Hi Thomas:
Im not seeing this problem with my test CAS server.
Hi Thomas: basically the authentication is interfering with the .ascii request.
I think this doesnt happen if you ask for the binary data (.dods). I will
investigate more.
Thomas LOUBRIEU wrote:
Hi John,
I am happy that you succeed but I have a problem on my side. I didn't
see that the restricted URL request is not understood by the thredds
opendap server. When I try to request data I get the following error (in
threddsServlet.log) :
2007-01-23T18:49:33.494 +0100 [ 77114][ 24] INFO -
thredds.servlet.ServletUtil - Remote host: 134.246.144.168 - Reques
t: "GET
/thredds/dodsC/restricted/CORIOLIS-GLOBAL-RTOA/sea_water_salinity/aggregated_time_serie.ascii?latitude[0:1:498]
HTTP/1.1
"
2007-01-23T18:49:33.559 +0100 [ 77179][ 24] ERROR -
dods.servlet.DODSServlet - DODSServlet.anyExceptionHandler
java.lang.NullPointerException
at dods.dap.ServerVersion.<init>(ServerVersion.java:45)
at dods.dap.DConnect.openConnection(DConnect.java:221)
at dods.dap.DConnect.getDataFromUrl(DConnect.java:455)
at dods.dap.DConnect.getData(DConnect.java:404)
at dods.servlet.dodsASCII.sendASCII(dodsASCII.java:91)
at dods.servlet.DODSServlet.doGetASC(DODSServlet.java:874)
at dods.servlet.DODSServlet.doGet(DODSServlet.java:1457)
at dods.servers.netcdf.NcDODSServlet.doGet(NcDODSServlet.java:271)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:317)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at
org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
at
org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
at
org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:754)
at
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:684)
at
org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:876)
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:595)
2007-01-23T18:49:33.564 +0100 [ 77184][ 24] INFO -
thredds.servlet.ServletUtil - Request Completed - 200 - -1 - 70
Is it alright for you ? I think the browser use http header or
parameters to send the 'CAS ticket'. Is there something wrong with that ?
Thanks,
Thomas
John Caron a écrit :
Hi Thomas:
Thank you very much! I was able to get it working finally (I had the
certificate installed in the wrong JVM!)
In looking at how CAS works with TDS, it appears that a user will get
sent to the CAS login page. However, it may be that the user is not in
a browser, but in another application or even a web service that does
not process HTML FORMs. I am wondering if you know if its possible to
configure CAS to do a HTTP 401 challenge instead of a login page?
I am concerned that some OPeNDAP clients may not be able to work with
a TDS server protected by CAS. I am trying to make recomendations to
the OPeNDAP conference next month on how to create interoperable
OPeNDAP clients and servers that implement security. Do you have plans
to attend that conference? Any thoughts that you have about these
issues would be helpful to me.
John
Thomas LOUBRIEU wrote:
Hi John,
Perhaps you can test your CAS-ification with our CAS authentification
server (https://auth.ifremer.fr). To do so, you'll have to configure
your TDS web.xml file as follow :
<filter>
<filter-name>CAS Filter</filter-name>
<filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
<param-value>https://auth.ifremer.fr/login</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
<param-value>https://auth.ifremer.fr/proxyValidate</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
<param-value>your application server dns:your port</param-value>
</init-param>
</filter>
You can download the convenient cas.keystore (the public certificate
for our server) at :
http://secure.globalsign.net/cacert/sureserverEDU.crt
And then use the jvm options :
JAVA_OPTS="-Xms2048m -Xmx2048m -XX:MaxPermSize=256m
-Djavax.net.ssl.trustStore=sureserverEDU.cert"
to launch the tomcat server.
I have created a login for you, it is :
login : jc1eed0
passwd : aze321
I hope this will help you,
Thomas
John Caron a écrit :
Thomas LOUBRIEU wrote:
Hi Jon,
up to now it is what we are using "as this". Our project, in the
coming weeks, is to extend the 'filter' functions (I don't know yet
which they are) so that we can't check the CAS-authentification (as
it now is) AND if the user login if authorized to access the
current URL according to a configuration file as follow (in XML or
java properties) :
URL_pattern1
login2
login3
login4
URL pattern2
login1
login5
...
where URL_patternX are base URL under which the access is restricted
and loginY are the authorized CAS logins.
otherwise access is free.
It a very simple authorization configuration but we have short
delays to built a demonstration system for an European operational
project.
Hi Thomas, im having trouble getting CAS to work, i keep getting the
following errors. I think Ive installed a certificate correctly in
both tomcat keystore and in JRE cacert. So you have any advice?
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to
validate ProxyTicketValidator
[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
[edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://localhost:8443/cas/proxyValidate]
ticket=[ST-2-rduetdijO1DSxhaUv6EPioZdgItQERr7ufZ-20]
service=[http%3A%2F%2Flocalhost%3A8080%2Fthredds%2FdodsC%2FtestCAS%2FtestData.nc.html]
renew=false]]]
at
edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
at
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
at
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at
org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
at
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
at
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:938)
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
at
edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
at
edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
... 17 more
Caused by: sun.security.validator.ValidatorException: PKIX path
building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
at sun.security.validator.Validator.validate(Validator.java:203)
at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
at
com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
... 31 more
Caused by:
sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
at
java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
... 36 more