
CAS server + Share authentication

Question asked by dmmax on Mar 8, 2015
Hello!

I'm using Alfresco 4.2.f, CAS server 4.0.0 and the CAS client (which I added to share/WEB-INF/lib).

CAS server 4.0.0 is installed on server_tomcat (ports 8081 and 8444 (HTTPS)).
Share is installed on alfresco_tomcat (ports 8080 and 8443 (HTTPS)) <— standard configuration (server.xml).

Then I commented out in share/WEB-INF/web.xml:
<blockcode>
   <!--
   <filter>
      <description>MT authentication support - NOTE: does not support portlets</description>
      <filter-name>MTAuthentationFilter</filter-name>
      <filter-class>org.alfresco.web.site.servlet.MTAuthenticationFilter</filter-class>
   </filter>
   -->
   <!--
   <filter>
      <description>Share SSO authentication support filter.</description>
      <filter-name>Authentication Filter</filter-name>
      <filter-class>org.alfresco.web.site.servlet.SSOAuthenticationFilter</filter-class>
      <init-param>
         <param-name>endpoint</param-name>
         <param-value>alfresco</param-value>
      </init-param>
   </filter>
   -->
</blockcode>
and added:

<blockcode>
   <listener>
      <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
   </listener>

   <filter>
      <filter-name>CAS Single Sign Out Filter</filter-name>
      <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
   </filter>
   <filter-mapping>
      <filter-name>CAS Single Sign Out Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>

   <filter>
      <filter-name>CAS Filter</filter-name>
      <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
      <init-param>
         <param-name>casServerLoginUrl</param-name>
         <param-value>https://localhost:8444/cas/login</param-value>
      </init-param>
      <init-param>
         <param-name>serverName</param-name>
         <param-value>http://localhost:8080</param-value>
      </init-param>
   </filter>
   <filter-mapping>
      <filter-name>CAS Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>

   <filter>
      <filter-name>CAS Validation Filter</filter-name>
      <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
      <init-param>
         <param-name>casServerUrlPrefix</param-name>
         <param-value>https://localhost:8444/cas</param-value>
      </init-param>
      <init-param>
         <param-name>serverName</param-name>
         <param-value>http://localhost:8080</param-value>
      </init-param>
   </filter>
   <filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>

   <filter>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
   </filter>
   <filter-mapping>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>
</blockcode>

The next step was to create an SSL key pair.
In the terminal, I typed:

1)Generate keystore
<blockcode>
keytool -genkey -alias sso -keyalg RSA -keysize 1024 -keypass changeit -validity 3650 -keystore /path/to/keystore/sso.keystore -storepass changeit
</blockcode>
(At this point, for first and last name I typed: localhost (it's my host name))

2)Create certificate
<blockcode>
keytool -export -alias sso -keystore /path/to/keystore/sso.keystore -file /path/to/keystore/sso.crt -storepass changeit
</blockcode>
3)Add certificate to truststore
<blockcode>
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file /path/to/keystore/sso.crt -alias sso
</blockcode>

Then I added to $tomcat_server$/conf/server.xml:
<blockcode>
<Connector port="8444" URIEncoding="UTF-8" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keystoreFile="/path/to/keystore/sso.keystore"
               keystorePass="changeit" keyAlias="sso"/>
</blockcode>

Then I started tomcat_server and alfresco_tomcat.

I open the link: http://localhost:8080/share
Because of ($alfresco_tomcat/webapps/share/WEB-INF/web.xml), Share redirects me to https://localhost:8444/cas, where I see the login page.
I typed: Username: casuser, Password: Mellon <– it's the standard login/password.

After that I was redirected back to http://localhost:8080/share/… , where the ticket is validated, but at this point I get an error (a 500 error in the browser).
In $alfresco_tomcat/logs/localhost.log:

<blockquote>
SEVERE: Servlet.service() for servlet [jsp] in context with path [/share] threw exception
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
   at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
   at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
   at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
   at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
   at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
   at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
   at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:315)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
   at java.lang.Thread.run(Thread.java:724)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
   at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
   at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
   at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
   at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
   at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
   at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
   at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
   at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
   at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
   at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
   at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
   at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1299)
   at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
   at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
   … 26 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
   at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
   at sun.security.validator.Validator.validate(Validator.java:260)
   at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
   at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
   at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
   at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
   … 38 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
   at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
   at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
   … 44 more

??? 06, 2015 6:35:09 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [default] in context with path [/share] threw exception
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
   at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
   at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
   at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
   at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
   at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
   at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
   at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:315)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
   at java.lang.Thread.run(Thread.java:724)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
   at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
   at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
   at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
   at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
   at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
   at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
   at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
   at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
   at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
   at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
   at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
   at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1299)
   at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
   at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
   … 26 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
   at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
   at sun.security.validator.Validator.validate(Validator.java:260)
   at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
   at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
   at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
   at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
   … 38 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
   at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
   at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
   … 44 more
</blockquote>


After googling, I got information that Share can't validate my certificate (which I added).

Please help me with the problem…
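The stack trace above is the CAS client's validation filter (Cas20ProxyReceivingTicketValidationFilter) calling back to https://localhost:8444/cas over HTTPS from inside alfresco_tomcat's JVM, and that JVM's default trust store rejecting the self-signed certificate ("PKIX path building failed"). The browser redirect works because the browser has its own trust decisions; the server-side validation call does not. The two things worth checking are therefore (a) whether the cacerts file that received the `keytool -import` is the one used by the JVM that actually launches alfresco_tomcat (the Alfresco installer ships its own JRE, so `$JAVA_HOME` on the shell is often a different Java than the one Tomcat runs on) and (b) whether a TLS handshake to the CAS URL succeeds from that same JVM. The following diagnostic is an added example and not part of the original post, Alfresco, or the Jasig CAS client; the path `$ALF_HOME/java/bin/java` and the default cacerts password `changeit` are assumptions, and the URL and alias default to the values from the post:

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;

/**
 * Added diagnostic (not from the original post, Alfresco or the CAS client).
 * Compile and run it with the SAME java binary that starts alfresco_tomcat,
 * for example (assumed path of the bundled JRE):
 *   $ALF_HOME/java/bin/javac TrustCheck.java
 *   $ALF_HOME/java/bin/java  TrustCheck https://localhost:8444/cas/login sso
 * It reports which trust store this JVM uses, whether the alias is in it,
 * and whether a TLS handshake to the CAS server passes PKIX validation,
 * which is exactly what the ticket validation filter needs to succeed.
 */
public class TrustCheck {

    // The trust store the JVM will consult: -Djavax.net.ssl.trustStore if set,
    // otherwise <java.home>/lib/security/cacerts (java.home is the JRE directory).
    static String trustStorePath() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) {
            return override;
        }
        return System.getProperty("java.home") + "/lib/security/cacerts";
    }

    // True if the alias exists in the trust store; prints the subject so a
    // wrong certificate (e.g. CN not matching the host in the URL) is visible.
    static boolean aliasPresent(String path, String password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        Certificate cert = ks.getCertificate(alias);
        if (cert instanceof X509Certificate) {
            System.out.println("found alias '" + alias + "': "
                    + ((X509Certificate) cert).getSubjectX500Principal());
            return true;
        }
        return false;
    }

    // Performs the handshake the CAS client performs, using the JVM's default
    // trust manager. Returns true if the server certificate chain validates.
    static boolean handshakeOk(String casUrl) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(casUrl).openConnection();
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        try {
            conn.connect(); // TLS handshake happens here
            X509Certificate leaf = (X509Certificate) conn.getServerCertificates()[0];
            System.out.println("handshake OK, server presented: " + leaf.getSubjectX500Principal());
            return true;
        } catch (SSLHandshakeException e) {
            System.out.println("handshake FAILED: " + e.getMessage());
            return false;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        String casUrl = args.length > 0 ? args[0] : "https://localhost:8444/cas/login";
        String alias = args.length > 1 ? args[1] : "sso";
        String trustStore = trustStorePath();
        System.out.println("java.home  = " + System.getProperty("java.home"));
        System.out.println("truststore = " + trustStore);
        // "changeit" is the stock cacerts password; assumed unchanged here.
        if (!aliasPresent(trustStore, "changeit", alias)) {
            System.out.println("alias '" + alias + "' is NOT in this trust store;"
                    + " the keytool -import went into a different JRE's cacerts");
        }
        handshakeOk(casUrl);
    }
}
```

If the alias is missing, re-run the `keytool -import` against the cacerts file this program prints, then restart alfresco_tomcat (the trust store is read once at JVM start). If the alias is present but the handshake still fails, compare the printed subject with the certificate the server actually presents; the Tomcat connector on 8444 must serve the same `sso` key whose certificate was exported. Separately, note that `serverName` in both CAS filters is `http://localhost:8080`, so the service ticket is delivered to Share over plain HTTP; once trust works, pointing it at the existing 8443 HTTPS connector is the usual follow-up hardening.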
