Re: [cas-user] Question about using CAS with LDAP...?

2021-02-12 Thread David Hawes
On Fri, 12 Feb 2021 at 12:25, KC Pullen  wrote:
>
>
> Ray,
>
> I'll take a look at the LDAP logs and see if I can find anything...

What do your mod_authnz_ldap logs say?

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAgu-wC76gvQ%3DBgo%2BkoqPv6zAw9tdLDYf6BB7xUY7vt0PZ1bKw%40mail.gmail.com.


Re: [cas-user] CAS client 3.6.2 is not redirecting with samlArt param and 302 http status code.

2021-02-12 Thread Ray Bon
Morning,

You do not need to override any classes/filters in cas client for it to work.
Turn up your cas server logs to debug to see what it is doing.
There is also this logger which will output the http client used for 
communication between the client application and cas for ticket validation etc. 
(not through the browser).



Also use the network tab in your browser's developer tools to see what redirects 
are taking place. Maybe your application is sending a redirect to cas without a 
service= or TARGET= parameter.

Ray

On Fri, 2021-02-12 at 09:41 -0800, Morning Star wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

Hi Team,

We have upgraded CAS Server to 6.2.2 and CAS client to 3.6.2. After successful 
authentication, CAS client is not redirecting to our application with samlArt 
param and 302 http status code.


--

Ray Bon
Programmer Analyst
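
Ray's check of the redirect chain can be scripted. The following is an added example, not code from the thread or from the CAS project: it takes the URLs the browser requested (copied from the network tab) and reports a login request that lacks service= or TARGET=, and a flow in which no request back to the application carries SAMLart=. The sample URLs and the names CAS_LOGIN, SERVER_NAME and diagnose are assumptions built on the thread's example.com placeholders.

```python
from urllib.parse import urlsplit, parse_qs

CAS_LOGIN = "https://example.com/cas/login"  # assumed casServerLoginUrl
SERVER_NAME = "https://example.com"          # assumed client serverName

# Constructed samples: URLs the browser requested, in order.
BROKEN_FLOW = ["https://example.com/cas/login"]  # ends on the CAS success page
SERVICE_FLOW = [
    "https://example.com/cas/login?service=https%3A%2F%2Fexample.com%2Fapp%2Fhome",
    "https://example.com/app/home?ticket=ST-2-constructed",
]
GOOD_FLOW = [
    "https://example.com/cas/login?TARGET=https%3A%2F%2Fexample.com%2Fapp%2Fhome",
    "https://example.com/app/home?SAMLart=ST-1-constructed",
    "https://example.com/app/home",  # clean URL after redirectAfterValidation
]


def diagnose(urls):
    """Return a list of findings for an ordered list of requested URLs."""
    findings = []
    saw_login = saw_artifact = False
    for raw in urls:
        url = urlsplit(raw)
        params = parse_qs(url.query)  # percent-decodes the values
        endpoint = f"{url.scheme}://{url.netloc}{url.path}"
        if endpoint == CAS_LOGIN:
            saw_login = True
            back = params.get("TARGET") or params.get("service")
            if not back:
                findings.append("login request has no service= or TARGET=")
            elif not back[0].startswith(SERVER_NAME + "/"):
                findings.append(f"return URL {back[0]} is not under serverName")
            elif "TARGET" not in params:
                findings.append("service= used: CAS answers with ticket=, not SAMLart=")
        elif raw.startswith(SERVER_NAME + "/") and "SAMLart" in params:
            saw_artifact = True
    if not saw_login:
        findings.append("browser was never sent to the CAS login URL")
    elif not saw_artifact:
        findings.append("no request back to the application carried SAMLart=")
    return findings


if __name__ == "__main__":
    for name, flow in [("broken", BROKEN_FLOW), ("service", SERVICE_FLOW), ("good", GOOD_FLOW)]:
        print(name, diagnose(flow) or "ok")
```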

[cas-user] CAS client 3.6.2 is not redirecting with samlArt param and 302 http status code.

2021-02-12 Thread Morning Star
Hi Team,

We have upgraded CAS Server to 6.2.2 and CAS client to 3.6.2. After 
successful authentication, CAS client is not redirecting to our application 
with samlArt param and 302 http status code.

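We have updated the dependencies like below:

    <dependency>
        <groupId>org.jasig.cas.client</groupId>
        <artifactId>cas-client-core</artifactId>
        <version>3.6.2</version>
    </dependency>

    <dependency>
        <groupId>org.jasig.cas.client</groupId>
        <artifactId>cas-client-support-saml</artifactId>
        <version>3.6.2</version>
    </dependency>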

We have overridden the Authentication & Validation filter class by 
providing Server Name, Login server url and Server URL Prefix.

Please find the code changes:

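Web.xml

    <filter>
        <filter-name>EXCASAuthenticationFilter</filter-name>
        <filter-class>com.mercuryinsurance.epresentment.essweb.filter.EPCASAuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>casServerLoginUrl</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>serverName</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>EXCASValidationFilter</filter-name>
        <filter-class>com.mercuryinsurance.epresentment.essweb.filter.EPCASValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://example.com/cas</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>serverName</param-value>
        </init-param>
        <init-param>
            <param-name>redirectAfterValidation</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>tolerance</param-name>
            <param-value>5000</param-value>
        </init-param>
        <init-param>
            <param-name>useSession</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>CASAuthenticationFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>CASValidationFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>CASHttpServletRequestWrapperFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>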

Java changes:

    public class EXCASAuthenticationFilter extends Saml11AuthenticationFilter {

        private static final String CLASS_NAME = EXCASAuthenticationFilter.class.getSimpleName();

        Logger log = Logger.getLogger(getClass());
        FilterConfig filterConfig = null;

        @Override
        public void destroy() {
            // TODO Auto-generated method stub
        }

        @Override
        public void initInternal(FilterConfig arg0) throws ServletException {
            super.initInternal(arg0);
            this.filterConfig = arg0;
            // Hard-coded values, applied after the parent filter has read its init-params
            String serverName = "https://example.com";
            String casServerLoginUrl = "https://example.com/cas/login";
            setServerName(serverName);
            setCasServerLoginUrl(casServerLoginUrl);
        }
    }

    public class EXCASValidationFilter extends Saml11TicketValidationFilter {

        private static final String CLASS_NAME = EXCASValidationFilter.class.getSimpleName();

        FilterConfig filterConfig = null;
        Logger log = Logger.getLogger(getClass());

        @Override
        public void destroy() {
            // TODO Auto-generated method stub
        }

        @Override
        public void initInternal(FilterConfig arg0) throws ServletException {
            this.filterConfig = arg0;
            String serverName = "https://example.com";
            String casServerUrlPrefix = "https://example.com/cas";
            Saml11TicketValidator validator = new Saml11TicketValidator(casServerUrlPrefix);
            super.initInternal(arg0);
            // Hard-coded values, applied after the parent filter has read its init-params
            setServerName(serverName);
            setTicketValidator(validator);
            setRedirectAfterValidation(true);
        }
    }

After adding these code changes, control comes to our overridden filter 
class and we are able to see logs with the updated serverName, 
casServerUrlPrefix and casServerLoginUrl.

Still, the application gets redirected to the default success page.

[image: cas.png]

We are expecting CAS to redirect to our application with the samlArt parameter. 
Are we missing any configuration or property?

On a few pages, they are asking to use 
Cas30ProxyReceivingTicketValidationFilter and AuthenticationFilter. If we 
use these filters, will we get the samlArt param with the redirection?

Please help us with how to proceed further.
Thanks in advance!



Re: [cas-user] Question about using CAS with LDAP...?

2021-02-12 Thread 'Richard Frovarp' via CAS Community
In particular, I would either be looking at

https://apereo.github.io/cas/6.3.x/services/Configuring-Service-Access-Strategy.html

Or
https://github.com/apereo/mod_auth_cas
Require cas-attribute :

The first page you referenced is nearly a decade old, and brings an LDAP 
dependency into your HTTPD configuration. I'm guessing you can't anonymous bind 
to LDAP from HTTPD.


On Fri, 2021-02-12 at 15:10 +, 'Richard Frovarp' via CAS Community wrote:
I wouldn't mix the two methods. There's probably a way to make that work, but 
that's an HTTPD question, not a CAS question. You can have CAS authenticate 
against LDAP from the CAS IdP. That can either then return the list of 
attributes to have mod_auth_cas filter on. Or you can have the IdP do filtering 
on its side, depending on your needs.

On Thu, 2021-02-11 at 18:38 -0800, KC Pullen wrote:
Hello,

I'm currently using CAS to protect web directories on Linux Centos7 and Apache 
2.4.6.

I'd like to use LDAP to grant authorization to select groups.

The following is a list of the sites/blogs that I'm using for reference:
- https://fy.blackhats.net.au/blog/html/2011/07/10/Mod_auth_cas.html
- https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapurl
- https://stackoverflow.com/questions/8939487/how-to-support-require-group-foobar-in-mod-auth-cas

Now, for "valid-user", there is no problem at all, but if I try to use LDAP and 
a filter, I'm getting the "Unauthorized" message.

Below is a snippet from my conf file:




AuthName "Test password protection for  directory"
AuthType CAS
AuthLDAPURL "ldaps://mysite.edu:636/cn=Users,dc=mysite,dc=edu?email?sub?(objectClass=*)"
 Require ldap-filter &(email=test...@mysite.edu)
# Require valid-user



Would anyone be able to take a look and provide a suggestion or two ?  Maybe 
share a link to a blog or web-page..?

Thank you kindly,

KP



Re: [cas-user] Question about using CAS with LDAP...?

2021-02-12 Thread Ray Bon
KC,

Perhaps it is the LDAP side of things that is having problems.

Are you able to look at LDAP logs?

Ray


--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.



Re: [cas-user] Question about using CAS with LDAP...?

2021-02-12 Thread 'Richard Frovarp' via CAS Community
I wouldn't mix the two methods. There's probably a way to make that work, but 
that's an HTTPD question, not a CAS question. You can have CAS authenticate 
against LDAP from the CAS IdP. That can either then return the list of 
attributes to have mod_auth_cas filter on. Or you can have the IdP do filtering 
on its side, depending on your needs.

