SSL problem (I think)

doahh

Hello,

I have CAS set up and working on my development machine but now want to move the work I have been doing to another location for further testing. I think I am having problems getting the SSL working with CAS but unfortunately I don't get any error messages whatsoever. When I hit the new CAS install I get:

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

and the log file shows:

prodia.co.uk-cas => [log level: DEBUG] [thread: TP-Processor3] [logging time (ms): 20067]
   org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap.lookupAttributes
      Candidate is: '/index.jsp'; pattern is /**; matched=true

prodia.co.uk-cas => [log level: DEBUG] [thread: TP-Processor3] [logging time (ms): 20068]
   org.acegisecurity.securechannel.ChannelProcessingFilter.doFilter
      Request: FilterInvocation: URL: /index.jsp; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]

prodia.co.uk-cas => [log level: DEBUG] [thread: TP-Processor3] [logging time (ms): 20069]
   org.acegisecurity.securechannel.RetryWithHttpsEntryPoint.commence
      Redirecting to: https://prodia.co.uk/cas/index.jsp

This error repeats several times. I have tried a few things to get the SSL working but can't seem to get it right. I have Tomcat using the following:

keystoreFile="/etc/apache2/ssl-keys/prodia.co.uk/tomcat.keystore"

which works fine for SSL but not with CAS. I have tried importing my certificates (there is a root trust certificate as well as the actual domain certificate) into this keystore:

sudo $JAVA_HOME/bin/keytool -import -file /etc/apache2/ssl-keys/prodia.co.uk/godaddy-root-cert.crt -keypass changeit -keystore /etc/apache2/ssl-keys/prodia.co.uk/tomcat.keystore -alias godaddy

sudo $JAVA_HOME/bin/keytool -import -file /etc/apache2/ssl-keys/prodia.co.uk/prodia.co.uk.crt -keypass changeit -keystore /etc/apache2/ssl-keys/prodia.co.uk/tomcat.keystore -alias tomcat

I have also done the same for the cacerts file located at:

/opt/jdk1.6.0_03/jre/lib/security/cacerts

Additionally I have also tried creating a jssecacerts file using a tutorial I found and copying that to the $JAVA_HOME/jre/lib/security. This last way (creating the jssecacerts file) is the method I used to get my development machine working.

As I say, I don't get any errors in either the logs or the console when I try and access CAS. I am now a little stuck as to what to try next so if anyone has any suggestions they would be welcome.
doahh

Re: SSL problem (I think)

I worked out that removing this from the web.xml got things working again:

<filter>
  <filter-name>Acegi Channel Processing Filter</filter-name>
  <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
  <init-param>
    <param-name>targetClass</param-name>
    <param-value>org.acegisecurity.securechannel.ChannelProcessingFilter</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>Acegi Channel Processing Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Is this likely to cause any security issues? I think I added that in myself a long time ago but I am not absolutely sure about that. I only have this problem on the test machine but I am also having SSL issues with Spring when Tomcat is fronted by Apache, so maybe this is a knock-on effect of that.


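The log signature described in this thread is RetryWithHttpsEntryPoint repeatedly redirecting to the same https:// URL. The following is an added example, not part of the original posts, that parses logs in that three-line layout and flags such loops. The sample log, its host name, and the reading of "logging time (ms)" as an increasing millisecond counter are assumptions.

```python
import re

CPF = "org.acegisecurity.securechannel.ChannelProcessingFilter.doFilter"
RETRY = "org.acegisecurity.securechannel.RetryWithHttpsEntryPoint.commence"

# Constructed sample in the layout of the log quoted in the post
# (header line, logger.method, message); host, threads and timings are made up.
def _entry(ms, thread, logger, msg):
    return (f"example.test-cas => [log level: DEBUG] [thread: {thread}] "
            f"[logging time (ms): {ms}]\n   {logger}\n      {msg}\n\n")

def _hit(ms, thread, path):
    return (_entry(ms, thread, CPF, f"Request: FilterInvocation: URL: {path}; "
                   "ConfigAttributes: [REQUIRES_SECURE_CHANNEL]")
            + _entry(ms + 1, thread, RETRY,
                     f"Redirecting to: https://example.test/cas{path}"))

SAMPLE_LOG = (_hit(20068, "TP-Processor3", "/index.jsp")
              + _hit(20110, "TP-Processor4", "/index.jsp")
              + _hit(20152, "TP-Processor3", "/index.jsp")
              + _hit(31000, "TP-Processor5", "/login"))  # one-off redirect

HEADER = re.compile(r"^(?P<app>\S+) => \[log level: (?P<level>\w+)\] "
                    r"\[thread: (?P<thread>[^\]]+)\] "
                    r"\[logging time \(ms\): (?P<ms>\d+)\]$")

def parse_entries(text):
    """Yield one dict per header / logger / message triple."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    i = 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if m and i + 2 < len(lines):
            yield {**m.groupdict(), "logger": lines[i + 1], "message": lines[i + 2]}
            i += 3
        else:
            i += 1  # skip anything that is not a complete entry

def find_https_redirect_loops(text, threshold=3, window_ms=5000):
    """Return {target: count} for HTTPS redirects to the same target that
    occur `threshold` or more times within `window_ms`."""
    times = {}
    for e in parse_entries(text):
        if e["logger"] == RETRY and e["message"].startswith("Redirecting to: https://"):
            times.setdefault(e["message"].split(": ", 1)[1], []).append(int(e["ms"]))
    loops = {}
    for target, ts in times.items():
        ts.sort()
        if any(ts[i + threshold - 1] - ts[i] <= window_ms
               for i in range(len(ts) - threshold + 1)):
            loops[target] = len(ts)
    return loops
```

A target that is flagged here means requests already sent to the https:// URL are still being marked REQUIRES_SECURE_CHANNEL and redirected, so the filter is not treating them as secure. Removing the filter stops the loop but also removes that HTTPS enforcement.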