Hi everybody,

I'll answer myself.
The problem was in the server.xml access valve (it is necessary to declare the
application server's IP or to uncomment the valve).

Hope this helps!
Best regards,
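The fix above (the access valve in server.xml must list the application server's IP) can be checked against an Apache access log like the one quoted further down. The following Python is an added example, not code from this thread or from CAS: it parses constructed combined-format log lines, reports the clients refused with 403 on /cas/serviceValidate, and tests their IPs against an allow pattern the way Tomcat's RemoteAddrValve does (whole-address java.util.regex match). The valve type, the IPs, the ticket and both allow patterns are assumptions.

```python
import re

# Constructed sample in Apache combined log format, modelled on the thread's
# ssl_access.log: browser traffic to /cas/login succeeds, but the IdP's Java
# client is refused on /cas/serviceValidate. IPs and ticket are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Apr/2017:14:01:36 +0200] "GET /cas/login?service=https%3A%2F%2Fidp.example.org%2Fidp%2FAuthn%2FExtCas HTTP/1.1" 200 9705 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) Chrome/57.0"
203.0.113.10 - - [07/Apr/2017:14:01:45 +0200] "POST /cas/login?service=https%3A%2F%2Fidp.example.org%2Fidp%2FAuthn%2FExtCas HTTP/1.1" 302 1429 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) Chrome/57.0"
10.0.0.88 - - [07/Apr/2017:14:01:45 +0200] "GET /cas/serviceValidate?ticket=ST-0-PLACEHOLDER-cas&service=https%3A%2F%2Fidp.example.org%2Fidp%2FAuthn%2FExtCas HTTP/1.1" 403 406 "-" "Java/1.7.0_121"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries

def refused_validations(entries):
    """Map each client IP that got a 403 on CAS ticket validation to the UAs it used."""
    hits = {}
    for e in entries:
        if e["status"] == 403 and "/serviceValidate" in e["path"]:
            hits.setdefault(e["ip"], set()).add(e["ua"])
    return hits

def allowed_by_valve(allow_regex, ip):
    """Emulate RemoteAddrValve: 'allow' must match the whole address (Matcher.matches)."""
    return re.fullmatch(allow_regex, ip) is not None

def missing_from_allow(allow_regex, entries):
    """Refused validators whose IP the valve's allow pattern does not cover."""
    refused = refused_validations(entries)
    return sorted(ip for ip in refused if not allowed_by_valve(allow_regex, ip))

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    # Assumed weak setting: Tomcat's stock loopback-only pattern left in server.xml.
    loopback_only = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"
    for ip in missing_from_allow(loopback_only, entries):
        uas = ", ".join(sorted(refused_validations(entries)[ip]))
        print(f"{ip} refused on serviceValidate ({uas}): add it to the valve's allow")
    # Corrected setting: loopback plus the application server that validates tickets.
    fixed = loopback_only + r"|10\.0\.0\.88"
    print("fixed pattern leaves nothing refused:", missing_from_allow(fixed, entries) == [])
```

Note that the valve checks the address Tomcat sees: behind an AJP proxy that is the forwarded client address, which is why the IdP's own IP, not the browser's, needs to be in the allow list.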

On Friday, April 7, 2017 at 14:47:01 UTC+2, Didier Capdevielle wrote:
>
> Hi everybody,
>
> I'm a newbie too in CAS and i have the same problem.
>
> I installed a CAS server 4.2.7 with Maven War Overlay, OpenJDK 7 and 
> Tomcat8.
> I installed an Apache Server to redirect request with AJP.
>
> Directly using CAS, no problem.
>
> But using CAS via an application (IdP for example), the same problem 
> occurs.
> Login is OK but ServiceValidate is forbidden.
>
> Here are the logs from the Apache ssl_access.log:
>
> 147.210.233.170 - - [07/Apr/2017:14:01:36 +0200] "GET /cas/login?service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1&entityId=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy HTTP/1.1" 200 9705 "https://idp-ubx.u-bordeaux.fr/WTST/wayf.php?entityID=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy&return=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy%2FShibboleth.sso%2FWAYF%3FSAMLDS%3D1%26target%3Dcookie%253A1491566493_4fae" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
> 147.210.233.170 - - [07/Apr/2017:14:01:45 +0200] "POST /cas/login?service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1&entityId=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy HTTP/1.1" 302 1429 "https://cas3.u-bordeaux.fr/cas/login?service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1&entityId=https%3A%2F%2Fkrusty.u-bordeaux.fr%2Fshowlazy" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
> 172.29.52.88 - - [07/Apr/2017:14:01:45 +0200] "GET /cas/serviceValidate?ticket=ST-4-b9WKP1g9E5K0rgXe5Nwj-cas-ubx&service=https%3A%2F%2Ftestidp.u-bordeaux.fr%2Fidp%2FAuthn%2FExtCas%3Bjsessionid%3D415E0BB45E1B68E7666829960DEEB70D%3Fconversation%3De1s1 HTTP/1.1" 403 406 "-" "Java/1.7.0_121"
>
> Looking at the messages, it seems that browser user-agents are authorized but 
> the Java user-agent (Java/1.7.0_121) - and probably other non-browser agents - 
> is blocked.
>
> Are one or more certificates missing? If yes, where, and what kind of 
> certificates? What else?
>
> Thanks for your help!
> Best regards,
>
> On Thursday, January 19, 2017 at 22:42:36 UTC+1, Daniel Alzate wrote:
>>
>> Hi, 
>>
>> I'm new to CAS and also the community.
>>
>> I have a new CAS setup working, but I'm facing this same problem reported 
>> by Conan. I wonder if you found a solution or the cause of this issue?
>>
>>
>> Best regards.
>>
>> Daniel.
>>
>> On Friday, May 27, 2016 at 2:33:53 AM UTC-5, Conan Malone wrote:
>>>
>>> cas.log shows nothing at all and cas-management.log shows the 
>>> '[org.jasig.cas.client.util.CommonUtils] - Server returned HTTP response 
>>> code: 403 for URL:' error that I posted above.  The only apps I have 
>>> installed right now are CAS and the management app; I can log into CAS fine 
>>> with casuser and it goes to the 'Login successful' page.
>>>
>>> On Thursday, May 26, 2016 at 5:53:41 PM UTC+1, Misagh Moayyed wrote:
>>>>
>>>> Does the CAS server produce any logs when it attempts to validate that 
>>>> ticket? Can you log into any other apps beside the management webapp? 
>>>>
>>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Conan Malone
>>>> *Sent:* Thursday, May 26, 2016 2:11 AM
>>>> *To:* CAS Community <[email protected]>
>>>> *Subject:* [cas-user] Cas-Service-Management-Overlay still not working (more info)
>>>>
>>>> Hi,
>>>>
>>>> I'm making a new post as I feel there maybe wasn't enough information 
>>>> in my last one for anyone to help me out.
>>>>
>>>> I have downloaded the cas-overlay-template and 
>>>> cas-service-management-overlay (4.2.2), copied the correct files to 
>>>> /etc/cas/ and ran mvnw clean package on both of them with build success, so 
>>>> that all seems fine (both deployed in Tomcat as ROOT.war and 
>>>> cas-services.war).
>>>>
>>>> I can go to https://mycasdomain.com/ and it goes to the login page; I 
>>>> can then log in with casuser,Mellon and this works fine (I can also do 
>>>> RADIUS authentication).  My problem seems to be with cas-services-management: 
>>>> when I go to https://mycasdomain.com/cas-services/ (looking at the 
>>>> network tab in Chrome) I get redirected to manage.html, which redirects to the 
>>>> login page as expected with the URL 
>>>> 'https://mycasdomain/login?service=https%3A%2F%2Fmycasdomain%2Fcas-services%2Fcallback%3Fclient_name%3DCasClient'.
>>>> The page has the 'Services Management Web Application' box at the top, so I 
>>>> assume services are correctly set up.  I then log in with casuser,Mellon 
>>>> and get the 'The CAS management webapp is unavailable' screen.
>>>>
>>>> The login page redirected me to 
>>>> 'https://mycasdomain.com/cas-services/callback?client_name=CasClient&ticket=ST-7-1df43YSsUctajcAt1miS-mycasdomain.com'
>>>> and gave an HTTP status 500.
>>>>
>>>> But looking through the logs I find that I get an HTTP status 403 just 
>>>> before I get the 500, on a different address, which is 
>>>> 'https://mycasdomain.com/p3/serviceValidate?ticket=ST-7-1df43YSsUctajcAt1miS-mycasdomain.com&service=https%3A%2F%2Fmycasdomain.com%2Fcas-services%2Fcallback%3Fclient_name%3DCasClient'.
>>>> If I put this address in my browser I get presented with
>>>>
>>>> ----------------------------------------------------------------------------------
>>>>
>>>> <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
>>>>   <cas:authenticationSuccess>
>>>>     <cas:user>casuser</cas:user>
>>>>     <cas:attributes>
>>>>       <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
>>>>       <cas:isFromNewLogin>true</cas:isFromNewLogin>
>>>>       <cas:authenticationDate>2016-05-26T09:53:00.011+01:00</cas:authenticationDate>
>>>>     </cas:attributes>
>>>>   </cas:authenticationSuccess>
>>>> </cas:serviceResponse>
>>>>
>>>> ----------------------------------------------------------------------------------
>>>>
>>>> I'll put snippets from the parts I have changed in cas.properties and 
>>>> cas-management.properties below.  *Can someone have a look through 
>>>> this and see if I am missing anything?*
>>>>
>>>> *P.S. I also have my CAS server behind a load balancer, so it needs to 
>>>> go out of the network to https://mycasdomain.com/ and come back in through 
>>>> the load balancer to the CAS server.  But I was thinking that if there were a 
>>>> problem with this, surely the normal CAS login wouldn't work?*
>>>>
>>>> Thanks in advance,
>>>>
>>>> Conan
>>>>
>>>> ----------------------snippets and logs----------------------
>>>>
>>>> server.name=https://mycasdomain.com
>>>> server.prefix=${server.name}
>>>>
>>>> # security configuration based on IP address to access the /status and /statistics pages
>>>> cas.securityContext.adminpages.ip=127\.0\.0\.1
>>>>
>>>> ##
>>>> # Unique CAS node name
>>>> # host.name is used to generate unique Service Ticket IDs and SAMLArtifacts.  This is usually set to the specific
>>>> # hostname of the machine running the CAS node, but it could be any label so long as it is unique in the cluster.
>>>> host.name=mycasdomain.com
>>>>
>>>> ----------------------
>>>>
>>>> # CAS
>>>> cas.host=https://mycasdomain.com
>>>> cas.prefix=${cas.host}
>>>> cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${cas.prefix}/login
>>>>
>>>> # Management
>>>> cas-management.host=${cas.host}
>>>> cas-management.prefix=${cas-management.host}/cas-services
>>>> cas-management.securityContext.serviceProperties.service=${cas-management.prefix}/callback
>>>>
>>>> # Security
>>>> cas-management.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
>>>> pac4j.callback.defaultUrl=/manage.html
>>>>
>>>> # views
>>>> cas-management.viewResolver.basename=default_views
>>>>
>>>> ##
>>>> # User details file location that contains list of users
>>>> # who are allowed access to the management webapp:
>>>> #
>>>> user.details.file.location = file:/etc/cas/user-details.properties
>>>>
>>>> ##
>>>> # JSON Service Registry
>>>> #
>>>> # Directory location where JSON service files may be found.
>>>> service.registry.config.location=file:/etc/cas/services
>>>>
>>>> ----------------------
>>>>
>>>> 2016-05-26 10:05:23,048 ERROR [org.jasig.cas.client.util.CommonUtils] - Server returned HTTP response code: 403 for URL: https://mycasdomain.com/p3/serviceValidate?ticket=ST-9-MbZeb0hglH5p4OW3HUAn-mycasdomain.com&service=https%3A%2F%2Fmycasdomain.com%2Fcas-services%2Fcallback%3Fclient_name%3DCasClient
>>>> java.io.IOException: Server returned HTTP response code: 403 for URL: https://mycasdomain.com/p3/serviceValidate?ticket=ST-9-MbZeb0hglH5p4OW3HUAn-mycasdomain.com&service=https%3A%2F%2Fmycasdomain.com%2Fcas-services%2Fcallback%3Fclient_name%3DCasClient
>>>>         at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840)
>>>>         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
>>>>         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
>>>>         at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:431)
>>>>         at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
>>>>         at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
>>>>         at org.pac4j.cas.client.CasClient.retrieveUserProfile(CasClient.java:321)
>>>>         at org.pac4j.cas.client.CasClient.retrieveUserProfile(CasClient.java:83)
>>>>         at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:99)
>>>>         at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:48)
>>>>         at org.pac4j.springframework.web.CallbackController.callback(CallbackController.java:81)
>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>>>         at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:222)
>>>>         at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:137)
>>>>         at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
>>>>         at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:814)
>>>>         at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:737)
>>>>         at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
>>>>         at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
>>>>         at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
>>>>         at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>>>         at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
>>>>         at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>         at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
>>>>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>>>         at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>>>         at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>         at org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>>>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>>>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>>>>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>>>>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>>>>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>>>>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>>>>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>>>>         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
>>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>         at java.lang.Thread.run(Thread.java:745)
>>>>
>>>> -- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to [email protected].
>>>> To post to this group, send email to [email protected].
>>>> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
>>>> To view this discussion on the web visit 
>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/f4f814e4-0dac-4996-ab4d-ac795b3848aa%40apereo.org.
>>>> For more options, visit https://groups.google.com/a/apereo.org/d/optout.
>>>>
>>>

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/46010e34-02e9-422e-baaf-784da7be8a4d%40apereo.org.
