Re: [cas-user] CAS 6.4, Skip MFA for NonInteractiveCredentialsAction

2021-12-16 Thread Ray Bon 
Yan,

Below are a couple methods I use to see the flow.

Ray


protected void flowToFile(final Flow flow, final String fileName) {
String s = flow.toString().trim();
String formatted = formatFlow(s);
try (BufferedWriter writer = new BufferedWriter(new FileWriter(fileName))) {
//writer.write(s);
writer.write("\n\n\n\n");
writer.write(formatted);
} catch (IOException e) {
LOGGER.error(e.getMessage());
}
}

/**
* Formats a spring webflow flow to help determine how to modify a flow.
* Adds new lines and indents to make it easier to read.
* @param input flow.toString()
* @return nicely formatted flow
*/
public String formatFlow(final String input) {
//LOGGER.debug("input: ." + input + ".");
// used to add an extra indent for an object's field members
java.util.Stack stack = new 
java.util.Stack<>();
int currPosition = 0;
String indent = "";
String indentor = "\t";
String newLine = "\n";
// object identifier
java.util.regex.Pattern objPattern = Pattern.compile("^(\\w+@\\w+)\\b.*");

String in = input.trim();
StringBuilder out = new StringBuilder();
while (in.length() > currPosition) {
java.util.regex.Matcher m = objPattern.matcher(in.substring(currPosition));
String firstTwo = "";
// capture first two characters to match against ']' or '],'
if (1 < in.length() - currPosition) {
firstTwo = in.substring(currPosition, currPosition + 2);
} else {
// at end of input
firstTwo = in.substring(currPosition, currPosition + 1);
}
if (in.startsWith("[", currPosition)) {
out.append(indent).append(in.charAt(currPosition)).append(newLine);
indent += indentor;
currPosition++;
if (!stack.empty()) {
java.util.AbstractMap.SimpleEntry se = stack.pop();
se.setValue(se.getValue() + 1);
stack.push(se);
}
} else if (firstTwo.startsWith("]")) {
if (!stack.empty()) {
java.util.AbstractMap.SimpleEntry se = stack.pop();
if (1 > se.getValue()) {
// outdent after printing member variables
indent = indent.replaceFirst(indentor, "");
if (!stack.empty()) {
// this ] closes from outer object
java.util.AbstractMap.SimpleEntry seOuter = stack.pop();
seOuter.setValue(seOuter.getValue() - 1);
stack.push(seOuter);
}
} else {
se.setValue(se.getValue() - 1);
stack.push(se);
}
}
indent = indent.replaceFirst(indentor, "");
out.append(indent).append("]");
if ("],".equals(firstTwo)) {
out.append(",");
currPosition++;
}
out.append(newLine);
currPosition++;
} else if (m.matches()) {
String obj = m.group(1);
out.append(indent).append(obj).append(newLine);
indent = indent + indentor;
// prepare for members
stack.push(new java.util.AbstractMap.SimpleEntry(obj, 0));
currPosition += obj.length();
} else {
int nextOpenBracket = in.indexOf("[", currPosition);
int nextCloseBracket = in.indexOf("]", currPosition);
int nextComma = in.indexOf(",", currPosition);
int nextMark = 0;
boolean increaseIndent = false;
// if [ or , not found, push beyond last position which would be ]
if (0 > nextOpenBracket) {
nextOpenBracket = in.length();
}
if (0 > nextComma) {
nextComma = in.length();
}
// add 1 when [ and , since they should remain on same line and ] should be on 
next line
if (nextCloseBracket > nextOpenBracket) {
if (nextOpenBracket > nextComma) {
nextMark = nextComma + 1;
} else {
nextMark = nextOpenBracket + 1;
// bypass empty and null
if ((in.substring(nextMark).startsWith("[empty]]"))
|| (in.substring(nextMark).startsWith("null]"))) {
if (in.substring(nextMark).startsWith("[empty]],")) {
nextMark += 9;
} else if (in.substring(nextMark).startsWith("[empty]]")) {
nextMark += 8;
} else if (in.substring(nextMark).startsWith("null],")) {
nextMark += 6;
} else if (in.substring(nextMark).startsWith("null]")) {
nextMark += 5;
}
} else {
// indent members
increaseIndent = true;
if (!stack.empty()) {
java.util.AbstractMap.SimpleEntry se = stack.pop();
se.setValue(se.getValue() + 1);
stack.push(se);
}
}
}
} else if (nextCloseBracket > nextComma) {
nextMark = nextComma + 1;
} else {
nextMark = nextCloseBracket;
}
String s = in.substring(currPosition, nextMark).trim();
if (0 < s.length()) {
out.append(indent).append(s).append(newLine);
currPosition = nextMark;
}
if (increaseIndent) {
// for next line
indent = indent + indentor;
}
}
}
String formatted = out.toString().trim();
//LOGGER.debug("formatted: ." + formatted + ".");

return formatted;
}

On Thu, 2021-12-16 at 16:54 -0800, Yan Zhou wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

Hi there,

CAS 6.4.x.  we have global MFA turned on for all requests, but we want our SSO 
traffic to skip MFA.   I run into problem with CAS looking for simple-mfa 
during our SSO login flow.  I followed the CAS' source on token authentication, 
but has not found a solution.

The following are some info.  Thanks in advance!

cas.properties:

cas.authn.mfa.triggers.global.global-provider-id=mfa-simple
cas.authn.mfa.simple.name=mfa-simple
cas.authn.mfa.simple.order=1

service json:

  "multifactorPolicy" : {
"@class" :

[cas-user] CAS 6.4, Skip MFA for NonInteractiveCredentialsAction

2021-12-16 Thread Yan Zhou 
Hi there,

CAS 6.4.x.  we have global MFA turned on for all requests, but we want our 
SSO traffic to skip MFA.   I run into problem with CAS looking for 
simple-mfa during our SSO login flow.  I followed the CAS' source on token 
authentication, but has not found a solution.

The following are some info.  Thanks in advance!  

cas.properties:

cas.authn.mfa.triggers.global.global-provider-id=mfa-simple
cas.authn.mfa.simple.name=mfa-simple
cas.authn.mfa.simple.order=1

service json:

  "multifactorPolicy" : {
"@class" : 
"org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
"bypassPrincipalAttributeName": "questSkipMFA"
  }

we have a separate SSO authenticationHandler that will set principal 
attribute, so that MFA module will know to skip MFA.

this is my SSO webflow, once SSO passes, we issue TGT,  and authN 
completes. 

public class SsoLoginWebflowConfigurer  extends 
AbstractCasWebflowConfigurer  {
} 

@Override
protected void doInitialize() {
val flow = getLoginFlow();
if (flow != null) {
val state = getState(flow, 
CasWebflowConstants.STATE_ID_INIT_LOGIN_FORM, ActionState.class);
createTransitionForState(state, 
TRANSITION_ID_SSO_AUTHENTICATION_CHECK, STATE_ID_SSO_AUTHENTICATION_CHECK);

val actionState = createActionState(flow, 
STATE_ID_SSO_AUTHENTICATION_CHECK,

createEvaluateAction("oktaSamlNonInteractiveCredentialsAction"));

createTransitionForState(actionState, 
CasWebflowConstants.TRANSITION_ID_ERROR, "lsmSAMLFailed");
val lsmSamlFailed = createViewState(flow, "lsmSAMLFailed", 
"error/casLsmTokenErrorView");
createStateDefaultTransition(lsmSamlFailed, "viewLoginForm");

createTransitionForState(actionState, 
CasWebflowConstants.TRANSITION_ID_SUCCESS, 

CasWebflowConstants.STATE_ID_CREATE_TICKET_GRANTING_TICKET);

  
   .

here is the error I get. I looks like CAS is looking for mfa-simple state 
(probably because I have globally turned on MFA).   How can I append the 
mfa-simple flow into this flow definition?  And when I do so, I assume it 
will note the attribute and skip the actual mfa flow?

2021-12-17 00:42:17,828 DEBUG 
[org.apereo.cas.authentication.mfa.trigger.GlobalMultifactorAuthenticationTrigger]
 
- 
2021-12-17 00:42:17,832 DEBUG 
[org.apereo.cas.authentication.mfa.trigger.GlobalMultifactorAuthenticationTrigger]
 
- 
2021-12-17 00:42:17,832 TRACE 
[org.apereo.cas.authentication.MultifactorAuthenticationUtils] - 

2021-12-17 00:42:17,833 TRACE 
[org.apereo.cas.authentication.MultifactorAuthenticationUtils] - 
2021-12-17 00:42:17,834 ERROR 
[org.apereo.cas.authentication.MultifactorAuthenticationUtils] - 
2021-12-17 00:42:17,836 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
 
- 


== end ==

Yan

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/df95fadd-0fbc-4944-8668-51f6443f4fd9n%40apereo.org.

Re: [cas-user] Identity provider has no single logout service available

2021-12-16 Thread Noelette Stout 
I tried setting the logoutType to none for this service, but I'm still
getting the same error. Strangely, it works just fine in CAS 6.3.x. It
only started happening when I started testing the upgrade to 6.4.x.

On Thu, Dec 16, 2021 at 12:19 PM Ray Bon  wrote:

> Noelette,
>
> You can try setting the logoutType to none for the service,
> https://apereo.github.io/cas/6.4.x/services/Service-Management.html#registered-services
>
> Ray
>
> On Thu, 2021-12-16 at 08:20 -0800, Noelette Stout wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
> CAS version - 6.4.4.1
> Java Version: 11.0.12
>
> I'm getting a 500 error on logout when using delegated authentication to a
> third-party SAML IdP.
>
> The initial error is:
> org.springframework.webflow.execution.ActionExecutionException: Exception
> thrown executing
> org.apereo.cas.web.flow.DelegatedAuthenticationClientLogoutAction@290aa707
> in state 'terminateSession' of flow 'logout' -- action execution attributes
> were 'map[[empty]]'
>
> which eventually gets to:
> Caused by: org.pac4j.saml.exceptions.SAMLException: Identity provider has
> no single logout service available for the selected profile
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
>
> I checked the IdP metadata, and sure enough, all lines for
> SingleLogoutService have been commented out. Is there a setting I can use
> locally to override this? I tried setting cas.slo.disabled=true, but I'm
> still getting the same error. I've been looking through the documentation
> for a setting to address this, but I can't seem to find it. Any help would
> be appreciated.
>
> Thanks,
> Noelette
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional
> territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ
> peoples whose historical relationships with the land continue to this day.
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "CAS Community" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/a/apereo.org/d/topic/cas-user/1c0Vig-1zHg/unsubscribe
> .
> To unsubscribe from this group and all its topics, send an email to
> cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/4d668898f183dff5b8e7d4cc526dd6ff94b2b89a.camel%40uvic.ca
> 
> .
>


-- 
Noelette Stout
ITS Enterprise Applications - Senior Application Administrator
Idaho State University
E-mail: stounoel "at" isu "dot" edu
Desk: 208-282-2554

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAC3gc2Gp7TkZXVRNaz7M47%2BZJeSZ6cqXOE-_VTiXza2TDRWVcA%40mail.gmail.com.

Re: [cas-user] log4j vulnerability remediation

2021-12-16 Thread Raph C 
Hi,

You have to exclude log4j* from WEB-INF/lib form overlay plugin and add
correct version as dependency( use 2.16.0 instead, a new CVE appeared on
Tuesday)
Regards,

Le mar. 14 déc. 2021 à 17:02, apereo_cas_user  a
écrit :

> We use cas 6.1.7  overlay template [still in pre-prod] for delegated
> authentication.
> As a temp solution we replaced log4j  2.12.1 with 2.15.0 manually and
> bounced tomcat.
> Is there a way we can exclude 2.12.1 from the build . [I can pull in
> 2.15.0 by adding in build.gradle but conflict with 2.12.1].  We have issues
> when upgrading to 6.3.7.2
>
> Thanks
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/affbd618-e1e6-427f-b333-e00ca54bf1aen%40apereo.org
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAJtMnTFH2iCfbQQMe31WtoJtCgatasTAw4TCZWBUx8tZLirSXg%40mail.gmail.com.

Re: [cas-user] Identity provider has no single logout service available

2021-12-16 Thread Ray Bon 
Noelette,

You can try setting the logoutType to none for the service, 
https://apereo.github.io/cas/6.4.x/services/Service-Management.html#registered-services

Ray

On Thu, 2021-12-16 at 08:20 -0800, Noelette Stout wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

CAS version - 6.4.4.1
Java Version: 11.0.12

I'm getting a 500 error on logout when using delegated authentication to a 
third-party SAML IdP.

The initial error is:
org.springframework.webflow.execution.ActionExecutionException: Exception 
thrown executing 
org.apereo.cas.web.flow.DelegatedAuthenticationClientLogoutAction@290aa707 in 
state 'terminateSession' of flow 'logout' -- action execution attributes were 
'map[[empty]]'

which eventually gets to:
Caused by: org.pac4j.saml.exceptions.SAMLException: Identity provider has no 
single logout service available for the selected profile 
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

I checked the IdP metadata, and sure enough, all lines for SingleLogoutService 
have been commented out. Is there a setting I can use locally to override this? 
I tried setting cas.slo.disabled=true, but I'm still getting the same error. 
I've been looking through the documentation for a setting to address this, but 
I can't seem to find it. Any help would be appreciated.

Thanks,
Noelette

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory 
the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose 
historical relationships with the land continue to this day.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4d668898f183dff5b8e7d4cc526dd6ff94b2b89a.camel%40uvic.ca.

Re: [cas-user] CAS JDK version question

2021-12-16 Thread Baba Ndiaye 
Hello
I'm trying to install CAS 6.4.4.1 Ubuntu 18.04 Tomcat9 openjdk-11 (failed)
openjdk-17 (failed) 16 doesnt exist in ubuntu18.04
When i do ./gradlew clean is success but ./gradlew clean
copyCasConfiguration build failed  Deprecated Gradle  Incompatible with
8.0 (i use gradle 7.3.2)

Le jeu. 16 déc. 2021 à 16:13, Misagh  a écrit :

> > Is JDK 11 an exact requirement?  Or are later versions of the JDK also
> acceptable?
>
> 6.4, JDK 16:
>
> https://apereo.github.io/cas/6.4.x/release_notes/RC3.html#jdk-16-compatibility
>
> 6.5, JDK 17:
>
> https://apereo.github.io/cas/development/release_notes/RC1.html#jdk-17-compatibility
>
> Also 6.5 now passing builds for 18-ea.
>
> Also see:
> https://wiki.openjdk.java.net/display/quality/Quality+Outreach
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGSBKkdpif4GOwX26FetyLU42YS_Ysn65eBAU7cHoQvW%2BD6zvQ%40mail.gmail.com
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFu1ZRtZrr8ZopAfbOAALCc1n60B%2BzH46dVgtHC8GWk4tZuZrw%40mail.gmail.com.

Re: [cas-user] Re: log4j vulnerability remediation

2021-12-16 Thread Jennifer LaVoie 
Thanks, Lars.  Very helpful

On Thu, Dec 16, 2021 at 11:18 AM Lars Feistner 
wrote:

> Hi,
>
> just in case anyone out there is still using the 5.3.x version and
> building the overlay with maven.
> I have added these lines to the dependencies section:
> 
>   org.apache.logging.log4j
>   log4j-api
>   ${log4j.version}
>   runtime
> 
> 
>   org.apache.logging.log4j
>   log4j-core
>   ${log4j.version}
>   runtime
> 
> 
>   org.apache.logging.log4j
>   log4j-jcl
>   ${log4j.version}
>   runtime
> 
> 
>   org.apache.logging.log4j
>   log4j-slf4j-impl
>   ${log4j.version}
>   runtime
> 
> 
>   org.apache.logging.log4j
>   log4j-web
>   ${log4j.version}
>   runtime
> 
> and these lines to the excludes section of the maven-war-plugin
> 
> 
>   org.apereo.cas
>   cas-server-webapp${app.server}
>   
> WEB-INF/lib/log4j-api-2.12.1.jar
> WEB-INF/lib/log4j-core-2.12.1.jar
> WEB-INF/lib/log4j-jcl-2.12.1.jar
> WEB-INF/lib/log4j-slf4j-impl-2.12.1.jar
> WEB-INF/lib/log4j-web-2.12.1.jar
>   
> 
>   
>
> Best regards,
> Lars
>
>
>
> On 15.12.21 21:24, Baba Ndiaye wrote:
>
> Thank you Jeff
>
> Le mercredi 15 décembre 2021 à 19:46:39 UTC, jeffrey...@gmail.com a
> écrit :
>
>> I did this based on what was posted earlier in the thread to update 6.2.
>>
>> -- add to build.gradle dependencies section
>>
>> implementation "org.apache.logging.log4j:log4j-api:2.16.0"
>> implementation "org.apache.logging.log4j:log4j-core:2.16.0"
>> implementation "org.apache.logging.log4j:log4j-jcl:2.16.0"
>> implementation "org.apache.logging.log4j:log4j-jul:2.16.0"
>> implementation "org.apache.logging.log4j:log4j-web:2.16.0"
>> implementation "org.apache.logging.log4j:log4j-slf4j18-impl:2.16.0"
>>
>> -- add to the end of build.gradle
>>
>> bootWar {
>> entryCompression = ZipEntryCompression.STORED
>> overlays {
>> cas {
>> from
>> "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war
>> "
>> provided = false
>> excludes =
>> ["WEB-INF/lib/log4j*2.12.*.jar","WEB-INF/lib/log4j*2.13.*.jar"]
>> }
>> }
>> }
>>
>> I would recommend you unpack the new war once it is built and update the
>> excludes list as needed.
>>
>> -Jeff
>> -Jeff
>>
>>
>> On Wed, Dec 15, 2021 at 2:22 PM Baba Ndiaye  wrote:
>>
>>> good evening
>>>
>>> I would like to know if we make an update of log4j 2.16 how to know if CAS 
>>> has supported it (use it) and also for the update we only need to add this 
>>> lines
>>>
>>>
>>> dependencies {compile "org.apache.logging.log4j:log4j-api:2.15.0"
>>> compile "org.apache.logging.log4j:log4j-core:2.15.0"compile 
>>> "org.apache.logging.log4j:log4j-jcl:2.15.0"compile 
>>> "org.apache.logging.log4j:log4j-jul:2.15.0"compile 
>>> "org.apache.logging.log4j:log4j-web:2.15.0"compile 
>>> "org.apache.logging.log4j:log4j-slf4j18-impl:2.15.0"}
>>>
>>>
>>> Le mer. 15 déc. 2021 à 03:43, Jeffrey Ramsay  a
>>> écrit :
>>>
 Robert and Joe,

 Your examples were really helpful. I was able to combine the steps and
 patch our systems.

 Thanks,
 -Jeff

 On Tue, Dec 14, 2021 at 1:58 PM Pablo Vidaurri 
 wrote:

> Note v2.16.0 is now out  a patch for the patch
>
> On Tuesday, December 14, 2021 at 10:02:48 AM UTC-6 apereo_cas_user
> wrote:
>
>> We use cas 6.1.7  overlay template [still in pre-prod] for delegated
>> authentication.
>> As a temp solution we replaced log4j  2.12.1 with 2.15.0 manually and
>> bounced tomcat.
>> Is there a way we can exclude 2.12.1 from the build . [I can pull in
>> 2.15.0 by adding in build.gradle but conflict with 2.12.1].  We have 
>> issues
>> when upgrading to 6.3.7.2
>>
>> Thanks
>>
>> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google
> Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to cas-user+u...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/379632b4-2e9b-40b1-824d-1eebbdee4f83n%40apereo.org
> 
> .
>
 --
 - Website: https://apereo.github.io/cas
 - Gitter Chatroom: https://gitter.im/apereo/cas
 - List Guidelines: https://goo.gl/1VRrw7
 - Contributions:

[cas-user] Identity provider has no single logout service available

2021-12-16 Thread Noelette Stout 
CAS version - 6.4.4.1 
Java Version: 11.0.12

I'm getting a 500 error on logout when using delegated authentication to a 
third-party SAML IdP. 

The initial error is:
org.springframework.webflow.execution.ActionExecutionException: Exception 
thrown executing 
org.apereo.cas.web.flow.DelegatedAuthenticationClientLogoutAction@290aa707 
in state 'terminateSession' of flow 'logout' -- action execution attributes 
were 'map[[empty]]'

which eventually gets to:
Caused by: org.pac4j.saml.exceptions.SAMLException: Identity provider has 
no single logout service available for the selected profile 
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST 

I checked the IdP metadata, and sure enough, all lines for 
SingleLogoutService have been commented out. Is there a setting I can use 
locally to override this? I tried setting cas.slo.disabled=true, but I'm 
still getting the same error. I've been looking through the documentation 
for a setting to address this, but I can't seem to find it. Any help would 
be appreciated.

Thanks,
Noelette

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/05b9c109-73af-4669-ab75-c58eac14cf2fn%40apereo.org.

Re: [cas-user] Re: log4j vulnerability remediation

2021-12-16 Thread Lars Feistner 

Hi,

just in case anyone out there is still using the 5.3.x version and 
building the overlay with maven.

I have added these lines to the dependencies section:

  org.apache.logging.log4j
  log4j-api
  ${log4j.version}
  runtime
    
    
  org.apache.logging.log4j
  log4j-core
  ${log4j.version}
  runtime
    
    
  org.apache.logging.log4j
  log4j-jcl
  ${log4j.version}
  runtime
    
    
  org.apache.logging.log4j
  log4j-slf4j-impl
  ${log4j.version}
  runtime
    
    
  org.apache.logging.log4j
  log4j-web
  ${log4j.version}
  runtime
    
and these lines to the excludes section of the maven-war-plugin

    
  org.apereo.cas
cas-server-webapp${app.server}
  
WEB-INF/lib/log4j-api-2.12.1.jar
WEB-INF/lib/log4j-core-2.12.1.jar
WEB-INF/lib/log4j-jcl-2.12.1.jar
WEB-INF/lib/log4j-slf4j-impl-2.12.1.jar
WEB-INF/lib/log4j-web-2.12.1.jar
  
    
  

Best regards,
Lars



On 15.12.21 21:24, Baba Ndiaye wrote:

Thank you Jeff

Le mercredi 15 décembre 2021 à 19:46:39 UTC, jeffrey...@gmail.com a 
écrit :


I did this based on what was posted earlier in the thread
to update 6.2.

-- add to build.gradle dependencies section

    implementation "org.apache.logging.log4j:log4j-api:2.16.0"
    implementation "org.apache.logging.log4j:log4j-core:2.16.0"
    implementation "org.apache.logging.log4j:log4j-jcl:2.16.0"
    implementation "org.apache.logging.log4j:log4j-jul:2.16.0"
    implementation "org.apache.logging.log4j:log4j-web:2.16.0"
    implementation
"org.apache.logging.log4j:log4j-slf4j18-impl:2.16.0"

-- add to the end of build.gradle

bootWar {
    entryCompression = ZipEntryCompression.STORED
    overlays {
        cas {
            from

"org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war"
            provided = false
            excludes =
["WEB-INF/lib/log4j*2.12.*.jar","WEB-INF/lib/log4j*2.13.*.jar"]
        }
    }
}

I would recommend you unpack the new war once it is built and
update the excludes list as needed.

-Jeff
-Jeff


On Wed, Dec 15, 2021 at 2:22 PM Baba Ndiaye 
wrote:

good evening

I would like to know if we make an update of log4j 2.16 how to
know if CAS has supported it (use it) and also for the update
we only need to add this lines

dependencies {     compile
"org.apache.logging.log4j:log4j-api:2.15.0"     compile
"org.apache.logging.log4j:log4j-core:2.15.0"     compile
"org.apache.logging.log4j:log4j-jcl:2.15.0"     compile
"org.apache.logging.log4j:log4j-jul:2.15.0"     compile
"org.apache.logging.log4j:log4j-web:2.15.0"     compile
"org.apache.logging.log4j:log4j-slf4j18-impl:2.15.0" }


Le mer. 15 déc. 2021 à 03:43, Jeffrey Ramsay
 a écrit :

Robert and Joe,

Your examples were really helpful. I was able to combine
the steps and patch our systems.

Thanks,
-Jeff

On Tue, Dec 14, 2021 at 1:58 PM Pablo Vidaurri
 wrote:

Note v2.16.0 is now out  a patch for the patch

On Tuesday, December 14, 2021 at 10:02:48 AM UTC-6
apereo_cas_user wrote:

We use cas 6.1.7  overlay template [still in
pre-prod] for delegated authentication.
As a temp solution we replaced log4j 2.12.1 with
2.15.0 manually and bounced tomcat.
Is there a way we can exclude 2.12.1 from the
build . [I can pull in 2.15.0 by adding in
build.gradle but conflict with 2.12.1]. We have
issues when upgrading to 6.3.7.2

Thanks

-- 
- Website: https://apereo.github.io/cas

- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed
to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving
emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit

https://groups.google.com/a/apereo.org/d/msgid/cas-user/379632b4-2e9b-40b1-824d-1eebbdee4f83n%40apereo.org

.

-- 
- Website: https://apereo.github.io/cas

- Gitter Chatroom: https://gitter.im/apereo/cas
- List

Re: [cas-user] CAS JDK version question

2021-12-16 Thread Misagh 
> Is JDK 11 an exact requirement?  Or are later versions of the JDK also 
> acceptable?

6.4, JDK 16:
https://apereo.github.io/cas/6.4.x/release_notes/RC3.html#jdk-16-compatibility

6.5, JDK 17:
https://apereo.github.io/cas/development/release_notes/RC1.html#jdk-17-compatibility

Also 6.5 now passing builds for 18-ea.

Also see:
https://wiki.openjdk.java.net/display/quality/Quality+Outreach

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGSBKkdpif4GOwX26FetyLU42YS_Ysn65eBAU7cHoQvW%2BD6zvQ%40mail.gmail.com.

Re: [cas-user] CAS 6.2 to 6.3.7.2 upgrade

2021-12-16 Thread Colin Ryan 
I'm not concerned about the Log4J in 6.3.7.2, a gradlew clean build 
fixed that up...but curious about any big mismatches with 
mfa-gauth/mongo that could be causing the exception stack below. 
Specifically "java.lang.IllegalArgumentException: Collation not 
supported by wire version: 4"


C

On 12/15/21 4:33 PM, Colin Ryan wrote:
As a longer view on Log4J mitigation we are doing test upgrades from 
6.2.x to 6.3...


We are using Mongo for service registry, ticketregistry and GAuth 
registry.


When testing the GAuth functions we are getting an exception from the 
following mongo related error.



2021-12-15 21:15:06,696 DEBUG 
[org.apereo.cas.web.FlowExecutionExceptionResolver] - received exception 
[org.springframework.webflow.execution.ActionExecutionException: 
Exception thrown executing 
org.apereo.cas.otp.web.flow.OneTimeTokenAccountCheckRegistrationAction@1cdb280b 
in state 'accountRegistrationCheck' of flow 'mfa-gauth' -- action 
execution attributes were 'map['resolvedAuthenticationEvents' -> 
list[mfa-gauth]]'] due to a type mismatch with handler 
[[FlowHandlerMapping.DefaultFlowHandler@2b6ccf3e]]>
2021-12-15 21:15:06,696 DEBUG 
[org.apereo.cas.web.FlowExecutionExceptionResolver] - received exception 
[org.springframework.webflow.execution.ActionExecutionException: 
Exception thrown executing 
org.apereo.cas.otp.web.flow.OneTimeTokenAccountCheckRegistrationAction@1cdb280b 
in state 'accountRegistrationCheck' of flow 'mfa-gauth' -- action 
execution attributes were 'map['resolvedAuthenticationEvents' -> 
list[mfa-gauth]]'] due to a type mismatch with handler 
[[FlowHandlerMapping.DefaultFlowHandler@2b6ccf3e]]>
2021-12-15 21:15:06,701 ERROR 
[org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet]] 
- path [/cas] threw exception [Request processing failed; nested 
exception is 
org.springframework.webflow.execution.ActionExecutionException: 
Exception thrown executing 
org.apereo.cas.otp.web.flow.OneTimeTokenAccountCheckRegistrationAction@1cdb280b 
in state 'accountRegistrationCheck' of flow 'mfa-gauth' -- action 
execution attributes were 'map['resolvedAuthenticationEvents' -> 
list[mfa-gauth]]'] with root cause>
java.lang.IllegalArgumentException: Collation not supported by wire 
version: 4
    at 
com.mongodb.internal.operation.OperationHelper.validateCollation(OperationHelper.java:132) 
~[mongodb-driver-core-4.1.1.jar!/:?]
    at 
com.mongodb.internal.operation.OperationHelper.validateReadConcernAndCollation(OperationHelper.java:326) 
~[mongodb-driver-core-4.1.1.jar!/:?]




We are using Mongo 3.4.14-4


Thoughts


Sincerely


Colin




--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c1c9e70d-40d6-f7e6-4f51-b1c749966ffa%40caveo.ca.

Re: [cas-user] CAS 6.3.7.2 And Twilio SMS (mfa-simple provider)

2021-12-16 Thread Guillaume EGRON 
Thanks Ray

problem solved
and i updated to v6.3.7.3 successfully

Le mercredi 15 décembre 2021 à 17:27:47 UTC+1, Ray Bon a écrit :

> Guillaume,
>
> This looks like a library conflict. There have been a few recent posts on 
> this list on how to exclude the older version of log4j.
>
> Ray
>
> On Wed, 2021-12-15 at 00:17 -0800, Guillaume EGRON wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information. 
>
>
> Hello 
>
> Since CAS 6.3.7.2, adding the dependency cas-server-support-sms-twilio 
> still brings log4j-api 2.14.0 and log4j-core 2.14.0 into the app libs.
>
> When I deploy my cas.war into an external Tomcat 9.0.43, through IntelliJ 
> IDEA, cas can't start with error
>
> Caused by: java.lang.NoSuchMethodError: 
> org.apache.logging.log4j.spi.LoggerContextFactory.isClassLoaderDependent()Z
> at 
> org.apache.logging.slf4j.Log4jLoggerFactory.getContext(Log4jLoggerFactory.java:56)
> at 
> org.apache.logging.log4j.spi.AbstractLoggerAdapter.getLogger(AbstractLoggerAdapter.java:48)
> Artifact Cas:war exploded: Error during artifact deployment. See server 
> log for details.
> at 
> org.apache.logging.slf4j.Log4jLoggerFactory.getLogger(Log4jLoggerFactory.java:33)
> at 
> org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:354)
> at 
> org.apache.commons.logging.impl.SLF4JLogFactory.getInstance(SLF4JLogFactory.java:155)
> at 
> org.apache.commons.logging.impl.SLF4JLogFactory.getInstance(SLF4JLogFactory.java:132)
> at 
> org.apache.commons.logging.LogFactory.getLog(LogFactory.java:655)
> at 
> org.springframework.boot.web.servlet.support.SpringBootServletInitializer.onStartup(SpringBootServletInitializer.java:94)
> at 
> org.apereo.cas.web.CasWebApplicationServletInitializer.onStartup(CasWebApplicationServletInitializer.java:24)
> at 
> org.springframework.web.SpringServletContainerInitializer.onStartup(SpringServletContainerInitializer.java:172)
> at 
> org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5166)
> at 
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 <(250)%20721-8831> | CLE 019 | rb...@uvic.ca
>
> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional 
> territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ 
> peoples whose historical relationships with the land continue to this day.
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/74c1a528-6dc2-4419-a1b0-a4afe44f6365n%40apereo.org.