3-2-4/uportal-impl/src/main/resources/properties/security.properties
[13:19:05 CDT(-0500)] <apetro> how about that security.properties , is this a matter of what static-feeling login URL is being displayed by the login portlet in the UI?
[13:19:27 CDT(-0500)] <brandon> well, that's probably my problem, it is set to the cas server name, haha
[13:19:40 CDT(-0500)] <apetro> understandable misapprehension, that.
[13:19:59 CDT(-0500)] <brandon> and the casServerUrlPrefix, I have it set to https://cas-server.edu/cas
[13:20:06 CDT(-0500)] <brandon> is that right? with the https:// ?
[13:20:41 CDT(-0500)] <apetro> https://wiki.jasig.org/display/CASC/Configuring+the+JA-SIG+CAS+Client+for+Java+in+the+web.xml
[13:21:17 CDT(-0500)] <apetro> looks right to me, it's like the example in that doco
[13:21:26 CDT(-0500)] <brandon> ok
[15:59:14 CDT(-0500)] <kickehy> how do you import the server certificate into the java cacerts store?
[15:59:41 CDT(-0500)] <wgthom> with the keytool of course (smile)
[15:59:48 CDT(-0500)] <wgthom> is this a trick question? (smile)
[16:00:06 CDT(-0500)] <kickehy> maybe i'm understanding the directions wrong
[16:00:07 CDT(-0500)] <wgthom> http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
[16:00:36 CDT(-0500)] <wgthom> which doc are you following?
[16:00:57 CDT(-0500)] <kickehy> wgthom: i don't know a ton about what i'm doing...just trying to get this to work... https://wiki.jasig.org/display/CASUM/End-to-end+Windows+Example
[16:01:47 CDT(-0500)] <kickehy> and i'm using a server cert from our own CA and not the one in the example
[16:03:21 CDT(-0500)] <wgthom> have you tried this: https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide
[16:08:48 CDT(-0500)] <kickehy> that helps
[16:08:49 CDT(-0500)] <kickehy> (big grin)
[16:08:52 CDT(-0500)] <wgthom> cool
[16:10:45 CDT(-0500)] <kickehy> does it matter if it's base-64 or DER? i assume base-64
[16:17:50 CDT(-0500)] <kickehy> wgthom: hehe helps if i read "The certificate to be imported MUST be a DER-encoded file."
[16:18:08 CDT(-0500)] <wgthom> yes. helps to read. (smile)
[16:18:23 CDT(-0500)] <kickehy> or i should say...read further down the page
[16:18:39 CDT(-0500)] <wgthom> please feel free to help improve the docs
[16:18:42 CDT(-0500)] <kickehy> but thanks for that link
[16:21:06 CDT(-0500)] <wgthom> you're welcome. good luck