CAS ST Generated Repeatedly on User Login; CAS Fails to Validate ST When Sites configured Over HTTPS
(Doc ID 2024454.1)
Last updated on APRIL 25, 2024
Applies to:
Oracle WebCenter Sites - Version 11.1.1.6.1 and later
Information in this document applies to any platform.
Symptoms
On user login (after entering credentials and clicking the Login button), the following appears in the Sites application server's access log:
The user enters credentials and the browser POSTs them to cas on Tomcat:
<client IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "POST /cas/login;jsessionid=586E5E7DD867BA611E6161B87FAED180?service=https%3A%2F%2Fhostname%3Aport%2Fcs%2Fwem%2Ffatwire%2Fwem%2FWelcome HTTP/1.1" 302 -
cas calls cs (Sites) to authenticate the user:
<server IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "POST /cs/ContentServer?pagename=fatwire/wem/sso/ssoLogin HTTP/1.1" 200 505
cs notifies cas that the user is authenticated, as seen in cas.log:
YYYY-MM-DD HH:mm:SS,sss INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: com.fatwire.wem.sso.cas.plugin.CSAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: fwadmin]
At this point, cas should respond to the browser with a Ticket Granting Ticket (TGT), stored in the browser as a cookie, together with a Service Ticket (ST) that allows the browser to log into the Sites UI. Carrying the ST, the browser then re-requests the page the user originally tried to access. Sites then calls cas to validate the ST, and cas responds with whether the ST is valid. However, cas appears never to validate the ST, and the sequence repeats from this point, e.g.:
cas.log:
YYYY-MM-DD HH:mm:SS,sss INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-zneM1X6Z9bpdhvI3Giw4-cas-hostname-1] for service [https://hostname:port/cs/wem/fatwire/wem/Welcome] for user [fwadmin]
YYYY-MM-DD HH:mm:SS,sss INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-2-rLlHRFvxFOcuQc6NQQ2j-cas-hostname-1] for service [https://hostname:port/cs/wem/fatwire/wem/Welcome] for user [fwadmin]
YYYY-MM-DD HH:mm:SS,sss INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-3-kWXEu1A1WByrTGfBbNvA-cas-hostname-1] for service [https://hostname:port/cs/wem/fatwire/wem/Welcome] for user [fwadmin]
YYYY-MM-DD HH:mm:SS,sss INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-4-KdfGpvnlMwybCzHAcSEE-cas-hostname-1] for service [https://hostname:port/cs/wem/fatwire/wem/Welcome] for user [fwadmin]
YYYY-MM-DD HH:mm:SS,sss INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-5-aqndgDQr6TSlD6dwbHYI-cas-hostname-1] for service [https://hostname:port/cs/wem/fatwire/wem/Welcome] for user [fwadmin]
...
access.log:
<client IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "GET /cs/wem/fatwire/wem/Welcome?ticket=ST-1-zneM1X6Z9bpdhvI3Giw4-cas-hostname-1 HTTP/1.1" 302 -
<client IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "GET /cs/wem/fatwire/wem/Welcome?ticket=ST-2-rLlHRFvxFOcuQc6NQQ2j-cas-hostname-1 HTTP/1.1" 302 -
<client IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "GET /cs/wem/fatwire/wem/Welcome?ticket=ST-3-kWXEu1A1WByrTGfBbNvA-cas-hostname-1 HTTP/1.1" 302 -
<client IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "GET /cs/wem/fatwire/wem/Welcome?ticket=ST-4-KdfGpvnlMwybCzHAcSEE-cas-hostname-1 HTTP/1.1" 302 -
<client IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "GET /cs/wem/fatwire/wem/Welcome?ticket=ST-5-aqndgDQr6TSlD6dwbHYI-cas-hostname-1 HTTP/1.1" 302 -
...
The request the cas client sends to validate the ST against the cas server is "GET /cas/proxyValidate?&ticket=ST-...-cas-...-1&service=... HTTP/1.1", and this request is never found in the access log.
In sites.log, with org.jasig.cas.client at DEBUG and com.fatwire.wem.sso.cas.filter.CASFilter at TRACE enabled, the following appears:
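As an added example (not part of this Oracle note), the following Python script correlates cas.log ticket grants with the Sites access.log to flag exactly the condition described above: service tickets that cas granted and the browser presented to Sites with ?ticket=, but that the Sites CAS client never sent back to a validation endpoint such as /cas/proxyValidate. The log lines embedded in it are constructed to mirror the format shown above; the ticket ids, IP addresses and timestamps are placeholders.

```python
"""Correlate CAS service-ticket grants with the client's validation calls.

Added example, not part of the Oracle note: parses cas.log "Granted service
ticket" lines and the Sites access.log, then reports service tickets (ST)
that CAS issued and the browser presented to Sites (?ticket=) but that were
never sent to a CAS validation endpoint such as /cas/proxyValidate. Several
unvalidated STs for the same user and service is the login loop described
in the Symptoms. All log lines below are constructed; ids are placeholders.
"""
import re
from collections import Counter, OrderedDict

# cas.log: "... Granted service ticket [ST-...] for service [...] for user [...]"
CAS_GRANT_RE = re.compile(
    r"Granted service ticket \[(?P<st>ST-[^\]]+)\] "
    r"for service \[(?P<service>[^\]]+)\] for user \[(?P<user>[^\]]+)\]"
)
# access.log request line and status: "GET /path?query HTTP/1.1" 302
ACCESS_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})')
TICKET_PARAM_RE = re.compile(r"[?&]ticket=(?P<st>ST-[^&\s\"]+)")
# CAS validation endpoints the Jasig client may call; the note expects proxyValidate.
VALIDATE_PATHS = {"/cas/proxyValidate", "/cas/serviceValidate", "/cas/validate"}


def parse_cas_grants(cas_log):
    """Map each granted ST to (service, user), preserving grant order."""
    grants = OrderedDict()
    for line in cas_log.splitlines():
        m = CAS_GRANT_RE.search(line)
        if m:
            grants[m.group("st")] = (m.group("service"), m.group("user"))
    return grants


def parse_access(access_log):
    """Split ticket-bearing requests into STs presented to the application
    and STs sent to a CAS validation endpoint."""
    presented, validated = set(), set()
    for line in access_log.splitlines():
        m = ACCESS_REQ_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        t = TICKET_PARAM_RE.search(target)
        if not t:
            continue  # e.g. POST /cas/login?service=... carries no ticket
        # Drop the query string and any ;jsessionid=... path parameter.
        path = target.split("?", 1)[0].split(";", 1)[0]
        (validated if path in VALIDATE_PATHS else presented).add(t.group("st"))
    return presented, validated


def unvalidated_tickets(cas_log, access_log):
    """STs granted by CAS and presented to Sites but never validated, in grant order."""
    grants = parse_cas_grants(cas_log)
    presented, validated = parse_access(access_log)
    return [st for st in grants if st in presented and st not in validated]


def detect_login_loop(cas_log, access_log, threshold=3):
    """Return {(service, user): count} for pairs with at least `threshold`
    unvalidated STs; a non-empty result is the redirect loop from the note."""
    grants = parse_cas_grants(cas_log)
    counts = Counter(grants[st] for st in unvalidated_tickets(cas_log, access_log))
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample data: three unvalidated STs for fwadmin (the loop) and
# one ST for a second user that Sites did send to /cas/proxyValidate.
SERVICE = "https://hostname:port/cs/wem/fatwire/wem/Welcome"
ENCODED_SERVICE = "https%3A%2F%2Fhostname%3Aport%2Fcs%2Fwem%2Ffatwire%2Fwem%2FWelcome"
SAMPLE_CAS_LOG = "\n".join(
    f"2024-01-01 10:00:0{i},000 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - "
    f"Granted service ticket [ST-{i}-EXAMPLE{i}-cas-hostname-1] for service [{SERVICE}] for user [{user}]"
    for i, user in ((1, "fwadmin"), (2, "fwadmin"), (3, "fwadmin"), (4, "editor"))
)
SAMPLE_ACCESS_LOG = "\n".join(
    [f'10.0.0.5 - - [01/Jan/2024:10:00:00 -0400] "POST /cas/login;jsessionid=ABC?service={ENCODED_SERVICE} HTTP/1.1" 302 -']
    + [f'10.0.0.5 - - [01/Jan/2024:10:00:0{i} -0400] "GET /cs/wem/fatwire/wem/Welcome?ticket=ST-{i}-EXAMPLE{i}-cas-hostname-1 HTTP/1.1" 302 -'
       for i in (1, 2, 3, 4)]
    + [f'10.0.0.9 - - [01/Jan/2024:10:00:05 -0400] "GET /cas/proxyValidate?&ticket=ST-4-EXAMPLE4-cas-hostname-1&service={ENCODED_SERVICE} HTTP/1.1" 200 412']
)

if __name__ == "__main__":
    print("unvalidated:", unvalidated_tickets(SAMPLE_CAS_LOG, SAMPLE_ACCESS_LOG))
    print("loops:", detect_login_loop(SAMPLE_CAS_LOG, SAMPLE_ACCESS_LOG))
```

Run it against real cas.log and access.log contents by passing the file text in place of the constructed samples. A non-empty result from detect_login_loop means the client side of the flow never reached the validation step, which narrows the investigation to the Sites JVM's outbound HTTPS call to cas rather than to the credential check itself.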
Changes
Sites/CAS is configured to use HTTPS. The certificates are imported into a custom keystore rather than the default JVM keystore.
Cause