Re: [cas-user] authentication throttling and temporary account lockout

2018-01-11 Thread Fabio Martelli

On 11/01/2018 19:49, Ray Bon wrote:

Fabio,

The threshold throttle is a rate. In your example it works out to 1 
failed attempt in 100 seconds. Any user will try a second time within 
that 100 seconds. Set the numbers to a reasonable user action time - 
how long does it take for a user to type and press enter, maybe 5 
seconds. Set threshold at 1 and range at 5.


Hi Ray, thanks a lot for your reply.
Unfortunately this is not my requirement. I need to lock a user out 
after three consecutive failed login attempts.

As far as you know, is there a way to implement this feature?

Thank you in advance for your further reply.
BR,
F.



Ray

On Thu, 2018-01-11 at 15:13 +0100, Fabio Martelli wrote:


Hi All, is there someone who can give me some tips to implement 
*temporary account lockout after 3 consecutive failed login attempts*?



It seems that authentication throttling is something really 
different. If I got it right, authentication throttling is used to 
temporarily inhibit successful authentication attempts after a failed one.


For example, with a configuration like

  * *failureThreshold*: 3
  * *failureRangeInSeconds*: 300

If a failed authentication attempt occurs, all the following attempts 
will fail (resulting in 423) for 100 seconds (300/3 -> 
*thresholdRate* 0.01).



As anticipated, I would like to lock out a user after 3 consecutive failed 
login attempts occurring within 60 seconds. Is it possible?


Thank you in advance for your help.

BR,

F.

--
Fabio Martelli
https://it.linkedin.com/pub/fabio-martelli/1/974/a44
http://blog.tirasa.net/author/fabio/index.html

Tirasa - Open Source Excellence
http://www.tirasa.net/index.html?pk_campaign=email_kwd=fm

Apache Syncope PMC
http://people.apache.org/~fmartelli/ 


--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google 
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1515696550.1878.110.camel%40uvic.ca.



--
Fabio Martelli
https://it.linkedin.com/pub/fabio-martelli/1/974/a44
http://blog.tirasa.net/author/fabio/index.html

Tirasa - Open Source Excellence
http://www.tirasa.net/index.html?pk_campaign=email_kwd=fm

Apache Syncope PMC
http://people.apache.org/~fmartelli/

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6a24a0a1-37fc-6df1-f36e-c5ec4c276cd6%40gmail.com.
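The distinction Fabio and Ray are discussing, as an added example (Python, not CAS code and not from either message): a rate-based throttle built from failureThreshold / failureRangeInSeconds exactly as the thread describes it, next to the consecutive-failure lockout Fabio is asking for. Both are driven by an injectable clock so they can be checked offline. The per-username keying, the 300-second lock duration and the sample attempt sequences are assumptions constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field

HTTP_LOCKED = 423  # status the thread reports for a throttled attempt


@dataclass
class RateThrottle:
    """Throttle as described in the thread: thresholdRate =
    failureThreshold / failureRangeInSeconds, and an attempt that arrives
    faster than that rate after the previous failure is rejected."""
    failure_threshold: int = 3
    failure_range_seconds: int = 300
    last_failure: dict = field(default_factory=dict)  # key -> time of last failure

    @property
    def threshold_rate(self) -> float:
        return self.failure_threshold / self.failure_range_seconds  # 3/300 = 0.01/s

    def check(self, key: str, now: float) -> bool:
        """True if the attempt may proceed; False if it must get a 423."""
        last = self.last_failure.get(key)
        if last is None:
            return True
        elapsed = now - last
        if elapsed <= 0:
            return False
        # one attempt in `elapsed` seconds is a rate of 1/elapsed per second
        return (1.0 / elapsed) <= self.threshold_rate

    def record_failure(self, key: str, now: float) -> None:
        self.last_failure[key] = now

    def record_success(self, key: str) -> None:
        pass  # assumption: the throttle only keys on the last failure


@dataclass
class ConsecutiveFailureLockout:
    """What Fabio asks for: lock a key after `max_failures` failures inside
    `window_seconds`; the lock lasts `lock_seconds` (assumed value) and a
    success clears the counter."""
    max_failures: int = 3
    window_seconds: int = 60
    lock_seconds: int = 300
    failures: dict = field(default_factory=dict)      # key -> deque of failure times
    locked_until: dict = field(default_factory=dict)  # key -> time the lock expires

    def check(self, key: str, now: float) -> bool:
        until = self.locked_until.get(key)
        return until is None or now >= until

    def record_failure(self, key: str, now: float) -> None:
        q = self.failures.setdefault(key, deque())
        q.append(now)
        while q and now - q[0] > self.window_seconds:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[key] = now + self.lock_seconds
            q.clear()

    def record_success(self, key: str) -> None:
        self.failures.pop(key, None)


def simulate(policy, attempts):
    """attempts: (time, username, password_correct) triples in time order.
    Returns the HTTP status each attempt would receive."""
    codes = []
    for now, user, password_ok in attempts:
        if not policy.check(user, now):
            codes.append(HTTP_LOCKED)  # rejected before the password is even checked
            continue
        if password_ok:
            codes.append(200)
            policy.record_success(user)
        else:
            codes.append(401)
            policy.record_failure(user, now)
    return codes


# Constructed sequences: three wrong passwords inside a minute, then the right one.
SAMPLE_ATTEMPTS = [(0, "alice", False), (30, "alice", False), (59, "alice", False),
                   (70, "alice", True), (400, "alice", True)]
RAY_ATTEMPTS = [(0, "bob", False), (3, "bob", False), (10, "bob", False)]
SPREAD_ATTEMPTS = [(0, "carol", False), (30, "carol", False), (61, "carol", False), (62, "carol", True)]
```

With the 3/300 throttle the second and third wrong passwords are answered 423 without being counted, and so is the correct password at t=70, which is the behaviour Fabio describes; the lockout lets all three failures through, then blocks until the lock expires. Ray's 1/5 setting only rejects a retry that arrives within five seconds of a failure.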


Re: [cas-user] Extending CAS 5 Webflows - build instructions?

2018-01-11 Thread Pablo Vidaurri
Just to confirm, in CAS 5.1.x and 5.2.x there is no absolute requirement to 
have classes in org/apereo/cas package ... correct?

On Friday, May 12, 2017 at 10:25:41 AM UTC-5, Dmitriy Kopylenko wrote:
>
> Try this one for the info on configuration mechanism: 
> https://apereo.github.io/2017/02/21/cas-autocfg-strategy/ Note, this 
> applies to CAS 5.1. In CAS 5.0.x line, the configuration classes are 
> contributed to Spring app ctx. by means of component scanning, so in order 
> for CAS to pick ‘em up in 5.0.x, put your custom @Configuration classes in 
> `org/apereo.cas` base package
>
> Best,
> D.
>
>
> From: Adam Causey  
> Reply: cas-...@apereo.org   
> Date: May 12, 2017 at 11:16:44 AM
> To: cas-...@apereo.org   
> Subject:  [cas-user] Extending CAS 5 Webflows - build instructions? 
>
> I've gone through the blog entry "Extending CAS 5 Webflows" (
> https://apereo.github.io/2016/10/07/webflow-extcfg/), but I can't figure 
> out where I put my module code and how do I build it?  I attempted putting 
> my Java files in their own project and then adding the jar as a dependency 
> to my WAR overlay, but it doesn't pick up the @Configuration class.
>
> Has anyone customized the webflow in this manner?
>
> Thanks,
> Adam
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAN6MV5OFzsdefiRdx9B2gw4YL2%3Dk0BknqnBPtqXuPy0bagm5Ew%40mail.gmail.com
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/af845086-8ce2-49f1-9112-9d68072b7e77%40apereo.org.


[cas-user] Re: Extends LdapAuthenticationHandler in cas 5.2

2018-01-11 Thread Pablo Vidaurri
Are you trying to map/release attributes? If so try to define a mapping in 
your service config:

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "mail" : "Email",
      "GivenName" : "GivenName",
      "commonName" : "Aliases"
    }
  }

The last entry retrieves commonName from LDAP but releases it as "Aliases" to the client.

On Thursday, January 11, 2018 at 5:37:05 PM UTC-6, satnam wrote:
>
> Hello,
>
> We are trying to upgrade CAS from 4.2.7 to 5.2.x.  In 4.2, we extended 
> LdapAuthenticationHandler to make our customization (to convert GUID to 
> databaseUserID: we use LDAP to verify the password, then return the database 
> mapped ID to the application, which the application uses later in the process).  
> When we try to do the same thing in 5.2, we get an error on build.  
>
> Is there a better way to do this in 5.2.x?  
>
>
> [ERROR] 
> /C:/Projects/PASS5.2/trunk/build/CAS_Server/post-cas-server/src/main/java/gov/ca/post/PostLdapAuthenticationHandler.java:[16,8]
>  
> cannot access 
> org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler
>   class file for 
> org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler
>  
> not found
> [ERROR] 
> /C:/Projects/PASS5.2/trunk/build/CAS_Server/post-cas-server/src/main/java/gov/ca/post/PostLdapAuthenticationHandler.java:[10,37]
>  
> cannot find symbol
>   symbol:   class UsernamePasswordCredential
>   location: package org.apereo.cas.authentication
> [ERROR] 
> /C:/Projects/PASS5.2/trunk/build/CAS_Server/post-cas-server/src/main/java/gov/ca/post/PostLdapAuthenticationHandler.java:[11,47]
>  
> cannot find symbol
>   symbol:   class DefaultPrincipalFactory
>   location: package org.apereo.cas.authentication.principal
>
>
>
> package org.apereo.cas;
>
> import java.util.Map;
>
> import javax.validation.constraints.NotNull;
>
> import org.apereo.cas.authentication.HandlerResult;
> import org.apereo.cas.authentication.LdapAuthenticationHandler;
> import org.apereo.cas.authentication.Credential;
> import org.apereo.cas.authentication.UsernamePasswordCredential;
> import org.apereo.cas.authentication.principal.DefaultPrincipalFactory;
> import org.apereo.cas.authentication.principal.Principal;
> import org.apereo.cas.authentication.principal.PrincipalFactory;
> import org.ldaptive.auth.Authenticator;
>
> public class PostLdapAuthenticationHandler extends 
> LdapAuthenticationHandler {
> private IDAL dal = null;
>
> public PostLdapAuthenticationHandler(@NotNull final Authenticator 
> authenticator, final IDAL dal) {
> super(authenticator);
> this.dal = dal;
> }
>
>
> ..
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9948b9c5-4e1c-4b92-a0d7-7b7d1d4735e2%40apereo.org.


[cas-user] Extends LdapAuthenticationHandler in cas 5.2

2018-01-11 Thread satnam
Hello,

We are trying to upgrade CAS from 4.2.7 to 5.2.x.  In 4.2, we extended 
LdapAuthenticationHandler to make our customization (to convert GUID to 
databaseUserID: we use LDAP to verify the password, then return the database 
mapped ID to the application, which the application uses later in the process).  
When we try to do the same thing in 5.2, we get an error on build.  

Is there a better way to do this in 5.2.x?  


[ERROR] 
/C:/Projects/PASS5.2/trunk/build/CAS_Server/post-cas-server/src/main/java/gov/ca/post/PostLdapAuthenticationHandler.java:[16,8]
 
cannot access 
org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler
  class file for 
org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler
 
not found
[ERROR] 
/C:/Projects/PASS5.2/trunk/build/CAS_Server/post-cas-server/src/main/java/gov/ca/post/PostLdapAuthenticationHandler.java:[10,37]
 
cannot find symbol
  symbol:   class UsernamePasswordCredential
  location: package org.apereo.cas.authentication
[ERROR] 
/C:/Projects/PASS5.2/trunk/build/CAS_Server/post-cas-server/src/main/java/gov/ca/post/PostLdapAuthenticationHandler.java:[11,47]
 
cannot find symbol
  symbol:   class DefaultPrincipalFactory
  location: package org.apereo.cas.authentication.principal



package org.apereo.cas;

import java.util.Map;

import javax.validation.constraints.NotNull;

import org.apereo.cas.authentication.HandlerResult;
import org.apereo.cas.authentication.LdapAuthenticationHandler;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.UsernamePasswordCredential;
import org.apereo.cas.authentication.principal.DefaultPrincipalFactory;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.ldaptive.auth.Authenticator;

public class PostLdapAuthenticationHandler extends 
LdapAuthenticationHandler {
private IDAL dal = null;

public PostLdapAuthenticationHandler(@NotNull final Authenticator 
authenticator, final IDAL dal) {
super(authenticator);
this.dal = dal;
}


..

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ccad8716-a0bc-41c3-8167-d452570c7fad%40apereo.org.


[cas-user] /oauth2.0/authorize not redirect to callbackurl (CAS Version: 5.1.4)

2018-01-11 Thread Leo Pintos
Hi,
I'm trying to redirect the authorize to 
https://localhost:8443/clienteoauth/recepcionCode 

but it doesn't work and I can see the following in the log:

2018-01-11 16:42:34,287 DEBUG [org.apereo.cas.support.oauth.web.OAuth20CasCallbackUrlResolver] (default task-3) Final resolved callback URL is [https://localhost:8443/cas/oauth2.0/callbackAuthorize?client_name=CasOAuthClient&client_id=app_prueba&redirect_uri=https://localhost:8443/clienteoauth/recepcionCode]

2018-01-11 16:42:34,287 DEBUG [org.apereo.cas.support.oauth.web.response.OAuth20DefaultCasClientRedirectActionBuilder] (default task-3) Final redirect url is [https://localhost:8443/cas/login?service=https%3A%2F%2Flocalhost%3A8443%2Fcas%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3Dapp_prueba%26redirect_uri%3Dhttps%3A%2F%2Flocalhost%3A8443%2Fclienteoauth%2FrecepcionCode]

Next, my json configuration:
{
  "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
  "clientId": "app_prueba",
  "clientSecret": "clientSecret",
  "bypassApprovalPrompt": false,
  "generateRefreshToken": false,
  "serviceId" : "^(https?|http?):.*",
  "name" : "MyOAuthservice",
  "id" : 1002
}

I don't know what's wrong and maybe it's a CAS bug.
Any help?
Thanks in advance.
Leo.



To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9be25512-7279-4b78-8c53-3d41e80d85bf%40apereo.org.
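A point worth checking in the service definition posted above, as an added example (Python, not CAS code): the serviceId pattern "^(https?|http?):.*" matches any http or https URL (and, because of the "http?" alternative, the bare scheme "htt" as well), so when the redirect_uri that the client sends is checked against it, any destination is accepted and the authorization code can be sent to a URL the attacker controls. This does not diagnose the missing redirect Leo reports; it shows the check that CAS performs on the redirect_uri against the registered serviceId, with the posted pattern beside a strict one. The callback URL is the one from the DEBUG line with its & separators restored; the attacker URL and the strict pattern are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# serviceId exactly as posted in the message.
POSTED_SERVICE_ID = r"^(https?|http?):.*"

# Assumed tightening for this example: only the real callback, anchored at both ends.
STRICT_SERVICE_ID = r"^https://localhost:8443/clienteoauth/recepcionCode$"

# Callback URL from the DEBUG log line in the message.
CALLBACK_URL = ("https://localhost:8443/cas/oauth2.0/callbackAuthorize"
                "?client_name=CasOAuthClient&client_id=app_prueba"
                "&redirect_uri=https://localhost:8443/clienteoauth/recepcionCode")

LEGIT_REDIRECT = "https://localhost:8443/clienteoauth/recepcionCode"
ATTACKER_REDIRECT = "https://attacker.example/collect"  # constructed for the example


def parse_callback(url: str) -> dict:
    """Single-valued view of the callbackAuthorize query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def redirect_uri_allowed(service_id_pattern: str, redirect_uri: str) -> bool:
    """Whole-string match of redirect_uri against the serviceId regex."""
    return re.fullmatch(service_id_pattern, redirect_uri) is not None


def authorize(registry: dict, callback_url: str):
    """Decide whether the authorization code may be sent to redirect_uri.
    registry maps clientId -> {"serviceId": regex}; returns (decision, detail)."""
    params = parse_callback(callback_url)
    service = registry.get(params.get("client_id", ""))
    if service is None:
        return ("reject", "unknown client_id")
    redirect_uri = params.get("redirect_uri")
    if not redirect_uri or not redirect_uri_allowed(service["serviceId"], redirect_uri):
        return ("reject", "redirect_uri does not match serviceId")
    return ("redirect", redirect_uri)


def with_redirect(callback_url: str, redirect_uri: str) -> str:
    """Rewrite the redirect_uri parameter the way a hostile client would."""
    parts = urlsplit(callback_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["redirect_uri"] = [redirect_uri]
    new_query = "&".join(f"{k}={v[0]}" for k, v in query.items())
    return parts._replace(query=new_query).geturl()


POSTED_REGISTRY = {"app_prueba": {"serviceId": POSTED_SERVICE_ID}}
STRICT_REGISTRY = {"app_prueba": {"serviceId": STRICT_SERVICE_ID}}
```

Whatever matching mode the server applies, anchoring the pattern with ^ and $ and naming the real callback host and path is what keeps a tampered redirect_uri from being honoured.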


[cas-user] Setting up google authenticator

2018-01-11 Thread Pablo Vidaurri
I reviewed 
https://apereo.github.io/cas/5.0.x/installation/GoogleAuthenticator-Authentication.html
and the configuration options to set up 2FA via google authenticator but the 
config options are not clear.

Has anyone attempted to use Google Auth? Can anyone provide clarification 
on what the settings are?

Thanks
-psv

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9b43ae9e-2a5d-4e20-b9c9-3e6bc782a99d%40apereo.org.


Re: [cas-user] authentication throttling and temporary account lockout

2018-01-11 Thread Ray Bon
Fabio,

The threshold throttle is a rate. In your example it works out to 1 failed 
attempt in 100 seconds. Any user will try a second time within that 100 
seconds. Set the numbers to a reasonable user action time - how long does it 
take for a user to type and press enter, maybe 5 seconds. Set threshold at 1 
and range at 5.

Ray

On Thu, 2018-01-11 at 15:13 +0100, Fabio Martelli wrote:

Hi All, is there someone who can give me some tips to implement temporary 
account lockout after 3 consecutive failed login attempts?


It seems that authentication throttling is something really different. If I got 
it right, authentication throttling is used to temporarily inhibit successful 
authentication attempts after a failed one.

For example, with a configuration like

  *   failureThreshold: 3
  *   failureRangeInSeconds: 300

If a failed authentication attempt occurs, all the following attempts will 
fail (resulting in 423) for 100 seconds (300/3 -> thresholdRate 0.01).


As anticipated, I would like to lock out a user after 3 consecutive failed login 
attempts occurring within 60 seconds. Is it possible?

Thank you in advance for your help.

BR,

F.

--
Fabio Martelli
https://it.linkedin.com/pub/fabio-martelli/1/974/a44
http://blog.tirasa.net/author/fabio/index.html

Tirasa - Open Source Excellence
http://www.tirasa.net/index.html?pk_campaign=email_kwd=fm

Apache Syncope PMC
http://people.apache.org/~fmartelli/

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1515696550.1878.110.camel%40uvic.ca.


[cas-user] CAS 5.0.6, VersionResourceResolver and Cache-Busting

2018-01-11 Thread John Sampson
Hello, I'm currently upgrading a highly customized 4.X CAS version to 5.0.6 
and running into a problem with cached assets on our F5 Appliance. 

The problem is that many of the customized assets have the same name (ex. 
cas.js) but different content, and while we can clear the F5 Ram Cache, 
this does not allow us the flexibility to switch cleanly back and 
forth between the two versioned deployments and we would rather add 
a VersionResourceResolver to the newer version (5.0.X) of the application 
so that all assets have hash codes in the file names so that the F5 
appliance will cache the proper version, and the two applications will not 
be getting one another's assets. 

 If someone has already done this and could provide some pointers I would 
appreciate it. I think I'm half way there, but am not sure I'm not mixing 
solutions. We have a desire to get away from our highly customized versions 
and back in line with the direction of the underlying CAS software (and this 
is our first step).

I've read several articles and gotten as far as encoding the urls in the 
templates, but when the login page is accessed, the server returns a 404 
for the javascript assets, so here is what I have in the 5.0.6 application:

*Background/Environment:*

   - Software: CAS 5.0.6 built with an overlay
   - Application.properties in src/main/resources
   - JavaScript resources in: src/main/resources/static/js
   - Thymeleaf templates in: src/main/resources/static/templates
   - Environment:
      - Local: build and run locally via a fat jar.
      - Everywhere else: fat jar built on Jenkins, Docker Image deployed 
        to K8S Cluster with an F5

*Resources I've reviewed:*

   - CAS User Interface Customization (No real info)
   - Spring Boot 1.4.2 Reference (Static Content, which suggests that the 
     ResourceUrlEncodingFilter should be AutoConfigured and handled internally 
     by Thymeleaf but it doesn't seem to be, which is why I added the bean and 
     additional syntax to the templates below).


*Application.properties*

spring.resources.chain.strategy.content.enabled=true
spring.resources.chain.strategy.content.paths=/**

*StaticResourceConfig.java*

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.resource.ContentVersionStrategy;
import org.springframework.web.servlet.resource.ResourceUrlEncodingFilter;
import org.springframework.web.servlet.resource.VersionResourceResolver;

@Configuration
public class StaticResourceConfig extends WebMvcConfigurerAdapter {
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // content-hash versioning for the JS assets
        VersionResourceResolver versionResourceResolver = new VersionResourceResolver()
                .addVersionStrategy(new ContentVersionStrategy(), "/js/*.js");

        registry.addResourceHandler("/js/**")
                .addResourceLocations("classpath:/static/")
                .setCachePeriod(60 * 60 * 24 * 365) /* one year */
                .resourceChain(true)
                .addResolver(versionResourceResolver);
    }

    /**
     * Enables usage of versioned assets in Thymeleaf templates.
     */
    @Bean
    public ResourceUrlEncodingFilter resourceUrlEncodingFilter() {
        return new ResourceUrlEncodingFilter();
    }
}

*LoginForm.html* 

 ... 

<script type="text/javascript"
        th:src="${@mvcResourceUrlProvider.getForLookupPath('/js/login.js')}"/>

...

The script tag above is rendered properly in the page by 
the ResourceUrlEncodingFilter:


However, the server responds with a 404 when the file is requested. 

*Conclusion:*

I feel like I'm missing some component that maps 
login-5082a374b0db842cb10cbe96ee10ecbc.js back to login.js when the request 
is received but don't know where to go and debug to look for it. 

In my Google searches, I've seen a few bugs listed with regards to the 
ordering of Resolvers and the Ant Path Matching Patterns in 
Spring/SpringBoot, but am just getting around to figuring out which classes 
log to debug and can report back when I find anything there, but wanted to 
get this email in the event anyone has some experience or advice with this.

Thanks,

-John

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2c886b2e-5b24-47e8-9ada-78dd9eb04d7c%40apereo.org.


[cas-user] Steam OpenId2 auth

2018-01-11 Thread FritzTheWonderMutt
 

I need to add Steam auth to our CAS 5.1.7 implementation, but Steam only 
offers OpenId2.

I see that the Pac4j code has an older Yahoo OpenId client that I could use 
as a template:

https://github.com/pac4j/pac4j/blob/master/pac4j-openid/src/main/java/org/pac4j/openid/client/YahooOpenIdClient.java

 

And I found that on line 414 of 
org.apereo.cas.support.pac4j.config.support.authentication.Pac4jAuthenticationEventExecutionPlanConfiguration
the clients are built and added to the ClientAuthenticationHandler.


The question is, what is the best way to add a new OpenId2 client into the 
pac4j ClientAuthenticationHandler.clients?

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ca2f7c49-14d7-461c-94d8-3b04baa7b5b2%40apereo.org.


[cas-user]

2018-01-11 Thread Jeffrey Ramsay
All -

I need some help getting a somewhat crazy idea I have started. We use CAS
with Ellucian Banner and those of you familiar with the application and
support multiple instances will probably understand why I'm attempting to
do this.

We have around nine instances of Banner and each requires a CAS instance
for authentication because there are different passwords used. CAS allows
for multiple user stores however, the first match is used for
authentication and that is not what we want.

So, I've decided to try and consolidate our instances and am attempting to
get this started; however, I'm not successful in retrieving the "instance"
value in calls to the Credentials controller.

@loginform.html:

.
.
.

Database:


BANDEV
BANTMP
BANQA




Where do I start? I just want to be able to log the value after a couple of
days hitting my head against the wall.

Thanks,
-Jeff

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2BTBYORXyX1YCu3ob7LWeOz3xQTTdrxaGW%3DAKA9a%3DsbOjC2JQQ%40mail.gmail.com.


Re: [cas-user] Re: Webflow error in CAS 5.1.4

2018-01-11 Thread Adam Causey
Misagh,

I discovered that our app vulnerability scanner is creating the 500 errors
with a bad request; however, I believe a better practice would be for CAS
to handle these errors and return a 400 (Bad Request) HTTP response code
instead of 500, which indicates there is an unhandled exception in the code.

Can CAS be updated to better handle these errors and return a more
appropriate response?

Thanks,
Adam

On Mon, Jan 8, 2018 at 2:39 PM, Misagh Moayyed  wrote:

> This is about a bad webflow execution key, indicated by the execution
> parameter that is badly provided or parsed. Either you have someone trying
> to POST to the CAS login endpoint from the outside, or you have someone
> send you a bad request to a page/endpoint that causes the blowup.
> Coincidentally, a project I am working on today reported a similar issue
> and it turned out to be a saml request sent to the CAS logout endpoint
> (which was wrong to begin with). You may also want to look at your
> access-log and see where the requests are coming from.
>
> --Misagh
>
> --
>
> *From: *"Adam Causey" 
> *To: *cas-user@apereo.org
> *Sent: *Friday, January 5, 2018 6:40:42 PM
> *Subject: *Re: [cas-user] Re: Webflow error in CAS 5.1.4
>
> Misagh,
>
> The login page loads fine for users. Is there something on the page that I
> should check?
>
> Thanks!
>
> On Fri, Jan 5, 2018, 11:45 AM Misagh Moayyed  wrote:
>
>> You have a bad login page.
>>
>> Also you're to upgrade to the latest 5.1.x release line. Any patch
>> release that goes out unofficially invalidates its predecessors.
>>
>> --Misagh
>>
>> --
>>
>> *From: *"Adam Causey" 
>> *To: *cas-user@apereo.org
>> *Sent: *Friday, January 5, 2018 8:16:21 AM
>> *Subject: *[cas-user] Re: Webflow error in CAS 5.1.4
>>
>> We have kept version 5.1.4 in production, however we still see the errors
>> in the logs. We haven't received any user complaints, and there is no
>> username coming back with the error message.  Does anyone know how I might
>> be able to trace back what page is creating the error?
>>
>>
>> On Thu, Jan 4, 2018 at 7:21 AM, Adam Causey  wrote:
>>
>>> I recently rolled out CAS 5.1.4 to our production environment, however
>>> we started to see these errors in our logs. We performed a great deal of
>>> testing but never encountered this error. Any ideas of what could be
>>> causing this?
>>>
>>>
>>> 2018-01-04 07:18:13,905 [ajp-nio-8011-exec-1] ERROR org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet] - Servlet.service() for servlet [dispatcherServlet] in context with path [/cas] threw exception [Request processing failed; nested exception is org.springframework.webflow.execution.repository.BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key 'e2s1', the expected format is '_'] with root cause
>>>
>>> org.springframework.webflow.execution.repository.BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key 'e2s1', the expected format is '_'
>>> at org.apereo.spring.webflow.plugin.ClientFlowExecutionKey.parse(ClientFlowExecutionKey.java:102) ~[spring-webflow-client-repo-1.0.3.jar!/:1.0.3]
>>> at org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.parseFlowExecutionKey(ClientFlowExecutionRepository.java:74) ~[spring-webflow-client-repo-1.0.3.jar!/:1.0.3]
>>> at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:164) ~[spring-webflow-2.4.4.RELEASE.jar!/:2.4.4.RELEASE]
>>> at sun.reflect.GeneratedMethodAccessor293.invoke(Unknown Source) ~[?:?]
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_141]
>>> at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_141]
>>> at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333) ~[spring-aop-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>> at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190) ~[spring-aop-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>> at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) ~[spring-aop-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>> at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133) ~[spring-aop-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>> at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:121) ~[spring-aop-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>> at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) 
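Misagh's suggestion in the thread is to go to the access log and see where the bad requests come from. The following is an added example (Python, not CAS code) that does that correlation: it pulls the timestamp and rejected key out of error-log lines in the format shown above, parses Tomcat access-log lines in the common log format, and lists the 5xx requests to CAS endpoints logged within a couple of seconds of each error, grouped by client IP. Both log samples are constructed for the example (the IPs, paths and second error are made up), and the script assumes both logs are written in the same local time zone.

```python
import re
from datetime import datetime, timedelta

# Error-log line in the format shown in the thread; the key is what the
# ClientFlowExecutionKey parser rejected.
ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} .*"
    r"BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key '(?P<key>[^']*)'"
)
# Tomcat common log format: ip ident user [time] "method path proto" status bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed samples: a CAS error log and an access log covering the same seconds.
ERROR_LOG = [
    "2018-01-04 07:18:13,905 [ajp-nio-8011-exec-1] ERROR org.apache.catalina.core.ContainerBase"
    ".[Tomcat].[localhost].[/cas].[dispatcherServlet] - Servlet.service() for servlet "
    "[dispatcherServlet] in context with path [/cas] threw exception [Request processing failed; "
    "nested exception is org.springframework.webflow.execution.repository."
    "BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key 'e2s1'] with root cause",
    "2018-01-04 07:18:14,002 [ajp-nio-8011-exec-3] INFO  org.example.Unrelated - unrelated line, constructed",
    "2018-01-04 07:18:20,110 [ajp-nio-8011-exec-2] ERROR org.apache.catalina.core.ContainerBase"
    ".[Tomcat].[localhost].[/cas].[dispatcherServlet] - Servlet.service() for servlet "
    "[dispatcherServlet] in context with path [/cas] threw exception [Request processing failed; "
    "nested exception is org.springframework.webflow.execution.repository."
    "BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key 'AAAA'] with root cause",
]
ACCESS_LOG = [
    '10.20.30.40 - - [04/Jan/2018:07:18:13 -0600] "POST /cas/login?service=https://app.example/ HTTP/1.1" 500 1432',
    '192.0.2.17 - - [04/Jan/2018:07:18:13 -0600] "GET /cas/login?service=https://app.example/ HTTP/1.1" 200 8873',
    '10.20.30.40 - - [04/Jan/2018:07:18:20 -0600] "POST /cas/logout HTTP/1.1" 500 1432',
    '198.51.100.9 - - [04/Jan/2018:07:18:21 -0600] "POST /cas/login HTTP/1.1" 401 4401',
]


def parse_error_log(lines):
    """(timestamp, rejected key) for every webflow-key error line."""
    found = []
    for line in lines:
        m = ERROR_RE.search(line)
        if m:
            found.append((datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("key")))
    return found


def parse_access_log(lines):
    """One dict per parseable access-log line; the zone offset is dropped so the
    naive time compares with the error log (same local zone assumed)."""
    requests = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            requests.append({"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
                             "path": m.group("path"), "status": int(m.group("status"))})
    return requests


def correlate(errors, requests, window_seconds=2):
    """For each error, the 5xx requests to /cas/ endpoints logged within the window."""
    window = timedelta(seconds=window_seconds)
    matches = []
    for ts, key in errors:
        for r in requests:
            if r["status"] >= 500 and r["path"].startswith("/cas/") and abs(r["ts"] - ts) <= window:
                matches.append((key, r["ip"], r["method"], r["path"]))
    return matches


def sources(matches):
    """Count matched requests per client IP, the list you would compare with a scanner's address."""
    counts = {}
    for _, ip, _, _ in matches:
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

In the sample both errors line up with POSTs from the same address, which is the pattern Adam reports: a scanner submitting malformed requests. If the proxy in front of Tomcat rewrites the client address, log X-Forwarded-For instead of the socket peer before relying on this.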

[cas-user] authentication throttling and temporary account lockout

2018-01-11 Thread Fabio Martelli
Hi All, is there someone who can give me some tips to implement 
*temporary account lockout after 3 consecutive failed login attempts*?



It seems that authentication throttling is something really different. 
If I got it right, authentication throttling is used to temporarily inhibit 
successful authentication attempts after a failed one.


For example, with a configuration like

 * *failureThreshold*: 3
 * *failureRangeInSeconds*: 300

If a failed authentication attempt occurs, all the following attempts 
will fail (resulting in 423) for 100 seconds (300/3 -> *thresholdRate* 
0.01).



As anticipated, I would like to lock out a user after 3 consecutive failed login 
attempts occurring within 60 seconds. Is it possible?


Thank you in advance for your help.

BR,

F.

--
Fabio Martelli
https://it.linkedin.com/pub/fabio-martelli/1/974/a44
http://blog.tirasa.net/author/fabio/index.html

Tirasa - Open Source Excellence
http://www.tirasa.net/index.html?pk_campaign=email_kwd=fm

Apache Syncope PMC
http://people.apache.org/~fmartelli/

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5a4e9a50-f57d-6c87-9383-39123efcd62f%40gmail.com.


[cas-user] SAML FriendlyName and Name using same value

2018-01-11 Thread Bergner, Arnold
Hi William,

I think we are trying to do the same, and I have to confirm that the only solution I 
found was exactly mapping the attributes to the URI name.

We want to use the consent module along with it and really don't want those 
URIs to appear in the consent view for our users.

It would be great if the SAML URI, e.g. "urn:oid:2.5.4.42", could be 
configurable similarly to the name format, that is globally for available 
attributes, and also as part of the service definition to override.

I would take up the task some time, if no one else does first.

Regards
Arnold

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of William E.
Sent: Wednesday, 10 January 2018 22:29
To: CAS Community 
Subject: [cas-user] SAML FriendlyName and Name using same value

Hi all,

I'm pretty sure this is not a current feature of CAS 5.2.x, but I just wanted 
to ask this community if they found any way to do so by some config trickery.  
If not, would the awesome CAS developers be interested in putting this on the 
list of future feature enhancements please?

So we're trying to use the saml idp of cas 5.2 to replace our shibboleth 
service.  Seems most SPs work but a few don't and unfortunately getting logs 
from vendors or technical insight is sometimes challenging.  But one distinct 
difference between the attributes shibboleth returns and cas IDP returns is 
that with cas, while you can specify the "return attribute x as name y" part, 
it's used for both the name and friendlyname values.

For example, in our config Shibboleth returns the givenName like so:

<saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42">
  <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xsd:string">Jane</saml2:AttributeValue>
</saml2:Attribute>

With Name="urn:oid:2.5.4.42" and FriendlyName="givenName".


In the cas service definition I can specify givenName should be returned as 
urn:oid:2.5.4.42, which is awesome, but the urn:oid... is used for both Name 
and FriendlyName values.


  attributeReleasePolicy:
  {
@class: org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
allowedAttributes:
{
  @class: java.util.TreeMap
  givenName: "urn:oid:2.5.4.42"
...

<saml2:Attribute FriendlyName="urn:oid:2.5.4.42" Name="urn:oid:2.5.4.42">
  <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xsd:string">Jane</saml2:AttributeValue>
</saml2:Attribute>


Anyone know of a way to specify a different value for FriendlyName than Name?


Thanks,
William

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a58be248-9a81-4d24-a3b4-701eaf90c9e9%40apereo.org.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/acf8e06df1ff44888eb570f4181fea9b%40hrz.tu-darmstadt.de.
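The thread above describes two shapes of the same SAML attribute: Shibboleth emits Name="urn:oid:2.5.4.42" with FriendlyName="givenName", while the CAS 5.2 SAML IdP, as configured with ReturnMappedAttributeReleasePolicy, uses the mapped URI for both. The following is an added example (not code from CAS, Shibboleth, or any poster) that parses both shapes and shows which SP-side lookups survive the difference. The two attribute statements are constructed to mirror what the posters describe; the NameFormat value is the standard SAML 2.0 URI format and is included as an assumption, since the thread does not show it. SAML 2.0 Core states that FriendlyName must not be used as the basis for identifying an attribute, so an SP that breaks here is keying on the wrong field, which is worth checking before filing a CAS feature request.

```python
"""Parse SAML 2.0 Attribute elements and contrast an SP lookup keyed on
FriendlyName with one keyed on Name.

Added example; not CAS or Shibboleth project code. Samples are constructed.
"""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"  # assumed NameFormat

# Constructed sample, Shibboleth style: Name is the OID URI, FriendlyName the label.
SHIB_STATEMENT = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2_NS}">
  <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="{URI_FORMAT}">
    <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xsd:string">Jane</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

# Constructed sample, CAS 5.2 style as described in the thread: the mapped
# value "urn:oid:2.5.4.42" is used for both Name and FriendlyName.
CAS_STATEMENT = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2_NS}">
  <saml2:Attribute FriendlyName="urn:oid:2.5.4.42" Name="urn:oid:2.5.4.42" NameFormat="{URI_FORMAT}">
    <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xsd:string">Jane</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def parse_attributes(xml_text):
    """Return {Name: {"friendly_name", "name_format", "values"}} for every
    saml2:Attribute in the document.

    For a real SAML response parse with defusedxml, and only after the
    assertion signature has been verified; this stdlib parser is fine for
    the constructed samples here.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml2:AttributeValue", NS)]
        result[attr.get("Name")] = {
            "friendly_name": attr.get("FriendlyName"),
            "name_format": attr.get("NameFormat"),
            "values": values,
        }
    return result


def values_by_friendly_name(attrs, friendly_name):
    """Fragile SP lookup: keys on the human-readable label. Returns the
    value list, or None when no attribute carries that FriendlyName."""
    for info in attrs.values():
        if info["friendly_name"] == friendly_name:
            return info["values"]
    return None


def values_by_name(attrs, name):
    """Robust SP lookup: keys on Name, the field SAML defines as the
    attribute identifier. Returns the value list or None."""
    info = attrs.get(name)
    return info["values"] if info else None


def friendly_name_mismatches(attrs, expected):
    """Diagnostic for the symptom in the thread: list the Names whose
    FriendlyName differs from the label the SP expects. `expected` maps
    Name -> expected FriendlyName."""
    return sorted(name for name, label in expected.items()
                  if name in attrs and attrs[name]["friendly_name"] != label)


if __name__ == "__main__":
    for label, doc in (("shibboleth", SHIB_STATEMENT), ("cas", CAS_STATEMENT)):
        attrs = parse_attributes(doc)
        print(label, "by FriendlyName:", values_by_friendly_name(attrs, "givenName"),
              "by Name:", values_by_name(attrs, "urn:oid:2.5.4.42"),
              "mismatches:", friendly_name_mismatches(attrs, {"urn:oid:2.5.4.42": "givenName"}))
```

Running `friendly_name_mismatches` over a captured (and already verified) assertion from a failing SP integration tells you quickly whether the vendor's SP is keying on FriendlyName; if it is, the fix belongs on the SP side, and the CAS-side workaround in the thread only papers over it.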


[cas-user] Re: JSON registered services infos not appearing in the login page!!

2018-01-11 Thread noumann.f
Got it, thanks a lot.

Best regards,

On Thursday, January 11, 2018 at 4:56:04 AM UTC+2, Andy Ng wrote:
>
> Are you directly accessing your site like this:
> https://www.example.com/cas
>
> Instead of giving it a service param
> https://www.example.com/cas?service=https://www.yourpage.com
>
>
> If you want your website "https://www.example.com/cas" to have your logo 
> without giving a service parameter,
>
> you might check out this: 
> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#themes
>
> - Andy
>
> On Wednesday, 10 January 2018 22:22:12 UTC+8, noumann.f wrote:
>>
>> Hi,
>>
>> I'm running cas v5.1.x and I'd registered a test JSON service in the 
>> file `/etc/cas/config/services/HTTPSandIMAPS-10001.json` and setup the 
>> entry in the `cas.properties` file like this:
>> ...
>> cas.serviceRegistry.config.location=file:/etc/cas/config/services
>> ...
>>
>>
>>
>> Here is the file content:
>> {
>>   /*
>> Generic service definition that applies to https/imaps urls
>> that wish to register with CAS for authentication.
>>   */
>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>   "serviceId" : "^(https|imaps)://.*",
>>   "name" : "HTTPSandIMAPS",
>>   "description" : "This is a test registered service for everything.",
>>   "logo" : "https://d1e4pidl3fu268.cloudfront.net/66963e4a-ccba-4fdd-ba18-d5862fb4dba7/test.png",
>>   "id" : 10001
>> }
>>
>> And the log showed it's been loaded like in here:
>>
>> ...
>>
>> 2018-01-10 16:09:49,858 DEBUG [org.apereo.cas.services.DefaultServicesManager] - > ]>
>> 2018-01-10 16:09:49,860 DEBUG [org.apereo.cas.services.DefaultServicesManager] - > //.*]>
>> 2018-01-10 16:09:49,860 INFO [org.apereo.cas.services.DefaultServicesManager] - > JsonServiceRegistryDao].>
>>
>> ...
>>
>>
>> What should I do to get the service details (metadata and logo) 
>> displayed in the login page?
>>
>> Regards,
>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/055b5767-befc-467c-b74d-aa772abe8faf%40apereo.org.
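Andy's answer turns on one point: the login page can only show a registered service's name and logo when the request carries a `service` parameter that matches some definition's `serviceId` regex. The following is an added example (not CAS project code) that models that lookup with a small in-memory registry, and also shows the side effect of the catch-all pattern `^(https|imaps)://.*` from the posted definition. The matching rule used here (regex search of the service URL, lowest id wins) is an assumption that approximates CAS's RegexRegisteredService; the real evaluation order is the project's own. The second, tightly scoped definition and both logo URLs are constructed for the example.

```python
"""Model a CAS-style regex service registry lookup for the `service` parameter.

Added example; not CAS project code. The registry contents are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed registry: the broad definition from the thread plus a
# tightly scoped one, to contrast the two.
SERVICES = [
    {"id": 10001, "name": "HTTPSandIMAPS",
     "serviceId": r"^(https|imaps)://.*",
     "logo": "https://cdn.example.org/test.png"},      # hypothetical URL
    {"id": 10002, "name": "Intranet portal",
     "serviceId": r"^https://portal\.example\.edu(/.*)?$",
     "logo": "https://cdn.example.org/portal.png"},    # hypothetical URL
]


def service_param(login_url):
    """Extract the `service` query parameter from a CAS login URL, or None
    when the user hit /cas directly without one."""
    values = parse_qs(urlsplit(login_url).query).get("service")
    return values[0] if values else None


def find_registered_service(registry, service_url):
    """Return the first definition (by id) whose serviceId regex matches the
    service URL, or None. Assumption: regex search, which is why the
    patterns are anchored with ^."""
    if service_url is None:
        return None
    for svc in sorted(registry, key=lambda s: s["id"]):
        if re.search(svc["serviceId"], service_url):
            return svc
    return None


def login_page_branding(registry, login_url):
    """What the login page can display for this request: the matched
    service's name and logo, or None when nothing matched."""
    svc = find_registered_service(registry, service_param(login_url))
    if svc is None:
        return None
    return {"name": svc["name"], "logo": svc["logo"]}


def overly_broad(registry, probe_urls):
    """Names of definitions that match every probe URL. A definition that
    matches hosts you never intended to register lets any such site obtain
    service tickets and, after validation, the attributes released to it."""
    return [svc["name"] for svc in registry
            if all(re.search(svc["serviceId"], u) for u in probe_urls)]


if __name__ == "__main__":
    print(login_page_branding(SERVICES, "https://www.example.com/cas"))
    print(login_page_branding(
        SERVICES, "https://www.example.com/cas?service=https://portal.example.edu/login"))
    print(overly_broad(SERVICES, ["https://evil.example/", "https://portal.example.edu/"]))
```

Note that with both definitions present the catch-all with the lower id shadows the portal definition, so the portal never gets its own logo or attribute policy; scope `serviceId` to the hosts you actually serve, and treat a registry that `overly_broad` flags against an arbitrary external host as a finding.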