Posted to user@roller.apache.org by doahh <ga...@prodia.co.uk> on 2008/05/13 22:51:32 UTC

Roller and CAS

I am trying to get Roller working with CAS and MySQL without using LDAP. I am
pretty sure that I have CAS set up correctly as in my log files I can see:

<AuthenticationHandler:
org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler
successfully authenticated the user which provided the following
credentials: gavin>

but when I am returned to Roller I find myself back at the login page with a
message:

Wrong username and password combination

I have found this post
http://www.nabble.com/Roller%2BCAS%2BLDAP%3A-Wrong-username-and-password-combination-td13625901s12275.html#a13625901
but have not been able to find anything else on this except
a possibility that the SSL certificate is installed incorrectly. Someone
mentioned that the error the incorrect SSL certificate throws is never shown
in the logs and so I have no way of knowing if that is my problem.

If anyone has any ideas they would be much appreciated.
-- 
View this message in context: http://www.nabble.com/Roller-and-CAS-tp17218081s12275p17218081.html
Sent from the Roller - User mailing list archive at Nabble.com.


Re: Roller and CAS

Posted by doahh <ga...@prodia.co.uk>.
Hi Jens and thanks for the reply,

I tried your suggestion but it didn't seem to make any difference. From your
comment, if your problem is the same as mine then I guess I can scratch off
chasing the SSL certificate as the problem and start looking for Roller
configuration problems.
-- 
View this message in context: http://www.nabble.com/Roller-ignores-successful-CAS-authentication-tp17218081s12275p17219388.html


Re: Roller and CAS

Posted by Jens Greive <je...@googlemail.com>.
Hi,

right now I am not 100% sure that this is the solution but I was
struggling with the same problem and adding the following to the
custom property file solved it, if I remember correctly:

users.sso.enabled=true


Cheers,
  Jens




On 13.05.2008 at 22:51, doahh wrote:

>
> I am trying to get Roller working with CAS and MySQL without using  
> LDAP. I am
> pretty sure that I have CAS set up correctly as in my log files I  
> can see:
>
> <AuthenticationHandler:
> org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler
> successfully authenticated the user which provided the following
> credentials: gavin>
>
> but when I am returned to Roller I find myself back at the login  
> page with a
> message:
>
> Wrong username and password combination
>
> I have found this post
> http://www.nabble.com/Roller%2BCAS%2BLDAP%3A-Wrong-username-and-password-combination-td13625901s12275.html#a13625901
> but have not been able to find anything else on
> this except
> a possibility that the SSL certificate is installed incorrectly.  
> Someone
> mentioned that the error the incorrect SSL certificate throws is  
> never shown
> in the logs and so I have no way of knowing if that is my problem.
>
> If anyone has any ideas they would be much appreciated.
> -- 
> View this message in context: http://www.nabble.com/Roller-and-CAS-tp17218081s12275p17218081.html
> Sent from the Roller - User mailing list archive at Nabble.com.
>


Re: SOLVED: Re: Roller and CAS integration & also bad credentials error

Posted by doahh <ga...@prodia.co.uk>.
I think I have found the answer to the bad credentials error that gets
thrown. I asked about it here
http://www.nabble.com/_cas_stateful_-gets-passed-to-me-as-a-username-from-Acegi---throws-exception-td17428160.html#a17442234
and got a reply.

To save you going there, in your acegi-security.xml find the
"casProxyTicketValidator" bean definition and comment out the
"proxyCallbackUrl". I haven't tested it much but it seems to work OK. The Acegi
documentation under 'How CAS works', point 9
(http://www.acegisecurity.org/guide/springsecurity.html#introduction) says that:

The CasProxyTicketValidator may also include a proxy callback URL

and so it looks like that property is optional for more in depth
configurations. I have no idea what it really does though.



-- 
View this message in context: http://www.nabble.com/Roller-ignores-successful-CAS-authentication-tp17218081s12275p17442313.html


Re: Roller and CAS

Posted by doahh <ga...@prodia.co.uk>.
Looks like I was served a double whammy there and just got lucky in hitting
the correct combination over time. Not only was Acegi using the wrong
TrustStore but it turns out that the JRockit JVM is also causing a problem.
Whenever I am using JRockit, Roller redirects me back to the login page -
that's with a new clean download and install of JRockit
(R27.5.0-jdk1.6.0_03). As soon as I switch to Sun's 1.6.0_03 it works.

This is a bit of a shame for me as I was using JRockit to get around the
Tomcat Permgen error that occurs on every 3-4 deploy.
-- 
View this message in context: http://www.nabble.com/Roller-ignores-successful-CAS-authentication-tp17218081s12275p17273424.html


Re: SOLVED: Re: Roller and CAS

Posted by Phillip Rhodes <mi...@cpphacker.co.uk>.
doahh wrote:
> I am seeing a new error in the log file:
> 
> org.jasig.cas.ticket.TicketCreationException:
> error.authentication.credentials.bad
> 
> Caused by: error.authentication.credentials.bad
>         at
> org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
>         at
> org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:113)
>         at
> org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:265)
>         ... 26 more
> 
> but that would be a different matter.

I always get that as well. I've never been completely clear on why, but 
it doesn't seem to affect anything as far as functionality. I've always 
thought it had something to do with the initial login of the "anonymous" 
user by Acegi, but don't hold me to that.

Anyway, congrats on getting things working. :-)


TTYL,


-- 
Phillip Rhodes
Chief Architect - OpenQabal
https://openqabal.dev.java.net
LinkedIn: http://www.linkedin.com/in/philliprhodes

SOLVED: Re: Roller and CAS

Posted by doahh <ga...@prodia.co.uk>.
wow, amazing - that was it. Roller must have been looking at some internal,
or possibly non-existent, truststore by default and not using the one made
through the link you posted earlier
(http://blogs.sun.com/andreas/entry/no_more_unable_to_find). I can now log in as my user and am taken to the 'Create
a blog' page in Roller which is where I would expect to be taken at this
stage.

I am seeing a new error in the log file:

org.jasig.cas.ticket.TicketCreationException:
error.authentication.credentials.bad

Caused by: error.authentication.credentials.bad
        at
org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
        at
org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:113)
        at
org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:265)
        ... 26 more

but that would be a different matter.

A thousand thanks for your and other posters' continued help through this
thread. I am not sure I would have found it without the additional comments
which made me look into the truststores and SSL generation in more depth.


-- 
View this message in context: http://www.nabble.com/Roller-ignores-successful-CAS-authentication-tp17218081s12275p17260639.html


Re: Roller and CAS

Posted by Phillip Rhodes <mi...@cpphacker.co.uk>.
doahh wrote:

> CAS is set to use the Roller database and the users were in there before I
> tried to use CAS. I set the password field in the Roller database to be
> 'tester' in plain text (no encryption). CAS seems happy but now I look in
> Roller's security.xml file I find:
> 
> <bean id="casAuthenticationProvider"
> class="org.acegisecurity.providers.cas.CasAuthenticationProvider">
>     <property name="key" value="rollerlovesacegi"/>
> </bean>
> 
> That would seem to be telling CAS that the password field is encrypted with
> the given key of 'rollerlovesacegi'. My use of a plain text password may be
> causing problems even though CAS seems happy. I wonder how CAS is told which
> encryption algorithm is used.

I don't think that will affect anything, at least as far as the Roller 
password field is concerned.  CAS shouldn't even be looking at that, 
unless you have explicitly defined the CAS configuration that way.  If 
so, I guess there could be an issue.  To be completely honest, I'm not
exactly sure what the particular property is used for.  But FWIW, my
configuration also has that line in it.  But my CAS configuration pulls
authentication info from a completely separate source and the password
field in the Roller table is completely ignored.

> <bean id="casProxyTicketValidator"
> class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
>     <property name="trustStore"
> value="/Library/Java/Home/lib/security/cacerts"/>
> </bean>
> 
> and that makes me wonder if I added my certificate to the correct
> trustStore. I wonder where '/Library/Java/Home/lib/security/cacerts' is?
> 

I don't remember doing it, but I have that "trustStore" property 
commented out. You might try taking it out and see what happens.


TTYL,



Re: Roller and CAS

Posted by doahh <ga...@prodia.co.uk>.
Sorry for the second message but I have made some significant edits to my
previous comment:

I have tried the CN name as both localhost and also as the machine name
(eggbert) without success. 

CAS is set to use the Roller database and the users were in there before I
tried to use CAS. I set the password field in the Roller database to be
'tester' in plain text (no encryption). CAS seems happy but now I look in
Roller's security.xml file I find:

<bean id="casAuthenticationProvider"
class="org.acegisecurity.providers.cas.CasAuthenticationProvider">
    <property name="key" value="rollerlovesacegi"/>
</bean>

That would seem to be telling CAS that the password field is encrypted with
the given key of 'rollerlovesacegi'. My use of a plain text password may be
causing problems even though CAS seems happy. I wonder how CAS is told which
encryption algorithm is used.

I can also see in security.xml:

<bean id="casProxyTicketValidator"
class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
    <property name="trustStore"
value="/Library/Java/Home/lib/security/cacerts"/>
</bean>

and that makes me wonder if I added my certificate to the correct
trustStore. I wonder where '/Library/Java/Home/lib/security/cacerts' is?

-- 
View this message in context: http://www.nabble.com/Roller-ignores-successful-CAS-authentication-tp17218081s12275p17259789.html


Re: Roller and CAS

Posted by doahh <ga...@prodia.co.uk>.
Thanks again for your answer, I think at this point I am almost completely
stuck.

I have tried the CN name as both localhost and also as the machine name
(eggbert) without success. 

CAS is set to use the Roller database and the users were in there before I
tried to use CAS. I set the password field in the Roller database to be
'tester' in plain text (no encryption). CAS seems OK with that but maybe
there is some oddity where Roller still looks at the password field, thinks
it is still in encrypted format and so prevents access. Do you know how I
can tell CAS that the field in the database is encrypted?
-- 
View this message in context: http://www.nabble.com/Roller-ignores-successful-CAS-authentication-tp17218081s12275p17259528.html


Re: Roller and CAS

Posted by Phillip Rhodes <mi...@cpphacker.co.uk>.
doahh wrote:
> I should have mentioned that I am using a self signed certificate but as
> Philip says there is no error message even in debug mode. 
> 
> The problem still persists which could mean I am doing something wrong in
> the above certificate generation sequence.

Hmmm.  The only other problem I remember seeing related to this, is 
something to do with the CN of the certificate not matching the
hostname.

Outside of that, I think you'll also get the generic
"bad username/password" message from Roller, even after successful
CAS authentication, if the given username doesn't exist in the
Roller table that stores users.  You might want to double
check that point if you haven't already.


TTYL,


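The point Phillip makes above, that CAS saying "yes" is only half of a login, is easy to lose behind Roller's single generic error string. The following is an added example, not Roller's, Acegi's or CAS's own code: it parses a CAS 2.0 /serviceValidate reply, then does the local step that Roller performs afterwards (look the CAS principal up in the application's own user table). The XML bodies, the user table and the reason strings are constructed for the example; the `cas:` namespace and element names are the real CAS 2.0 ones. It also treats the `cas:proxyGrantingTicket` element as optional, which is what a client needs if the proxy callback on the CAS side fails while the login itself succeeds.

```python
"""Added example (not Roller's, Acegi's or CAS's own code): what a CAS client
does after CAS has already said 'yes', and why the local step can still fail.

A CAS service ticket is sent to the CAS server's /serviceValidate endpoint;
the XML reply is parsed here, and the principal is then looked up in the
application's own user table. Roller's generic 'Wrong username and password
combination' covers three different internal outcomes, which the return
value keeps apart. The XML bodies and the user table are constructed samples.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CAS_NS = "http://www.yale.edu/tp/cas"          # namespace used by CAS 2.0 responses
GENERIC_ERROR = "Wrong username and password combination"

# --- constructed sample responses in the CAS 2.0 serviceValidate format ---
SAMPLE_SUCCESS_WITH_PGT = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>gavin</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d2sfa23casd</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Same login, but the server could not complete the proxy callback (pgtUrl),
# so no proxyGrantingTicket element is present; the login itself succeeded.
SAMPLE_SUCCESS_NO_PGT = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>gavin</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    ticket 'ST-1-abc' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


@dataclass
class ValidationResult:
    ok: bool
    user: Optional[str] = None       # principal CAS authenticated
    pgt_iou: Optional[str] = None    # present only if the proxy callback worked
    code: Optional[str] = None       # failure code, e.g. INVALID_TICKET
    message: Optional[str] = None


def parse_service_validate(body: str) -> ValidationResult:
    """Parse a /serviceValidate reply. Raises ValueError on anything else."""
    root = ET.fromstring(body)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is not None:
        user = success.findtext(f"{{{CAS_NS}}}user")
        if not user:
            raise ValueError("authenticationSuccess without cas:user")
        return ValidationResult(True, user=user,
                                pgt_iou=success.findtext(f"{{{CAS_NS}}}proxyGrantingTicket"))
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    if failure is not None:
        return ValidationResult(False, code=failure.get("code"),
                                message=(failure.text or "").strip())
    raise ValueError("not a CAS serviceValidate response")


# Constructed stand-in for the application's user table: username -> enabled.
LOCAL_USERS: Dict[str, bool] = {"gavin": True, "olduser": False}


def login_with_cas(body: str, local_users: Dict[str, bool] = LOCAL_USERS
                   ) -> Tuple[Optional[str], Optional[str], str]:
    """Return (session_user, user_facing_message, internal_reason).

    The user-facing text is deliberately the same generic string for every
    failure (no account enumeration); the internal reason is what belongs
    in the server log, because it is the only thing that tells a CAS-side
    failure from a missing local account.
    """
    result = parse_service_validate(body)
    if not result.ok:
        return None, GENERIC_ERROR, f"CAS rejected the ticket: {result.code}"
    if result.user not in local_users:
        return None, GENERIC_ERROR, f"CAS principal {result.user!r} has no local account"
    if not local_users[result.user]:
        return None, GENERIC_ERROR, f"local account {result.user!r} is disabled"
    return result.user, None, "ok"


if __name__ == "__main__":
    for label, body in [("valid ticket, known user", SAMPLE_SUCCESS_NO_PGT),
                        ("valid ticket, unknown user", SAMPLE_SUCCESS_NO_PGT.replace("gavin", "nobody")),
                        ("invalid ticket", SAMPLE_FAILURE)]:
        user, shown, reason = login_with_cas(body)
        print(f"{label:28s} user={user!r:9s} shown={shown!r} log={reason}")
```

Running it prints the same "shown" string for the unknown-user and invalid-ticket rows and a different "log" reason for each, which is the split a practitioner needs when the browser only ever shows the generic message.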

Re: Roller and CAS

Posted by doahh <ga...@prodia.co.uk>.
I should have mentioned that I am using a self signed certificate but as
Philip says there is no error message even in debug mode. 

My understanding of the process so far is:

1) Generate the SSL certificate using keytool which is entered into my
keystore at /home/gavin/.keystore
2) I then fire up the app ImportSSLCert provided here
(http://blogs.sun.com/andreas/entry/no_more_unable_to_find),
which connects to Tomcat, downloads the certificate from the
/home/gavin/.keystore file and adds it to a new file called jssecacerts in
the same directory as the ImportSSLCerts class.
3) The file jssecacerts is then copied to the JAVA_HOME/jre/lib/security
folder where everything should be ready to go.

From here when Tomcat fires up I think this is what is happening:

1) Tomcat loads the key from my keystore at /home/gavin/.keystore
2) At some point the jsse libraries need to authenticate against the
provided key (that Tomcat reads in) and uses the jssecacerts file which
should contain the certificate.
3) If that was successful then everything would be OK.

The problem still persists which could mean I am doing something wrong in
the above certificate generation sequence.
-- 
View this message in context: http://www.nabble.com/Roller-ignores-successful-CAS-authentication-tp17218081s12275p17250401.html
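The procedure above, the `trustStore` property in Roller's security.xml discussed further up, and the eventual fix all turn on one question: which truststore file does the JVM running Roller actually open? The script below is an added example, not code from the thread, from Roller or from Acegi. Its first function reproduces the lookup order JSSE documents (the `javax.net.ssl.trustStore` system property first, then `<java-home>/lib/security/jssecacerts` if present, then `cacerts`); that Acegi's `CasProxyTicketValidator` sets exactly that system property from its `trustStore` property is my reading of the Acegi source and is marked as an assumption in the code. The remaining functions are the keytool steps for a self-signed certificate with the real host name in the CN, exported and imported into the file that lookup returns. The host name `eggbert`, the alias `tomcat`, the password `changeit` and the temporary JDK layout are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Roller/Acegi. Reproduces
# the truststore lookup JSSE performs, then the keytool steps for a
# self-signed certificate whose CN is the real host name.
set -eu

# JSSE chooses its truststore in this order (JSSE Reference Guide):
#   1. the file named by the javax.net.ssl.trustStore system property
#      (Acegi's CasProxyTicketValidator 'trustStore' property sets exactly
#      this system property; assumption from reading the Acegi source)
#   2. <java-home>/lib/security/jssecacerts, if it exists
#   3. <java-home>/lib/security/cacerts
# where <java-home> is the JRE directory ($JAVA_HOME/jre inside a JDK).
effective_truststore() {
    java_home="$1"           # JRE or JDK directory the container runs on
    override="${2:-}"        # javax.net.ssl.trustStore, empty if unset
    if [ -n "$override" ]; then
        printf '%s\n' "$override"
        return 0
    fi
    sec="$java_home/lib/security"
    if [ -d "$java_home/jre/lib/security" ]; then
        sec="$java_home/jre/lib/security"
    fi
    if [ -f "$sec/jssecacerts" ]; then
        printf '%s\n' "$sec/jssecacerts"
    else
        printf '%s\n' "$sec/cacerts"
    fi
}

# Self-signed certificate for the CAS/Tomcat host. The CN must be the name
# the Roller JVM will put in the https URL (host name 'eggbert' and alias
# 'tomcat' are assumptions). -ext san=... needs keytool from Java 7 or
# later; drop it on Java 6, where only the CN is checked.
make_selfsigned_cert() {
    host="$1"; keystore="$2"; storepass="$3"
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$host, OU=Roller, O=Example" \
        -ext "san=dns:$host" \
        -keystore "$keystore" -storepass "$storepass" -keypass "$storepass"
    keytool -export -alias tomcat -file "$host.cer" \
        -keystore "$keystore" -storepass "$storepass"
}

# Import the exported certificate into the file the JVM will actually read.
# Re-importing under an alias that already exists fails, so delete it first
# (the point Jens made in the thread). Default password of cacerts: changeit.
trust_cert() {
    truststore="$1"; certfile="$2"; alias="$3"
    keytool -delete -alias "$alias" -keystore "$truststore" \
        -storepass changeit >/dev/null 2>&1 || true
    keytool -import -noprompt -trustcacerts -alias "$alias" -file "$certfile" \
        -keystore "$truststore" -storepass changeit
    keytool -list -keystore "$truststore" -storepass changeit | grep -i "$alias"
}

# Demo with a constructed JDK layout: shows which file each configuration
# would hit. The first answer is the one the thread's security.xml forced.
demo_lookup() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/jre/lib/security"
    touch "$tmp/jre/lib/security/cacerts"
    echo "security.xml trustStore set:   $(effective_truststore "$tmp" /Library/Java/Home/lib/security/cacerts)"
    echo "no override, no jssecacerts:   $(effective_truststore "$tmp")"
    touch "$tmp/jre/lib/security/jssecacerts"
    echo "no override, with jssecacerts: $(effective_truststore "$tmp")"
    rm -rf "$tmp"
}

demo_lookup
if [ "${1:-}" = "gen" ]; then     # usage: ./truststore.sh gen <host> <JAVA_HOME>
    make_selfsigned_cert "$2" "$HOME/.keystore" changeit
    trust_cert "$(effective_truststore "$3")" "$2.cer" "$2"
fi
```

With no arguments the script only prints the three lookup answers; `gen eggbert /path/to/jdk` runs the keytool steps against the file the JVM will really read instead of against a copy in a directory the JVM never consults. A `/Library/Java/Home/...` path in security.xml is a macOS JDK location, so on a Linux host it overrides the lookup with a file that does not exist there.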


Re: Roller and CAS

Posted by Phillip Rhodes <mi...@cpphacker.co.uk>.
Fernando Soares wrote:
> I have a working solution with Roller 4.0 and CAS and really the worst 
> part was the SSL config.
> I'm using Glassfish in both deployments, so I can only help with that 
> container, but I don't think that copying the SSL certificate works in any 
> Java container.

 From what I saw, the SSL certificate issue (at least the one I'm 
thinking about) is only really a problem if you're using a self-signed
certificate.  When using a self-signed one, JSSE blows up deep in the
guts of some of the CAS code (I forget if it was CAS server or CAS 
client though) when trying to validate the login token, because the
certificate root isn't trusted by JSSE.


> If you have the level debug in roller you can check for a message (it's 
> hard to find) about the missing CA in the server.
> You have to put the certificate you generate for CAS in the CA storage 
> of the cantainer instance you are using for Roller.

FWIW, back when I ran into this problem, it was never logged at all, not 
even in debug mode.  I only ever found out what was happening by 
single-stepping through the code using the Eclipse debugger.
That is, if the OP is having the same problem I was having.


TTYL,



Re: Roller and CAS

Posted by Fernando Soares <fs...@iol.pt>.
I have a working solution with Roller 4.0 and CAS and really the worst
part was the SSL config.
I'm using Glassfish in both deployments, so I can only help with that
container, but I don't think that copying the SSL certificate works in any
Java container.
If you have the debug level in Roller you can check for a message (it's
hard to find) about the missing CA in the server.
You have to put the certificate you generate for CAS in the CA storage
of the container instance you are using for Roller.


doahh wrote:
> Thanks for the link Philip, I didn't have any luck with it after copying the
> generated certificate to the java security directory. I have also tried
> following the instructions that I found here
> (http://www.ja-sig.org/products/cas/server/ssl/index.html) but again I didn't get any further.
>   


-- 
fs@iol.pt
Media Capital Telecomunicações

“Failure is not an option: 
it comes with the software!”



Re: Roller and CAS

Posted by doahh <ga...@prodia.co.uk>.
Thanks for the link Philip, I didn't have any luck with it after copying the
generated certificate to the java security directory. I have also tried
following the instructions that I found here
(http://www.ja-sig.org/products/cas/server/ssl/index.html) but again I didn't get any further.
-- 
View this message in context: http://www.nabble.com/Roller-ignores-successful-CAS-authentication-tp17218081s12275p17226730.html


Re: Roller and CAS

Posted by Jens Greive <je...@googlemail.com>.
Hi,

during the process of generating the certificate you are asked for  
your name. Try putting the name of the host there. For example  
'localhost'. Sounds a little strange but I am pretty sure that this is  
the problem then.
You have to remove your old certificate from the store before  
installing a new one with the same alias of course.

Jens




On 14.05.2008 at 00:30, Phillip Rhodes wrote:

> doahh wrote:
>> I have found this post
>> http://www.nabble.com/Roller%2BCAS%2BLDAP%3A-Wrong-username-and-password-combination-td13625901s12275.html#a13625901
>> but have not been able to find anything else on
>> this except
>> a possibility that the SSL certificate is installed incorrectly.  
>> Someone
>> mentioned that the error the incorrect SSL certificate throws is  
>> never shown
>> in the logs and so I have no way of knowing if that is my problem.
>
> Are you using a self-signed certificate? If you are, I can almost  
> guarantee you that at least part of the problem is the dreaded
> "unable to find valid certification path" error that I was talking  
> about before.
>
> Browse to this page:
>
> <http://blogs.sun.com/andreas/entry/no_more_unable_to_find>
>
> and follow the steps there to make JSSE aware of
> your certificate if you are using a self-signed certificate.  Then try
> things again.
>
> If you're using a certificate from Verisign or somebody, I'm not  
> sure what to tell you offhand.
>
>
> TTYL,
>
>
> -- 
> Phillip Rhodes
> Chief Architect - OpenQabal
> https://openqabal.dev.java.net
> LinkedIn: http://www.linkedin.com/in/philliprhodes


Re: Roller and CAS

Posted by Phillip Rhodes <mi...@cpphacker.co.uk>.
doahh wrote:
> 
> I have found this post
> http://www.nabble.com/Roller%2BCAS%2BLDAP%3A-Wrong-username-and-password-combination-td13625901s12275.html#a13625901
> but have not been able to find anything else on this except
> a possibility that the SSL certificate is installed incorrectly. Someone
> mentioned that the error the incorrect SSL certificate throws is never shown
> in the logs and so I have no way of knowing if that is my problem.
> 

Are you using a self-signed certificate? If you are, I can almost 
guarantee you that at least part of the problem is the dreaded
"unable to find valid certification path" error that I was talking about 
before.

Browse to this page:

<http://blogs.sun.com/andreas/entry/no_more_unable_to_find>

and follow the steps there to make JSSE aware of
your certificate if you are using a self-signed certificate.  Then try
things again.

If you're using a certificate from Verisign or somebody, I'm not sure 
what to tell you offhand.


TTYL,



Re: Roller ignores successful CAS authentication

Posted by Martin Homik <mh...@dfki.de>.
I've been following the discussion of this thread (and others as well) and I
ran into the same problems. Today I gave it another shot and tried the
following tutorial:
http://www.ja-sig.org/wiki/display/CASUM/Demo

It suffices to go through the tutorial until step 9. Read "Beginner Issues". 

Things that I did differently this time are:

- created a self-signed certificate with keytool; instead of using
'localhost' as full name, use your host name.
- in the configuration files I replaced 'localhost' by my host name.
- deleted all my jdks/jres from my system and installed just one(!) latest
Java SE 6

That worked. I was able to continue with Matt's SSO tutorial.
-- 
View this message in context: http://www.nabble.com/Roller-ignores-successful-CAS-authentication-tp17218081s12275p17487558.html