[cas-user] Re: Saml service provider for testing

2018-04-19 Thread AT
Okta.com worked for me.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/08ed2aab-e0bf-4fc2-8199-706bdf162be4%40apereo.org.


[cas-user] Re: CAS 5.2 WS-Federation IDP

2018-04-19 Thread AT

>
> Hi,
>

I am not sure why, but some things got clearer for me when I started reading 
about Apache Fediz, which this module is based on: 
http://cxf.apache.org/fediz-architecture.html
(You may have already known this.)

We also have a related thread going here: 
https://groups.google.com/a/apereo.org/forum/#!topicsearch/ws$20federation/cas-user/VP7GxJ1xkmk
in case you want to look over it (not the same issue).

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/44cc06d9-7516-4862-8b5e-899e0dd00d26%40apereo.org.


[cas-user] Re: Problem integrating CAS 5.2.2 with WS Federation Identity Provider

2018-04-19 Thread AT

But now I have a problem with integrating with a client. 
The client app needs (from the documentation):

   - The Federation Service Identifier of the ADFS server, which is located 
   on the main ADFS properties dialog in the ADFS management application.

 I gave them: https:///xxx/ws/sts/CAS

   - The WS-Federation Passive endpoint for the ADFS server. The format is 
   usually "https://myadfsserver.com/adfs/ls/" or similar. It is located in 
   the ADFS management application, under the Endpoints section.

 I gave them: https:///xxx/ws/idp/federation

Now the app redirects to https:////xxx//ws/idp/federation?wa=wsignin1.0=https://clientapp/

and my cas server displays an error message: "Application Not Authorized to Use CAS". 
I did however register the client url as described 
here: https://apereo.github.io/cas/5.2.x/protocol/WS-Federation-Protocol.html.

If anyone has more information on how and where configuration should go, it 
would be greatly appreciated.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/bb782235-15ad-4e1f-a1a4-9aa8470a8822%40apereo.org.


[cas-user] Re: Problem integrating CAS 5.2.2 with WS Federation Identity Provider

2018-04-19 Thread AT
Here is my pom.xml.


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f185be9a-9b18-4864-add4-6ba1b0b1b3cd%40apereo.org.




[cas-user] Re: Problem integrating CAS 5.2.2 with WS Federation Identity Provider

2018-04-19 Thread AT


My cas.properties:

cas.server.name: https:///xxx
cas.server.prefix: https:///xxx

cas.serviceRegistry.initFromJson=true

cas.authn.wsfedIdp.idp.realm=urn:org:apereo:cas:ws:idp:realm-CAS
cas.authn.wsfedIdp.idp.realmName=CAS


cas.authn.wsfedIdp.sts.signingKeystoreFile=
cas.authn.wsfedIdp.sts.signingKeystorePassword=
cas.authn.wsfedIdp.sts.encryptionKeystoreFile=
cas.authn.wsfedIdp.sts.encryptionKeystorePassword=

# cas.authn.wsfedIdp.sts.subjectNameIdFormat=unspecified
cas.authn.wsfedIdp.sts.encryptTokens=false


cas.authn.wsfedIdp.sts.realm.keystoreFile=/etc/cas/configadvise/stscasrealm.jks
cas.authn.wsfedIdp.sts.realm.keystorePassword=storepass
cas.authn.wsfedIdp.sts.realm.keystoreAlias=realmcas
cas.authn.wsfedIdp.sts.realm.keyPassword=storepass
cas.authn.wsfedIdp.sts.crypto.enabled=false

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d39484cd-2bc3-4bdc-a916-bdf281c6fb97%40apereo.org.


Re: [cas-user] Problem with authentication of remote application to CAS server

2018-04-19 Thread Man H
 make test without nginx





[cas-user] Problem with authentication of remote application to CAS server

2018-04-19 Thread carlos maddaleno cuellar
Hi, I have a cas server on a nginx reverse proxy and my application with the
shiro.ini file is configured to authenticate to this CAS server, so this
application is ok.

the problem now is with a remote application that is not in the same server
of the and its web.xml has this configuration:


  
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://siampapps.mp/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://selectronicas.mp:8443</param-value>
  </init-param>
</filter>

I'm not sure whether to use the filter

org.jasig.cas.client.validation.Cas10TicketValidationFilter
 OR

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
</filter>

could you tell me what's the difference

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://siampapps.mp/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://selectronicas.mp:8443</param-value>
  </init-param>
  <init-param>
    <param-name>redirectAfterValidation</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>


and my nginx cas configuration is this:

location /cas {
proxy_pass http://siampv5.mp;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_set_header Connection "";
proxy_set_header X-Forwarded-Proto https;
}


but when a user tries to authenticate to my cas it shows the next error on the
log of the server:

thanks for your help

[2018-04-19T14:58:29.452-0600] [Payara 4.1] [WARNING] []
[javax.enterprise.web] [tid: _ThreadID=35 _ThreadName=http-thread-pool(6)]
[timeMillis: 1524171509452] [levelValue: 900] [[
  StandardWrapperValve[cas]: Servlet.service() for servlet cas threw
exception
java.util.ConcurrentModificationException
at java.util.ArrayList$Itr.checkForComodification(ArrayList.java:901)
at java.util.ArrayList$Itr.next(ArrayList.java:851)
at java.util.AbstractCollection.toString(AbstractCollection.java:461)
at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:48)
at org.jasig.cas.ticket.TicketGrantingTicketImpl.getSupplementalAuthentications(TicketGrantingTicketImpl.java:247)
at org.jasig.cas.CentralAuthenticationServiceImpl.evaluatePossibilityOfMixedPrincipals(CentralAuthenticationServiceImpl.java:209)
at org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket_aroundBody2(CentralAuthenticationServiceImpl.java:145)
at org.jasig.cas.CentralAuthenticationServiceImpl$AjcClosure3.run(CentralAuthenticationServiceImpl.java:1)
at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
at org.jasig.cas.CentralAuthenticationServiceImpl.grantServiceTicket(CentralAuthenticationServiceImpl.java:136)
at sun.reflect.GeneratedMethodAccessor24429.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:302)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:85)
at org.jasig.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:128)
at sun.reflect.GeneratedMethodAccessor24425.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:68)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:168)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
at
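
An added example of the difference the post asks about, written for this digest and not taken from the thread or from the Java CAS client: Cas10TicketValidationFilter calls /validate and gets a two-line plain-text answer, while the Cas20 validators call /serviceValidate and parse XML that carries a failure code and, for the proxy-receiving variant, a proxy-granting ticket IOU. The sample replies, ticket, user and host names are constructed.

```python
# Added example (not code from the thread or from the Java CAS client):
# what the two validation filters do behind the scenes. Sample replies,
# ticket, user and host names below are constructed for the example.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample replies, not captured from the poster's server.
CAS10_OK = "yes\ncarlos\n"
CAS10_NO = "no\n\n"
CAS20_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>carlos</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-example</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
CAS20_FAIL = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>
    Ticket ST-example does not match supplied service
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def validation_url(cas_prefix, protocol, service, ticket):
    """URL the client filter calls back to the CAS server with.

    CAS 1.0 (Cas10TicketValidationFilter) uses /validate, CAS 2.0
    (Cas20*TicketValidationFilter) uses /serviceValidate. 'service' must be
    exactly the URL the ticket was issued for: the client rebuilds it from
    serverName, so behind a reverse proxy serverName has to be the URL the
    browser sees, not the backend's.
    """
    endpoint = {"1.0": "validate", "2.0": "serviceValidate"}[protocol]
    return f"{cas_prefix.rstrip('/')}/{endpoint}?" + urlencode(
        {"service": service, "ticket": ticket})


def parse_cas10(body):
    """CAS 1.0 reply is two lines of text: 'yes' + user, or 'no' + empty.
    There is no failure reason, and no room for attributes or proxies."""
    lines = body.split("\n")
    if len(lines) >= 2 and lines[0] == "yes" and lines[1]:
        return {"ok": True, "user": lines[1]}
    # 'no', a truncated body, or anything unexpected: treat as invalid.
    return {"ok": False, "code": "INVALID_TICKET"}


def parse_cas20(body):
    """CAS 2.0 reply is XML: a failure carries a code the client can log;
    a success may carry a proxy-granting ticket IOU (only useful to the
    proxy-receiving filter) and a proxy chain for proxy tickets."""
    root = ET.fromstring(body)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = (success.findtext("cas:user", default="", namespaces=CAS_NS) or "").strip()
        if not user:
            return {"ok": False, "code": "MALFORMED_RESPONSE"}
        pgt_iou = (success.findtext("cas:proxyGrantingTicket", default="",
                                    namespaces=CAS_NS) or "").strip()
        proxies = [p.text.strip() for p in
                   success.findall("cas:proxies/cas:proxy", CAS_NS) if p.text]
        return {"ok": True, "user": user, "pgt_iou": pgt_iou or None,
                "proxies": proxies}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code", "UNKNOWN"),
                "message": (failure.text or "").strip()}
    return {"ok": False, "code": "MALFORMED_RESPONSE"}


if __name__ == "__main__":
    print(validation_url("https://siampapps.mp/cas", "2.0",
                         "https://selectronicas.mp:8443/app/", "ST-example"))
    for body in (CAS10_OK, CAS10_NO):
        print("CAS 1.0:", parse_cas10(body))
    for body in (CAS20_OK, CAS20_FAIL):
        print("CAS 2.0:", parse_cas20(body))
```
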

Re: [cas-user] buji-pac4j-demo-master, CAS delegation through pac4j-webflow and 1 OIDC provider

2018-04-19 Thread Steve Hespelt
Well, I stumbled across a few config properties I decided to try (desperate 
people do desperate things...)

cas.http-web-request.cors.allow-credentials=true
# ? where are login requests coming from? Our webapp server name(s)
# is this needed to get the final redirect back to our app ??
cas.http-web-request.cors.allow-origins=localhost
# ?? 
cas.webflow.redirect-same-state=true

Restarted CAS, same test case.
now I see this warning log:
2018-04-19 15:47:48,430 WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck] - https://localhost:8449/callback?client_name=CasClient] is not found in service registry.>
 I have to have a Service defined for the call back to the initial app???


2018-04-19 15:47:48,432 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - https://localhost:8449/callback?client_name=CasClient] is not found in service registry.]>

Has anyone actually gotten delegated authentication to flow from CAS back 
to an app that used the CAS protocol to request authentication to work, 
using CAS 5.2.x? Reading tons of CAS docs has provided no magic beans, 
nor did any page mention having to have a call back service defined...
Am I frustrated? You bet.
Is it correct for me to assume that this use case is 'typical' and that, being 
typical, the default webflow definitions in CAS 5.2.2 ought to provide for it 
working? The docs 
at https://apereo.github.io/cas/5.2.x/installation/Webflow-Customization.html 
certainly suggest to me that's the case.
Sure would like to make use of many of the positive features described in 
CAS 5.2.x. But I have to wonder if I'm missing much of the necessary 
details.  I would like to avoid implementing all the features myself. Never 
been a big fan of the "let's reinvent the wheel" school of development. 
But...

Any insights, magic beans greatly appreciated.
-steve 


On Thursday, April 19, 2018 at 1:46:35 PM UTC-4, Steve Hespelt wrote:
>
> Hi Jérôme,
> I found an earlier posting 
> 
>  
> from 12/21/17 regarding the NPEs, so as suggested by that posting, I 
> restarted CAS & then cleared all related cookies from the browser. Once I 
> restart CAS & re-initiated the same flow, no more NPE as shown in my log. 
> But I still have the problem with the webflow not finishing as I expect.
> I increased the log level to trace on a few packages:
> org.apereo.cas.web.flow
> org.springframework.webflow
> org.springframework.session
> org.springframework.web
> org.springframework.web.socket
> Some log entries of interest (to me): (and I'm currently guessing the 
> issue may be related to a SSO log msg at 2018-04-19 11:53:23,186  below.  
> Why would a service not be allowed to use SSO ?
> -steve
>
> 2018-04-19 11:53:01,183 TRACE 
> [org.springframework.web.servlet.DispatcherServlet] -  context to thread: org.apache.catalina.connector.RequestFacade@33327a12>  
>   <- this object ref# shows up later, at the bottom so I'm correlating 
> this initial log with the later ('completion' ) log msg below with the same 
> object ref#...
> 2018-04-19 11:53:01,183 DEBUG 
> [org.springframework.web.servlet.DispatcherServlet] -  with name 'dispatcherServlet' processing GET request for [/cas/login]>
>
> 2018-04-19 11:53:01,209 TRACE 
> [org.apereo.cas.web.CasWebApplicationContext] -  org.apereo.cas.web.CasWebApplicationContext@222545dc: 
> ServletRequestHandledEvent: url=[/cas/login]; client=[0:0:0:0:0:0:0:1]; 
> method=[GET]; servlet=[dispatcherServlet]; 
> session=[2C34A85ABE5CF428636B86D697AA5B56]; user=[null]; time=[26ms]; 
> status=[OK]>  <- From the pac4j demo's SecurityFilter redirect to initial 
> request on /cas/index.jsp
>
> 2018-04-19 11:53:22,914 DEBUG 
> [org.springframework.web.servlet.DispatcherServlet] -  with name 'dispatcherServlet' processing GET request for [/cas/login]>
>
> 2018-04-19 11:53:22,921 TRACE 
> [org.springframework.web.servlet.DispatcherServlet] -  [org.springframework.webflow.mvc.servlet.FlowHandlerMapping@2ee91bdf] in 
> DispatcherServlet with name 'dispatcherServlet'>
> 2018-04-19 11:53:22,921 DEBUG 
> [org.springframework.webflow.mvc.servlet.FlowHandlerMapping] -  request with URI '/cas/login' to flow with id 'login'>
>
> 2018-04-19 11:53:22,921 DEBUG 
> [org.springframework.webflow.executor.FlowExecutorImpl] -  execution of flow 'login' with input map['state' -> 
> 'ldCrbo4sRBQJJ6MWsbMyEwW9aEbB2SXH4-qaq69Zz6s', 'code' -> 
> '4/AAAp_BeFI-e0zZCTS9wDDdIcKYhrXd2QDMej_cpXiigGC_jCEZ43E_FrsaW-dPvESPMcVV32AFlPmaDHAVPg_ME',
>  
> 'session_state' -> '6cd666a9989ac714aac38521f950f380ba3fcfc0..b199', 
> 'client_name' -> 'GoogleOIDC', 'prompt' -> 'none', 'authuser' -> '0']>
> 2018-04-19 11:53:22,921 DEBUG 
> [org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] 
> - 
> 2018-04-19 11:53:22,921 DEBUG 
> [org.springframework.webflow.engine.impl.FlowExecutionImplFactory] - 
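
As an added diagnostic illustration for the "is not found in service registry" warning above (example code written for this digest, not CAS's own): a simplified model of a regex service registry. It assumes CAS-style JSON definitions whose serviceId is a regex tested against the full service URL, query string included, lowest evaluationOrder first; the exact matching rule of a given CAS version is not asserted here, and the definitions, ids and names are constructed.

```python
# Added example (not CAS's own code): a simplified model of how a regex-based
# service registry decides whether the service URL on a request is allowed.
# Definitions are shaped like CAS JSON service files; the matching rule used
# here (regex search over the full URL, lowest evaluationOrder wins) is an
# assumption for this example, not a statement about a specific CAS version.
import json
import re

# Constructed definitions; the names, ids and the localhost:8449 callback are
# modelled on the scenario above, not taken from a real deployment.
SERVICE_FILES = {
    "DemoApp-100.json": json.dumps({
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^https://localhost:8449/(index\\.jsp|protected/.*)$",
        "name": "DemoApp", "id": 100, "evaluationOrder": 10,
    }),
    "DemoCallback-101.json": json.dumps({
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^https://localhost:8449/callback(\\?.*)?$",
        "name": "DemoCallback", "id": 101, "evaluationOrder": 20,
    }),
}

# A deliberately over-broad definition, kept separate so the check below
# can show why it is a problem.
BROAD_FILE = {
    "AllHttps-1.json": json.dumps({
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^https://.*", "name": "AllHttps", "id": 1,
    }),
}


def load_registry(files):
    """Parse JSON definitions and order them the way evaluation happens."""
    defs = []
    for name, text in files.items():
        d = json.loads(text)
        d["_pattern"] = re.compile(d["serviceId"])
        d["_file"] = name
        defs.append(d)
    return sorted(defs, key=lambda d: d.get("evaluationOrder", 0))


def find_service(registry, service_url):
    """Return the first definition whose serviceId regex matches, else None.

    The query string is part of the URL being matched, which is why a
    delegated-authentication callback such as /callback?client_name=CasClient
    needs a pattern that allows it; without one the request is rejected
    exactly as in the warning above."""
    for d in registry:
        if d["_pattern"].search(service_url):
            return d
    return None


def overly_broad(definition):
    """Flag a pattern that would let an unrelated HTTPS origin obtain
    tickets for its own URL, i.e. one that matches any other host."""
    return definition["_pattern"].search("https://some-other-host.example/") is not None


if __name__ == "__main__":
    registry = load_registry(SERVICE_FILES)
    for url in ("https://localhost:8449/index.jsp",
                "https://localhost:8449/callback?client_name=CasClient",
                "https://localhost:8449/callback/../admin"):
        hit = find_service(registry, url)
        print(url, "->", hit["name"] if hit else "not found in service registry")
    print("broad:", [d["name"] for d in load_registry(BROAD_FILE) if overly_broad(d)])
```
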

Re: [cas-user] Is it possible to delegate CAS authentication to a custom remote identity provider ?

2018-04-19 Thread JON
Hi
I have found a workaround to solve the compilation problem, simply by 
removing the class that caused the compile error: 
"ShibbolethServiceProviderRequestPrincipalAttributesExtractor.java"

First, I went back to the original "cas-overlay-template-master" 
distribution, and added only the maven dependencies. The compilation was 
correct. But by adding the source classes corresponding to 
"cas-server-support-trusted-webflow" and "cas-server-support-trusted", the 
compilation error reappeared. I don't know why.

Now, I have Trusted Authentication running.
I also have CAS running as SAML IdP.

Everything works, almost as I need. Although, I need to be able to delegate 
SAML IdP authentication in Trusted Authentication.

When a SAML Authentication Request is done, it redirects the user to the 
CAS login screen.
Instead, I need to redirect the user to a remote server (custom IdP) that 
can return to the CAS server with a Trusted Authentication Request. Where 
the SAML Authentication Response can finally be completed.

Is there an easy way to get it, without having to dive a lot?
If not, which one is the recommended way to do it?


Thanks a lot!!

   Jon


On Friday, 13 April 2018, 21:21:50 (UTC+2), rbon wrote:
>
> Are you trying to build CAS or did you download the code just for Trusted 
> Authentication?
> Building a single class (or even a few) can result in a lot of dependency 
> management (as you have seen). Sometimes the dependency you add brings in 
> others behind the scenes (transitive dependencies). Your error may be a 
> result of mismatched versions.
> If you still want to proceed down this route, you can see what libraries 
> are being pulled into your build with:
> mvn dependency:tree
>
> There is a grails command to do the same if that is what you are using.
>
> Ray
>
> On Fri, 2018-04-13 at 10:25 -0700, JON wrote:
>
> Hi
> Before following your advice, I must tell you that if I delete the code, 
> everything works fine (including SAML IdP), with the exception of Trusted 
> Authentication.
> The code that I am trying to compile is the original downloaded from the 
> repository.
> I just inserted it to start with a known stable version.
>
>
>
> On Friday, 13 April 2018, 17:33:20 (UTC+2), Manfredo Hopp wrote: 
>
> Hi you just add maven/gradle dependency to original overlay
>
> On Friday, 13 April 2018, JON wrote:
>
> Hi again
>
> I am trying to test the Trusted Authentication, adding code in the Maven 
> Overlay. The code is the one existing in the cas-server-support-trusted 
> module. I have been falling in a cascade of compilation errors that I have 
> tried to overcome by adding dependencies in pom.xml
> The errors have been getting more and more primitive. And in the end I 
> have come to
>
> [ERROR] 
> /H:/aplic_saml_apereo_v5.2.0/cas-overlay-template-master/src/main/java/org/apereo/cas/adaptors/trusted/authentication/principal/ShibbolethServiceProviderRequestPrincipalAttributesExtractor.java:[26,31]
>  
> cannot find symbol
> [ERROR]   symbol:   method toUpperCase()
> [ERROR]   location: variable t of type java.lang.Object
> [ERROR] 
> /H:/aplic_saml_apereo_v5.2.0/cas-overlay-template-master/src/main/java/org/apereo/cas/adaptors/trusted/authentication/principal/ShibbolethServiceProviderRequestPrincipalAttributesExtractor.java:[27,71]
>  
> incompatible types: java.lang.Object cannot be converted to java.lang.String
> [ERROR] 
> /H:/aplic_saml_apereo_v5.2.0/cas-overlay-template-master/src/main/java/org/apereo/cas/adaptors/trusted/authentication/principal/ShibbolethServiceProviderRequestPrincipalAttributesExtractor.java:[28,49]
>  
> incompatible types: java.lang.Object cannot be converted to java.lang.String
> [ERROR] 
> /H:/aplic_saml_apereo_v5.2.0/cas-overlay-template-master/src/main/java/org/apereo/cas/adaptors/trusted/authentication/principal/ShibbolethServiceProviderRequestPrincipalAttributesExtractor.java:[29,25]
>  
> incompatible types: java.lang.Object cannot be converted to 
> java.util.Map
> [ERROR] -> [Help 1]
> org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute 
> goal org.apache.maven.plugins:maven-compiler-plugin:3.3:compile 
> (default-compile) on project cas-overlay: Compilation failure
>
>
> Thank you very much
>
>
> On Sunday, 1 April 2018, 23:46:07 (UTC+2), Manfredo Hopp wrote: 
>
> See trusted authentication. 
> Local cas server should receive translated remote id entity through valve 
> or other mechanism. 
>
>
> On Sunday, 1 April 2018, JON JON wrote:
>
> Hi
>
> Is it possible to delegate authentication to a custom remote identity 
> provider?
>
> This does not speak CAS, SAML, OAuth or OpenId Connect. It has its own SSO 
> mechanism. End users use web browser to interact.
>
> Our identity provider has its own authentication mechanism, based on http, 
> over j2ee, for users registered in a 

Re: [cas-user] CAS IdP integration with service provider that does not provide metadata

2018-04-19 Thread Mihai Petracovici
Hello Dave,

Thanks for that link. We were floating the idea around of creating the SP 
metadata ourselves and that tool would make the process trivial. I guess 
providing metadata files is not as widespread as I thought.

Thanks,

Mihai Petracovici
uTech — Infrastructure
m-petracov...@wiu.edu




To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/85716177-2392-47DC-A938-AB716E327806%40wiu.edu.


Re: [cas-user] CAS IdP integration with service provider that does not provide metadata

2018-04-19 Thread David Curry
Would this little tool help? It's what we used to create the metadata for a
couple of the services we have that don't provide metadata.

https://www.samltool.com/sp_metadata.php

(This is the same service that the CAS documentation points to.)

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

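
An added example of what such a tool produces, written for this digest and not taken from the thread or from samltool.com: minimal SAML 2.0 SP metadata built from an entityID and the SP's Reply URL (in Azure's wording the Reply URL is the Assertion Consumer Service URL, so it becomes the AssertionConsumerService location), then parsed back to confirm the values landed where the IdP will look for them. The entityID and URLs are constructed, and the https-only check is this example's own choice.

```python
# Added example (not from the thread, not samltool.com's code): build minimal
# SP metadata from an entityID and the Reply URL (= AssertionConsumerService
# location), and read it back. Values below are constructed placeholders.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def _require_https(url, what):
    # The IdP will POST signed assertions to the ACS; an http:// location
    # would hand them over in clear, so refuse it here (this example's rule).
    if urlparse(url).scheme != "https":
        raise ValueError(f"{what} must be an https URL, got {url!r}")


def build_sp_metadata(entity_id, reply_url, want_assertions_signed=True):
    """Return an EntityDescriptor string with one HTTP-POST ACS endpoint."""
    _require_https(reply_url, "Reply URL / AssertionConsumerService")
    ET.register_namespace("md", MD_NS)
    ed = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(ed, f"{{{MD_NS}}}SPSSODescriptor", {
        "AuthnRequestsSigned": "false",
        "WantAssertionsSigned": "true" if want_assertions_signed else "false",
        "protocolSupportEnumeration": SAML2_PROTOCOL,
    })
    ET.SubElement(sp, f"{{{MD_NS}}}NameIDFormat").text = NAMEID_UNSPECIFIED
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService", {
        "Binding": HTTP_POST,
        "Location": reply_url,
        "index": "0",
        "isDefault": "true",
    })
    return ET.tostring(ed, encoding="unicode")


def parse_sp_metadata(xml_text):
    """Pull back the fields an IdP relies on when it validates a request."""
    root = ET.fromstring(xml_text)
    ns = {"md": MD_NS}
    sp = root.find("md:SPSSODescriptor", ns)
    acs = sp.find("md:AssertionConsumerService", ns)
    return {
        "entity_id": root.get("entityID"),
        "acs": acs.get("Location"),
        "binding": acs.get("Binding"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


if __name__ == "__main__":
    # Constructed placeholders for the SP's identifier and Reply URL.
    md = build_sp_metadata("https://sp.example.org/saml/metadata",
                           "https://sp.example.org/saml/acs")
    print(md)
    print(parse_sp_metadata(md))
```
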

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAOiDqnnDCiDxiJmP%3DB%2BS4792Np41rSdHgnNT2SrWm0Tjg%40mail.gmail.com.


[cas-user] CAS IdP integration with service provider that does not provide metadata

2018-04-19 Thread Mihai Petracovici
Hello,

We are looking at SAML2 integration with a certain service provider that 
does not appear to provide metadata. Their preliminary instructions give 
two URLs, one they call the Reply URL and the other the Sign On URL, which 
after a quick Google search look to be parameters for ADFS/Azure SSO setup 
(https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps).

Is CAS able to configure a SAML service with only those parameters? As far 
as I know, we need an SP metadata file or link for the SAML service 
definition to work; are we out of luck if they can't or won't provide one? 

Any ideas would be welcome.

Thanks,

Mihai Petracovici


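When an SP cannot supply metadata, the file can be written from the parameters it does hand over: the Reply URL is the AssertionConsumerService location, and the entity ID has to be confirmed with the vendor (the Sign On URL is only where users start an SP-initiated login and is not a metadata element). The following is an added example, not code from the thread or from the CAS project; the entity ID and Reply URL are constructed placeholders.

```python
"""Write a minimal SAML 2.0 SP EntityDescriptor from the parameters a vendor
hands over when it cannot supply metadata itself.  Added example, not CAS code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
PROTO_SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

ET.register_namespace("md", NS_MD)


def _md(tag):
    return "{%s}%s" % (NS_MD, tag)


def build_sp_metadata(entity_id, reply_url, want_assertions_signed=True):
    """Return SP metadata XML with one HTTP-POST AssertionConsumerService.

    entity_id : the SP's entityID (confirm with the vendor; often their base URL)
    reply_url : the Azure/ADFS "Reply URL", i.e. the AssertionConsumerService location
    The "Sign On URL" is where users start an SP-initiated login; it is not a
    metadata element and is deliberately not taken here.
    """
    parts = urlsplit(reply_url)
    # The IdP will POST a signed assertion to this URL, so refuse to register
    # anything that is not an absolute https URL.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Reply URL must be an absolute https URL: %r" % reply_url)

    root = ET.Element(_md("EntityDescriptor"), {"entityID": entity_id})
    sp = ET.SubElement(root, _md("SPSSODescriptor"), {
        "protocolSupportEnumeration": PROTO_SAML2,
        "AuthnRequestsSigned": "false",
        "WantAssertionsSigned": "true" if want_assertions_signed else "false",
    })
    ET.SubElement(sp, _md("NameIDFormat")).text = NAMEID_UNSPECIFIED
    ET.SubElement(sp, _md("AssertionConsumerService"), {
        "Binding": BINDING_POST,
        "Location": reply_url,
        "index": "0",
        "isDefault": "true",
    })
    return ET.tostring(root, encoding="unicode")


def acs_endpoints(metadata_xml):
    """Parse metadata back and list (binding, location) of every ACS endpoint,
    to check what CAS will see before dropping the file in place."""
    root = ET.fromstring(metadata_xml)
    return [(acs.get("Binding"), acs.get("Location"))
            for acs in root.iter(_md("AssertionConsumerService"))]


if __name__ == "__main__":
    # Constructed placeholder values; the vendor gives you the real ones.
    xml = build_sp_metadata("https://vendor.example/saml",
                            "https://vendor.example/saml/acs")
    print(xml)
    print(acs_endpoints(xml))
```

Save the output as a file and point the CAS SAML service definition's metadata location at it; the SP's signing certificate can be added later if the vendor signs its AuthnRequests.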


[cas-user] Re: CAS JWT/JWK oddities

2018-04-19 Thread William E.
I feel ya...  :-)

My biggest concern at the moment, as others have posted about here as well, 
is the jwt is a url parameter when passed back to the client app.  I would 
much rather it be a header or cookie or post param or anything really 
because my concern is until the jwt expiration time anyone who has access 
to the apache logs, syslogs, etc. of the cas server or the server hosting 
the client app, or has access to the network logs, or sniff the traffic in 
some way, could grab that url parameter and masquerade as that user to the 
client app.

I'm looking at the cas source code in hopes that I can make this an 
option (and make a pull request) but being a non-spring java developer my 
head is currently exploding with all the spring/lombok/etc. "magic" I am 
having to learn.  Not to mention the large amount of highly modularized 
code.  It looks well written and well commented, it's just a lot to take 
in.  Importing it into eclipse created about a hundred or so source folders 
I am currently perusing.  Argh.



On Wednesday, April 18, 2018 at 7:21:43 AM UTC-5, Karl Banke wrote:
>
> Hello there,
>
> I am using CAS 5.2 and have spent a long time (which translates to a lot 
> of money) on getting JWT Service Tickets to work. 
>
> The CAS documentation states here 
>
>
> https://apereo.github.io/cas/5.2.x/installation/Configure-ServiceTicket-JWT.html
>  
> that this should be configured using the 
>
> jwtAsServiceTicket Property
>
> It also states here 
>
> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#jwt-tickets
>
> that the signing key is a JWK 
>
> My findings so far: 
>
> JWT service tickets do not work at all in CAS 5.2.0. They work in 5.2.4.
>
> But there are some weird "limitations" that I only figured out running CAS 
> inside my debugger. 
>
> (a) The property name is wrong. The property that actually leads to anything 
> happening is jwtAsResponse, as others have pointed out in this community.
>
> But even then I would like to sign my JWTs with a public RSA key in order 
> to allow Single Page Web Applications to validate the keys. 
>
> (b) When trying to read the private key, the code never looks for a JWK, 
> but - in PrivateKeyFactoryBean - tries to parse a PEM file.
> (c) Even if one is lucky enough to eventually have an RSA key inside the 
> privateKey by supplying a PEM file, you run into trouble because
> -- taataaa --
> the AbstractCipherExecutor calls a hardcoded method called 
> EncodingUtils.signJwsHMACSha512
> (d) If you chose not to encrypt the JWT payload, you may rest assured that 
> you get another problem, because someone chose to Base64 encode the payload 
> twice rather than once. 
>
>
> I have also considered using the OpenID Connect flow instead of the JWT 
> Service tokens, but since this is a much more complicated interface my 
> expectation is that its implementation is even more broken and its 
> documentation more inaccurate. 
>
> Sorry for the rant, but I am really about to lose patience with CAS that 
> used to be a very usable, well documented and extensible tool. 
>
>
>

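The concern above, a JWT service ticket riding in a URL query parameter, is something a defender can at least measure and contain: access logs on the CAS server and on the client app can be scanned for JWT-shaped query values and those values redacted before the logs are shipped or retained. The script below is an added example, not code from the thread or the CAS project; the log lines and the token in them are constructed.

```python
"""Find (and redact) JWT-shaped values travelling as URL query parameters in
Apache-style access logs.  Added example, not from the thread or the CAS
project; the log lines and the token are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# A compact JWS: three base64url segments, header starting with '{"' ("eyJ").
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

# Common Log Format: client ident authuser [time] "METHOD target PROTO" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

REDACTED = "<redacted-jwt>"

# Constructed sample: header {"alg":"HS512"}, payload {"sub":"alice"}, dummy signature.
FAKE_JWT = "eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl"
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Apr/2018:12:25:01 -0400] "GET /app/?ticket=%s HTTP/1.1" 302 0' % FAKE_JWT,
    '10.0.0.7 - - [19/Apr/2018:12:25:03 -0400] "GET /app/home HTTP/1.1" 200 512',
    '10.0.0.9 - - [19/Apr/2018:12:26:10 -0400] "GET /app/?ticket=ST-1-abc-cas HTTP/1.1" 302 0',
]


def jwt_params(line):
    """Return (client, path, [names of query params carrying a JWT]) for one
    CLF line, or None when the line is not CLF or carries no JWT-shaped value."""
    m = CLF_RE.match(line)
    if not m:
        return None
    client, _method, target, _status = m.groups()
    url = urlsplit(target)
    names = [name for name, value in parse_qsl(url.query, keep_blank_values=True)
             if JWT_RE.match(value)]
    return (client, url.path, names) if names else None


def scan_access_log(lines):
    """Return [(line_no, client, path, [param names])] for every hit."""
    hits = []
    for no, line in enumerate(lines, start=1):
        found = jwt_params(line)
        if found:
            hits.append((no,) + found)
    return hits


def redact_line(line):
    """Replace every JWT-shaped query value in the line, keeping the rest intact
    so the log stays useful for request tracing."""
    return re.sub(r'=eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*(?=[&\s"])',
                  "=" + REDACTED, line)


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("line %d: client %s requested %s with a JWT in %s" % hit)
    print(redact_line(SAMPLE_LOG[0]))
```

A plain CAS service ticket (the third sample line) is deliberately not flagged: it is single-use and short-lived, whereas the JWT carries the whole assertion and stays valid until its expiry.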


Re: [cas-user] Proxy ticket is always null. Please help

2018-04-19 Thread Ray Bon
Attach logs and json service file.

Ray

On Thu, 2018-04-19 at 03:47 -0700, Corsair Hxw wrote:
Hello,

Thank you for guiding me to the proxy authentication link. Found tons of 
information regarding the proxying applications.

I am very new to CAS world. There could be many things that could be wrong in 
my configuration. So thank you for providing the information on attributeReleasePolicy.

I changed the service json and authorizedToReleaseProxyGrantingTicket property 
is now set to "true".
Even after making these changes, null proxy ticket is returned.

Is there anything else that I could be missing?

Regards

On Thursday, April 19, 2018 at 12:40:26 AM UTC+5:30, Manfredo Hopp wrote:

read 
https://apereo.github.io/cas/5.2.x/installation/Configuring-Proxy-Authentication.html

The service must also be authorized to receive the PGT as an attribute for the 
given attribute release policy of choice.

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://.+",
  "name" : "test",
  "id" : 1,
  "evaluationOrder" : 0,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "authorizedToReleaseProxyGrantingTicket" : true
  },



2018-04-18 10:08 GMT-03:00 Corsair Hxw :
Hello,

I am using CAS Maven Overlay (version 5.2.3) to build CAS server.
The CAS server is running on http://localhost:8080/cas

I have changed POM and added dependency for json service registry:


org.apereo.cas
cas-server-support-json-service-registry
${cas.version}



I have provided two service json files in /services:
greet-1.json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "http://localhost:8090/greet",
  "name" : "greet",
  "id" : 1,
  "evaluationOrder" : 1
}

user-2.json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "http://localhost:8090/user",
  "name" : "user",
  "id" : 2,
  "evaluationOrder" : 2
}

>From my web application 1, I am trying to get the proxy ticket for another web 
>application 2.
Web Application 1 Controller class is as below:
package com.learn.cas.proxyticket;

import org.jasig.cas.client.authentication.AttributePrincipal;
import org.springframework.security.cas.authentication.CasAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class GreetingsController {

    @GetMapping("/greet")
    public String greetWithProxyTicket(Authentication authentication) {
        String proxyTicket = null;

        if (authentication != null && authentication instanceof CasAuthenticationToken) {
            AttributePrincipal principal = ((CasAuthenticationToken)
                authentication).getAssertion().getPrincipal();

            if (principal != null) {
                // null when this app holds no PGT, or CAS declines a PT for the target service
                proxyTicket = principal.getProxyTicketFor("http://localhost:8090/user");
            }
        }

        return proxyTicket;
    }
}

Here, the returned value is always null. getProxyTicketFor always gives me null 
value.
Web application 1 pom.xml and application.yml files are attached in case they 
are needed.

Any help on this is appreciated. Stuck on this for like month now :(

Best Regards,
Corsair






--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca



Re: [cas-user] Proxy ticket is always null. Please help

2018-04-19 Thread Lalot Dominique
Something changed with CAS. They check now for what service you're asking a 
PT
For uPortal, I was obliged to put this in the web.xml: for the client side


allowedProxyChains
.*

In the CAS filter parameter

And for the service, you can change .* with the name of the service you're 
proxying to

proxyPolicy: {
  @class: org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy
  pattern: .*
}
and in the attributerelease section:
authorizedToReleaseProxyGrantingTicket: true


Le jeudi 19 avril 2018 12:47:13 UTC+2, Corsair Hxw a écrit :
>
> Hello,
>
> Thank you for guiding me to the proxy authentication link. Found tons of 
> information regarding the proxying applications.
>
> I am very new to CAS world. There could be many things that could be wrong 
> in my configuration. So thank you for providing the information on 
> *attributeReleasePolicy*.
>
> I changed the service json and *authorizedToReleaseProxyGrantingTicket* property 
> is now set to "true".
> Even after making these changes, null proxy ticket is returned.
>
> Is there anything else that I could be missing?
>
> Regards
>
> On Thursday, April 19, 2018 at 12:40:26 AM UTC+5:30, Manfredo Hopp wrote:
>>
>> read 
>> https://apereo.github.io/cas/5.2.x/installation/Configuring-Proxy-Authentication.html
>>
>> The service must also be authorized to receive the PGT as an attribute 
>> for the given attribute release policy of choice.
>>
>> {
>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>   "serviceId" : "^https://.+",
>>   "name" : "test",
>>   "id" : 1,
>>   "evaluationOrder" : 0,
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>>     "authorizedToReleaseProxyGrantingTicket" : true
>>   },
>>
>>
>>
>> 2018-04-18 10:08 GMT-03:00 Corsair Hxw :
>>
>>> Hello,
>>>
>>> I am using CAS Maven Overlay (*version 5.2.3*) to build CAS server.
>>> The CAS server is running on http://localhost:8080/cas
>>>
>>> I have changed POM and added dependency for json service registry:
>>> <dependency>
>>>     <groupId>org.apereo.cas</groupId>
>>>     <artifactId>cas-server-support-json-service-registry</artifactId>
>>>     <version>${cas.version}</version>
>>> </dependency>
>>>
>>> I have provided two service json files in /services:
>>> *greet-1.json*
>>> {
>>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>>   "serviceId" : "http://localhost:8090/greet",
>>>   "name" : "greet",
>>>   "id" : 1,
>>>   "evaluationOrder" : 1
>>> }
>>>
>>> *user-2.json*
>>> {
>>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>>   "serviceId" : "http://localhost:8090/user",
>>>   "name" : "user",
>>>   "id" : 2,
>>>   "evaluationOrder" : 2
>>> }
>>>
>>> From my web application 1, I am trying to get the proxy ticket for 
>>> another web application 2.
>>> Web Application 1 Controller class is as below:
>>> package com.learn.cas.proxyticket;
>>>
>>> import org.jasig.cas.client.authentication.AttributePrincipal;
>>> import org.springframework.security.cas.authentication.CasAuthenticationToken;
>>> import org.springframework.security.core.Authentication;
>>> import org.springframework.web.bind.annotation.GetMapping;
>>> import org.springframework.web.bind.annotation.RestController;
>>>
>>> @RestController
>>> public class GreetingsController {
>>>
>>>     @GetMapping("/greet")
>>>     public String greetWithProxyTicket(Authentication authentication) {
>>>         String proxyTicket = null;
>>>
>>>         if (authentication != null && authentication instanceof CasAuthenticationToken) {
>>>             AttributePrincipal principal = ((CasAuthenticationToken)
>>>                 authentication).getAssertion().getPrincipal();
>>>
>>>             if (principal != null) {
>>>                 // null when this app holds no PGT, or CAS declines a PT for the target service
>>>                 proxyTicket = principal.getProxyTicketFor("http://localhost:8090/user");
>>>             }
>>>         }
>>>
>>>         return proxyTicket;
>>>     }
>>> }
>>>
>>> Here, the returned value is always null. getProxyTicketFor always gives 
>>> me *null *value. 
>>> Web application 1 pom.xml and application.yml files are attached in case 
>>> they are needed.
>>>
>>> Any help on this is appreciated. Stuck on this for like month now :(
>>>
>>> Best Regards,
>>> Corsair
>>>

Re: [cas-user] Re: Cookies Problem in Clustered Environment

2018-04-19 Thread Tom Andersson
Hi,

We seem to have the following in server.xml:


...

...




On Thursday, 19 April 2018 10:35:54 UTC+3, Priyambada Madala wrote:
>
> Hi Tom, 
>
> I am facing similar problem . Would you mind sharing the exact changes in 
> server.xml of tomcat . 
>
> On Tuesday, April 5, 2016 at 4:15:57 PM UTC+5:30, Tom Andersson wrote:
>>
>> Just in case anyone else is experiencing this issue, I got this resolved 
>> by using RemoteIpValve on Tomcat end:
>>
>>
>> https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>>
>> Tom
>>
>> On Tuesday, 5 April 2016 11:23:19 UTC+3, Tom Andersson wrote:
>>>
>>> Just to fill up on this, I'm guessing that using the X-Forwarded-For 
>>> -header instead of HttpServletRequest.getRemoteAddr() would work, but I 
>>> would not like to go forking the CAS code.. is that the only way if 
>>> 'session stickiness' on the proxy level is out of the question? 
>>>
>>> BR,
>>> Tom
>>>
>>> On Tuesday, 5 April 2016 10:14:45 UTC+3, Tom Andersson wrote:

 Hi!

 Were you able to resolve this issue? I am having a similar problem, 
 where I have a clustered reverse proxy in front of CAS. It seems that the 
 TGC can only be verified when the request is coming from the same proxy IP 
 than the request by which the cookie was generated. What might be the most 
 meaningful way to resolve this issue?

 2016-04-05 06:55:19,244 DEBUG 
 [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Invalid 
 cookie. Required remote address does not match 157.200.40.117
 java.lang.IllegalStateException: Invalid cookie. Required remote 
 address does not match 157.200.40.117
 at 
 org.jasig.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:110)
 at 
 org.jasig.cas.web.support.CookieRetrievingCookieGenerator.retrieveCookieValue(CookieRetrievingCookieGenerator.java:116)

 Thank you for any suggestions!
 Tom

 On Wednesday, 20 January 2016 18:46:46 UTC+2, Artur Stöcklin wrote:
>
> Hi Community
>
> We are facing the following problem with TGC cookies in clustered 
> environment.
>
> 1. We have 2 active/active CAS nodes installed on Apache Tomcat 8.0. 
> The tickets are synchronized through EhCache.
> 2. Each Tomcat is behind an Apache web server which does the proxying.
> 3. Both web servers are behind a load balancer.
>
>
> When the user logs in and gets a valid TGC from node 1, and in a subsequent 
> request the load balancer sends him to node 2, the second CAS node throws a 
>
> java.lang.IllegalStateException: Invalid cookie. Required remote 
> address does not match "IP address of node one"
>  at 
> org.jasig.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue_aroundBody2(DefaultCasCookieValueManager.java:110)
> at 
> org.jasig.cas.web.support.DefaultCasCookieValueManager$AjcClosure3.run(DefaultCasCookieValueManager.java:1)
> at 
> org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
> at 
> org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
> at 
> org.jasig.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:89)
> at 
> org.jasig.cas.web.support.CookieRetrievingCookieGenerator.retrieveCookieValue_aroundBody2(CookieRetrievingCookieGenerator.java:109)
> at 
> org.jasig.cas.web.support.CookieRetrievingCookieGenerator$AjcClosure3.run_aroundBody0(CookieRetrievingCookieGenerator.java:1)
> at 
> org.jasig.cas.web.support.CookieRetrievingCookieGenerator$AjcClosure3$AjcClosure1.run(CookieRetrievingCookieGenerator.java:1)
> at 
> org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
> at 
> org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
> at 
> org.jasig.cas.web.support.CookieRetrievingCookieGenerator$AjcClosure3.run(CookieRetrievingCookieGenerator.java:1)
> at 
> org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
> at 
> org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
> at 
> org.jasig.cas.web.support.CookieRetrievingCookieGenerator.retrieveCookieValue(CookieRetrievingCookieGenerator.java:107)
> at 
> org.jasig.cas.web.flow.InitialFlowSetupAction.doExecute(InitialFlowSetupAction.java:91)
> at 
> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
> at 
> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
> at 
> org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
>  
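Why RemoteIpValve settles this thread: the TGC is bound to the request's remote address, which behind a reverse proxy is the proxy's own IP, so a second proxy node fails the check. The fix is to replace that address with the client address carried in X-Forwarded-For, but only when the header arrives from a proxy you operate, since any client can send that header. Below is an added example of that resolution in Python (not CAS or Tomcat code, modelled on what RemoteIpValve does); the proxy network and client addresses are constructed.

```python
"""Resolve the real client address behind a chain of reverse proxies, trusting
X-Forwarded-For only when the immediate peer is a known proxy.  Added example,
modelled on Tomcat's RemoteIpValve; not CAS or Tomcat code."""
import ipaddress


def _is_trusted(addr, trusted_nets):
    return any(ipaddress.ip_address(addr) in net for net in trusted_nets)


def client_address(remote_addr, x_forwarded_for, trusted_proxies):
    """Return the address a per-client binding (such as the CAS TGC check) should use.

    remote_addr     : the TCP peer as seen by the servlet container
    x_forwarded_for : the raw header value, or None
    trusted_proxies : CIDR strings for the proxies you operate
    Rules: if the peer is not a trusted proxy, the header is client-controlled
    and is ignored.  Otherwise walk the hops right to left, skipping trusted
    proxies; the first untrusted hop is the client.  If every hop is trusted,
    fall back to the peer address rather than trusting an unverifiable value.
    """
    nets = [ipaddress.ip_network(cidr) for cidr in trusted_proxies]
    if not _is_trusted(remote_addr, nets):
        return remote_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        ipaddress.ip_address(hop)  # raises ValueError on a malformed hop: reject the request
        if not _is_trusted(hop, nets):
            return hop
    return remote_addr


def cookie_matches(bound_addr, remote_addr, x_forwarded_for, trusted_proxies):
    """The address-binding check from the stack trace above, applied to the
    resolved client address instead of the proxy's own address."""
    return bound_addr == client_address(remote_addr, x_forwarded_for, trusted_proxies)


if __name__ == "__main__":
    proxies = ["10.0.1.0/24"]  # constructed: the network the two Apache front ends live in
    # Login went through proxy .10, the next request through proxy .11.
    bound = client_address("10.0.1.10", "203.0.113.7", proxies)
    print(cookie_matches(bound, "10.0.1.11", "203.0.113.7", proxies))  # True
    # Comparing raw peer addresses, as the failing check does, would not match:
    print("10.0.1.10" == "10.0.1.11")  # False
```

The leftmost hops of X-Forwarded-For are whatever the client chose to send; only the entries appended by your own proxies can be relied on, which is why the walk goes from the right.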

Re: [cas-user] Saml service provider for testing

2018-04-19 Thread David Curry
Try https://sptest.iamshowcase.com/ or http://www.testshib.org/

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Thu, Apr 19, 2018 at 7:22 AM, yashwanth chowdary <
ryashwanthkumarchowd...@gmail.com> wrote:

> Hi Team,
>
> We have enabled SAML IdP support for the CAS application we have
> customized. These are the properties we have configured.
> To test the functionality, do you have a service provider on your side? Can
> anyone share a service provider for testing purposes?
>
>
> serviceRegistry.initFromJson=true
> cas.serviceRegistry.json.location=classpath:/services
>
> cas.authn.samlIdp.entityId: $https://edwts016.lifetouch.net:8443/cas/idp
> cas.authn.samlIdp.scope: lifetouch.net
>
> Thanks & Regards,
> Yashwanth.
>



Re: [cas-user] Re: CAS 5.2.x as IDP using SAML 2.0

2018-04-19 Thread David Curry
Just this week I discovered   https://sptest.iamshowcase.com/   that lets
you set up a custom SP to talk to your IdP for testing. You download their
metadata, save it somewhere on your server
(/etc/cas/saml/sp-metadata/iamshowcase.xml or something), upload your CAS
IdP metadata to them, create a service definition, and you're done. Takes
like 5 minutes.

You can also use testshib.org of course, but personally I find it to be
pretty cumbersome, both generally and because it's very
Shibboleth/InCommon-centric (it's their site, so that's okay, but it's a
hassle when you're wanting to use it for something else).

--Dave



--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Thu, Apr 19, 2018 at 12:52 AM, Jay 
wrote:

> Hi Matt,
>
> Thank you so much, that helped in setting up the Local CAS application as
> IDP and was able to see the metadata generated carefully by invoking the
> idp url (/idp/metadata).
>
> To test it I was looking at setting up a local Shibboleth SP application
> but couldn't since I use Windows and Apache Tomcat to run the CAS
> application. Any info in this regard would really help.
>
> Thank you,
> Jay
>
> On Thursday, April 12, 2018 at 2:47:40 PM UTC-5, Matthew Uribe wrote:
>>
>> Jay,
>>
>> I just recently went through an upgrade from CAS 3.5.2 to 5.2.0 and this
>> documentation was immeasurably helpful:
>>
>> https://dacurry-tns.github.io/deploying-apereo-cas/building_
>> server_saml_overview.html
>>
>>
>> On Thursday, April 12, 2018 at 10:40:21 AM UTC-6, Jay wrote:
>>>
>>> Hello everyone,
>>>
>>> We are currently in the process of upgrading from CAS 3.5 to CAS 5.2. As part of
>>> this effort we need to provide support for SAML authentication to an
>>> external application (say the 'abc' application).
>>>
>>> Here 'abc' will be the SP and the new CAS 5.x will be the identity provider.
>>>
>>> Could someone guide us or tell us how to achieve this? Since we are new to the CAS 5.x
>>> framework, it would be very helpful to achieve this implementation.
>>>
>>> Thanks,
>>> Jay
>>>



[cas-user] Saml service provider for testing

2018-04-19 Thread yashwanth chowdary
Hi Team,

We have enabled SAML IdP support for the CAS application we have 
customized. These are the properties we have configured.
To test the functionality, do you have a service provider on your side? Can 
anyone share a service provider for testing purposes?


serviceRegistry.initFromJson=true
cas.serviceRegistry.json.location=classpath:/services

cas.authn.samlIdp.entityId: $https://edwts016.lifetouch.net:8443/cas/idp
cas.authn.samlIdp.scope: lifetouch.net

Thanks & Regards,
Yashwanth.



Re: [cas-user] Proxy ticket is always null. Please help

2018-04-19 Thread Corsair Hxw
Hello,

Thank you for guiding me to the proxy authentication link. Found tons of 
information regarding the proxying applications.

I am very new to CAS world. There could be many things that could be wrong 
in my configuration. So thank you for providing the information on 
*attributeReleasePolicy*.

I changed the service json and *authorizedToReleaseProxyGrantingTicket* property 
is now set to "true".
Even after making these changes, null proxy ticket is returned.

Is there anything else that I could be missing?

Regards

On Thursday, April 19, 2018 at 12:40:26 AM UTC+5:30, Manfredo Hopp wrote:
>
> read 
> https://apereo.github.io/cas/5.2.x/installation/Configuring-Proxy-Authentication.html
>
> The service must also be authorized to receive the PGT as an attribute for 
> the given attribute release policy of choice.
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^https://.+",
>   "name" : "test",
>   "id" : 1,
>   "evaluationOrder" : 0,
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "authorizedToReleaseProxyGrantingTicket" : true
>   },
>
>
>
> 2018-04-18 10:08 GMT-03:00 Corsair Hxw :
>
>> Hello,
>>
>> I am using CAS Maven Overlay (*version 5.2.3*) to build CAS server.
>> The CAS server is running on http://localhost:8080/cas
>>
>> I have changed POM and added dependency for json service registry:
>> <dependency>
>>     <groupId>org.apereo.cas</groupId>
>>     <artifactId>cas-server-support-json-service-registry</artifactId>
>>     <version>${cas.version}</version>
>> </dependency>
>>
>> I have provided two service json files in /services:
>> *greet-1.json*
>> {
>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>   "serviceId" : "http://localhost:8090/greet",
>>   "name" : "greet",
>>   "id" : 1,
>>   "evaluationOrder" : 1
>> }
>>
>> *user-2.json*
>> {
>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>   "serviceId" : "http://localhost:8090/user",
>>   "name" : "user",
>>   "id" : 2,
>>   "evaluationOrder" : 2
>> }
>>
>> From my web application 1, I am trying to get the proxy ticket for 
>> another web application 2.
>> Web Application 1 Controller class is as below:
>> package com.learn.cas.proxyticket;
>>
>> import org.jasig.cas.client.authentication.AttributePrincipal;
>> import org.springframework.security.cas.authentication.CasAuthenticationToken;
>> import org.springframework.security.core.Authentication;
>> import org.springframework.web.bind.annotation.GetMapping;
>> import org.springframework.web.bind.annotation.RestController;
>>
>> @RestController
>> public class GreetingsController {
>>
>>     @GetMapping("/greet")
>>     public String greetWithProxyTicket(Authentication authentication) {
>>         String proxyTicket = null;
>>
>>         if (authentication != null && authentication instanceof CasAuthenticationToken) {
>>             AttributePrincipal principal = ((CasAuthenticationToken)
>>                 authentication).getAssertion().getPrincipal();
>>
>>             if (principal != null) {
>>                 // null when this app holds no PGT, or CAS declines a PT for the target service
>>                 proxyTicket = principal.getProxyTicketFor("http://localhost:8090/user");
>>             }
>>         }
>>
>>         return proxyTicket;
>>     }
>> }
>>
>> Here, the returned value is always null. getProxyTicketFor always gives 
>> me *null *value. 
>> Web application 1 pom.xml and application.yml files are attached in case 
>> they are needed.
>>
>> Any help on this is appreciated. Stuck on this for like month now :(
>>
>> Best Regards,
>> Corsair
>>
>>
>
>



Re: [cas-user] Proxy ticket is always null. Please help

2018-04-19 Thread Corsair Hxw
Thank you for the information. It will definitely help to see what is 
happening in CAS.
I will post here if I find any warning / error.

Regards,


On Wednesday, April 18, 2018 at 10:28:26 PM UTC+5:30, rbon wrote:
>
> Corsair,
>
> Try these in the CAS log4j2.xml to see what happens on that side.
>
> 
>  name="org.apereo.cas.DefaultCentralAuthenticationService" level="debug" />
> 
>  name="org.apereo.cas.ticket.factory.DefaultProxyTicketFactory" 
> level="debug" />
> 
>  level="error" />
> 
>
> Ray
>
> On Wed, 2018-04-18 at 06:08 -0700, Corsair Hxw wrote:
>
> Hello, 
>
> I am using CAS Maven Overlay (*version 5.2.3*) to build CAS server.
> The CAS server is running on http://localhost:8080/cas
>
> I have changed POM and added dependency for json service registry:
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-json-service-registry</artifactId>
>     <version>${cas.version}</version>
> </dependency>
>
> I have provided two service json files in /services:
> *greet-1.json*
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "http://localhost:8090/greet",
>   "name" : "greet",
>   "id" : 1,
>   "evaluationOrder" : 1
> }
>
> *user-2.json*
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "http://localhost:8090/user",
>   "name" : "user",
>   "id" : 2,
>   "evaluationOrder" : 2
> }
>
> From my web application 1, I am trying to get the proxy ticket for another 
> web application 2.
> Web Application 1 Controller class is as below:
> package com.learn.cas.proxyticket;
>
> import org.jasig.cas.client.authentication.AttributePrincipal;
> import org.springframework.security.cas.authentication.
> CasAuthenticationToken;
> import org.springframework.security.core.Authentication;
> import org.springframework.web.bind.annotation.GetMapping;
> import org.springframework.web.bind.annotation.RestController;
>
> @RestController
> public class GreetingsController {
>
>  @GetMapping("/greet")
>  public String greetWithProxyTicket(Authentication authentication) {
>  String proxyTicket = null;
>
>
>  // instanceof is false for null, so no separate null check is needed
>  if (authentication instanceof CasAuthenticationToken) {
>  AttributePrincipal principal = ((CasAuthenticationToken) authentication).getAssertion().getPrincipal();
>
>  if (principal != null) {
>  proxyTicket = principal.getProxyTicketFor("http://localhost:8090/user");
>  }
>  }
>
>  return proxyTicket;
>  }
> }
>
> Here, the returned value is always null. getProxyTicketFor always gives 
> me *null *value. 
> Web application 1 pom.xml and application.yml files are attached in case 
> they are needed.
>
> Any help on this is appreciated. Stuck on this for like a month now :(
>
> Best Regards,
> Corsair
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
>
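An added example, not from this thread or the CAS project, of the greet-1.json registration with an explicit proxy policy. In CAS 5 a RegexRegisteredService refuses proxying unless a proxyPolicy is set (the default is RefuseRegisteredServiceProxyPolicy), so no proxy-granting ticket is ever issued to application 1 and getProxyTicketFor() has nothing to work with and returns null. The pattern matches the proxy callback URL (pgtUrl) that application 1 sends when it validates its own service ticket; the path /greet/proxyreceptor is an assumption.

```json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "http://localhost:8090/greet",
  "name" : "greet",
  "id" : 1,
  "evaluationOrder" : 1,
  "proxyPolicy" : {
    "@class" : "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern" : "^http://localhost:8090/greet/proxyreceptor$"
  }
}
```

Keep the pattern anchored to the one callback URL rather than a catch-all such as ^https?://.*, and outside a local test make the callback HTTPS: CAS contacts that URL to hand over the PGT-IOU.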



[cas-user] CAS 5.2.3 + OAuth2.0 issues

2018-04-19 Thread Ivan Obradović
Hi,

I'm using CAS server as SSO solution in my company. I'm upgrading it from 
v4.1.7 to v5.2.3 and have some issues with OAuth2.0 implementation.

1. SSOut does not work for web applications which are authenticated via the CAS 
server using the OAuth2.0 Authorization Code Grant flow.

The problem is that on the CASified application side, the class 
org.jasig.cas.client.session.SingleSignOutHandler.recordSession retrieves the 
Authorization Code and stores the connection between the session and the Authorization 
Code (sessionMappingStorage.addSessionById(token, session)).
On the CAS server side, when the SSOut request is sent to all authenticated 
applications, it sends the service ticket in the SSOut request (the back-channel SSOut 
request is used), not the Authorization Code. 
org.jasig.cas.client.session.SingleSignOutFilter on the CASified application 
detects the SSOut request, extracts the token (service ticket) from the request and 
tries to find the session, which should be invalidated, that is related to 
the token. But there is no such session because all sessions are related to the 
OAuth2 Authorization Code.

A possible solution would be:
On the CAS server side, on OAuth2.0 Authorization Code Grant authentication, the 
generated Authorization Code should be stored in 
TicketGrantingTicketImpl.services, the same way as it is done for service 
tickets.
In this way, the CAS LogoutManager will pull authorization codes and service 
tickets for the TGT and send an SSOut request for all of them.

2. Exception handling of OAuth2.0 requests

If an incomplete/invalid OAuth2.0 request is sent, e.g. without the grant_type 
parameter or with a wrong value for grant_type

https://host/cas/oauth2.0/accessToken?client_id=client1&username=u...@gmail.com&password=x
https://host/cas/oauth2.0/accessToken?grant_type=invalid&client_id=client1&username=u...@gmail.com&password=x

the response is: 
Status: 400 Bad Request
Body: error=invalid_request

There is no information about what is wrong. In the old version v4.1.7 the response 
contained information about what is wrong. For instance, Google and Facebook also 
give information about what is wrong with the request.


Another problem is with my custom validation during authentication, which is 
not propagated correctly in the case of the OAuth2.0 implementation.

For example, if a user is disabled, my custom AuthenticationHandler throws an 
exception. In the case of the CAS REST protocol, the exception is detected and 
transformed to a specific HTTP status code and error message, e.g.
Request:
  POST https://host/cas/v2/tickets
  username=u...@gmail.com
  password=x
Response:
  Status: 469
  Body: User account is disabled
  
In the case of the OAuth2.0 protocol
https://lucas.c3d.com:8443/lucas/oauth2.0/accessToken?grant_type=password&client_id=client1&username=u...@gmail.com&password=x
Response:
Status: 500 Internal Server Error
Body: {
"timestamp": 1524128050368,
"status": 469,
"error": "Http Status 469",
"message": "No message available",
"path": "/lucas/oauth2.0/accessToken"
}
The problem is that my custom status code is propagated in the response 
body, not in the response status. It is not convenient to get status 500 
Internal Server Error in this case. The error message is also not propagated, 
but that is not a big deal; the status code is important. The client should use 
the response status code to know what is wrong.

To get my custom error code in the OAuth2.0 response I overrode the class 
org.apereo.cas.support.oauth.authenticator.OAuthUserAuthenticator and 
modified the exception catch part of the code from:

    } catch (final Exception e) {
        throw new CredentialsException("Cannot login user using CAS internal authentication", e);
    }

to: 

    } catch (final AuthenticationException e) {
        final ErrorInfo error = handleError(e);
        return HttpAction.status(error.getErrorMessage(), error.getErrorCode(), context);
    } catch (final Exception e) {
        throw new CredentialsException("Cannot login user using CAS internal authentication", e);
    }

Can you please help with these issues? Did I do something wrong, or should 
something be fixed in CAS?

Regards,
Ivan
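As an added example (not CAS code and not the poster's override), the status mapping a token endpoint can apply for the two failures described above, following RFC 6749 section 5.2: missing or unknown grant_type becomes a 400 with a machine-readable error, and a rejected credential (such as a disabled account) becomes 400 invalid_grant rather than a 500. The class and method names are assumptions, and the caller is assumed to write status and body to the HTTP response.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example, not CAS code: map token-endpoint failures to the error
// responses of RFC 6749 section 5.2, so the HTTP status carries the outcome
// instead of a 500 with the real code buried in the body.
public final class OAuthTokenErrorMapper {

    private static final Set<String> SUPPORTED_GRANTS = new HashSet<>(Arrays.asList(
            "authorization_code", "password", "refresh_token", "client_credentials"));

    /** Status plus the JSON body the RFC requires; the caller renders it. */
    public static final class TokenError {
        public final int status;
        public final String body;

        TokenError(final int status, final String error, final String description) {
            this.status = status;
            // Only fixed strings go into the body: echoing caller input here
            // would need JSON escaping to avoid corrupting the document.
            this.body = "{\"error\":\"" + error + "\",\"error_description\":\"" + description + "\"}";
        }
    }

    /** Request-level checks: the missing / unknown grant_type cases from the post. */
    public static TokenError checkRequest(final Map<String, String> params) {
        final String grant = params.get("grant_type");
        if (grant == null || grant.isEmpty()) {
            return new TokenError(400, "invalid_request", "missing required parameter: grant_type");
        }
        if (!SUPPORTED_GRANTS.contains(grant)) {
            return new TokenError(400, "unsupported_grant_type", "grant_type is not supported");
        }
        return null; // well-formed; proceed to credential checks
    }

    /**
     * Credential-level failures such as a disabled account. The RFC maps these to
     * invalid_grant with status 400. The description stays generic so the token
     * endpoint does not reveal whether an account exists or is disabled; the
     * precise reason goes to the server log only (stderr stands in for it here).
     */
    public static TokenError forAuthenticationFailure(final String reasonForLog) {
        System.err.println("token request rejected: " + reasonForLog);
        return new TokenError(400, "invalid_grant", "the provided credentials were rejected");
    }
}
```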



Re: [cas-user] Re: Cookies Problem in Clustered Environment

2018-04-19 Thread Priyambada Madala
Hi Tom, 

I am facing a similar problem. Would you mind sharing the exact changes in the 
server.xml of Tomcat?

On Tuesday, April 5, 2016 at 4:15:57 PM UTC+5:30, Tom Andersson wrote:
>
> Just in case anyone else is experiencing this issue, I got this resolved 
> by using RemoteIpValve on Tomcat end:
>
>
> https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>
> Tom
>
> On Tuesday, 5 April 2016 11:23:19 UTC+3, Tom Andersson wrote:
>>
>> Just to follow up on this, I'm guessing that using the X-Forwarded-For 
>> header instead of HttpServletRequest.getRemoteAddr() would work, but I 
>> would not like to go forking the CAS code... is that the only way if 
>> 'session stickiness' on the proxy level is out of the question? 
>>
>> BR,
>> Tom
>>
>> On Tuesday, 5 April 2016 10:14:45 UTC+3, Tom Andersson wrote:
>>>
>>> Hi!
>>>
>>> Were you able to resolve this issue? I am having a similar problem, 
>>> where I have a clustered reverse proxy in front of CAS. It seems that the 
>>> TGC can only be verified when the request is coming from the same proxy IP 
>>> as the request by which the cookie was generated. What might be the most 
>>> meaningful way to resolve this issue?
>>>
>>> 2016-04-05 06:55:19,244 DEBUG 
>>> [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Invalid 
>>> cookie. Required remote address does not match 157.200.40.117
>>> java.lang.IllegalStateException: Invalid cookie. Required remote address 
>>> does not match 157.200.40.117
>>> at 
>>> org.jasig.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:110)
>>> at 
>>> org.jasig.cas.web.support.CookieRetrievingCookieGenerator.retrieveCookieValue(CookieRetrievingCookieGenerator.java:116)
>>>
>>> Thank you for any suggestions!
>>> Tom
>>>
>>> On Wednesday, 20 January 2016 18:46:46 UTC+2, Artur Stöcklin wrote:

>>>> Hi Community
>>>>
>>>> We are facing the following problem with TGC cookies in a clustered 
>>>> environment.
>>>>
>>>> 1. We have 2 active/active CAS nodes installed on Apache Tomcat 8.0. 
>>>> The tickets are synchronized through EhCache.
>>>> 2. Each Tomcat is behind an Apache web server which does the proxying.
>>>> 3. Both web servers are behind a load balancer.
>>>>
>>>> When the user logs in and gets a valid TGC from node 1, and then in a next 
>>>> request the load balancer sends him to node 2, the second CAS node throws a 
>>>>
>>>> java.lang.IllegalStateException: Invalid cookie. Required remote 
>>>> address does not match "IP address of node one"
>>>> at org.jasig.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue_aroundBody2(DefaultCasCookieValueManager.java:110)
>>>> at org.jasig.cas.web.support.DefaultCasCookieValueManager$AjcClosure3.run(DefaultCasCookieValueManager.java:1)
>>>> at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
>>>> at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
>>>> at org.jasig.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:89)
>>>> at org.jasig.cas.web.support.CookieRetrievingCookieGenerator.retrieveCookieValue_aroundBody2(CookieRetrievingCookieGenerator.java:109)
>>>> at org.jasig.cas.web.support.CookieRetrievingCookieGenerator$AjcClosure3.run_aroundBody0(CookieRetrievingCookieGenerator.java:1)
>>>> at org.jasig.cas.web.support.CookieRetrievingCookieGenerator$AjcClosure3$AjcClosure1.run(CookieRetrievingCookieGenerator.java:1)
>>>> at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
>>>> at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
>>>> at org.jasig.cas.web.support.CookieRetrievingCookieGenerator$AjcClosure3.run(CookieRetrievingCookieGenerator.java:1)
>>>> at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
>>>> at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)
>>>> at org.jasig.cas.web.support.CookieRetrievingCookieGenerator.retrieveCookieValue(CookieRetrievingCookieGenerator.java:107)
>>>> at org.jasig.cas.web.flow.InitialFlowSetupAction.doExecute(InitialFlowSetupAction.java:91)
>>>> at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>> at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>>>> at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
>>>> at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>>>> at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>>>> at