From jira-events at lists.jboss.org Thu Apr 15 09:41:26 2010
From: Sohil Shah (JIRA)
To: gatein-issues at lists.jboss.org
Subject: [gatein-issues] [JBoss JIRA] Commented: (GTNPORTAL-1046) GateIn and secure CAS integration: problem with renew parameter
Date: Thu, 15 Apr 2010 09:41:26 -0400
Message-ID: <206420359.1271338886081.JavaMail.jboss@jira01.app.mwc.hst.phx2.redhat.com>
In-Reply-To: 798231429.1270719758779.JavaMail.jboss@jira01.app.mwc.hst.phx2.redhat.com

    [ https://jira.jboss.org/jira/browse/GTNPORTAL-1046?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12525905#action_12525905 ]

Sohil Shah commented on GTNPORTAL-1046:
---------------------------------------

Based on https://jira.jboss.org/jira/browse/GTNPORTAL-997 ... '/portal/sso' should be used even here:

login.jsp should now have:

In this way, it will use the URL specified in the filter configuration... This way both the "Sign In" button workflow and the "JAAS Login" workflow use the same configuration.

> GateIn and secure CAS integration: problem with renew parameter
> ---------------------------------------------------------------
>
>                 Key: GTNPORTAL-1046
>                 URL: https://jira.jboss.org/jira/browse/GTNPORTAL-1046
>             Project: GateIn Portal
>          Issue Type: Bug
>      Security Level: Public(Everyone can see)
>    Affects Versions: 3.0.0-GA
>         Environment: GateIn+JBoss AS (localhost:8080) integrated with secure CAS,
> Tomcat+CAS with secure connector enabled (https://localhost:9443),
> Sun JDK 1.6
>            Reporter: Marek Posolda
>         Attachments: cas-renew-exception.txt
>
>
> I tested GateIn integration with secure CAS (because CASTGC sso cookie is by default enabled only in secure environment).
> So GateIn is on localhost:8080 and Tomcat with CAS is on https://localhost:9443. I tried this scenario:
> 1) Go to http://localhost::8080/portal/private/classic and being redirected to CAS page
> 2) Log in on CAS page as root
> 3) I am redirected to GateIn and I am successfully authenticated as user root
> 4) Wait 2 minutes for session expiration (I am testing with HTTP session expiration timeout 1 minute)
> 5) Going again to http://localhost::8080/portal/private/classic
> 6) I am redirected to blank screen now. And exception in server log with this message: "Ticket failed validation specification. Possible errors could include attempting to validate a Proxy Ticket via a Service Ticket validator, or not complying with the renew true request."
> I am attaching full exception stacktrace (cas-renew-exception.txt).
> I found that the problem can occur if "renew=true" parameter is not used in login URL but is used in validation URL. It should be used in both URLs (login and validation) or in none of them. Some links:
> http://tp.its.yale.edu/pipermail/cas/2005-October/001707.html
> http://n4.nabble.com/Problem-in-Cas-renew-parameter-set-to-true-td261396.html
> So I tried two things:
> 1) Use renew in both login and validation URL. So I changed login.jsp to "https://localhost:9443/cas/login?service=http://localhost:8080/portal/private/classic&renew=true". This helps to avoid the issue but I am redirected to CAS screen after session expiration in GateIn
> 2) Avoid renew in both login and validation URL. Now it's hardcoded in org.gatein.sso.agent.cas.CASAgent.validateTicket so I uncomment the line setRenew(true) to avoid renew in validation URL. This also helps and now I am not redirected to CAS screen after session expiration. Because CAS grants me a new valid ticket for new GateIn session.
> So conclusion: I think that renew should be used in both places or nowhere.
> Is it possible to make it configurable and avoid hardcoded setRenew(true) in CASAgent class?

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
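As an added illustration of the mismatch the report describes, and not code from GateIn, CAS or the issue itself: a small Python model of CAS's renew contract. The CAS server stand-in and the portal flow are constructed for this example; only the two URLs are taken from the report. It shows that renew=true on the validation URL rejects a ticket issued from the CASTGC SSO session unless the login URL also carried renew=true, and that deriving both URLs from one setting keeps them consistent.

```python
from dataclasses import dataclass
from urllib.parse import urlencode

CAS_BASE = "https://localhost:9443/cas"                   # from the report
SERVICE = "http://localhost:8080/portal/private/classic"  # from the report

def build_login_url(service: str, renew: bool) -> str:
    """Login URL for login.jsp; renew must mirror the validator's setting."""
    params = {"service": service}
    if renew:
        params["renew"] = "true"
    return f"{CAS_BASE}/login?{urlencode(params)}"

@dataclass
class ServiceTicket:
    value: str
    service: str
    from_new_login: bool  # True only if issued right after primary authentication

class CasServer:
    """Minimal stand-in for the CAS server (constructed, not real CAS code)."""
    def __init__(self) -> None:
        self.count = 0
        self.tgt_valid = False  # models the SSO session behind the CASTGC cookie

    def login(self, service: str, renew: bool, has_tgc: bool) -> ServiceTicket:
        # renew=true on /login forces re-authentication even when CASTGC is present
        via_sso = has_tgc and self.tgt_valid and not renew
        if not via_sso:
            self.tgt_valid = True  # user typed credentials on the CAS screen
        self.count += 1
        return ServiceTicket(f"ST-{self.count}", service, from_new_login=not via_sso)

    def service_validate(self, ticket: ServiceTicket, service: str, renew: bool) -> bool:
        if ticket.service != service:
            return False
        # renew=true on /serviceValidate rejects tickets issued from the SSO session
        return ticket.from_new_login or not renew

def portal_flow(renew_login: bool, renew_validate: bool) -> tuple:
    """(second ticket validated?, user re-prompted at CAS?) for the revisit after
    the GateIn session expired while the browser still holds the CASTGC cookie."""
    cas = CasServer()
    first = cas.login(SERVICE, renew_login, has_tgc=False)
    assert cas.service_validate(first, SERVICE, renew_validate)  # first visit always works
    second = cas.login(SERVICE, renew_login, has_tgc=True)
    return cas.service_validate(second, SERVICE, renew_validate), second.from_new_login
```

portal_flow(False, True) reproduces the reported failure; (True, True) validates but re-prompts the user, and (False, False) validates silently, matching the two workarounds in the report.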