[GeoNetwork-devel] Can't get CAS authentication to work with GN 2.10.2

Hi,

I'm trying to set up CAS auth on a pristine GN 2.10.2, with the CAS server from georchestra (master from one or two weeks ago), following http://geonetwork-opensource.org/manuals/trunk/eng/users/admin/authentication/index.html.

My geonetwork is hosted (together with mapfishapp & geoserver) on a backend tomcat instance listening on port 9080, behind a frontend tomcat instance listening on ports 8080 & 8443 and running the security-proxy and CAS server from georchestra. An nginx reverse-proxy redirects ports 80 & 443 to the frontend tomcat instance running the sec-proxy & CAS.

The frontend tomcat receives all the requests, and I correctly set it up to proxy /geonetwork-2.10/:
<entry key="geonetwork-2.10" value="http://localhost:9080/geonetwork-2.10/"/>

In the settings in the geonetwork database, the host, port & securePort settings are SERVERNAME, 80 & 443.

First, even in a working configuration, each time a login is done, this error message is shown in the cas log, and just seems to add noise:

2014-01-24 10:40:00 AuthenticationManagerImpl [INFO] AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: [callbackUrl: https://localhost:8443/receptor]
2014-01-24 10:40:00 ServiceValidateController [ERROR] TicketException generating ticket for: [callbackUrl: https://localhost:8443/receptor]

That doesn't seem to directly affect CAS working or not.

So far here's what i tried:
- Setting plain LDAP auth works fine: I can log in and fetch profile/groups from LDAP.

- CAS auth with cas.baseURL=https://SERVERNAME:443/cas and the default geonetwork.https.url in config-security.properties (so it's https://SERVERNAME/geonetwork-2.10/) -> clicking on the login link (i.e. srv/eng/main.home?casLogin) in GN redirects to https://SERVERNAME/cas/login?service=https%3A%2F%2FSERVERNAME%3A443%2Fj_spring_cas_security_check (as for the other working services: geoserver, old geonetwork & mapfishapp)

After logging in, I see this in the CAS log:
2014-01-24 10:40:00 CentralAuthenticationServiceImpl [INFO] Granted service ticket [ST-16-MWHHcXHHi54E202CX1ma-cas] for service [https://SERVERNAME/geonetwork-2.10//j_spring_cas_security_check] for user [MYUSER]
2014-01-24 10:40:00 CentralAuthenticationServiceImpl [ERROR] ServiceTicket [ST-16-MWHHcXHHi54E202CX1ma-cas] with service [https://SERVERNAME/geonetwork-2.10//j_spring_cas_security_check does not match supplied service [https://SERVERNAME:443/j_spring_cas_security_check]

In the browser, I'm getting a 401 auth failed/bad creds on this URL:
https://SERVERNAME/geonetwork-2.10//j_spring_cas_security_check?ticket=ST-22-5ypOMHCRhZpg4bv2IlqJ-cas

So there seems to be a mismatch between the service URL in the request and the URL attached to the service ticket for geonetwork? Note that I'm successfully logged in for the services that were already working; only geonetwork-2.10 fails to see me as logged in (and xml.info?type=me still shows me as unauthenticated).

- Fine, I tried setting geonetwork.https.url to https://SERVERNAME:443 to match what CAS seems to expect. If I do this, there is no mismatch error message in the log:
2014-01-24 11:02:54 CentralAuthenticationServiceImpl [INFO] Granted service ticket [ST-26-G5bWoqW5IOdbT4KHGDZv-cas] for service [https://SERVERNAME:443/j_spring_cas_security_check] for user [breuil]
but after logging in I'm redirected to the root of the server (i.e. https://SERVERNAME). If I go back to /geonetwork-2.10/ it still doesn't see me as authenticated.

Note that the login link with CAS seems to be broken in the extjs UI, as I reported in https://github.com/geonetwork/core-geonetwork/issues/361

The only ref to this problem I could find so far is https://groups.google.com/forum/#!msg/georchestra-dev/GqlUfCZkVTA/BoqCOF00V1EJ but there doesn't seem to be a solution.

Does CAS keep a list of services it will grant auth to? What could be the problem here? Does anyone have a working setup and could show me its configuration in detail?

--
Landry Breuil
Mouton a 5 pattes du CRAIG
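The mismatch in the CAS log above comes down to a string comparison. The toy below is an added example (not CAS or GeoNetwork code) that models the rule CAS applies: a service ticket is bound to the exact service URL it was granted for, it is single-use, and it validates only when the application presents that same string back. Fed the two URLs quoted from the log it fails the same way the post does; fed one consistent URL it passes. Ticket ids and the registry are constructed for illustration; the URLs and the user name are the ones in the post. The service URL is also where CAS sends the browser back after login, which is why setting it to https://SERVERNAME:443 with no application path lands the user on the server root.

```python
import secrets

# The two service strings quoted from the CAS log in the post above.
GRANTED_FOR = "https://SERVERNAME/geonetwork-2.10//j_spring_cas_security_check"
SUPPLIED = "https://SERVERNAME:443/j_spring_cas_security_check"


class CasServer:
    """Toy ticket registry modelling the CAS service-ticket rule (not CAS code)."""

    def __init__(self):
        self._tickets = {}  # ticket id -> (service the ST was granted for, user)
        self._counter = 0

    def login(self, service, user):
        """/cas/login?service=...: after the user authenticates, CAS grants a
        service ticket for exactly the service string it received."""
        self._counter += 1
        ticket = f"ST-{self._counter}-{secrets.token_urlsafe(15)}-cas"
        self._tickets[ticket] = (service, user)
        return ticket

    def validate(self, ticket, service):
        """/cas/serviceValidate?ticket=...&service=...: the supplied service must
        be the same string the ST was granted for.  The log in the post shows
        CAS compares the two service ids as strings, so an explicit :443, a
        different path or a doubled slash all make the ticket unusable.
        Tickets are one-shot: the entry is consumed whether or not the check
        passes, so a replayed ticket fails too."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None, "INVALID_TICKET"
        bound_service, user = entry
        if bound_service != service:
            return None, "INVALID_SERVICE"
        return user, None


def cas_login(granted_for, supplied, user="MYUSER"):
    """One login round trip: CAS grants an ST for `granted_for`; the application
    then validates it, telling CAS its own idea of the service URL, `supplied`.
    Returns (authenticated user or None, CAS error code or None)."""
    cas = CasServer()
    ticket = cas.login(granted_for, user)
    return cas.validate(ticket, supplied)


def replayed_login(service, user="MYUSER"):
    """Validate the same ST twice: the second attempt fails even with a
    matching service, because service tickets are single-use."""
    cas = CasServer()
    ticket = cas.login(service, user)
    cas.validate(ticket, service)
    return cas.validate(ticket, service)


if __name__ == "__main__":
    # The failure from the post: ST granted for one URL, validated with another.
    print(cas_login(GRANTED_FOR, SUPPLIED))   # (None, 'INVALID_SERVICE')
    # The same service string on both legs: the user is authenticated.
    print(cas_login(SUPPLIED, SUPPLIED))      # ('MYUSER', None)
    print(replayed_login(SUPPLIED))           # (None, 'INVALID_TICKET')
```

The check to make on a real deployment is therefore not "is the URL reachable" but "is the `service=` parameter in the login redirect byte-for-byte the string the application later hands to /serviceValidate"; behind a reverse proxy the two are computed from different settings (here the host/port in the database versus geonetwork.https.url), which is exactly how they drift apart.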

On 01/24/14 11:08, Landry Breuil wrote:

This gave me a hint to look at what LDAP sees as requests/searches in its debug log:

- In the case of a successful auth from my working GN to CAS (or the broken GN with geonetwork.https.url set to SERVERNAME:443), 3 searches are made: 2 with uid=username on the base tree of users and one on the group tree with memberUid=username.

- In the broken case (i.e. using the default geonetwork.https.url), an additional search is made before getting the 401 auth fail page, on the base tree of users with a strange '(uid=_cas_stateful_)' filter... I don't know if this is the cause of the general failure, but that looks strange.

--
Landry Breuil
Mouton a 5 pattes du CRAIG

On 01/24/14 11:34, Landry Breuil wrote:

FWIW, after help on IRC from Jesse, I managed to fix the issue: since georchestra's security-proxy was already talking to CAS, I didn't need to set up geonetwork to talk to CAS; I only had to override the preAuth filter (which defaults to a passthrough one) to use the header sent by the sec-proxy.

I.e. import the provided config-security-ldap.xml and config-security-georchestra.xml from https://github.com/georchestra/geonetwork/blob/georchestra-13.12/web/src/main/webapp/WEB-INF/config-security-georchestra.xml

-> With only that, I'm now able to successfully auth my users.

--
Landry Breuil
Mouton a 5 pattes du CRAIG
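The fix in the message above swaps CAS inside GeoNetwork for header-based pre-authentication: the security-proxy authenticates the user against CAS and tells GeoNetwork who that user is in a request header. The check a practitioner wants with that design is that the header is honoured only when the request really came through the proxy; the proxy entry earlier in the thread forwards to localhost:9080, so anything else that reaches port 9080 is forging it. The example below is added here and is not georchestra or GeoNetwork code: the header names `sec-username`/`sec-roles`, the semicolon-separated role list and the loopback-only trust list are assumptions, as are the sample requests.

```python
from ipaddress import ip_address, ip_network

# Assumptions for this example: the security-proxy forwards to GeoNetwork on the
# same host (localhost:9080, as in the proxy entry quoted in the thread) and
# asserts identity in these headers.  Names and separator are assumed, not
# taken from the post.
TRUSTED_PROXIES = (ip_network("127.0.0.1/32"), ip_network("::1/128"))
USERNAME_HEADER = "sec-username"
ROLES_HEADER = "sec-roles"


class PreAuthRejected(Exception):
    """An identity header arrived from a peer that is not the security-proxy."""


def preauth_identity(headers, peer_ip):
    """Header pre-authentication: return (username, roles) asserted by the proxy,
    or None to pass the request through anonymously (what the default
    passthrough filter mentioned in the post does).  Raises PreAuthRejected when
    the identity header is present but the request did not arrive via the proxy.

    headers: mapping of header name -> value as the backend received them
    peer_ip: address of the TCP peer that delivered the request
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    username = lowered.get(USERNAME_HEADER)
    if username is None:
        return None
    peer = ip_address(peer_ip)
    if not any(peer in network for network in TRUSTED_PROXIES):
        # The backend port was reached directly: the header is client-supplied,
        # and trusting it would let anyone log in as anybody.
        raise PreAuthRejected(f"{USERNAME_HEADER} from untrusted peer {peer_ip}")
    roles = [role for role in lowered.get(ROLES_HEADER, "").split(";") if role]
    return username, roles


def accepts(headers, peer_ip):
    """True if the request proceeds (authenticated or anonymous), False if the
    identity header is rejected as forged."""
    try:
        preauth_identity(headers, peer_ip)
    except PreAuthRejected:
        return False
    return True


if __name__ == "__main__":
    # Constructed requests: one via the proxy, one anonymous, one forged.
    via_proxy = {"Sec-Username": "breuil", "Sec-Roles": "ROLE_ADMINISTRATOR;ROLE_SV_EDITOR"}
    print(preauth_identity(via_proxy, "127.0.0.1"))  # ('breuil', ['ROLE_ADMINISTRATOR', 'ROLE_SV_EDITOR'])
    print(preauth_identity({}, "127.0.0.1"))         # None
    print(accepts({"sec-username": "admin"}, "203.0.113.5"))  # False
```

Binding the backend connector to the loopback address (or firewalling 9080 to the proxy host) is the network-level equivalent of this check; doing both means a misconfigured connector does not silently become an authentication bypass.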

Thanks for updating this thread.

Jesse


On Tue, Jan 28, 2014 at 3:34 PM, Landry Breuil <breuil@anonymised.com> wrote:

GeoNetwork-devel mailing list
GeoNetwork-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geonetwork-devel
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork