sim51 / logisima-play-cas Goto Github PK

Hello,

In the method filter() why using this ?
if (session.contains("username")) {

Why not using this code ?
if (Security.isConnected()) {

I'm trying to use CAS module in my applicatoin. I configured like in example from README.
I successfully redirected to CAS login page. But after LOGIN action i'm getting

RuntimeException occured : java.util.concurrent.ExecutionException: java.net.ConnectException: Received fatal alert: handshake_failure to https://localhost:8443/cas/serviceValidate?service=http%3A%2F%2Flocalhost%3A9000%2Fauthenticate&ticket=ST-27-7MealT7CewdQcBzHm4qG-cas01.example.org

In {module:cas-3.1}/app/controllers/modules/cas/SecureCAS.java (around line 96)

92: Boolean isAuthenticated = Boolean.FALSE;
93: String ticket = params.get("ticket");
94: if (ticket != null) {
95: Logger.debug("[SecureCAS]: Try to validate ticket " + ticket);
96: CASUser user = CASUtils.valideCasTicket(ticket);
97: if (user != null) {
98: isAuthenticated = Boolean.TRUE;
99: session.put("username", user.getUsername());
100: // we invoke the implementation of onAuthenticate
101: Security.invoke("onAuthenticated", user);

stacktrace:

@6j5nc6099
Internal Server Error (500) for request GET /authenticate?ticket=ST-26-gLYCJQezIsinwDodBALH-cas01.example.org

Execution exception (In {module:cas-3.1}/app/controllers/modules/cas/SecureCAS.java around line 96)
RuntimeException occured : java.util.concurrent.ExecutionException: java.net.ConnectException: Received fatal alert: handshake_failure to https://localhost:8443/cas/serviceValidate?service=http%3A%2F%2Flocalhost%3A9000%2Fauthenticate&ticket=ST-26-gLYCJQezIsinwDodBALH-cas01.example.org

play.exceptions.JavaExecutionException: java.util.concurrent.ExecutionException: java.net.ConnectException: Received fatal alert: handshake_failure to https://localhost:8443/cas/serviceValidate?service=http%3A%2F%2Flocalhost%3A9000%2Fauthenticate&ticket=ST-26-gLYCJQezIsinwDodBALH-cas01.example.org
at play.mvc.ActionInvoker.invoke(ActionInvoker.java:237)
at Invocation.HTTP Request(Play!)
Caused by: java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.net.ConnectException: Received fatal alert: handshake_failure to https://localhost:8443/cas/serviceValidate?service=http%3A%2F%2Flocalhost%3A9000%2Fauthenticate&ticket=ST-26-gLYCJQezIsinwDodBALH-cas01.example.org
at play.libs.ws.WSAsync$WSAsyncRequest.get(WSAsync.java:223)
at play.modules.cas.CASUtils.valideCasTicket(CASUtils.java:214)
at controllers.modules.cas.SecureCAS.authenticate(SecureCAS.java:96)
at play.mvc.ActionInvoker.invokeWithContinuation(ActionInvoker.java:557)
at play.mvc.ActionInvoker.invoke(ActionInvoker.java:508)
at play.mvc.ActionInvoker.invokeControllerMethod(ActionInvoker.java:484)
at play.mvc.ActionInvoker.invokeControllerMethod(ActionInvoker.java:479)
at play.mvc.ActionInvoker.invoke(ActionInvoker.java:161)
... 1 more
Caused by: java.util.concurrent.ExecutionException: java.net.ConnectException: Received fatal alert: handshake_failure to https://localhost:8443/cas/serviceValidate?service=http%3A%2F%2Flocalhost%3A9000%2Fauthenticate&ticket=ST-26-gLYCJQezIsinwDodBALH-cas01.example.org
at com.ning.http.client.providers.netty.NettyResponseFuture.abort(NettyResponseFuture.java:297)
at com.ning.http.client.providers.netty.NettyConnectListener.operationComplete(NettyConnectListener.java:104)
at org.jboss.netty.channel.DefaultChannelFuture.notifyListener(DefaultChannelFuture.java:428)
at org.jboss.netty.channel.DefaultChannelFuture.notifyListeners(DefaultChannelFuture.java:414)
at org.jboss.netty.channel.DefaultChannelFuture.setFailure(DefaultChannelFuture.java:381)
at org.jboss.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1307)
at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1186)
at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:814)
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:422)
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:558)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:553)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:84)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.processSelectedKeys(AbstractNioWorker.java:471)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:332)
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:35)
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:102)
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
at java.lang.Thread.run(Thread.java:662)
Caused by: java.net.ConnectException: Received fatal alert: handshake_failure to https://localhost:8443/cas/serviceValidate?service=http%3A%2F%2Flocalhost%3A9000%2Fauthenticate&ticket=ST-26-gLYCJQezIsinwDodBALH-cas01.example.org
at com.ning.http.client.providers.netty.NettyConnectListener.operationComplete(NettyConnectListener.java:100)
... 22 more
Caused by: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1447)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1415)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1581)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1011)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:845)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:721)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1118)
at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:814)
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:422)
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:84)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.processSelectedKeys(AbstractNioWorker.java:471)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:332)
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:35)
... 3 more
12:00:31,391 ERROR ~

Hi,

I notice that Play! use "application.baseUrl" (see http://www.playframework.org/documentation/1.2.1/emails)
So in application.conf file "application.baseUrl" (for Play!) and "application.url" (for CAS module) are the same

In the CAS module, change CASUtils.getCasServiceUrl()
/1/ use Router.getFullUrl(...) instead of "application.url" and append authenticate url
/2/ or String casServiceUrl = Router.getFullUrl("/"); and append authenticate url

May be I'm wrong, I don't test it. But it will be great to not duplicate properties.

Regards,
Neoh

Between 3.0 and 3.1, in SecureCAS you have moved from using the flash scope to store the application url when you get bounced to CAS to using the cache. However, you seem to still be using flash in filter() (line 160 and 161). This means that when you pull the variable out of cache (line 109) it isn't there and the app always redirects to "/".

If it helps, I fixed this locally (crudely) by copying:

if (!Router.route(request).action.equals("modules.cas.SecureCAS.login")) {
        // we put into session the url we come from
        Cache.add("url_" + session.getId(), request.method == "GET" ? request.url : "/", "10min");
}

into line 162.

Thanks for this module - it's incredibly helpful!

Hi,

In the code, you have this line:
https://github.com/sim51/logisima-play-cas/blob/master/app/controllers/modules/cas/SecureCAS.java#L59

String are compared using == instead of equals, which will fail

By the way, when you leave to another page (CAS login page, different domain), then come back to your original page, won't your session id be different? We are having trouble with the CAS module that won't redirect to the original URL because it seems it can't find the key in the cache (even after the == fix)

Thanks,
Fabien

getServiceUrl() at CASUtils uses Router.getFullUrl to get the Service URL, this approach does not work in production environments that use a reverse proxy (i.e. Apache + Tomcat). In those cases the service URL has the proxified machine domain instead of the reverse proxy machine domain.

I believe this method should rely on the application.url configuration value.

When I Logout from another application, for example JBoss application I need to detect it on Play. Is there any SingleSignOutHandler? Because my Play session still exist

Hi,

I found this on my app logs :

Internal Server Error (500)
Template not found (In {module:cas-2.0-adeo}/app/controllers/modules/cas/SecureCAS.java around line 78)
The template modules/cas/SecureCAS/fail.html does not exist.

play.exceptions.TemplateNotFoundException: Template not found : modules/cas/SecureCAS/fail.html
at play.mvc.Controller.renderTemplate(Controller.java:595)
at play.mvc.Controller.renderTemplate(Controller.java:568)
at play.mvc.Controller.render(Controller.java:623)

at controllers.modules.cas.SecureCAS.fail(SecureCAS.java:78)

I don't know how this occured.
Do I create a fail.html template ? Or is it missing in the module ?

Thanks

The invoke method in controllers.modules.cas.Security (version 3.1 of the module) relies on the following code to detect the user Security class:

Class security = null;
List<Class> classes = Play.classloader.getAssignableClasses(Security.class);
if (classes.size() == 0) {
    security = Security.class;
}
else {
    security = classes.get(0);
}

This algorithm only supports direct subclassing of the controllers.modules.cas.Security. That is a problem when some common behaviour is needed and code is refactored into an intermediate class. Current algorithm uses the first assignable class, however the getAssignableClasses does not return the deepest subclass first (actually I do not think that any order is guaranteed).

I cannot find any suitable methods in the Play API to avoid this problem. Maybe the solution is to be less "magical" and more explicit (maybe annotating the user Security class). Current code force the implementator of custom Security class to rely on composition instead of inheritance to especialize the code and that feels a bit ankward in this case.

Some ideas to share about this topic?

Hi,

In the Play! official website and when I use the "play install cas" command, the version is 1.0

Is there any reason to not flag the 3.0 as the default version ?

Thanks.

XML is not processed at all and a null value is returned.

Hi,
any chance to see this module ported to Play 2.0 ?