[cas-user] CAS 5.2.2 and properties

2018-02-09 Thread Matthew Hannay
Is the following structure correct?

cas-overlaytemplate/
 |
 |---etc/cas/config/cas.properties
 |
 | --overlays/org.ap.tomcat-5.2.2


when I run from c:\cas-overlaytemplate/

java -jar target\cas.war

it is not picking up the cas.properties in the etc\ directory

From what I have read the fallback is to that directory.
Even if I add

C:\dev\git-3rdparty-repos\cas-overlay-template>java -jar target/cas.war 
-Dcas.standalone.config=./etc/cas/config/
C:\dev\git-3rdparty-repos\cas-overlay-template>java -jar target/cas.war 
-Dcas.standalone.config.file=./etc/cas/config/cas.properties


If I go into the target directory and add my configurations into the 
application.properties and run the 'maven package'

I then Run

cas-overlay-template>java -jar target/cas.war

the application picks up the properties??
This then feeds me into my next series of problems


--Matt 


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7d4f8cdd-22f3-40e5-90ea-f84a55656674%40apereo.org.


Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-09 Thread Brian Davidson
I meant to add, our pom.xml has the following dependencies (in case we’re 
missing something):



<dependencies>
  <dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-webapp-${app.server}</artifactId>
    <version>${cas.version}</version>
    <type>war</type>
    <scope>runtime</scope>
  </dependency>
  <dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
  </dependency>
  <dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-saml</artifactId>
    <version>${cas.version}</version>
  </dependency>
  <dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-hazelcast-ticket-registry</artifactId>
    <version>${cas.version}</version>
  </dependency>
  <dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-duo</artifactId>
    <version>${cas.version}</version>
  </dependency>
  <dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-json-service-registry</artifactId>
    <version>${cas.version}</version>
  </dependency>
  <dependency>
    <groupId>org.javassist</groupId>
    <artifactId>javassist</artifactId>
    <version>3.17.1-GA</version>
  </dependency>
  <dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>servlet-api</artifactId>
    <version>2.5</version>
    <type>jar</type>
  </dependency>
  <dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-core-webflow</artifactId>
    <version>${cas.version}</version>
  </dependency>
  <dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-core-web</artifactId>
    <version>${cas.version}</version>
    <type>jar</type>
  </dependency>
  <dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-core-configuration</artifactId>
    <version>${cas.version}</version>
    <type>jar</type>
  </dependency>
  <dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-core-authentication</artifactId>
    <version>${cas.version}</version>
  </dependency>
</dependencies>




> On Feb 9, 2018, at 5:19 PM, Man H  wrote:
> 
> 
> add 
> 
> <dependency>
>   <groupId>org.apereo.cas</groupId>
>   <artifactId>cas-server-core-authentication</artifactId>
>   <version>${cas.version}</version>
> </dependency>
> 
> with: 
> 
> cas.authn.mfa.duo[0].bypass.type=GROOVY
> cas.authn.mfa.duo[0].bypass.groovy.location=file:/etc/cas/config/mfaGroovyTrigger.groovy
> 
> you should get
> 
> 2018-02-09 19:10:39,145 DEBUG 
> [org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] 
> -  [casuser], service [null] and provider 
> [DefaultDuoMultifactorAuthenticationProvider] via Groovy script [URL 
> [file:/etc/cas/config/mfaGroovyTrigger.groovy]]>
> 
> 
> 
> 
> 
> 2018-02-09 17:11 GMT-03:00 Brian Davidson:
> Just to add a bit to what Brian M. provided (I’m also a Brian, and a 
> co-worker of Brian M’s):
> 
> We have Duo MFA working if we comment out:
> cas.authn.mfa.duo[0].bypass.type=GROOVY
> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
> 
> We did find that CAS was unable to check to see if the user exists in Duo if 
> we used the “CAS” integration in Duo.  But it works if we set up the 
> integration as “Auth API”.
> 
> We haven’t touched webflow. With the groovy script in place, 
> 
> When we enable GROOVY bypass script, we get:
> 
> 2018-02-09 15:04:55,638 DEBUG 
> [org.springframework.webflow.engine.impl.FlowExecutionImpl] -  handle [org.springframework.webflow.execution.FlowExecutionException: 
> Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'] with root 
> cause [java.io.NotSerializableException: 
> org.springframework.core.io.UrlResource]>
> 
> As well as the stack trace Brian M. provided.
> 
> cas.authn.mfa.duo[0].bypass.groovy.location was the missing piece yesterday.  
> Dug through source code to find that.  We’re happy to provide updates to the 
> documentation once we get this working.
> 
> Thanks for the help!
> 
>> On Feb 9, 2018, at 10:14 AM, brian mancuso wrote:
>> 
>> Anything that says "REMOVED" is just stuff I pulled out before posting it. I 
>> didn't want to post any private/sensitive information.
>> 
>> On Friday, February 9, 2018 at 9:59:12 AM UTC-5, Manfredo Hopp wrote:
>> What do you mean by REMOVED in properties . 
>> 
>> On Friday, 9 February 2018, brian mancuso wrote:
>> Hey all,
>> 
>> I was originally trying to setup some custom triggers to determine who 
>> should use MFA and who is allowed to bypass. I have since been directed 
>> towards Groovy to simplify things, but I'm still having some trouble.
>> 
>> At this point, the Groovy script's purpose is strictly to test if a certain 
>> user will bypass MFA while others will not. Here's my setup:
>> 
>> /etc/cas/config/cas.properties
>> 
>> ##
>> # Duo security 2fa authentication provider
>> # https://www.duosecurity.com/docs/duoweb#1.-generate-an-akey 
>> 
>> #
>> cas.authn.mfa.duo[0].rank=0
>> cas.authn.mfa.duo[0].duoApiHost=REMOVED
>> cas.authn.mfa.duo[0].duoIntegrationKey=REMOVED
>> cas.authn.mfa.duo[0].duoSecretKey=REMOVED
>> cas.authn.mfa.duo[0].duoApplicationKey=REMOVED
>> cas.authn.mfa.duo[0].id=mfa-duo
>> cas.authn.mfa.globalProviderId=mfa-duo
>> cas.authn.mfa.globalFailureMode=OPEN
>> cas.authn.mfa.duo[0].bypass.type=GROOVY
>> 

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-09 Thread Brian Davidson
Added cas-server-core-authentication dependency.  Still getting the same 
exception.

I do get:

2018-02-09 23:31:04,841 DEBUG 
[org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] - 


We’ve had that working since adding the bypass.type=GROOVY and 
bypass.groovy.location I mentioned in the previous email.

We then get:

2018-02-09 23:31:06,088 DEBUG 
[org.apereo.cas.authentication.AbstractMultifactorAuthenticationProvider] - 
<[DefaultDuoMultifactorAuthenticationProvider] voted to support this 
authentication request>

Re: [cas-user] Failed To Add TGT Ticket - MongoDB Ticket Registry CAS 45.2.

2018-02-09 Thread michael kromarek
Sorry, there's a bit of a history to the problem that involved several
other ticket registries.

On CAS 3.5 we were using PostgreSQL, but when I upgraded to CAS 5.x I
switched to Hazelcast.  Which worked okay except that after three days
principal IDs start to become null after successful authentication.  We
thought it might be something with Hazelcast so we tried Dynamo which was
an instant bust as it complained about an empty string.  We then tried
Redis with AWS but the Setex command was being given a -1 for the ticket
expiration time.  So we tried MongoDB, which wasn't writing tickets.
PostgreSQL was the fallback, though my manager preferred I find something
more performant since the JPA driver can be a bit slow (not to mention the
need for 4+ triggers on the ticketgrantingticket table and another 2-3 on the
serviceticket table).

But now that I found that the ticket expiration time was the culprit, I
should be able to go forward with MongoDB or Redis.  Though the expiration
time problem does sound like a bug to me, but I'm not sure where to report
that.

--Mike K.

On Fri, Feb 9, 2018 at 1:03 PM, Uxío Prego  wrote:

> I’m a little lost now.
>
> Are you sure you need to waste that much energy investigating so many
> ticket registry alternatives? Shouldn’t you be trying to just assess the
> feasibility of using that data base with which you feel more comfortable?
>
> To be more clear, let’s say it works better using MongoDB than PostgreSQL.
> If you already have a large body of PostgreSQL exposure, which you have
> demonstrated, even if MongoDB performs better there are chances your total
> cost of ownership will be smaller by using PostgreSQL.
>
> I’m sorry again I can’t help you, but with this energy and eagerness you
> seem to have I’m sure you aren’t going to have a lot of trouble with CAS
> once you focus on your problem. Or is it that your thing is to assess which
> one performs better? And if so, why not just ask that?
>
> Regards,
>
> On 9 Feb 2018, at 20:55, michael kromarek  wrote:
>
> So it turns out I already had the driver turned to debug, so no new
> information there.  But I did up the verbosity level of MongoDB log to 5
> and noticed that a write attempt for the TGT ticket wasn't even made
> (subsequent fetches were made though).
>
> I decided to try pulling down the latest maven overlay and move my
> settings over one by one to see what would cause the problem, and culprit
> turned out to be
>
> cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=28800
>
>
> If I comment that out, it writes the ticket no problem.  If I set it, it
> fails creating the ticket and never writes it to or even attempts to write it
> to Mongo.  I think this is an error in the ExpirationPolicy class as I have
> also tried Redis and noticed it was writing the expiration time as -1.  -1
> is not acceptable to Redis so it won't make the record.  I also tried
> DynamoDB and noticed it was complaining about an empty string being written
> (which for whatever reason Dynamo does not like empty strings at all).  I'm
> thinking PostgreSQL didn't have a problem because the expiration policy is
> stored as a large object and it probably doesn't care what it is.
>
> --Mike K.
>
> On Wed, Feb 7, 2018 at 5:51 AM, michael kromarek 
> wrote:
>
>> I'll give that a shot and let you know what I find.
>>
>> Thank you.
>>
>> On Wed, Feb 7, 2018 at 5:31 AM, David Curry 
>> wrote:
>>
>>> Ah - you just reminded me, and I should have mentioned this last time.
>>> Try adding this to your log4j2.xml:
>>>
>>> 
>>>
>>>
>>> That's the actual Java driver.
>>>
>>> --Dave
>>>
>>>
>>> --
>>> DAVID A. CURRY, CISSP
>>> *DIRECTOR OF INFORMATION SECURITY*
>>> INFORMATION TECHNOLOGY
>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>> 
>>> +1 212 229-5300 x4728 <(212)%20229-5300> • david.cu...@newschool.edu
>>> [image: The New School]
>>>
>>> On Wed, Feb 7, 2018 at 8:25 AM, michael kromarek 
>>> wrote:
>>>
 Hi Dave,

 I actually tried those settings first (I was following your guide, but
 only having a single server instead of a cluster for mongo).
 Unfortunately, it fails in the same way with those settings too.  I might
 be able to eke out a little more information if I set

 org.apereo.cas.ticket.registry.MongoDbTicketRegistry

 to debug in the logger, though I  already have org.apero.cas and
 com.mongo set to debug.

 --Mike K

 On Wed, Feb 7, 2018 at 5:15 AM, David Curry 
  wrote:

> Mike,
>
> The only thing that strikes me as odd in your settings is this one:
>
> cas.ticket.registry.mongo.collectionName=cas-ticket-registry
>
>
> The Mongo ticket registry uses multiple collections:
>
> proxyGrantingTicketsCollection
> 

[cas-user] LDAP failing Silently

2018-02-09 Thread Matthew Hannay

The following page

https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#ldap-authentication-1

Says bad configurations disable CAS LDAP silently!!


How do I go about stopping it from failing silently?


--Matt



Re: [cas-user] Re: Upgrade CAS 3.5.2 to CAS 5.x

2018-02-09 Thread Dmitriy Kopylenko
So, a few points. On the class names between 3 and 5 - you don’t 
have to worry about it anymore (well, as long as you don’t need to extend CAS 
and program against its internals and extension points). The general theme of 
CAS v5 is the so-called “intention driven configuration” model - that is, you 
operate within the war overlay and express your intentions to use features of CAS 
by 1) declaring dependencies on the modules that implement the features you need and 2) 
configuring those modules purely by a set of key-value properties. No need to have 
deep knowledge of CAS internals, e.g. class names, or to assemble the server 
yourself by crafting and gluing together the necessary Spring beans, etc. 
As for your #2 - that is a multi-tenancy feature, which is 
currently not implemented in CAS. 
HTH,
D. 

On Fri, Feb 9, 2018 at 8:53 PM -0500, "Chava"  wrote:

Anyone has ideas on this?

2) I also want to support multiple IDPs vendors  and use CAS as IDP  , this 
should be based on customer?  Do I need to customize login web flow to use 
different IDP based on customer?  This means one customer is using CAS login 
back end oracle db.and another customer using ADFS or OKTA  but this should be 
configurable.
3) Is there any good example for CAS delegated authentication to ADFS?  

On Sun, Feb 4, 2018 at 6:18 PM, Matthew Hannay  
wrote:
Good question. I am trying to do a similar upgrade; there seems to be no 
deprecation path (or very little) for classes from version 3-->4-->5, so if I 
use org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver 
in version 3 where do I go in version 4 or 5? 

--Matt

On Saturday, 13 January 2018 11:54:05 UTC+10, Mr Rao  wrote:
Hi,
I would like to upgrade CAS from 3.5.2 to the latest 5.x version. 1) Is there any 
easy way or special instructions to upgrade it?

2) I also want to support multiple IDPs vendors  and use CAS as IDP  , this 
should be based on customer?  Do I need to customize login web flow to use 
different IDP based on customer?  This means one customer is using CAS login 
back end oracle db.and another customer using ADFS or OKTA  but this should be 
configurable.
3) Is there any good example for CAS delegated authentication to ADFS?  

Thanks
Rao


Re: [cas-user] Re: Upgrade CAS 3.5.2 to CAS 5.x

2018-02-09 Thread Chava
Anyone has ideas on this?


2) I also want to support multiple IDPs vendors  and use CAS as IDP  , this
should be based on customer?  Do I need to customize login web flow to use
different IDP based on customer?  This means one customer is using CAS
login back end oracle db.and another customer using ADFS or OKTA  but this
should be configurable.

3) Is there any good example for CAS delegated authentication to ADFS?


On Sun, Feb 4, 2018 at 6:18 PM, Matthew Hannay 
wrote:

> Good question. I am trying to do a similar upgrade; there seems to be
> no deprecation path (or very little) for classes from version 3-->4-->5,
> so if I use
>
> org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver
>
> in version 3 where do I go in version 4 or 5?
>
>
> *--Matt*
> On Saturday, 13 January 2018 11:54:05 UTC+10, Mr Rao wrote:
>>
>> Hi,
>>
>> I would like to upgrade CAS from 3.5.2 to  latest 5.x version, 1) Is
>> there any easy way or special instructions to upgrade it?
>>
>> 2) I also want to support multiple IDPs vendors  and use CAS as IDP  ,
>> this should be based on customer?  Do I need to customize login web flow to
>> use different IDP based on customer?  This means one customer is using CAS
>> login back end oracle db.and another customer using ADFS or OKTA  but this
>> should be configurable.
>>
>> 3) Is there any good example for CAS delegated authentication to ADFS?
>>
>>
>> Thanks
>> Rao
>>
>>
>>
>>
>>



Re: [cas-user] Issues with service registry on 5.2.2

2018-02-09 Thread Dmitriy Kopylenko
For CAS versions 5.2+ use cas.serviceRegistry.json.location property: 
https://apereo.github.io/cas/development/installation/Configuration-Properties.html#json-service-registry

Cheers,
D.


From: Christopher Myers 
Reply: cas-user@apereo.org 
Date: February 9, 2018 at 2:29:46 PM
To: CAS Community 
Subject:  [cas-user] Issues with service registry on 5.2.2  

I apologize in advance, I didn't realize that the jasig-cas-user list wasn't 
the current one because that's the list that showed up in my Google searches, 
and it appears to still be active based on others posting out there.

So I'm cross-posting to this list, which I guess is the current one?

Hi all,

This has been driving me nuts the last couple of days, so I decided to just 
reach out in case anyone had thoughts.

The long story is we used Apereo CAS up through version 4.x last year, then 
switched over to WSO2 per our SIS vendor's recommendation (Ellucian -- they 
developed CAS plugins for WSO2, and the promise of not having to maintain both 
CAS and Shibboleth servers was too great to pass up.) However, it's definitely 
not meeting our needs, so I'm in the process of switching us back to the 
regular Apereo CAS.

I'm using the maven overlay template, and things seem to be working ok so far, 
with the exception of the service registry (specifically, the JSON registry.) 
I'm running into two problems that I'm hoping someone can help out with.

1.) How in the world do you get CAS to not include the default Apereo and 
HTTPS/IMAPS service configuration when you package?
2.) It seems as if the ability to do an external file location for the service 
registry isn't functional on the latest version?

At this point I've googled my fingers to the bone on both issues, but haven't 
come up with the magical working combination. Based on threads like the 
following, it seems like things should just work, but none of the things 
suggested have:
https://groups.google.com/forum/#!topic/jasig-cas-user/UpflUgRKtT0
https://groups.google.com/forum/#!topic/jasig-cas-user/fukomW8Ayos
https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/IXIrh-ZqzrY
https://apereo.github.io/cas/5.1.x/installation/JSON-Service-Management.html
(and several others)

I've verified that I've got the cas-server-support-json-
service-registry dependency added, and tried every which way to set the 
cas.serviceRegistry.config.location option (colon vs equals sign, file:, 
file://, no "file" at all, etc.) and still, it always ignores the external 
location that I've set (/etc/cas/services folder.) I've checked filesystem 
permissions (even set to 777 for a while,) and after each attempt would go 
through the regimen of:
- undeploy war
- ./build.sh clean
- ./build.sh package
- redeploy war

all to no avail, and with nothing in the catalina or CAS logs. Even if I set a 
totally bogus cas.serviceRegistry.config.location, it doesn't throw any 
errors/warnings/etc.

If I create a "src/main/resources/services" folder in the cas-overlay-template 
folder, and put a .json file in it, it gets picked up and dumped in the 
"classpath:/services" folder of the deployed application 
(/usr/share/tomcat/webapps/cas/WEB-INF/classes/services), as expected. Which I 
guess works (except for the fact that I don't want the two default .json 
services.) But I'd much rather have the .json files saved to that /etc/ folder 
if at all possible.

I'm curious if the problem is related to the 
cas-server-support-json-service-registry plugin? The reason I'm wondering that 
is because I tried to set up the cas-management webap, and it's doing the same 
thing -- instead of following my request to pull the services from the CAS 
classpath:/services location 
(file:/usr/share/tomcat/webapps/cas/WEB-INF/classes/services), it's pulling 
from its own WEB-INF/classes/services folder.

(Obviously, I'd rather have them pull from /etc/cas/services...or anywhere 
else...but barring that, I'd like for the management webapp to at least be 
functional.)

We're currently on version 5.2.2 2018-01-31T22:29Z on SLES 12 SP3, Tomcat 
8.0.43, Java 8.

Thanks much!

Chris

Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-02-09 Thread David Hawes
On Fri, Feb 9, 2018 at 4:00 PM, Mukunthini Jeyakumar
 wrote:
> Hi
>
> I'm seeing the same error even If I use /serviceValidate endpoint. As soon
> as I turn on CASValidateSAML, I'm getting the error
>
> Here is my mod_auth_cas. (I've used David Curry's Guide )
>
> LoadModule auth_cas_module modules/mod_auth_cas.so
>
> 
>
> AuthType CAS
> CASAuthNHeader  On
> 
> Require valid-user
> 
>
> 
> 
> AuthType CAS
> CASAuthNHeader  On
> 
> Require valid-user
> 
>
> 
>CASCertificatePath /etc/pki/tls/certs/
> CASCookiePath /var/lib/cas/
> CASValidateURL https://:8443/cas/serviceValidate
> #CASValidateURL https://:8443/cas/samlValidate
> CASLoginURL https://:8443/cas/login
> CASSSOEnabled On
> CASDebug  On
> CASValidateSAML   On
> LogLevel debug
> 

Use:

CASValidateURL https://:8443/cas/serviceValidate
CASValidateSAML   Off

or:

CASValidateURL https://:8443/cas/samlValidate
CASValidateSAML   On

What you have posted here will not work.

> 2018-02-09 15:55:50,016 WARN [org.springframework.web.servlet.PageNotFound]
> - 

SAML validation requires POST. Make sure you aren't mixing up your
directives (see above) and ensure that you can POST to
https://:8443/cas/samlValidate.
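
The two consistent pairings above (serviceValidate with CASValidateSAML Off, samlValidate with CASValidateSAML On) can be checked mechanically before the vhost is reloaded. The following Python script is an added example, not part of this thread or of mod_auth_cas itself: it parses the directives from a constructed config modelled on the block quoted above (with a placeholder host, since the original elided it), reports the mismatch, and emits the directive pair that belongs together.

```python
from urllib.parse import urlparse

# Constructed sample modelled on the block quoted in the thread; the host is a
# placeholder because the original post elided it. This is the broken pairing:
# serviceValidate together with CASValidateSAML On.
SAMPLE_CONFIG = """\
CASCertificatePath /etc/pki/tls/certs/
CASCookiePath /var/lib/cas/
CASValidateURL https://cas.example.org:8443/cas/serviceValidate
#CASValidateURL https://cas.example.org:8443/cas/samlValidate
CASLoginURL https://cas.example.org:8443/cas/login
CASSSOEnabled On
CASDebug  On
CASValidateSAML   On
"""


def parse_directives(text):
    """Map directive name -> value for the last active occurrence of each.

    Comment lines and container tags such as <Location> are skipped; a
    directive repeated later in the file overrides an earlier one, which is
    how Apache resolves duplicates within one scope.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0]] = parts[1].strip()
    return directives


def validation_endpoint(url):
    """Last path segment of CASValidateURL, e.g. 'serviceValidate'."""
    return urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]


def check_validation_pairing(text):
    """Return a list of problems; an empty list means the pairing is consistent."""
    d = parse_directives(text)
    url = d.get("CASValidateURL")
    if url is None:
        return ["CASValidateURL is not set"]
    saml_on = d.get("CASValidateSAML", "Off").lower() == "on"
    endpoint = validation_endpoint(url)
    problems = []
    # With CASValidateSAML On the module POSTs a SAML request; only the
    # samlValidate endpoint accepts that, so any other endpoint is a mismatch.
    if saml_on and endpoint != "samlValidate":
        problems.append(
            "CASValidateSAML On but CASValidateURL ends in /%s: "
            "set CASValidateSAML Off or point the URL at /samlValidate" % endpoint)
    # The reverse mistake: samlValidate expects a SAML POST, which the module
    # will not send while CASValidateSAML is Off.
    if not saml_on and endpoint == "samlValidate":
        problems.append(
            "CASValidateURL points at /samlValidate but CASValidateSAML is Off: "
            "set CASValidateSAML On or use /serviceValidate")
    # Ticket validation is the trust anchor of the login; it must not travel
    # over plain HTTP where the validation response could be altered.
    if urlparse(url).scheme != "https":
        problems.append("CASValidateURL must use https")
    return problems


def consistent_pair(url, use_saml):
    """Return the two directive lines that belong together, keeping the
    scheme, host, port and context path of the existing CASValidateURL."""
    p = urlparse(url)
    base = p.path.rstrip("/").rsplit("/", 1)[0]
    endpoint = "samlValidate" if use_saml else "serviceValidate"
    return [
        "CASValidateURL %s://%s%s/%s" % (p.scheme, p.netloc, base, endpoint),
        "CASValidateSAML %s" % ("On" if use_saml else "Off"),
    ]


if __name__ == "__main__":
    for problem in check_validation_pairing(SAMPLE_CONFIG):
        print("problem:", problem)
    current = parse_directives(SAMPLE_CONFIG)["CASValidateURL"]
    print("\n".join(consistent_pair(current, use_saml=True)))
```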



Re: [cas-user] inspektr

2018-02-09 Thread Man H
This is for creating your own audit entry points.
Cas already defined them, so you just use it.

2018-02-09 17:30 GMT-03:00 Cheltenham, Chris :

> Does anyone have better documentation for inspektr?
>
>
>
>
>
> I just read this
>
>
>
> https://github.com/apereo/inspektr/blob/master/README.md
>
>
>
> and I have NO clue what any of it means.
>
>
>
>
>
>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>


Re: [cas-user] Issues with service registry on 5.2.2

2018-02-09 Thread Man H
If you edit build.sh you'll see
function copy() {
echo -e "Creating configuration directory under /etc/cas"
mkdir -p /etc/cas/config

echo -e "Copying configuration files from etc/cas to /etc/cas"
cp -rfv etc/cas/* /etc/cas
}


Instead, run mvn clean package

2018-02-09 16:29 GMT-03:00 Christopher Myers :

> I apologize in advance, I didn't realize that the jasig-cas-user list
> wasn't the current one because that's the list that showed up in my Google
> searches, and it appears to still be active based on others posting out
> there.
>
> So I'm cross-posting to this list, which I guess is the current one?
>
> Hi all,
>
> This has been driving me nuts the last couple of days, so I decided to
> just reach out in case anyone had thoughts.
>
> The long story is we used Apereo CAS up through version 4.x last year,
> then switched over to WSO2 per our SIS vendor's recommendation (Ellucian --
> they developed CAS plugins for WSO2, and the promise of not having to
> maintain both CAS and Shibboleth servers was too great to pass up.)
> However, it's definitely not meeting our needs, so I'm in the process of
> switching us back to the regular Apereo CAS.
>
> I'm using the maven overlay template, and things seem to be working ok so
> far, with the exception of the service registry (specifically, the JSON
> registry.) I'm running into two problems that I'm hoping someone can help
> out with.
>
> 1.) How in the world do you get CAS to not include the default Apereo and
> HTTPS/IMAPS service configuration when you package?
> 2.) It seems as if the ability to do an external file location for the
> service registry isn't functional on the latest version?
>
> At this point I've googled my fingers to the bone on both issues, but
> haven't come up with the magical working combination. Based on threads like
> the following, it seems like things should just work, but none of the
> things suggested have:
> https://groups.google.com/forum/#!topic/jasig-cas-user/UpflUgRKtT0
> https://groups.google.com/forum/#!topic/jasig-cas-user/fukomW8Ayos
> https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/IXIrh-ZqzrY
> https://apereo.github.io/cas/5.1.x/installation/JSON-Service-Management.html
> (and several others)
>
> I've verified that I've got the cas-server-support-json-service-registry
> dependency added, and tried every which way to set the
> cas.serviceRegistry.config.location option (colon vs equals sign, file:,
> file://, no "file" at all, etc.) and still, it always ignores the external
> location that I've set (/etc/cas/services folder.) I've checked filesystem
> permissions (even set to 777 for a while,) and after each attempt would go
> through the regimen of:
> - undeploy war
> - ./build.sh clean
> - ./build.sh package
> - redeploy war
>
> all to no avail, and with nothing in the catalina or CAS logs. Even if I
> set a totally bogus cas.serviceRegistry.config.location, it doesn't throw
> any errors/warnings/etc.
>
> If I create a "src/main/resources/services" folder in the
> cas-overlay-template folder, and put a .json file in it, it gets picked up
> and dumped in the "classpath:/services" folder of the deployed application
> (/usr/share/tomcat/webapps/cas/WEB-INF/classes/services), as expected.
> Which I guess works (except for the fact that I don't want the two default
> .json services.) But I'd much rather have the .json files saved to that
> /etc/ folder if at all possible.
>
> I'm curious if the problem is related to the 
> cas-server-support-json-service-registry
> plugin? The reason I'm wondering that is because I tried to set up the
> cas-management webapp, and it's doing the same thing -- instead of following
> my request to pull the services from the CAS classpath:/services location
> (file:/usr/share/tomcat/webapps/cas/WEB-INF/classes/services), it's
> pulling from its own WEB-INF/classes/services folder.
>
> (Obviously, I'd rather have them pull from /etc/cas/services...or anywhere
> else...but barring that, I'd like for the management webapp to at least be
> functional.)
>
> We're currently on version 5.2.2 2018-01-31T22:29Z
>  on SLES 12 SP3, Tomcat 8.0.43, Java 8.
>
> Thanks much!
>
> Chris
>

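The two default definitions Christopher wants out of the package matter for more than tidiness: the overlay's bundled HTTPSandIMAPS-10000001.json registers the pattern ^(https|imaps)://.* , so any HTTPS URL is an authorized service and can complete a CAS login. The Python script below is an added example, not code from the CAS project or from anyone in this thread. It reads the JSON shape that cas-server-support-json-service-registry loads from cas.serviceRegistry.config.location, flags serviceId patterns that match every probe URL, reports ids used twice, and shows which entries match a given service URL in evaluationOrder. The file names, the Portal entry and the probe URLs are constructed; the catch-all entry mirrors the overlay default.

```python
"""Lint CAS JSON service definitions for catch-all serviceId patterns.

Added example, not part of the CAS project.  It reads the JSON layout that
cas-server-support-json-service-registry loads from
cas.serviceRegistry.config.location and reports entries whose regex would
authorize far more than one application, plus duplicate numeric ids.
"""
import json
import re
from typing import Dict, List

# Constructed sample registry (file name -> file body).  The first entry
# mirrors the HTTPSandIMAPS default shipped with the overlay; the second is a
# hypothetical, tightly scoped application.
SAMPLE_SERVICES: Dict[str, str] = {
    "HTTPSandIMAPS-10000001.json": json.dumps({
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^(https|imaps)://.*",
        "name": "HTTPS and IMAPS",
        "id": 10000001,
        "evaluationOrder": 10000,
    }),
    "Portal-100.json": json.dumps({
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^https://portal\\.example\\.edu/.*",
        "name": "Portal",
        "id": 100,
        "evaluationOrder": 10,
    }),
}

# Constructed URLs that no single registered application should match.  A
# serviceId that matches all of them scopes nothing and is treated as a
# wildcard.
PROBE_URLS = (
    "https://untrusted.example.net/callback",
    "https://intranet.example.edu/",
    "imaps://mail.example.com/",
)


def load_services(files: Dict[str, str]) -> List[dict]:
    """Parse every file body; malformed or incomplete files raise, they are not skipped."""
    services = []
    for name, body in files.items():
        try:
            svc = json.loads(body)
        except json.JSONDecodeError as exc:
            raise ValueError(f"{name}: not valid JSON ({exc})") from exc
        for key in ("serviceId", "id", "name"):
            if key not in svc:
                raise ValueError(f"{name}: missing required key {key!r}")
        services.append(svc)
    return services


def is_catch_all(service_id: str) -> bool:
    """True when the pattern matches every probe URL.

    re.search is a substring match, so this is at least as permissive as the
    server's own matching and errs toward flagging.
    """
    pattern = re.compile(service_id)
    return all(pattern.search(url) for url in PROBE_URLS)


def matching_services(services: List[dict], url: str) -> List[str]:
    """Names of every entry matching url, lowest evaluationOrder first."""
    hits = [s for s in services if re.search(s["serviceId"], url)]
    hits.sort(key=lambda s: s.get("evaluationOrder", 0))
    return [s["name"] for s in hits]


def lint(files: Dict[str, str]) -> List[str]:
    """Return findings: catch-all patterns and ids used by more than one entry."""
    services = load_services(files)
    findings: List[str] = []
    seen_ids: Dict[int, str] = {}
    for svc in services:
        if is_catch_all(svc["serviceId"]):
            findings.append(
                f"{svc['name']} (id {svc['id']}): serviceId {svc['serviceId']!r} "
                f"matches every probe URL")
        if svc["id"] in seen_ids:
            findings.append(
                f"id {svc['id']} is used by both {seen_ids[svc['id']]!r} and {svc['name']!r}")
        seen_ids.setdefault(svc["id"], svc["name"])
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_SERVICES):
        print("FINDING:", finding)
    registry = load_services(SAMPLE_SERVICES)
    for probe in ("https://portal.example.edu/login", *PROBE_URLS):
        print(probe, "->", matching_services(registry, probe) or "no match")
```

Run it against a copy of the /etc/cas/services directory by replacing SAMPLE_SERVICES with a dict built from the .json files there; a registry that only contains application-specific entries produces no findings, while the two overlay defaults show up immediately.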

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-09 Thread Man H
add

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-core-authentication</artifactId>
    <version>${cas.version}</version>
</dependency>


with:

cas.authn.mfa.duo[0].bypass.type=GROOVY
cas.authn.mfa.duo[0].bypass.groovy.location=file:/etc/cas/config/mfaGroovyTrigger.groovy

you should get

2018-02-09 19:10:39,145 DEBUG
[org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass]
- 





2018-02-09 17:11 GMT-03:00 Brian Davidson :

> Just to add a bit to what Brian M. provided (I’m also a Brian, and a
> co-worker of Brian M’s):
>
> We have Duo MFA working if we comment out:
> cas.authn.mfa.duo[0].bypass.type=GROOVY
> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/
> cas/selectiveDuo.groovy
>
> We did find that CAS was unable to check to see if the user exists in Duo
> if we used the “CAS” integration in Duo.  But it works if we set up the
> integration as “Auth API”.
>
> We haven’t touched webflow. With the groovy script in place,
>
> When we enable GROOVY bypass script, we get:
>
> 2018-02-09 15:04:55,638 DEBUG 
> [org.springframework.webflow.engine.impl.FlowExecutionImpl]
> -  [org.springframework.webflow.execution.FlowExecutionException:
> Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'] with root
> cause [java.io.NotSerializableException: org.springframework.core.io.
> UrlResource]>
>
> As well as the stack trace Brian M. provided.
>
> cas.authn.mfa.duo[0].bypass.groovy.location was the missing piece
> yesterday.  Dug through source code to find that.  We’re happy to provide
> updates to the documentation once we get this working.
>
> Thanks for the help!
>
> On Feb 9, 2018, at 10:14 AM, brian mancuso wrote:
>
> Anything that says "REMOVED" is just stuff I pulled out before posting it.
> I didn't want to post any private/sensitive information.
>
> On Friday, February 9, 2018 at 9:59:12 AM UTC-5, Manfredo Hopp wrote:
>>
>> What do you mean by REMOVED in properties?
>>
>> On Friday, February 9, 2018, brian mancuso wrote:
>>
>>> Hey all,
>>>
>>> I was originally trying to setup some custom triggers to determine who
>>> should use MFA and who is allowed to bypass. I have since been directed
>>> towards Groovy to simplify things, but I'm still having some trouble.
>>>
>>> At this point, the Groovy script's purpose is strictly to test if a
>>> certain user will bypass MFA while others will not. Here's my setup:
>>>
>>> */etc/cas/config/cas.properties*
>>>
>>> ##
>>> # Duo security 2fa authentication provider
>>> # https://www.duosecurity.com/docs/duoweb#1.-generate-an-akey
>>> #
>>> cas.authn.mfa.duo[0].rank=0
>>> cas.authn.mfa.duo[0].duoApiHost=REMOVED
>>> cas.authn.mfa.duo[0].duoIntegrationKey=REMOVED
>>> cas.authn.mfa.duo[0].duoSecretKey=REMOVED
>>> cas.authn.mfa.duo[0].duoApplicationKey=REMOVED
>>> cas.authn.mfa.duo[0].id=mfa-duo
>>> cas.authn.mfa.globalProviderId=mfa-duo
>>> cas.authn.mfa.globalFailureMode=OPEN
>>> cas.authn.mfa.duo[0].bypass.type=GROOVY
>>> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/
>>> selectiveDuo.groovy
>>>
>>>
>>> */etc/cas/selectiveDuo.groovy*
>>>
>>> def boolean run(final Object... args) {
>>>     def authentication = args[0]
>>>     def principal = args[1]
>>>     def service = args[2]
>>>     def provider = args[3]
>>>     def logger = args[4]
>>>     def httpRequest = args[5]
>>>
>>>     logger.info("Evaluating principal attributes ${principal.attributes}")
>>>
>>>     def bypass = principal.attributes['uid']
>>>     if (bypass.contains("testuser") && provider.id == "mfa-duo") {
>>>         logger.info("Skipping bypass for principal ${principal.id}")
>>>         return false
>>>     }
>>>
>>>     return true
>>> }
>>>
>>>
>>> When I try to login though, whenever a user would be sent to DUO, I get
>>> a 500 error:
>>>
>>>
>>> 
>>>
>>> Here's a small snippet from the output:
>>>
>>> 2018-02-09 09:04:05,717 DEBUG 
>>> [org.apereo.cas.web.FlowExecutionExceptionResolver]
>>> - 
>>> org.springframework.webflow.execution.FlowExecutionException: Exception
>>> thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
>>> at 
>>> org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573)
>>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>> at org.springframework.webflow.engine.impl.FlowExecutionImpl.re
>>> sume(FlowExecutionImpl.java:263) ~[spring-webflow-2.4.6.RELEASE
>>> .jar:2.4.6.RELEASE]
>>> at org.springframework.webflow.executor.FlowExecutorImpl.resume
>>> Execution(FlowExecutorImpl.java:169) ~[spring-webflow-2.4.6.RELEASE
>>> .jar:2.4.6.RELEASE]
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> ~[?:1.8.0_151]
>>>
>>> Caused by: 
>>> org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException:
>>> Error encoding flow execution

Re: [cas-user] Failed To Add TGT Ticket - MongoDB Ticket Registry CAS 45.2.

2018-02-09 Thread Uxío Prego
I’m a little lost now.

Are you sure you need to waste that much energy investigating so many ticket 
registry alternatives? Shouldn’t you be trying to just assess the feasibility 
of using the database with which you feel more comfortable?

To be more clear, let’s say it works better using MongoDB than PostgreSQL. If 
you already have a large body of PostgreSQL exposure, which you have 
demonstrated, even if MongoDB performs better there are chances your total cost 
of ownership will be smaller by using PostgreSQL.

I’m sorry again I can’t help you, but with this energy and eagerness you seem 
to have I’m sure you aren’t going to have a lot of trouble with CAS once you 
focus on your problem. Or is it that your thing is to assess which one performs 
better? And if so, why not just ask that?

Regards,

> On 9 Feb 2018, at 20:55, michael kromarek wrote:
> 
> So it turns out I already had the driver turned to debug, so no new 
> information there.  But I did up the verbosity level of MongoDB log to 5 and 
> noticed that a write attempt for the TGT ticket wasn't even made (subsequent 
> fetches were made though).
> 
> I decided to try pulling down the latest maven overlay and move my settings 
> over one by one to see what would cause the problem, and culprit turned out 
> to be 
> 
> cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=28800
> 
> If I comment that out, it writes the ticket no problem.  If I set it, it 
> fails creating the ticket and never writes it to, or even attempts to write it 
> to Mongo.  I think this is an error in the ExpirationPolicy class as I have 
> also tried Redis and noticed it was writing the expiration time as -1.  -1 is 
> not acceptable to Redis so it won't make the record.  I also tried DynamoDB 
> and noticed it was complaining about an empty string being written (which for 
> whatever reason Dynamo does not like empty strings at all).  I'm thinking 
> PostgreSQL didn't have a problem because the expiration policy is stored as a 
> large object and it probably doesn't care what it is.
> 
> --Mike K.
> 
> On Wed, Feb 7, 2018 at 5:51 AM, michael kromarek wrote:
> I'll give that a shot and let you know what I find.
> 
> Thank you.
> 
> On Wed, Feb 7, 2018 at 5:31 AM, David Curry wrote:
> Ah - you just reminded me, and I should have mentioned this last time. Try 
> adding this to your log4j2.xml:
> 
> 
> 
> That's the actual Java driver.
> 
> --Dave
> 
> 
> --
> DAVID A. CURRY, CISSP
> DIRECTOR OF INFORMATION SECURITY
> INFORMATION TECHNOLOGY
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
> 
> +1 212 229-5300 x4728  • david.cu...@newschool.edu 
> 
> 
> 
> On Wed, Feb 7, 2018 at 8:25 AM, michael kromarek wrote:
> Hi Dave,
> 
> I actually tried those settings first (I was following your guide, but only 
> having a single server instead of a cluster for mongo).  Unfortunately, it 
> fails in the same way with those settings too.  I might be able to eke out a 
> little more information if I set
> org.apereo.cas.ticket.registry.MongoDbTicketRegistry
> to debug in the logger, though I  already have org.apero.cas and com.mongo 
> set to debug.
> 
> --Mike K
> 
> On Wed, Feb 7, 2018 at 5:15 AM, David Curry wrote:
> Mike,
> 
> The only thing that strikes me as odd in your settings is this one:
> 
> cas.ticket.registry.mongo.collectionName=cas-ticket-registry
> 
> The Mongo ticket registry uses multiple collections:
> 
> proxyGrantingTicketsCollection
> proxyTicketsCollection
> samlArtifactsCache
> samlAttributeQueryCache
> serviceTicketsCollection
> ticketGrantingTicketsCollection
> 
> So while I'm not sure if that setting is having any impact on your 
> configuration at all, I suspect that if it _is_ having an impact, it's a 
> negative one. Although, I don't see anything in the logs to suggest that it 
> is -- the server seems to be using the "right" collection:
> 
> 2018-02-07 00:46:30,159 DEBUG 
> [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] -  name [ticketGrantingTicketsCollection] for ticket definition 
> [org.apereo.cas.ticket.DefaultTicketDefinition@28556a8b[implementationClass=class
>  org.apereo.cas.ticket.TicketGrantingTicketImpl,prefix=TGT]]>
> 2018-02-07 00:46:30,159 DEBUG 
> [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] -  collection instance [ticketGrantingTicketsCollection]>
> 2018-02-07 00:46:30,160 DEBUG [org.mongodb.driver.protocol.command] - 
>  to database casdb on connection [connectionId{localValue:6, serverValue:68}] 
> to server localhost:27017>
> 2018-02-07 00:46:30,161 DEBUG [org.mongodb.driver.protocol.command] - 
> 
> 
> For what it's worth, mine is 

Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-02-09 Thread Mukunthini Jeyakumar
Hi

I'm seeing the same error even if I use the /serviceValidate endpoint. As soon 
as I turn on CASValidateSAML, I get the error.

Here is my mod_auth_cas config (I've used David Curry's guide):

LoadModule auth_cas_module modules/mod_auth_cas.so


   
AuthType CAS
CASAuthNHeader  On

Require valid-user




AuthType CAS
CASAuthNHeader  On

Require valid-user



   CASCertificatePath /etc/pki/tls/certs/
CASCookiePath /var/lib/cas/
CASValidateURL https://:8443/cas/serviceValidate
#CASValidateURL https://:8443/cas/samlValidate
CASLoginURL https://:8443/cas/login
CASSSOEnabled On
CASDebug  On
CASValidateSAML   On
LogLevel debug


From the CAS server, I do see the SERVICE_TICKET_CREATED event but I don't see 
the service validation.
But I'm seeing the following warning.

2018-02-09 15:55:50,016 WARN [org.springframework.web.servlet.PageNotFound] 
- 

I'm using CAS 5.2.2 and mod_auth_cas from GitHub 
(https://github.com/apereo/mod_auth_cas).

And I've added support for SAML when I build the CAS

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-saml</artifactId>
    <version>${cas.version}</version>
</dependency>


Thanks
Thini




Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-02-09 Thread David Hawes
Are you sure your server supports /samlValidate? Are you able to use
/serviceValidate?

Post your full mod_auth_cas config here.

The 406 you see is from the CAS server. Do you have any logs on the
CAS server that indicate why the request failed?

On Fri, Feb 9, 2018 at 2:09 PM, Mukunthini Jeyakumar wrote:
> Hi dhawes,
>
> With the debug on,
>
>
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(2076): [client
> 129.100.6.30] Entering cas_authenticate(), referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(654): [client
> 129.100.6.30] Modified r->args (now ''), referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1779): [client
> 129.100.6.30] entering getResponseFromServer(), referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(584): [client
> 129.100.6.30] CAS Service
> 'https%3a%2f%2f%2freturn-mapped%2findex.php', referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1856): [client
> 129.100.6.30] Validation response:  lang="en">HTTP Status 406 \xe2\x80\x93 Not
> Acceptableh1
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
> h2
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
> h3
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
> body
> {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
> p
> {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
> a {color:black;} a.name {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}HTTP
> Status 406 \xe2\x80\x93 Not AcceptableType
> Status ReportDescription The target resource does not have a
> current representation that would be acceptable to the user agent, according
> to the proactive negotiation header fields received in the request, and the
> server is unwilling to supply a default representation. />Apache Tomcat/8.5.23, referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1440): [client
> 129.100.6.30] entering isValidCASTicket(), referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1446): [client
> 129.100.6.30] MOD_AUTH_CAS: response =  lang="en">HTTP Status 406 \xe2\x80\x93 Not
> Acceptableh1
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
> h2
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
> h3
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
> body
> {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
> p
> {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
> a {color:black;} a.name {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}HTTP
> Status 406 \xe2\x80\x93 Not AcceptableType
> Status ReportDescription The target resource does not have a
> current representation that would be acceptable to the user agent, according
> to the proactive negotiation header fields received in the request, and the
> server is unwilling to supply a default representation. />Apache Tomcat/8.5.23, referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
> [Thu Feb 08 16:07:44 2018] [error] [client 129.100.6.30] MOD_AUTH_CAS: error
> parsing CASv2 response: XML parser error code: syntax error (2), referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
>
>
> MOD_AUTH_CAS: error parsing CASv2 response: XML parser error code:
> syntax error (2), referer:
> https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
>
> Thanks
> Thini
>

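The two symptoms in this thread, the 406 from Tomcat and mod_auth_cas's "error parsing CASv2 response", describe one event: the client received an HTML error page where it expected a cas:serviceResponse document. The Python below is an added example, not mod_auth_cas or CAS server code. It classifies a validation response as success, failure or not-CAS-XML, checking the HTTP status before parsing so a 406 is reported as a server error rather than as a parser error, and it collects multi-valued attributes the way a client would need them. The three sample bodies (a success with attributes, an INVALID_TICKET failure, and a trimmed Tomcat 406 page) and every user and attribute value in them are constructed.

```python
"""Classify the body a CAS client receives from /serviceValidate.

Added example, not mod_auth_cas or CAS server code.  mod_auth_cas logged
"error parsing CASv2 response: XML parser error" because the body it tried to
parse was a Tomcat HTML error page (HTTP 406), not a cas:serviceResponse
document.  This tells the cases apart, checking the HTTP status first so a
non-200 answer is reported as such rather than as a parser error.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Namespace used by cas:serviceResponse in the CAS 2.0/3.0 protocol.
CAS_NS = "http://www.yale.edu/tp/cas"


def _cas(tag: str) -> str:
    return f"{{{CAS_NS}}}{tag}"


@dataclass
class ValidationResult:
    kind: str                       # "success", "failure" or "not-cas-xml"
    user: Optional[str] = None
    code: Optional[str] = None      # failure code, e.g. INVALID_TICKET
    attributes: Dict[str, List[str]] = field(default_factory=dict)
    detail: str = ""


def classify_validation_response(body: str, http_status: Optional[int] = None) -> ValidationResult:
    """Parse a validation response; never treats an error page as a login result."""
    if http_status is not None and http_status != 200:
        # The 406 in this thread: Tomcat answered before CAS produced any XML.
        return ValidationResult("not-cas-xml", detail=f"HTTP {http_status} from the server")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        # Tomcat's error page starts with a lowercase "<!doctype html>", which
        # an XML parser rejects; this is mod_auth_cas's "syntax error (2)".
        first_line = body.strip().splitlines()[0][:40] if body.strip() else ""
        return ValidationResult("not-cas-xml",
                                detail=f"not well-formed XML ({exc}); starts with {first_line!r}")
    if root.tag != _cas("serviceResponse"):
        return ValidationResult("not-cas-xml", detail=f"unexpected root element {root.tag}")

    success = root.find(_cas("authenticationSuccess"))
    if success is not None:
        user = (success.findtext(_cas("user")) or "").strip()
        attrs: Dict[str, List[str]] = {}
        attr_block = success.find(_cas("attributes"))
        if attr_block is not None:
            for child in attr_block:          # multi-valued attributes repeat the element
                name = child.tag.split("}", 1)[-1]
                attrs.setdefault(name, []).append((child.text or "").strip())
        return ValidationResult("success", user=user, attributes=attrs)

    failure = root.find(_cas("authenticationFailure"))
    if failure is not None:
        return ValidationResult("failure", code=failure.get("code"),
                                detail=(failure.text or "").strip())
    return ValidationResult("not-cas-xml", detail="serviceResponse with neither success nor failure")


# Constructed sample bodies.
SUCCESS_BODY = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>thini</cas:user>
    <cas:attributes>
      <cas:mail>thini@example.edu</cas:mail>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>it</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_BODY = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-1-constructed' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# Trimmed to the shape of the Tomcat 8.5 page quoted in the thread.
TOMCAT_406_BODY = (
    '<!doctype html><html lang="en"><head><title>HTTP Status 406 \u2013 Not Acceptable'
    '</title></head><body><h1>HTTP Status 406 \u2013 Not Acceptable</h1>'
    '<hr class="line" /><h3>Apache Tomcat/8.5.23</h3></body></html>'
)

if __name__ == "__main__":
    for label, body, status in (("success", SUCCESS_BODY, 200),
                                ("failure", FAILURE_BODY, 200),
                                ("tomcat-406", TOMCAT_406_BODY, 406)):
        print(label, "->", classify_validation_response(body, status))
```

The status check comes first on purpose: a client that only looks at the body will log a parser error and move on, while the status code says where the request actually failed (the container, before CAS ran), which is what to take to the server logs.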

[cas-user] inspektr

2018-02-09 Thread Cheltenham, Chris


Does anyone have better documentation for inspektr?

I just read this

https://github.com/apereo/inspektr/blob/master/README.md

and I have NO clue what any of it means.

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 



Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-09 Thread Brian Davidson
Just to add a bit to what Brian M. provided (I’m also a Brian, and a co-worker 
of Brian M’s):

We have Duo MFA working if we comment out:
cas.authn.mfa.duo[0].bypass.type=GROOVY
cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy 


We did find that CAS was unable to check to see if the user exists in Duo if we 
used the “CAS” integration in Duo.  But it works if we set up the integration 
as “Auth API”.

We haven’t touched webflow. With the Groovy script in place, when we enable the 
GROOVY bypass script, we get:

2018-02-09 15:04:55,638 DEBUG 
[org.springframework.webflow.engine.impl.FlowExecutionImpl] - 

As well as the stack trace Brian M. provided.

cas.authn.mfa.duo[0].bypass.groovy.location was the missing piece yesterday.  
Dug through source code to find that.  We’re happy to provide updates to the 
documentation once we get this working.

Thanks for the help!

> On Feb 9, 2018, at 10:14 AM, brian mancuso wrote:
> 
> Anything that says "REMOVED" is just stuff I pulled out before posting it. I 
> didn't want to post any private/sensitive information.
> 
> On Friday, February 9, 2018 at 9:59:12 AM UTC-5, Manfredo Hopp wrote:
> What do you mean by REMOVED in properties?
> 
> On Friday, February 9, 2018, brian mancuso wrote:
> Hey all,
> 
> I was originally trying to setup some custom triggers to determine who should 
> use MFA and who is allowed to bypass. I have since been directed towards 
> Groovy to simplify things, but I'm still having some trouble.
> 
> At this point, the Groovy script's purpose is strictly to test if a certain 
> user will bypass MFA while others will not. Here's my setup:
> 
> /etc/cas/config/cas.properties
> 
> ##
> # Duo security 2fa authentication provider
> # https://www.duosecurity.com/docs/duoweb#1.-generate-an-akey 
> 
> #
> cas.authn.mfa.duo[0].rank=0
> cas.authn.mfa.duo[0].duoApiHost=REMOVED
> cas.authn.mfa.duo[0].duoIntegrationKey=REMOVED
> cas.authn.mfa.duo[0].duoSecretKey=REMOVED
> cas.authn.mfa.duo[0].duoApplicationKey=REMOVED
> cas.authn.mfa.duo[0].id=mfa-duo
> cas.authn.mfa.globalProviderId=mfa-duo
> cas.authn.mfa.globalFailureMode=OPEN
> cas.authn.mfa.duo[0].bypass.type=GROOVY
> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
> 
> 
> /etc/cas/selectiveDuo.groovy
> 
> def boolean run(final Object... args) {
>     def authentication = args[0]
>     def principal = args[1]
>     def service = args[2]
>     def provider = args[3]
>     def logger = args[4]
>     def httpRequest = args[5]
> 
>     logger.info("Evaluating principal attributes ${principal.attributes}")
> 
>     def bypass = principal.attributes['uid']
>     if (bypass.contains("testuser") && provider.id == "mfa-duo") {
>         logger.info("Skipping bypass for principal ${principal.id}")
>         return false
>     }
> 
>     return true
> }
> 
> 
> When I try to login though, whenever a user would be sent to DUO, I get a 500 
> error:
> 
>  
> 
> 
> Here's a small snippet from the output:
> 
> 2018-02-09 09:04:05,717 DEBUG 
> [org.apereo.cas.web.FlowExecutionExceptionResolver] -  exception due to a type mismatch>
> org.springframework.webflow.execution.FlowExecutionException: Exception 
> thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
>   at 
> org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573)
>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>   at 
> org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263)
>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>   at 
> org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169)
>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
> ~[?:1.8.0_151]
> 
> Caused by: 
> org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException: 
> Error encoding flow execution
>   at 
> org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.getKey(ClientFlowExecutionRepository.java:114)
>  ~[spring-webflow-client-repo-1.0.3.jar:1.0.3]
>   at 
> org.springframework.webflow.engine.impl.FlowExecutionImpl.assignKey(FlowExecutionImpl.java:419)
>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>   at 
> org.springframework.webflow.engine.impl.RequestControlContextImpl.assignFlowExecutionKey(RequestControlContextImpl.java:193)
>  ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
> 
> Caused by: java.io.NotSerializableException: org.springframework.core.io.UrlResource
>   at 
> 

Re: [cas-user] Failed To Add TGT Ticket - MongoDB Ticket Registry CAS 45.2.

2018-02-09 Thread michael kromarek
So it turns out I already had the driver turned to debug, so no new
information there.  But I did up the verbosity level of MongoDB log to 5
and noticed that a write attempt for the TGT ticket wasn't even made
(subsequent fetches where made though).

I decided to try pulling down the latest maven overlay and move my settings
over one by one to see what would cause the problem, and culprit turned out
to be

cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=28800


If I comment that out, it writes the ticket no problem.  If I set it, it
fails creating the ticket and new writes it to or even attempts to write it
to Mongo.  I think this is an error in the ExpirationPolicy class as I have
also tried Redis and noticed it was writing the expiration time as -1.  -1
is not acceptable to Redis so it won't make the record.  I also tried
DynamoDB and noticed it was complaining about an empty string being written
(which for whatever reason Dynamo does not like empty strings at all).  I'm
thinking PostgreSQL didn't have a problem because the expiration policy is
stored as a large object and it probably doesn't care what it is.

--Mike K.

On Wed, Feb 7, 2018 at 5:51 AM, michael kromarek 
wrote:

> I'll give that a shot and let you know what I find.
>
> Thank you.
>
> On Wed, Feb 7, 2018 at 5:31 AM, David Curry 
> wrote:
>
>> Ah - you just reminded me, and I should have mentioned this last time.
>> Try adding this to your log4j2.xml:
>>
>> 
>>
>>
>> That's the actual Java driver.
>>
>> --Dave
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> 
>> +1 212 229-5300 x4728 <(212)%20229-5300> • david.cu...@newschool.edu
>>
>> [image: The New School]
>>
>> On Wed, Feb 7, 2018 at 8:25 AM, michael kromarek 
>> wrote:
>>
>>> Hi Dave,
>>>
>>> I actually tried those settings first (I was following your guide, but
>>> only having a single server instead of a cluster for mongo).
>>> Unfortunately, it fails in the same way with those settings too.  I might
>>> be able to eke out a little more information if I set
>>>
>>> org.apereo.cas.ticket.registry.MongoDbTicketRegistry
>>>
>>> to debug in the logger, though I  already have org.apero.cas and
>>> com.mongo set to debug.
>>>
>>> --Mike K
>>>
>>> On Wed, Feb 7, 2018 at 5:15 AM, David Curry 
>>> wrote:
>>>
 Mike,

 The only thing that strikes me as odd in your settings is this one:

 cas.ticket.registry.mongo.collectionName=cas-ticket-registry


 The Mongo ticket registry uses multiple collections:

 proxyGrantingTicketsCollection
 proxyTicketsCollection
 samlArtifactsCache
 samlAttributeQueryCache
 serviceTicketsCollection
 ticketGrantingTicketsCollection


 So while I'm not sure if that setting is having any impact on your
 configuration at all, I suspect that if it _is_ having an impact, it's a
 negative one. Although, I don't see anything in the logs to suggest that it
 is -- the server seems to be using the "right" collection:

 2018-02-07 00:46:30,159 DEBUG 
 [org.apereo.cas.ticket.registry.MongoDbTicketRegistry]
 - >>> ticket definition [org.apereo.cas.ticket.Default
 TicketDefinition@28556a8b[implementationClass=class
 org.apereo.cas.ticket.TicketGrantingTicketImpl,prefix=TGT]]>
 2018-02-07 00:46:30,159 DEBUG 
 [org.apereo.cas.ticket.registry.MongoDbTicketRegistry]
 - >>> ]>
 2018-02-07 00:46:30,160 DEBUG [org.mongodb.driver.protocol.command] -
 >>> [connectionId{localValue:6, serverValue:68}] to server localhost:27017>
 2018-02-07 00:46:30,161 DEBUG [org.mongodb.driver.protocol.command] -
 

 For what it's worth, mine is working on 5.2.2 using these settings
 (essentially the same as yours except I have a replica set):

 #
 # Components of the MongoDB connection string broken out for ease of
 editing.
 # See https://docs.mongodb.com/manual/reference/connection-string/
 #
 mongo.db:   casdb
 mongo.rs:   rs0
 mongo.opts: =true
 mongo.creds:mongocas:
 mongo.hosts:casdev-srv01-lid.newschool.edu,casdev-srv02-lid.newschool.edu,casdev-srv03-lid.newschool.edu

 #
 # The connection string, assembled
 #
 mongo.uri:  mongodb://${mongo.creds}@${mongo.hosts}/${mongo.db}?replicaSet=${mongo.rs}${mongo.opts}

 #
 # Ticket registry
 #
 cas.ticket.registry.mongo.clientUri:${mongo.uri}

 #
 # Service registry
 #
 cas.serviceRegistry.mongo.clientUri:${mongo.uri}
 

[cas-user] Issues with service registry on 5.2.2

2018-02-09 Thread Christopher Myers
I apologize in advance, I didn't realize that the jasig-cas-user list 
wasn't the current one because that's the list that showed up in my Google 
searches, and it appears to still be active based on others posting out 
there.

So I'm cross-posting to this list, which I guess is the current one?

Hi all,

This has been driving me nuts the last couple of days, so I decided to just 
reach out in case anyone had thoughts.

The long story is we used Apereo CAS up through version 4.x last year, then 
switched over to WSO2 per our SIS vendor's recommendation (Ellucian -- they 
developed CAS plugins for WSO2, and the promise of not having to maintain 
both CAS and Shibboleth servers was too great to pass up.) However, it's 
definitely not meeting our needs, so I'm in the process of switching us 
back to the regular Apereo CAS.

I'm using the maven overlay template, and things seem to be working ok so 
far, with the exception of the service registry (specifically, the JSON 
registry.) I'm running into two problems that I'm hoping someone can help 
out with.

1.) How in the world do you get CAS to not include the default Apereo and 
HTTPS/IMAPS service configuration when you package?
2.) It seems as if the ability to do an external file location for the 
service registry isn't functional on the latest version?

At this point I've googled my fingers to the bone on both issues, but 
haven't come up with the magical working combination. Based on threads like 
the following, it seems like things should just work, but none of the 
things suggested have:
https://groups.google.com/forum/#!topic/jasig-cas-user/UpflUgRKtT0
https://groups.google.com/forum/#!topic/jasig-cas-user/fukomW8Ayos
https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/IXIrh-ZqzrY
https://apereo.github.io/cas/5.1.x/installation/JSON-Service-Management.html
(and several others)

I've verified that I've got the cas-server-support-json-
service-registry dependency added, and tried every which way to set the 
cas.serviceRegistry.config.location option (colon vs equals sign, file:, 
file://, no "file" at all, etc.) and still, it always ignores the external 
location that I've set (/etc/cas/services folder.) I've checked filesystem 
permissions (even set to 777 for a while,) and after each attempt would go 
through the regimen of:
- undeploy war
- ./build.sh clean
- ./build.sh package
- redeploy war

all to no avail, and with nothing in the catalina or CAS logs. Even if I 
set a totally bogus cas.serviceRegistry.config.location, it doesn't throw 
any errors/warnings/etc.

If I create a "src/main/resources/services" folder in the 
cas-overlay-template folder, and put a .json file in it, it gets picked up 
and dumped in the "classpath:/services" folder of the deployed application 
(/usr/share/tomcat/webapps/cas/WEB-INF/classes/services), as expected. 
Which I guess works (except for the fact that I don't want the two default 
.json services.) But I'd much rather have the .json files saved to that 
/etc/ folder if at all possible.

I'm curious if the problem is related to the 
cas-server-support-json-service-registry plugin? The reason I'm wondering 
that is because I tried to set up the cas-management webap, and it's doing 
the same thing -- instead of following my request to pull the services from 
the CAS classpath:/services location 
(file:/usr/share/tomcat/webapps/cas/WEB-INF/classes/services), it's pulling 
from its own WEB-INF/classes/services folder.

(Obviously, I'd rather have them pull from /etc/cas/services...or anywhere 
else...but barring that, I'd like for the management webapp to at least be 
functional.)

We're currently on version 5.2.2 2018-01-31T22:29Z on SLES 12 SP3, Tomcat 8.0.43, Java 8.

Thanks much!

Chris

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/bcc670ef-36b7-4248-860c-9dc3f40e6abd%40apereo.org.
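For the JSON service registry problem above, the following is an added example (not code from CAS or from the poster) that lints a services directory such as /etc/cas/services before cas.serviceRegistry.config.location is pointed at it: it checks the name-id.json naming, that the id inside matches the file name, that serviceId compiles and is anchored, that no id is reused, and it flags a pattern that would match any host, which is what the stock HTTPS/IMAPS definition the poster wants to drop does. The three definitions are constructed; the first is modelled on that stock definition and its file name and id are assumed.

```python
"""Lint a directory of CAS JSON service definitions before pointing
cas.serviceRegistry.config.location at it.

Added example for this thread; not code from CAS or from the poster. The
sample definitions are constructed: the first is modelled on the default
HTTPS/IMAPS catch-all the poster wants to drop, the others are made up.
"""
import json
import re
import tempfile
from pathlib import Path

FILENAME = re.compile(r"^(?P<name>.+)-(?P<id>\d+)\.json$")

# URLs no registered application should ever match; a serviceId pattern that
# matches these will hand service tickets to any host on the internet.
PROBE_URLS = ("https://unrelated-host.example/callback",
              "imaps://unrelated-host.example/")

SAMPLE_SERVICES = {
    "HTTPSandIMAPS-10000001.json": {           # assumed file name/id
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^(https|imaps)://.*",
        "name": "HTTPS and IMAPS",
        "id": 10000001,
        "evaluationOrder": 10000,
    },
    "Portal-1001.json": {
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^https://portal\\.example\\.edu/.*",
        "name": "Portal",
        "id": 1001,
        "evaluationOrder": 10,
    },
    "Wiki-1002.json": {
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "https://wiki.example.edu/",   # unanchored, unescaped dots
        "name": "Wiki",
        "id": 2002,                                 # does not match the file name
        "evaluationOrder": 20,
    },
}


def write_samples(directory):
    """Materialise the constructed definitions as files, like /etc/cas/services."""
    directory = Path(directory)
    for filename, body in SAMPLE_SERVICES.items():
        (directory / filename).write_text(json.dumps(body, indent=2), encoding="utf-8")
    return directory


def lint_service_file(path):
    """Return a list of findings for one <name>-<id>.json definition."""
    findings = []
    m = FILENAME.match(path.name)
    if not m:
        return [f"{path.name}: file name is not <name>-<id>.json"]
    svc = json.loads(path.read_text(encoding="utf-8"))
    if str(svc.get("id")) != m.group("id"):
        findings.append(f"{path.name}: id {svc.get('id')!r} does not match the file name")
    if not str(svc.get("@class", "")).startswith("org.apereo.cas.services."):
        findings.append(f"{path.name}: missing or unexpected @class")
    pattern = svc.get("serviceId", "")
    try:
        # Java and Python regex dialects differ in corners; close enough for a lint.
        rx = re.compile(pattern)
    except re.error as exc:
        return findings + [f"{path.name}: serviceId does not compile: {exc}"]
    if not pattern.startswith("^"):
        findings.append(f"{path.name}: serviceId {pattern!r} is not anchored with ^")
    # search() rather than fullmatch(): the stricter of the plausible semantics
    # for an unanchored pattern, so a loose definition is not missed.
    if any(rx.search(url) for url in PROBE_URLS):
        findings.append(f"{path.name}: serviceId {pattern!r} matches arbitrary hosts")
    return findings


def lint_directory(directory):
    """Lint every *.json file; also flag ids that are reused across files."""
    results, seen_ids = {}, {}
    for path in sorted(Path(directory).glob("*.json")):
        results[path.name] = lint_service_file(path)
        sid = json.loads(path.read_text(encoding="utf-8")).get("id")
        if sid in seen_ids:
            results[path.name].append(f"{path.name}: id {sid} already used by {seen_ids[sid]}")
        seen_ids.setdefault(sid, path.name)
    return results


def lint_samples():
    """Write the constructed definitions to a scratch directory and lint them."""
    with tempfile.TemporaryDirectory() as tmp:
        return lint_directory(write_samples(tmp))


if __name__ == "__main__":
    for name, findings in lint_samples().items():
        print(name, "->", findings or "ok")
```

Point lint_directory() at the real services folder to use it; a definition with no findings is one whose id, file name and pattern agree and whose pattern is pinned to a specific host.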


Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-02-09 Thread Mukunthini Jeyakumar
Hi dhawes,

With the debug on,


[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(2076): [client 
129.100.6.30] Entering cas_authenticate(), referer: 
https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(654): [client 
129.100.6.30] Modified r->args (now ''), referer: 
https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1779): [client 
129.100.6.30] entering getResponseFromServer(), referer: 
https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(584): [client 
129.100.6.30] CAS Service 
'https%3a%2f%2f%2freturn-mapped%2findex.php', referer: 
https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1856): [client 
129.100.6.30] Validation response: HTTP Status 406 \xe2\x80\x93 Not 
Acceptableh1 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
 
h2 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
 
h3 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
 
body 
{font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} 
p 
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
 
a {color:black;} a.name {color:black;} .line 
{height:1px;background-color:#525D76;border:none;}HTTP 
Status 406 \xe2\x80\x93 Not AcceptableType Status ReportDescription The target resource 
does not have a current representation that would be acceptable to the user 
agent, according to the proactive negotiation header fields received in the 
request, and the server is unwilling to supply a default 
representation.Apache 
Tomcat/8.5.23, referer: 
https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1440): [client 
129.100.6.30] entering isValidCASTicket(), referer: 
https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [debug] mod_auth_cas.c(1446): [client 
129.100.6.30] MOD_AUTH_CAS: response = HTTP Status 406 \xe2\x80\x93 Not 
Acceptableh1 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
 
h2 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
 
h3 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
 
body 
{font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} 
p 
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
 
a {color:black;} a.name {color:black;} .line 
{height:1px;background-color:#525D76;border:none;}HTTP 
Status 406 \xe2\x80\x93 Not AcceptableType Status ReportDescription The target resource 
does not have a current representation that would be acceptable to the user 
agent, according to the proactive negotiation header fields received in the 
request, and the server is unwilling to supply a default 
representation.Apache 
Tomcat/8.5.23, referer: 
https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
[Thu Feb 08 16:07:44 2018] [error] [client 129.100.6.30] MOD_AUTH_CAS: 
error parsing CASv2 response: XML parser error code: syntax error (2), 
referer: 
https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php


 MOD_AUTH_CAS: error parsing CASv2 response: XML parser error code: 
syntax error (2), referer: 
https://:8443/cas/login?service=https%3a%2f%2f%2freturn-mapped%2findex.php
 


Thanks
Thini
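The 406 in the debug output above is an HTML error page from Tomcat, so the XML parser error mod_auth_cas reports is only the symptom. As an added example (mine, not mod_auth_cas or CAS code), the Python below shows the checks a validation client should run before parsing: HTTP status, content type, well-formedness, and then the CAS 2.0 success/failure elements, so that a response like the one in the thread is reported as what it is. The three response bodies are constructed.

```python
"""Validate a CAS 2.0 /serviceValidate response the way a client should:
check the HTTP status and content type before handing the body to an XML
parser, then report success, a protocol failure, or "not a CAS response".

Added example for this thread; not code from mod_auth_cas or from CAS.
The three sample responses are constructed.
"""
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed: what a healthy CAS server returns for a valid service ticket.
OK_XML = b"""<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.edu</cas:mail>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>it</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed: a protocol-level rejection (still well-formed CAS XML).
FAILURE_XML = b"""<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-1234 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

# Constructed: the shape of the Tomcat error page seen in the thread. It is
# HTML, not XML, and will never parse as a CAS response.
HTML_406 = b"""<!doctype html><html><head><title>HTTP Status 406 - Not Acceptable</title>
</head><body><h1>HTTP Status 406 - Not Acceptable</h1><p>The target resource does
not have a current representation that would be acceptable to the user agent.<br>
</p></body></html>"""


def parse_validation_response(status, content_type, body):
    """Return a dict describing the outcome; fails closed, never raises."""
    result = {"ok": False, "user": None, "attributes": {}, "reason": ""}
    if status != 200:
        result["reason"] = f"HTTP {status} from the CAS server, body not parsed"
        return result
    if "xml" not in content_type.lower():
        result["reason"] = f"unexpected content type {content_type!r}"
        return result
    try:
        # In production parse with defusedxml to neutralise entity expansion.
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        result["reason"] = f"body is not well-formed XML: {exc}"
        return result
    if root.tag != "{http://www.yale.edu/tp/cas}serviceResponse":
        result["reason"] = f"root element is {root.tag}, not cas:serviceResponse"
        return result
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        result["reason"] = f"{failure.get('code', 'UNKNOWN')}: {(failure.text or '').strip()}"
        return result
    success = root.find("cas:authenticationSuccess", CAS_NS)
    user = success.find("cas:user", CAS_NS) if success is not None else None
    if user is None or not (user.text or "").strip():
        result["reason"] = "no authenticationSuccess/user element"
        return result
    attributes = {}
    attrs = success.find("cas:attributes", CAS_NS)
    if attrs is not None:
        for child in attrs:
            name = child.tag.split("}", 1)[-1]        # strip the namespace
            attributes.setdefault(name, []).append((child.text or "").strip())
    result.update(ok=True, user=user.text.strip(), attributes=attributes)
    return result


if __name__ == "__main__":
    print(parse_validation_response(200, "text/xml;charset=UTF-8", OK_XML))
    print(parse_validation_response(406, "text/html;charset=utf-8", HTML_406))
    print(parse_validation_response(200, "application/xml", FAILURE_XML))
```

Multi-valued attributes such as memberOf come back as lists, which is the shape an application behind the module needs anyway; a response that fails any of the checks carries a one-line reason instead of a parser stack trace.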



Re: [cas-user] how do I capture audit log trail for unauthorized users who are denied access to a service in an accessStrategy configuration of one of my JSON files?

2018-02-09 Thread crdaudt
Thanks! :)

On Friday, February 9, 2018 at 11:57:07 AM UTC-5, Dmitriy Kopylenko wrote:
>
> I’m not sure that’s possible. 
>
> One other option would be for you to implement Inspektr’s audit log at 
> that audit point and contribute back to CAS project :-)
>
> D. 
>
> On Fri, Feb 9, 2018 at 11:38 AM -0500, "crdaudt" wrote:
>
> Thanks for the quick response Dmitriy.
>>
>> As a workaround, might it be possible for me to replace the following:
>> "unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/",
>> ...with something like the following:
>> "unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/?service=junktest.com=%sAMAccountName%",
>> ...where %sAMAccountName% could be a variable replaced with the username 
>> of the user who is denied access?
>> If there is a way for me to grab and use the value of the username, the 
>> tomcat access log would capture the denied attempt for me.
>>
>> Carl
>>
>> On Friday, February 9, 2018 at 10:06:44 AM UTC-5, Dmitriy Kopylenko wrote:
>>>
>>> The short answer is - there is currently no audit trail advice weaved at 
>>> the audit point you are after.
>>>
>>> Best,
>>> D.
>>>
>>>
>>> From: crdaudt 
>>> Reply: cas-...@apereo.org 
>>> Date: February 9, 2018 at 10:00:18 AM
>>> To: CAS Community 
>>> Subject:  Re: [cas-user] how do I capture audit log trail for 
>>> unauthorized users who are denied access to a service in an accessStrategy 
>>> configuration of one of my JSON files? 
>>>
>>> Yes, the configuration is there in log4j2 but the audit log is only 
>>> providing entries for users who are authorized, not for those who are 
>>> denied access.
>>> I am attaching an annotated copy of my cas_audit.log, and also copies of 
>>> my service's JSON file and log4j2.xml file.
>>>
>>> My goals:
>>>
>>>- To log attempts of a user to gain a service ticket, both when: 
>>>- 
>>>   - the user is authorized (and therefore successful) and, 
>>>   - unauthorized (and therefore denied access). 
>>>- To keep the log verbosity reasonably trim (I do not want to set 
>>>debug for the entire log)
>>>
>>>
>>> On Thursday, February 8, 2018 at 4:35:22 PM UTC-5, rbon wrote: 
>>>>
>>>> Carl,
>>>>
>>>> This already should be in log4j2:
>>>>
>>>> level="info" includeLocation="true" >
>>>>
>>>> Ray 
>>>>
>>>> On Thu, 2018-02-08 at 13:06 -0800, crdaudt wrote:
>>>>
>>>> For one of my services, I have the following accessStrategy defined in 
>>>> my JSON file:
>>>>
>>>> ---begin---
>>>>   "accessStrategy" :
>>>>   {
>>>>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>>>>     "enabled" : true,
>>>>     "unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/",
>>>>     "requireAllAttributes" : false,
>>>>     "ssoEnabled" : true,
>>>>     "requiredAttributes" :
>>>>     {
>>>>       "@class" : "java.util.HashMap",
>>>>       "memberOf" : [ "java.util.HashSet", [ "CN=some_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=my_domain,DC=edu", "CN=some_other_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=mydomain,DC=edu" ] ]
>>>>     }
>>>>   }
>>>> ---end---
>>>>
>>>> This works nicely to redirect unauthorized users who do not belong to 
>>>> either of the memberOf AD groups.  However, the default log settings in 
>>>> log4j2.xml do not provide any indication that an unauthorized user 
>>>> attempted to obtain a service ticket.
>>>>
>>>> How can I set up my CAS (v5.2.2) instance to log failed attempts by 
>>>> unauthorized users to obtain a service ticket?
>>>>
>>>> Carl
>>>>
>>>> -- 
>>>> Ray Bon
>>>> Programmer analyst
>>>> Development Services, University Systems
>>>> 2507218831 | CLE 019 | rb...@uvic.ca
>>>>
 --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google 
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to cas-user+u...@apereo.org.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/4b2b2c3f-34c2-4c8a-acf3-8bc5a9a34e98%40apereo.org
>>>  
>>> 
>>> .
>>>
>>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
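Below is an added Python example (mine, not CAS or Inspektr code) that evaluates the accessStrategy block quoted in this thread and returns an audit record for both outcomes, including the denial record the thread says CAS does not write at this point. The service wrapper around the accessStrategy, the principals, the record layout and the SERVICE_ACCESS_GRANTED/DENIED action names are constructed; treating requireAllAttributes as true when the key is absent is this example's assumption.

```python
"""Evaluate a CAS DefaultRegisteredServiceAccessStrategy block the way the
thread describes it (memberOf must contain one of the listed groups) and
produce an audit record for every decision, denials included.

Added example for this thread; not code from CAS or Inspektr. The
accessStrategy is the one posted in the thread; the surrounding service
fields, the principals, the record layout and the action names are
constructed.
"""
import json
from datetime import datetime, timezone

SERVICE_JSON = """
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://app[.]mydomain[.]edu/.*",
  "name" : "app",
  "id" : 100,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/",
    "requireAllAttributes" : false,
    "ssoEnabled" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "memberOf" : [ "java.util.HashSet", [
        "CN=some_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=my_domain,DC=edu",
        "CN=some_other_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=mydomain,DC=edu"
      ] ]
    }
  }
}
"""


def load_service():
    return json.loads(SERVICE_JSON)


def unwrap(value):
    """CAS writes typed collections as ["java.util.HashSet", [...]]; return the payload."""
    if (isinstance(value, list) and len(value) == 2 and isinstance(value[0], str)
            and value[0].startswith("java.util.") and isinstance(value[1], list)):
        return value[1]
    return value


def is_authorized(strategy, principal_attributes):
    """Apply the strategy: disabled -> deny; with requireAllAttributes=false
    (as in the thread) one satisfied attribute is enough, otherwise every
    listed attribute must carry at least one accepted value. The default of
    true for a missing requireAllAttributes is this example's assumption."""
    if not strategy.get("enabled", True):
        return False
    required = {attr: set(unwrap(vals))
                for attr, vals in unwrap(strategy.get("requiredAttributes", {})).items()
                if attr != "@class"}
    if not required:
        return True
    satisfied = []
    for attr, accepted in required.items():
        have = principal_attributes.get(attr, [])
        have = [have] if isinstance(have, str) else have
        satisfied.append(bool(accepted & set(have)))
    return all(satisfied) if strategy.get("requireAllAttributes", True) else any(satisfied)


def check_access(service, principal, principal_attributes, client_ip):
    """Decide and return (allowed, audit_record). A record is produced for
    both outcomes; the denied one is what the thread is missing."""
    strategy = service["accessStrategy"]
    allowed = is_authorized(strategy, principal_attributes)
    record = {
        "who": principal,
        "what": service["name"],
        "action": "SERVICE_ACCESS_GRANTED" if allowed else "SERVICE_ACCESS_DENIED",
        "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "client_ip": client_ip,
        "redirect": None if allowed else strategy.get("unauthorizedRedirectUrl"),
    }
    return allowed, record


def demo():
    """Run two constructed principals through the posted strategy."""
    service = load_service()
    log = []
    for user, groups in (
        ("alice", ["CN=some_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=my_domain,DC=edu"]),
        ("bob", ["CN=students,OU=some_group,DC=my_subdomain,DC=my_domain,DC=edu"]),
    ):
        _, record = check_access(service, user, {"memberOf": groups}, "192.0.2.10")
        log.append(record)
    return log


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record))
```

The record carries the same who/what/action/when fields the audit log already shows for granted tickets, so a denied entry written this way drops into the same file and the same tooling; the Tomcat access log trick from the thread would only give you the redirect, not the reason.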

RE: [cas-user] cas 5 management

2018-02-09 Thread Cheltenham, Chris
Thanks David, I really appreciate your help.

It's saved me tons of time.

I almost forgot about your documentation but it has helped me a lot.

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Curry
Sent: Friday, February 9, 2018 12:03 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] cas 5 management



Chris,

In my setup, I did not configure the management webapp to use LDAP directly. 
Rather, I set it up to authenticate against the CAS server, and just use the 
userPropertiesFile to control who can actually log into it. I used the same 
"admusers.properties" file that I used to control access to the admin pages 
(dashboard, etc.) since for us it's the same set of users for both, but you 
can use different files for each if you want.

Since we only have a handful of people who will use the management webapp 
(or the admin pages), and the list doesn't change very often, this seemed 
like a simpler approach than messing around with LDAP groups, etc. Just a 
thought...YMMV of course.

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Fri, Feb 9, 2018 at 11:52 AM, Cheltenham, Chris wrote:

Thanks Travis,



I am using David Curry’s docs.

I don’t understand the CAS docs from Apereo.

I think they document with the thinking of a developer, which I am not.

Therefore, I have a lot of trouble understanding them.



I appreciate your help.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Travis Schmidt
Sent: Friday, February 9, 2018 11:08 AM
To: cas-user@apereo.org 
Subject: Re: [cas-user] cas 5 management



Here is a link to getting started with CAS Management with 5.2.x



https://apereo.github.io/cas/5.2.x/installation/Installing-ServicesMgmt-Webapp.html



As far as LDAP is concerned, it is mostly a preference.  The management app 
will contact a CAS Server for authenticating a user in whichever way you 
have it set up.  For the management app you usually only have a few people 
authorized to use it, so users.json or static list is an acceptable way to 
limit who can use it.  The management app can be configured to call back to 
LDAP and query for the ROLE_* attributes on the authenticated user, but in 
my opinion is a lot more work to make something dynamic that is mostly 
static.







On Fri, Feb 9, 2018 at 7:13 AM Cheltenham, Chris wrote:



Hello ,



I have embarked on building cas-management via the overlay.

I am assuming you build a totally separate war file with the ldapp 
dependency is you use ldap.



Is that correct?







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025 
Cell # 215-301-6571 

 

Re: [cas-user] cas 5 management

2018-02-09 Thread David Curry
Chris,

In my setup, I did not configure the management webapp to use LDAP
directly. Rather, I set it up to authenticate against the CAS server, and
just use the userPropertiesFile to control who can actually log into it. I
used the same "admusers.properties" file that I used to control access to
the admin pages (dashboard, etc.) since for us it's the same set of users
for both, but you can use different files for each if you want.

Since we only have a handful of people who will use the management webapp
(or the admin pages), and the list doesn't change very often, this seemed
like a simpler approach than messing around with LDAP groups, etc. Just a
thought...YMMV of course.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Fri, Feb 9, 2018 at 11:52 AM, Cheltenham, Chris <
ccheltenham-...@philasd.org> wrote:

> Thanks Travis,
>
>
>
> I am using David Curry’s docs.
>
> I don’t understand the CAS docs from Apereo.
>
> I think they document with the thinking of a developer, which I am not.
>
> Therefore, I have a lot of trouble understanding them.
>
>
>
> I appreciate your help.
>
>
>
>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>
> *From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *Travis Schmidt
> *Sent:* Friday, February 9, 2018 11:08 AM
> *To:* cas-user@apereo.org
> *Subject:* Re: [cas-user] cas 5 management
>
>
>
> Here is a link to getting started with CAS Management with 5.2.x
>
>
>
> https://apereo.github.io/cas/5.2.x/installation/Installing-ServicesMgmt-Webapp.html
>
>
>
> As far as LDAP is concerned, it is mostly a preference.  The management
> app will contact a CAS Server for authenticating a user in whichever way
> you have it set up.  For the management app you usually only have a few
> people authorized to use it, so users.json or static list is an acceptable
> way to limit who can use it.  The management app can be configured to call
> back to LDAP and query for the ROLE_* attributes on the authenticated user,
> but in my opinion is a lot more work to make something dynamic that is
> mostly static.
>
>
>
>
>
>
>
> On Fri, Feb 9, 2018 at 7:13 AM Cheltenham, Chris <
> ccheltenham-...@philasd.org> wrote:
>
> Hello ,
>
>
>
> I have embarked on building cas-management via the overlay.
>
> I am assuming you build a totally separate war file with the ldapp
> dependency is you use ldap.
>
>
>
> Is that correct?
>
>
>
>
>
>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025 <(215)%20400-5025>
> Cell # 215-301-6571 <(215)%20301-6571>
>

Re: [cas-user] how do I capture audit log trail for unauthorized users who are denied access to a service in an accessStrategy configuration of one of my JSON files?

2018-02-09 Thread Dmitriy Kopylenko
I’m not sure that’s possible. 
One other option would be for you to implement Inspektr’s audit log at that 
audit point and contribute back to CAS project :-)
D. 

On Fri, Feb 9, 2018 at 11:38 AM -0500, "crdaudt" wrote:

Thanks for the quick response Dmitriy.

As a workaround, might it be possible for me to replace the following:
"unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/",
...with something like the following:
"unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/?service=junktest.com=%sAMAccountName%",
...where %sAMAccountName% could be a variable replaced with the username of the 
user who is denied access?
If there is a way for me to grab and use the value of the username, the tomcat 
access log would capture the denied attempt for me.

Carl

On Friday, February 9, 2018 at 10:06:44 AM UTC-5, Dmitriy Kopylenko wrote:
The short answer is - there is currently no audit trail advice weaved at the audit 
point you are after.
Best,
D. 

From: crdaudt 
Reply: cas-...@apereo.org 
Date: February 9, 2018 at 10:00:18 AM
To: CAS Community 
Subject:  Re: [cas-user] how do I capture audit log trail for unauthorized 
users who are denied access to a service in an accessStrategy configuration of 
one of my JSON files? 

Yes, the configuration is there in log4j2 but the audit log is only providing 
entries for users who are authorized, not for those who are denied access.

I am attaching an annotated copy of my cas_audit.log, and also copies of my 
service's JSON file and log4j2.xml file.

My goals:

- To log attempts of a user to gain a service ticket, both when:
  - the user is authorized (and therefore successful) and,
  - unauthorized (and therefore denied access).
- To keep the log verbosity reasonably trim (I do not want to set debug for 
  the entire log)


On Thursday, February 8, 2018 at 4:35:22 PM UTC-5, rbon wrote:

Carl,

This already should be in log4j2:

Ray 

On Thu, 2018-02-08 at 13:06 -0800, crdaudt wrote:

For one of my services, I have the following accessStrategy defined in my 
JSON file:

---begin---
  "accessStrategy" :
  {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/",
    "requireAllAttributes" : false,
    "ssoEnabled" : true,
    "requiredAttributes" :
    {
      "@class" : "java.util.HashMap",
      "memberOf" : [ "java.util.HashSet", [ "CN=some_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=my_domain,DC=edu", "CN=some_other_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=mydomain,DC=edu" ] ]
    }
  }
---end---



This works nicely to redirect unauthorized users who do not belong to either 
of the memberOf AD groups.  However, the default log settings in log4j2.xml 
do not provide any indication that an unauthorized user attempted to obtain 
a service ticket.

How can I set up my CAS (v5.2.2) instance to log failed attempts by 
unauthorized users to obtain a service ticket?

Carl

--  
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca




RE: [cas-user] cas 5 management

2018-02-09 Thread Cheltenham, Chris
Thanks Travis,



I am using David Curry’s docs.

I don’t understand the CAS docs from Apereo.

I think they document with the thinking of a developer, which I am not.

Therefore, I have a lot of trouble understanding them.



I appreciate your help.





===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Travis 
Schmidt
Sent: Friday, February 9, 2018 11:08 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] cas 5 management



Here is a link to getting started with CAS Management with 5.2.x



https://apereo.github.io/cas/5.2.x/installation/Installing-ServicesMgmt-Webapp.html



As far as LDAP is concerned, it is mostly a preference.  The management app 
will contact a CAS Server for authenticating a user in whichever way you 
have it set up.  For the management app you usually only have a few people 
authorized to use it, so users.json or static list is an acceptable way to 
limit who can use it.  The management app can be configured to call back to 
LDAP and query for the ROLE_* attributes on the authenticated user, but in 
my opinion is a lot more work to make something dynamic that is mostly 
static.







On Fri, Feb 9, 2018 at 7:13 AM Cheltenham, Chris wrote:



Hello ,



I have embarked on building cas-management via the overlay.

I am assuming you build a totally separate war file with the ldapp 
dependency is you use ldap.



Is that correct?







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025 
Cell # 215-301-6571 



Re: [cas-user] how do I capture audit log trail for unauthorized users who are denied access to a service in an accessStrategy configuration of one of my JSON files?

2018-02-09 Thread crdaudt
Thanks for the quick response Dmitriy.

As a workaround, might it be possible for me to replace the following:
"unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/",
...with something like the following:
"unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/?service=junktest.com=%sAMAccountName%",
...where %sAMAccountName% could be a variable replaced with the username of 
the user who is denied access?
If there is a way for me to grab and use the value of the username, the 
tomcat access log would capture the denied attempt for me.

Carl

On Friday, February 9, 2018 at 10:06:44 AM UTC-5, Dmitriy Kopylenko wrote:
>
> The short answer is - there is currently no audit trail advice weaved at 
> the audit point you are after.
>
> Best,
> D.
>
>
> From: crdaudt  
> Reply: cas-...@apereo.org   
> Date: February 9, 2018 at 10:00:18 AM
> To: CAS Community  
> Subject:  Re: [cas-user] how do I capture audit log trail for 
> unauthorized users who are denied access to a service in an accessStrategy 
> configuration of one of my JSON files? 
>
> Yes, the configuration is there in log4j2 but the audit log is only 
> providing entries for users who are authorized, not for those who are 
> denied access.
> I am attaching an annotated copy of my cas_audit.log, and also copies of 
> my service's JSON file and log4j2.xml file.
>
> My goals:
>
>- To log attempts of a user to gain a service ticket, both when: 
>- 
>   - the user is authorized (and therefore successful) and, 
>   - unauthorized (and therefore denied access). 
>- To keep the log verbosity reasonably trim (I do not want to set 
>debug for the entire log)
>
>
> On Thursday, February 8, 2018 at 4:35:22 PM UTC-5, rbon wrote: 
>>
>> Carl,
>>
>> This already should be in log4j2:
>>
>> 
>> > level="info" includeLocation="true" >
>> 
>> 
>> 
>>
>> Ray 
>>
>> On Thu, 2018-02-08 at 13:06 -0800, crdaudt wrote:
>>
>> For one of my services, I have the following accessStrategy defined in my 
>> JSON file:
>>
>> ---begin---
>>   "accessStrategy" :
>>   {
>> "@class" : 
>> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>> "enabled" : true,
>> "unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/",
>> "requireAllAttributes" : false,
>> "ssoEnabled" : true,
>> "requiredAttributes" :
>> {
>>   "@class" : "java.util.HashMap",
>>   "memberOf" : [ "java.util.HashSet", [ 
>> "CN=some_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=my_domain,DC=edu","CN=some_other_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=mydomain,DC=edu"
>>  
>> ] ]
>> }
>>   }
>> ---end---
>>
>> This works nicely to redirect unauthorized users who do not belong to 
>> either of the memberOf AD groups.  However, the default log settings in 
>> log4j2.xml do not provide any indication that an unauthorized user 
>> attempted to obtain a service ticket.
>>
>> How can I set up my CAS (v5.2.2) instance to log failed attempts by 
>> unauthorized users to obtain a service ticket?
>>
>> Carl
>>
>> --  
>> Ray Bon
>> Programmer analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | rb...@uvic.ca
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4afed875-afb7-40d4-b9b1-3c89de2f8a5f%40apereo.org.


Re: [cas-user] Cannot retrieve user attributes from PHP application behind mod_auth_cas

2018-02-09 Thread David Hawes
Set:

LogLevel debug
CASDebug On

and check your error logs. You should have information as to why you
get this error.

On Thu, Feb 8, 2018 at 1:13 PM, Mukunthini Jeyakumar wrote:
> Hi David,
>
> I'm using mod_auth_cas configured to use the "samlValidate" endpoint. When I
> turn on CASValidateSAML and configure saml endpoint I'm getting the
> following error
>
> Authorization Required
>
> This server could not verify that you are authorized to access the document
> requested. Either you supplied the wrong credentials (e.g., bad password),
> or your browser doesn't understand how to supply the credentials required.
>
>
> But I was able to get the principal user id without SAML endpoint
>
> I'm using CAS 5.2.2
>
>
> Thanks
>
> Thini
>
>



Re: [cas-user] cas 5 management

2018-02-09 Thread Travis Schmidt
Here is a link to getting started with CAS Management with 5.2.x

https://apereo.github.io/cas/5.2.x/installation/Installing-ServicesMgmt-Webapp.html

As far as LDAP is concerned, it is mostly a preference.  The management app
will contact a CAS Server for authenticating a user in whichever way you
have it set up.  For the management app you usually only have a few people
authorized to use it, so users.json or static list is an acceptable way to
limit who can use it.  The management app can be configured to call back to
LDAP and query for the ROLE_* attributes on the authenticated user, but in
my opinion it is a lot more work to make something dynamic that is mostly
static.



On Fri, Feb 9, 2018 at 7:13 AM Cheltenham, Chris <ccheltenham-...@philasd.org> wrote:

> Hello ,
>
> I have embarked on building cas-management via the overlay.
>
> I am assuming you build a totally separate war file with the ldap
> dependency if you use ldap.
>
> Is that correct?
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>



RE: [cas-user] Re: cas 5 management

2018-02-09 Thread Cheltenham, Chris
Yes, great thank you.

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of William E.
Sent: Friday, February 9, 2018 11:02 AM
To: CAS Community 
Subject: [cas-user] Re: cas 5 management



Exactly.  cas-management-overlay/target/cas-management.war

Since we use json registry, and ldap, we add the below.

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-json-service-registry</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>

On Friday, February 9, 2018 at 9:13:54 AM UTC-6, Chris Cheltenham wrote:

Hello ,

I have embarked on building cas-management via the overlay.

I am assuming you build a totally separate war file with the ldap
dependency if you use ldap.

Is that correct?

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571




[cas-user] Re: cas 5 management

2018-02-09 Thread William E.
Exactly.  cas-management-overlay/target/cas-management.war


Since we use json registry, and ldap, we add the below.


<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-json-service-registry</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>



On Friday, February 9, 2018 at 9:13:54 AM UTC-6, Chris Cheltenham wrote:
>
> Hello ,
>
> I have embarked on building cas-management via the overlay.
>
> I am assuming you build a totally separate war file with the ldap 
> dependency if you use ldap.
>
> Is that correct?
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571 
>



[cas-user] cas 5 management

2018-02-09 Thread Cheltenham, Chris


Hello ,

I have embarked on building cas-management via the overlay.

I am assuming you build a totally separate war file with the ldap
dependency if you use ldap.

Is that correct?

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 



Re: [cas-user] how do I capture audit log trail for unauthorized users who are denied access to a service in an accessStrategy configuration of one of my JSON files?

2018-02-09 Thread Dmitriy Kopylenko
The short answer is - there is currently no audit trail advice woven at the 
audit point you are after.

Best,
D.


From: crdaudt 
Reply: cas-user@apereo.org 
Date: February 9, 2018 at 10:00:18 AM
To: CAS Community 
Subject:  Re: [cas-user] how do I capture audit log trail for unauthorized 
users who are denied access to a service in an accessStrategy configuration of 
one of my JSON files?  

Yes, the configuration is there in log4j2 but the audit log is only providing 
entries for users who are authorized, not for those who are denied access.
I am attaching an annotated copy of my cas_audit.log, and also copies of my 
service's JSON file and log4j2.xml file.

My goals:
- To log attempts of a user to gain a service ticket, both when:
  - the user is authorized (and therefore successful) and,
  - unauthorized (and therefore denied access).
- To keep the log verbosity reasonably trim (I do not want to set debug for the entire log)

On Thursday, February 8, 2018 at 4:35:22 PM UTC-5, rbon wrote:
Carl,

This already should be in log4j2:



            



Ray 

On Thu, 2018-02-08 at 13:06 -0800, crdaudt wrote:
For one of my services, I have the following accessStrategy defined in my JSON 
file:

---begin---
  "accessStrategy" :
  {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/",
    "requireAllAttributes" : false,
    "ssoEnabled" : true,
    "requiredAttributes" :
    {
      "@class" : "java.util.HashMap",
      "memberOf" : [ "java.util.HashSet", [
        "CN=some_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=my_domain,DC=edu",
        "CN=some_other_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=mydomain,DC=edu"
      ] ]
    }
  }
---end---

This works nicely to redirect unauthorized users who do not belong to either of 
the memberOf AD groups.  However, the default log settings in log4j2.xml do not 
provide any indication that an unauthorized user attempted to obtain a service 
ticket.

How can I set up my CAS (v5.2.2) instance to log failed attempts by 
unauthorized users to obtain a service ticket?

Carl
--  
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca



Re: [cas-user] how do I capture audit log trail for unauthorized users who are denied access to a service in an accessStrategy configuration of one of my JSON files?

2018-02-09 Thread crdaudt
Yes, the configuration is there in log4j2 but the audit log is only 
providing entries for users who are authorized, not for those who are 
denied access.
I am attaching an annotated copy of my cas_audit.log, and also copies of my 
service's JSON file and log4j2.xml file.

My goals:

   - To log attempts of a user to gain a service ticket, both when:
      - the user is authorized (and therefore successful) and,
      - unauthorized (and therefore denied access).
   - To keep the log verbosity reasonably trim (I do not want to set debug for the entire log)

On Thursday, February 8, 2018 at 4:35:22 PM UTC-5, rbon wrote:
>
> Carl,
>
> This already should be in log4j2:
>
> 
>  includeLocation="true" >
> 
> 
> 
>
> Ray 
>
> On Thu, 2018-02-08 at 13:06 -0800, crdaudt wrote:
>
> For one of my services, I have the following accessStrategy defined in my 
> JSON file:
>
> ---begin---
>   "accessStrategy" :
>   {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "enabled" : true,
>     "unauthorizedRedirectUrl" : "https://ssohost.mydomain.edu/cas_nowayjose/",
>     "requireAllAttributes" : false,
>     "ssoEnabled" : true,
>     "requiredAttributes" :
>     {
>       "@class" : "java.util.HashMap",
>       "memberOf" : [ "java.util.HashSet", [
>         "CN=some_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=my_domain,DC=edu",
>         "CN=some_other_cn,OU=some_subgroup,OU=some_group,DC=my_subdomain,DC=mydomain,DC=edu"
>       ] ]
>     }
>   }
> ---end---
>
> This works nicely to redirect unauthorized users who do not belong to 
> either of the memberOf AD groups.  However, the default log settings in 
> log4j2.xml do not provide any indication that an unauthorized user 
> attempted to obtain a service ticket.
>
> How can I set up my CAS (v5.2.2) instance to log failed attempts by 
> unauthorized users to obtain a service ticket?
>
> Carl
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
>

## User joe_shmo_unauthorized attempts to go to https://ssotest.myuniversity.edu/cas/login?service=https://junktest.com .
## Joe has a valid AD account, but is not authorized to use the service at junktest.com (based on accessStrategy restrictions in the service's JSON configuration).
## Once he authenticates, he is redirected to the unauthorizedRedirectUrl .
2018-02-09 08:28:50,537 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Feb 09 08:28:50 EST 2018|CAS|[event=success,timestamp=Fri Feb 09 08:28:50 EST 2018,source=RankedAuthenticationProviderWebflowEventResolver]|AUTHENTICATION_EVENT_TRIGGERED|audit:unknown|10.10.50.11|10.2.100.100
2018-02-09 08:29:24,868 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Feb 09 08:29:24 EST 2018|CAS|Supplied credentials: [joe_shmo_unauthorized]|AUTHENTICATION_SUCCESS|joe_shmo_unauthorized|10.10.50.11|10.2.100.100

## Contrast the log entries above with those for user jhonny_good_authorized.
## Johnny is authorized to use the service provided at junktest.com, so he is successful in gaining a service ticket.
2018-02-09 08:31:50,358 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Feb 09 08:31:50 EST 2018|CAS|[event=success,timestamp=Fri Feb 09 08:31:50 EST 2018,source=RankedAuthenticationProviderWebflowEventResolver]|AUTHENTICATION_EVENT_TRIGGERED|audit:unknown|10.10.50.12|10.2.100.100
2018-02-09 08:32:00,285 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Feb 09 08:32:00 EST 2018|CAS|Supplied credentials: [jhonny_good_authorized]|AUTHENTICATION_SUCCESS|jhonny_good_authorized|10.10.50.12|10.2.100.100
2018-02-09 08:32:00,295 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Feb 09 08:32:00 EST 2018|CAS|TGT-***1bzJUQBD9l-a7RdWFk-ssotest.myuniversity.edu|TICKET_GRANTING_TICKET_CREATED|jhonny_good_authorized|10.10.50.12|10.2.100.100
2018-02-09 08:32:00,304 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Feb 09 08:32:00 EST 2018|CAS|ST-5-KotmLKRwu7tOn7YCvlJvOkyM5gs-ssotest.myuniversity.edu for https://junktest.com|SERVICE_TICKET_CREATED|jhonny_good_authorized|10.10.50.12|10.2.100.100


junktest-14004001.json
Description: application/json


log4j2.xml
Description: XML 
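Carl's goal of seeing denied service-ticket attempts has, as Dmitriy's reply notes, no audit point in CAS 5.2, so the attached cas_audit.log can only reveal a denial indirectly. The script below is an added example (not code from the thread or from CAS) that infers those cases from the log format shown in the attachment: it flags every AUTHENTICATION_SUCCESS that no SERVICE_TICKET_CREATED for the same principal follows. The line format, principals, IPs and the https://junktest.com service come from the attachment; the five-minute correlation window is an assumption.

```python
"""Correlate CAS (Inspektr) audit-trail records to surface logins that never
produced a service ticket.

Added example, not code from the mailing-list thread or from CAS. It reads the
one-line Slf4jLoggingAuditTrailManager format in the attached cas_audit.log:
  <log4j ts> INFO [...Slf4jLoggingAuditTrailManager] - <date>|CAS|<what>|<action>|<who>|<clientIp>|<serverIp>
CAS 5.2 writes no audit record when an accessStrategy denies a user, so the
only trace is an AUTHENTICATION_SUCCESS with no SERVICE_TICKET_CREATED after
it for the same principal. That absence is a lead, not proof: a user who
closes the browser right after logging in looks identical in this log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: the records from the attached cas_audit.log, re-joined onto
# one line each (the list archive wrapped them). Names and IPs are Carl's.
SAMPLE_LOG = """\
2018-02-09 08:28:50,537 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Feb 09 08:28:50 EST 2018|CAS|[event=success,timestamp=Fri Feb 09 08:28:50 EST 2018,source=RankedAuthenticationProviderWebflowEventResolver]|AUTHENTICATION_EVENT_TRIGGERED|audit:unknown|10.10.50.11|10.2.100.100
2018-02-09 08:29:24,868 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Feb 09 08:29:24 EST 2018|CAS|Supplied credentials: [joe_shmo_unauthorized]|AUTHENTICATION_SUCCESS|joe_shmo_unauthorized|10.10.50.11|10.2.100.100
2018-02-09 08:31:50,358 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Feb 09 08:31:50 EST 2018|CAS|[event=success,timestamp=Fri Feb 09 08:31:50 EST 2018,source=RankedAuthenticationProviderWebflowEventResolver]|AUTHENTICATION_EVENT_TRIGGERED|audit:unknown|10.10.50.12|10.2.100.100
2018-02-09 08:32:00,285 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Feb 09 08:32:00 EST 2018|CAS|Supplied credentials: [jhonny_good_authorized]|AUTHENTICATION_SUCCESS|jhonny_good_authorized|10.10.50.12|10.2.100.100
2018-02-09 08:32:00,295 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Feb 09 08:32:00 EST 2018|CAS|TGT-***1bzJUQBD9l-a7RdWFk-ssotest.myuniversity.edu|TICKET_GRANTING_TICKET_CREATED|jhonny_good_authorized|10.10.50.12|10.2.100.100
2018-02-09 08:32:00,304 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Fri Feb 09 08:32:00 EST 2018|CAS|ST-5-KotmLKRwu7tOn7YCvlJvOkyM5gs-ssotest.myuniversity.edu for https://junktest.com|SERVICE_TICKET_CREATED|jhonny_good_authorized|10.10.50.12|10.2.100.100
"""

# log4j prefix (timestamp, level, logger) followed by the pipe-delimited record.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ \w+ "
    r"\[org\.apereo\.inspektr\.audit\.support\.\w+\] - (?P<record>.+)$"
)


def parse_line(line):
    """Return a dict for one audit record, or None for a line in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("record")
    # Field order is date|app|what|action|who|clientIp|serverIp. 'what' is
    # free text, so peel the fixed fields off both ends instead of splitting
    # on every pipe.
    if rest.count("|") < 6:
        return None
    _date, _app, rest = rest.split("|", 2)
    what, action, who, client_ip, server_ip = rest.rsplit("|", 4)
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "what": what,
        "action": action,
        "who": who,
        "client_ip": client_ip,
        "server_ip": server_ip,
    }


def find_unticketed_logins(lines, window=timedelta(minutes=5), service=None):
    """Return (who, client_ip, ts) for every AUTHENTICATION_SUCCESS that is not
    followed within `window` by a SERVICE_TICKET_CREATED for the same
    principal (and, when `service` is given, for that service URL)."""
    events = [e for e in map(parse_line, lines) if e]
    tickets = defaultdict(list)          # principal -> service-ticket times
    for e in events:
        if e["action"] == "SERVICE_TICKET_CREATED":
            if service is None or e["what"].endswith(" for " + service):
                tickets[e["who"]].append(e["ts"])
    leads = []
    for e in events:
        if e["action"] != "AUTHENTICATION_SUCCESS":
            continue
        ticketed = any(e["ts"] <= t <= e["ts"] + window for t in tickets[e["who"]])
        if not ticketed:
            leads.append((e["who"], e["client_ip"], e["ts"]))
    return leads


if __name__ == "__main__":
    for who, ip, ts in find_unticketed_logins(SAMPLE_LOG.splitlines(), service="https://junktest.com"):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {who} from {ip}: authenticated, no service ticket issued")
```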

Re: [cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-09 Thread Man H
What do you mean by REMOVED in properties?

On Friday, February 9, 2018, brian mancuso wrote:

> Hey all,
>
> I was originally trying to setup some custom triggers to determine who
> should use MFA and who is allowed to bypass. I have since been directed
> towards Groovy to simplify things, but I'm still having some trouble.
>
> At this point, the Groovy script's purpose is strictly to test if a
> certain user will bypass MFA while others will not. Here's my setup:
>
> */etc/cas/config/cas.properties*
>
> ##
> # Duo security 2fa authentication provider
> # https://www.duosecurity.com/docs/duoweb#1.-generate-an-akey
> #
> cas.authn.mfa.duo[0].rank=0
> cas.authn.mfa.duo[0].duoApiHost=REMOVED
> cas.authn.mfa.duo[0].duoIntegrationKey=REMOVED
> cas.authn.mfa.duo[0].duoSecretKey=REMOVED
> cas.authn.mfa.duo[0].duoApplicationKey=REMOVED
> cas.authn.mfa.duo[0].id=mfa-duo
> cas.authn.mfa.globalProviderId=mfa-duo
> cas.authn.mfa.globalFailureMode=OPEN
> cas.authn.mfa.duo[0].bypass.type=GROOVY
> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
>
>
> */etc/cas/selectiveDuo.groovy*
>
> def boolean run(final Object... args) {
>     def authentication = args[0]
>     def principal = args[1]
>     def service = args[2]
>     def provider = args[3]
>     def logger = args[4]
>     def httpRequest = args[5]
>
>     logger.info("Evaluating principal attributes ${principal.attributes}")
>
>     // the attribute value is a collection of strings, or null when the
>     // principal carries no 'uid' attribute at all
>     def bypass = principal.attributes['uid']
>     if (bypass?.contains("testuser") && provider.id == "mfa-duo") {
>         logger.info("Skipping bypass for principal ${principal.id}")
>         return false
>     }
>
>     return true
> }
>
>
> When I try to login though, whenever a user would be sent to DUO, I get a
> 500 error:
>
>
> 
>
> Here's a small snippet from the output:
>
> 2018-02-09 09:04:05,717 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - a type mismatch>
> org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
> at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
> at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
> at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_151]
>
> Caused by: org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException: Error encoding flow execution
> at org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.getKey(ClientFlowExecutionRepository.java:114) ~[spring-webflow-client-repo-1.0.3.jar:1.0.3]
> at org.springframework.webflow.engine.impl.FlowExecutionImpl.assignKey(FlowExecutionImpl.java:419) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
> at org.springframework.webflow.engine.impl.RequestControlContextImpl.assignFlowExecutionKey(RequestControlContextImpl.java:193) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>
> Caused by: java.io.NotSerializableException: org.springframework.core.io.UrlResource
> at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184) ~[?:1.8.0_151]
> at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
> at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]
> at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432) ~[?:1.8.0_151]
> at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178) ~[?:1.8.0_151]
> at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
> at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]
>
> 2018-02-09 09:04:05,717 ERROR [org.springframework.boot.web.support.ErrorPageFilter] - [Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo']>
> org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
> at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
> at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
> at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
> at 

[cas-user] CAS 5.2.3 "500:Internal Server Error" with Groovy

2018-02-09 Thread brian mancuso
Hey all,

I was originally trying to setup some custom triggers to determine who 
should use MFA and who is allowed to bypass. I have since been directed 
towards Groovy to simplify things, but I'm still having some trouble.

At this point, the Groovy script's purpose is strictly to test if a certain 
user will bypass MFA while others will not. Here's my setup:

*/etc/cas/config/cas.properties*

##
# Duo security 2fa authentication provider
# https://www.duosecurity.com/docs/duoweb#1.-generate-an-akey
#
cas.authn.mfa.duo[0].rank=0
cas.authn.mfa.duo[0].duoApiHost=REMOVED
cas.authn.mfa.duo[0].duoIntegrationKey=REMOVED
cas.authn.mfa.duo[0].duoSecretKey=REMOVED
cas.authn.mfa.duo[0].duoApplicationKey=REMOVED
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.globalProviderId=mfa-duo
cas.authn.mfa.globalFailureMode=OPEN
cas.authn.mfa.duo[0].bypass.type=GROOVY
cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy


*/etc/cas/selectiveDuo.groovy*

def boolean run(final Object... args) {
    def authentication = args[0]
    def principal = args[1]
    def service = args[2]
    def provider = args[3]
    def logger = args[4]
    def httpRequest = args[5]

    logger.info("Evaluating principal attributes ${principal.attributes}")

    // the attribute value is a collection of strings, or null when the
    // principal carries no 'uid' attribute at all
    def bypass = principal.attributes['uid']
    if (bypass?.contains("testuser") && provider.id == "mfa-duo") {
        logger.info("Skipping bypass for principal ${principal.id}")
        return false
    }

    return true
}


When I try to login though, whenever a user would be sent to DUO, I get a 
500 error:



Here's a small snippet from the output:

2018-02-09 09:04:05,717 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - 
org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_151]

Caused by: org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException: Error encoding flow execution
at org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.getKey(ClientFlowExecutionRepository.java:114) ~[spring-webflow-client-repo-1.0.3.jar:1.0.3]
at org.springframework.webflow.engine.impl.FlowExecutionImpl.assignKey(FlowExecutionImpl.java:419) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
at org.springframework.webflow.engine.impl.RequestControlContextImpl.assignFlowExecutionKey(RequestControlContextImpl.java:193) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]

Caused by: java.io.NotSerializableException: org.springframework.core.io.UrlResource
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184) ~[?:1.8.0_151]
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432) ~[?:1.8.0_151]
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178) ~[?:1.8.0_151]
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]

2018-02-09 09:04:05,717 ERROR [org.springframework.boot.web.support.ErrorPageFilter] - 
org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_151]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_151]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_151]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_151]

Caused by: org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException: Error