David.Turing's blog

 

Yale CAS异常问题总结(1)Unable to validate ProxyTicketValidator之HTTPS hostname wrong: should be.....

严重: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator prox
yList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://192.168.1.111:8443/cas/proxyValidate] ticket=[ST-0-9h7Mx5HK3pfsdxRv
MD3y] service=[http%3A%2F%2F192.168.1.222%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]


这个CAS异常是从CAS Client里面抛出,是当我们不使用证书的CN去访问域名的时候(比如下文是用IP访问而且证书的CN是该IP对应的域名而非该IP),CASClient无法信任,因为你证书的CN命名写着abc.com,192.168.1.111这个IP是无法被CAS Client识别。

edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList = [ null ] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl = [https: // 192.168.1.111:8443/cas/proxyValidate] ticket=[ST-0-9h7Mx5HK3pfsdxRvMD3y] service=[http%3A%2F%2F192.168.1.222%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java: 52 )
    at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:
455 )
    at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:
378 )
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:
202 )
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:
173 )
    at filters.ExampleFilter.doFilter(ExampleFilter.java:
101 )
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:
202 )
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:
173 )
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:
213 )
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:
178 )
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:
432 )
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:
126 )
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:
105 )
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:
107 )
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:
148 )
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:
869 )
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:
664 )
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:
527 )
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:
80 )
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:
684 )
    at java.lang.Thread.run(Thread.java:
595 )
Caused by: java.io.IOException: HTTPS hostname wrong:  should be 
< 192.168 . 1.111 >
    at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(HttpsClient.java:
493 )
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:
418 )
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:
170 )
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:
905 )
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:
234 )
    at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:
84 )
    at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:
212 )
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:
50 )

解决办法:
用域名访问,域名就是证书的CN。

posted on 2006-09-05 18:20 david.turing 阅读(8555) 评论(4)  编辑  收藏 所属分类: Security异常问题

评论

# re: Yale CAS异常问题总结(1)Unable to validate ProxyTicketValidator之HTTPS hostname wrong: should be.....[未登录] 2007-03-23 02:32 lulu

client 怎么得到授权??
就keytool -import....到jvm就行了???

但是我还是报上面的错误..  回复  更多评论   

# re: Yale CAS异常问题总结(1)Unable to validate ProxyTicketValidator之HTTPS hostname wrong: should be.....[未登录] 2008-12-25 16:04 1

要是别的机器访问你的机器,用ip访问,cn我也写的ip,也还是报同样错误  回复  更多评论   

# re: Yale CAS异常问题总结(1)Unable to validate ProxyTicketValidator之HTTPS hostname wrong: should be.....[未登录] 2011-08-30 18:20 小猪

我的也是啊,用ip生成的cn,也是用ip访问,还是报这个错误啊  回复  更多评论   

# re: Yale CAS异常问题总结(1)Unable to validate ProxyTicketValidator之HTTPS hostname wrong: should be.....[未登录] 2012-10-24 16:55 cx

edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://cx.com:8443/cas/proxyValidate] ticket=[ST-1-BS35zseNBoCQaZwNWjUu-cas] service=[http%3A%2F%2Fcx.com%3A8080%2Fjsp-examples%2F] renew=false]]]
使用域名依旧错误……  回复  更多评论   


只有注册用户登录后才能发表评论。


网站导航:
 

导航

统计

常用链接

留言簿(107)

我参与的团队

随笔分类(126)

随笔档案(155)

文章分类(9)

文章档案(19)

相册

搜索

积分与排名

最新随笔

最新评论

阅读排行榜

评论排行榜