Posted to user@shiro.apache.org by Gianluca Tessarolo <gi...@gmail.com> on 2014/01/26 19:31:17 UTC

shiro-cas always redirect to error page

Hi,

I've successfully installed CAS server (Jasig) running on tomcat 7 on port
8443 (ssl support, context name: cas-server-webapp-3.5.2) and I've an
application running on the same server on a glassfish application server on
port 8080 (context name: LDAPClient1; note that LDAP is only a typo and I
don't want to access an LDAP...).

I've configured shiro.ini with the following parameters:

[main]
casFilter = org.apache.shiro.cas.CasFilter
casFilter.failureUrl = /error.xhtml
casRealm = org.apache.shiro.cas.CasRealm
casRealm.defaultRoles = ROLE_USER
casRealm.casServerUrlPrefix = https://192.168.0.200:8443/cas-server-webapp-3.5.2
casRealm.casService = http://192.168.0.200:8080/LDAPClient1/shiro-cas
casRealm.validationProtocol = SAML
casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
securityManager.subjectFactory = $casSubjectFactory
roles.loginUrl = https://192.168.0.200:8443/cas-server-webapp-3.5.2/login?service=http://192.168.0.200:8080/LDAPClient1/shiro-cas

[urls]
/shiro-cas = casFilter
/protected/** = roles[ROLE_USER]
/logout = logout
/** = anon

Cas server (jasig) is configured with default installation parameters so
it's using SimpleTestUsernamePasswordAuthenticationHandler.

When I run my app and try to access a protected resource, shiro-cas
successfully redirects me to the CAS login page. I enter the username and
password (the same as the username) and CAS always redirects me to the error
page (I don't understand why...).

I've tried to enable debug on log4j.properties and what I see is this:

Informazioni: CAS SHIRO DEMO APP 2014/01/26 19:07:00,704 DEBUG
[http-thread-pool-8080(2)]
org.jasig.cas.client.validation.Saml11TicketValidator - Placing URL
parameters in map.

Informazioni: CAS SHIRO DEMO APP 2014/01/26 19:07:00,705 DEBUG
[http-thread-pool-8080(2)]
org.jasig.cas.client.validation.Saml11TicketValidator - Calling template URL
attribute map.

Informazioni: CAS SHIRO DEMO APP 2014/01/26 19:07:00,705 DEBUG
[http-thread-pool-8080(2)]
org.jasig.cas.client.validation.Saml11TicketValidator - Loading custom
parameters from configuration.

Informazioni: CAS SHIRO DEMO APP 2014/01/26 19:07:00,705 DEBUG
[http-thread-pool-8080(2)]
org.jasig.cas.client.validation.Saml11TicketValidator - Constructing
validation url:
https://192.168.0.200:8443/cas-server-webapp-3.5.2/samlValidate?TARGET=http%3A%2F%2F192.168.0.200%3A8080%2FLDAPClient1%2Fshiro-cas

Informazioni: CAS SHIRO DEMO APP 2014/01/26 19:07:00,705 DEBUG
[http-thread-pool-8080(2)]
org.jasig.cas.client.validation.Saml11TicketValidator - Retrieving response
from server.

Informazioni: CAS SHIRO DEMO APP 2014/01/26 19:07:00,744 DEBUG
[http-thread-pool-8080(2)] org.apache.shiro.web.servlet.SimpleCookie - Added
HttpServletResponse Cookie [rememberMe=deleteMe; Path=/LDAPClient1;
Max-Age=0; Expires=Sat, 25-Jan-2014 18:07:00 GMT]

Strangely, it sets a cookie that is already expired; the test was done on
26-Jan-2014, not 25-Jan-2014!

I can't understand what the problem is, can you help me?

Many thanks in advance...




Re: shiro-cas always redirect to error page

Posted by Gianluca Tessarolo <gi...@gmail.com>.
Hi Jérôme,

many thanks for your attention...

I've tried with the CAS protocol and I've found the problem (even if I
haven't solved it yet...).

The application running on Glassfish throws this exception as soon as CAS
returns the token:

PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target

I've followed this guide to create the certificate and I've added it into
$JAVA_HOME/jre/lib/security/cacerts but Glassfish throws the exception.

I've tried to run the application on a second Tomcat and it works well!

So the problem is that Glassfish doesn't see the certificate added into the
JRE cacerts, and the shiro-cas module works well!



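Added example, not part of the original thread: a small Java diagnostic for the PKIX failure described in the message above. It reports which trust store the running JVM actually consults (a GlassFish domain normally sets javax.net.ssl.trustStore to its own cacerts.jks under the domain's config directory, so a certificate imported into the JRE's cacerts is never read) and can optionally attempt a TLS handshake. The class name TrustStoreCheck and the host/port arguments are assumptions made for illustration.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical diagnostic class: run it with the container's JVM options,
// or call these methods from inside the deployed application.
public class TrustStoreCheck {
    // Resolve the trust store the way JSSE does: the javax.net.ssl.trustStore
    // system property wins; otherwise jssecacerts, then cacerts, under java.home.
    static File effectiveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null && !prop.isEmpty()) return new File(prop);
        File sec = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(sec, "jssecacerts");
        return jsse.exists() ? jsse : new File(sec, "cacerts");
    }

    // Load the store (a null password skips the integrity check) and count entries.
    static int countEntries(File store) throws Exception {
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(store)) {
            ks.load(in, pw == null ? null : pw.toCharArray());
        }
        return ks.size();
    }

    // Handshake with the JVM's default trust managers; this is the step that
    // fails with "PKIX path building failed" when the issuer is not in the store.
    static String handshake(String host, int port) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            return "trusted: " + socket.getSession().getPeerPrincipal();
        } catch (SSLHandshakeException e) {
            return "NOT trusted: " + e.getMessage();
        }
    }
    public static void main(String[] args) throws Exception {
        File store = effectiveTrustStore();
        System.out.println("trust store: " + store.getAbsolutePath());
        System.out.println("entries:     " + countEntries(store));
        // Optional arguments: CAS host and TLS port.
        if (args.length == 2) System.out.println(handshake(args[0], Integer.parseInt(args[1])));
    }
}
```

If the reported path is not the file the certificate was imported into, the import has to be repeated against the reported store (keytool -importcert with -keystore set to that path) and the server restarted.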

Re: shiro-cas always redirect to error page

Posted by jleleu <le...@gmail.com>.
Hi,

I don't see anything wrong in your configuration. I would expect more logs
from the CAS client though. Any other log somewhere else...

First question: does it work with the CAS 2.0 protocol validation response?
(/serviceValidate url)

Best regards,
Jérôme



