[Using Sakai] CAS related sakai problem

Steve Swinsburg steve.swinsburg at gmail.com
Sat Mar 24 01:56:27 PDT 2012 

First thing would be to use the Jasig cas client rather than the Yale one. 

The ssl issue Sam noted also should be addressed. 

Also, what's the ticket registry storage on the CAS server? We used to use a jpa database backend which was clustered but not replicating fast enough so it was causing this exact issue. 

Cheers
Steve


Sent from my iPhone

On 24/03/2012, at 1:49, Sam Ottenhoff <ottenhoff at longsight.com> wrote:

> It seems like your Sakai is running on HTTPS: https://scio.his.se/portal
> 
> But your service parameter to CAS is saying that you are running on plain HTTP: service=http%3A%2F%2Fscio.his.se%2Fsakai-login-tool%2Fcontainer
> 
> --Sam
> 
> On Fri, Mar 23, 2012 at 10:38 AM, Anders Nordkvist <anders.nordqvist at his.se> wrote:
> Hi,
> 
>  
> 
> We have sakai version 2.7.X and use CAS version 3.4.6 for authentication. We have two Sakai nodes and two CAS nodes in a load balanced environment. We use a mysql database server. Today we had a rather strange problem. A problem that’s returning with say a month interval. The problem is that Sakai users get this error log when logging in to our CAS authentication server:tus500 -
> 
> type Exception report
> 
> message
> 
> description The server encountered an internal error () that prevented it from fulfilling this request.
> 
> exception
> 
> javax.servlet.ServletException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://hscas.his.se/cas/serviceValidate] ticket=[ST-408-N0ZlV2izrLYiEZ4qficK-cas] service=[http%3A%2F%2Fscio.his.se%2Fsakai-login-tool%2Fcontainer] errorCode=[INVALID_TICKET] errorMessage=[ticket 'ST-408-N0ZlV2izrLYiEZ4qficK-cas' not recognized] renew=false entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> 
>         <cas:authenticationFailure code='INVALID_TICKET'>
> 
>                ticket &#039;ST-408-N0ZlV2izrLYiEZ4qficK-cas&#039;  not recognized
> 
>         </cas:authenticationFailure>
> 
> </cas:serviceResponse>
> 
> ]]]]
> 
>         edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:381)
> 
>         org.sakaiproject.util.RequestFilter.doFilter(RequestFilter.java:658)
> 
> root cause
> 
> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://hscas.his.se/cas/serviceValidate] ticket=[ST-408-N0ZlV2izrLYiEZ4qficK-cas] service=[http%3A%2F%2Fscio.his.se%2Fsakai-login-tool%2Fcontainer] errorCode=[INVALID_TICKET] errorMessage=[ticket 'ST-408-N0ZlV2izrLYiEZ4qficK-cas' not recognized] renew=false entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> 
>         <cas:authenticationFailure code='INVALID_TICKET'>
> 
>                ticket &#039;ST-408-N0ZlV2izrLYiEZ4qficK-cas&#039;  not recognized
> 
>         </cas:authenticationFailure>
> 
> </cas:serviceResponse>
> 
> ]]]]
> 
>         edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:62)
> 
>         edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
> 
>         edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
> 
>         org.sakaiproject.util.RequestFilter.doFilter(RequestFilter.java:658)
> 
> note The full stack trace of the root cause is available in the Apache Tomcat/5.5.31 logs.
> 
>  
> 
> This is the log from one of our Sakai nodes:
> 
>  
> 
> 2012-03-23 10:53:49,883 ERROR http-8080-Processor6 edu.yale.its.tp.cas.client.CASReceipt - validation of [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://hscas.his.se/cas/serviceValidate] ticket=[ST-408-N0ZlV2izrLYiEZ4qficK-cas] service=[http%3A%2F%2Fscio.his.se%2Fsakai-login-tool%2Fcontainer] errorCode=[INVALID_TICKET] errorMessage=[ticket 'ST-408-N0ZlV2izrLYiEZ4qficK-cas' not recognized] renew=false entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> 
>         <cas:authenticationFailure code='INVALID_TICKET'>
> 
>                 ticket &#039;ST-408-N0ZlV2izrLYiEZ4qficK-cas&#039; not recognized
> 
>         </cas:authenticationFailure>
> 
> </cas:serviceResponse>
> 
> ]]]] was not successful.
> 
> 2012-03-23 10:53:49,883 ERROR http-8080-Processor6 edu.yale.its.tp.cas.client.filter.CASFilter - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://hscas.his.se/cas/serviceValidate] ticket=[ST-408-N0ZlV2izrLYiEZ4qficK-cas] service=[http%3A%2F%2Fscio.his.se%2Fsakai-login-tool%2Fcontainer] errorCode=[INVALID_TICKET] errorMessage=[ticket 'ST-408-N0ZlV2izrLYiEZ4qficK-cas' not recognized] renew=false entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> 
>         <cas:authenticationFailure code='INVALID_TICKET'>
> 
>                 ticket &#039;ST-408-N0ZlV2izrLYiEZ4qficK-cas&#039; not recognized
> 
>         </cas:authenticationFailure>
> 
> </cas:serviceResponse>
> 
> ]]]]
> 
> 2012-03-23 10:53:49,884  WARN http-8080-Processor6 org.sakaiproject.util.RequestFilter - Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://hscas.his.se/cas/serviceValidate] ticket=[ST-408-N0ZlV2izrLYiEZ4qficK-cas] service=[http%3A%2F%2Fscio.his.se%2Fsakai-login-tool%2Fcontainer] errorCode=[INVALID_TICKET] errorMessage=[ticket 'ST-408-N0ZlV2izrLYiEZ4qficK-cas' not recognized] renew=false entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> 
>         <cas:authenticationFailure code='INVALID_TICKET'>
> 
>                 ticket &#039;ST-408-N0ZlV2izrLYiEZ4qficK-cas&#039; not recognized
> 
>         </cas:authenticationFailure>
> 
> </cas:serviceResponse>
> 
> ]]]]
> 
> javax.servlet.ServletException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://hscas.his.se/cas/serviceValidate] ticket=[ST-408-N0ZlV2izrLYiEZ4qficK-cas] service=[http%3A%2F%2Fscio.his.se%2Fsakai-login-tool%2Fcontainer] errorCode=[INVALID_TICKET] errorMessage=[ticket 'ST-408-N0ZlV2izrLYiEZ4qficK-cas' not recognized] renew=false entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> 
>         <cas:authenticationFailure code='INVALID_TICKET'>
> 
>                 ticket &#039;ST-408-N0ZlV2izrLYiEZ4qficK-cas&#039; not recognized
> 
>         </cas:authenticationFailure>
> 
> </cas:serviceResponse>
> 
> ]]]]
> 
>         at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:381)
> 
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> 
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> 
>         at org.sakaiproject.util.RequestFilter.doFilter(RequestFilter.java:658)
> 
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
> 
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> 
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> 
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
> 
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> 
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
> 
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
> 
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
> 
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:879)
> 
>         at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
> 
>         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
> 
>         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
> 
>         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
> 
>         at java.lang.Thread.run(Thread.java:662)
> 
> 2012-03-23 10:53:49,884 ERROR http-8080-Processor6 org.apache.catalina.core.ContainerBase.[Catalina].[sakai1.hs.local].[/sakai-login-tool].[sakai.login.container] - Servlet.service() for servlet sakai.login.container threw exception
> 
> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://hscas.his.se/cas/serviceValidate] ticket=[ST-408-N0ZlV2izrLYiEZ4qficK-cas] service=[http%3A%2F%2Fscio.his.se%2Fsakai-login-tool%2Fcontainer] errorCode=[INVALID_TICKET] errorMessage=[ticket 'ST-408-N0ZlV2izrLYiEZ4qficK-cas' not recognized] renew=false entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> 
>         <cas:authenticationFailure code='INVALID_TICKET'>
> 
>                 ticket &#039;ST-408-N0ZlV2izrLYiEZ4qficK-cas&#039; not recognized
> 
>         </cas:authenticationFailure>
> 
> </cas:serviceResponse>
> 
>  
> 
> Does anyone have an idea of what the problem might be here?
> 
> Your welcome to request more logs if you need them!
> 
>  
> 
>  
> 
> Regards
> 
> Anders Nordkvist
> 
> System administrator
> 
> University Of Skövde
> 
> Sweden
> 
>  
> 
>  
> 
> 
> _______________________________________________
> sakai-user mailing list
> sakai-user at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/sakai-user
> 
> TO UNSUBSCRIBE: send email to sakai-user-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
> 
> _______________________________________________
> sakai-user mailing list
> sakai-user at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/sakai-user
> 
> TO UNSUBSCRIBE: send email to sakai-user-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://collab.sakaiproject.org/pipermail/sakai-user/attachments/20120324/b7fb26bc/attachment-0001.html

More information about the sakai-user mailing list