CAS ST Generated Repeatedly on User Login; CAS Fails to Validate ST When Sites configured Over HTTPS (Doc ID 2024454.1)

Last updated on NOVEMBER 02, 2022

Applies to:

Symptoms

On user login (after entering credentials and clicking on the Login button), see the following in Sites appserver's access log:

User enters credentials and POST to cas on tomcat

<client IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "POST /cas/login;jsessionid=586E5E7DD867BA611E6161B87FAED180?service=https%3A%2F%2Fhostname%3Aport%2Fcs%2Fwem%2Ffatwire%2Fwem%2FWelcome HTTP/1.1" 302 -

cas  -> cs for authentication

<server IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "POST /cs/ContentServer?pagename=fatwire/wem/sso/ssoLogin HTTP/1.1" 200 505

cs notified cas - user is authenticated based on cas.log

YYYY-MM-DD HH:mm:SS,sss INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: com.fatwire.wem.sso.cas.plugin.CSAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: fwadmin]

After this point, cas should respond to the browser with TGT which is stored in browser's cookie, along with a Service Ticket (ST) to allow browser to log into Sites UI. With the Service Ticket (ST), browser will try to send a request to the initial page the user tried to access. Sites will then go to cas to validate ST. CAS responds whether the ST is valid. However, it looks like CAS never validates the ST, and this process appears to be repeating after this point, e.g.:

cas.log:

YYYY-MM-DD HH:mm:SS,sss INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-zneM1X6Z9bpdhvI3Giw4-cas-hostname-1] for service [https://hostname:port/cs/wem/fatwire/wem/Welcome] for user [fwadmin]
YYYY-MM-DD HH:mm:SS,sss INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-2-rLlHRFvxFOcuQc6NQQ2j-cas-hostname-1] for service [https://hostname:port/cs/wem/fatwire/wem/Welcome] for user [fwadmin]
YYYY-MM-DD HH:mm:SS,sss INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-3-kWXEu1A1WByrTGfBbNvA-cas-hostname-1] for service [https://hostname:port/cs/wem/fatwire/wem/Welcome] for user [fwadmin]
YYYY-MM-DD HH:mm:SS,sss INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-4-KdfGpvnlMwybCzHAcSEE-cas-hostname-1] for service [https://hostname:port/cs/wem/fatwire/wem/Welcome] for user [fwadmin]
YYYY-MM-DD HH:mm:SS,sss INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-5-aqndgDQr6TSlD6dwbHYI-cas-hostname-1] for service [https://hostname:port/cs/wem/fatwire/wem/Welcome] for user [fwadmin]
...

access.log:

<client IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "GET /cs/wem/fatwire/wem/Welcome?ticket=ST-1-zneM1X6Z9bpdhvI3Giw4-cas-hostname-1 HTTP/1.1" 302 -
<client IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "GET /cs/wem/fatwire/wem/Welcome?ticket=ST-2-rLlHRFvxFOcuQc6NQQ2j-cas-hostname-1 HTTP/1.1" 302 -
<client IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "GET /cs/wem/fatwire/wem/Welcome?ticket=ST-3-kWXEu1A1WByrTGfBbNvA-cas-hostname-1 HTTP/1.1" 302 -
<client IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "GET /cs/wem/fatwire/wem/Welcome?ticket=ST-4-KdfGpvnlMwybCzHAcSEE-cas-hostname-1 HTTP/1.1" 302 -
<client IP> - - [DD/MON/YYYY:HH:mm:SS -0400] "GET /cs/wem/fatwire/wem/Welcome?ticket=ST-5-aqndgDQr6TSlD6dwbHYI-cas-hostname-1 HTTP/1.1" 302 -
...

The request for cas client to validate ST against cas server is "GET /cas/proxyValidate?&ticket=ST-...-cas-...-1&service=... HTTP/1.1", and this was never found in access log.

In sites.log with org.jasig.cas.client DEBUG and com.fatwire.wem.sso.cas.filter.CASFilter TRACE enabled, see the following:

Changes

Sites/CAS is configured to use HTTPS. Certificates are imported into a custom keystore, which is not the default JVM keystore.

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.