Using CAS with WebSphere Portal 6.1 for SSO
This post does not explain how to configure WebSphere portal 6.1 with CAS server for SSO as there is detailed explanation given for same at this page. The purpose of this post is to provide some additional details.
One can achieve SSO between two or more WebSphere portal servers without using any external SSO mechanism provided following conditions are satisfied –
- SSO is enabled for all the servers and all servers are in same (SSO) domain.
- All servers are having same security configuration.
- LTPA keys are same in all the servers.
In this case, if you log in to one portal server and try to access a protected resource in any of other portal servers in SSO domain, you will observe that none of the other servers will prompt for username and password. This happens because of a built-in SSO mechanism called LTPA tokens in WebSphere application/portal server. So then why do we need an external SSO mechanism? The reason is that LTPA is specific to IBM family of products and can not be used with other servers. For example, if you want to achieve SSO between an application running in a tomcat server and a WebSphere portal, you can not use LTPA mechanism for SSO.
What exactly happens when an unauthenticated client try to access a protected portal resource?
Consider the above diagram. When WebSphere app/portal server receives a request for a protected resource from an unauthenticated client, request will follow route 2 as show in above diagram. In this case, WebSphere server will invoke TAI if there is a TAI configured. If TAI asserts user identity for this request, WebSphere server will invoke login modules to create Subject for the client.
Once the client is authenticated successfully, all the requests to server will follow route 1.
Assuming that WebSphere server is having a CAS TAI configured, this is what TAI will do for following possible states of an unauthenticated request –
1) There is neither a ticket parameter (this is appended by CAS server to the redirect url after authenticating the client) in the request url nor there is a LTPA token in request cookies.
This situation occurs when an unauthenticated client sends first request for a protected resource to a portal server. In this case portal will redirect user to either login portlet (this is default configuration) or to a login screen if portal has been configured for a login screen. However if portal is using CAS for SSO, it should redirect user to CAS server login screen. Where should one put the code for redirecting user to CAS server login screen? Normally this code is put either in theme assigned to login portlet page or in the login screen if portal has been configured for login screen. But it is also possible to do this redirection in TAI itself. To achieve this, you will need to do some changes in CasTAIHelper and CASTAI511 classes which are part of CAS client for WebSphere server package available from CAS website. These changes are as following –
CasTAIHelper
protected static String CAS_LOGIN_URL;
public static int initialize(Properties props) {
......
CAS_LOGIN_URL = props.getProperty("CAS_LOGIN_URL");
......
if (CAS_LOGIN_URL == null) {
System.err.println("CAS_LOGIN_URL property information missing");
return -1;
}
}
public static boolean isTargetInterceptor(HttpServletRequest request) {
if(null != request.getParameter("ticket") || null == request.getUserPrincipal()) {
return true;
}
return false;
}
I have added a property called CAS_LOGIN_URL which stores the url of CAS login screen. This property should be efined as a custom property for CAS TAI in WebSphere server admin console. Also isTargetInterceptor() method is checking whether there is any user principal available in request or not. If its not there, then this method will return true which will result in WebSphere server invoking negotiateValidateandEstablishTrust() on TAI class (see below code).
CASTAI511
public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest request, HttpServletResponse response) throws WebTrustAssociationFailedException {
TAIResult taiResult = null;
if (null != request.getParameter("ticket")) {
ServiceTicketValidator sv = new ServiceTicketValidator();
String ticket;
try {
ticket = CasTAIHelper.getTicket(request);
} catch (ServiceTicketLostException e) {
throw new WebTrustAssociationFailedException(e.getMessage());
}
String uid;
try {
uid = CasTAIHelper.negotiateValidateandEstablishTrust(ticket, request, sv);
} catch (CasException e1) {
throw new WebTrustAssociationFailedException(e1.getMessage());
}
System.out.println("Principal: '" + uid + "'");
taiResult = TAIResult.create(200, uid);
} else {
try {
StringBuffer reqURL = request.getRequestURL();
String queryString = request.getQueryString();
if(null != queryString && !queryString.equals("")){
reqURL.append("?");
reqURL.append(request.getQueryString());
}
response.sendRedirect(CasTAIHelper.CAS_LOGIN_URL + "?service=" + reqURL.toString());
//This is important. Without this redirect will not work.
taiResult = TAIResult.create(HttpServletResponse.SC_MOVED_TEMPORARILY);
} catch (Exception ex) {
//handle exception
}
}
return taiResult;
}
In a normal web application we use response.sendRedirect(url) to redirect client to a different page. However doing this alone in TAI is not sufficient to redirect user to some other page. You need to create an instance of TAIResult by calling create(int status) method of this class. Value of status code should be 302 which is also the value of HttpServletResponse.SC_MOVED_TEMPORARILY constant.
2) Request url is having ticket parameter but there is no LTPA cookie in the request
This occurs when CAS server redirects client to portal server after successful authentication. In this case TAI will assert user identity to WebSphere portal server. Behavior of TAI in this case has been already explained in many articles so it is not covered here.
3) Request is having LTPA cookie but there is no ticket parameter in the url.
This will occur when you log in to a portal server in a SSO domain and then try to access a protected resource in some other server of same SSO domain. In this case you have to decide whether you want to use TAI for identity assertion or by pass it to let the LTPA mechanism log user in the portal server.
As i mentioned in the beginning of this post that its possible to achieve SSO among a group of portal servers without using any TAI. So how does SSO works in this case? Consider the diagram shown above. When a user log in to a portal server, it will create an LTPA token after successful authentication and sent this token as a cookie in the response. So when you hit a protected url of some other server in same SSO domain, client will send this LTPA cookie to that server. During the authentication process, WebSphere server will invoke various login modules (a concept of JAAS) in a sequence in which these login modules have been configured. One of the these modules is LTPA login module (com.ibm.ws.security.server.lm.ltpaLoginModule) which uses this token to log user in to the portal. If you are interested in more details then use following trace string to see what is happening in the background –
com.ibm.ws.security.ltpa.*=all:com.ibm.ws.security.server.lm.ltpaLoginModule=all
If you are using CAS TAI, then what should you do in this case? According to me negotiateValidateandEstablishTrust() method of CAS TAI should be invoked only if there is no valid LTPA token cookie available in the request for current server. This means code of isTargetInterceptor() method of CasTAIHelper class should be as following –
public static boolean isTargetInterceptor(HttpServletRequest request) {
if(null != request.getParameter("ticket")) {
return true;
}
//pseudo code
check if LTPA cookie is available
Yes
Validate LTPA cookie for this server
Validation is successful
return false (Now LTPA login module will log user in to the portal)
Validation failed
return true (this will redirect user to CAS login screen)
No
return true (this will redirect user to CAS login screen)
return false;
}
As there is no public API/SPI available in WebSphere portal for validating a LTPA token, validating LTPA
token in TAI does not look feasible. But since this is already happening in LTPA login module, it should be possible to validate LTPA token in TAI. I will update this post if i find a solution for validating LTPA token in TAI.
Ideally there should be a component in WebSphere server which is executed before TAI and can be activated/deactivated through configuration. In active state, it should check whether there is any LTPA token in the request or not. If a valid LTPA token is available in the request for this server, TAI should not be invoked. In case this component is deactivated, processing should happen normally.
Importing CAS certificate in WebSphere server trust store
As TAI communicates with CAS validation service over https, you will need to import either CAS server or CA (Certificate Authority) certificate in WebSphere portal server trust store for successful communication over https with CAS validation service. Instead of doing it through commands using jdk keytool utility, you can do it easily using WebSphere server admin console. Here are the steps for importing the certificate in WebSphere trust store –
a. Log on to admin console.
b. Go to Security –> SSL certificate and key management section.
c. Click on Key stores and certificates link.
d. Click on NodeDefaultTrustStore link.
e. Click on Signer certificates link.
f. Now click on Retrive from port button.
g. You have two choices at this stage –
1. If you want to import CAS server certificate in WebSphere trust store, then enter CAS server host name and https port details on this page and click on Retrieve signer information button. This will show CAS server certificate details on this page. Now enter a name for alias and click on OK button to import this certificate in trust store.
2. If you want to import CA certificate in trust store, first click on Signer certificates link in breadcrumb and then on Add button. Make sure you have copied CA certificate to <portal_installation_root>\wp_profile\etc folder on portal server and it is either in Base64-encoded format or in Binary DER format. Specify an alias for this certificate and click on first Apply and then on OK button to import the CA certificate.
So which of the above options should one choose? Generally a server certificate issued by a CA will be valid for one or two years only while most ( or probably all) of the CA certificates are valid for longer time (15 years or more). So if you are importing CAS server certificate then you will need to repeat this process every one or two years for all the portal machines (and other servers) which are using this CAS server for SSO. On the other hand importing CA certificate in trust stores of CAS client servers will make sure that you don’t repeat the import process for every CAS server client every time when CAS server certificate is expired.
My knowledge about WebSphere Portal and WCM 
hey Shailendra
Nice post. I have a question though. I am trying to implement a custom TAI for my websphere portal. My current scenario is I invoke LoginPortlet, where a portal login screen is displayed, I enter uid/pwd which is then authenticated against LDAP using Sun AM SDK. If authenticated, it returns a SSOToken. I then check for this SSO token and authenticate against portal registry using LoginService. Now I want to get rid of the LoginService part and figured custom TAI is the solution. But I am having issues tryign to get this TAI invoked. All I want it to do is invoke TAI when I invoke Login screen of portal and since first time I did not enter uid/pwd, I will be displayed uid/pwd, once I enter those, it will again go through TAI and this time authenticates against Sun AM and asserts the identity. Does this make sense? How long does server store the identity. I want the user to be prompted for login everytime he tries to invoke the portal login url.
TIA for your help
raj
Shailendra,
I have CAS integrated with Websphere Portal 6.1.0.5. With “remember me” functionality in portal turned on I can authenticate using CAS to portal, but portal does not authorize the logged in user to see any pages, so all I can see is the login page.
I have the CAS client code running in debug so I see the user is authenticate in the logs. And I see the users name and logout button from the banner.jsp in the theme, but all the user seems to be authorized to see is the login page. I had remember me working correctly prior to integrating CAS. And if I disable “remember me” I can authenticate and get properly authorized by portal to see the pages I expect.
Ever seen anything like this? Any ideas about what is getting missed in the login chain when rmeberme is enabled?
Thanks,
Dana
Dana,
I have never configured WPS to use its “remember me” functionality so i don’t know how it works exactly. In my opinion you should use “remember me” feature of CAS instead of same from WPS as in case of SSO authentication is handled by CAS. Have a look at following this link – “https://wiki.jasig.org/display/CASUM/Remember+Me”
Regarding logout button i think you will need to remove it from theme if you use “remember me” feature of CAS. I don’t think WPS will hide it automcatically if you are using “remember me” feature of CAS.
CAS Remember Me might be exactly what I need, thanks.
Dana
Shailendra,
I have almost all of my CAS SSO configured. We are going to use CAS remember me as you suggested. Now I have one item remaining. In your post you talk about the automatic redirect that portal does to the login screen for requests by unauthenticated users to secure resources:
“Where should one put the code for redirecting user to CAS server login screen? Normally this code is put either in theme assigned to login portlet page or in the login screen if portal has been configured for login screen. But it is also possible to do this redirection in TAI itself.”
So I have two questions, first, when you say the code for the redirect is normally in the login portlet or screen, what method of redirection are you suggesting? A simple response.sendRedirect does not seem to work as I don’t have access to the underlying servlet response object. A client side redirect is too slow and loads the page before the redirect happens.
And second, I assume for the TAI approach, you had to build the CAS client jars from the source with your changes, then you need to maintain the changes if a new version of CAS is deployed? Just wondering what the extra effort of building and maintaining your own version of CAS buys us, that is, if there is an acceptable redirect method from the login screen?
Thanks again,
Dana
Dana,
Server side redirect is not possible with login screen so you will need to use client side redirection in this case. However if portal is configured for login portlet (default configuration) then you can use response.sendRedirect in portal theme but then it makes no sense to create a portal theme just to have redirection logic in it.
Modifications in CAS client jar is one time effort and you need not to redeploy this jar with custom changes until IBM does any change in TAI interface (as they did in WAS 5.1.1) or there is any major architecture change in CAS. Having both redirection and identity assertion logic makes sure that you can restore default security configuration for WPS just by disabling TAI in websphere server admin console.
Shailendra,
Your reply makes perfect sense and I have made the changes to the TAI just as you have outlined – it works perfect.
Thanks so much,
Dana
Hello Shailendra,
I’m having some problems to configure Websphere Portal 6.1 with CAS. After I’ve established the interceptor, the interceptor parameters and the CAS Certificated in WebSphere trust store, I have tried to get this URL :
https://mycas:9443/cas/login?service=http://localhost:10040/wps/myportal/
And the answer is the following:
CAS is Unavailable
There was an error trying to complete your request. Please notify your support desk or try again.
I guess the problem is CAS but I really don’t know why.
Thank u so much.
Elena
This problem was solved it. Now my problem is the the ticket invalid.
Thank you
Hello Shailendra,
I have a problem when I try to invoke:
https://mycas:9443/cas/login?service=http%3A%2F%2Flocalhost%3A10040%2Fwps%2Fmyportal
The exception is:
¿Can u help me, please?
…..
[21/05/12 11:02:45:194 CEST] 0000004e SystemOut O set ticket : ST-19-F4Ad3wAQfi2F9N9JIJRn-cas-aut=L
[21/05/12 11:03:06:370 CEST] 0000004e SystemOut O error during validation : Operation timed out: connect:could be due to invalid address
[21/05/12 11:03:06:496 CEST] 0000004e WebAuthentica E SECJ0126E: Se ha producido un error en la asociación de confianza durante la validación. La excepción es com.ibm.websphere.security.WebTrustAssociationFailedException: Operation timed out: connect:could be due to invalid address
at com.octo.cas.client.websphere.CasTAI511.negotiateValidateandEstablishTrust(CasTAI511.java:89)
at com.ibm.ws.security.web.TAIWrapper.negotiateAndValidateEstablishedTrust(TAIWrapper.java:102)
at com.ibm.ws.security.web.WebAuthenticator.handleTrustAssociation(WebAuthenticator.java:277)
at com.ibm.ws.security.web.WebAuthenticator.authenticate(WebAuthenticator.java:1451)
at com.ibm.ws.security.web.WebAuthenticator.authenticate(WebAuthenticator.java:1373)
at com.ibm.ws.security.web.WebCollaborator.authorize(WebCollaborator.java:670)
at com.ibm.ws.security.web.EJSWebCollaborator.preInvoke(EJSWebCollaborator.java:318)
at com.ibm.ws.webcontainer.webapp.WebAppSecurityCollaborator.preInvoke(WebAppSecurityCollaborator.java:141)
at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:486)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:90)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:751)
at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1478)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:125)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:458)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:387)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:267)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:136)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:196)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:751)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:881)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1497)
Elena,
Can you check the logs of CAS server and make sure that portal is able to communicate with CAS server? If this is working fine then paste the CAS server logs here.
Thank you so much.
There is not a problem with the comunication between Webshpere Portal and CAS (I think). the process is the following:
– I invoke https://mycas:9443/cas/login?service=http://localhost:10040/wps/myportal
– Appear the login screen. I fill my credentials and the CAS logs are (The logs are not the original CAS logs, we create one lib, so the logs are in Spanish):
[22/05/12 9:58:33:604 CEST] 0000003a WebContainer E SRVE0255E: No se ha defin ido un WebGroup/Host virtual para manejar /favicon.ico.
[22/05/12 9:58:33:622 CEST] 0000003a WebContainer E SRVE0255E: No se ha defin ido un WebGroup/Host virtual para manejar /favicon.ico.
[22/05/12 9:58:33:628 CEST] 0000003a WebContainer E SRVE0255E: No se ha defin ido un WebGroup/Host virtual para manejar /favicon.ico.
login:00120112Y
[22/05/12 9:58:51:169 CEST] 0000003d SystemOut O idResultado:1
[22/05/12 9:58:51:169 CEST] 0000003d SystemOut O idTipoAutenticacion:1
[22/05/12 9:58:51:169 CEST] 0000003d SystemOut O servicio:wps/myportal
[22/05/12 9:58:51:170 CEST] 0000003d SystemOut O Fecha:Tue May 22 09:58:51 C EST 2012
[22/05/12 9:58:51:170 CEST] 0000003d SystemOut O remoteIp:10.44.93.221
[22/05/12 9:58:51:170 CEST] 0000003d SystemOut O tgt:TGT-7-61blkegFgAseK3EfV aMajSPtg1ecV3ESzKlGDRsKKkZ7LMSvsv-cas-aut=L
[22/05/12 9:58:51:170 CEST] 0000003d SystemOut O certificado:null
– Websphere logs write the following information:
[22/05/12 9:58:57:664 CEST] 00000059 SystemOut O has ticket? =true
[22/05/12 9:58:57:664 CEST] 00000059 SystemOut O request url=http://localhost:10040/wps/myportal
[22/05/12 9:58:57:664 CEST] 00000059 SystemOut O try to get ticket
[22/05/12 9:58:57:664 CEST] 00000059 SystemOut O ticket not null : ST-11-xlHaHpWYRlpdzA6qc5nX-cas-aut=L
[22/05/12 9:58:57:664 CEST] 00000059 SystemOut O new ticket validator
[22/05/12 9:58:57:664 CEST] 00000059 SystemOut O serviceUrl generated: http://localhost:10040/wps/myportal
[22/05/12 9:58:57:664 CEST] 00000059 SystemOut O set validation url :https://10.12.18.199:9443/cas/login
[22/05/12 9:58:57:664 CEST] 00000059 SystemOut O set service : http://localhost:10040/wps/myportal
[22/05/12 9:58:57:664 CEST] 00000059 SystemOut O set ticket : ST-11-xlHaHpWYRlpdzA6qc5nX-cas-aut=L
[22/05/12 9:58:57:664 CEST] 00000059 SystemOut O entering retrieve(https://10.12.18.199:9443/cas/login?service=http://localhost:10040/wps/myportal&ticket=ST-11-xlHaHpWYRlpdzA6qc5nX-cas-aut=L)
[22/05/12 9:59:18:724 CEST] 00000059 SystemOut O error during validation : Operation timed out: connect:could be due to invalid address
[22/05/12 9:59:18:724 CEST] 00000059 WebAuthentica E SECJ0126E: Se ha producido un error en la asociación de confianza durante la validación. La excepción es com.ibm.websphere.security.WebTrustAssociationFailedException: Operation timed out: connect:could be due to invalid address
at com.ibm.portal.client.websphere.CasTAI.negotiateValidateandEstablishTrust(CasTAI.java:50)
at com.ibm.ws.security.web.TAIWrapper.negotiateAndValidateEstablishedTrust(TAIWrapper.java:102)
at com.ibm.ws.security.web.WebAuthenticator.handleTrustAssociation(WebAuthenticator.java:277)
at com.ibm.ws.security.web.WebAuthenticator.authenticate(WebAuthenticator.java:1451)
at com.ibm.ws.security.web.WebAuthenticator.authenticate(WebAuthenticator.java:1373)
at com.ibm.ws.security.web.WebCollaborator.authorize(WebCollaborator.java:670)
at com.ibm.ws.security.web.EJSWebCollaborator.preInvoke(EJSWebCollaborator.java:318)
at com.ibm.ws.webcontainer.webapp.WebAppSecurityCollaborator.preInvoke(WebAppSecurityCollaborator.java:141)
at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:486)
at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3517)
at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:269)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:818)
at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1478)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:125)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:458)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:387)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:267)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:136)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:196)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:751)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:881)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1497)
I added some logs in the library “casclient-2.1.1.jar” and the problem is in the class ServiceTicketValidator.java in the line:
r.parse(new InputSource(new StringReader(response)));
Thank you so much for your help
Elena,
You have specified invalid validation url. It should be something like https://myCasServer/cas/serviceValidate. Can you please have a look at this link – https://wiki.jasig.org/pages/viewpage.action?pageId=19314 and make sure that you have configured TAI properly?
Thank you so much, I didn’t realize my service validate URL was wrong.
Hello Shailendra,
I get another exeption when I try to access http://localhost:10040/wps/myportal/
The exception is the following, thanks so much for your help.
[205/12 5/05/12 14:02:59:257 CEST] 0000004b SystemOut O has ticket? =false
[25/14:02:59:257 CEST] 0000004b SystemOut O request url=http://localhost:10040/wps/myportal/
[25/05/12 14:02:59:257 CEST] 0000004b SystemOut O Redirect to CAS is done
[25/05/12 14:02:59:288 CEST] 00000049 SystemOut O has ticket? =true
[25/05/12 14:02:59:288 CEST] 00000049 SystemOut O request url=http://localhost:10040/wps/myportal/
[25/05/12 14:02:59:288 CEST] 00000049 SystemOut O try to get ticket
[25/05/12 14:02:59:288 CEST] 00000049 SystemOut O ticket not null : ST-113-IATldir5pufW7w7jGc4y-cas
[25/05/12 14:02:59:288 CEST] 00000049 SystemOut O new ticket validator
[25/05/12 14:02:59:288 CEST] 00000049 SystemOut O serviceUrl generated: http://localhost:10040/wps/myportal/
[25/05/12 14:02:59:288 CEST] 00000049 SystemOut O set validation url :https://10.12.18.199:9443/cas/serviceValidate
[25/05/12 14:02:59:288 CEST] 00000049 SystemOut O set callback url :https://localhost:10041/wps/CasProxyServlet
[25/05/12 14:02:59:288 CEST] 00000049 SystemOut O set service : http://localhost:10040/wps/myportal/
[25/05/12 14:02:59:288 CEST] 00000049 SystemOut O set ticket : ST-113-IATldir5pufW7w7jGc4y-cas
[25/05/12 14:02:59:304 CEST] 00000049 SystemOut O validation done
[25/05/12 14:02:59:304 CEST] 00000049 SystemOut O got xml response :
00120112Y
[25/05/12 14:02:59:304 CEST] 00000049 SystemOut O sucess:user=00120112Y
[25/05/12 14:02:59:304 CEST] 00000049 SystemOut O cas uid : uid=00120112Y
[25/05/12 14:02:59:304 CEST] 00000049 SystemOut O Beginning proxy ticket exchange workflow
[25/05/12 14:02:59:304 CEST] 00000049 WebAuthentica E SECJ0126E: Se ha producido un error en la asociación de confianza durante la validación. La excepción es com.ibm.websphere.security.WebTrustAssociationFailedException: Unable to retrieve the proxy ticket, check the ProxyTicketReceptorConfiguration
at com.ibm.portal.client.websphere.CasTAI.negotiateValidateandEstablishTrust(CasTAI.java:69)
at com.ibm.ws.security.web.TAIWrapper.negotiateAndValidateEstablishedTrust(TAIWrapper.java:102)
at com.ibm.ws.security.web.WebAuthenticator.handleTrustAssociation(WebAuthenticator.java:277)
at com.ibm.ws.security.web.WebAuthenticator.authenticate(WebAuthenticator.java:1451)
at com.ibm.ws.security.web.WebAuthenticator.authenticate(WebAuthenticator.java:1373)
at com.ibm.ws.security.web.WebCollaborator.authorize(WebCollaborator.java:670)
at com.ibm.ws.security.web.EJSWebCollaborator.preInvoke(EJSWebCollaborator.java:318)
at com.ibm.ws.webcontainer.webapp.WebAppSecurityCollaborator.preInvoke(WebAppSecurityCollaborator.java:141)
at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:486)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:90)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:751)
at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1478)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:125)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:458)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:387)
at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:102)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:136)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:196)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:751)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:881)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1497)
Hello Shailendra,
I have another question. “casclient-2.1.1.jar” use the log classes:
org.apache.commons.logging.Log;
org.apache.commons.logging.LogFactory;
¿Where I have to configure the log file? ¿In the application wps.ear/META-INF?¿It’s a log4j.properties?
I don’t see the logs of this lib, so I guess is due to log file.
Thanks!
Hello Shailendra,
My Websphere Portal and CAS are almost working good, I have solved it all the problems I wrote you above.
I have a new problem, when I logout (I mean, in the button close session) I do it only in WP, so when I try to enter again in myPortal, the session is not finish and CAS redirect to TAI without ask for my credentials. I would like to logout from WP and from CAS, how can I do this?
Thank you!!