Hi,
I got back to this issue this week and found the solution, but I guess it doesn't relate to most of you now as we are still running old Geonetwork 2.4.
The issue was the class org.fao.geonet.Geonetwork which was setting the "javax.net.ssl.trustStore" environment parameter to a bogus truststore. To get both JaSig and Soulwing CAS working, I commented out this code, and wrote a login filter to catch the remoteUser from the HTTP request, and then build a UserSession object using the remoteUser as the username in the Geonetwork DB's USERS table. Using the filter means you don't need to change any code in Geonetwork as its Jeeves Servlet checks for a "session" object in the session.
Cheers
Kevin
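As an added illustration of the login filter described above (not code from GeoNetwork or from the author; the Jeeves UserSession class and the USERS-table query are replaced by a hypothetical UserLookup interface and AppUser record), a servlet Filter that reads the container-established remote user and populates the "session" attribute only for principals that already exist in the application's user table:

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical stand-in for the GeoNetwork USERS table lookup; the real Jeeves
// UserSession class is not reproduced here.
interface UserLookup {
    AppUser findByUsername(String username);
}

final class AppUser {
    final String username;
    AppUser(String username) { this.username = username; }
}

public class RemoteUserSessionFilter implements Filter {
    // The servlet downstream looks for a "session" attribute, per the message above.
    static final String SESSION_KEY = "session";
    private UserLookup lookup;

    public void init(FilterConfig config) {
        // Wiring is deployment-specific; here it is read from a hypothetical context attribute.
        lookup = (UserLookup) config.getServletContext().getAttribute(UserLookup.class.getName());
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession http = req.getSession(true);
        if (http.getAttribute(SESSION_KEY) == null) {
            AppUser user = resolveUser(req.getRemoteUser(), lookup);
            if (user != null) {
                http.setAttribute(SESSION_KEY, user);
            }
        }
        chain.doFilter(request, response);
    }

    // Trust only the principal the container established (set by the upstream CAS client
    // filter), never a caller-supplied header, and do not auto-provision unknown principals.
    static AppUser resolveUser(String remoteUser, UserLookup lookup) {
        if (remoteUser == null || remoteUser.length() == 0 || lookup == null) return null;
        return lookup.findByUsername(remoteUser);
    }

    public void destroy() { }
}
```

Map this filter after the CAS client filter in web.xml so that getRemoteUser() is already populated when it runs; an unauthenticated request simply passes through with no session object set.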
-----Original Message-----
From: Kevin Gunn [mailto:K.Gunn@…187…]
Sent: Thursday, 13 May 2010 9:10 AM
To: geonetwork-devel
Subject: Re: [GeoNetwork-devel] geonetwork and CAS
Hi,
I have made some progress with this, using both the JASIG CAS client with filters, and the Soulwing client which CASifies the entire tomcat container. Something about Geonetwork causes this exception.
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:183)
at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:103)
at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:87)
at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:57)
What I have done is modify the JeevesServlet to grab the RemoteUser value from the request, and then use that to build the Jeeves UserSession object. It all works fine, only this exception is biting me. Intermap doesn't exhibit this behaviour, and CASifies no problem. I wasn't aware of any SSL configuration/libraries in geonetwork that might be causing dependency issues when attempting the CAS handshake. All the forums on this exception suggest it's to do with not setting the javax.net.ssl.trustStore and javax.net.ssl.truststorePass JVM args, but even setting these for the tomcat java process doesn't resolve the issue. Does anyone have any suggestions as to why this exception might be occurring?
Running tomcat 6, JRE 1.6
Thx
Kevin
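The "trustAnchors parameter must be non-empty" exception quoted above is raised when the truststore the JVM resolves contains no trusted-certificate entries. The following added check (not GeoNetwork or the author's code) loads the store named by javax.net.ssl.trustStore and counts its trust anchors, so a bogus or empty store is reported directly instead of surfacing as a failed CAS handshake; it assumes the default keystore type and does not consult the JRE's optional jssecacerts file:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Enumeration;

public class TrustStoreCheck {
    // Returns the number of trusted-certificate entries in the keystore at 'path'.
    // A result of 0 is exactly the condition that produces
    // "InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty".
    public static int countTrustAnchors(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        int anchors = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            if (ks.isCertificateEntry(aliases.nextElement())) {
                anchors++;
            }
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        // Resolution order used here: the system property, else the JRE's bundled cacerts.
        // (JSSE's default trust manager also checks lib/security/jssecacerts first; skipped here.)
        String path = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        String password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        int anchors = countTrustAnchors(path, password.toCharArray());
        System.out.println(path + ": " + anchors + " trust anchor(s)");
        if (anchors == 0) {
            System.exit(1);
        }
    }
}
```

Run it with the same -Djavax.net.ssl.trustStore value the Tomcat process uses; a non-zero exit shows the store the application will actually consult is empty, regardless of what the JVM args on the command line say.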
-----Original Message-----
From: Craig Jones [mailto:jonescc@…158…]
Sent: Friday, 7 May 2010 11:44 AM
To: geonetwork-devel
Cc: Kevin Gunn
Subject: Re: [GeoNetwork-devel] geonetwork and CAS
Hi All,
Can anyone answer Kevin's email below?
Thanks,
--
Craig Jones
eMII Infrastructure Programmer
IMOS e-Marine Information Infrastructure Facility (eMII)
Ph: +61 3 6226 8567
On Fri, 2010-05-07 at 10:43 +1000, Kevin Gunn wrote:
Hi Guys,
I'm playing with CAS and geonetwork attempting to get CAS SSO working.
The way I'm trying to do this is to intercept the RemoteUser string in
the JeevesServlet request so we have SSO without having to click on
anything, i.e. not having to execute a Jeeves Service. Just having
Geonetwork on my tomcat seems to break the CAS authentication filters
on other CAS'ified applications that work fine without Geonetwork
there. Intermap, which is also a Jeeves app as you know, doesn't cause
this issue.
Do you guys know of anyone out there in the Geonetwork community who
might have CAS working with Geonetwork for SSO?
Cheers
Kevin
--
------------------------------------------------------------------------
The information contained in this communication is for the use of the
individual or entity to whom it is addressed, and may contain
information which is the subject of legal privilege and/or copyright.
If you have received this communication in error, please notify the
sender by return email and delete the transmission, together with any
attachments, from your system. Thank you.
------------------------------------------------------------------------
--
------------------------------------------------------------------------
The information contained within this transmission is for the
use of the intended recipient only and may contain confidential
and/or legally privileged material and/or material the subject
of copyright and/or personal information and/or sensitive
information that is subject to the Privacy Act 1988. Any review,
re-transmission, disclosure, dissemination or other use of, or
taking of any action in reliance upon, this information by
persons or entities other than the intended recipient is
prohibited. If you have received this email in error please
notify the AIMS Privacy Officer on (07) 4753 4444 and delete
all copies of this transmission together with any attachments.
------------------------------------------------------------------------