[gatein-issues] [JBoss JIRA] Resolved: (GTNPORTAL-1046) GateIn and secure CAS integration: problem with renew parameter

Sohil Shah (JIRA) jira-events at lists.jboss.org
Tue Apr 13 16:12:25 EDT 2010


     [ https://jira.jboss.org/jira/browse/GTNPORTAL-1046?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sohil Shah resolved GTNPORTAL-1046.
-----------------------------------

    Resolution: Done


This can now be configured by adding the following configuration to: 02portal.war/WEB-INF/web.xml

<filter>
  <filter-name>LoginRedirectFilter</filter-name>
  <filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
  <init-param>
    <!-- This should point to your SSO authentication server -->
    <param-name>LOGIN_URL</param-name>
    <!--
        If casRenewTicket param value of InitiateLoginServlet is: not specified or false
    -->
    <!--
    <param-value>http://localhost:8888/cas/login?service=http://localhost:8080/portal/private/classic</param-value>
    -->
    <!--
        If casRenewTicket param value of InitiateLoginServlet is: true
    -->
    <param-value>http://localhost:8888/cas/login?service=http://localhost:8080/portal/private/classic&amp;renew=true</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>LoginRedirectFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>


and

<servlet>
  <servlet-name>InitiateLoginServlet</servlet-name>
  <servlet-class>org.gatein.sso.agent.GenericSSOAgent</servlet-class>
  <init-param>
    <param-name>ssoServerUrl</param-name>
    <param-value>http://localhost:8888/cas</param-value>
  </init-param>
  <init-param>
    <param-name>casRenewTicket</param-name>
    <param-value>true</param-value>
  </init-param>
</servlet>

Also, the re-direct URLs on the JSP and templates must be changed to a generic one which is: /portal/sso

See an earlier bug resolution related to SSO Login Screen issue for details: https://jira.jboss.org/jira/browse/GTNPORTAL-997

> GateIn and secure CAS integration: problem with renew parameter
> ---------------------------------------------------------------
>
>                 Key: GTNPORTAL-1046
>                 URL: https://jira.jboss.org/jira/browse/GTNPORTAL-1046
>             Project: GateIn Portal
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>    Affects Versions: 3.0.0-GA
>         Environment: GateIn+JBoss AS (localhost:8080) integrated with secure CAS,
> Tomcat+CAS with secure connector enabled (https://localhost:9443),
> Sun JDK 1.6
>            Reporter: Marek Posolda
>         Attachments: cas-renew-exception.txt
>
>
> I tested GateIn integration with secure CAS (because CASTGC sso cookie is by default enabled only in secure environment). So GateIn is on localhost:8080 and Tomcat with CAS is on https://localhost:9443. I tried this scenario:
> 1) Go to http://localhost:8080/portal/private/classic and being redirected to CAS page
> 2) Login in CAS page as root
> 3) I am redirected to GateIn and I am successfully authenticated as user root
> 4) Wait 2 minutes for session expiration (I am testing with HTTP session expiration timeout 1 minute)
> 5) Going again to http://localhost:8080/portal/private/classic
> 6) I am redirected to blank screen now. And exception in server log with this message: "Ticket failed validation specification. Possible errors could include attempting to validate a Proxy Ticket via a Service Ticket validator, or not complying with the renew true request."
> I am attaching full exception stacktrace (cas-renew-exception.txt).
> I found that the problem can occur if "renew=true" parameter is not used in login URL but is used in validation URL. It should be used in both URLs (login and validation) or in none of them. Some links:
> http://tp.its.yale.edu/pipermail/cas/2005-October/001707.html
> http://n4.nabble.com/Problem-in-Cas-renew-parameter-set-to-true-td261396.html
> So I tried two things:
> 1) Use renew in both login and validation URL. So I changed login.jsp to "https://localhost:9443/cas/login?service=http://localhost:8080/portal/private/classic&renew=true". This helps to avoid the issue but I am redirected to CAS screen after session expiration in GateIn
> 2) Avoid renew in both login and validation URL. Now it's hardcoded in org.gatein.sso.agent.cas.CASAgent.validateTicket so I uncomment the line setRenew(true) to avoid renew in validation URL. This also helps and now I am not redirected to CAS screen after session expiration. Because CAS grants me new valid ticket for new GateIn session.
> So conclusion: I think that renew should be used in both places or nowhere. Is it possible to make it configurable and avoid hardcoded setRenew(true) in CASAgent class?

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
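Added example (not part of this JIRA thread or of the GateIn code base): a small Python lint that parses a web.xml shaped like the resolution above and reports whether renew=true is set consistently on the LoginRedirectFilter LOGIN_URL and the InitiateLoginServlet casRenewTicket, i.e. the mismatch the reporter ran into. The web.xml it checks is constructed inline, and all function names are my own.

```python
"""Lint a GateIn web.xml for inconsistent CAS 'renew' settings (GTNPORTAL-1046)."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

def _local(tag):
    """Strip the web-app XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def _text(node, name):
    """Text of the first direct child element named `name` (comments are skipped)."""
    for child in node:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def _init_params(root, kind, name):
    """Map init-param name -> value for the <filter> or <servlet> called `name`."""
    for node in root.iter():
        if _local(node.tag) == kind and _text(node, kind + "-name") == name:
            return {_text(p, "param-name"): _text(p, "param-value")
                    for p in node if _local(p.tag) == "init-param"}
    return {}

def login_url_renews(login_url):
    """True when the CAS login URL carries renew=true (forces a fresh login)."""
    return parse_qs(urlsplit(login_url).query).get("renew", [""])[0].lower() == "true"

def check_renew_consistency(web_xml):
    """Return (consistent, renew_in_login_url, renew_in_ticket_validation).

    CAS rejects the service ticket ("Ticket failed validation specification")
    when renew is requested at validation but was absent from the login URL.
    """
    root = ET.fromstring(web_xml)
    login_url = _init_params(root, "filter", "LoginRedirectFilter").get("LOGIN_URL", "")
    agent = _init_params(root, "servlet", "InitiateLoginServlet")
    login_renew = login_url_renews(login_url)
    validation_renew = agent.get("casRenewTicket", "false").lower() == "true"
    return login_renew == validation_renew, login_renew, validation_renew

def sample_web_xml(login_url, cas_renew_ticket):
    """Constructed web.xml in the shape of the resolution above (sample, not the real file)."""
    return f"""<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter><filter-name>LoginRedirectFilter</filter-name>
    <init-param><param-name>LOGIN_URL</param-name>
      <param-value>{login_url}</param-value></init-param></filter>
  <servlet><servlet-name>InitiateLoginServlet</servlet-name>
    <init-param><param-name>casRenewTicket</param-name>
      <param-value>{cas_renew_ticket}</param-value></init-param></servlet>
</web-app>"""

# Login URL from the resolution, without the renew parameter (XML-escaped '&amp;' is added below).
SERVICE = "http://localhost:8888/cas/login?service=http://localhost:8080/portal/private/classic"
```

Running `check_renew_consistency(sample_web_xml(SERVICE, "true"))` reproduces the reporter's broken setup and returns `(False, False, True)`; appending `&amp;renew=true` to the login URL makes it consistent.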