I tried it, but I get nothing more in the logs. Maybe it's due to the fact that I'm 
not using the integrated Tomcat but the Debian one? Maybe my problem is 
due to something other than CAS-related parameters. Maybe something 
related to the authorization process? I can't find complete 
documentation of the parameters accepted (and maybe required?) by the CAS 
management app, even less for version 7. Do you know where I can find 
it?

My configuration today:

cas.server.name=https://idp.example.tld
cas.server.prefix=${cas.server.name}/cas

mgmt.server-name=https://idp.example.tld
mgmt.user-properties-file=file:/etc/cas/config/users.json

logging.config=file:/etc/cas/config/log4j2-management.xml

spring.security.user.name=myuser
spring.security.user.password=mypassword

And my /etc/cas/config/users.json file:

{
  "brenard" : {
    "@class" : "org.apereo.cas.mgmt.authz.json.UserAuthorizationDefinition",
    "roles" : [ "ROLE_ADMIN" ]
  }
}

Note: brenard is my CAS username.
On Wednesday, March 27, 2024 at 15:13:49 UTC+1, Ray Bon wrote:

> Benjamin,
>
> Try this logger (in both cas and cas management). Note
>
> <!-- DEBUG outbound and inbound headers and response as it is sent -->
> <Logger name="org.apache.http.wire" level="debug" />
>
> Ray
>
> On Wed, 2024-03-27 at 02:13 -0700, Benjamin Renard wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information.
>
> Hi Ray,
>
> Thanks for your reply. Yes, I first thought like you, but I have no error 
> in the logs and I use a valid SSL certificate. Just to be sure, I tried to add 
> it to the keystore files (/etc/cas/thekeystore & 
> $JAVA_HOME/lib/security/cacerts) and I still have the same problem. The 
> keystore file (and its password) is correctly specified in my Tomcat AJP 
> connector configuration. Furthermore, I can't see any trace of a request on the
> *serviceValidate* CAS server endpoint (I only have traces on the *login* 
> endpoint).
>
>
> Do you have any other ideas about what could cause this problem or how to 
> debug it?
>
> Thanks !
> On Tuesday, March 26, 2024 at 19:40:57 UTC+1, Ray Bon wrote:
>
> Benjamin,
>
> The behaviour you describe happens when the service ticket cannot be 
> validated.
> cas management submits the ST to cas through a back channel over https.
> If there is nothing in the cas audit log about validation / failed validation 
> (which would give a reason for failure), it could be a certificate problem.
>
> Do you have a proper/valid certificate for idp.example.tld (i.e. cert 
> signed by an authority)?
>
> If not, you may have to add it to the java keystore (assuming you have 
> already added it to tomcat config).
>
> Ray
>
> On Tue, 2024-03-26 at 05:02 -0700, Benjamin Renard wrote:
>
>
>
> Hello,
>
> I'm trying to install a CAS server (v7) on a Debian 12 host. I'm using 
> Debian's tomcat10 package, Apache2 as a reverse proxy (AJP), the Oracle JDK 
> 21.0.2 and a CAS Initializr overlay to build the cas.war file. My CAS 
> server runs well, but I have a problem with the authentication of the 
> management app. I use a CAS Initializr overlay for CAS management 
> 7.0.0-SNAPSHOT and I have no problem building the war and deploying it in the 
> same context. I configured the CAS client in the management app:
>
> cas.server.name=https://idp.example.tld
> cas.server.prefix=${cas.server.name}/cas
>
> When I try to access the management app, I enter a loop: I'm 
> redirected to the CAS server, which authenticates me and redirects me to the 
> management app on its callback URL with a ticket (
> https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-53-oxTcezruW9p3hhw5YBRWDXF4HUk-cas1-preprod)
> and I'm redirected again to the CAS server for authentication, which redirects 
> me back with a new ticket, and so on.
>
> I have no error in the logs; I tried to enable debugging and I can't find 
> any indication about my problem (see logs below). Do you have any idea?
>
> Furthermore, is it a good idea in your opinion to run CAS server & management apps 
> version 7 in production, or do I have to use version 6?
>
> Thanks !
>
> 2024-03-26 12:45:29,508 DEBUG [org.springframework.security.web.FilterChainProxy] - Securing GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
> 2024-03-26 12:45:29,508 DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] - Request: filter invocation [GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod]; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
> 2024-03-26 12:45:29,509 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - Set SecurityContextHolder to anonymous SecurityContext
> 2024-03-26 12:45:29,509 DEBUG [org.springframework.security.web.FilterChainProxy] - Secured GET /callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
> 2024-03-26 12:45:29,510 DEBUG [org.springframework.web.servlet.DispatcherServlet] - GET "/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod", parameters={masked}
> 2024-03-26 12:45:29,512 DEBUG [org.springframework.web.servlet.handler.SimpleUrlHandlerMapping] - Mapped to ResourceHttpRequestHandler [classpath [dist/], classpath [static/]]
> 2024-03-26 12:45:29,512 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - === SECURITY ===
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - url: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - clients: null | matchers: null
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Provided clientNames: null
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Default security clients: null
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - Only client: CasClient
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - clientNameOnRequest: Optional.empty
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.Clients] - Found client: CasClient(super=IndirectClient(super=BaseClient(name=CasClient, authorizationGenerators=[org.apereo.cas.mgmt.authz.json.JsonResourceAuthorizationGenerator@3a1a130f, org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@693918b7], credentialsExtractor=org.pac4j.cas.credentials.extractor.CasCredentialsExtractor@463e523, authenticator=InitializableObject(initialized=false, maxAttempts=3, nbAttempts=0, lastAttempt=null, minTimeIntervalBetweenAttemptsInMilliseconds=5000), profileCreator=org.pac4j.core.profile.creator.AuthenticatorProfileCreator@356f4a7b, customProperties={}, profileFactoryWhenNotAuthenticated=null, multiProfile=false, saveProfileInSession=true, config=org.pac4j.core.config.Config@3236bd7d), callbackUrl=https://idp.example.tld/cas-management/callback, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, callbackUrlResolver=org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@4a2a083e, ajaxRequestResolver=org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f402824, redirectionActionBuilder=org.pac4j.cas.redirect.CasRedirectionActionBuilder@31d3b75f, logoutProcessor=org.pac4j.cas.logout.processor.CasLogoutProcessor@5083e21e, logoutActionBuilder=CasLogoutActionBuilder(serverLogoutUrl=https://idp.example.tld/cas/logout, postLogoutUrlParameter=service), checkAuthenticationAttempt=true), configuration=CasConfiguration(encoding=UTF-8, loginUrl=https://idp.example.tld/cas/login, prefixUrl=https://idp.example.tld/cas/, restUrl=https://idp.example.tld/cas/v1/tickets, timeTolerance=1000, protocol=CAS30, renew=false, gateway=false, acceptAnyProxy=false, allowedProxyChains=[], defaultTicketValidator=null, proxyReceptor=null, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, postLogoutUrlParameter=service, customParams={}, method=null, privateKeyPath=null, privateKeyAlgorithm=null, privateKey=null, hostnameVerifier=null, sslSocketFactory=null)) for name: CasClient
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.client.finder.DefaultSecurityClientFinder] - result: [CasClient]
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - currentClients: [CasClient(super=IndirectClient(super=BaseClient(name=CasClient, authorizationGenerators=[org.apereo.cas.mgmt.authz.json.JsonResourceAuthorizationGenerator@3a1a130f, org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@693918b7], credentialsExtractor=org.pac4j.cas.credentials.extractor.CasCredentialsExtractor@463e523, authenticator=InitializableObject(initialized=false, maxAttempts=3, nbAttempts=0, lastAttempt=null, minTimeIntervalBetweenAttemptsInMilliseconds=5000), profileCreator=org.pac4j.core.profile.creator.AuthenticatorProfileCreator@356f4a7b, customProperties={}, profileFactoryWhenNotAuthenticated=null, multiProfile=false, saveProfileInSession=true, config=org.pac4j.core.config.Config@3236bd7d), callbackUrl=https://idp.example.tld/cas-management/callback, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, callbackUrlResolver=org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@4a2a083e, ajaxRequestResolver=org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f402824, redirectionActionBuilder=org.pac4j.cas.redirect.CasRedirectionActionBuilder@31d3b75f, logoutProcessor=org.pac4j.cas.logout.processor.CasLogoutProcessor@5083e21e, logoutActionBuilder=CasLogoutActionBuilder(serverLogoutUrl=https://idp.example.tld/cas/logout, postLogoutUrlParameter=service), checkAuthenticationAttempt=true), configuration=CasConfiguration(encoding=UTF-8, loginUrl=https://idp.example.tld/cas/login, prefixUrl=https://idp.example.tld/cas/, restUrl=https://idp.example.tld/cas/v1/tickets, timeTolerance=1000, protocol=CAS30, renew=false, gateway=false, acceptAnyProxy=false, allowedProxyChains=[], defaultTicketValidator=null, proxyReceptor=null, urlResolver=org.pac4j.core.http.url.DefaultUrlResolver@4c65ba89, postLogoutUrlParameter=service, customParams={}, method=null, privateKeyPath=null, privateKeyAlgorithm=null, privateKey=null, hostnameVerifier=null, sslSocketFactory=null))]
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get sessionId: 0D8A24DA3779DDC589CC82A00D7121ED
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.CacheControlMatcher@62ab3f9d -> true
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XContentTypeOptionsMatcher@ba6fb34 -> true
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: StrictTransportSecurityMatcher(maxAge=15768000) -> true
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XFrameOptionsMatcher@57ab0e5b -> true
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: org.pac4j.core.matching.matcher.XSSProtectionMatcher@2471fb38 -> true
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
> 2024-03-26 12:45:29,513 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: 93cdd09ba2c74a3d9235b3c71fb3e8dd for key: pac4jCsrfToken
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator] - previous CSRF token: 93cdd09ba2c74a3d9235b3c71fb3e8dd
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jPreviousCsrfToken for value: 93cdd09ba2c74a3d9235b3c71fb3e8dd
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator] - generated CSRF token: 2af42c4e87984404bcc144ac7034dbc3 for current URL: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jCsrfToken for value: 2af42c4e87984404bcc144ac7034dbc3
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jCsrfTokenExpirationDate for value: 1711467929514
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.matching.checker.DefaultMatchingChecker] - Checking matcher: CsrfTokenGeneratorMatcher(csrfTokenGenerator=org.pac4j.core.matching.matcher.csrf.DefaultCsrfTokenGenerator@690fdeb, domain=null, path=/, httpOnly=true, secure=true, maxAge=null, sameSitePolicy=null, addTokenAsAttribute=true, addTokenAsHeader=false, addTokenAsCookie=true) -> true
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: null for key: pac4jUserProfiles
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Loaded profiles (from session: true): []
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - Starting authentication
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.core.engine.savedrequest.DefaultSavedRequestHandler] - requestedUrl: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Set key: pac4jRequestedUrl for value: https://idp.example.tld/cas-management/callback?client_name=CasClient&ticket=ST-10-ipOZZ-cIopn56--P0uA0wBlejuw-cas1-preprod
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@730d8632
> 2024-03-26 12:45:29,514 DEBUG [org.pac4j.jee.context.session.JEESessionStore] - Get value: null for key: CasClient$attemptedAuthentication
> 2024-03-26 12:45:29,515 DEBUG [org.pac4j.cas.redirect.CasRedirectionActionBuilder] - redirectionUrl: https://idp.example.tld/cas/login?service=https%3A%2F%2Fidp.example.tld%2Fcas-management%2Fcallback%3Fclient_name%3DCasClient
> 2024-03-26 12:45:29,515 DEBUG [org.springframework.web.servlet.DispatcherServlet] - Completed 302 FOUND
>
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/fdda8edc-2404-47ab-a761-13cba6312a59n%40apereo.org.
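The back-channel step Ray describes (cas-management submitting the ST to CAS over HTTPS) can be reproduced outside the management app, which is the quickest way to find out whether the loop comes from a TLS failure, a service-URL mismatch, or a ticket CAS will not recognise. The script below is an added diagnostic example; it is not part of the thread, of the CAS project or of pac4j. It rebuilds the `service` value from the callback URL the way pac4j's CasClient does (the callback URL including `client_name=CasClient`, without the `ticket` parameter, which is exactly what the log shows being sent to `/cas/login?service=...`), calls the CAS 3.0 validation endpoint and parses the XML reply. Assumptions: the `/p3/serviceValidate` path (the CAS 3.0 protocol endpoint; `/serviceValidate` is the CAS 2.0 one), the `cas_prefix` value, the `mail` attribute and the two embedded sample responses are constructed for the example; the callback URL and ticket string come from Benjamin's log.

```python
"""Reproduce the CAS back-channel service-ticket validation that cas-management
performs, to debug a login/callback redirect loop.  Added example, not CAS code."""
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Namespace used by CAS 2.0/3.0 XML validation responses.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


@dataclass
class ValidationResult:
    ok: bool
    user: Optional[str] = None
    code: Optional[str] = None          # CAS failure code, e.g. INVALID_TICKET / INVALID_SERVICE
    message: Optional[str] = None
    attributes: Dict[str, List[str]] = field(default_factory=dict)


def service_from_callback(callback_url: str) -> str:
    """The 'service' presented at validation must be byte-for-byte the URL the
    client used at login (here: the callback URL with client_name=CasClient),
    minus the 'ticket' parameter CAS appended on redirect.  A mismatch makes CAS
    answer INVALID_SERVICE even though the ticket itself is fine."""
    parts = urllib.parse.urlsplit(callback_url)
    query = [(k, v) for k, v in urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
             if k != "ticket"]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def ticket_from_callback(callback_url: str) -> str:
    """Extract the ST-... value CAS appended to the callback URL."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    return qs["ticket"][0]


def build_validate_url(cas_prefix: str, service: str, ticket: str, protocol: str = "CAS30") -> str:
    """CAS30 (pac4j's setting in the log) uses /p3/serviceValidate; CAS20 uses /serviceValidate."""
    path = "/p3/serviceValidate" if protocol == "CAS30" else "/serviceValidate"
    return cas_prefix.rstrip("/") + path + "?" + urllib.parse.urlencode(
        {"service": service, "ticket": ticket})


def parse_cas_response(body: bytes) -> ValidationResult:
    """Parse a CAS serviceResponse into a ValidationResult (success or coded failure)."""
    root = ET.fromstring(body)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        attrs: Dict[str, List[str]] = {}
        attr_el = success.find("cas:attributes", CAS_NS)
        if attr_el is not None:
            for child in attr_el:                       # tag is '{ns}name'; keep only 'name'
                attrs.setdefault(child.tag.split("}", 1)[-1], []).append((child.text or "").strip())
        return ValidationResult(ok=True, user=success.findtext("cas:user", namespaces=CAS_NS),
                                attributes=attrs)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return ValidationResult(ok=False, code=failure.get("code"),
                                message=(failure.text or "").strip())
    return ValidationResult(ok=False, code="UNPARSEABLE", message="no success/failure element")


def validate_ticket(cas_prefix: str, callback_url: str, timeout: float = 10.0) -> ValidationResult:
    """Network call doing what the management app does on the back channel.  A
    certificate or hostname problem surfaces here as ssl.SSLError/URLError instead
    of as a silent redirect back to /cas/login."""
    url = build_validate_url(cas_prefix, service_from_callback(callback_url),
                             ticket_from_callback(callback_url))
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_cas_response(resp.read())


# Constructed sample responses in the CAS 3.0 format (not captured from the thread's server).
SAMPLE_SUCCESS = b"""<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>brenard</cas:user>
    <cas:attributes><cas:mail>brenard@example.tld</cas:mail></cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAILURE = b"""<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket 'ST-10-ipOZZ' not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    if len(sys.argv) == 3:      # python cas_validate.py https://idp.example.tld/cas '<callback URL with ticket>'
        print(validate_ticket(sys.argv[1], sys.argv[2]))
    else:                       # offline: show both parse paths on the constructed samples
        for sample in (SAMPLE_SUCCESS, SAMPLE_FAILURE):
            print(parse_cas_response(sample))
```

Two things to keep in mind when using it against a live server: a service ticket is single-use and short-lived, so a ticket copied from a callback URL the management app has already processed will come back `INVALID_TICKET`; capture a fresh one by requesting `/cas/login?service=...` with the callback URL as `service` and reading the `Location` header of the redirect before anything consumes it. And if the script raises an SSL error where the management app shows nothing, that points at the JVM truststore the app runs under rather than at the CAS configuration, which is the scenario Ray raised earlier in the thread.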
