Same problem on my CAS Management webapp, it ends in "too many redirects". The same configuration is working fine with CAS 6.6.x and Management 6.6.x and the certificate is valid.
I can't find errors, and the ticket seems to be valid:

...
2024-03-27 07:39:34,185 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.web.flow.login.TicketGrantingTicketCheckAction@f63ecb0>
2024-03-27 07:39:34,185 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Digested original ticket id [TGT-1-********PD8Hl30-cas-dev] to [064acf194234da9769678f2ebd62453deb710c2e92966a30be34acbb8cfa49a4f519faf61342285493cbf82baf4805e7712a29381b064d68d10c19d2bce67e5b]>
2024-03-27 07:39:34,185 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Attempting to decode [DefaultEncodedTicket(id=064acf194234da9769678f2ebd62453deb710c2e92966a30be34acbb8cfa49a4f519faf61342285493cbf82baf4805e7712a29381b064d68d10c19d2bce67e5b)]>
2024-03-27 07:39:34,187 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Decoded ticket to [TGT-1-********PD8Hl30-cas-dev]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.web.flow.login.TicketGrantingTicketCheckAction@f63ecb0; result = valid>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@698bdaf2 expression = ticketGrantingTicketCheckAction, resultExpression = [null]]; result = valid>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@109de836 on = valid, to = hasServiceCheck]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'ticketGrantingTicketCheck'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.DecisionState] - <Entering state 'hasServiceCheck' of flow 'login'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@5efaf8bd on = flowScope.service != null, to = renewRequestCheck]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'hasServiceCheck'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'renewRequestCheck' of flow 'login'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@42900422 expression = renewAuthenticationRequestCheckAction, resultExpression = [null]]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.apereo.cas.web.flow.actions.RenewAuthenticationRequestCheckAction@1ab38eaf>
2024-03-27 07:39:34,187 DEBUG [org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy] - <Evaluating authentication policy [DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[], excludedAuthenticationHandlers=[], criteria=null)] for [CasClient]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.apereo.cas.web.flow.actions.RenewAuthenticationRequestCheckAction@1ab38eaf; result = proceed>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@42900422 expression = renewAuthenticationRequestCheckAction, resultExpression = [null]]; result = proceed>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@1ad0074 on = proceed, to = generateServiceTicket]>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'renewRequestCheck'>
2024-03-27 07:39:34,187 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'generateServiceTicket' of flow 'login'>
...

Regards,
Hartmut

Ray Bon wrote on Tuesday, 26 March 2024 at 19:40:57 UTC+1:
> Benjamin,
>
> The behaviour you describe happens when the service ticket can not be validated.
> cas management submits the ST to cas through a back channel over https.
> If there is nothing in cas audit log about validation / failed validation (which would give a reason for failure), it could be a certificate problem.
>
> Do you have a proper/valid certificate for idp.example.tld (i.e. cert signed by an authority)?
>
> If not, you may have to add it to the java keystore (assuming you have already added it to tomcat config).
>
> Ray
>
> On Tue, 2024-03-26 at 05:02 -0700, Benjamin Renard wrote:
> > Hello,
> >
> > I'm trying to install a CAS server (v7) on a Debian 12 host. I'm using the Debian tomcat10 package, Apache2 as reverse proxy (AJP), the Oracle JDK 21.0.2 and a CAS Initializr overlay to build the cas.war file. My CAS server runs well, but I have a problem with the authentication of the management app. I use a CAS Initializr overlay for the CAS management 7.0.0-SNAPSHOT and I have no problem building the war and deploying it in the same context. I configure the CAS client in the management app:
> >
> > cas.server.name=https://idp.example.tld
> > cas.server.prefix=${cas.server.name}/cas
> >
> > When I try to access the management app, I enter a loop: I'm redirected to the CAS server, which authenticates me and redirects me to the management app on its callback URL with a ticket (https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-53-oxTcezruW9p3hhw5YBRWDXF4HUk-cas1-preprod), and I'm redirected again to the CAS server for authentication, which redirects me back with a new ticket, and so on.
> >
> > I have no error in the logs; I tried to enable debugging and I can't find any indication about my problem (see logs below). Do you have any idea?
> >
> > Furthermore, is it a good idea to run CAS server & management apps version 7 in production, or do I have to use version 6?
> >
> > Thanks!
> >
> > 2024-03-26 12:45:29,508 DEBUG [org.springframework.security.web.FilterChainProxy] - Securing GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
> > 2024-03-26 12:45:29,508 DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] - Request: filter invocation [GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod]; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
> > 2024-03-26 12:45:29,509 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - Set SecurityContextHolder to anonymous SecurityContext
> > 2024-03-26 12:45:29,509 DEBUG [org.springframework.security.web.FilterChainProxy] - Secured GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
> > 2024-03-26 12:45:29,510 DEBUG [org.springframework.web.servlet.DispatcherServlet] - GET "/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod", parameters={masked}
> > 2024-03-26 12:45:29,512 DEBUG [org.springframework.web.servlet.handler.SimpleUrlHandlerMapping] - Mapped to ResourceHttpRequestHandler [classpath [dist/], classpath [static/]]
> > 2024-03-26 12:45:29,512 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - === SECURITY ===
> > 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - url: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
> > 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - clients: null | matchers: null
> > 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Provided clientNames: null
> > 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Default security clients: null
> > 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Only client: CasClient
> > 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - clientNameOnRequest: Optional.empty
> > 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.Clients] - Found client: CasClient(super=IndirectClient(super=BaseClient(name=CasClient, authorizationGenerators=[org.apereo.cas.mgmt.authz.json.JsonResourceAuthorizationGenerator@3a1a130f, org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@693918b7], credentialsExtractor=org.pac4j.cas.credentials.extractor.CasCredentialsExtractor@463e523, authenticator=InitializableObject(initialized=false, maxAttempts=3, nbAttempts=0, lastAttempt=null, minTimeIntervalBetweenAttemptsInMilliseconds=5000), profileCreator=org.pac4j.core.profile.creator.AuthenticatorProfileCreator@356f4a7b, customProperties={}, profileFactoryWhenNotAuthenticated=null, multiProfile=false, saveProfileInSession=true, config=org.pac4j.core.config.Config@3236bd7d), callbackUrl=https://idp.example.tld/cas-management/callback, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, callbackUrlResolver=org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@4a2a083e, ajaxRequestResolver=org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f402824, redirectionActionBuilder=org.pac4j.cas.redirect.CasRedirectionActionBuilder@31d3b75f, logoutProcessor=org.pac4j.cas.logout.processor.CasLogoutProcessor@5083e21e, logoutActionBuilder=CasLogoutActionBuilder(serverLogoutUrl=https://idp.example.tld/cas/logout, postLogoutUrlParameter=service), checkAuthenticationAttempt=true), configuration=CasConfiguration(encoding=UTF-8, loginUrl=https://idp.example.tld/cas/login, prefixUrl=https://idp.example.tld/cas/, restUrl=https://idp.example.tld/cas/v1/tickets, timeTolerance=1000, protocol=CAS30, renew=false, gateway=false, acceptAnyProxy=false, allowedProxyChains=[], defaultTicketValidator=null, proxyReceptor=null, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, postLogoutUrlParameter=service, customParams={}, method=null, privateKeyPath=null, privateKeyAlgorithm=null, privateKey=null, hostnameVerifier=null, sslSocketFactory=null)) for name: CasClient
> > 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - result: [CasClient]
> > 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - currentClients: [CasClient(super=IndirectClient(super=BaseClient(name=CasClient, authorizationGenerators=[org.apereo.cas.mgmt.authz.json.JsonResourceAuthorizationGenerator@3a1a130f, org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@693918b7], credentialsExtractor=org.pac4j.cas.credentials.extractor.CasCredentialsExtractor@463e523, authenticator=InitializableObject(initialized=false, maxAttempts=3, nbAttempts=0, lastAttempt=null, minTimeIntervalBetweenAttemptsInMilliseconds=5000), profileCreator=org.pac4j.core.profile.creator.AuthenticatorProfileCreator@356f4a7b, customProperties={}, profileFactoryWhenNotAuthenticated=null, multiProfile=false, saveProfileInSession=true, config=org.pac4j.core.config.Config@3236bd7d), callbackUrl=https://idp.example.tld/cas-management/callback, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, callbackUrlResolver=org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@4a2a083e, ajaxRequestResolver=org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f402824, redirectionActionBuilder=org.pac4j.cas.redirect.CasRedirectionActionBuilder@31d3b75f, logoutProcessor=org.pac4j.cas.logout.processor.CasLogoutProcessor@5083e21e, logoutActionBuilder=CasLogoutActionBuilder(serverLogoutUrl=https://idp.example.tld/cas/logout, postLogoutUrlParameter=service), checkAuthenticationAttempt=true), configuration=CasConfiguration(encoding=UTF-8, loginUrl=https://idp.example.tld/cas/login, prefixUrl=https://idp.example.tld/cas/, restUrl=https://idp.example.tld/cas/v1/tickets, timeTolerance=1000, protocol=CAS30, renew=false, gateway=false, acceptAnyProxy=false, allowedProxyChains=[], defaultTicketValidator=null, proxyReceptor=null, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, postLogoutUrlParameter=service, customParams={}, method=null, privateKeyPath=null, privateKeyAlgorithm=null, privateKey=null, hostnameVerifier=null, sslSocketFactory=null))]
> > 2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
> > 2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get sessionId: 0D8A24DA3779DDC589CC82A00D7121ED
> > 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.CacheControlMatcher@62ab3f9d -> true
> > 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XContentTypeOptionsMatcher@ba6fb34 -> true
> > 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: StrictTransportSecurityMatcher(maxAge=15768000) -> true
> > 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XFrameOptionsMatcher@57ab0e5b -> true
> > 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XSSProtectionMatcher@2471fb38 -> true
> > 2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
> > 2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: 93cdd09ba2c74a3d9235b3c71fb3e8dd for key: pac4jCsrfToken
> > 2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator] - previous CSRF token: 93cdd09ba2c74a3d9235b3c71fb3e8dd
> > 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
> > 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jPreviousCsrfToken for value: 93cdd09ba2c74a3d9235b3c71fb3e8dd
> > 2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator] - generated CSRF token: 2af42c4e87984404bcc144ac7034dbc3 for current URL: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
> > 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
> > 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jCsrfToken for value: 2af42c4e87984404bcc144ac7034dbc3
> > 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
> > 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jCsrfTokenExpirationDate for value: 1711467929514
> > 2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: CsrfTokenGeneratorMatcher(csrfTokenGenerator=org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator@690fdeb, domain=null, path=/, httpOnly=true, secure=true, maxAge=null, sameSitePolicy=null, addTokenAsAttribute=true, addTokenAsHeader=false, addTokenAsCookie=true) -> true
> > 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
> > 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: null for key: pac4jUserProfiles
> > 2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Loaded profiles (from session: true): []
> > 2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Starting authentication
> > 2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.savedrequest.DefaultSavedRequestHandler] - requestedUrl: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
> > 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
> > 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jRequestedUrl for value: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
> > 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
> > 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: null for key: CasClient$attemptedAuthentication
> > 2024-03-26 12:45:29,515 DEBUG [org.pac4j.cas.redirect.CasRedirectionActionBuilder] - redirectionUrl: https://idp.example.tld/cas/login?service=https%3A%2F%2Fidp.example.tld%2Fcas-management%2Fcallback%3Fclient_name%3DCasClient
> > 2024-03-26 12:45:29,515 DEBUG [org.springframework.web.servlet.DispatcherServlet] - Completed 302 FOUND

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f9f29a19-e216-4305-8027-fbaec2d873cbn%40apereo.org.
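Ray's diagnosis in the quoted reply is that the management app's CasClient validates the ST over a back channel and, when that validation fails (for instance on an untrusted certificate), simply starts a new login, which is what produces the loop. The following is an added example, not code from this thread, from CAS or from pac4j: it performs that same validation call explicitly so the failure reason is visible instead of another 302; it assumes the CAS 3.0 /p3/serviceValidate endpoint and uses the thread's hostname, callback URL and ticket only as placeholders.

```python
"""Added example (not code from the thread, CAS or pac4j): perform the back-channel
service-ticket validation that cas-management's CasClient does, so a failure the
client only turns into another redirect becomes visible. Assumes the CAS 3.0
/p3/serviceValidate endpoint; host, callback and ticket are placeholders from the
thread, and the two XML samples are constructed for offline checks."""
import ssl
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-1-example not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

def validate_url(prefix, service, ticket):
    """Build the validation URL; 'service' must match, byte for byte, the URL the
    ticket was issued for (here the callback including client_name=CasClient)."""
    query = urllib.parse.urlencode({"service": service, "ticket": ticket})
    return prefix.rstrip("/") + "/p3/serviceValidate?" + query

def parse_validation(xml_text):
    """Classify a cas:serviceResponse as success (with user) or failure (with code)."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.findtext("cas:user", default="", namespaces=CAS_NS)
        return {"ok": True, "user": user.strip()}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code", "UNKNOWN"),
                "message": " ".join((failure.text or "").split())}
    raise ValueError("not a CAS serviceResponse document")

def probe(prefix, service, ticket, cafile=None):
    """Call CAS as the management app does; an untrusted certificate is reported as TLS_UNTRUSTED."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: extra CA bundle to trust
    try:
        with urllib.request.urlopen(validate_url(prefix, service, ticket),
                                    context=ctx, timeout=10) as resp:
            return parse_validation(resp.read().decode("utf-8"))
    except urllib.error.URLError as exc:
        tls = isinstance(exc.reason, ssl.SSLCertVerificationError)
        return {"ok": False, "code": "TLS_UNTRUSTED" if tls else "TRANSPORT",
                "message": str(exc.reason)}

if __name__ == "__main__":  # a service ticket is single-use: supply a fresh one
    print(probe("https://idp.example.tld/cas",
                "https://idp.example.tld/cas-management/callback?client_name=CasClient",
                "ST-53-oxTcezruW9p3hhw5YBRWDXF4HUk-cas1-preprod"))
```

If the probe returns TLS_UNTRUSTED while a browser shows the certificate as valid, the trust store used by the validating process (the JVM's, for the management app) is the place to look, which matches the keystore advice above; an INVALID_TICKET with a mismatching service URL points at the callback URL instead.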