Benjamin,

Try this logger (in both cas and cas management). Note

<!-- DEBUG outbound and inbound headers and response as it is sent -->
<Logger name="org.apache.http.wire" level="debug" />

Ray

On Wed, 2024-03-27 at 02:13 -0700, Benjamin Renard wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Hi Ray,

Thanks for your reply. Yes, at first I thought like you, but I have no error in the logs and I use a valid SSL certificate. Just to be sure, I tried to add it to the keystore files (/etc/cas/thekeystore & $JAVA_HOME/lib/security/cacerts) and I still have the same problem. The keystore file (and its password) is correctly specified in my Tomcat AJP connector configuration. Furthermore, I can't see any trace of a request on the serviceValidate CAS server endpoint (I only have traces on the login endpoint).

Do you have any other ideas of what could cause this problem or how to debug it?

Thanks!

On Tuesday, 26 March 2024 at 19:40:57 UTC+1, Ray Bon wrote:

Benjamin,

The behaviour you describe happens when the service ticket can not be validated. cas management submits the ST to cas through a back channel over https. If there is nothing in the cas audit log about validation / failed validation (which would give a reason for failure), it could be a certificate problem. Do you have a proper/valid certificate for idp.example.tld (i.e. a cert signed by an authority)? If not, you may have to add it to the java keystore (assuming you have already added it to the tomcat config).

Ray

On Tue, 2024-03-26 at 05:02 -0700, Benjamin Renard wrote:

Hello,

I'm trying to install a CAS server (v7) on a Debian 12 host. I am using Debian's tomcat10 package, Apache2 as a reverse proxy (AJP), Oracle JDK 21.0.2 and a CAS Initializr overlay to build the cas.war file.

My CAS server runs well, but I have a problem with the authentication of the management app. I use a CAS Initializr overlay for CAS management 7.0.0-SNAPSHOT and I have no problem building the war and deploying it in the same context. I configure the CAS client in the management app:

cas.server.name=https://idp.example.tld
cas.server.prefix=${cas.server.name}/cas

When I try to access the management app, I enter a loop: I'm redirected to the CAS server, which authenticates me and redirects me to the management app on its callback URL with a ticket (https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-53-oxTcezruW9p3hhw5YBRWDXF4HUk-cas1-preprod), and I'm redirected again to the CAS server for authentication, which redirects me back with a new ticket, and so on. I have no error in the logs; I tried to enable debugging and I can't find any indication of my problem (see logs below).

Do you have any idea?

Furthermore, is it a good idea to run the CAS server & management apps version 7 in production, or do I have to use version 6?

Thanks!

2024-03-26 12:45:29,508 DEBUG [org.springframework.security.web.FilterChainProxy] - Securing GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,508 DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] - Request: filter invocation [GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod]; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
2024-03-26 12:45:29,509 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - Set SecurityContextHolder to anonymous SecurityContext
2024-03-26 12:45:29,509 DEBUG [org.springframework.security.web.FilterChainProxy] - Secured GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,510 DEBUG [org.springframework.web.servlet.DispatcherServlet] - GET "/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod", parameters={masked}
2024-03-26 12:45:29,512 DEBUG [org.springframework.web.servlet.handler.SimpleUrlHandlerMapping] - Mapped to ResourceHttpRequestHandler [classpath [dist/], classpath [static/]]
2024-03-26 12:45:29,512 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - === SECURITY ===
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - url:https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - clients: null | matchers: null
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Provided clientNames: null
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Default security clients: null
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Only client: CasClient
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - clientNameOnRequest: Optional.empty
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.Clients] - Found client: CasClient(super=IndirectClient(super=BaseClient(name=CasClient, authorizationGenerators=[org.apereo.cas.mgmt.authz.json.JsonResourceAuthorizationGenerator@3a1a130f, org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@693918b7], credentialsExtractor=org.pac4j.cas.credentials.extractor.CasCredentialsExtractor@463e523, authenticator=InitializableObject(initialized=false, maxAttempts=3, nbAttempts=0, lastAttempt=null, minTimeIntervalBetweenAttemptsInMilliseconds=5000), profileCreator=org.pac4j.core.profile.creator.AuthenticatorProfileCreator@356f4a7b, customProperties={}, profileFactoryWhenNotAuthenticated=null, multiProfile=false, saveProfileInSession=true, config=org.pac4j.core.config.Config@3236bd7d), callbackUrl=https://idp.example.tld/cas-management/callback, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, callbackUrlResolver=org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@4a2a083e, ajaxRequestResolver=org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f402824, redirectionActionBuilder=org.pac4j.cas.redirect.CasRedirectionActionBuilder@31d3b75f, logoutProcessor=org.pac4j.cas.logout.processor.CasLogoutProcessor@5083e21e, logoutActionBuilder=CasLogoutActionBuilder(serverLogoutUrl=https://idp.example.tld/cas/logout, postLogoutUrlParameter=service), checkAuthenticationAttempt=true), configuration=CasConfiguration(encoding=UTF-8, loginUrl=https://idp.example.tld/cas/login, prefixUrl=https://idp.example.tld/cas/, restUrl=https://idp.example.tld/cas/v1/tickets, timeTolerance=1000, protocol=CAS30, renew=false, gateway=false, acceptAnyProxy=false, allowedProxyChains=[], defaultTicketValidator=null, proxyReceptor=null, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, postLogoutUrlParameter=service, customParams={}, method=null, privateKeyPath=null, privateKeyAlgorithm=null, privateKey=null, hostnameVerifier=null, sslSocketFactory=null)) for name: CasClient
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - result: [CasClient]
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - currentClients: [CasClient(super=IndirectClient(super=BaseClient(name=CasClient, authorizationGenerators=[org.apereo.cas.mgmt.authz.json.JsonResourceAuthorizationGenerator@3a1a130f, org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@693918b7], credentialsExtractor=org.pac4j.cas.credentials.extractor.CasCredentialsExtractor@463e523, authenticator=InitializableObject(initialized=false, maxAttempts=3, nbAttempts=0, lastAttempt=null, minTimeIntervalBetweenAttemptsInMilliseconds=5000), profileCreator=org.pac4j.core.profile.creator.AuthenticatorProfileCreator@356f4a7b, customProperties={}, profileFactoryWhenNotAuthenticated=null, multiProfile=false, saveProfileInSession=true, config=org.pac4j.core.config.Config@3236bd7d), callbackUrl=https://idp.example.tld/cas-management/callback, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, callbackUrlResolver=org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@4a2a083e, ajaxRequestResolver=org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f402824, redirectionActionBuilder=org.pac4j.cas.redirect.CasRedirectionActionBuilder@31d3b75f, logoutProcessor=org.pac4j.cas.logout.processor.CasLogoutProcessor@5083e21e, logoutActionBuilder=CasLogoutActionBuilder(serverLogoutUrl=https://idp.example.tld/cas/logout, postLogoutUrlParameter=service), checkAuthenticationAttempt=true), configuration=CasConfiguration(encoding=UTF-8, loginUrl=https://idp.example.tld/cas/login, prefixUrl=https://idp.example.tld/cas/, restUrl=https://idp.example.tld/cas/v1/tickets, timeTolerance=1000, protocol=CAS30, renew=false, gateway=false, acceptAnyProxy=false, allowedProxyChains=[], defaultTicketValidator=null, proxyReceptor=null, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, postLogoutUrlParameter=service, customParams={}, method=null, privateKeyPath=null, privateKeyAlgorithm=null, privateKey=null, hostnameVerifier=null, sslSocketFactory=null))]
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get sessionId: 0D8A24DA3779DDC589CC82A00D7121ED
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.CacheControlMatcher@62ab3f9d -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XContentTypeOptionsMatcher@ba6fb34 -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: StrictTransportSecurityMatcher(maxAge=15768000) -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XFrameOptionsMatcher@57ab0e5b -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XSSProtectionMatcher@2471fb38 -> true
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: 93cdd09ba2c74a3d9235b3c71fb3e8dd for key: pac4jCsrfToken
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator] - previous CSRF token: 93cdd09ba2c74a3d9235b3c71fb3e8dd
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jPreviousCsrfToken for value: 93cdd09ba2c74a3d9235b3c71fb3e8dd
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator] - generated CSRF token: 2af42c4e87984404bcc144ac7034dbc3 for current URL:https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jCsrfToken for value: 2af42c4e87984404bcc144ac7034dbc3
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jCsrfTokenExpirationDate for value: 1711467929514
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: CsrfTokenGeneratorMatcher(csrfTokenGenerator=org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator@690fdeb, domain=null, path=/, httpOnly=true, secure=true, maxAge=null, sameSitePolicy=null, addTokenAsAttribute=true, addTokenAsHeader=false, addTokenAsCookie=true) -> true
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: null for key: pac4jUserProfiles
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Loaded profiles (from session: true): []
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Starting authentication
2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.savedrequest.DefaultSavedRequestHandler] - requestedUrl:https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jRequestedUrl for value:https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: null for key: CasClient$attemptedAuthentication
2024-03-26 12:45:29,515 DEBUG [org.pac4j.cas.redirect.CasRedirectionActionBuilder] - redirectionUrl:https://idp.example.tld/cas/login?service=https%3A%2F%2Fidp.example.tld%2Fcas-management%2Fcallback%3Fclient_name%3DCasClient
2024-03-26 12:45:29,515 DEBUG [org.springframework.web.servlet.DispatcherServlet] - Completed 302 FOUND

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0fced61064f59c6df75151e4b0f6d25e469e590c.camel%40uvic.ca.
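The back-channel step the whole thread turns on (the management app validating the ST against serviceValidate, and whether a TLS trust failure is why no such request ever reaches the CAS server) can be reproduced outside the JVM. This is an added example, not code from the thread, CAS or pac4j; it assumes the CAS 3.0 `/p3/serviceValidate` endpoint under the `prefixUrl` shown in the pac4j dump, and the two XML responses are constructed samples.

```python
"""Back-channel CAS 3.0 ticket validation, as the management app performs it
on /callback?ticket=ST-...: call <prefix>/p3/serviceValidate, read the XML."""
import ssl
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def build_validate_url(prefix: str, service: str, ticket: str) -> str:
    """'service' must match the callback URL exactly, else CAS answers INVALID_SERVICE."""
    query = urllib.parse.urlencode({"service": service, "ticket": ticket})
    return f"{prefix.rstrip('/')}/p3/serviceValidate?{query}"


def parse_validation_response(body: str) -> dict:
    """Reduce a cas:serviceResponse document to a small result dict."""
    root = ET.fromstring(body)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        attrs = {c.tag.split("}", 1)[1]: c.text for c in ok.findall("cas:attributes/*", CAS_NS)}
        return {"status": "success", "user": ok.findtext("cas:user", namespaces=CAS_NS),
                "attributes": attrs}
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is not None:
        return {"status": "failure", "code": fail.get("code"), "message": (fail.text or "").strip()}
    return {"status": "malformed", "message": "neither authenticationSuccess nor authenticationFailure"}


def validate_ticket(prefix: str, service: str, ticket: str, cafile=None, timeout=10) -> dict:
    """Live diagnostic (needs network): tells 'certificate not trusted' from 'CAS said no'."""
    ctx = ssl.create_default_context(cafile=cafile)  # strict chain + hostname checks, like the JVM
    try:
        with urllib.request.urlopen(build_validate_url(prefix, service, ticket),
                                    context=ctx, timeout=timeout) as resp:
            return parse_validation_response(resp.read().decode("utf-8"))
    except urllib.error.URLError as e:  # urllib wraps the TLS error in URLError.reason
        if isinstance(e.reason, ssl.SSLCertVerificationError):
            return {"status": "tls_untrusted", "message": str(e.reason)}
        return {"status": "transport_error", "message": str(e.reason)}


# Constructed sample responses (not captured from the server in the thread).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationSuccess>
  <cas:user>jdoe</cas:user><cas:attributes><cas:mail>jdoe@example.tld</cas:mail></cas:attributes>
</cas:authenticationSuccess></cas:serviceResponse>"""
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationFailure
  code='INVALID_SERVICE'>Ticket does not match the supplied service</cas:authenticationFailure></cas:serviceResponse>"""
```

A `tls_untrusted` result while a browser accepts the same certificate points at the keystore gap Ray describes; a `failure` code (INVALID_SERVICE, INVALID_TICKET) would instead show up as a failed validation in the CAS audit log.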