[cas-user] Re: CAS 5 RC3: redirect to /login on 404?

2016-10-13 Thread Baron Fujimoto
On Wed, Oct 05, 2016 at 09:25:21AM -1000, Baron Fujimoto wrote:
>Another difference that has been noted between our CAS 3.4.x and
>CAS 5.0 is that CAS 3 appears to redirect to the /login endpoint
>for 404s whereas CAS 5 RC3 goes to a 404 page. I don't see where
>I might have configured our CAS 3 to redirect to /login for 404,
>so I'm assuming this was the previous default? Is there a way to
>configure this behaviour for CAS 5, or is this now inadvisable?

Following up: advisability notwithstanding, this can be done by
using an overlay for

src/main/resources/templates/error/404.html

to do the redirect to /login

-- 
Baron Fujimoto  :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

-- 
CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website: https://apereo.github.io/cas
CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To post to this group, send email to cas-user@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20161013230049.GI23083%40praenomen.mgt.hawaii.edu.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.


[cas-user] Re: CAS 5 RC3: not releasing cn

2016-10-13 Thread Baron Fujimoto
Just to follow up, this issue is resolved in recent RC4-SNAPSHOT.

It's no longer necessary to set the following to override default
mapping of cn to commonName.

cas.authn.attributeRepository.attributes.cn=cn

On Tue, Oct 04, 2016 at 01:32:22PM -1000, Baron Fujimoto wrote:
>While testing CAS 5 RC3, we discovered it was not releasing the cn
>attribute as we expected.
>
>We are authenticating via LDAP and using it as an attribute source.
>
>The following was defined in our cas.properties:
>
>cas.authn.ldap[0].principalAttributeList=cn,uhUuid
>cas.authn.attributeRepository.defaultAttributesToRelease=cn,uhUuid
>
>This is logged:
>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - response: 
>[org.ldaptive.auth.AuthenticationResponse@1770400845::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
> resolvedDn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, 
>ldapEntry=[dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu[[uid[baron]], 
>[displayName[Baron K Fujimoto]], [uhUuid[10101010]], [cn[Baron K Fujimoto]]], 
>responseControls=null, messageId=-1], accountState=null, result=true, 
>resultCode=SUCCESS, message=null, controls=null]>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - password policy to 
>[org.ldaptive.auth.AuthenticationResponse@1770400845::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
> resolvedDn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, 
>ldapEntry=[dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu[[uid[baron]], 
>[displayName[Baron K Fujimoto]], [uhUuid[10101010]], [cn[Baron K Fujimoto]]], 
>responseControls=null, messageId=-1], accountState=null, result=true, 
>resultCode=SUCCESS, message=null, controls=null]>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - principal id attribute baron>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - principal attribute: [uid[baron]]>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - principal attribute: [uhUuid[10101010]]>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - principal attribute: [displayName[Baron K Fujimoto]]>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - principal attribute: [cn[Baron K Fujimoto]]>
>DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - LDAP principal for id baron and 5 attributes>
>DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>
>
>DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>Fujimoto, 
>LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, 
>uhUuid=10101010, uid=baron}>
>
>DEBUG [org.apereo.cas.authentication.DefaultAuthenticationResultBuilder] - 
>LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, 
>displayName=Baron K Fujimoto, uhUuid=10101010}] for inclusion in this result 
>for principal [baron]>
>
>DEBUG 
>[org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository] 
>- attributes directly associated with the principal object which are 
>[{commonName=Baron K Fujimoto, displayName=Baron K Fujimoto, 
>LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, 
>uhUuid=10101010, uid=baron}]>
>2016-10-03 17:37:47,729 DEBUG 
>[org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository]
> - {commonName=Baron K Fujimoto, displayName=Baron K Fujimoto, 
>LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, 
>uhUuid=10101010, uid=baron}>
>DEBUG 
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
>Fujimoto, 
>LdapAuthenticationHandler.dn=uhEntry=foobar,ou=People,dc=hawaii,dc=edu, 
>uhUuid=10101010, uid=baron} for baron>
>DEBUG 
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
>attributes for baron>
>DEBUG 
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
>baron>
>DEBUG 
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
>
>DEBUG 
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
>any>
>DEBUG 
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
>
>DEBUG 
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
>
>DEBUG 
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
>
>DEBUG 
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
>
>DEBUG 
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
>
>DEBUG 
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
>
>DEBUG 
>[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
>
>
>At this point, it seems that cn (by virtue of having been mapped to
>commonName?) is no longer in the set of attributes to release, and thus not
>released by default
>
>My theory, based on the observed behavior where it also gets the
>displayName, despite it not being requested or used anywhere in 

Re: [cas-user] CAS 5 RC3 attribute lookup

2016-10-13 Thread Baron Fujimoto
On Thu, Oct 13, 2016 at 05:19:19PM -0500, Richard Frovarp wrote:
>I'm very confused as to how to do attribute lookup with CAS 5.
>
>In the actual service entry I have the return all attributes policy, so that
>shouldn't be hanging me up.
>
>I am doing AD / LDAP authentication, and it's also where my attributes are
>at.
>
>I don't see how
>
>cas.authn.attributeRepository.attributes.uid=uid
>
>does anything, because if I add another attribute there, nothing happens.
>
>I don't see cas.authn.attributeRepository.ldap group of entries doing
>anything.
>
>I also don't see cas.authn.ldap[0].additionalAttributes doing much.
>
>If I set cas.authn.ldap[0].principalAttributeList to have more attributes, it
>appears to work. But it's also including uid, which isn't in my list. Is that
>because of the entry above?
>
>Do I even need to have the cas.authn.attributeRepository.ldap section?

cas.authn.attributeRepository.attributes.* are used as defaults unless set
otherwise and can have unexpected results (see my earlier post re cn being
remapped by cas.authn.attributeRepository.attributes.cn=commonName). I
believe these may be deprecated or changed in future releases.

I define all the attributes in cas.authn.ldap[0].principalAttributeList

Since we release all of them by default, what I actually do is define a
variable, and use that to factor out the list of attributes so I don't
have to replicate it in multiple places. YMMV.

our.default.attributes=\
  cn,\
  displayName,\
  ... etc ...
  mail,\
  uid

cas.authn.ldap[0].principalAttributeList=${our.default.attributes}
cas.authn.attributeRepository.defaultAttributesToRelease=${our.default.attributes}

>I know it's an RC and that the documentation isn't complete, but it feels
>like something is missing. Feels odd to be doing it in the authn area instead
>of the ldap entries under attributeRepository.
>
>Thanks,
>
>Richard

Aloha,
-baron
-- 
Baron Fujimoto  :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum



[cas-user] ehcache replication issue between CAS 4.2.5 nodes.

2016-10-13 Thread Boris Pogrebitskiy
Problem with Ehcache replication on Tomcat servers running 2 CAS 4.2.5 
nodes. Looks like ST replication isn't working between 2 nodes.

Any help is appreciated. 

This is a short version of the log file showing that the ST ticket was created on 
SecurityService02, but not found on SecurityService01 milliseconds later.

2016-10-13T22:22:06,503Z SecurityService02 null DEBUG 
org.jasig.cas.ticket.registry.EhCacheTicketRegistry [scheduler_Worker-5] 
[] : Ticket ST-10-IAhAyqLGE6eBJAnHCViP-dv01sec001.xxx.com is removed
2016-10-13T22:22:06,496Z SecurityService02 null DEBUG 
org.jasig.cas.ticket.registry.TicketRegistryCleaner [scheduler_Worker-5] 
[] : Cleaning up expired service ticket 
[ST-10-IAhAyqLGE6eBJAnHCViP-dv01sec001.xxx.com]
2016-10-13T22:21:21,482Z SecurityService01 null ERROR 
org.jasig.cas.web.ServiceValidateController [http-bio-18180-exec-13] 
[] : Failed to create proxy granting ticket for 
https://dv01.xxx.com/falcon/secure/receptororg.jasig.cas.ticket.InvalidTicketException:
 ST-10-IAhAyqLGE6eBJAnHCViP-dv01sec001.xxx.com
2016-10-13T22:21:21,481Z SecurityService01 null DEBUG 
org.jasig.cas.CentralAuthenticationServiceImpl [http-bio-18180-exec-13] 
[] : Ticket [ST-10-IAhAyqLGE6eBJAnHCViP-dv01sec001.xxx.com] by type 
[ServiceTicket] cannot be foundin the ticket registry.
2016-10-13T22:21:21,481Z SecurityService01 null DEBUG 
org.jasig.cas.ticket.registry.EhCacheTicketRegistry 
[http-bio-18180-exec-13] [] : No ticket by id [
ST-10-IAhAyqLGE6eBJAnHCViP-dv01sec001.xxx.com 
] is found in the 
registry
2016-10-13T22:21:21,419Z SecurityService02 null DEBUG 
org.jasig.cas.CentralAuthenticationServiceImpl [http-bio-18280-exec-18] [] 
: Publishing 
org.jasig.cas.support.events.CasServiceTicketGrantedEvent@57d7da6a[ticketGrantingTicket=org.jasig.cas.ticket.registry.TicketGrantingTicketDelegator@9aaeddec,serviceTicket=
ST-10-IAhAyqLGE6eBJAnHCViP-dv01sec001.xxx.com 
]
2016-10-13T22:21:21,419Z SecurityService02 null INFO 
 org.jasig.cas.CentralAuthenticationServiceImpl [http-bio-18280-exec-18] [] 
: Granted ticket [ST-10-IAhAyqLGE6eBJAnHCViP-dv01sec001.xxx.com 
] for service [
https://dv01.xxx.com/falcon/j_spring_cas_security_check] and principal 
[ELUX/dummytest]

But I also see the following messages in the log:
---
2016-10-13T21:59:27,865Z SecurityService01 null DEBUG 
net.sf.ehcache.distribution.RMIBootstrapCacheLoader [Bootstrap Thread for 
cache iqn_ServiceTicket] [] : Empty list of cache peers for cache 
iqn_ServiceTicket. No cache peer to bootstrap from.
2016-10-13T21:59:27,865Z SecurityService01 null DEBUG 
net.sf.ehcache.distribution.RMIBootstrapCacheLoader [Bootstrap Thread for cache 
iqn_ServiceTicket] 
[] : cache peers: []
---
2016-10-13T21:59:36,508Z SecurityService02 null DEBUG 
net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory 
[localhost-startStop-1] [] : Registering peer //
dv01sec001.xxx.com:41001/cas_st
2016-10-13T21:59:36,508Z SecurityService02 null DEBUG 
net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory 
[localhost-startStop-1] [] : Registering peer //
dv01sec001.xxx.com:41001/cas_tgt
2016-10-13T21:59:25,834Z SecurityService01 null DEBUG 
net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory 
[localhost-startStop-1] [] : Registering peer //
dv01sec001.xxx.com:41002/cas_tgt
2016-10-13T21:59:25,834Z SecurityService01 null DEBUG 
net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory 
[localhost-startStop-1] [] : Registering peer //
dv01sec001.xxx.com:41002/cas_st

CAS Ehcache configuration:
##
# Ehcache Ticket Registry settings required until we can completely remove Ehcache
# can skip some of these properties to use default defined in WEB-INF/spring-configuration/ehcache-ticket-registry.xml
#
ehcache.config.file=classpath:ehcache-replicated.xml
ehcache.cachemanager.shared=true
ehcache.cachemanager.name=iqn_ticketRegistryCacheManager
ehcache.disk.expiry.interval.seconds=0
ehcache.disk.persistent=false
ehcache.eternal=false
ehcache.max.elements.memory=1
ehcache.max.elements.disk=2
ehcache.eviction.policy=LRU
ehcache.overflow.disk=true
ehcache.cache.st.name=iqn_ServiceTicket
ehcache.cache.st.timeIdle=0
ehcache.cache.st.timeAlive=300
ehcache.cache.tgt.name=iqn_TicketGrantingTicket
ehcache.cache.tgt.timeIdle=0
ehcache.cache.tgt.timeAlive=7201
ehcache.cache.loader.async=true
ehcache.cache.loader.chunksize=500
ehcache.repl.async.interval=1
ehcache.repl.async.batch.size=100
ehcache.repl.sync.puts=true
ehcache.repl.sync.putscopy=true
ehcache.repl.sync.updates=true
ehcache.repl.sync.updatesCopy=true
ehcache.repl.sync.removals=true

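Added example (not part of the original post, and not CAS or Ehcache project code): one way to confirm the symptom described above from the logs of both nodes is to pair each "Granted ticket" event with any "No ticket by id" event for the same ST on a different node inside the ST lifetime, and to list nodes whose bootstrap loader reported no cache peers. The log lines below are constructed in the layout of the excerpt in the post; the node names, ticket ids, hosts and function names are assumptions, and the 300 second window mirrors ehcache.cache.st.timeAlive=300.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, newest first like the excerpt in the post, one event per
# line. Node names, ticket ids and hosts are made up for illustration.
SAMPLE_LOG = """\
2016-10-13T22:40:00,000Z NodeB null DEBUG org.jasig.cas.ticket.registry.EhCacheTicketRegistry [http-exec-2] [] : No ticket by id [ST-2-constructedBBBB-cas.example.org] is found in the registry
2016-10-13T22:30:00,000Z NodeA null INFO org.jasig.cas.CentralAuthenticationServiceImpl [http-exec-7] [] : Granted ticket [ST-2-constructedBBBB-cas.example.org] for service [https://app.example.org/j_spring_cas_security_check] and principal [demo]
2016-10-13T22:21:21,481Z NodeA null DEBUG org.jasig.cas.ticket.registry.EhCacheTicketRegistry [http-exec-13] [] : No ticket by id [ST-1-constructedAAAA-cas.example.org] is found in the registry
2016-10-13T22:21:21,419Z NodeB null INFO org.jasig.cas.CentralAuthenticationServiceImpl [http-exec-18] [] : Granted ticket [ST-1-constructedAAAA-cas.example.org] for service [https://app.example.org/j_spring_cas_security_check] and principal [demo]
2016-10-13T21:59:27,865Z NodeA null DEBUG net.sf.ehcache.distribution.RMIBootstrapCacheLoader [Bootstrap Thread for cache iqn_ServiceTicket] [] : Empty list of cache peers for cache iqn_ServiceTicket. No cache peer to bootstrap from.
"""

# timestamp, node, MDC value, level, logger, [thread], [], ':' message
LINE = re.compile(
    r"^(?P<ts>\S+Z)\s+(?P<node>\S+)\s+\S+\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+"
    r"\[(?P<thread>[^\]]*)\]\s+\[[^\]]*\]\s*:\s*(?P<msg>.*)$"
)
GRANTED = re.compile(r"Granted ticket \[\s*(ST-[^\s\]]+)\s*\]")
MISSING = re.compile(r"No ticket by id \[\s*(ST-[^\s\]]+)\s*\] is found")
NO_PEERS = re.compile(r"Empty list of cache peers for cache ([\w-]+)")


def parse_events(text):
    """Return (timestamp, node, message) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # wrapped or unrelated line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S,%fZ")
        events.append((ts, m["node"], m["msg"]))
    return sorted(events)


def find_cross_node_misses(events, st_ttl_seconds=300):
    """Tickets granted on one node and reported missing on another while
    still inside their lifetime: (ticket, granting node, missing node, ms)."""
    granted = {}  # ticket id -> (time granted, granting node)
    findings = []
    for ts, node, msg in events:
        g = GRANTED.search(msg)
        if g:
            granted[g.group(1)] = (ts, node)
            continue
        miss = MISSING.search(msg)
        if not miss or miss.group(1) not in granted:
            continue
        t_grant, grant_node = granted[miss.group(1)]
        age = ts - t_grant
        # A miss on the granting node, or after expiry, is not a replication gap.
        if node != grant_node and age <= timedelta(seconds=st_ttl_seconds):
            delay_ms = age // timedelta(milliseconds=1)
            findings.append((miss.group(1), grant_node, node, delay_ms))
    return findings


def nodes_without_peers(events):
    """(node, cache name) pairs where the bootstrap loader saw no peers."""
    found = set()
    for _, node, msg in events:
        m = NO_PEERS.search(msg)
        if m:
            found.add((node, m.group(1)))
    return sorted(found)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for ticket, src, dst, ms in find_cross_node_misses(evts):
        print(f"{ticket}: granted on {src}, missing on {dst} after {ms} ms")
    for node, cache in nodes_without_peers(evts):
        print(f"{node}: no replication peers for cache {cache}")
```

Lines wrapped by a mail client, as in the excerpt above, need to be rejoined into one event per line before parsing.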

[cas-user] CAS 5 RC3 attribute lookup

2016-10-13 Thread Richard Frovarp

I'm very confused as to how to do attribute lookup with CAS 5.

In the actual service entry I have the return all attributes policy, so 
that shouldn't be hanging me up.


I am doing AD / LDAP authentication, and it's also where my attributes 
are at.


I don't see how

cas.authn.attributeRepository.attributes.uid=uid

does anything, because if I add another attribute there, nothing happens.

I don't see cas.authn.attributeRepository.ldap group of entries doing 
anything.


I also don't see cas.authn.ldap[0].additionalAttributes doing much.

If I set cas.authn.ldap[0].principalAttributeList to have more 
attributes, it appears to work. But it's also including uid, which isn't 
in my list. Is that because of the entry above?


Do I even need to have the cas.authn.attributeRepository.ldap section?

I know it's an RC and that the documentation isn't complete, but it 
feels like something is missing. Feels odd to be doing it in the authn 
area instead of the ldap entries under attributeRepository.


Thanks,

Richard



[cas-user] Server load w/ 4.2.6

2016-10-13 Thread Tom Poage
Afternoon,

On moving from 4.2.1 to 4.2.6, our apparent system load increased dramatically.

Run queue went from as high as 4 to nearly 30, with (Linux) load average 
jumping from a max of 0.2 to about 15 for a user base (TGT count) of 46k.

A code diff doesn’t seem to show much, except perhaps for the addition of a 
synchronous ticketTransactionManager. The only other likely candidate is either 
the bump in Hazelcast version, or that we went from 3 to 4 (single CPU) VMs in 
the cluster (point-to-point instead of multicast). CPU increased from a high of 
about 20% (usually 5-8%) to the 50% range. This is on all nodes. Ironically, 
response time doesn’t seem all that bad, though is a bit sluggish.

Anyone else experience something similar?

Thanks!
Tom.



[cas-user] AcceptUsersAuthenticationHandler#0 class not found error

2016-10-13 Thread Xin Gong
Hi,

I have tried to set up cas server. I have added this for 
AcceptUsersAuthenticationHandler to pom.xml 

<dependency>
  <groupId>org.jasig.cas</groupId>
  <artifactId>cas-server-support-generic</artifactId>
  <version>4.0.0</version>
</dependency>


After I reboot tomcat container, I see cas-server-support-generic-4.0.0.jar 
under $TOMCAT_HOME/webapps/cas-server-webapp-4.0.0/WEB-INF/lib.

However, there is an error in catalina.out;

org.springframework.beans.factory.BeanCreationException: Error creating 
bean with name 'scheduler' defined in ServletContext resource 
[/WEB-INF/spring-configuration/applicationContext.xml]: Invocation of init 
method failed; nested exception is 
org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find 
class [org.jasig.cas.adaptors.generic.AcceptUsersAuthenticationHandler] for 
bean with name 
'org.jasig.cas.adaptors.generic.AcceptUsersAuthenticationHandler#0' defined 
in ServletContext resource [/WEB-INF/deployerConfigContext.xml]; nested 
exception is java.lang.ClassNotFoundException: 
org.jasig.cas.adaptors.generic.AcceptUsersAuthenticationHandler

Thank you for help!

Xin



Re: [cas-user] No principal was found in the response from the CAS server.

2016-10-13 Thread Chip Work
Here is my deployConfigContext.xml file.
Thanx for your assistance.

-Chip

On Thursday, October 13, 2016 at 1:22:09 PM UTC-4, Patrick Gardella wrote:
>
> Can you post your deployerConfigContext.xml file? Specifically, 
> the ldapAuthenticationHandler bean section, if you don't want to post it 
> all.
>
> You are using old instructions.  Take a look at the new instructions at: 
>
> https://apereo.github.io/cas/4.2.x/installation/Maven-Overlay-Installation.html
>
> Patrick+
>
> On Thu, Oct 13, 2016 at 1:08 PM, Chip Work  wrote:
>
>> I am using Tomcat 8 on Centos 7 with Java 8.
>> I have loaded the war file built with maven using CAS 4.2.5 including the 
>> ldap handler.
>> I have loaded the "mywebapp" war file built with maven as suggested in: 
>> https://wiki.jasig.org/display/CASC/JA-SIG+Java+Client+Simple+WebApp+Sample
>> I start tomcat and do not see any significant errors in the catalina.out file 
>> or the cas.log file.
>> However when I test my cas deployment with the test site I get the 
>> following error:
>>
>> HTTP Status 500 - 
>> org.jasig.cas.client.validation.TicketValidationException: No principal was 
>> found in the response from the CAS server.
>>
>> *type* Exception report
>>
>> *message* *org.jasig.cas.client.validation.TicketValidationException: No 
>> principal was found in the response from the CAS server.*
>>
>> *description* *The server encountered an internal error that prevented 
>> it from fulfilling this request.*
>>
>> *exception*
>>
>> javax.servlet.ServletException: 
>> org.jasig.cas.client.validation.TicketValidationException: No principal was 
>> found in the response from the CAS server.
>>  
>> org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:152)
>>
>> *root cause*
>>
>> org.jasig.cas.client.validation.TicketValidationException: No principal was 
>> found in the response from the CAS server.
>>  
>> org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:74)
>>  
>> org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:165)
>>  
>> org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:129)
>>  
>>
>> *note* *The full stack trace of the root cause is available in the 
>> Apache Tomcat/8.0.37 logs.*
>>
>> Pls advice me as to why I might get this message.
>> Thanx. 
>>
>
>



deployerConfigContext.xml
Description: XML document


Re: [cas-user] CAS 4.1.x, use a different authentication provider based on the theme of Login page

2016-10-13 Thread Zhou, Yan
Good idea, can you elaborate how I can get this data in authentication 
handler?


the data is at entity: RegexRegisteredService.properties.values,  but 
how do I get it? If I have to look up database, I would need a key to 
look up for. If it is somewhere populated for the particular service 
user is logging into, how do I get to it from authentication handler?


Thx!



On 10/13/2016 1:32 PM, Dmitriy Kopylenko wrote:
The quick way to implement this would be to utilize Registered 
services custom properties: 
https://apereo.github.io/cas/4.1.x/installation/Configuring-Service-Custom-Properties.html and 
set which authentication source to use for each defined service. Then 
you’ll have access to this data at runtime via the ServicesManager, etc.


D.

On Oct 13, 2016, at 1:25 PM, Yan Zhou wrote:


Hello,

We have several data sources of user credentials, they come from 
different applications and we are unable to merge them into one 
single source.


Instead of configuring CAS to go through each authentication provider 
until one returns SUCCESS, I wish to select the right provider based 
on the application user is trying to login, i.e., the theme of login 
page.   Another way to explain this is that my login page has a 
"domain" field in addition to username and password field.


This is not the best idea, but I cannot think of anything better.

I can extend AbstractUsernamePasswordAuthenticationHandler and 
implement  authenticateUsernamePasswordInternal()  to carry out the 
authentication.


1) How can I pass in an additional value (such as the CSS theme of 
login page) into this method? it only supports user name and 
password. I need an additional value to indicate which authentication 
provider I should use.


2) any alternative solution?

Thanks,
Yan







Re: [cas-user] ldaptive documentation missing

2016-10-13 Thread Daniel Fisher
On Thu, Oct 13, 2016 at 5:05 AM, Jérôme Nenert 
wrote:

> I've got the same issue (version 4.2.6). I still get this error:
>
> [org.springframework.web.context.ContextLoader] -  failed
> org.springframework.beans.factory.parsing.BeanDefinitionParsingException:
> Configuration problem: Unable to locate Spring NamespaceHandler for XML
> schema namespace [http://www.ldaptive.org/schema/spring-ext]
> Offending resource: ServletContext resource [/WEB-INF/deployerConfigContext.xml]
>
> http://www.ldaptive.org/schema/spring-ext returns a 404
>

I'm not sure what to make of this. I didn't think that URN needed to be
reachable, but I added an index.html just in case. If this problem is some
quirkiness with github pages then it may take some time to reproduce.

--Daniel Fisher



Re: [cas-user] No principal was found in the response from the CAS server.

2016-10-13 Thread 'Patrick Gardella' via CAS Community
Can you post your deployerConfigContext.xml file? Specifically,
the ldapAuthenticationHandler bean section, if you don't want to post it
all.

You are using old instructions.  Take a look at the new instructions at:
https://apereo.github.io/cas/4.2.x/installation/Maven-Overlay-Installation.html

Patrick+

On Thu, Oct 13, 2016 at 1:08 PM, Chip Work  wrote:

> I am using Tomcat 8 on Centos 7 with Java 8.
> I have loaded the war file built with maven using CAS 4.2.5 including the
> ldap handler.
> I have loaded the "mywebapp" war file built with maven as suggested in:
> https://wiki.jasig.org/display/CASC/JA-SIG+Java+Client+Simple+WebApp+Sample
> I start tomcat and do not see any significant errors in the catalina.out file
> or the cas.log file.
> However when I test my cas deployment with the test site I get the
> following error:
>
> HTTP Status 500 - org.jasig.cas.client.validation.TicketValidationException:
> No principal was found in the response from the CAS server.
>
> *type* Exception report
>
> *message* *org.jasig.cas.client.validation.TicketValidationException: No
> principal was found in the response from the CAS server.*
>
> *description* *The server encountered an internal error that prevented it
> from fulfilling this request.*
>
> *exception*
>
> javax.servlet.ServletException: 
> org.jasig.cas.client.validation.TicketValidationException: No principal was 
> found in the response from the CAS server.
>   
> org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:152)
>
> *root cause*
>
> org.jasig.cas.client.validation.TicketValidationException: No principal was 
> found in the response from the CAS server.
>   
> org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:74)
>   
> org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:165)
>   
> org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:129)
>
> *note* *The full stack trace of the root cause is available in the Apache
> Tomcat/8.0.37 logs.*
>
> Pls advice me as to why I might get this message.
> Thanx.


[cas-user] No principal was found in the response from the CAS server.

2016-10-13 Thread Chip Work
I am using Tomcat 8 on Centos 7 with Java 8.
I have loaded the war file built with maven using CAS 4.2.5 including the 
ldap handler.
I have loaded the "mywebapp" war file built with maven as suggested in: 
https://wiki.jasig.org/display/CASC/JA-SIG+Java+Client+Simple+WebApp+Sample
I start tomcat and do not see any significant errors in the catalina.out file 
or the cas.log file.
However when I test my cas deployment with the test site I get the 
following error:

HTTP Status 500 - 
org.jasig.cas.client.validation.TicketValidationException: No principal was 
found in the response from the CAS server.

*type* Exception report

*message* *org.jasig.cas.client.validation.TicketValidationException: No 
principal was found in the response from the CAS server.*

*description* *The server encountered an internal error that prevented it 
from fulfilling this request.*

*exception*

javax.servlet.ServletException: 
org.jasig.cas.client.validation.TicketValidationException: No principal was 
found in the response from the CAS server.

org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:152)

*root cause*

org.jasig.cas.client.validation.TicketValidationException: No principal was 
found in the response from the CAS server.

org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:74)

org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:165)

org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:129)
 

*note* *The full stack trace of the root cause is available in the Apache 
Tomcat/8.0.37 logs.*

Please advise me as to why I might get this message.
Thanx. 



[cas-user] How does CAS 4.1.X behave like SAML IdP?

2016-10-13 Thread Yan Zhou
Hi there, 

I am a little confused about SAML support in CAS 4.1.x. It may be that my
understanding of SAML is at a very beginning level, too.

I have viewed CAS as an Enterprise SSO solution, rather than a Federated
SSO solution (across enterprises). But I hear different things about SAML
support in CAS.

The CAS 4.1.x doc says: The CAS server implements the CAS protocol on server
side and may even behave like SAML IdP. How does CAS 4.1.X behave
like SAML IdP?

The doc says that CAS supports the standardized SAML 1.1 protocol primarily
to: 1) Support a method of attribute release 2) Single Logout. It seems to
suggest that it does _not_ act like SAML IdP?

The doc also says that CAS can serve as the authentication provider for
Shibboleth. If CAS 4.1.X can behave like SAML IdP, why would it need
Shibboleth?

Thanks,



Re: [cas-user] CAS 5 RC4: /serviceValidate, /samlValidate fail after initial success

2016-10-13 Thread Misagh Moayyed
Your diagnosis certainly is correct, and this points to a possible bug. The 
renew flag that is passed along once seems to stay around for subsequent 
requests on the validator, and it should not. Trivial fix really.

Not that it matters, I don’t think, but let me ask: when you authn into app A 
once and login successfully, is it the same app A that fails to receive 
validated tickets next such that you log out of app A and attempt to try again 
via SSO? Or is it an entirely different app trying to take advantage of SSO? 

-- 
Misagh

From: Baron Fujimoto 
Reply: Baron Fujimoto 
Date: October 13, 2016 at 12:29:15 AM
To: CAS Users 
Subject:  [cas-user] CAS 5 RC4: /serviceValidate, /samlValidate fail after 
initial success  

We're seeing the following errors with our RC4 regression tests. Initially,  
after starting or reloading CAS, /serviceValidate and samlValidate succeed.  

Shortly thereafter however, they fail subsequent runs of the same tests.  
The failures appear to occur when the app is accessed via SSO. An ST
is granted to the app, and it looks like it is successfully validated in  
the logs, but the app gets back "Ticket not recognized" responses.  

It looks like it may be trying to enforce a renew on the *Validate even  
when it's not specified as a parameter?  

Logs:  

DEBUG [org.apereo.cas.CentralAuthenticationServiceImpl] - 
  
DEBUG [org.apereo.cas.CentralAuthenticationServiceImpl] - https://www.example.com/app2,serviceTicket=ST-46-uItdXfm5YblKsGwcCMfB-cas]>
  
DEBUG [org.apereo.cas.validation.Cas20WithoutProxyingValidationSpecification] - 
  
WARN [org.apereo.cas.validation.Cas20WithoutProxyingValidationSpecification] - 
  
WARN [org.apereo.cas.web.ServiceValidateController] -   

Aloha,  
-baron  
--  
Baron Fujimoto  :: UH Information Technology Services  
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum  
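
The failure mode diagnosed in this thread, as an added example that is not part of either message and is not Apereo CAS code: a hypothetical validation specification shared across requests keeps renew=true from an earlier call and then rejects a ticket issued via SSO. The class, method and ticket names are assumptions for illustration; how the flag is retained in CAS itself is not stated in the thread.

```java
import java.util.Optional;

/** Hypothetical model of a CAS-style validation endpoint (requires Java 16+). */
public class RenewFlagDemo {

    /** What the server remembers about a service ticket (constructed type). */
    record Ticket(String id, boolean fromNewLogin) {}

    /** Buggy shape: one shared instance, and the flag is request state. */
    static class SharedSpec {
        private boolean renew; // mutable field on an object reused by every request

        void bind(Optional<String> renewParam) {
            // Only updated when the parameter is present, so an absent
            // parameter leaves the previous request's value in place.
            if (renewParam.isPresent()) {
                renew = Boolean.parseBoolean(renewParam.get());
            }
        }

        boolean isSatisfiedBy(Ticket t) {
            return !renew || t.fromNewLogin();
        }
    }

    /** Corrected shape: renew is derived from the current request only. */
    static boolean validatePerRequest(Ticket t, Optional<String> renewParam) {
        boolean renew = renewParam.map(Boolean::parseBoolean).orElse(false);
        return !renew || t.fromNewLogin();
    }

    public static void main(String[] args) {
        SharedSpec shared = new SharedSpec();
        Ticket fresh = new Ticket("ST-1-constructed", true);   // interactive login
        Ticket viaSso = new Ticket("ST-2-constructed", false); // issued from SSO session

        // Request 1: some client validates with renew=true after a fresh login.
        shared.bind(Optional.of("true"));
        System.out.println("req1 shared spec:  " + shared.isSatisfiedBy(fresh));

        // Request 2: no renew parameter, ticket obtained through SSO.
        shared.bind(Optional.empty());
        System.out.println("req2 shared spec:  " + shared.isSatisfiedBy(viaSso));
        System.out.println("req2 per request:  "
                + validatePerRequest(viaSso, Optional.empty()));
    }
}
```

In a regression suite, a test that validates with renew=true followed by an SSO validation without it, in that order and against the same running instance, is the sequence that exposes this kind of leak.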



[cas-user] Re: CAS 4.2.5 - AD authentication failed

2016-10-13 Thread KERAIN Stéphane
I changed my password to omit "special" characters and the connection to AD
succeeded. If I have qualified the anomaly, I don't understand why: I'm using
tomcat 8 on JDK 8 for CAS overlay webapp. I tried to
change the cas.authn.password.encoding.char property to UTF-8 in cas.properties
but the connection with AD still failed with the original password. Do I
have to compile CAS overlay with JDK 7? What is the purpose
of the cas.authn.password.encoding.char property in that case?
