Hi,
I'm trying to set up CAS auth on a pristine GN 2.10.2, with the CAS server from georchestra (master from one or two weeks ago), following http://geonetwork-opensource.org/manuals/trunk/eng/users/admin/authentication/index.html.
My geonetwork is hosted (together with mapfishapp & geoserver) on a backend tomcat instance listening on port 9080 behind a frontend tomcat instance listening on ports 8080 & 8443, running the security-proxy and CAS server from georchestra. An nginx reverse-proxy redirects ports 80 & 443 to the frontend tomcat instance running the sec-proxy & CAS.
The frontend tomcat receives all the requests, and I set it up correctly to proxy /geonetwork-2.10/:
<entry key="geonetwork-2.10" value="http://localhost:9080/geonetwork-2.10/"/>
In the settings in the geonetwork database, the host, port & securePort setting are SERVERNAME, 80 & 443.
First, even in a working configuration, each time a login is done, this error message is shown in the cas log, and just seems to add noise:
2014-01-24 10:40:00 AuthenticationManagerImpl [INFO] AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: [callbackUrl: https://localhost:8443/receptor]
2014-01-24 10:40:00 ServiceValidateController [ERROR] TicketException generating ticket for: [callbackUrl: https://localhost:8443/receptor]
That doesn't seem to directly affect whether CAS works or not.
So far here's what I tried:
- setting plain ldap auth works fine, I can log in and fetch profile/groups from ldap.
- cas auth with cas.baseURL=https://SERVERNAME:443/cas and default geonetwork.https.url in config-security.properties (so it's https://SERVERNAME/geonetwork-2.10/) -> clicking on the login link (i.e. srv/eng/main.home?casLogin) in GN redirects to https://SERVERNAME/cas/login?service=https%3A%2F%2FSERVERNAME%3A443%2Fj_spring_cas_security_check (as for other working services, geoserver, old geonetwork & mapfishapp)
after logging in, I see this in the cas log:
2014-01-24 10:40:00 CentralAuthenticationServiceImpl [INFO] Granted service ticket [ST-16-MWHHcXHHi54E202CX1ma-cas] for service [https://SERVERNAME/geonetwork-2.10//j_spring_cas_security_check] for user [MYUSER]
2014-01-24 10:40:00 CentralAuthenticationServiceImpl [ERROR] ServiceTicket [ST-16-MWHHcXHHi54E202CX1ma-cas] with service [https://SERVERNAME/geonetwork-2.10//j_spring_cas_security_check] does not match supplied service [https://SERVERNAME:443/j_spring_cas_security_check]
In the browser, I'm getting a 401 auth failed/bad creds on this url:
https://SERVERNAME/geonetwork-2.10//j_spring_cas_security_check?ticket=ST-22-5ypOMHCRhZpg4bv2IlqJ-cas
So there seems to be a mismatch between the service url in the request and the url attached to the service ticket for geonetwork? Note that I'm successfully logged in for the services that were already working, only geonetwork-2.10 fails to see me as logged in (and xml.info?type=me still shows me as unauthenticated).
- Fine, I tried setting geonetwork.https.url to https://SERVERNAME:443 to match what CAS seems to expect. If I do this, there is no mismatch error message in the log:
2014-01-24 11:02:54 CentralAuthenticationServiceImpl [INFO] Granted service ticket [ST-26-G5bWoqW5IOdbT4KHGDZv-cas] for service [https://SERVERNAME:443/j_spring_cas_security_check] for user [breuil]
but after logging in I'm redirected to the root of the server (i.e. https://SERVERNAME). If I go back to /geonetwork-2.10/ it still doesn't see me as authenticated.
Note that the login link with CAS seems to be broken in the extjs UI, as I reported in https://github.com/geonetwork/core-geonetwork/issues/361
The only reference to this problem I could find so far is https://groups.google.com/forum/#!msg/georchestra-dev/GqlUfCZkVTA/BoqCOF00V1EJ but there doesn't seem to be a solution.
Does CAS keep a list of services it will grant auth to? What could be the problem here? Does anyone have a working setup & could show me its configuration in detail?
--
Landry Breuil
Mouton a 5 pattes du CRAIG
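A small diagnostic, added here as an illustration and not part of the original post or of GeoNetwork/CAS code: it takes the two service URLs quoted in the CAS log above, canonicalises them (explicit default port, collapsed slashes) and lists which component still differs, which separates the cosmetic differences from the real one (the missing /geonetwork-2.10/ prefix). The join helper shows how a trailing slash on a base URL plus a leading slash on the check path produces the "//" seen in the log; how GeoNetwork actually builds that URL is an assumption here.

```python
from urllib.parse import urlsplit

# Constructed from the two service URLs quoted in the CAS log of the post.
GRANTED = "https://SERVERNAME/geonetwork-2.10//j_spring_cas_security_check"
SUPPLIED = "https://SERVERNAME:443/j_spring_cas_security_check"

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical(url):
    """Return (scheme, host, port, path) with the scheme's default port made
    explicit and runs of '/' in the path collapsed, so purely cosmetic
    differences do not hide a real one."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    path = "/" + "/".join(seg for seg in parts.path.split("/") if seg)
    return scheme, parts.hostname.lower(), port, path


def explain_mismatch(granted, supplied):
    """List every canonical component that differs between the service the
    ticket was granted for and the service named in the validation request.
    An empty list means only cosmetic (port/slash) differences remain."""
    g, s = canonical(granted), canonical(supplied)
    names = ("scheme", "host", "port", "path")
    return [f"{n}: ticket has {gv!r}, validation request has {sv!r}"
            for n, gv, sv in zip(names, g, s) if gv != sv]


def join_service_url(base, check_path="/j_spring_cas_security_check"):
    """Join a base URL and the check path with exactly one slash. Naive
    concatenation of 'https://SERVERNAME/geonetwork-2.10/' and the path
    would yield the doubled slash visible in the log (assumed cause)."""
    return base.rstrip("/") + "/" + check_path.lstrip("/")


if __name__ == "__main__":
    # Literal comparison fails on port and slashes; canonical comparison
    # shows the one difference that matters: the application path prefix.
    print("literal match:", GRANTED == SUPPLIED)
    for line in explain_mismatch(GRANTED, SUPPLIED):
        print(line)
    print(join_service_url("https://SERVERNAME/geonetwork-2.10/"))
```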