pradipta goldar

Reputation: 41

CAS ticket not recognized

I have a REST API in my web application where I receive a CAS ticket generated by another web app.

That web app internally uses Cas20ProxyTicketValidator to validate the ticket. Therefore, I also use Cas20ProxyTicketValidator in my custom filter to validate the ticket.

But it always gives me the following error:

ticket = ST-148008-jWXKeEdHkxmuktvYqXF6-cas
org.jasig.cas.client.validation.TicketValidationException: ticket 'ST-148008-jWXKeEdHkxmuktvYqXF6-cas' not recognized
        at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:86)
        at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:217)

Why is my ticket not recognized?

Upvotes: 4

Views: 13476

Answers (3)

ANU279

Reputation: 41

In my case, the ticket was expiring before validation. The default expiry of a service ticket is 10s.

Upvotes: 1

cdesmetz

Reputation: 2474

Check the generated serviceUrl; to see it, change the log level for the package org.jasig.

With Spring Boot, add to application.properties:

logging.level.org.jasig=DEBUG

In the console:

org.jasig.cas.client.util.CommonUtils : serviceUrl generated: https://xxx

Verify and adapt your cas.client-host-url in application.properties:

## CAS[2.0]
cas.server-url-prefix=https://cashost.com/cas
cas.server-login-url=https://cashost.com/cas/login
cas.client-host-url=xxx
cas.validation-type=CAS

Be careful with cas.client-host-url: no slash at the end of the URL.

Don't forget to run mvn clean package after modifying the .properties file.

Upvotes: 0

Harro

Reputation: 558

The way that CAS validates tickets is:

  1. Your client (or the other web app) requests a ticket from the relay server for a particular service, for example http%3A%2F%2Fwww.mywebapp.com
  2. The CAS server generates a row that stores the user's ssoguid, the service and the ticket. It returns the ticket to the client (or other web app)
  3. The client (or other web app) sends the ticket to your server
  4. Your server then sends a request to the serviceValidate endpoint of the CAS server with the ticket and the service, http%3A%2F%2Fmywebapp.com
  5. The CAS server uses the ticket and service pair to find the row it generated. If it finds the row it: a) checks to see if the service is real by sending a request to that URL, b) deletes the row to invalidate the ticket after this validation check, c) returns the user attached to the ticket to your server. Now the ticket cannot be validated again.

The problem you are experiencing could arise for several reasons:

  1. The ticket has already been validated (I don't think that is the case for you)
  2. The service you send when generating the ticket is different from the service you send to the serviceValidate endpoint (they have to be identical). (I would guess that this is the problem you are experiencing, especially if another web app generated the ticket. The CAS server would have http%3A%2F%2Fotherwebapp.com on file but would be trying to find a row with http%3A%2F%2Fmywebapp.com, which doesn't exist because you didn't create it)
  3. The service sent cannot be contacted by the relay server (I'm not exactly sure of the details about how this works or exactly when the check is done, but it is recommended that you use a service that can be contacted)

Upvotes: 11
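The validation flow Harro describes, plus the 10s expiry ANU279 mentions and the trailing-slash mismatch cdesmetz warns about, modelled as an added example that is not from this thread, from the Jasig client, or from the CAS server code base: a toy registry keyed on the (ticket, service) pair, single-use and time-limited, answering in CAS 2.0 XML, beside a client-side parser that surfaces the same "not recognized" message as in the question. All class and function names are invented for the illustration.

```python
import secrets
import time
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
SERVICE_TICKET_TTL = 10.0  # seconds; the default expiry ANU279 mentions

class CasServerSim:
    """Toy model of a CAS server's ticket registry (constructed; not the real CAS code)."""
    def __init__(self, now=time.monotonic):
        self._now = now
        self._rows = {}  # (ticket, service) -> (user, issued_at): the row Harro describes

    def issue_ticket(self, service, user):
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._rows[(ticket, service)] = (user, self._now())
        return ticket

    def service_validate(self, ticket, service):
        """Emulates /serviceValidate and answers with CAS 2.0 XML; tickets are single-use."""
        row = self._rows.pop((ticket, service), None)  # the lookup itself consumes the row
        if row is None:  # unknown, already validated, or the service string differs
            return _failure("INVALID_TICKET", f"ticket '{ticket}' not recognized")
        user, issued_at = row
        if self._now() - issued_at > SERVICE_TICKET_TTL:
            return _failure("INVALID_TICKET", f"ticket '{ticket}' has expired")
        return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationSuccess>'
                f'<cas:user>{user}</cas:user></cas:authenticationSuccess></cas:serviceResponse>')

def _failure(code, msg):
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationFailure '
            f'code="{code}">{msg}</cas:authenticationFailure></cas:serviceResponse>')

class TicketValidationException(Exception):
    """Stands in for org.jasig.cas.client.validation.TicketValidationException."""

def parse_response(xml_text):
    """Client side, like parseResponseFromServer: return the user or raise."""
    root = ET.fromstring(xml_text)
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    if failure is not None:
        raise TicketValidationException(failure.text.strip())
    return root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user").text

def validate(server, ticket, service):
    """Returns the user name, or the failure message the client would log."""
    try:
        return parse_response(server.service_validate(ticket, service))
    except TicketValidationException as exc:
        return str(exc)
```

Because the registry is keyed on the exact service string, a second validation, a different service, a trailing slash, or a ticket older than the TTL all come back as the client-side "not recognized" or "has expired" failure rather than a user.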
