Re: [cas-user] Re: Suppress the GET for /cas/v1/tickets

2020-02-06 Thread Raheem Shaik
This issue has been suppressed or fixed in the CAS 6 version.

@Andy, thank you very much for the help.

On Tuesday, December 17, 2019 at 9:38:18 AM UTC+5:30, Andy Ng wrote:
>
> Hi Raheem,
>
> I don't have time today to do a full test, but I suspect the problem 
> exists in the pathing:
>
> When using CAS 5.2.x overlay, the structure seems like this:
>
> ├── cas
> │   └── src
> │       └── main
> │           └── resources
> │               ├── hbmsu.properties
> │               ├── services
> │               │   └── testJSONFILE-123.json
> │               ├── static
> │               │   └── themes
> │               │       └── hbmsu
> │               │           └── cas.css
> │               └── templates
>
>
> See this for more detail: 
> https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/Andy$20%22cas$2Fsrc$2Fmain$2Fresources%22|sort:date/cas-user/wkaESyEDyZo/5_vew52XBAAJ
>  
> 
>
> So, I suspect maybe if you put it like so it would work? I didn't try it
> since I don't have time to set it up:
> FROM apereo/cas:v5.2.6
> # A keypair is needed for SSL, and CAS simply will not work if you can't
> # do SSL regardless of whether you actually need it.
> RUN keytool -genkeypair -alias cas -keyalg RSA
>
> # Create the overlay source tree in one step: a `RUN cd` does not persist
> # into the next layer, so the package directory must be created with its full path.
> RUN mkdir -p /cas-overlay/cas/src/main/resources/ /cas-overlay/cas/src/main/my/company/cas/rest/
>
> COPY spring.factories /cas-overlay/cas/src/main/resources/spring.factories
> COPY MyCompanyRestConfiguraiton.java /cas-overlay/cas/src/main/my/company/cas/rest/MyCompanyRestConfiguraiton.java
> COPY MyCompanyTicketGrantingTicketResourceGetMapper.java /cas-overlay/cas/src/main/my/company/cas/rest/MyCompanyTicketGrantingTicketResourceGetMapper.java
>
> COPY cas.properties /cas-overlay/etc/cas/config/cas.properties
> COPY pom.xml /cas-overlay/pom.xml
> COPY JWTServices.json /cas-overlay/etc/cas/services/JWTServices.json
> COPY log4j2.xml /cas-overlay/etc/cas/config/log4j2.xml
> COPY run-cas.sh /cas-overlay/bin/run-cas.sh
> COPY build.sh /cas-overlay/build.sh
>
>
> Just speculation, might or might not work, but worth a try if you have 
> time.
>
> - Andy
>
>
-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/72d65810-ec4e-428f-ade4-04a6f5a905e5%40apereo.org.


[cas-user] Re: logging saml response xml

2020-02-06 Thread Alin Tomoiaga
It works great. Great advice. Thank you.

On Wednesday, February 5, 2020 at 7:23:50 PM UTC-6, Alin Tomoiaga wrote:
>
> Hi Andy, thank you very much for the help. I will try it tomorrow and 
> report my findings 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/451a889b-1fd7-46c5-8fea-278fc53cf544%40apereo.org.


Re: [cas-user] Re: CAS 6 - Dockerized Deployments on two VMs with ticket registry

2020-02-06 Thread 'Maksim Kopeyka' via CAS Community
I used asyncBackupCount=3 before and the behavior was the same.
Regarding UDP, I may try to use it, but it should work with tcpIpEnabled too,
so it's not an issue.

I guess this problem is related to the docker environment somehow. I don't have
access to the configuration of the VM. Probably I have to expose some additional
port(s) on docker. I found a thread about a dockerized env of CAS with
hazelcast in this group, but that env is based on docker swarm and my env
doesn't support docker swarm.
I saw this property in the documentation of CAS:

# ${configurationKey}.cluster.outboundPorts[0]=45000


But the container stops with an exception if I add it to the properties file:

> Binding to target [Bindable@2dd2e270 type = 
> org.apereo.cas.configuration.CasConfigurationProperties, value = 
> 'provided', annotations = 
> array[@org.springframework.boot.context.properties.ConfigurationProperties(ignoreInvalidFields=false, ignoreUnknownFields=false, prefix=cas, value=cas)]] failed:
> Property: cas.ticket.registry.hazelcast.cluster.outboundports[0]
> Value: 33000-33100
> Origin: class path resource [application-dev.properties]:82:56
> Reason: The elements [cas.ticket.registry.hazelcast.cluster.outboundports[0]] were left unbound.

 

On Friday, February 7, 2020 at 12:31:02 AM UTC+2, David Curry wrote:
>
> I believe, if you have 4 members, that asyncBackupCount should be 3. 
> Because a node doesn't back itself up. (Hazelcast might be smart enough to 
> fix that itself, but I don't know.)
>
> Also, I'm curious as to why you have tcpIpEnabled set to true? You'd be 
> much better off, from a performance standpoint, setting it to false and 
> using UDP. TCP blocks, UDP doesn't.
>
> I've never run this in docker, so I don't know what, if anything, you need 
> to do differently. But I would be at least a little suspicious of the 
> interactions there -- it should work of course, but could you be missing 
> something in the docker config, or the config on the host?
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 646 909-4728 • david...@newschool.edu 
>
>
> On Thu, Feb 6, 2020 at 4:36 PM 'Maksim Kopeyka' via CAS Community <
> cas-...@apereo.org > wrote:
>
>> Hi David,
>>
>> I tried similar config with 4 nodes:
>>
>>>
>>> cas.ticket.registry.hazelcast.cluster.members=${HAZELCAST_CLUSTER_MEMBERS}
>>> cas.ticket.registry.hazelcast.cluster.asyncBackupCount=4
>>> cas.ticket.registry.hazelcast.cluster.backupCount=0
>>> cas.ticket.registry.hazelcast.cluster.port=5701
>>> cas.ticket.registry.hazelcast.cluster.portAutoIncrement=false
>>> cas.ticket.registry.hazelcast.cluster.instanceName=localhost
>>>
>>> cas.ticket.registry.hazelcast.cluster.publicAddress=${HAZELCAST_PUBLIC_ADDRESS}
>>> cas.ticket.registry.hazelcast.cluster.tcpipEnabled=true
>>> cas.ticket.registry.hazelcast.crypto.enabled=false
>>
>>
>> I see this output on each node i.e. hazelcast creates a cluster and sees 
>> all nodes:
>>
>>> 2020-02-06 21:20:49,235 INFO 
>>> [com.hazelcast.internal.cluster.ClusterService] - 
>>> <[ecdc-rant-affiliateidp-dev-1]:5701 [dev] [3.12.4]
>>> Members {size:4, ver:4} [
>>> Member [wcdc-rant-affiliateidp-dev-1]:5701 - 
>>> a245c93b-beb0-4929-b831-e40a323cad8b
>>> Member [ecdc-rant-affiliateidp-dev-2]:5701 - 
>>> bcbcd799-8cb8-4e5d-8802-5d95d4015ffd
>>> Member [wcdc-rant-affiliateidp-dev-2]:5701 - 
>>> 9d3f52c9-1475-462e-844a-1b534efdca73
>>> Member [ecdc-rant-affiliateidp-dev-1]:5701 - 
>>> e9f81f52-7a99-4428-a402-5a2f48cba838 this
>>> ]
>>> >
>>
>>
>> However, ticket distribution doesn't work. Nodes 1, 2, 3 don't know about
>> the session on Node 4.
>>
>> I don't see any errors in the logs related to hazelcast, but this one
>> appears from time to time:
>>
>>> 2020-02-06 17:31:56,248 ERROR 
>>> [org.apereo.cas.web.flow.executor.EncryptedTranscoder] - 
>>> java.lang.IllegalArgumentException: Null input buffer
>>> at javax.crypto.Cipher.doFinal(Unknown Source) ~[?:?]
>>> at org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:92) ~[cas-server-core-util-api-6.1.3.jar!/:6.1.3]
>>
>>
>>
>> On Wednesday, February 5, 2020 at 9:28:43 PM UTC+2, David Curry wrote:
>>>
>>> Maksim,
>>>
>>> If you don't want to ever lose tickets, then you would want all nodes to 
>>> back up all other nodes. So if you have 3 member nodes, you would want 2 
>>> async backup nodes (asyncBackupCount) and also you'd probably want to 
>>> disable the default sync backup (backupCount) node since it will block. 
>>> Here are the settings we're running with in production (although this is 
>>> CAS 5):
>>>
>>> cas.ticket.registry.hazelcast.cluster.members:  
>>> cas01.newschool.edu,cas02.newschool.edu,cas03.newschool.edu,
>>> cas04.newschool.edu,cas05.newschool.edu
>>> cas.ticket.registry.hazelcast.cluster.asyncBackupCount: 4
>>> 

Re: [cas-user] Re: CAS 6 - Dockerized Deployments on two VMs with ticket registry

2020-02-06 Thread David Curry
I believe, if you have 4 members, that asyncBackupCount should be 3.
Because a node doesn't back itself up. (Hazelcast might be smart enough to
fix that itself, but I don't know.)

Also, I'm curious as to why you have tcpIpEnabled set to true? You'd be
much better off, from a performance standpoint, setting it to false and
using UDP. TCP blocks, UDP doesn't.

I've never run this in docker, so I don't know what, if anything, you need
to do differently. But I would be at least a little suspicious of the
interactions there -- it should work of course, but could you be missing
something in the docker config, or the config on the host?


--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david.cu...@newschool.edu


On Thu, Feb 6, 2020 at 4:36 PM 'Maksim Kopeyka' via CAS Community <
cas-user@apereo.org> wrote:

> Hi David,
>
> I tried similar config with 4 nodes:
>
>> cas.ticket.registry.hazelcast.cluster.members=${HAZELCAST_CLUSTER_MEMBERS}
>> cas.ticket.registry.hazelcast.cluster.asyncBackupCount=4
>> cas.ticket.registry.hazelcast.cluster.backupCount=0
>> cas.ticket.registry.hazelcast.cluster.port=5701
>> cas.ticket.registry.hazelcast.cluster.portAutoIncrement=false
>> cas.ticket.registry.hazelcast.cluster.instanceName=localhost
>>
>> cas.ticket.registry.hazelcast.cluster.publicAddress=${HAZELCAST_PUBLIC_ADDRESS}
>> cas.ticket.registry.hazelcast.cluster.tcpipEnabled=true
>> cas.ticket.registry.hazelcast.crypto.enabled=false
>
>
> I see this output on each node i.e. hazelcast creates a cluster and sees
> all nodes:
>
>> 2020-02-06 21:20:49,235 INFO
>> [com.hazelcast.internal.cluster.ClusterService] -
>> <[ecdc-rant-affiliateidp-dev-1]:5701 [dev] [3.12.4]
>> Members {size:4, ver:4} [
>> Member [wcdc-rant-affiliateidp-dev-1]:5701 -
>> a245c93b-beb0-4929-b831-e40a323cad8b
>> Member [ecdc-rant-affiliateidp-dev-2]:5701 -
>> bcbcd799-8cb8-4e5d-8802-5d95d4015ffd
>> Member [wcdc-rant-affiliateidp-dev-2]:5701 -
>> 9d3f52c9-1475-462e-844a-1b534efdca73
>> Member [ecdc-rant-affiliateidp-dev-1]:5701 -
>> e9f81f52-7a99-4428-a402-5a2f48cba838 this
>> ]
>> >
>
>
> However, ticket distribution doesn't work. Nodes 1, 2, 3 don't know about
> the session on Node 4.
>
> I don't see any errors in the logs related to hazelcast, but this one
> appears from time to time:
>
>> 2020-02-06 17:31:56,248 ERROR
>> [org.apereo.cas.web.flow.executor.EncryptedTranscoder] - 
>> java.lang.IllegalArgumentException: Null input buffer
>> at javax.crypto.Cipher.doFinal(Unknown Source) ~[?:?]
>> at org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:92) ~[cas-server-core-util-api-6.1.3.jar!/:6.1.3]
>
>
>
> On Wednesday, February 5, 2020 at 9:28:43 PM UTC+2, David Curry wrote:
>>
>> Maksim,
>>
>> If you don't want to ever lose tickets, then you would want all nodes to
>> back up all other nodes. So if you have 3 member nodes, you would want 2
>> async backup nodes (asyncBackupCount) and also you'd probably want to
>> disable the default sync backup (backupCount) node since it will block.
>> Here are the settings we're running with in production (although this is
>> CAS 5):
>>
>> cas.ticket.registry.hazelcast.cluster.members:
>> cas01.newschool.edu,cas02.newschool.edu,cas03.newschool.edu,
>> cas04.newschool.edu,cas05.newschool.edu
>> cas.ticket.registry.hazelcast.cluster.asyncBackupCount: 4
>> cas.ticket.registry.hazelcast.cluster.backupCount:  0
>> cas.ticket.registry.hazelcast.cluster.port: 5701
>> cas.ticket.registry.hazelcast.cluster.portAutoIncrement:false
>> cas.ticket.registry.hazelcast.crypto.encryption.key:
>> xxxIoXN6SBU5bF+iAVTKgw==
>> cas.ticket.registry.hazelcast.crypto.signing.key:
>>  
>> xxxmEbPGT_MXg0JWYLTe4oFaOaklocCqlY2VuHBdAHuh0V6-PdQxmgi4tTA3CZZos8TUbzg-L9nYHJpA5RqcvA
>> cas.ticket.registry.hazelcast.crypto.enabled:   true
>>
>> This works well for us behind an F5 load balancer; we do not use sticky
>> sessions. We can (and do) reboot servers in the pool without anyone getting
>> re-prompted to log in (just don't reboot them all at once).
>>
>> The crypto stuff (last three lines) is not needed for this to work, but
>> you (arguably) might want it in production. You can leave it off while
>> getting things to work and enable it later.
>>
>> One other thing -- did you remember to open 5701 in the firewall on all
>> the servers?
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 646 909-4728 • david...@newschool.edu
>>
>>
>> On Wed, Feb 5, 2020 at 1:40 PM Ray Bon  wrote:
>>
>>> Maksim,
>>>
>>> There is this config setting
>>> cas.ticket.registry.hazelcast.cluster.members=
>>> Add IPs of all members to the list.
>>> 

Re: [cas-user] Re: CAS 6 - Dockerized Deployments on two VMs with ticket registry

2020-02-06 Thread 'Maksim Kopeyka' via CAS Community
Hi David,

I tried similar config with 4 nodes:

> cas.ticket.registry.hazelcast.cluster.members=${HAZELCAST_CLUSTER_MEMBERS}
> cas.ticket.registry.hazelcast.cluster.asyncBackupCount=4
> cas.ticket.registry.hazelcast.cluster.backupCount=0
> cas.ticket.registry.hazelcast.cluster.port=5701
> cas.ticket.registry.hazelcast.cluster.portAutoIncrement=false
> cas.ticket.registry.hazelcast.cluster.instanceName=localhost
>
> cas.ticket.registry.hazelcast.cluster.publicAddress=${HAZELCAST_PUBLIC_ADDRESS}
> cas.ticket.registry.hazelcast.cluster.tcpipEnabled=true
> cas.ticket.registry.hazelcast.crypto.enabled=false


I see this output on each node i.e. hazelcast creates a cluster and sees 
all nodes:

> 2020-02-06 21:20:49,235 INFO 
> [com.hazelcast.internal.cluster.ClusterService] - 
> <[ecdc-rant-affiliateidp-dev-1]:5701 [dev] [3.12.4]
> Members {size:4, ver:4} [
> Member [wcdc-rant-affiliateidp-dev-1]:5701 - 
> a245c93b-beb0-4929-b831-e40a323cad8b
> Member [ecdc-rant-affiliateidp-dev-2]:5701 - 
> bcbcd799-8cb8-4e5d-8802-5d95d4015ffd
> Member [wcdc-rant-affiliateidp-dev-2]:5701 - 
> 9d3f52c9-1475-462e-844a-1b534efdca73
> Member [ecdc-rant-affiliateidp-dev-1]:5701 - 
> e9f81f52-7a99-4428-a402-5a2f48cba838 this
> ]
> >


However, ticket distribution doesn't work. Nodes 1, 2, 3 don't know about
the session on Node 4.

I don't see any errors in the logs related to hazelcast, but this one
appears from time to time:

> 2020-02-06 17:31:56,248 ERROR 
> [org.apereo.cas.web.flow.executor.EncryptedTranscoder] - 
> java.lang.IllegalArgumentException: Null input buffer
> at javax.crypto.Cipher.doFinal(Unknown Source) ~[?:?]
> at org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:92) ~[cas-server-core-util-api-6.1.3.jar!/:6.1.3]



On Wednesday, February 5, 2020 at 9:28:43 PM UTC+2, David Curry wrote:
>
> Maksim,
>
> If you don't want to ever lose tickets, then you would want all nodes to 
> back up all other nodes. So if you have 3 member nodes, you would want 2 
> async backup nodes (asyncBackupCount) and also you'd probably want to 
> disable the default sync backup (backupCount) node since it will block. 
> Here are the settings we're running with in production (although this is 
> CAS 5):
>
> cas.ticket.registry.hazelcast.cluster.members:  
> cas01.newschool.edu,cas02.newschool.edu,cas03.newschool.edu,
> cas04.newschool.edu,cas05.newschool.edu
> cas.ticket.registry.hazelcast.cluster.asyncBackupCount: 4
> cas.ticket.registry.hazelcast.cluster.backupCount:  0
> cas.ticket.registry.hazelcast.cluster.port: 5701
> cas.ticket.registry.hazelcast.cluster.portAutoIncrement:false
> cas.ticket.registry.hazelcast.crypto.encryption.key:
> xxxIoXN6SBU5bF+iAVTKgw==
> cas.ticket.registry.hazelcast.crypto.signing.key:  
>  
> xxxmEbPGT_MXg0JWYLTe4oFaOaklocCqlY2VuHBdAHuh0V6-PdQxmgi4tTA3CZZos8TUbzg-L9nYHJpA5RqcvA
> cas.ticket.registry.hazelcast.crypto.enabled:   true
>
> This works well for us behind an F5 load balancer; we do not use sticky 
> sessions. We can (and do) reboot servers in the pool without anyone getting 
> re-prompted to log in (just don't reboot them all at once).
>
> The crypto stuff (last three lines) is not needed for this to work, but 
> you (arguably) might want it in production. You can leave it off while 
> getting things to work and enable it later.
>
> One other thing -- did you remember to open 5701 in the firewall on all 
> the servers?
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 646 909-4728 • david...@newschool.edu 
>
>
> On Wed, Feb 5, 2020 at 1:40 PM Ray Bon > 
> wrote:
>
>> Maksim,
>>
>> There is this config setting
>> cas.ticket.registry.hazelcast.cluster.members=
>> Add IPs of all members to the list. 
>> https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#hazelcast-ticket-registry
>>  
>> and the link to common settings.
>>
>> There are some hazelcast loggers in log4j2.xml
>>
>> > level="${sys:hazelcast.log.level}" includeLocation="true" />
>>
>> Ray
>>
>> On Wed, 2020-02-05 at 09:16 -0800, 'Maksim Kopeyka' via CAS Community 
>> wrote:
>>
>> Ray, 
>>
>> I asked about the CAS functionality to distribute tickets across nodes. I
>> need the specific CAS functionality based on Hazelcast, and it seems to me this
>> functionality doesn't work as expected, so I need to check it somehow. Maybe
>> with some debug logging.
>> I have a cluster with several nodes of CAS with the hazelcast ticket registry
>> and I have a load balancer. If I turn off sticky sessions, CAS asks me for
>> username/password every time. This cluster works in the same way without the
>> hazelcast ticket registry. So it seems to me this functionality doesn't work,
>> and I don't see any errors in the logs.
>>
>> On Wednesday, February 5, 2020 at 7:03:55 PM UTC+2, rbon 

[cas-user] CAS Management: How to do authorization?

2020-02-06 Thread Richard Frovarp
How does one do authorization checks in CAS Management 5.3.6 using CAS 
attribute return? In 5.1, I have this:

cas.mgmt.adminRoles[0]=CN=,OU=,DC=dc,DC=ndsu,DC=edu
cas.mgmt.authzAttributes[0]=memberOf

Not entirely sure why that is failing on 5.3.6. Part of me says that it 
is due to pac4j splitting on the commas.

So I get the bright idea of using eduPersonEntitlement, so

mgmt.adminRoles[0]=https://www.ndsu.edu/eci/entitlement

mgmt.authzAttributes[0]=eduPersonEntitlement

But that isn't working either. In the log for the application I can see 
that my list of entitlements is being returned, but I see no roles.

What am I missing?

Thanks,

Richard

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e3789f7f-c186-1451-89da-ea4f694c6fb4%40ndsu.edu.