Sohil Shah commented on GTNPORTAL-1046:
---------------------------------------
Based on
should
be used even here:
login.jsp should now have:
<html>
<head>
<script type="text/javascript">
window.location = '/portal/sso';
</script>
</head>
<body>
</body>
</html>
In this way, it will use the URL specified in the filter configuration. This way both the
"Sign In" button workflow and the "JAAS Login" workflow use the same
configuration.
GateIn and secure CAS integration: problem with renew parameter
---------------------------------------------------------------
Key: GTNPORTAL-1046
URL:
https://jira.jboss.org/jira/browse/GTNPORTAL-1046
Project: GateIn Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Affects Versions: 3.0.0-GA
Environment: GateIn+JBoss AS (localhost:8080) integrated with secure CAS,
Tomcat+CAS with secure connector enabled (
https://localhost:9443),
Sun JDK 1.6
Reporter: Marek Posolda
Attachments: cas-renew-exception.txt
I tested GateIn integration with secure CAS (because the CASTGC SSO cookie is by default
enabled only in a secure environment). So GateIn is on localhost:8080 and Tomcat with CAS is
on
https://localhost:9443. I tried this scenario:
1) Go to
http://localhost::8080/portal/private/classic and being redirected to CAS page
2) Login in CAS page as root
3) I am redirected to GateIn and I am successfully authenticated as user root
4) Wait 2 minutes for session expiration (I am testing with HTTP session expiration
timeout 1 minute)
5) Going again to
http://localhost::8080/portal/private/classic
6) I am redirected to a blank screen now, and there is an exception in the server log with this message:
"Ticket failed validation specification. Possible errors could include attempting to
validate a Proxy Ticket via a Service Ticket validator, or not complying with the renew
true request."
I am attaching full exception stacktrace (cas-renew-exception.txt).
I found that the problem can occur if the "renew=true" parameter is not used in the login
URL but is used in validation URL. It should be used in both URLs (login and validation)
or in none of them. Some links:
http://tp.its.yale.edu/pipermail/cas/2005-October/001707.html
http://n4.nabble.com/Problem-in-Cas-renew-parameter-set-to-true-td261396....
So I tried two things:
1) Use renew in both login and validation URL. So I changed login.jsp to
"https://localhost:9443/cas/login?service=http://localhost:8080/portal/private/classic&renew=true".
This helps to avoid the issue but I am redirected to CAS screen after session expiration
in GateIn
2) Avoid renew in both login and validation URL. Now it's hardcoded in
org.gatein.sso.agent.cas.CASAgent.validateTicket so I uncomment the line setRenew(true) to
avoid renew in validation URL. This also helps and now I am not redirected to CAS screen
after session expiration, because CAS grants me a new valid ticket for the new GateIn session.
So conclusion: I think that renew should be used in both places or nowhere. Is it
possible to make it configurable and avoid hardcoded setRenew(true) in CASAgent class?
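Added example (not part of the original issue, and not GateIn or CAS code): a toy Python model of the renew rule described in the report, replaying the reporter's steps for each combination of renew in the login URL and in the validation URL. ToyCasServer, relogin_outcome and the credentials are constructed for illustration; the model assumes that a validation request with renew=true accepts only tickets issued from freshly presented credentials, never tickets granted from the CASTGC cookie.

```python
import secrets


class ToyCasServer:
    """Constructed model of CAS 'renew' semantics; not real CAS server code."""

    def __init__(self):
        self.sso_cookies = set()  # live CASTGC values
        self.tickets = {}         # service ticket -> issued from primary credentials?

    def login(self, renew, castgc=None, credentials=None):
        """Return (service_ticket, castgc), or (None, None) when the login form is shown."""
        if renew or castgc not in self.sso_cookies:
            if credentials is None:
                return None, None          # user has to type credentials again
            castgc = secrets.token_hex(8)
            self.sso_cookies.add(castgc)
            fresh = True
        else:
            fresh = False                  # ticket granted silently from the SSO cookie
        st = "ST-" + secrets.token_hex(8)
        self.tickets[st] = fresh
        return st, castgc

    def validate(self, st, renew):
        """Tickets are single use; renew=true accepts only tickets from a fresh login."""
        fresh = self.tickets.pop(st, None)
        return fresh is not None and (fresh or not renew)


def relogin_outcome(login_renew, validate_renew):
    """Replay steps 1-6 of the report for one combination of the two settings."""
    cas = ToyCasServer()
    # Steps 1-3: no cookie yet, so the user logs in on the CAS page.
    st, castgc = cas.login(login_renew, credentials=("root", "constructed-password"))
    assert cas.validate(st, validate_renew)
    # Steps 4-5: the portal session has expired, the browser still holds CASTGC.
    st, _ = cas.login(login_renew, castgc=castgc)
    if st is None:
        return "cas-login-page"
    return "signed-in" if cas.validate(st, validate_renew) else "validation-failed"


if __name__ == "__main__":
    for lr in (False, True):
        for vr in (False, True):
            print(f"login renew={lr!s:5} validate renew={vr!s:5} -> {relogin_outcome(lr, vr)}")
```

Only the mismatched pair (no renew at login, renew at validation) ends in a failed validation; the two consistent settings differ in whether single sign-on survives portal session expiry.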