[cas-user] Re: 6.4.x - Error at logout - TS not found (couchdb)

2022-02-22 Thread Vittore Zen
Addendum: in storage there are the TGT and the correct TS.



On Wed 23 Feb 2022 at 07:47 Vittore Zen wrote:

> Hi,
>
> when an already authenticated user logs out, there is this error and logout
> does not work. The TGT cookie isn't deleted.
>
> org.springframework.webflow.execution.ActionExecutionException: Exception
> thrown executing
> org.apereo.cas.web.flow.logout.TerminateSessionAction@3d50a3d9 in state
> 'terminateSession' of flow 'logout' -- action execution attributes were
> 'map[[empty]]'
>
> [...]
>
> Caused by: org.ektorp.DocumentNotFoundException: nothing found on db path: 
> /cas/ST-1-mZELY128traRq0jeIdRh8q34IxA-cas, Response body: null
>
>
> In storage there is a TGT but there isn't a TS.
>
> Where is my mistake?
>
> v.
>
>
>
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAO79vSArKYcRAKZ0pTc0iN4ufQfH4HF4xH-zD8tZzii3mLZGLQ%40mail.gmail.com.


[cas-user] 6.4.x - Error at logout - TS not found (couchdb)

2022-02-22 Thread Vittore Zen
Hi,

when an already authenticated user logs out, there is this error and logout
does not work. The TGT cookie isn't deleted.

org.springframework.webflow.execution.ActionExecutionException: Exception
thrown executing
org.apereo.cas.web.flow.logout.TerminateSessionAction@3d50a3d9 in state
'terminateSession' of flow 'logout' -- action execution attributes were
'map[[empty]]'

[...]

Caused by: org.ektorp.DocumentNotFoundException: nothing found on db
path: /cas/ST-1-mZELY128traRq0jeIdRh8q34IxA-cas, Response body: null


In storage there is a TGT but there isn't a TS.

Where is my mistake?

v.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAO79vSB0-hAf0wzkKAR4v%2B8%3DJQchuXoFhGBzs-LvqmBC4CW1kw%40mail.gmail.com.


Re: [cas-user] "Partial Login" strategies

2022-02-22 Thread Carl Waldbieser
I agree with Ray that most of the heavy lifting for that scenario would be
in the application.  However, what is going on is that there are different
levels of access based on the session context.
So if I am able to log in simply because of a long-lived session cookie, I
have access to some parts of my user data.  But to make changes or spend
money, I need to have additional authorization, often in the form of a more
recent authentication.

CAS can still be a component in that kind of authentication/access control
decision, but the enforcement of such a policy is *typically* within the
application.  For example, an application may allow you to view your data
with a simple authentication.  But in order to modify or access your stored
credit card information, you may be required to authenticate with some kind
of MFA.  CAS can provide attributes that can aid the application in
deciding whether or not this type of access should be granted.  But it is
*typically* the application's responsibility to enforce that kind of access
control.

Thanks,
Carl Waldbieser


On Tue, Feb 22, 2022 at 3:15 PM Ray Bon  wrote:

> Pablo,
>
> That kind of behaviour is in your application and has nothing to do with
> cas. If the application determines that a user needs to log in, then send
> them to cas.
>
> Ray
>
> On Tue, 2022-02-22 at 09:15 -0800, Pablo Vidaurri wrote:
>
>
> Hi, not sure exactly what this is called but I'm sure you have seen it on
> Amazon, Best Buy, etc. You have access to view browsing history, shopping
> cart, etc but when you actually click on order history, profile, etc you
> are prompted to log in.
>
> So some items are viewable but once you start to interact you get prompted
> to login.
>
> How does a site do something like that? I'm assuming CAS doesn't offer
> anything like that, correct?
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional
> territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ
> peoples whose historical relationships with the land continue to this day.
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CALt4NbN8sNrT9_m7M7cbwEQcp0_VmvRgTRR2xSr5D2jTs547gg%40mail.gmail.com.
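A worked illustration of the split Carl describes, as an added example that is not part of the original thread and not code from the CAS project: the application keeps a per-route minimum level, derives the session's current level from attributes CAS released at ticket validation, and only when a route needs more than the session has does it send the browser back to CAS. The CAS server and application URLs, the 15-minute freshness window, the route table and the `authn_method` / `mfa-duo` MFA trigger are assumptions; the `service` and `renew=true` parameters are standard CAS protocol, and `authenticationDate` / `authnContextClass` are the attribute names CAS 6.x normally releases, which you should confirm against your own validation responses before relying on them.

```python
"""Application-side step-up ("partial login") policy driven by CAS attributes.
Added example; not from the thread or the CAS project."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Dict, List, Optional
from urllib.parse import urlencode

CAS_LOGIN_URL = "https://cas.example.org/cas/login"  # assumed CAS server, not from the thread
APP_BASE_URL = "https://shop.example.org"            # assumed application, not from the thread
FRESH_WINDOW = timedelta(minutes=15)                 # policy choice: how recent "recent" is
MFA_TRIGGER_PARAM = "authn_method"                   # assumed CAS request-parameter MFA trigger
MFA_PROVIDER_ID = "mfa-duo"                          # assumed MFA provider id


class Level(IntEnum):
    ANONYMOUS = 0   # no CAS session at all
    REMEMBERED = 1  # a session exists, but the authentication is older than FRESH_WINDOW
    FRESH = 2       # authenticated within FRESH_WINDOW
    MFA = 3         # fresh AND the CAS authentication context says MFA was used


# Route prefix -> minimum level; the longest matching prefix wins.
ROUTE_POLICY: Dict[str, Level] = {
    "/": Level.ANONYMOUS,           # browsing history, product pages
    "/cart": Level.REMEMBERED,      # visible with a long-lived session
    "/orders": Level.FRESH,         # must have logged in recently
    "/profile/payment": Level.MFA,  # stored cards: recent login plus MFA
}


@dataclass
class Session:
    principal: Optional[str] = None
    authenticated_at: Optional[datetime] = None  # from the CAS 'authenticationDate' attribute
    mfa: bool = False                            # from the CAS 'authnContextClass' attribute


@dataclass
class Decision:
    action: str                      # "allow", "login" or "step-up"
    redirect: Optional[str] = None   # CAS login URL to send the browser to, if not allowed


def session_from_cas(principal: str, attributes: Dict[str, List[str]]) -> Session:
    """Build the app session from the attributes of a validated CAS ticket.
    The date is assumed to arrive as ISO-8601; adjust parsing to what your
    CAS actually emits.  Any 'mfa-*' authentication context counts as MFA."""
    raw = (attributes.get("authenticationDate") or [""])[0]
    when = datetime.fromisoformat(raw.replace("Z", "+00:00")) if raw else None
    if when is not None and when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)   # treat naive timestamps as UTC
    ctx = attributes.get("authnContextClass") or []
    return Session(principal=principal, authenticated_at=when,
                   mfa=any(c.startswith("mfa-") for c in ctx))


def session_level(session: Session, now: datetime) -> Level:
    if session.principal is None or session.authenticated_at is None:
        return Level.ANONYMOUS
    if now - session.authenticated_at > FRESH_WINDOW:
        return Level.REMEMBERED       # stale MFA no longer counts as MFA either
    return Level.MFA if session.mfa else Level.FRESH


def required_level(path: str) -> Level:
    best = "/"
    for prefix in ROUTE_POLICY:
        if prefix != "/" and (path == prefix or path.startswith(prefix + "/")):
            if len(prefix) > len(best):
                best = prefix
    return ROUTE_POLICY[best]


def authorize(session: Session, path: str, now: datetime) -> Decision:
    """Decide whether the request proceeds or is bounced to CAS.
    'renew=true' (CAS protocol) forces CAS to re-authenticate the user even
    though a TGT cookie exists; the MFA parameter asks for a specific provider."""
    need = required_level(path)
    have = session_level(session, now)
    if have >= need:
        return Decision("allow")
    params = {"service": APP_BASE_URL + path}
    if need >= Level.FRESH:
        params["renew"] = "true"
    if need == Level.MFA:
        params[MFA_TRIGGER_PARAM] = MFA_PROVIDER_ID
    action = "login" if have == Level.ANONYMOUS else "step-up"
    return Decision(action, f"{CAS_LOGIN_URL}?{urlencode(params)}")


SAMPLE_NOW = datetime(2022, 2, 22, 12, 0, tzinfo=timezone.utc)  # constructed clock for the demo

if __name__ == "__main__":
    # Constructed session: logged in three hours ago, no MFA.
    remembered = session_from_cas("pablo", {"authenticationDate": ["2022-02-22T09:00:00Z"]})
    for p in ("/", "/cart", "/orders", "/profile/payment"):
        d = authorize(remembered, p, SAMPLE_NOW)
        print(f"{p:18} -> {d.action}", d.redirect or "")
```

The enforcement point is the application, exactly as Ray and Carl say: CAS only supplies the authentication time and context, and the `renew` / MFA parameters are how the application asks CAS for a stronger authentication when a route needs one. Note that a stale MFA session is downgraded to REMEMBERED rather than kept at MFA; whether that is right for your application is a policy decision.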


Re: [cas-user] "Partial Login" strategies

2022-02-22 Thread Ray Bon
Pablo,

That kind of behaviour is in your application and has nothing to do with cas. 
If the application determines that a user needs to log in, then send them to 
cas.

Ray

On Tue, 2022-02-22 at 09:15 -0800, Pablo Vidaurri wrote:

Hi, not sure exactly what this is called but I'm sure you have seen it on 
Amazon, Best Buy, etc. You have access to view browsing history, shopping cart, 
etc but when you actually click on order history, profile, etc you are prompted 
to log in.

So some items are viewable but once you start to interact you get prompted to 
login.

How does a site do something like that? I'm assuming CAS doesn't offer anything 
like that, correct?

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory 
the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose 
historical relationships with the land continue to this day.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4d0192fbf57df796bb01fc65893443b1064903ce.camel%40uvic.ca.


[cas-user] "Partial Login" strategies

2022-02-22 Thread Pablo Vidaurri
Hi, not sure exactly what this is called but I'm sure you have seen it on 
Amazon, Best Buy, etc. You have access to view browsing history, shopping 
cart, etc but when you actually click on order history, profile, etc you 
are prompted to log in.

So some items are viewable but once you start to interact you get prompted 
to login.

How does a site do something like that? I'm assuming CAS doesn't offer 
anything like that, correct?

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e29a34a7-cf50-4601-9d41-ed2c1baa10cdn%40apereo.org.


Re: [cas-user] SAML Service not authorized

2022-02-22 Thread Ray Bon
Jorge,

In your service definition. You only need to add metadata location to the 
service if you are using custom IdP metadata for that service.

Ray

On Mon, 2022-02-21 at 11:10 +0100, Jorge Rodríguez wrote:

Hi Ray,

the time is synchronized at CAS server and SP, they have the same time.

The Redirect/SSO endpoint is defined at IDP Metadata.

Which metadata entry do you refer to? The metadataSignatureLocation label?

On Fri, 18 Feb 2022 at 17:07, Ray Bon (r...@uvic.ca) wrote:
Jorge,

Assuming you are east of UTC by one hour, the issue instant is 36 seconds ahead 
of your log entries. Not sure if this is enough drift to cause a problem. I 
would also expect a different error.

Make sure your IdP metadata has the Redirect/SSO endpoint. Again I would expect 
a different error message.

You may not need the metadata entry in the service definition. See 
https://apereo.github.io/cas/6.4.x/installation/Configuring-SAML2-DynamicMetadata.html#per-service

Ray

On Fri, 2022-02-18 at 09:27 +0100, Jorge Rodríguez wrote:

Hi Ray, I have defined another service provider and I have the same problem 
with it, but let me focus on the first one.

This is the log generated when connecting the SP to the CAS via SAML:

2022-02-18 09:17:00,781 DEBUG 
[org.apereo.cas.support.saml.web.idp.profile.sso.request.DefaultSSOSamlHttpRequestExtractor]
 - 
2022-02-18 09:17:00,789 DEBUG 
[org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController]
 - https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]
 from authentication request>
2022-02-18 09:17:00,810 DEBUG 
[org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController]
 - https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719,
 
originalUrl=https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719,
 artifactId=null, principal=null, source=null, loggedOutAlready=false, 
format=XML, 
attributes={entityId=[https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719],
 
SAMLRequest=[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],
 
RelayState=[aHR0cHM6Ly9hZHNzcHdoLmluZ2VuaWFkZW1vbGFiLmVzOjkyNTEvc2FtbExvZ2luL0xPR0lOX0FVVEg=]})]>
2022-02-18 09:17:00,818 DEBUG 
[org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade]
 - https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]
 by attempting to run through the metadata chain...>
2022-02-18 09:17:00,819 DEBUG 
[org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver]
 - 
2022-02-18 09:17:00,828 DEBUG 
[org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver]
 - 
2022-02-18 09:17:00,830 DEBUG 
[org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceMetadataResolverCacheLoader]
 - 
2022-02-18 09:17:00,833 INFO 
[org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.FileSystemResourceMetadataResolver]
 - 
2022-02-18 09:17:00,835 DEBUG 
[org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver]
 - 
2022-02-18 09:17:00,837 DEBUG 
[org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver]
 - 
2022-02-18 09:17:00,842 DEBUG [org.apereo.cas.support.saml.SamlUtils] - 

2022-02-18 09:17:00,850 INFO [org.apereo.cas.support.saml.SamlUtils] - 

2022-02-18 09:17:00,851 DEBUG [org.apereo.cas.support.saml.SamlUtils] - 

2022-02-18 09:17:00,859 DEBUG [org.apereo.cas.support.saml.SamlUtils] - 
2022-02-18 09:17:00,869 DEBUG [org.apereo.cas.support.saml.SamlUtils] - 
2022-02-18 09:17:00,870 DEBUG 
[org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver]
 - https://adsspwh.ingeniademolab.es:9251/samlLogin/7d17410fa6be183ec56c58bd1b51d3da6ff65719]>
2022-02-18 09:17:00,872 

Re: [cas-user] cas.properties reference

2022-02-22 Thread spfma . tech
Hi,

Thanks to both of you! I don't have a GH account right now, but I will remember it if I have one in the future.

Grepping is what I am doing, but it's a bit time consuming (especially when I don't know the name of the property I could be looking for), and I am regularly asked why it takes so long to install a new version and put the LDAP properties in a config file. Because there is nothing else to do, isn't it? :-)

Regards

On 18-Feb-2022 21:34:26 +0100, li...@whitman.edu wrote:

Haha, glad you find it useful!

On Fri, Feb 18, 2022 at 11:50 AM Ray Bon wrote:

Oh my, Ocean Liu, you are my new best friend!

Thanks

Ray

On Fri, 2022-02-18 at 10:02 -0800, Ocean Liu wrote:

Hey Ray,

> I keep a copy of the cas project locally. I use it to search for properties, log messages and classes.

I used to do the same thing until I found github.dev, https://docs.github.com/en/codespaces/the-githubdev-web-based-editor . It is a web-based VSCode editor; it can also sync your VSCode configuration. Whenever you are on a github.com repo, you can:

* Press . (the dot key) while browsing any repository on GitHub.
* Change the URL from "github.com" to "github.dev".

Then you will have a VSCode in your browser; you can do global search very easily, it supports regex and all that stuff. Hope this will be helpful, I love that tool.

On Friday, February 18, 2022 at 7:37:39 AM UTC-8 Ray Bon wrote:

I keep a copy of the cas project locally. I use it to search for properties, log messages and classes.

$ grep -rln cifsServicePrincipal # leave out the first letter since it may be lower or upper case in files
api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/support/spnego/SpnegoAuthenticationProperties.java
support/cas-server-support-spnego/src/test/java/org/apereo/cas/support/spnego/authentication/handler/support/JcifsConfigTests.java
support/cas-server-support-spnego/src/main/java/org/apereo/cas/config/SpnegoConfiguration.java
support/cas-server-support-spnego/src/main/java/org/apereo/cas/support/spnego/authentication/handler/support/JcifsConfig.java

The first hit has the property you were asking about. You can then open that file locally or on github to see what other properties are at that level. The next search you can perform going up the property hierarchy,

$ grep -rln SpnegoAuthenticationProperties
api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/support/spnego/SpnegoProperties.java
api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/support/spnego/SpnegoAuthenticationProperties.java

The first one has the properties field and it is a list. The properties are in cascading classes, the top one being CasConfigurationProperties, https://github.com/apereo/cas/blob/6.4.x/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/CasConfigurationProperties.java

You may need to turn on debug logging to see which properties are identified as incorrect. There might be a way to tell spring to fail if a property is incorrect.

Ray

On Fri, 2022-02-18 at 09:06 +0100, spfma...@e.mail.fr wrote:

Hi,

Thank you very much for your help! Even if it is still not working, I see in the logfiles that the parameter is now recognized. So it's confusing when there is no error but the parameter is still ignored! Here is what I have, it looks like all the config blocks I have seen coming from previous versions:

cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit, curl
cas.authn.spnego.system.login-conf=file:///etc/jaas.conf
cas.authn.spnego.system.kerberos-conf=file:/etc/krb5.conf
cas.authn.spnego.system.kerberos-realm=MY_REALM
cas.authn.spnego.system.kerberos-kdc=krb-master.my.domain
cas.authn.spnego.properties[0].jcifs-service-principal=HTTP/ssodev.my.domain@MY_REALM
cas.authn.spnego.system.kerberos-debug=true
cas.authn.spnego.mixed-mode-authentication=true
cas.authn.spnego.send401OnAuthenticationFailure=false
cas.authn.spnego.ips-to-check-pattern=.+
cas.authn.spnego.ntlm-allowed=true
cas.authn.spnego.ntlm=false
cas.authn.spnego.spnego-attribute-name=sAMAccountName
cas.authn.spnego.ldap.base-dn: dc=my,dc=domain
cas.authn.spnego.ldap.bind-credential: PASS
cas.authn.spnego.ldap.bind-dn: cn=casldap,dc=my,dc=fr
cas.authn.spnego.ldap.ldap-url: ldaps://ldap.my.domain:636
cas.authn.spnego.ldap.search-filter: (uid={user})

So maybe my other SPNEGO and CIFS properties need to be adjusted too?

Regards

On 18-Feb-2022 06:53:17 +0100, rb...@uvic.ca wrote:
 Use the kabob case 
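The property block posted above still mixes camelCase keys (supportedBrowsers, send401OnAuthenticationFailure) with the kebab-case form Ray recommends. Added example, not part of the thread and not a CAS tool: a small normaliser that rewrites only the keys of a .properties file to kebab-case, leaves values, separators, index suffixes such as properties[0] and comments untouched, and reports which keys it changed so the result can be checked against the property reference. The sample input is copied from the block posted above; the boundary rule (a hyphen before each upper-case letter that follows a lower-case letter or digit, then lower-casing) matches the kebab-case names used in the CAS documentation and is an assumption you should verify against your version's reference.

```python
"""Normalise camelCase keys in a CAS properties file to kebab-case.
Added example; not from the thread or the CAS project.  Keys only:
separators (= or :), values, comments and blank lines are preserved."""
import re
from typing import Dict, List, Tuple

# Boundary between a lower-case letter or digit and an upper-case letter:
# supportedBrowsers -> supported-Browsers, send401OnAuthenticationFailure -> send401-On-...
_CAMEL_BOUNDARY = re.compile(r"(?<=[a-z0-9])(?=[A-Z])")

# indent, key, separator (with its surrounding whitespace), value.
# The key ends at the first '=' or ':' (Java .properties rules), so values
# such as 'ldaps://host:636' or 'dc=my,dc=domain' are never split.
_ENTRY = re.compile(r"^(\s*)([^\s=:#!][^=:]*?)(\s*[=:]\s*)(.*)$")


def kebab_segment(segment: str) -> str:
    """One dotted segment; index suffixes such as properties[0] pass through."""
    return _CAMEL_BOUNDARY.sub("-", segment).lower()


def kebab_key(key: str) -> str:
    return ".".join(kebab_segment(s) for s in key.split("."))


def normalize_properties(text: str) -> Tuple[str, Dict[str, str]]:
    """Return the rewritten file and a map old key -> new key for every key that changed."""
    out: List[str] = []
    changed: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m or line.lstrip().startswith(("#", "!")):
            out.append(line)          # blank lines, comments, anything not key=value
            continue
        indent, key, sep, value = m.groups()
        new_key = kebab_key(key)
        if new_key != key:
            changed[key] = new_key
        out.append(f"{indent}{new_key}{sep}{value}")
    return "\n".join(out), changed


# Sample input copied from the SPNEGO block posted in the thread (placeholder values).
SAMPLE = """\
# SPNEGO properties as posted in the thread
cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit, curl
cas.authn.spnego.system.login-conf=file:///etc/jaas.conf
cas.authn.spnego.properties[0].jcifs-service-principal=HTTP/ssodev.my.domain@MY_REALM
cas.authn.spnego.send401OnAuthenticationFailure=false
cas.authn.spnego.ldap.ldap-url: ldaps://ldap.my.domain:636
"""

if __name__ == "__main__":
    rewritten, renamed = normalize_properties(SAMPLE)
    print(rewritten)
    for old, new in renamed.items():
        print(f"renamed: {old} -> {new}")
```

Run it over the real cas.properties and diff the output against the original; every key it renames is one that the kebab-case reference in the documentation should list, and a key that appears in neither form there is the one to look up in the configuration model classes the way Ray describes.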

Re: [cas-user] Resource: all-cas-properties.ref

2022-02-22 Thread spfma . tech
Hi,

Thank you very much for this information! I thought I had no use for Initializr, but maybe it can help me.

Regards

On 18-Feb-2022 18:52:05 +0100, oster...@whitman.edu wrote:

Since I don't want to muddle the troubleshooting going on in the "cas.properties reference" thread, I'm starting a new one.

I wanted to plug a reference that is an answer (Ray's technique is also solid) that I've found very helpful from Initializr that Misagh writes about here: https://fawnoos.com/2020/11/14/cas63-cas-initializr/#properties--references

Specifically, the etc/cas/config/all-cas-properties.ref it produces. Unicon showed this to us when helping us revise our properties to the new kebab case, and it made the process much less painful.

-Mike

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHXbXPyv_QHBhyLjz1u9yTuOo5pSoE%2BOBXU9zzZdyFEHww%40mail.gmail.com.
 


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20220222124434.F05FDC1D41%40smtp04.mail.de.