Hi John,
Perhaps you can test your CAS-ification with our CAS authentification
server (https://auth.ifremer.fr). To do so, you'll have to configure
your TDS web.xml file as follow :
<filter>
<filter-name>CAS Filter</filter-name>
<filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
<param-value>https://auth.ifremer.fr/login</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
<param-value>https://auth.ifremer.fr/proxyValidate</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
<param-value>your application server dns:your port</param-value>
</init-param>
</filter>
You can download the convenient cas.keystore (the public certificate
for our server) at :
http://secure.globalsign.net/cacert/sureserverEDU.crt
And then use the jvm options :
JAVA_OPTS="-Xms2048m -Xmx2048m -XX:MaxPermSize=256m
-Djavax.net.ssl.trustStore=sureserverEDU.cert"
to launch the tomcat server.
I have created a login for you, it is :
login : jc1eed0
passwd : aze321
I hope this will help you,
Thomas
John Caron a écrit :
Thomas LOUBRIEU wrote:
Hi Jon,
up to now it is what we are using "as this". Our project, in the
coming weeks, is to extend the 'filter' functions (I don't know yet
which they are) so that we can't check the CAS-authentification (as
it now is) AND if the user login if authorized to access the
current URL according to a configuration file as follow (in XML or
java properties) :
URL_pattern1
login2
login3
login4
URL pattern2
login1
login5
...
where URL_patternX are base URL under which the access is restricted
and loginY are the authorized CAS logins.
otherwise access is free.
It a very simple authorization configuration but we have short
delays to built a demonstration system for an European operational
project.
Hi Thomas, im having trouble getting CAS to work, i keep getting the
following errors. I think Ive installed a certificate correctly in
both tomcat keystore and in JRE cacert. So you have any advice?
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to
validate ProxyTicketValidator
[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
[edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://localhost:8443/cas/proxyValidate]
ticket=[ST-2-rduetdijO1DSxhaUv6EPioZdgItQERr7ufZ-20]
service=[http%3A%2F%2Flocalhost%3A8080%2Fthredds%2FdodsC%2FtestCAS%2FtestData.nc.html]
renew=false]]]
at
edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
at
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
at
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at
org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
at
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
at
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:938)
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
at
edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
at
edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
... 17 more
Caused by: sun.security.validator.ValidatorException: PKIX path
building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
at sun.security.validator.Validator.validate(Validator.java:203)
at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
at
com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
... 31 more
Caused by:
sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
at
java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
... 36 more