CAS & JBOSS SSO


bogdanbrudu
Hello,
I am a little bit stuck and hope you can help me... I am a J2EE noob and I am not sure I am heading in the right direction...
I have 2 JBoss clusters, one with 3 web apps that have SSO with CAS and one where I have a big EAR with multiple WARs that use the JBoss SSO solution.
How can I make the 3 apps that use CAS and the JBoss SSO work together?
For the second cluster I have added:
<application-policy name="cas">
   <authentication>
      <login-module code="org.jasig.cas.client.jaas.CasLoginModule" flag="required">
         <module-option name="ticketValidatorClass">org.jasig.cas.client.validation.Saml11TicketValidator</module-option>
         <module-option name="casServerUrlPrefix">http://yourcasserver/cas</module-option>
         <module-option name="tolerance">20000</module-option>
         <module-option name="defaultRoles">admin,user</module-option>
         <module-option name="roleAttributeNames">memberOf,eduPersonAffiliation,authorities</module-option>
         <module-option name="principalGroupName">CallerPrincipal</module-option>
         <module-option name="roleGroupName">Roles</module-option>
         <module-option name="cacheAssertions">true</module-option>
         <module-option name="cacheTimeout">480</module-option>
      </login-module>
   </authentication>
</application-policy>

but when I try to log in I get this:

=============================================================
WHO: audit:unknown
WHAT: workflowuser1
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Tue Jul 14 11:27:20 EEST 2015
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--0.0.0.0-8080-2) Login failure: javax.security.auth.login.LoginException: CAS ticket validation failed: org.jasig.cas.client.validation.TicketValidationException:
                Service not allowed to validate tickets.

        at org.jasig.cas.client.jaas.CasLoginModule.login(CasLoginModule.java:299) [cas-client-core-3.2.1.jar:3.2.1]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_65]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_65]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_65]
        at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_65]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_65]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_65]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_65]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_65]
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_65]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_65]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_65]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
        at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:381) [jbossweb-7.0.13.Final.jar:]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:397) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_65]
Caused by: org.jasig.cas.client.validation.TicketValidationException:
                Service not allowed to validate tickets.

        at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:86) [cas-client-core-3.2.1.jar:3.2.1]
        at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:217) [cas-client-core-3.2.1.jar:3.2.1]
        at org.jasig.cas.client.jaas.CasLoginModule.login(CasLoginModule.java:295) [cas-client-core-3.2.1.jar:3.2.1]
        ... 28 more

I believe this is because CasLoginModule is expecting a ticket to validate and not a username/password.
How should I do this? Is there any way to avoid adding filters to every one of the WAR files in the EAR?

Thank you,
Bogdan
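Two things in the post are worth reading side by side before touching the JAAS policy. First, the stack trace shows the exception being raised in Cas20ServiceTicketValidator.parseResponseFromServer, although the application-policy sets ticketValidatorClass to Saml11TicketValidator, so it is worth confirming that the policy named "cas" is really the one the deployment is bound to. Second, the client builds the TicketValidationException message from the text of the CAS server's cas:authenticationFailure element, so "Service not allowed to validate tickets." is the CAS server's verdict on the service URL that was sent for validation (typically a service registry decision on the server side), not a message the login module generated locally. The following parser, added here as an illustration and not code from the CAS client or from the poster, walks a CAS 2.0 /serviceValidate response the same way and applies the defaultRoles and roleAttributeNames values from the post in a simplified form. The two XML responses are constructed samples; the INVALID_SERVICE code in the failure sample is part of that construction and does not appear in the original post.

```python
# Added example: minimal parser for a CAS 2.0 /serviceValidate response.
# Not the CAS client's own code. Sample responses below are constructed.
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Option values copied from the application-policy in the post.
DEFAULT_ROLES = ["admin", "user"]
ROLE_ATTRIBUTE_NAMES = ["memberOf", "eduPersonAffiliation", "authorities"]


class TicketValidationError(Exception):
    """The CAS server answered with <cas:authenticationFailure>."""

    def __init__(self, code, message):
        super().__init__(message)
        self.code = code


def parse_service_validate(xml_text):
    """Return {'user': ..., 'attributes': {name: [values]}} or raise.

    The failure text is taken from the server's authenticationFailure element
    (whitespace stripped here), so the message that ends up in the JBoss log
    was produced by the CAS server, not by the login module.
    """
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise TicketValidationError(failure.get("code", ""), (failure.text or "").strip())
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise TicketValidationError("MALFORMED", "no success or failure element")
    user = (success.findtext("cas:user", default="", namespaces=CAS_NS) or "").strip()
    attributes = {}
    attr_el = success.find("cas:attributes", CAS_NS)
    if attr_el is not None:
        for child in attr_el:
            name = child.tag.split("}", 1)[-1]  # drop the namespace prefix
            attributes.setdefault(name, []).append((child.text or "").strip())
    return {"user": user, "attributes": attributes}


def roles_for(assertion, default_roles=DEFAULT_ROLES,
              role_attribute_names=ROLE_ATTRIBUTE_NAMES):
    """Simplified reading of defaultRoles/roleAttributeNames: every validated
    user gets the default roles plus each value of the listed attributes."""
    roles = set(default_roles)
    for name in role_attribute_names:
        roles.update(assertion["attributes"].get(name, []))
    return roles


def summarize(xml_text):
    """Wrap the parser so the outcome is a plain dict that is easy to check."""
    try:
        assertion = parse_service_validate(xml_text)
    except TicketValidationError as exc:
        return {"ok": False, "code": exc.code, "error": str(exc)}
    return {"ok": True, "user": assertion["user"],
            "roles": sorted(roles_for(assertion))}


# Constructed sample: a successful validation for the user named in the post.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>workflowuser1</cas:user>
    <cas:attributes>
      <cas:memberOf>cn=workflow,ou=groups</cas:memberOf>
      <cas:memberOf>cn=staff,ou=groups</cas:memberOf>
      <cas:authorities>ROLE_APPROVER</cas:authorities>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: the failure seen in the post, as the server would send it.
# The code attribute is an assumption for this sample, not taken from the post.
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>
    Service not allowed to validate tickets.
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(summarize(SUCCESS_RESPONSE))
    print(summarize(FAILURE_RESPONSE))
```

Running the script against the failure sample reproduces the exact sentence from the stack trace, which is the point: the fix for that message lives in the CAS server's view of the service URL (and in which validator and service URL the JBoss side actually sends), not in the credential the form authenticator collected.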