help with - Step 5: CASify HelloWorld Servlet

michael thorne-5

help with - Step 5: CASify HelloWorld Servlet

I'm working through the Demo at

http://www.ja-sig.org/wiki/display/CASUM/Demo

and Tomcat is throwing a 500 error.   :-(

The server is running RHEL 5.3 with the IBM Java.

[~] $ java -version

   java version "1.5.0"
   Java(TM) 2 Runtime Environment, Standard Edition
      (build pxa64dev-20090707 (SR10))
   IBM J9 VM build 2.3, J2RE 1.5.0 IBM J9 2.3
      Linux amd64-64 j9vmxa6423-20090707 (JIT enabled)
   J9VM - 20090706_38445_LHdSMr
   JIT  - 20090623_1334_r8
   GC   - 200906_09
   JCL  - 20090705

CAS is running; I can use the default login/out URLs and
see the green "successful" messages.

 I've attached the web.xml file with the CAS filter
declarations and the 500 error message with the stack
trace.

  Something to do with the "PKIX path building failed" ...
"unable to find valid certification path to requested target"

???

Suggestions please.

--
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
 Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->

<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">

    <display-name>Servlet 2.4 Examples</display-name>
    <description>
      Servlet 2.4 Examples.
    </description>

    <!-- Define servlet-mapped and path-mapped example filters -->
    <filter>
        <filter-name>Servlet Mapped Filter</filter-name>
        <filter-class>filters.ExampleFilter</filter-class>
        <init-param>
            <param-name>attribute</param-name>
            <param-value>filters.ExampleFilter.SERVLET_MAPPED</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>Path Mapped Filter</filter-name>
        <filter-class>filters.ExampleFilter</filter-class>
        <init-param>
            <param-name>attribute</param-name>
            <param-value>filters.ExampleFilter.PATH_MAPPED</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>Request Dumper Filter</filter-name>
        <filter-class>filters.RequestDumperFilter</filter-class>
    </filter>

    <!-- Example filter to set character encoding on each request -->
    <filter>
        <filter-name>Set Character Encoding</filter-name>
        <filter-class>filters.SetCharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>EUC_JP</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>Compression Filter</filter-name>
        <filter-class>compressionFilters.CompressionFilter</filter-class>

        <init-param>
          <param-name>compressionThreshold</param-name>
          <param-value>10</param-value>
        </init-param>
        <init-param>
          <param-name>debug</param-name>
          <param-value>0</param-value>
        </init-param>
    </filter>

<filter>
<filter-name>CAS Filter</filter-name>
<filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
<param-value>https://jordan.bccampus.ca/cas/login</param-value> <!-- :8443 -->
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
<param-value>https://jordan.bccampus.ca/cas/serviceValidate</param-value> <!-- :8443 -->
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
<param-value>jordan.bccampus.ca</param-value> <!-- :8080 -->
</init-param>
</filter>

    <!-- Define filter mappings for the defined filters -->
    <filter-mapping>
        <filter-name>Servlet Mapped Filter</filter-name>
        <servlet-name>invoker</servlet-name>
    </filter-mapping>
    <filter-mapping>
        <filter-name>Path Mapped Filter</filter-name>
        <url-pattern>/servlet/*</url-pattern>
    </filter-mapping>

<filter-mapping>
   <filter-name>CAS Filter</filter-name>
   <url-pattern>/servlet/HelloWorldExample</url-pattern>
</filter-mapping>


<!-- Example filter mapping to apply the "Set Character Encoding" filter
     to *all* requests processed by this web application -->
<!--
    <filter-mapping>
        <filter-name>Set Character Encoding</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
-->

<!--
    <filter-mapping>
      <filter-name>Compression Filter</filter-name>
      <url-pattern>/CompressionTest</url-pattern>
    </filter-mapping>
-->

<!--
    <filter-mapping>
        <filter-name>Request Dumper Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
-->

    <!-- Define example application events listeners -->
    <listener>
        <listener-class>listeners.ContextListener</listener-class>
    </listener>
    <listener>
        <listener-class>listeners.SessionListener</listener-class>
    </listener>

    <!-- Define servlets that are included in the example application -->

    <servlet>
        <servlet-name>CompressionFilterTestServlet</servlet-name>
        <servlet-class>compressionFilters.CompressionFilterTestServlet</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>HelloWorldExample</servlet-name>
        <servlet-class>HelloWorldExample</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>RequestInfoExample</servlet-name>
        <servlet-class>RequestInfoExample</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>RequestHeaderExample</servlet-name>
        <servlet-class>RequestHeaderExample</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>RequestParamExample</servlet-name>
        <servlet-class>RequestParamExample</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>CookieExample</servlet-name>
        <servlet-class>CookieExample</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>SessionExample</servlet-name>
        <servlet-class>SessionExample</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>CompressionFilterTestServlet</servlet-name>
        <url-pattern>/CompressionTest</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>HelloWorldExample</servlet-name>
        <url-pattern>/servlet/HelloWorldExample</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>RequestInfoExample</servlet-name>
        <url-pattern>/servlet/RequestInfoExample/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>RequestHeaderExample</servlet-name>
        <url-pattern>/servlet/RequestHeaderExample</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>RequestParamExample</servlet-name>
        <url-pattern>/servlet/RequestParamExample</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>CookieExample</servlet-name>
        <url-pattern>/servlet/CookieExample</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>SessionExample</servlet-name>
        <url-pattern>/servlet/SessionExample</url-pattern>
    </servlet-mapping>

    <security-constraint>
      <display-name>Example Security Constraint</display-name>
      <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
         <!-- Define the context-relative URL(s) to be protected -->
         <url-pattern>/jsp/security/protected/*</url-pattern>
         <!-- If you list http methods, only those methods are protected -->
         <http-method>DELETE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
         <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
         <!-- Anyone with one of the listed roles may access this area -->
         <role-name>tomcat</role-name>
         <role-name>role1</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- Default login configuration uses form-based authentication -->
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
        <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
      </form-login-config>
    </login-config>

    <!-- Security roles referenced by this web application -->
    <security-role>
      <role-name>role1</role-name>
    </security-role>
    <security-role>
      <role-name>tomcat</role-name>
    </security-role>

    <!-- Environment entry examples -->
    <!--env-entry>
      <env-entry-description>
         The maximum number of tax exemptions allowed to be set.
      </env-entry-description>
      <env-entry-name>maxExemptions</env-entry-name>
      <env-entry-value>15</env-entry-value>
      <env-entry-type>java.lang.Integer</env-entry-type>
    </env-entry-->
    <env-entry>
      <env-entry-name>minExemptions</env-entry-name>
      <env-entry-type>java.lang.Integer</env-entry-type>
      <env-entry-value>1</env-entry-value>
    </env-entry>
    <env-entry>
      <env-entry-name>foo/name1</env-entry-name>
      <env-entry-type>java.lang.String</env-entry-type>
      <env-entry-value>value1</env-entry-value>
    </env-entry>
    <env-entry>
      <env-entry-name>foo/bar/name2</env-entry-name>
      <env-entry-type>java.lang.Boolean</env-entry-type>
      <env-entry-value>true</env-entry-value>
    </env-entry>
    <env-entry>
      <env-entry-name>name3</env-entry-name>
      <env-entry-type>java.lang.Integer</env-entry-type>
      <env-entry-value>1</env-entry-value>
    </env-entry>
    <env-entry>
      <env-entry-name>foo/name4</env-entry-name>
      <env-entry-type>java.lang.Integer</env-entry-type>
      <env-entry-value>10</env-entry-value>
    </env-entry>

</web-app>


Apache Tomcat/5.5.23 - Error report

HTTP Status 500 -


type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://jordan.bccampus.ca/cas/serviceValidate] ticket=[ST-6-nvCOGCdgwpJsIuLSeD21-cas] service=[http%3A%2F%2Fjordan.bccampus.ca%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]
	edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:381)
	filters.ExampleFilter.doFilter(ExampleFilter.java:102)

root cause

edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://jordan.bccampus.ca/cas/serviceValidate] ticket=[ST-6-nvCOGCdgwpJsIuLSeD21-cas] service=[http%3A%2F%2Fjordan.bccampus.ca%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]
	edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
	edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
	edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
	filters.ExampleFilter.doFilter(ExampleFilter.java:102)

root cause

javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
	com.ibm.jsse2.n.a(n.java:3)
	com.ibm.jsse2.jc.a(jc.java:501)
	com.ibm.jsse2.db.a(db.java:144)
	com.ibm.jsse2.db.a(db.java:416)
	com.ibm.jsse2.eb.a(eb.java:89)
	com.ibm.jsse2.eb.a(eb.java:291)
	com.ibm.jsse2.db.m(db.java:192)
	com.ibm.jsse2.db.a(db.java:79)
	com.ibm.jsse2.jc.a(jc.java:184)
	com.ibm.jsse2.jc.g(jc.java:257)
	com.ibm.jsse2.jc.a(jc.java:361)
	com.ibm.jsse2.jc.startHandshake(jc.java:304)
	com.ibm.net.ssl.www2.protocol.https.b.afterConnect(b.java:125)
	com.ibm.net.ssl.www2.protocol.https.c.connect(c.java:28)
	sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:959)
	com.ibm.net.ssl.www2.protocol.https.a.getInputStream(a.java:34)
	edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
	edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
	edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
	edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
	edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
	filters.ExampleFilter.doFilter(ExampleFilter.java:102)

root cause

com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
	com.ibm.jsse2.util.f.b(f.java:49)
	com.ibm.jsse2.util.f.b(f.java:16)
	com.ibm.jsse2.util.e.a(e.java:2)
	com.ibm.jsse2.yb.checkServerTrusted(yb.java:46)
	com.ibm.jsse2.hb.checkServerTrusted(hb.java:22)
	com.ibm.jsse2.eb.a(eb.java:8)
	com.ibm.jsse2.eb.a(eb.java:291)
	com.ibm.jsse2.db.m(db.java:192)
	com.ibm.jsse2.db.a(db.java:79)
	com.ibm.jsse2.jc.a(jc.java:184)
	com.ibm.jsse2.jc.g(jc.java:257)
	com.ibm.jsse2.jc.a(jc.java:361)
	com.ibm.jsse2.jc.startHandshake(jc.java:304)
	com.ibm.net.ssl.www2.protocol.https.b.afterConnect(b.java:125)
	com.ibm.net.ssl.www2.protocol.https.c.connect(c.java:28)
	sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:959)
	com.ibm.net.ssl.www2.protocol.https.a.getInputStream(a.java:34)
	edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
	edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
	edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
	edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
	edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
	filters.ExampleFilter.doFilter(ExampleFilter.java:102)

root cause

java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
	com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:379)
	com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:195)
	java.security.cert.CertPathBuilder.build(CertPathBuilder.java:215)
	com.ibm.jsse2.util.f.b(f.java:82)
	com.ibm.jsse2.util.f.b(f.java:16)
	com.ibm.jsse2.util.e.a(e.java:2)
	com.ibm.jsse2.yb.checkServerTrusted(yb.java:46)
	com.ibm.jsse2.hb.checkServerTrusted(hb.java:22)
	com.ibm.jsse2.eb.a(eb.java:8)
	com.ibm.jsse2.eb.a(eb.java:291)
	com.ibm.jsse2.db.m(db.java:192)
	com.ibm.jsse2.db.a(db.java:79)
	com.ibm.jsse2.jc.a(jc.java:184)
	com.ibm.jsse2.jc.g(jc.java:257)
	com.ibm.jsse2.jc.a(jc.java:361)
	com.ibm.jsse2.jc.startHandshake(jc.java:304)
	com.ibm.net.ssl.www2.protocol.https.b.afterConnect(b.java:125)
	com.ibm.net.ssl.www2.protocol.https.c.connect(c.java:28)
	sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:959)
	com.ibm.net.ssl.www2.protocol.https.a.getInputStream(a.java:34)
	edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
	edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
	edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
	edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
	edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
	filters.ExampleFilter.doFilter(ExampleFilter.java:102)

note The full stack trace of the root cause is available in the Apache Tomcat/5.5.23 logs.


Apache Tomcat/5.5.23

Marvin Addison

Re: help with - Step 5: CASify HelloWorld Servlet

The error in your attached log

javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path
building failed: java.security.cert.CertPathBuilderException: unable
to find valid certification path to requested target
        com.ibm.jsse2.n.a(n.java:3)

is almost always caused by SSL trust problems in the CAS client where the
client does not trust the certificate/chain presented by the CAS
server.  I am totally unfamiliar with the IBM JRE, but hopefully you
can translate the instructions for the Sun JRE into your environment.
Import the CAS server cert (or issuer cert if you have a PKI) into the
truststore used by the JRE of the CAS client; the default system
truststore is $JAVA_HOME/jre/lib/security/cacerts.  We use keytool,
http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html, for
keystore management, but there are GUI tools available (e.g.
http://portecle.sourceforge.net/) if you would prefer a graphical
tool.

M
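
The keytool import described in the reply above, as an added example that is not part of the original thread. The function names, the `cas-<host>` alias, the use of `openssl` to fetch the certificate and the stock `changeit` store password are assumptions, as is the jssecacerts-before-cacerts lookup order on the IBM JRE.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are illustrative.

# Print the default truststore of the JRE rooted at $1. JSSE prefers
# jssecacerts over cacerts when both exist (documented for the Sun JSSE;
# assumed here to hold for the IBM JRE too).
find_truststore() {
    for dir in "$1/jre/lib/security" "$1/lib/security"; do
        for name in jssecacerts cacerts; do
            if [ -f "$dir/$name" ]; then
                printf '%s\n' "$dir/$name"
                return 0
            fi
        done
    done
    echo "no truststore found under $1" >&2
    return 1
}

# Save the certificate presented by host $1 on port $2 as PEM in file $3.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# Import certificate $2 into truststore $1 as alias $3 (store password $4),
# then confirm the alias is present.
import_cas_cert() {
    keytool -import -trustcacerts -noprompt -alias "$3" -file "$2" \
        -keystore "$1" -storepass "$4" || return 1
    keytool -list -alias "$3" -keystore "$1" -storepass "$4" >/dev/null
}

# Usage: JAVA_HOME=<JRE that runs Tomcat> sh import-cas-cert.sh <cas-host> <port>
# "changeit" is the stock cacerts password; pass a third argument if it differs.
if [ "$#" -ge 2 ]; then
    store=$(find_truststore "${JAVA_HOME:?set JAVA_HOME}") || exit 1
    pem=$(mktemp)
    fetch_server_cert "$1" "$2" "$pem" || exit 1
    # Compare these fingerprints with ones obtained from the CAS server's
    # administrator before answering "y".
    keytool -printcert -file "$pem" || exit 1
    printf 'Import into %s? [y/N] ' "$store"
    read -r answer
    if [ "$answer" = y ]; then
        cp -p "$store" "$store.bak" &&
            import_cas_cert "$store" "$pem" "cas-$1" "${3:-changeit}"
    fi
    rm -f "$pem"
fi
```

Restart Tomcat after the import so the CAS filter's JVM loads the updated truststore, and run the script with the same JAVA_HOME that Tomcat uses.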
