Sohil Shah resolved GTNPORTAL-1046.
-----------------------------------
Resolution: Done
This can now be configured by adding the following configuration to 02portal.war/WEB-INF/web.xml:
<filter>
    <filter-name>LoginRedirectFilter</filter-name>
    <filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
    <init-param>
        <!-- This should point to your SSO authentication server -->
        <param-name>LOGIN_URL</param-name>
        <!-- If the casRenewTicket param value of InitiateLoginServlet is not specified or false: -->
        <!--
        <param-value>http://localhost:8888/cas/login?service=http://localhost:8080/portal/private/classic</param-value>
        -->
        <!-- If the casRenewTicket param value of InitiateLoginServlet is true
             (note that & must be written as &amp; inside web.xml): -->
        <param-value>http://localhost:8888/cas/login?service=http://localhost:8080/portal/private/classic&amp;renew=true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>LoginRedirectFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
and
<servlet>
    <servlet-name>InitiateLoginServlet</servlet-name>
    <servlet-class>org.gatein.sso.agent.GenericSSOAgent</servlet-class>
    <init-param>
        <param-name>ssoServerUrl</param-name>
        <param-value>http://localhost:8888/cas</param-value>
    </init-param>
    <init-param>
        <param-name>casRenewTicket</param-name>
        <param-value>true</param-value>
    </init-param>
</servlet>
Also, the redirect URLs on the JSP and templates must be changed to a generic one, which is: /portal/sso
See an earlier bug resolution related to the SSO Login Screen issue for details:
GateIn and secure CAS integration: problem with renew parameter
---------------------------------------------------------------
Key: GTNPORTAL-1046
URL: https://jira.jboss.org/jira/browse/GTNPORTAL-1046
Project: GateIn Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Affects Versions: 3.0.0-GA
Environment: GateIn+JBoss AS (localhost:8080) integrated with secure CAS,
Tomcat+CAS with secure connector enabled (https://localhost:9443),
Sun JDK 1.6
Reporter: Marek Posolda
Attachments: cas-renew-exception.txt
I tested GateIn integration with secure CAS (because the CASTGC sso cookie is by default
enabled only in a secure environment). So GateIn is on localhost:8080 and Tomcat with CAS is
on https://localhost:9443. I tried this scenario:
1) Go to http://localhost:8080/portal/private/classic and be redirected to the CAS page
2) Log in on the CAS page as root
3) I am redirected to GateIn and I am successfully authenticated as user root
4) Wait 2 minutes for session expiration (I am testing with an HTTP session expiration
timeout of 1 minute)
5) Go again to http://localhost:8080/portal/private/classic
6) I am redirected to a blank screen now. And an exception in the server log with this message:
"Ticket failed validation specification. Possible errors could include attempting to
validate a Proxy Ticket via a Service Ticket validator, or not complying with the renew
true request."
I am attaching the full exception stacktrace (cas-renew-exception.txt).
I found that the problem can occur if the "renew=true" parameter is not used in the login
URL but is used in the validation URL. It should be used in both URLs (login and validation)
or in none of them. Some links:
http://tp.its.yale.edu/pipermail/cas/2005-October/001707.html
http://n4.nabble.com/Problem-in-Cas-renew-parameter-set-to-true-td261396....
So I tried two things:
1) Use renew in both login and validation URL. So I changed login.jsp to
"https://localhost:9443/cas/login?service=http://localhost:8080/portal/private/classic&renew=true".
This helps to avoid the issue but I am redirected to CAS screen after session expiration
in GateIn
2) Avoid renew in both login and validation URL. Now it's hardcoded in
org.gatein.sso.agent.cas.CASAgent.validateTicket, so I uncomment the line setRenew(true) to
avoid renew in the validation URL. This also helps and now I am not redirected to the CAS screen
after session expiration, because CAS grants me a new valid ticket for the new GateIn session.
So, conclusion: I think that renew should be used in both places or nowhere. Is it
possible to make it configurable and avoid the hardcoded setRenew(true) in the CASAgent class?
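The failure mode reported above and the configuration in the resolution both come down to one invariant: the CAS "renew" flag must be present in both the login URL and the ticket validation request, or in neither. The following Python script is an added example (not GateIn project code) that reads a web.xml and checks that invariant before deployment, using the two init-params from the resolution: the LoginRedirectFilter's LOGIN_URL and the InitiateLoginServlet's casRenewTicket (absent is treated as false, as the resolution's comment states). The embedded web.xml fragment is constructed from the resolution's snippet, with the "&" escaped as "&amp;" so that it is well-formed XML.

```python
"""Check that a GateIn web.xml uses the CAS ``renew`` flag consistently.

Added example, not GateIn code. The CAS server rejects a ticket that was
issued by a login without ``renew=true`` when the validation request asks
for ``renew=true`` (the "Ticket failed validation specification" error
in the report), so the two settings must agree.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the resolution's filter and servlet, as well-formed XML.
SAMPLE_WEB_XML = """<web-app>
  <filter>
    <filter-name>LoginRedirectFilter</filter-name>
    <filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
    <init-param>
      <param-name>LOGIN_URL</param-name>
      <param-value>http://localhost:8888/cas/login?service=http://localhost:8080/portal/private/classic&amp;renew=true</param-value>
    </init-param>
  </filter>
  <servlet>
    <servlet-name>InitiateLoginServlet</servlet-name>
    <servlet-class>org.gatein.sso.agent.GenericSSOAgent</servlet-class>
    <init-param>
      <param-name>ssoServerUrl</param-name>
      <param-value>http://localhost:8888/cas</param-value>
    </init-param>
    <init-param>
      <param-name>casRenewTicket</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def _init_params(node):
    """Return {param-name: param-value} for a <filter> or <servlet> node."""
    params = {}
    for p in node.findall("init-param"):
        name = (p.findtext("param-name") or "").strip()
        params[name] = (p.findtext("param-value") or "").strip()
    return params


def read_cas_settings(web_xml_text):
    """Extract LOGIN_URL (filter) and casRenewTicket (servlet) from web.xml."""
    root = ET.fromstring(web_xml_text)
    login_url = None
    for f in root.findall("filter"):
        if (f.findtext("filter-name") or "").strip() == "LoginRedirectFilter":
            login_url = _init_params(f).get("LOGIN_URL")
    renew_ticket = None
    for s in root.findall("servlet"):
        if (s.findtext("servlet-name") or "").strip() == "InitiateLoginServlet":
            renew_ticket = _init_params(s).get("casRenewTicket")
    return login_url, renew_ticket


def login_url_has_renew(login_url):
    """True if the CAS login URL carries renew=true in its query string."""
    query = parse_qs(urlsplit(login_url).query)
    return query.get("renew", ["false"])[0].lower() == "true"


def check_renew_consistency(web_xml_text):
    """Report whether login and validation agree on the renew flag."""
    login_url, renew_ticket = read_cas_settings(web_xml_text)
    if login_url is None:
        return {"consistent": False, "message": "LOGIN_URL not configured"}
    login_renew = login_url_has_renew(login_url)
    # Unspecified casRenewTicket means no renew on validation (per resolution).
    validation_renew = (renew_ticket or "false").lower() == "true"
    consistent = login_renew == validation_renew
    message = (
        "renew flag consistent (login=%s, validation=%s)"
        if consistent else
        "MISMATCH: login renew=%s but validation renew=%s; "
        "ticket validation will fail after the SSO session ticket is reused"
    ) % (login_renew, validation_renew)
    return {
        "login_renew": login_renew,
        "validation_renew": validation_renew,
        "consistent": consistent,
        "message": message,
    }


if __name__ == "__main__":
    print(check_renew_consistency(SAMPLE_WEB_XML)["message"])
```

Run it against the real 02portal.war/WEB-INF/web.xml by reading the file into check_renew_consistency; a mismatch is exactly the state the reporter hit (renew=true requested at validation but not at login), and the script names which side is off so the fix is one param change rather than a stack-trace hunt.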
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: