Re: [cas-user] Re: CAS 7 master mfa-gauth issue commit 15580dc action="@{/login}"

2024-06-03 Thread Frédéric Dussurget
Thanks Lukasz, so ... no official fix for the moment ... wait and see :)
regards,


On Wednesday, May 29, 2024 at 03:48:46 UTC+2, Łukasz Woźniak wrote:

> We override the view and made the change from mfa-gauth to login.
>
> On Mon., 27 May 2024, 11:47, Frédéric Dussurget wrote:
>
>> Hi there,
>> Just asking if somebody managed to resolve this pending issue?
>> Regards,
>>
>> On Tuesday, April 16, 2024 at 18:03:32 UTC+2, Frédéric Dussurget wrote:
>>
>>> Hi,
>>> Context: mfa-gauth issue. Since October, we have a 401 error trying to
>>> access /cas/mfa-gauth when trying to register new devices.
>>>
>>> According to this commit:
>>>
>>> https://github.com/apereo/cas/commit/15580dc#diff-217a31a51bb1b4b527e8866140a331dedf1278c2a806421a985a54ad1568986f
>>>
>>> When I roll back the "action" value in this form, from:
>>> action="@{${'/' + activeFlowId} }"
>>> to:
>>> action="@{/login}"
>>>
>>> It is ... back to life and working again (in my case, but that is not
>>> the case for everybody AFAIK ...)
>>> The webflow might have changed from CAS 6 to 7 and there might be a
>>> blocking Spring permission on the /cas/mfa-gauth endpoint ...
>>>
>>> Many thanks to Al Faller; have a look at the previous discussion:
>>> https://groups.google.com/a/apereo.org/g/cas-user/c/H4fvKej9NSs
>>>
>>> Regards,
>>>
>>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/70d643a8-bd83-4a9c-b97e-5ca4f966b8can%40apereo.org.


[cas-user] Re: CAS 7 master mfa-gauth issue commit 15580dc action="@{/login}"

2024-05-27 Thread Frédéric Dussurget
Hi there,
Just asking if somebody managed to resolve this pending issue?
Regards,

On Tuesday, April 16, 2024 at 18:03:32 UTC+2, Frédéric Dussurget wrote:

> Hi,
> Context: mfa-gauth issue. Since October, we have a 401 error trying to
> access /cas/mfa-gauth when trying to register new devices.
>
> According to this commit:
>
> https://github.com/apereo/cas/commit/15580dc#diff-217a31a51bb1b4b527e8866140a331dedf1278c2a806421a985a54ad1568986f
>
> When I roll back the "action" value in this form, from:
> action="@{${'/' + activeFlowId} }"
> to:
> action="@{/login}"
>
> It is ... back to life and working again (in my case, but that is not the
> case for everybody AFAIK ...)
> The webflow might have changed from CAS 6 to 7 and there might be a
> blocking Spring permission on the /cas/mfa-gauth endpoint ...
>
> Many thanks to Al Faller; have a look at the previous discussion:
> https://groups.google.com/a/apereo.org/g/cas-user/c/H4fvKej9NSs
>
> Regards,
>
>



Re: [cas-user] Re: mfa-webauthn broken since last week. CAS 7.1.0

2024-05-23 Thread Frédéric Dussurget
Hi Jerome, just to confirm that mfa-webauthn device registering is working 
fine now, thanks again



On Thursday, April 25, 2024 at 13:08:58 UTC+2, Frédéric Dussurget wrote:

> Hi,
> Thank you very much, Jérôme, that's very good news :) Be sure I'll keep
> you posted.
> Have a good day!
>
>
> On Thursday, April 25, 2024 at 08:45:52 UTC+2, Jérôme LELEU wrote:
>
>> Hi,
>>
>> This is due to my change here: https://github.com/apereo/cas/pull/6015
>>
>> Though, this should be fixed in the latest 7.1.0-SNAPSHOT.
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> On Thu., 25 Apr. 2024 at 07:14, Frédéric Dussurget wrote:
>>
>>> Some more info with Spring web logs:
>>>
>>> 2024-04-23 16:46:27,232 DEBUG 
>>> [org.springframework.security.web.FilterChainProxy] - 
>>> 2024-04-23 16:46:27,232 DEBUG 
>>> [org.springframework.security.web.access.channel.ChannelProcessingFilter] - 
>>> >> [REQUIRES_SECURE_CHANNEL]>
>>> 2024-04-23 16:46:27,233 DEBUG 
>>> [org.springframework.security.web.FilterChainProxy] - 
>>> 2024-04-23 16:46:27,234 DEBUG 
>>> [org.springframework.web.servlet.DispatcherServlet] - <"FORWARD" dispatch 
>>> for POST "/cas/error", parameters={masked}>
>>> 2024-04-23 16:46:27,234 DEBUG 
>>> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
>>>  
>>> - >> org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)>
>>> 2024-04-23 16:46:27,244 DEBUG 
>>> [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor]
>>>  
>>> - >> [application/vnd.cas.services+yaml, application/json, application/*+json, 
>>> application/cbor, application/xml;charset=UTF-8, text/xml;charset=UTF-8, 
>>> application/*+xml;charset=UTF-8]>
>>> 2024-04-23 16:46:27,244 DEBUG 
>>> [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor]
>>>  
>>> - >> error=Forbidden, message=Forbidden, path=/cas/ (truncated)...]>
>>> 2024-04-23 16:46:27,273 DEBUG 
>>> [org.springframework.web.servlet.DispatcherServlet] - >> "FORWARD" dispatch, status 403>
>>> 2024-04-23 16:46:27,273 DEBUG 
>>> [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]
>>>  
>>> - 
>>>
>>> On Wednesday, April 24, 2024 at 05:54:03 UTC+2, Frédéric Dussurget wrote:
>>>
>>>> Hi,
>>>> Some additional info: the base64-decoded response is:
>>>>
>>>> --- !
>>>> timestamp: "2024-04-23T14:14:08.165+00:00"
>>>> status: 403
>>>> error: "Forbidden"
>>>> message: "Forbidden"
>>>> path: "/cas/webauthn/register"
>>>>
>>>>
>>>>
>>>>
>>>> On Thursday, April 18, 2024 at 11:56:56 UTC+2, Frédéric Dussurget wrote:
>>>>
>>>>> Hi,
>>>>> We cannot register devices anymore with mfa-webauthn since last week.
>>>>> It works with a clone of cas-overlay-template from April 11th but not
>>>>> with today's clone (April 18th). Same dependencies and same
>>>>> cas.properties directives. Master CAS 7 branch.
>>>>>
>>>>> When trying to register a new device, I have this message on the login:
>>>>>
>>>>> JSON.parse: unexpected non-digit at line 1 column 2 of the JSON data
>>>>>
>>>>> In the Firefox debugger:
>>>>>
>>>>> XHRPOST
>>>>> https://mycasdev.mywonderfuluniv.fr/cas/webauthn/register
>>>>> [HTTP/1.1 200  63ms]
>>>>>
>>>>> Registration failed DOMException: CredentialContainer request is not 
>>>>> allowed.
>>>>> createCredential 
>>>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:102
>>>>> executeRegisterRequest 
>>>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:347
>>>>> executeRequest 
>>>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:444
>>>>> performCeremony 
>>>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:400
>>>>> promise callback*performCeremony 
>>>>> https://mycasde

Re: [cas-user] Re: mfa-webauthn broken since last week. CAS 7.1.0

2024-04-25 Thread Frédéric Dussurget
Hi,
Thank you very much, Jérôme, that's very good news :) Be sure I'll keep you
posted.
Have a good day!


On Thursday, April 25, 2024 at 08:45:52 UTC+2, Jérôme LELEU wrote:

> Hi,
>
> This is due to my change here: https://github.com/apereo/cas/pull/6015
>
> Though, this should be fixed in the latest 7.1.0-SNAPSHOT.
>
> Thanks.
> Best regards,
> Jérôme
>
>
> On Thu., 25 Apr. 2024 at 07:14, Frédéric Dussurget wrote:
>
>> Some more info with Spring web logs:
>>
>> 2024-04-23 16:46:27,232 DEBUG 
>> [org.springframework.security.web.FilterChainProxy] - 
>> 2024-04-23 16:46:27,232 DEBUG 
>> [org.springframework.security.web.access.channel.ChannelProcessingFilter] - 
>> > [REQUIRES_SECURE_CHANNEL]>
>> 2024-04-23 16:46:27,233 DEBUG 
>> [org.springframework.security.web.FilterChainProxy] - 
>> 2024-04-23 16:46:27,234 DEBUG 
>> [org.springframework.web.servlet.DispatcherServlet] - <"FORWARD" dispatch 
>> for POST "/cas/error", parameters={masked}>
>> 2024-04-23 16:46:27,234 DEBUG 
>> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
>>  
>> - > org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)>
>> 2024-04-23 16:46:27,244 DEBUG 
>> [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor]
>>  
>> - > [application/vnd.cas.services+yaml, application/json, application/*+json, 
>> application/cbor, application/xml;charset=UTF-8, text/xml;charset=UTF-8, 
>> application/*+xml;charset=UTF-8]>
>> 2024-04-23 16:46:27,244 DEBUG 
>> [org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor]
>>  
>> - > error=Forbidden, message=Forbidden, path=/cas/ (truncated)...]>
>> 2024-04-23 16:46:27,273 DEBUG 
>> [org.springframework.web.servlet.DispatcherServlet] - > "FORWARD" dispatch, status 403>
>> 2024-04-23 16:46:27,273 DEBUG 
>> [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]
>>  
>> - 
>>
>> On Wednesday, April 24, 2024 at 05:54:03 UTC+2, Frédéric Dussurget wrote:
>>
>>> Hi,
>>> Some additional info: the base64-decoded response is:
>>>
>>> --- !
>>> timestamp: "2024-04-23T14:14:08.165+00:00"
>>> status: 403
>>> error: "Forbidden"
>>> message: "Forbidden"
>>> path: "/cas/webauthn/register"
>>>
>>>
>>>
>>>
>>> On Thursday, April 18, 2024 at 11:56:56 UTC+2, Frédéric Dussurget wrote:
>>>
>>>> Hi,
>>>> We cannot register devices anymore with mfa-webauthn since last week.
>>>> It works with a clone of cas-overlay-template from April 11th but not
>>>> with today's clone (April 18th). Same dependencies and same cas.properties
>>>> directives. Master CAS 7 branch.
>>>>
>>>> When trying to register a new device, I have this message on the login:
>>>>
>>>> JSON.parse: unexpected non-digit at line 1 column 2 of the JSON data
>>>>
>>>> In the Firefox debugger:
>>>>
>>>> XHRPOST
>>>> https://mycasdev.mywonderfuluniv.fr/cas/webauthn/register
>>>> [HTTP/1.1 200  63ms]
>>>>
>>>> Registration failed DOMException: CredentialContainer request is not 
>>>> allowed.
>>>> createCredential 
>>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:102
>>>> executeRegisterRequest 
>>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:347
>>>> executeRequest 
>>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:444
>>>> performCeremony 
>>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:400
>>>> promise callback*performCeremony 
>>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:386
>>>> register 
>>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:434
>>>>  https://mycasdev.mywonderfuluniv.fr/cas/login:373
>>>> webauthn.js:474:21
>>>> Uncaught (in promise) DOMException: CredentialContainer request is not 
>>>> allowed.
>>>> createCredential 
>>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:102
>>>> executeRegisterRequest 
>>>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:347
>

[cas-user] Re: mfa-webauthn broken since last week. CAS 7.1.0

2024-04-24 Thread Frédéric Dussurget
Some more info with Spring web logs:

2024-04-23 16:46:27,232 DEBUG 
[org.springframework.security.web.FilterChainProxy] - 
2024-04-23 16:46:27,232 DEBUG 
[org.springframework.security.web.access.channel.ChannelProcessingFilter] - 

2024-04-23 16:46:27,233 DEBUG 
[org.springframework.security.web.FilterChainProxy] - 
2024-04-23 16:46:27,234 DEBUG 
[org.springframework.web.servlet.DispatcherServlet] - <"FORWARD" dispatch 
for POST "/cas/error", parameters={masked}>
2024-04-23 16:46:27,234 DEBUG 
[org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
 
- 
2024-04-23 16:46:27,244 DEBUG 
[org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor]
 
- 
2024-04-23 16:46:27,244 DEBUG 
[org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor]
 
- 
2024-04-23 16:46:27,273 DEBUG 
[org.springframework.web.servlet.DispatcherServlet] - 
2024-04-23 16:46:27,273 DEBUG 
[org.springframework.security.web.authentication.AnonymousAuthenticationFilter] 
- 

On Wednesday, April 24, 2024 at 05:54:03 UTC+2, Frédéric Dussurget wrote:

> Hi,
> Some additional info: the base64-decoded response is:
>
> --- !
> timestamp: "2024-04-23T14:14:08.165+00:00"
> status: 403
> error: "Forbidden"
> message: "Forbidden"
> path: "/cas/webauthn/register"
>
>
>
>
> On Thursday, April 18, 2024 at 11:56:56 UTC+2, Frédéric Dussurget wrote:
>
>> Hi,
>> We cannot register devices anymore with mfa-webauthn since last week.
>> It works with a clone of cas-overlay-template from April 11th but not
>> with today's clone (April 18th). Same dependencies and same cas.properties
>> directives. Master CAS 7 branch.
>>
>> When trying to register a new device, I have this message on the login:
>>
>> JSON.parse: unexpected non-digit at line 1 column 2 of the JSON data
>>
>> In the Firefox debugger:
>>
>> XHRPOST
>> https://mycasdev.mywonderfuluniv.fr/cas/webauthn/register
>> [HTTP/1.1 200  63ms]
>>
>> Registration failed DOMException: CredentialContainer request is not 
>> allowed.
>> createCredential 
>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:102
>> executeRegisterRequest 
>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:347
>> executeRequest 
>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:444
>> performCeremony 
>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:400
>> promise callback*performCeremony 
>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:386
>> register 
>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:434
>>  https://mycasdev.mywonderfuluniv.fr/cas/login:373
>> webauthn.js:474:21
>> Uncaught (in promise) DOMException: CredentialContainer request is not 
>> allowed.
>> createCredential 
>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:102
>> executeRegisterRequest 
>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:347
>> executeRequest 
>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:444
>> performCeremony 
>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:400
>> promise callback*performCeremony 
>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:386
>> register 
>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:434
>>  https://mycasdev.mywonderfuluniv.fr/cas/login:373
>>
>>
>> If I try to reuse a device that had already been registered, I have this
>> error in the Firefox debugger with today's build:
>>
>> XHRPOST
>> https://mycasdev.mywonderfuluniv.fr/cas/webauthn/authenticate
>> [HTTP/1.1 403  131ms]
>>
>> Authentication failed SyntaxError: JSON.parse: unexpected non-digit at 
>> line 1 column 2 of the JSON data webauthn.js:570:17
>> authenticate 
>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:570
>> (Asynchrone : promise callback)
>> authenticate 
>> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:561
>>  https://mycasdev.mywonderfuluniv.fr/cas/login:356
>> Uncaught (in promise) SyntaxError: JSON.parse: unexpected non-digit at 
>> line 1 column 2 of the JSON data
>>
>> Regards,
>>
>>
>>
>>



[cas-user] Re: mfa-webauthn broken since last week. CAS 7.1.0

2024-04-23 Thread Frédéric Dussurget
Hi,
Some additional info: the base64-decoded response is:

--- !
timestamp: "2024-04-23T14:14:08.165+00:00"
status: 403
error: "Forbidden"
message: "Forbidden"
path: "/cas/webauthn/register"




On Thursday, April 18, 2024 at 11:56:56 UTC+2, Frédéric Dussurget wrote:

> Hi,
> We cannot register devices anymore with mfa-webauthn since last week.
> It works with a clone of cas-overlay-template from April 11th but not with
> today's clone (April 18th). Same dependencies and same cas.properties
> directives. Master CAS 7 branch.
>
> When trying to register a new device, I have this message on the login:
>
> JSON.parse: unexpected non-digit at line 1 column 2 of the JSON data
>
> In the Firefox debugger:
>
> XHRPOST
> https://mycasdev.mywonderfuluniv.fr/cas/webauthn/register
> [HTTP/1.1 200  63ms]
>
> Registration failed DOMException: CredentialContainer request is not 
> allowed.
> createCredential 
> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:102
> executeRegisterRequest 
> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:347
> executeRequest 
> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:444
> performCeremony 
> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:400
> promise callback*performCeremony 
> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:386
> register 
> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:434
>  https://mycasdev.mywonderfuluniv.fr/cas/login:373
> webauthn.js:474:21
> Uncaught (in promise) DOMException: CredentialContainer request is not 
> allowed.
> createCredential 
> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:102
> executeRegisterRequest 
> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:347
> executeRequest 
> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:444
> performCeremony 
> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:400
> promise callback*performCeremony 
> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:386
> register 
> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:434
>  https://mycasdev.mywonderfuluniv.fr/cas/login:373
>
>
> If I try to reuse a device that had already been registered, I have this
> error in the Firefox debugger with today's build:
>
> XHRPOST
> https://mycasdev.mywonderfuluniv.fr/cas/webauthn/authenticate
> [HTTP/1.1 403  131ms]
>
> Authentication failed SyntaxError: JSON.parse: unexpected non-digit at 
> line 1 column 2 of the JSON data webauthn.js:570:17
> authenticate 
> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:570
> (Asynchrone : promise callback)
> authenticate 
> https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:561
>  https://mycasdev.mywonderfuluniv.fr/cas/login:356
> Uncaught (in promise) SyntaxError: JSON.parse: unexpected non-digit at 
> line 1 column 2 of the JSON data
>
> Regards,
>
>
>
>



[cas-user] mfa-webauthn broken since last week. CAS 7.1.0

2024-04-18 Thread Frédéric Dussurget
Hi,
We cannot register devices anymore with mfa-webauthn since last week.
It works with a clone of cas-overlay-template from April 11th but not with 
today's clone (April 18th). Same dependencies and same cas.properties 
directives. Master CAS 7 branch.

When trying to register a new device, I have this message on the login:

JSON.parse: unexpected non-digit at line 1 column 2 of the JSON data

In the Firefox debugger:

XHRPOST
https://mycasdev.mywonderfuluniv.fr/cas/webauthn/register
[HTTP/1.1 200  63ms]

Registration failed DOMException: CredentialContainer request is not 
allowed.
createCredential 
https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:102
executeRegisterRequest 
https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:347
executeRequest 
https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:444
performCeremony 
https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:400
promise callback*performCeremony 
https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:386
register 
https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:434
 https://mycasdev.mywonderfuluniv.fr/cas/login:373
webauthn.js:474:21
Uncaught (in promise) DOMException: CredentialContainer request is not 
allowed.
createCredential 
https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:102
executeRegisterRequest 
https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:347
executeRequest 
https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:444
performCeremony 
https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:400
promise callback*performCeremony 
https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:386
register 
https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:434
 https://mycasdev.mywonderfuluniv.fr/cas/login:373


If I try to reuse a device that had already been registered, I have this
error in the Firefox debugger with today's build:

XHRPOST
https://mycasdev.mywonderfuluniv.fr/cas/webauthn/authenticate
[HTTP/1.1 403  131ms]

Authentication failed SyntaxError: JSON.parse: unexpected non-digit at line 
1 column 2 of the JSON data webauthn.js:570:17
authenticate 
https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:570
(Asynchrone : promise callback)
authenticate 
https://mycasdev.mywonderfuluniv.fr/cas/js/webauthn/webauthn.js:561
 https://mycasdev.mywonderfuluniv.fr/cas/login:356
Uncaught (in promise) SyntaxError: JSON.parse: unexpected non-digit at line 
1 column 2 of the JSON data

Regards,



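The symptom reported in this thread, "JSON.parse: unexpected non-digit at line 1 column 2", is what the browser says when webauthn.js feeds the raw reply to JSON.parse and that reply is not JSON at all: the base64-decoded 403 body posted later in the thread starts with "--- !", i.e. Spring Boot's error attributes rendered as YAML (the Spring debug log shows application/vnd.cas.services+yaml first in the negotiated media types). The following is an added example, not code from CAS or its webauthn.js, showing how a client can classify such a reply by HTTP status and Content-Type before parsing, so the user sees "403 Forbidden on /cas/webauthn/register" instead of a parser error. The URL, the payload, the fake fetch and the flat "key: value" YAML reader are constructed assumptions; the sample body is copied from the thread.

```javascript
// Added example (not CAS's webauthn.js): classify a JSON endpoint's reply
// before calling JSON.parse() on it. Constructed inputs; placeholder URL.

// Constructed sample, copied from the thread's base64-decoded 403 body:
// Spring Boot's error attributes rendered as YAML rather than JSON.
const SAMPLE_YAML_ERROR_BODY = [
  '--- !',
  'timestamp: "2024-04-23T14:14:08.165+00:00"',
  'status: 403',
  'error: "Forbidden"',
  'message: "Forbidden"',
  'path: "/cas/webauthn/register"',
].join('\n');

// Why Firefox reported "unexpected non-digit at line 1 column 2": a leading
// '-' starts a JSON number, so the second '-' is the first unexpected byte.
function explainJsonParseError(text) {
  try {
    JSON.parse(text);
    return null; // parsed fine, nothing to explain
  } catch (e) {
    return { name: e.name, bodyPrefix: text.slice(0, 16) };
  }
}

// Tiny reader for the flat "key: value" lines of that YAML error body.
// Assumption: only this flat shape; it is not a general YAML parser.
function parseSpringYamlError(text) {
  const out = {};
  for (const line of text.split('\n')) {
    const m = /^(\w+):\s*(.*)$/.exec(line);
    if (!m) continue; // skips the "--- !" document marker
    let value = m[2].trim();
    if (/^".*"$/.test(value)) value = value.slice(1, -1);
    else if (/^\d+$/.test(value)) value = Number(value);
    out[m[1]] = value;
  }
  return out;
}

// Decode an error body according to its declared media type.
function parseErrorBody(contentType, text) {
  if (contentType.includes('json')) {
    try { return JSON.parse(text); } catch (e) { return null; }
  }
  if (contentType.includes('yaml')) return parseSpringYamlError(text);
  return null;
}

// Minimal stand-in for a fetch() Response so the example runs offline.
function fakeResponse(status, contentType, body) {
  return {
    ok: status >= 200 && status < 300,
    status,
    headers: { get: (name) => (name.toLowerCase() === 'content-type' ? contentType : null) },
    text: async () => body,
  };
}

// POST a JSON payload and classify the reply instead of calling JSON.parse()
// on whatever came back. Returns a plain object rather than throwing, so the
// caller can tell the user what the server actually answered.
async function postJsonSafely(url, payload, fetchImpl = fetch) {
  const res = await fetchImpl(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', Accept: 'application/json' },
    body: JSON.stringify(payload),
  });
  const contentType = res.headers.get('content-type') || '';
  const text = await res.text();

  if (!res.ok) {
    // Server-side rejection: keep the status and whatever detail the body
    // carries, in either format, instead of a parse error far from the cause.
    return { ok: false, status: res.status, reason: 'http-error',
             detail: parseErrorBody(contentType, text) };
  }
  if (!contentType.includes('json')) {
    // 2xx but not JSON (e.g. an HTML page after a redirect): do not feed it
    // to JSON.parse.
    return { ok: false, status: res.status, reason: 'non-json-body',
             bodyPrefix: text.slice(0, 16) };
  }
  try {
    return { ok: true, status: res.status, data: JSON.parse(text) };
  } catch (e) {
    return { ok: false, status: res.status, reason: 'malformed-json',
             bodyPrefix: text.slice(0, 16) };
  }
}

// Offline demonstration with a fake fetch that replays the thread's 403 body.
async function demo() {
  const fakeFetch = async () =>
    fakeResponse(403, 'application/vnd.cas.services+yaml', SAMPLE_YAML_ERROR_BODY);
  // Placeholder URL; the payload shape is illustrative only.
  return postJsonSafely('https://cas.example.org/cas/webauthn/register',
                        { username: 'alice' }, fakeFetch);
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Running it prints the classified result ({ ok: false, status: 403, reason: 'http-error', detail: { status: 403, path: '/cas/webauthn/register', ... } }). The check only makes the failure legible; the 403 itself came from the server-side change Jérôme points to, and the fix was the SNAPSHOT he mentions, not anything in the client.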


[cas-user] CAS 7 master mfa-gauth issue commit 15580dc action="@{/login}"

2024-04-16 Thread Frédéric Dussurget
Hi,
Context: mfa-gauth issue. Since October, we have a 401 error trying to
access /cas/mfa-gauth when trying to register new devices.

According to this commit:
https://github.com/apereo/cas/commit/15580dc#diff-217a31a51bb1b4b527e8866140a331dedf1278c2a806421a985a54ad1568986f

When I roll back the "action" value in this form, from:
action="@{${'/' + activeFlowId} }"
to:
action="@{/login}"

It is ... back to life and working again (in my case, but that is not the
case for everybody AFAIK ...)
The webflow might have changed from CAS 6 to 7 and there might be a
blocking Spring permission on the /cas/mfa-gauth endpoint ...

Many thanks to Al Faller; have a look at the previous discussion:
https://groups.google.com/a/apereo.org/g/cas-user/c/H4fvKej9NSs

Regards,



Re: [cas-user] Always Error 404 after compilation deployment

2024-02-14 Thread Frédéric Dussurget
Hi Jérémie,
If you choose to go for CAS v7 and OpenJDK 21 on Debian ... I had this
little issue:

- I had trouble with the CA certificate store when installing OpenJDK 21 (from
https://download.java.net/java/GA/jdk21/./openjdk-21_linux-x64_bin.tar.gz
) on Debian 12, because the certificates are not bundled as they are with the
default Debian distribution's JDK package.
(If you don't provide CA certificates, you'll be able to compile, then
you'll see the CAS banner when starting Tomcat, but CAS will fail ...)
So you might try this, using your Debian's system CA certificate store:

mv /usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts /usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts_orig
ln -s /etc/ssl/certs/java/cacerts /usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts

ls -alh /usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts

I do not know about Oracle's JDK ...

- Notice that I also compiled the .war with the same JDK I run CAS with
(jdk21 since last fall '23)

(adjust every path and value according to your system ...)
Regards




On Monday, February 12, 2024 at 18:34:48 UTC+1, Jérémie Pilette wrote:

> Thank you for your responses.
>
> @Vaibhav GPT : I have compiled cas 6.6.15 with openjdk-11, there were no
> errors about class not found casAppender, but it was impossible to display
> the authentication page (error 404 not found)
>
> @Ray Bon : I do not have .m2/repository on my test server ... Do I need to
> install something? Thank you
>
> Jérémie
>
> On Monday, February 12, 2024 at 15:34:56 UTC+1, Ray Bon wrote:
>
>> Jérémie,
>>
>>
>> https://github.com/apereo/cas/blob/master/core/cas-server-core-logging-api/src/main/java/org/apereo/cas/logging/CasAppender.java
>>
>> There is no problem with that file, else most cas users would have 
>> problems.
>>
>> Start with a fresh clone of the overlay, 
>> https://github.com/apereo/cas-overlay-template
>> If you have problems with that, it means that something on your system is 
>> hosed. Could be a corrupt download or something out of alignment in 
>> .m2/repository
>> If it works, add your config items in one at a time.
>>
>> Ray
>>
>>
>> On Sun, 2024-02-11 at 11:28 -0800, Jérémie Pilette wrote:
>>
>>
>> Hi,
>> I can't find casAppender.java.
>>
>> In CAS7, where can I find this class?
>>
>> Thank you,
>>
>> Jérémie
>>
>> On Friday, February 9, 2024 at 18:32:25 UTC+1, Ray Bon wrote:
>>
>> Jérémie,
>>
>> I do not see anything amiss with that file.
>>
>> You could comment out the CasAppenders and change all AppenderRefs to
>> point directly to the Appenders
>>
>> 
>> becomes
>> 
>>
>> Ray
>>
>> On Fri, 2024-02-09 at 18:05 +0100, Jérémie Pilette wrote:
>>
>>
>> Here is my log4j2.xml file from the cas-overlay template (after
>> compilation)
>> ```
>> 
>> 
>> 
>> 
>> 
>> /var/log/cas
>> trace
>> warn
>> info
>> warn
>> warn
>> warn
>> warn
>> warn
>> warn
>> warn
>> warn
>> true
>> false
>> 
>> > name="log.stacktraceappender">casStackTraceFile
>> false
>> 
>> 
>> 
>>
>> 
>> 
>> 
>>
>> > append="true"
>> 
>>  filePattern="${baseDir}/cas-%d{-MM-dd-HH}-%i.log.gz"
>>  immediateFlush="false">
>> >   
>>  alwaysWriteExceptions="${sys:log.file.stacktraces}" />
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>>
>> > fileName="${baseDir}/cas_stacktrace.log" append="true"
>> 
>>  filePattern="${baseDir}/cas_stacktrace-%d{-MM-dd-HH}-%i.log.gz"
>>  immediateFlush="false">
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>>
>> > fileName="${baseDir}/cas_audit.log" append="true"
>> 
>>  filePattern="${baseDir}/cas_audit-%d{-MM-dd-HH}-%i.log.gz"
>>  immediateFlush="false">
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>>
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 

Re: [cas-user] help me MFA

2024-01-31 Thread Frédéric Dussurget
Hi Issaka,
To save some of your precious time, know that Google Gauth MFA is not fixed
yet in the master branch version (CAS 7). This is discussed here:
https://groups.google.com/a/apereo.org/g/cas-user/c/XKFgFS__U9M
and someone found a workaround here:
https://groups.google.com/a/apereo.org/g/cas-user/c/H4fvKej9NSs

(Actually it might have been fixed these days; I haven't tried since
last week ...)

Other MFAs work well, like webauthn ...

Anyway, for MFA gauth over redis (CAS 7, jdk 21, redis), I have these
dependencies:
//MFA TOTP
implementation "org.apereo.cas:cas-server-support-gauth"
implementation "org.apereo.cas:cas-server-support-gauth-redis"
//implementation "org.apereo.cas:cas-server-support-webconfig"

and you might add these ones if you wanna trust your devices:
//MFA TRUSTED DEVICE
implementation "org.apereo.cas:cas-server-support-trusted-mfa"
implementation "org.apereo.cas:cas-server-support-trusted-mfa-redis"

regards,

Fred

On Wednesday, January 31, 2024 at 12:14:58 UTC+1, Mohamed Amdouni wrote:

> Hello,
>
> First will suggest to check the documentation here 
>
> https://apereo.github.io/cas/7.0.x/mfa/Configuring-Multifactor-Authentication.html
>
> And the blog here :
>
> https://fawnoos.com/2022/01/31/cas65x-simple-mfa-provider/
>
> Best regards 
>
> On Wed., 31 Jan. 2024 at 11:26, Issaka Rabo Moutari wrote:
>
>> Hello everyone, I am a beginner in the Cas Apereo environment, and I have 
>> inherited a Cas project that uses the following dependencies:
>>
>> compile 
>> "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}"
>> // Other CAS dependencies/modules can be listed here...
>> compile 
>> "org.apereo.cas:cas-server-core-configuration:${project.'cas.version'}"
>> compile 
>> "org.apereo.cas:cas-server-core-authentication:${project.'cas.version'}"
>> compile 
>> "org.apereo.cas:cas-server-core-api-authentication:${project.'cas.version'}"
>> compile 
>> "org.apereo.cas:cas-server-core-authentication-api:${project.'cas.version'}"
>> compile 
>> "org.apereo.cas:cas-server-core-services-api:${project.'cas.version'}"
>> compile 
>> "org.apereo.cas:cas-server-core-services-authentication:${project.'cas.version'}"
>> compile "org.apereo.cas:cas-server-core-web:${project.'cas.version'}"
>> compile "org.apereo.cas:cas-server-core-webflow:${project.'cas.version'}"
>> compile 
>> "org.apereo.cas:cas-server-support-actions:${project.'cas.version'}"
>> compile 
>> "org.apereo.cas:cas-server-support-x509-core:${project.'cas.version'}"
>> compile 
>> "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
>> compile 
>> "org.apereo.cas:cas-server-support-metrics:${project.'cas.version'}"
>> compile "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
>> compile 
>> "org.apereo.cas:cas-server-support-x509-webflow:${project.'cas.version'}"
>> compile 
>> "org.apereo.cas:cas-server-support-token-webflow:${project.'cas.version'}"
>> compile "org.apereo.cas:cas-server-support-oidc:${project.'cas.version'}"
>> compile 
>> "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
>> compile 
>> "org.apereo.cas:cas-server-support-rest-authentication:${project.'cas.version'}"
>> compile 
>> "org.apereo.cas:cas-server-support-redis-ticket-registry:${project.'cas.version'}"
>> compile 
>> "org.apereo.cas:cas-server-support-redis-service-registry:${project.'cas.version'}"
>> compile "javax.servlet:servlet-api:2.5"
>> compile "io.dropwizard.metrics:metrics-annotation:4.0.2"
>> // Pour le débogage
>> compile "org.apereo.cas:cas-server-core-util:${project.'cas.version'}"
>> compile 
>> "org.apereo.cas:cas-server-support-saml-core:${project.'cas.version'}"
>> compile "org.apereo.cas:cas-server-support-saml:${project.'cas.version'}"
>> compileOnly 'org.projectlombok:lombok:1.18.12'
>> annotationProcessor 'org.projectlombok:lombok:1.18.12'
>>
>>
>> My goal is to add two multi-factor authentication (MFA) methods: Google 
>> TOTP and Simple MFA. Help me get started; I have no idea where to begin. 
>>
>> Thank you.
>>
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+u...@apereo.org.
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/2f7cb674-2b96-439e-89a3-ef6d08cc50f1n%40apereo.org.
>>
>


[cas-user] Re: mfa-gauth issues

2024-01-10 Thread Frédéric Dussurget
Hi Al,
I've got the same issue, could not fix it. The F12 console in your browser 
might throw a 401 error ... (for info my db backend is redis)
we have a topic here : 
https://groups.google.com/a/apereo.org/g/cas-user/c/XKFgFS__U9M
regards,


On Wednesday, 10 January 2024 at 05:26:03 UTC+1, Al Faller wrote:

> Hi - 
>
> Trying to get mfa-gauth working with 7.0.  Unfortunately when I'm 
> attempting to "Confirm account registration" (save my new device), I 
> receive a 403 error back from CAS at /cas/mfa-gauth and an error on the 
> screen.  I can reproduce this with a clean copy of the overlay.  My steps:
>
>  - add  'implementation "org.apereo.cas:cas-server-support-gauth"' to the 
> build.gradle
> - ./gradlew build
>  - add cas.authn.mfa.triggers.global.global-provider-id=mfa-gauth to
> /etc/cas/config/cas.properties
> - java -jar build/libs/cas.war --server.ssl.enabled=false 
> --server.port=8080
>
> From chrome developer tools, looks like the following was returned:
> --- !
> timestamp: "2024-01-09T22:48:27.384+00:00"
> status: 403
> error: "Forbidden"
> message: "Access Denied"
> path: "/cas/mfa-gauth"
>
> added debug logging - nothing useful shows up.
>
> Attached is the screenshot:
> [image: Screenshot from 2024-01-09 17-45-14.png]
>
> Any ideas why this might be breaking?  I have tried 7.0 and master with no 
> luck.
>
> Thanks in advance,
>
> Al
>
>



Re: [cas-user] CAS 7 MFA broken since last build

2023-12-22 Thread Frédéric Dussurget
Nope, I still have the same 401 on /cas/mfa-gauth ...

same effect with gradle.properties setting 7.0.0-SNAPSHOT or 7.0.0-RC9

Are you still stuck too ?
regards,


On Thursday, 21 December 2023 at 16:59:03 UTC+1, Javi Finarfin wrote:

> Did you get a different result with 
> https://github.com/apereo/cas/releases/tag/v7.0.0-RC9 ?
>
>
> On Saturday, 2 December 2023 at 8:06:20 UTC, Javi Finarfin wrote:
>
>> I'm afraid we haven't made progress
>>
>> On Fri, 1 Dec 2023 13:28, Frédéric Dussurget wrote:
>>
>>> Hi Javi,
>>> I also tried to add manually the endpoint in 
>>> https://github.com/apereo/cas/blob/master/support/cas-server-support-webconfig/src/main/java/org/apereo/cas/web/security/CasWebSecurityConfigurerAdapter.java
>>>
>>> ... and I also get the same 500 error as you had.
>>>
>>> Have you managed to go a little bit further ?
>>> Regards
>>>
>>> On Friday, 3 November 2023 at 16:16:15 UTC+1, Javi Finarfin wrote:
>>>
>>>> I guess you can always 
>>>> overwrite 
>>>> org.apereo.cas.web.security.CasWebSecurityConfigurerAdapter.configureHttpSecurity(HttpSecurity)
>>>>
>>>> On Fri, 3 Nov 2023 at 14:09, Javi Finarfin () wrote:
>>>>
>>>>> Live debugging... 
>>>>>
>>>>> On Fri, 3 Nov 2023 14:08, Frédéric Dussurget wrote:
>>>>>
>>>>>> Hi Javi, 
>>>>>> how do you "add" this endpoint ? through your service ? or do you 
>>>>>> mean in the  cas.monitor.endpoints.endpoint section of your cas 
>>>>>> properties ?
>>>>>> Thanks a lot ...
>>>>>> Fred
>>>>>>
>>>>>> On Thursday, 2 November 2023 at 18:40:43 UTC+1, Javi Finarfin wrote:
>>>>>>
>>>>>>> > For the record, it *looks like* it needs a service parameter, but 
>>>>>>> I'm still receiving a 403
>>>>>>>
>>>>>>> I don't know yet if it's necessary
>>>>>>>
>>>>>>> Because it was a security problem, while debugging I added the 
>>>>>>> endpoint manually 
>>>>>>> here: 
>>>>>>> org.apereo.cas.web.security.CasWebSecurityConfigurerAdapter.configureHttpSecurity(HttpSecurity)
>>>>>>>  
>>>>>>>
>>>>>>> With that, there was no 403, but I get a 500 instead: 
>>>>>>>
>>>>>>> > 2023-11-02 15:44:19,366 TRACE 
>>>>>>> [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]
>>>>>>>  
>>>>>>> - >>>>>> [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, 
>>>>>>> Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, 
>>>>>>> SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]>
>>>>>>> 2023-11-02 15:44:19,366 ERROR 
>>>>>>> [org.apereo.cas.web.support.filters.AbstractSecurityFilter] - >>>>>> adapter 
>>>>>>> for handler [[FlowHandlerMapping.DefaultFlowHandler@25be570b]]: The 
>>>>>>> DispatcherServlet configuration needs to include a HandlerAdapter that 
>>>>>>> supports this handler>
>>>>>>> jakarta.servlet.ServletException: No adapter for handler 
>>>>>>> [[FlowHandlerMapping.DefaultFlowHandler@25be570b]]: The 
>>>>>>> DispatcherServlet 
>>>>>>> configuration needs to include a HandlerAdapter that supports this 
>>>>>>> handler
>>>>>>> at 
>>>>>>> org.springframework.web.servlet.DispatcherServlet.getHandlerAdapter(DispatcherServlet.java:1321)
>>>>>>>  
>>>>>>> ~[spring-webmvc-6.1.0-M5.jar:6.1.0-M5]
>>>>>>> at 
>>>>>>> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1069)
>>>>>>>  
>>>>>>> ~[spring-webmvc-6.1.0-M5.jar:6.1.0-M5]
>>>>>>> On Tuesday, 31 October 2023 at 11:30:52 UTC, Javi Finarfin wrote:
>>>>>>>
>>>>>>>> For the record, it *looks like* it needs a service parameter, but 
>>>>>>>> I'm still receiving a 403
>>>>>>

[cas-user] mfa-webauthn breaks accessStrategy since last build

2023-12-21 Thread Frédéric Dussurget
Context : master branch, cas-overlay-template out of yesterday (Dec, 20th)

Hello,
A new issue popped up with this week's cas-overlay-template release: 
mfa-webauthn makes accessStrategy break. (For info, it still worked 10 days 
ago when I tried)

I double-checked these two cases:
- Webauthn works like a charm when used without accessStrategy.
- AccessStrategy works like a charm when used without mfa-webauthn.

I could not give a try replacing mfa-webauthn by mfa-gauth because I've 
still got the following issue : 
https://groups.google.com/a/apereo.org/g/cas-user/c/XKFgFS__U9M

(For info, I noticed that mfa.core.provider-selection-enabled became 
mfa.core.provider-selection.provider-selection-enabled. In my case, it is 
set on true)

Regards,

My service definition when both mfa and accessStrategy are defined :

  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-webauthn", "mfa-gauth" ] ],
    "failureMode" : "CLOSED",
    "forceExecution": true
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "requireAllAttributes": false,
    "requiredAttributes": {
      "@class": "java.util.LinkedHashMap",
      "memberOf": [ "java.util.HashSet", [ "CN=myCasadmingroup,OU=Accounts,DC=wywonderfuluniv,DC=fr" ] ]
    }
  },

Log file definition when both mfa and accessStrategy are defined :

2023-12-21 15:39:03,431 DEBUG 
[org.apereo.cas.web.flow.CasFlowHandlerMapping] - 
2023-12-21 15:39:03,439 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 

2023-12-21 15:39:03,444 WARN 
[org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher] 
- https://mysuperhost.mywonderfuluniv.fr:9447/protected}]>
2023-12-21 15:39:03,447 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
https://mysuperhost.mywonderfuluniv.fr:9447/protected,
 
originalUrl=https://mysuperhost.mywonderfuluniv.fr:9447/protected, 
artifactId=null, principal=null, source=service, loggedOutAlready=false, 
format=XML, 
attributes={jakarta.servlet.http.HttpServletRequest.header-x-forwarded-proto=[https],
 
jakarta.servlet.http.HttpServletRequest.header-accept-encoding=[gzip, 
deflate, br], jakarta.servlet.http.HttpServletRequest.header-dnt=[1], 
jakarta.servlet.http.HttpServletRequest.header-x-forwarded-for=[93.25.65.42], 
jakarta.servlet.http.HttpServletRequest.header-accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8],
 
jakarta.servlet.http.HttpServletRequest.localeName=[localhost], 
jakarta.servlet.http.HttpServletRequest.requestURL=[https://cas-pp.mywonderfuluniv.fr/cas/login],
 
jakarta.servlet.http.HttpServletRequest.header-accept-language=[fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3],
 
jakarta.servlet.http.HttpServletRequest.header-sec-fetch-site=[none], 
jakarta.servlet.http.HttpServletRequest.header-sec-fetch-dest=[document], 
jakarta.servlet.http.HttpServletRequest.requestURI=[/cas/login], 
jakarta.servlet.http.HttpServletRequest.header-sec-fetch-user=[?1], 
jakarta.servlet.http.HttpServletRequest.header-upgrade-insecure-requests=[1], 
service=[https://mysuperhost.mywonderfuluniv.fr:9447/protected], 
jakarta.servlet.http.HttpServletRequest.requestId=[470d], 
jakarta.servlet.http.HttpServletRequest.contextPath=[/cas], 
jakarta.servlet.http.HttpServletRequest.header-x-real-ip=[93.25.65.42], 
jakarta.servlet.http.HttpServletRequest.header-user-agent=[Mozilla/5.0 
(Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0], 
jakarta.servlet.http.HttpServletRequest.header-connection=[close], 
jakarta.servlet.http.HttpServletRequest.header-sec-fetch-mode=[navigate], 
jakarta.servlet.http.HttpServletRequest.httpMethod=[GET], 
jakarta.servlet.http.HttpServletRequest.header-host=[cas-pp.mywonderfuluniv.fr]})]>
2023-12-21 15:39:03,447 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 

2023-12-21 15:39:03,452 DEBUG 
[org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - 

2023-12-21 15:39:03,452 DEBUG 
[org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - 

2023-12-21 15:39:03,453 WARN 
[org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - https://mysuperhost.mywonderfuluniv.fr:9447/protected]; it is not 
authorized for use by [John.doe].>
2023-12-21 15:39:03,454 ERROR 
[org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction] - https://mysuperhost.mywonderfuluniv.fr:9447/protected 
to John.doe>
org.apereo.cas.authentication.PrincipalException: Cannot grant service 
access https://mysuperhost.mywonderfuluniv.fr:9447/protected to John.doe
at 
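The accessStrategy block in the service definition above is what the WARN and the PrincipalException in the log are evaluating when they say the service is not authorized for John.doe. To make that rule easy to test outside CAS, here is an added example, in Python, that is not CAS's own code and not from this thread: it evaluates a service's requiredAttributes / requireAllAttributes over the JSON shape CAS writes, including the ["java.util.HashSet", [...]] and "@class" type hints. The service JSON is a constructed sample built around the thread's accessStrategy block; serviceId, name and id are placeholders. It covers the three cases worth checking when an accessStrategy suddenly starts denying: the required group present, only other groups present, and no attributes resolved at all (a principal that arrives with an empty attribute map is denied by this rule exactly like a non-member, which is one thing to rule out when MFA changes the principal resolution path).

```python
"""Evaluate a CAS-style accessStrategy outside CAS.

Added example, not CAS code: mimics the semantics of
DefaultRegisteredServiceAccessStrategy (requiredAttributes /
requireAllAttributes) on the JSON CAS writes, including Jackson
type hints such as ["java.util.HashSet", [...]] and "@class" keys.
"""
import json

# Constructed sample: the accessStrategy block from the thread wrapped in just
# enough of a service definition to parse. serviceId/name/id are placeholders.
SERVICE_JSON = """
{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": "https://mysuperhost.mywonderfuluniv.fr:9447/protected",
  "name": "protected-app (placeholder)",
  "id": 1,
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "requireAllAttributes": false,
    "requiredAttributes": {
      "@class": "java.util.LinkedHashMap",
      "memberOf": [
        "java.util.HashSet",
        [ "CN=myCasadmingroup,OU=Accounts,DC=wywonderfuluniv,DC=fr" ]
      ]
    }
  }
}
"""

ADMIN_GROUP = "CN=myCasadmingroup,OU=Accounts,DC=wywonderfuluniv,DC=fr"


def unwrap(value):
    """Turn a CAS/Jackson-typed JSON value into plain Python.

    ["java.util.HashSet", [...]] becomes a set of strings, a map loses its
    "@class" key and has its values unwrapped, and a bare scalar becomes a
    one-element set so every attribute value is comparable as a set.
    """
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and value[0].startswith("java.")
            and isinstance(value[1], list)):
        return unwrap(value[1])
    if isinstance(value, list):
        return {str(v) for v in value}
    if isinstance(value, dict):
        return {k: unwrap(v) for k, v in value.items() if k != "@class"}
    return {str(value)}


def is_authorized(service, principal_attributes):
    """Apply the service's accessStrategy to a principal's attribute map.

    principal_attributes maps attribute name -> list of values, as CAS holds
    them after attribute resolution. An attribute matches when at least one
    of its values is in the allowed set for that attribute.
    """
    strategy = service.get("accessStrategy") or {}
    required = unwrap(strategy.get("requiredAttributes", {}))
    if not required:
        return True                       # no attribute requirement: allow
    require_all = bool(strategy.get("requireAllAttributes", False))
    outcomes = []
    for attr, allowed in required.items():
        have = {str(v) for v in principal_attributes.get(attr, [])}
        outcomes.append(bool(have & allowed))
    return all(outcomes) if require_all else any(outcomes)


def decide(principal_attributes, service_json=SERVICE_JSON):
    """Parse the service JSON and return the access decision."""
    return is_authorized(json.loads(service_json), principal_attributes)


if __name__ == "__main__":
    cases = {
        "member of the admin group": {"memberOf": [ADMIN_GROUP, "CN=staff,DC=example"]},
        "member of other groups only": {"memberOf": ["CN=staff,DC=example"]},
        "no attributes resolved at all": {},
    }
    for label, attrs in cases.items():
        print(f"{label}: {'authorized' if decide(attrs) else 'denied'}")
```

When the denial appears only with an MFA provider enabled, comparing the attribute map the principal actually carries at the point of the check against the one the rule needs (the third case above) is the quickest way to tell a policy problem from an attribute-resolution problem.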

Re: [cas-user] CAS 7 MFA broken since last build

2023-12-01 Thread Frédéric Dussurget
Hi Javi,
I also tried to add manually the endpoint in 
https://github.com/apereo/cas/blob/master/support/cas-server-support-webconfig/src/main/java/org/apereo/cas/web/security/CasWebSecurityConfigurerAdapter.java

... and I also get the same 500 error as you had.

Have you managed to go a little bit further ?
Regards

On Friday, 3 November 2023 at 16:16:15 UTC+1, Javi Finarfin wrote:

> I guess you can always 
> overwrite 
> org.apereo.cas.web.security.CasWebSecurityConfigurerAdapter.configureHttpSecurity(HttpSecurity)
>
> On Fri, 3 Nov 2023 at 14:09, Javi Finarfin () wrote:
>
>> Live debugging... 
>>
>> On Fri, 3 Nov 2023 14:08, Frédéric Dussurget wrote:
>>
>>> Hi Javi, 
>>> how do you "add" this endpoint ? through your service ? or do you mean 
>>> in the  cas.monitor.endpoints.endpoint section of your cas properties ?
>>> Thanks a lot ...
>>> Fred
>>>
>>> On Thursday, 2 November 2023 at 18:40:43 UTC+1, Javi Finarfin wrote:
>>>
>>>> > For the record, it *looks like* it needs a service parameter, but 
>>>> I'm still receiving a 403
>>>>
>>>> I don't know yet if it's necessary
>>>>
>>>> Because it was a security problem, while debugging I added the endpoint 
>>>> manually 
>>>> here: 
>>>> org.apereo.cas.web.security.CasWebSecurityConfigurerAdapter.configureHttpSecurity(HttpSecurity)
>>>>  
>>>>
>>>> With that, there was no 403, but I get a 500 instead: 
>>>>
>>>> > 2023-11-02 15:44:19,366 TRACE 
>>>> [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]
>>>>  
>>>> - >>> [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, 
>>>> Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, 
>>>> SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]>
>>>> 2023-11-02 15:44:19,366 ERROR 
>>>> [org.apereo.cas.web.support.filters.AbstractSecurityFilter] - >>> for handler [[FlowHandlerMapping.DefaultFlowHandler@25be570b]]: The 
>>>> DispatcherServlet configuration needs to include a HandlerAdapter that 
>>>> supports this handler>
>>>> jakarta.servlet.ServletException: No adapter for handler 
>>>> [[FlowHandlerMapping.DefaultFlowHandler@25be570b]]: The DispatcherServlet 
>>>> configuration needs to include a HandlerAdapter that supports this handler
>>>> at 
>>>> org.springframework.web.servlet.DispatcherServlet.getHandlerAdapter(DispatcherServlet.java:1321)
>>>>  
>>>> ~[spring-webmvc-6.1.0-M5.jar:6.1.0-M5]
>>>> at 
>>>> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1069)
>>>>  
>>>> ~[spring-webmvc-6.1.0-M5.jar:6.1.0-M5]
>>>> On Tuesday, 31 October 2023 at 11:30:52 UTC, Javi Finarfin wrote:
>>>>
>>>>> For the record, it *looks like* it needs a service parameter, but I'm 
>>>>> still receiving a 403
>>>>>
>>>>> On Wednesday, 25 October 2023 at 14:45:17 UTC+1, Frédéric Dussurget wrote:
>>>>>
>>>>>> Hi all,
>>>>>> update : webauthn mfa now works (today's cas-overlay-template build) 
>>>>>> ... which is great.
>>>>>>
>>>>>> But I still have an issue with mfa-gauth when I try to register my 
>>>>>> device (when submitting the OTP from gauth compliant app) :
>>>>>>
>>>>>> jquery.min.js:2 
>>>>>> POST https://cas-pp.universite-lyon.fr/cas/mfa-gauth 401 
>>>>>> (Unauthorized)
>>>>>>
>>>>>> send @ jquery.min.js:2
>>>>>> ajax @ jquery.min.js:2
>>>>>> ce. @ jquery.min.js:2
>>>>>> (anonymous) @ login:261
>>>>>>
>>>>>>
>>>>>> On Wednesday, 18 October 2023 at 12:41:56 UTC+2, Frédéric Dussurget wrote:
>>>>>>
>>>>>>> Hi
>>>>>>> For further investigations, I flushed the redis db (just kept my 3 
>>>>>>> services)
>>>>>>> For both MFA providers (gauth and web-authn) I'm being asked to 
>>>>>>> register my devices. (It wasn't the case before flushing the db, after 
>>>>>>> login/p

Re: [cas-user] CAS 7 MFA broken since last build

2023-11-03 Thread Frédéric Dussurget
Hi Javi, 
how do you "add" this endpoint ? through your service ? or do you mean in 
the  cas.monitor.endpoints.endpoint section of your cas properties ?
Thanks a lot ...
Fred

On Thursday, 2 November 2023 at 18:40:43 UTC+1, Javi Finarfin wrote:

> > For the record, it *looks like* it needs a service parameter, but I'm 
> still receiving a 403
>
> I don't know yet if it's necessary
>
> Because it was a security problem, while debugging I added the endpoint 
> manually 
> here: 
> org.apereo.cas.web.security.CasWebSecurityConfigurerAdapter.configureHttpSecurity(HttpSecurity)
>  
>
> With that, there was no 403, but I get a 500 instead: 
>
> > 2023-11-02 15:44:19,366 TRACE 
> [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]
>  
> -  [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, 
> Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, 
> SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]>
> 2023-11-02 15:44:19,366 ERROR 
> [org.apereo.cas.web.support.filters.AbstractSecurityFilter] -  for handler [[FlowHandlerMapping.DefaultFlowHandler@25be570b]]: The 
> DispatcherServlet configuration needs to include a HandlerAdapter that 
> supports this handler>
> jakarta.servlet.ServletException: No adapter for handler 
> [[FlowHandlerMapping.DefaultFlowHandler@25be570b]]: The DispatcherServlet 
> configuration needs to include a HandlerAdapter that supports this handler
> at 
> org.springframework.web.servlet.DispatcherServlet.getHandlerAdapter(DispatcherServlet.java:1321)
>  
> ~[spring-webmvc-6.1.0-M5.jar:6.1.0-M5]
> at 
> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1069)
>  
> ~[spring-webmvc-6.1.0-M5.jar:6.1.0-M5]
> On Tuesday, 31 October 2023 at 11:30:52 UTC, Javi Finarfin wrote:
>
>> For the record, it *looks like* it needs a service parameter, but I'm 
>> still receiving a 403
>>
>> On Wednesday, 25 October 2023 at 14:45:17 UTC+1, Frédéric Dussurget wrote:
>>
>>> Hi all,
>>> update : webauthn mfa now works (today's cas-overlay-template build) ... 
>>> which is great.
>>>
>>> But I still have an issue with mfa-gauth when I try to register my 
>>> device (when submitting the OTP from gauth compliant app) :
>>>
>>> jquery.min.js:2 
>>> POST https://cas-pp.universite-lyon.fr/cas/mfa-gauth 401 (Unauthorized)
>>>
>>> send @ jquery.min.js:2
>>> ajax @ jquery.min.js:2
>>> ce. @ jquery.min.js:2
>>> (anonymous) @ login:261
>>>
>>>
>>> On Wednesday, 18 October 2023 at 12:41:56 UTC+2, Frédéric Dussurget wrote:
>>>
>>>> Hi
>>>> For further investigations, I flushed the redis db (just kept my 3 
>>>> services)
>>>> For both MFA providers (gauth and web-authn) I'm being asked to register 
>>>> my devices. (It wasn't the case before flushing the db; after login/pwd 
>>>> authentication I fell back immediately to the same login form.)
>>>> So I guess the devices I registered at the end of August are stored in 
>>>> a format that is no longer compatible with the newer builds?
>>>>
>>>> (Note that the mfa selector menu is back from this morning 
>>>> cas-overlay-template build)
>>>>
>>>> But, that still doesn't work, I have the failure popup : "Unable to 
>>>> accept this token. The given token is invalid, does not belong to the 
>>>> device or has expired."
>>>>
>>>> Here are errors in the browsers (tested in FF and Chrome) consoles :
>>>>
>>>> About gauth attempt :
>>>>
>>>> jquery.min.js:2
>>>>
>>>>
>>>>POST https://casblah-myuniversity.fr/cas/mfa-gauth 401 
>>>> (Unauthorized)
>>>> send @ jquery.min.js:2
>>>> ajax @ jquery.min.js:2
>>>> ce. @ jquery.min.js:2
>>>> (anonymous) @ 
>>>> login?service=https%3A%2F%2Fblah.blah.blah%3A9447%2Fprotected:351
>>>>
>>>> maybe here -> 
>>>> [...]try{r.send(i.hasContent&||null)}catch(e){if(o)throw [...]
>>>>
>>>>
>>>> About web-authn attempt :
>>>>
>>>> login:6 
>>>> 
>>>> 
>>>>GET https:// 
>>>> asblah-myuniversity.fr/cas/webjars/text-encoding/0.7.0/lib/encoding-indexes.js
>>>>  
>>>> net::ERR_ABORTED 403 (Forbidden)
>

[cas-user] Re: MFA with Yubikey and WebAuthn

2023-10-27 Thread Frédéric Dussurget
Hi,
I'm interested in this issue: what did you set as js files in your 
custom_theme.properties ?
this line :
cas.standard.js.file=/js/cas.js,/js/material.js
I tried to add webauthn/webauthn.js but I had to remove it because I had a 
failure ...
regards,



On Friday, 27 October 2023 at 10:30:55 UTC+2, Hartmut Trüe wrote:

> Hello,
>
> the problem was based on customized templates that lacked updates to newer 
> versions. After I applied the changes to the customized templates, it now 
> works fine.
>
> Regards, 
> Hartmut
>
> Hartmut Trüe wrote on Tuesday, 24 October 2023 at 08:34:01 UTC+2:
>
>> John, at the moment it is 6.6.13 ... and not working.
>>
>> I don't know what else is missing.
>>
>> Regards, Hartmut
>> John wrote on Thursday, 19 October 2023 at 14:53:01 UTC+2:
>>
>>> Sounds like you are not on latest or at least 6.6.10. There was a bug 
>>> in previous versions.
>>>
>>> On Thursday, October 19, 2023 at 7:10:25 AM UTC-5 Hartmut Trüe wrote:
>>>
 No one uses Yubikey? No idea?

 Regards, 
 Hartmut
 Hartmut Trüe wrote on Friday, 29 September 2023 at 09:59:21 UTC+2:

> Hello,
>
> I am trying to get CAS to work with Yubikey. I have configured FIDO2 
> WebAuthn and it seems to work so far, no error messages in cas.log during 
> login process. 
> But when I try to register the yubikey on the "register device" page, 
> I get "csrfToken is not defined".
>
> CAS is running behind an Apache reverse proxy, and login without mfa 
> or with simple-mfa is working.
>
> Any ideas?
>
> Regards,
> Hartmut
>




Re: [cas-user] CAS 7 MFA broken since last build

2023-10-25 Thread Frédéric Dussurget
Hi all,
update : webauthn mfa now works (today's cas-overlay-template build) ... 
which is great.

But I still have an issue with mfa-gauth when I try to register my device 
(when submitting the OTP from gauth compliant app) :

jquery.min.js:2 
POST https://cas-pp.universite-lyon.fr/cas/mfa-gauth 401 (Unauthorized)
send @ jquery.min.js:2
ajax @ jquery.min.js:2
ce. @ jquery.min.js:2
(anonymous) @ login:261


On Wednesday, 18 October 2023 at 12:41:56 UTC+2, Frédéric Dussurget wrote:

> Hi
> For further investigations, I flushed the redis db (just kept my 3 
> services)
> For both MFA providers (gauth and web-authn) I'm being asked to register my 
> devices. (It wasn't the case before flushing the db; after login/pwd 
> authentication I fell back immediately to the same login form.)
> So I guess the devices I registered at the end of August are stored in a 
> format that is no longer compatible with the newer builds?
>
> (Note that the mfa selector menu is back from this morning 
> cas-overlay-template build)
>
> But, that still doesn't work, I have the failure popup : "Unable to accept 
> this token. The given token is invalid, does not belong to the device or 
> has expired."
>
> Here are errors in the browsers (tested in FF and Chrome) consoles :
>
> About gauth attempt :
>
> jquery.min.js:2
>
>
>POST https://casblah-myuniversity.fr/cas/mfa-gauth 401 
> (Unauthorized)
> send @ jquery.min.js:2
> ajax @ jquery.min.js:2
> ce. @ jquery.min.js:2
> (anonymous) @ 
> login?service=https%3A%2F%2Fblah.blah.blah%3A9447%2Fprotected:351
>
> maybe here -> 
> [...]try{r.send(i.hasContent&||null)}catch(e){if(o)throw [...]
>
>
> About web-authn attempt :
>
> login:6 
> 
> 
>GET https:// 
> asblah-myuniversity.fr/cas/webjars/text-encoding/0.7.0/lib/encoding-indexes.js
>  
> net::ERR_ABORTED 403 (Forbidden)
> login:14 
> 
> 
>GET https:// asblah-myuniversity.fr /cas/js/webauthn/webauthn.js 
> net::ERR_ABORTED 403 (Forbidden)
> login:8 
> 
> 
>GET https:// asblah-myuniversity.fr 
> /cas/webjars/base64-js/1.5.1/base64js.min.js net::ERR_ABORTED 403 
> (Forbidden)
> login:7 
> 
> 
>GET https:// 
> asblah-myuniversity.fr/cas/webjars/whatwg-fetch/3.6.2/dist/fetch.umd.js 
> net::ERR_ABORTED 403 (Forbidden)
> login:5 
> 
> 
>GET https:// 
> asblah-myuniversity.fr/cas/webjars/text-encoding/0.7.0/lib/encoding.js 
> net::ERR_ABORTED 403 (Forbidden)
>
>
> login:389 Uncaught ReferenceError: register is not defined
> at HTMLButtonElement. (login:389:17)
>
>
>
> That may have something to do with spring security, but I did not change 
> anything since august. Here are my ACLs:
>
>
>   monitor:
> endpoints:
>   endpoint:
> defaults:
>   access: AUTHENTICATED
> health:
>   access: IP_ADDRESS
>   requiredIpAddresses: blah blah blah
> registeredServices:
>   access: IP_ADDRESS
>   requiredIpAddresses: blah blah blah
> importRegisteredServices:
>   access: IP_ADDRESS
>   requiredIpAddresses: blah blah blah
> multiFactorTrustedDevices:
>   access: IP_ADDRESS
>   requiredIpAddresses:  blah blah blah
>
> management:
>   endpoints:
> web:
>   exposure:
> include: '*'
> enabled-by-default: true
>
>
> On Tuesday, 17 October 2023 at 12:43:46 UTC+2, Frédéric Dussurget wrote:
>
>> Hi Ray,
>> thank you very much for your help. There are no ERROR messages except this 
>> DEBUG error 401 message at the very end:
>> 2023-10-17 12:28:46,419 DEBUG 
>> [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
>>  
>> - 
>> 2023-10-17 12:28:46,419 DEBUG 
>> [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
>> > [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
>>  
>> for this context>
>>
>> For more information, you'll find below  the service I used (but it is 
>> exactly the same as the one I used in august 2nd) ...
>> Best regards,
>>
>> {
>>   "@class": "org.apereo.cas.services.CasRegisteredService",
>>   "serviceId": 
>> "https://(testserver([123])|cas-pp)(.subdomain|).myuniversity.fr:944([678]).*"
>> ,
>>   "name": "Service Test Bootiful",
>>   "id": 48,
>>  
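The popup quoted above ("Unable to accept this token. The given token is invalid, does not belong to the device or has expired.") is the generic failure CAS shows when a submitted Google Authenticator code is rejected. As an added example that is not part of this thread and not CAS's own code, here is the kind of server-side check that message corresponds to, in Python: RFC 6238 TOTP derived from the device's shared secret, accepted only within a small window of 30-second steps, with replay tracking for codes already consumed and a wider lookback used purely to tell an expired code apart from one that was never valid for this secret. The secret is the RFC 6238 reference test secret, used here as constructed input; the window, lookback and replay set are this example's own parameters, not CAS settings. Note that in the reports above the browser gets a 401 on the POST to /cas/mfa-gauth, which is consistent with the request being rejected by the security layer before any such token check runs; the example shows what the check decides when the request does get through.

```python
"""TOTP (RFC 6238) verification with a drift window, replay tracking and an
"expired" versus "invalid" diagnosis.

Added example, not CAS code: it illustrates the decision behind a message like
"the given token is invalid, does not belong to the device or has expired".
"""
import hashlib
import hmac
import struct
from typing import Optional

# RFC 6238 reference secret (ASCII "12345678901234567890"), used as constructed
# input. A real device secret is random and stored per registered device.
RFC_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, token: str, unix_time: int, *,
                window: int = 1, lookback: int = 20,
                seen: Optional[set] = None,
                step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Classify a submitted code against one device secret.

    "ok"       : matches the current step or one within +/- window
    "replayed" : matched step was already consumed (tracked in `seen`)
    "expired"  : matches an older step within `lookback` (was valid, too late)
    "invalid"  : malformed, wrong code, or derived from another device's secret
    Only "ok" is an acceptance; the other labels exist for diagnostics.
    """
    if not (token.isdigit() and len(token) == digits):
        return "invalid"
    current = unix_time // step
    # Small drift window; constant-time comparison for each candidate.
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), token):
            if seen is not None:
                if counter in seen:
                    return "replayed"
                seen.add(counter)
            return "ok"
    # Older steps are never accepted; they only refine the error reported.
    for counter in range(max(0, current - lookback), current - window):
        if hmac.compare_digest(hotp(secret, counter, digits), token):
            return "expired"
    return "invalid"


if __name__ == "__main__":
    code = totp(RFC_SECRET, 59)          # RFC 6238 vector: 94287082 -> "287082"
    consumed: set = set()
    print(code, verify_totp(RFC_SECRET, code, 59, seen=consumed))   # ok
    print(code, verify_totp(RFC_SECRET, code, 59, seen=consumed))   # replayed
    print(code, verify_totp(RFC_SECRET, code, 59 + 120))            # expired
    print(code, verify_totp(b"other-device-secret", code, 59))      # invalid
```

The four outcomes map onto the wording of the popup: a code from a different device's secret is "invalid", a code typed two minutes late is "expired", and a code submitted twice is "replayed"; only the first case in the demo is accepted. A server that reports the same message for all of them is hiding which one happened, so when debugging a rejection it pays to check server-side logs at DEBUG for the distinguishing detail rather than relying on the popup.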

[cas-user] Re: CAS overlay from master failed to start

2023-10-25 Thread Frédéric Dussurget
Hi,
do you have this one in your build.gradle: implementation 
"org.apereo.cas:cas-server-support-json-service-registry" ?
you also might need the dependency linked to your backend (redis, backend, 
hazelcast etc.) for your service registry. E.g., for redis: implementation 
"org.apereo.cas:cas-server-support-redis-service-registry"
regards,


On Wednesday, 25 October 2023 at 12:15:01 UTC+2, Hartmut Trüe wrote:

> Hello,
>
> my CAS overlay (build from master) fails to run in external tomcat due to 
> a missing dependency:
>
> CAS Version: 7.0.0-SNAPSHOT
> CAS Branch: master
> CAS Commit Id: 888edfa4dc5da86b988a1c662a102318a555dfdd
> CAS Build Date/Time: 2023-10-25T06:28:56Z
> Spring Boot Version: 3.2.0-M3
> Spring Version: 6.1.0-M5
> Java Home: /usr/lib/jvm/java-21-openjdk-amd64
> Java Vendor: Private Build
> Java Version: 21-ea
> Servlet Version: null
> JVM Free Memory: 84 MB
> JVM Maximum Memory: 5 GB
> JVM Total Memory: 316 MB
> OS Architecture: amd64
> OS Name: Linux
> OS Version: 6.2.0-35-generic
> OS Date/Time: 2023-10-25T11:19:33.679732155
> OS Temp Directory: /tmp
> ...
> 2023-10-25 11:19:38,166 ERROR [org.springframework.boot.SpringApplication] 
> - 
> org.springframework.context.ApplicationContextException: Unable to start 
> web server
> at 
> org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.onRefresh(ServletWebServerApplicationContext.java:165)
>  
> ~[spring-boot-3.2.0-M3.jar:3.2.0-M3]
> at 
> org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:602)
>  
> ~[spring-context-6.1.0-M5.jar:6.1.0-M5]
> at 
> org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146)
>  
> ~[spring-boot-3.2.0-M3.jar:3.2.0-M3]
> at 
> org.springframework.boot.SpringApplication.refresh(SpringApplication.java:737)
>  
> ~[spring-boot-3.2.0-M3.jar:3.2.0-M3]
> at 
> org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:439)
>  
> ~[spring-boot-3.2.0-M3.jar:3.2.0-M3]
> at 
> org.springframework.boot.SpringApplication.run(SpringApplication.java:315) 
> ~[spring-boot-3.2.0-M3.jar:3.2.0-M3]
> at 
> org.springframework.boot.web.servlet.support.SpringBootServletInitializer.run(SpringBootServletInitializer.java:174)
>  
> ~[spring-boot-3.2.0-M3.jar:3.2.0-M3]
> at 
> org.springframework.boot.web.servlet.support.SpringBootServletInitializer.createRootApplicationContext(SpringBootServletInitializer.java:154)
>  
> ~[spring-boot-3.2.0-M3.jar:3.2.0-M3]
> at 
> org.springframework.boot.web.servlet.support.SpringBootServletInitializer.onStartup(SpringBootServletInitializer.java:96)
>  
> ~[spring-boot-3.2.0-M3.jar:3.2.0-M3]
> at 
> org.apereo.cas.util.spring.boot.AbstractCasSpringBootServletInitializer.onStartup(AbstractCasSpringBootServletInitializer.java:34)
>  
> ~[cas-server-core-util-api-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
> at 
> org.springframework.web.SpringServletContainerInitializer.onStartup(SpringServletContainerInitializer.java:171)
>  
> ~[spring-web-6.1.0-M5.jar:6.1.0-M5]
> at 
> org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:4875)
>  
> ~[tomcat10-catalina-10.1.6.jar:10.1.6]
> at 
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) 
> ~[tomcat10-catalina-10.1.6.jar:10.1.6]
> at 
> org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1332)
>  
> ~[tomcat10-catalina-10.1.6.jar:10.1.6]
> at 
> org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1322)
>  
> ~[tomcat10-catalina-10.1.6.jar:10.1.6]
> at java.util.concurrent.FutureTask.run(FutureTask.java:317) ~[?:?]
> at 
> org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
>  
> ~[tomcat10-util-10.1.6.jar:10.1.6]
> at 
> java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:145)
>  
> ~[?:?]
> at 
> org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:871) 
> ~[tomcat10-catalina-10.1.6.jar:10.1.6]
> at 
> org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:846) 
> ~[tomcat10-catalina-10.1.6.jar:10.1.6]
> at 
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) 
> ~[tomcat10-catalina-10.1.6.jar:10.1.6]
> at 
> org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1332)
>  
> ~[tomcat10-catalina-10.1.6.jar:10.1.6]
> at 
> org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1322)
>  
> ~[tomcat10-catalina-10.1.6.jar:10.1.6]
> at java.util.concurrent.FutureTask.run(FutureTask.java:317) ~[?:?]
> at 
> org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
>  
> ~[tomcat10-util-10.1.6.jar:10.1.6]
> at 
> 

Re: [cas-user] CAS management overlay broken

2023-10-20 Thread Frédéric Dussurget
Hi Aleix, I managed to make it work with my CAS v7 instance with the second 
repo: https://github.com/apereo/cas-management-overlay
I also followed the 6.3 documentation: 
https://apereo.github.io/cas-management/6.3.x/installation/Installing-ServicesMgmt-Webapp.html
Tomcat 9 + jdk 11, so I kept Cas Management on a separate server.

Here is my gradle.properties that worked with cas v7:

version=6.6.2
# CAS Management version
casmgmt.version=6.6.2
# This is the CAS server version that is compatible
# with the build/version of the CAS management web application.
cas.version=6.6.0
[...]

(You may try more recent builds)

(Do not forget to add your dependencies in build.gradle, especially for 
serviceRegistry)

On Wednesday 18 October 2023 at 19:01:32 UTC+2, Ray Bon wrote:

> Aleix,
>
> The second repo is the one you want. It has a 6.6 branch as most recent.
> Assuming you have checked out the 6.6 branch, it will build with 
> ./gradlew clean build
>
> It is better to post log messages as text rather than images. One, it is 
> searchable; Two, images are hard to see in a desktop email client (maybe I 
> am the last one on the desktop).
>
> Ray
>
> On Wed, 2023-10-18 at 07:52 -0700, Aleix Mariné wrote:
>
> So I was following the official guide to use the CAS management overlay 
> with my CAS instance.
>
> The guide tells you to clone this repository. But it is archived and in 
> the previous version of the CAS management software. I tried to run the 
> software and I can not even build it. Is it broken or is it something that 
> I am doing wrong on my side? I attach here the debug log of the error:
>
> [image: Screenshot-2023-10-18-16:35:44.png]
>
> I tried to fork another repo that apparently contained (also) the CAS 
> management overlay, but this time the version used is more recent (6.3) 
> and is not archived. When I try to build it gradle tells me that it cannot 
> find the pom in the central maven repository (the link is actually broken). 
> Here I attach a photo of the log:
>
> [image: Screenshot-2023-10-18-16:39:38.png]
>
> So, am I doing something wrong? What is the correct way to configure an 
> overlay for my CAS server?
>
> Thank you for this project.
>
>
> Aleix
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b05f1dae-e10e-40cf-9d89-ae6f30db9243n%40apereo.org.


Re: [cas-user] CAS 7 MFA broken since last build

2023-10-18 Thread Frédéric Dussurget
Hi
For further investigations, I flushed the redis db (just kept my 3 services).
For both MFA providers (gauth and web-authn) I'm being asked to register my 
devices. (It wasn't the case before flushing the db: after login/pwd 
authentication I fell back immediately on the same login form.)
So I guess the devices I registered at the end of august are stored in a 
format that is just no longer compatible with the newer builds?

(Note that the mfa selector menu is back from this morning's 
cas-overlay-template build)

But that still doesn't work, I have the failure popup: "Unable to accept 
this token. The given token is invalid, does not belong to the device or 
has expired."

Here are the errors in the browsers' (tested in FF and Chrome) consoles:

About gauth attempt:

jquery.min.js:2
   POST https://casblah-myuniversity.fr/cas/mfa-gauth 401 (Unauthorized)
send @ jquery.min.js:2
ajax @ jquery.min.js:2
ce. @ jquery.min.js:2
(anonymous) @ login?service=https%3A%2F%2Fblah.blah.blah%3A9447%2Fprotected:351

maybe here -> 
[...]try{r.send(i.hasContent&||null)}catch(e){if(o)throw [...]


About web-authn attempt:

login:6
   GET https://asblah-myuniversity.fr/cas/webjars/text-encoding/0.7.0/lib/encoding-indexes.js net::ERR_ABORTED 403 (Forbidden)
login:14
   GET https://asblah-myuniversity.fr/cas/js/webauthn/webauthn.js net::ERR_ABORTED 403 (Forbidden)
login:8
   GET https://asblah-myuniversity.fr/cas/webjars/base64-js/1.5.1/base64js.min.js net::ERR_ABORTED 403 (Forbidden)
login:7
   GET https://asblah-myuniversity.fr/cas/webjars/whatwg-fetch/3.6.2/dist/fetch.umd.js net::ERR_ABORTED 403 (Forbidden)
login:5
   GET https://asblah-myuniversity.fr/cas/webjars/text-encoding/0.7.0/lib/encoding.js net::ERR_ABORTED 403 (Forbidden)

login:389 Uncaught ReferenceError: register is not defined
    at HTMLButtonElement. (login:389:17)



That may have something to do with spring security, but I did not change 
anything since august. Here are my ACLs:

  monitor:
    endpoints:
      endpoint:
        defaults:
          access: AUTHENTICATED
        health:
          access: IP_ADDRESS
          requiredIpAddresses: blah blah blah
        registeredServices:
          access: IP_ADDRESS
          requiredIpAddresses: blah blah blah
        importRegisteredServices:
          access: IP_ADDRESS
          requiredIpAddresses: blah blah blah
        multiFactorTrustedDevices:
          access: IP_ADDRESS
          requiredIpAddresses: blah blah blah

management:
  endpoints:
    web:
      exposure:
        include: '*'
    enabled-by-default: true


On Tuesday 17 October 2023 at 12:43:46 UTC+2, Frédéric Dussurget wrote:

> Hi Ray,
> thank you very much for your help. There are no ERROR message except this 
> DEBUG error 401 message at the very end :
> 2023-10-17 12:28:46,419 DEBUG 
> [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
>  
> - 
> 2023-10-17 12:28:46,419 DEBUG 
> [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
>  [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
>  
> for this context>
>
> For more information, you'll find below  the service I used (but it is 
> exactly the same as the one I used in august 2nd) ...
> Best regards,
>
> {
>   "@class": "org.apereo.cas.services.CasRegisteredService",
>   "serviceId": 
> "https://(testserver([123])|cas-pp)(.subdomain|).myuniversity.fr:944([678]).*"
> ,
>   "name": "Service Test Bootiful",
>   "id": 48,
>   "description": "Service de test Bootiful port 9446/7/8 MFA 
> gauth/webauthn",
>   "evaluationOrder": 48,
>   "attributeReleasePolicy": {
> "@class": 
> "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
> "canonicalizationMode": null,
> "allowedAttributes": [
>   "java.util.ArrayList",
>   [
> "displayname mail blah givenname"
>   ]
> ]
>   },
>   "logo": "https://cas.myuniversity.fr/logo.svg;,
>   "accessStrategy": {
> "@class": 
> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
> "requireAllAttributes": false,
> "requiredAttributes": {
>   "@class": "java.util.LinkedHashMap",
>   "memberOf": [
> "java.util.HashSet",
>     [
>   "OU=blahblah",
>   "

Re: [cas-user] CAS 7 MFA broken since last build

2023-10-18 Thread Frédéric Dussurget
Hi
For further investigations, I flushed the redis db (just kept my 3 services).
For both MFA providers (gauth and web-authn) I'm being asked to register my 
devices. (It wasn't the case before flushing the db: after login/pwd 
authentication I fell back immediately on the same login form.)
So I guess the devices I registered at the end of august are stored in a 
format that is just no longer compatible with the newer builds?

But that still doesn't work, I have the failure popup: "Unable to accept 
this token. The given token is invalid, does not belong to the device or 
has expired."

Here are the errors in the browsers' (tested in FF and Chrome) consoles:

About gauth attempt:

jquery.min.js:2
   POST https://cas-pp.universite-lyon.fr/cas/mfa-gauth 401 (Unauthorized)
send @ jquery.min.js:2
ajax @ jquery.min.js:2
ce. @ jquery.min.js:2
(anonymous) @ login?service=https%3A%2F%2Fsrv-cas-pp01.ad.universite-lyon.fr%3A9447%2Fprotected:351

maybe here -> 
[...]try{r.send(i.hasContent&||null)}catch(e){if(o)throw [...]


About web-authn attempt:

login:8
   GET https://cas-pp.universite-lyon.fr/cas/webjars/base64-js/1.5.1/base64js.min.js net::ERR_ABORTED 403 (Forbidden)
login:14
   GET https://cas-pp.universite-lyon.fr/cas/js/webauthn/webauthn.js net::ERR_ABORTED 403 (Forbidden)
login:5
   GET https://cas-pp.universite-lyon.fr/cas/webjars/text-encoding/0.7.0/lib/encoding.js net::ERR_ABORTED 403 (Forbidden)
login:7
   GET https://cas-pp.universite-lyon.fr/cas/webjars/whatwg-fetch/3.6.2/dist/fetch.umd.js net::ERR_ABORTED 403 (Forbidden)
login:6
   GET https://cas-pp.universite-lyon.fr/cas/webjars/text-encoding/0.7.0/lib/encoding-indexes.js net::ERR_ABORTED 403 (Forbidden)


That may have something to do with spring security, but I did not change 
anything since august. Here are my ACLs:

  monitor:
    endpoints:
      endpoint:
        defaults:
          access: AUTHENTICATED
        health:
          access: IP_ADDRESS
          requiredIpAddresses: blah blah blah
        registeredServices:
          access: IP_ADDRESS
          requiredIpAddresses: blah blah blah
        importRegisteredServices:
          access: IP_ADDRESS
          requiredIpAddresses: blah blah blah
        multiFactorTrustedDevices:
          access: IP_ADDRESS
          requiredIpAddresses: blah blah blah

management:
  endpoints:
    web:
      exposure:
        include: '*'
    enabled-by-default: true

On Tuesday 17 October 2023 at 12:43:46 UTC+2, Frédéric Dussurget wrote:

> Hi Ray,
> thank you very much for your help. There are no ERROR message except this 
> DEBUG error 401 message at the very end :
> 2023-10-17 12:28:46,419 DEBUG 
> [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
>  
> - 
> 2023-10-17 12:28:46,419 DEBUG 
> [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
>  [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
>  
> for this context>
>
> For more information, you'll find below  the service I used (but it is 
> exactly the same as the one I used in august 2nd) ...
> Best regards,
>
> {
>   "@class": "org.apereo.cas.services.CasRegisteredService",
>   "serviceId": 
> "https://(testserver([123])|cas-pp)(.subdomain|).myuniversity.fr:944([678]).*"
> ,
>   "name": "Service Test Bootiful",
>   "id": 48,
>   "description": "Service de test Bootiful port 9446/7/8 MFA 
> gauth/webauthn",
>   "evaluationOrder": 48,
>   "attributeReleasePolicy": {
> "@class": 
> "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
> "canonicalizationMode": null,
> "allowedAttributes": [
>   "java.util.ArrayList",
>   [
> "displayname mail blah givenname"
>   ]
> ]
>   },
>   "logo": "https://cas.myuniversity.fr/logo.svg;,
>   "accessStrategy": {
> "@class": 
> "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
> "requireAllAttributes": false,
> "requiredAttributes": {
>   "@class": "java.util.LinkedHashMap",
>   "memberOf": [
> "java.util.HashSet",
>     [
>   "OU=blahblah",
>   "OU=blahblah",
>   "DC=blahblah",
>   "DC=myuniversity",
>   &quo

Re: [cas-user] CAS 7 MFA broken since last build

2023-10-17 Thread Frédéric Dussurget
Hi Ray,
thank you very much for your help. There are no ERROR messages except this 
DEBUG 401 error message at the very end:
2023-10-17 12:28:46,419 DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - 
2023-10-17 12:28:46,419 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 

For more information, you'll find below the service I used (but it is 
exactly the same as the one I used on august 2nd) ...
Best regards,

{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": "https://(testserver([123])|cas-pp)(.subdomain|).myuniversity.fr:944([678]).*",
  "name": "Service Test Bootiful",
  "id": 48,
  "description": "Service de test Bootiful port 9446/7/8 MFA gauth/webauthn",
  "evaluationOrder": 48,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "canonicalizationMode": null,
    "allowedAttributes": [
      "java.util.ArrayList",
      [
        "displayname mail blah givenname"
      ]
    ]
  },
  "logo": "https://cas.myuniversity.fr/logo.svg",
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "requireAllAttributes": false,
    "requiredAttributes": {
      "@class": "java.util.LinkedHashMap",
      "memberOf": [
        "java.util.HashSet",
        [
          "OU=blahblah",
          "OU=blahblah",
          "DC=blahblah",
          "DC=myuniversity",
          "CN=casmanagers",
          "DC=fr"
        ]
      ]
    }
  },

On Tuesday 17 October 2023 at 04:22:16 UTC+2, Ray Bon wrote:

> Frédéric,
>
> Are there any error messages in the logs?
>
> Ray
>
> On Fri, 2023-10-13 at 06:26 -0700, Frédéric Dussurget wrote:
>
> Hi,
> latest build broke MFA (both gauth and web-authn). I have kept besides a 
> cas.war from august 22nd which is working fine with the exact same 
> build.gradle deps and /etc/cas/config/cas/yml config. One difference is 
> that the new cas.war was compiled and run (external tomcat) with openjdk 21 
> vs the other one  was compiled and run with openjdk17
> DB backend is Redis for everything.
>
> Thanks if anyone could help ...
> Regards,
>
> Fred
>
> Here are the deps I'm using :
>
> build.gradle :
>
> // ### MFA ###
>
> //MFA TOTP
> implementation 
> "org.apereo.cas:cas-server-support-gauth:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-gauth-redis:${project.'cas.version'}"
>
> // MFA FIDO2 WEBAUTHN
> implementation 
> "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"
>
> //MFA TRUSTED DEVICE
> implementation 
> "org.apereo.cas:cas-server-support-trusted-mfa:${project.'cas.version'}"
> implementation "org.apereo.cas:cas-server-support-trusted-mfa-redis:
> ${project.'cas.version'}"
>
> Here is the MFA block in my cas.yml :
>
> mfa:
>   core:
> provider-selection-enabled: true
>   gauth:
> core:
>   issuer: CASIssuer
>   label: Blah
>   scratch-codes.encryption.key: blah-blah-blah
> name: OATH Authentification
> crypto:
>   encryption:
> key: blah-blah-blah
>   signing:
> key: blah-blah-blah
> redis:
>   host: localhost
>   port: 6379
>   username: default
>   password: blah-blah-blah
>   sentinel:
> node[0]: blah-blah-blah:26379
> node[1]: blah-blah-blah:26379
> node[2]: blah-blah-blah:26379
> master: instancecas
>
>   web-authn:
> core:
>   relying-party-id: blah-blah-blah.fr
>   relying-party-name: blah-blah-blah
>   allowed-origins: blah-blah-blah
>   trusted-device-enabled: false
>   application-id: blah-blah-blah
> crypto:
>   encryption:
> key: blah-blah-blah
>  

[cas-user] CAS 7 MFA broken since last build

2023-10-13 Thread Frédéric Dussurget
Hi,
the latest build broke MFA (both gauth and web-authn). I have kept aside a 
cas.war from august 22nd which is working fine with the exact same 
build.gradle deps and /etc/cas/config/cas.yml config. One difference is 
that the new cas.war was compiled and run (external tomcat) with openjdk 21 
whereas the other one was compiled and run with openjdk 17.
DB backend is Redis for everything.

Thanks if anyone could help ...
Regards,

Fred

Here are the deps I'm using:

build.gradle:

// ### MFA ###

// MFA TOTP
implementation "org.apereo.cas:cas-server-support-gauth:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-gauth-redis:${project.'cas.version'}"

// MFA FIDO2 WEBAUTHN
implementation "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"

// MFA TRUSTED DEVICE
implementation "org.apereo.cas:cas-server-support-trusted-mfa:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-trusted-mfa-redis:${project.'cas.version'}"

Here is the MFA block in my cas.yml:

mfa:
  core:
    provider-selection-enabled: true
  gauth:
    core:
      issuer: CASIssuer
      label: Blah
      scratch-codes.encryption.key: blah-blah-blah
    name: OATH Authentification
    crypto:
      encryption:
        key: blah-blah-blah
      signing:
        key: blah-blah-blah
    redis:
      host: localhost
      port: 6379
      username: default
      password: blah-blah-blah
      sentinel:
        node[0]: blah-blah-blah:26379
        node[1]: blah-blah-blah:26379
        node[2]: blah-blah-blah:26379
        master: instancecas

  web-authn:
    core:
      relying-party-id: blah-blah-blah.fr
      relying-party-name: blah-blah-blah
      allowed-origins: blah-blah-blah
      trusted-device-enabled: false
      application-id: blah-blah-blah
    crypto:
      encryption:
        key: blah-blah-blah
      signing:
        key: blah-blah-blah
    redis:
      host: localhost
      port: 6379
      username: default
      password: blah-blah-blah
      sentinel:
        node[0]: blah-blah-blah:26379
        node[1]: blah-blah-blah:26379
        node[2]: blah-blah-blah:26379
        master: instancecas

  trusted:
    core:
      auto-assign-device-name: true
      device-registration-enabled: true
      authentication-context-attribute: isFromTrustedMultifactorAuthentication
    redis:
      host: localhost
      port: 6379
      username: default
      password: blah-blah-blah
      sentinel:
        node[0]: blah-blah-blah:26379
        node[1]: blah-blah-blah:26379
        node[2]: blah-blah-blah:26379
        master: instancecas
    crypto:
      enabled: true
      signing:
        key: blah-blah-blah
      encryption:
        key: blah-blah-blah
    device-fingerprint:
      cookie:
        crypto:
          enabled: true
          signing:
            key: blah-blah-blah
          encryption:
            key: blah-blah-blah

And the stacktrace:

2023-10-13 11:19:17,196 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - https://blah-blah-blah:9447/protected]>
2023-10-13 11:19:17,196 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - https://blah-blah-blah] with id [48] in context scope>
2023-10-13 11:19:17,197 DEBUG [org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy] - 
2023-10-13 11:19:17,197 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
2023-10-13 11:19:27,246 DEBUG [org.apereo.cas.web.flow.CasFlowHandlerMapping] - 
2023-10-13 11:19:27,250 DEBUG [org.apereo.cas.web.flow.CasFlowHandlerMapping] - 
2023-10-13 11:19:27,260 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] - 
2023-10-13 11:19:27,276 WARN [org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher] - https://blah-blah-blah:9447/protected}]>
2023-10-13 11:19:27,280 WARN [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - 
java.lang.NullPointerException: Name is null
    at java.lang.Enum.valueOf(Enum.java:291) ~[?:?]
    at org.apereo.services.persondir.util.CaseCanonicalizationMode.valueOf(CaseCanonicalizationMode.java:26) ~[person-directory-impl-3.0.1.jar:?]
    at org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy.returnFinalAttributesCollection(AbstractRegisteredServiceAttributeReleasePolicy.java:250) ~[cas-server-core-authentication-attributes-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
    at 

[cas-user] Re: Failed to create Jar file

2023-06-26 Thread Frédéric Dussurget
Same thing here ...

On Sunday 25 June 2023 at 17:39:59 UTC+2, favk...@gmail.com wrote:

> and it creates  spring.6.1.0-M1.jar.lock.lock file on my gradle cashe
>
> On Saturday, June 24, 2023 at 5:38:15 PM UTC fasr favk wrote:
>
>> Hello, i cant run my cas server anymore, i cleared .gradle cash and 
>> rebuild my project but the same issue, using jdk17,spring boot 3.1.0
>> [image: Sans titre.png]
>> my --stacktrace : * Exception is:
>> org.gradle.api.ProjectConfigurationException: A problem occurred 
>> configuring root project 'cas'.
>> at 
>> org.gradle.configuration.project.LifecycleProjectEvaluator.wrapException(LifecycleProjectEvaluator.java:84)
>> at 
>> org.gradle.configuration.project.LifecycleProjectEvaluator.addConfigurationFailure(LifecycleProjectEvaluator.java:77)
>> at 
>> org.gradle.configuration.project.LifecycleProjectEvaluator.access$400(LifecycleProjectEvaluator.java:55)
>> at 
>> org.gradle.configuration.project.LifecycleProjectEvaluator$EvaluateProject.lambda$run$0(LifecycleProjectEvaluator.java:111)
>> at 
>> org.gradle.api.internal.project.DefaultProjectStateRegistry$ProjectStateImpl.lambda$applyToMutableState$1(DefaultProjectStateRegistry.java:395)
>> at 
>> org.gradle.api.internal.project.DefaultProjectStateRegistry$ProjectStateImpl.fromMutableState(DefaultProjectStateRegistry.java:413)
>> at 
>> org.gradle.api.internal.project.DefaultProjectStateRegistry$ProjectStateImpl.applyToMutableState(DefaultProjectStateRegistry.java:394)
>> at 
>> org.gradle.configuration.project.LifecycleProjectEvaluator$EvaluateProject.run(LifecycleProjectEvaluator.java:100)
>> at 
>> org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:29)
>> at 
>> org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:26)
>> at 
>> org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
>> at 
>> org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
>> at 
>> org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
>> at 
>> org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
>> at 
>> org.gradle.internal.operations.DefaultBuildOperationRunner.run(DefaultBuildOperationRunner.java:47)
>> at 
>> org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:68)
>> at 
>> org.gradle.configuration.project.LifecycleProjectEvaluator.evaluate(LifecycleProjectEvaluator.java:72)
>> at 
>> org.gradle.api.internal.project.DefaultProject.evaluate(DefaultProject.java:779)
>> at 
>> org.gradle.api.internal.project.DefaultProject.evaluate(DefaultProject.java:156)
>> at 
>> org.gradle.api.internal.project.ProjectLifecycleController.lambda$ensureSelfConfigured$2(ProjectLifecycleController.java:84)
>> at 
>> org.gradle.internal.model.StateTransitionController.lambda$doTransition$14(StateTransitionController.java:255)
>> at 
>> org.gradle.internal.model.StateTransitionController.doTransition(StateTransitionController.java:266)
>> at 
>> org.gradle.internal.model.StateTransitionController.doTransition(StateTransitionController.java:254)
>> at 
>> org.gradle.internal.model.StateTransitionController.lambda$maybeTransitionIfNotCurrentlyTransitioning$10(StateTransitionController.java:199)
>> at 
>> org.gradle.internal.work.DefaultSynchronizer.withLock(DefaultSynchronizer.java:34)
>> at 
>> org.gradle.internal.model.StateTransitionController.maybeTransitionIfNotCurrentlyTransitioning(StateTransitionController.java:195)
>> at 
>> org.gradle.api.internal.project.ProjectLifecycleController.ensureSelfConfigured(ProjectLifecycleController.java:84)
>> at 
>> org.gradle.api.internal.project.DefaultProjectStateRegistry$ProjectStateImpl.ensureConfigured(DefaultProjectStateRegistry.java:369)
>> at 
>> org.gradle.execution.TaskPathProjectEvaluator.configure(TaskPathProjectEvaluator.java:33)
>> at 
>> org.gradle.execution.TaskPathProjectEvaluator.configureHierarchy(TaskPathProjectEvaluator.java:47)
>> at 
>> org.gradle.execution.DefaultTaskSelector.getSelection(DefaultTaskSelector.java:61)
>> at 
>> org.gradle.execution.selection.DefaultBuildTaskSelector.resolveTaskName(DefaultBuildTaskSelector.java:98)
>> at 
>> org.gradle.execution.commandline.CommandLineTaskParser.parseTasks(CommandLineTaskParser.java:49)
>> at 
>> org.gradle.execution.TaskNameResolvingBuildTaskScheduler.scheduleRequestedTasks(TaskNameResolvingBuildTaskScheduler.java:50)
>> at 
>> 

Re: [cas-user] CAS 6.6.x WebAuthn Registration Failing,

2023-05-12 Thread Frédéric Dussurget
Hi Graham,

I gave it a try this morning (but on branch master 7.0.0-SNAPSHOT) and ...
it's eventually working great :) Thanks to Misagh and the dev team!

What I've done is remove every workaround we did on this topic: removed
config/WebAuthnConfiguration.java + webauthn/web/WebAuthnController.java,
removed the extra pack of deps linked to those two files, flushed my dev db
and imported just one mfa-webauthn service, removed the custom theme and
finally recompiled and restarted tomcat10 (mine is not bundled, it is
marked as external through gradle.properties). I can now register my fido2
device and then login without any error.

build.gradle linked deps:

> // MFA FIDO2 WEBAUTHN
> implementation "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
> implementation "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"
>


cas.yml:

>   web-authn:
>     core:
>       relying-party-id: mydomain.fr
>       relying-party-name: mynickname
>       allowed-origins: https://cas.mydomain.fr
>       trusted-device-enabled: false
>       application-id: https://www.mydomain.fr
>



On Fri 12 May 2023 at 01:41, Graham Ballantyne 
wrote:

> Hi all,
>
> I'm having a similar issue with webauthn device registration failing on
> CAS 6.6.x; the /cas/webauthn/register endpoint returns a 403 error, and the
> server logs have an invalid CSRF token error:
>
> web_1  | 2023-05-11 23:11:38,248 DEBUG
> [org.springframework.security.web.access.channel.ChannelProcessingFilter] -
>  [REQUIRES_SECURE_CHANNEL]>
> web_1  | 2023-05-11 23:11:38,250 DEBUG
> [org.springframework.security.web.csrf.CsrfFilter] -  found for https://cas_server/cas/webauthn/register>
> web_1  | 2023-05-11 23:11:38,250 DEBUG
> [org.springframework.security.web.access.AccessDeniedHandlerImpl] -
> 
>
> I'm not able to implement the workaround here (commenting out
> @PreAuthorize("isAuthenticated()") in WebAuthnController.java) as
> WebAuthnController.java no longer contains that line. It looks like Misagh
> changed how this works in a recent commit (
> https://github.com/apereo/cas/commit/b9233b0731004fdc85994539c67fe0cd0f01c2c3
> ).
>
> I've tried adding the cas.authn.mfa.web-authn.core.allowed-origins
> property (which the docs say defaults to the server name, so I'd think it
> wouldn't be necessary) and it still fails. My webauthn settings from
> cas.properties are:
>
> cas.authn.mfa.web-authn.core.application-id=https://mycasdomain.ca
> cas.authn.mfa.web-authn.core.relying-party-name=Graham CAS Dev
> cas.authn.mfa.web-authn.core.relying-party-id=mycasdomain.ca
> cas.authn.mfa.web-authn.core.display-name-attribute=displayName
> cas.authn.mfa.web-authn.core.allow-primary-authentication=true
> cas.authn.mfa.web-authn.core.allow-untrusted-attestation=true
> cas.authn.mfa.web-authn.core.trusted-device-enabled=true
> cas.authn.mfa.web-authn.crypto.encryption.key=xxx
> cas.authn.mfa.web-authn.crypto.signing.key=yyy
> cas.authn.mfa.web-authn.core.allowed-origins:https://mycasdomain.ca
>
> I'm not a Java developer so I'm a little out of my element in trying to
> see where the problem is. Any tips would be appreciated!
>
> Cheers,
> Graham.
>
>
> On Thursday, April 6, 2023 at 4:59:11 AM UTC-7 dussu...@gmail.com wrote:
>
>
> Hi,
> I'm now able to register my webauthn device, to login, and trust my device.
>
> What I noticed is that the allowed-origins (device registering) property
> and application-id extension (connect) seem now mandatory to me, (though it
> was not in 6.5.9).
> Without those two settings, I'm stuck.
>
>   web-authn:
> core:
>   relying-party-id: mydomain.fr
>   relying-party-name: myrpname
>   allowed-origins: https://cas-dev.mydomain.fr
>   trusted-device-enabled: true
>   application-id: https://cas-dev.mydomain.fr/test
>
> First, I want to say that I thank you all for your precious advices !
> (@PreAuthorize("isAuthenticated()") + WebAuthnConfiguration.java trick)
> This won't go in production right now, because I wonder about the security
> impact when accessing the webauthn/register endpoint ... ?
>
> Regards,
> On Wednesday 29 March 2023 at 16:15:00 UTC+2, John wrote:
>
> What does your cas.log state for error? Are you using a valid ssl
> certificate, cas host name matches whats in config? Also, in 7.x/master you
> have to edit this,
>
>
> https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437
>
> with the below,
>
> return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN +
> WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE,
> WebAuthnController.BASE_ENDPOINT_WEBAUTHN +
> WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER);
>
> There's actually 2 bugs, maybe more. One is the PreAuthorize and the other
> is CSRF related to spring 6/spring boot 3 and possible another bug. I fixed
> the csrf issue and still working 
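The 403 that Graham reports on /cas/webauthn/register comes from a synchronizer-token CSRF check, the kind Spring Security's CsrfFilter applies to state-changing requests. The Python below is an added illustration of that check, not CAS or Spring Security code: safe methods pass, a POST must carry the token the server tied to the session, and a path on an exempt list skips the check entirely, which is what the endpoint list John points at in WebAuthnConfiguration appears to be for (that reading is an assumption here). The session store, the form markup and the token values are constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Methods that are not supposed to change state and therefore skip the check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
# Default header and parameter names used by Spring Security's CSRF support.
HEADER_NAME = "X-CSRF-TOKEN"
PARAMETER_NAME = "_csrf"


@dataclass
class Session:
    """Server-side session; the token is minted once and stays tied to it."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class HttpRequest:
    """Constructed request model: only the fields the check needs."""
    method: str
    path: str
    session: Session
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def presented_token(req: HttpRequest):
    """Header first, then the form parameter, as CsrfFilter does."""
    return req.headers.get(HEADER_NAME) or req.form.get(PARAMETER_NAME)


def csrf_filter(req: HttpRequest, exempt_paths=()) -> int:
    """Status the filter produces: 200 to continue down the chain, 403 to deny."""
    if req.method.upper() in SAFE_METHODS:
        return 200
    if req.path in exempt_paths:
        return 200                      # exempt paths get no check at all
    actual = presented_token(req)
    if actual is None:
        return 403                      # missing token
    expected = req.session.csrf_token
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(actual.encode(), expected.encode()):
        return 403                      # token from another session or stale
    return 200


def registration_page(session: Session) -> str:
    """Constructed stand-in for the login page: the token is rendered into the
    form so a same-origin POST can send it back; a cross-site page cannot read it."""
    return (f'<form method="post" action="/cas/webauthn/register">'
            f'<input type="hidden" name="{PARAMETER_NAME}" value="{session.csrf_token}">'
            f'</form>')


def demo() -> dict:
    """The same POST in four variants: no token, a stale token, the session
    token, and the endpoint placed on the exempt list."""
    s = Session()
    base = dict(method="POST", path="/cas/webauthn/register", session=s)
    return {
        "no_token": csrf_filter(HttpRequest(**base)),
        "stale_token": csrf_filter(HttpRequest(**base, form={PARAMETER_NAME: "stale"})),
        "session_token": csrf_filter(HttpRequest(**base, form={PARAMETER_NAME: s.csrf_token})),
        "exempt": csrf_filter(HttpRequest(**base), exempt_paths=("/cas/webauthn/register",)),
    }
```

Exempting a path removes the check altogether rather than satisfying it, so whatever handles that path needs another control of its own, such as requiring an authenticated caller; that is the question raised about the webauthn/register endpoint in the April 6 message above.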

Re: [cas-user] CAS 6.6.x WebAuthn Registration Failing,

2023-05-12 Thread Frédéric Dussurget
I forgot, here is what I have about endpoint spring security management in
cas.yml:

>   monitor:
>     endpoints:
>       endpoint:
>         defaults:
>           access: AUTHENTICATED
>         health:
>           access: IP_ADDRESS
>           requiredIpAddresses: xx.yy.www.zz, aa.bb.cc.dd,etc.
>         [...]
>         registeredServices:
>           access: IP_ADDRESS
>           requiredIpAddresses: xx.yy.www.zz, aa.bb.cc.dd,etc.
>         importRegisteredServices:
>           access: IP_ADDRESS
>           requiredIpAddresses: xx.yy.www.zz, aa.bb.cc.dd,etc.
>         [...]
> management:
>   endpoints:
>     web:
>       exposure:
>         include: '*'
>     enabled-by-default: true
>


On Fri 12 May 2023 at 12:10, Frédéric Dussurget 
wrote:

> Hi Graham,
>
> I gave it a try this morning (but on branch master 7.0.0-SNAPSHOT) and ...
> it's eventually working great :) Thanks to Misagh and the dev team !
>
> What I've done is removing every workaround we did on this topic : removed
> config/WebAuthnConfiguration.java + webauthn/web/WebAuthnController.java,
> removed the extra pack of deps linked to those two files, flushed my dev db
> and imported just one mfa-webauthn service, removed custom theme and
> finally recompiled and restarted tomcat10 (mine is not bundled, it is
> marked as external thru gradle.properties). I can now register my fido2
> device and then login without any error.
>
> build.gradle linked deps :
>
> // MFA FIDO2 WEBAUTHN
>> implementation
>> "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
>> implementation
>> "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"
>>
>
>
> cas.yml :
>
>   web-authn:
>> core:
>>   relying-party-id: mydomain.fr
>>   relying-party-name: mynickname
>>   allowed-origins: https://cas.mydomain.fr
>>   trusted-device-enabled: false
>>   application-id: https://www.mydomain.fr
>>
>
>
>
> On Fri 12 May 2023 at 01:41, Graham Ballantyne 
> wrote:
>
>> Hi all,
>>
>> I'm having a similar issue with webauthn device registration failing on
>> CAS 6.6.x; the /cas/webauthn/register endpoint returns a 403 error, and the
>> server logs have an invalid CSRF token error:
>>
>> web_1  | 2023-05-11 23:11:38,248 DEBUG
>> [org.springframework.security.web.access.channel.ChannelProcessingFilter] -
>> > [REQUIRES_SECURE_CHANNEL]>
>> web_1  | 2023-05-11 23:11:38,250 DEBUG
>> [org.springframework.security.web.csrf.CsrfFilter] - > found for https://cas_server/cas/webauthn/register>
>> web_1  | 2023-05-11 23:11:38,250 DEBUG
>> [org.springframework.security.web.access.AccessDeniedHandlerImpl] -
>> 
>>
>> I'm not able to implement the workaround here (commenting out
>> @PreAuthorize("isAuthenticated()") in WebAuthnController.java) as
>> WebAuthnController.java no longer contains that line. It looks like Misagh
>> changed how this works in a recent commit (
>> https://github.com/apereo/cas/commit/b9233b0731004fdc85994539c67fe0cd0f01c2c3
>> ).
>>
>> I've tried adding the cas.authn.mfa.web-authn.core.allowed-origins
>> property (which the docs say defaults to the server name, so I'd think it
>> wouldn't be necessary) and it still fails. My webauthn settings from
>> cas.properties are:
>>
>> cas.authn.mfa.web-authn.core.application-id=https://mycasdomain.ca
>> cas.authn.mfa.web-authn.core.relying-party-name=Graham CAS Dev
>> cas.authn.mfa.web-authn.core.relying-party-id=mycasdomain.ca
>> cas.authn.mfa.web-authn.core.display-name-attribute=displayName
>> cas.authn.mfa.web-authn.core.allow-primary-authentication=true
>> cas.authn.mfa.web-authn.core.allow-untrusted-attestation=true
>> cas.authn.mfa.web-authn.core.trusted-device-enabled=true
>> cas.authn.mfa.web-authn.crypto.encryption.key=xxx
>> cas.authn.mfa.web-authn.crypto.signing.key=yyy
>> cas.authn.mfa.web-authn.core.allowed-origins:https://mycasdomain.ca
>>
>> I'm not a Java developer so I'm a little out of my element in trying to
>> see where the problem is. Any tips would be appreciated!
>>
>> Cheers,
>> Graham.
>>
>>
>> On Thursday, April 6, 2023 at 4:59:11 AM UTC-7 dussu...@gmail.com wrote:
>>
>>
>> Hi,
>> I'm now able to register my webauthn device, to login, and trust my
>> device.
>>
>> What I noticed is that the allowed-origins (device registering) property
>> and application-id extension (connect) seem now mandatory to me, (though it
>> 

Re: [cas-user] Installation and configuration of CAS with jdk17, tomcat9, ldap and lam...

2023-05-02 Thread Frédéric Dussurget
Hi,
as the cas alias "existe déjà", you might list certificates that are 
stored in your keystore (/etc/cas/thekeystore) then delete the cas entry :

keytool -list -v -keystore /etc/cas/thekeystore -storepass changeit (or 
whatever your password is)
keytool -delete -alias your_cas_server_alias -keystore thekeystore 
-storepass changeit (or whatever your password is)

(and, this said, I would go for tomcat 10 over jdk 17, especially for cas 
v7.x - You can stay with tomcat 9/jdk 11 with cas 6.x especially if you 
want to implement cas-management besides)



Le dimanche 30 avril 2023 à 19:40:50 UTC+2, tyuio...@gmail.com a écrit :

> Task :createKeystore FAILED
> erreur keytool : java.lang.Exception: Paire de clés non générée, l'alias 
>  existe déjà
>
> FAILURE: Build failed with an exception.
>
> * Where:
> Script '/opt/cas-overlay-template/gradle/tasks.gradle' line: 160
>
> * What went wrong:
> Execution failed for task ':createKeystore'.
> > Process 'command 'keytool'' finished with non-zero exit value 1
>
> Le vendredi 28 avril 2023 à 17:11:43 UTC+1, Ray Bon a écrit :
>
>> Coeurcy,
>>
>> And the problem is...?
>>
>> Ray
>>
>> On Fri, 2023-04-28 at 03:57 -0700, Coeurcy Mokoko wrote:
>>
>>
>> Hello, I am working on the implementation of an SSO with CAS using 
>> tomcat9, ldap, lam and jdk17. I have encountered several errors that I cannot 
>> solve for a week already, including the compilation of the build.gradle file. I 
>> really need help, it's urgent...!
>>
>> I thank you in advance!
>>
>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3a3bcd23-a575-4fac-95fd-be7addd631e5n%40apereo.org.


[cas-user] Re: latest v7.0.0-SNAPSHOT CreateTicketGrantingTicketAction Issue

2023-04-14 Thread Frédéric Dussurget
This issue has been fixed this morning with a fresh new 7-snapshot, thanks 
to the devs :) 
Regards,

Le jeudi 13 avril 2023 à 06:38:00 UTC+2, Frédéric Dussurget a écrit :

> Hi, 
> I have been facing a new issue on the latest master branch since I 
> recompiled everything from cas-overlay-template v7.0.0-SNAPSHOT from Github 
> last week (around April 6th or 7th 2023)
>
> After tweaking gradle.properties, I can state that :
> version=7.0.0-RC3 Works
> version=7.0.0-RC4 does not because of some other environment reasons
> version=7.0.0-RC5 Works
> version=7.0.0-SNAPSHOT does not work 
>
> With the latest 7.0.0-SNAPSHOT I have this error 500 after login 
> (/cas/login or any existing CasRegisteredService) :
> org.springframework.webflow.execution.ActionExecutionException: Exception 
> thrown executing 
> org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction@1daa4a1b in 
> state 'createTicketGrantingTicket' of flow 'login' -- action execution 
> attributes were 'map[[empty]]'
> (see fullstack at the bottom)
>
> My context is master 7.0.0, jdk 17, tomcat 10.1.7 (not bundled). 
> For the test, I also rolled back to the latest 6.6 (+jdk11+tomcat9) and it 
> works well with the same conf (deps+cas.properties).
>
> My extra deps are (I also tried to disable surrogate, MFAs, etc.):
> implementation 
> "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-redis-ticket-registry:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-redis-service-registry:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-aup-webflow:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-aup-ldap:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-core-monitor:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-reports:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-discovery-profile:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-throttle-bucket4j:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-surrogate-webflow:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-surrogate-authentication-ldap:${project.'cas.version'}"
>
> // ### MFA ###
> //MFA TOTP
> implementation 
> "org.apereo.cas:cas-server-support-gauth:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-gauth-redis:${project.'cas.version'}"
>
> // MFA FIDO2 WEBAUTHN
> implementation 
> "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"
>
> //MFA TRUSTED DEVICE
> implementation 
> "org.apereo.cas:cas-server-support-trusted-mfa:${project.'cas.version'}"
> implementation 
> "org.apereo.cas:cas-server-support-trusted-mfa-redis:${project.'cas.version'}"
>
> Here is the fullstack :
>
> =
> WHO: audit:unknown
> WHAT: {source=RankedMultifactorAuthenticationProviderWebflowEventResolver, 
> event=success, timestamp=Wed Apr 12 12:17:37 CEST 2023}
> ACTION: AUTHENTICATION_EVENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Wed Apr 12 12:17:37 CEST 2023
> CLIENT IP ADDRESS: xxx.yyy.zzz.www
> SERVER IP ADDRESS: 127.0.0.1
> =
>
> >
> 2023-04-12 12:17:43,128 DEBUG 
> [org.apereo.cas.web.flow.CasFlowHandlerMapping] -  [FlowHandlerMapping.DefaultFlowHandler@424002d]>
> 2023-04-12 12:17:43,128 DEBUG 
> [org.apereo.cas.web.flow.CasFlowHandlerMapping] -  [FlowHandlerMapping.DefaultFlowHandler@2630561b]>
> 2023-04-12 12:17:43,132 DEBUG 
> [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver]
>  
> - 
> 2023-04-12 12:17:43,147 WARN 
> [org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher] 
> -  [{principal=frederic.dussurget, aupAccepted=[true], cn=[Frederic 
> Dussurget], displayName=[Frederic Dussurget], eduPersonPrincipalName=[
> frederic@ad.myorganization.fr], givenName=[Frédéric], mail=[
> frederic@myorganization.fr], 
> memberOf=[CN=CasSurogate-Pierre.Michu,OU=Surrogate,OU=CAS,OU=Groupes,DC=ad,DC=myorganization,DC=fr],
>  
> msDS-UserPasswordExpiryTimeComputed=[133488381091429409], 
> pwdLastS

[cas-user] latest v7.0.0-SNAPSHOT CreateTicketGrantingTicketAction Issue

2023-04-12 Thread Frédéric Dussurget
Hi, 
I have been facing a new issue on the latest master branch since I 
recompiled everything from cas-overlay-template v7.0.0-SNAPSHOT from Github 
last week (around April 6th or 7th 2023)

After tweaking gradle.properties, I can state that :
version=7.0.0-RC3 Works
version=7.0.0-RC4 does not because of some other environment reasons
version=7.0.0-RC5 Works
version=7.0.0-SNAPSHOT does not work 

With the latest 7.0.0-SNAPSHOT I have this error 500 after login 
(/cas/login or any existing CasRegisteredService) :
org.springframework.webflow.execution.ActionExecutionException: Exception 
thrown executing 
org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction@1daa4a1b in 
state 'createTicketGrantingTicket' of flow 'login' -- action execution 
attributes were 'map[[empty]]'
(see fullstack at the bottom)

My context is master 7.0.0, jdk 17, tomcat 10.1.7 (not bundled). 
For the test, I also rolled back to the latest 6.6 (+jdk11+tomcat9) and it 
works well with the same conf (deps+cas.properties).

My extra deps are (I also tried to disable surrogate, MFAs, etc.):
implementation 
"org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-support-redis-ticket-registry:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-support-redis-service-registry:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-support-aup-webflow:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-support-aup-ldap:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-core-monitor:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-support-reports:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-support-discovery-profile:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-support-throttle-bucket4j:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-support-surrogate-webflow:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-support-surrogate-authentication-ldap:${project.'cas.version'}"

// ### MFA ###
//MFA TOTP
implementation 
"org.apereo.cas:cas-server-support-gauth:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-support-gauth-redis:${project.'cas.version'}"

// MFA FIDO2 WEBAUTHN
implementation 
"org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"

//MFA TRUSTED DEVICE
implementation 
"org.apereo.cas:cas-server-support-trusted-mfa:${project.'cas.version'}"
implementation 
"org.apereo.cas:cas-server-support-trusted-mfa-redis:${project.'cas.version'}"

Here is the fullstack :

=
WHO: audit:unknown
WHAT: {source=RankedMultifactorAuthenticationProviderWebflowEventResolver, 
event=success, timestamp=Wed Apr 12 12:17:37 CEST 2023}
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Wed Apr 12 12:17:37 CEST 2023
CLIENT IP ADDRESS: xxx.yyy.zzz.www
SERVER IP ADDRESS: 127.0.0.1
=

>
2023-04-12 12:17:43,128 DEBUG 
[org.apereo.cas.web.flow.CasFlowHandlerMapping] - 
2023-04-12 12:17:43,128 DEBUG 
[org.apereo.cas.web.flow.CasFlowHandlerMapping] - 
2023-04-12 12:17:43,132 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver]
 
- 
2023-04-12 12:17:43,147 WARN 
[org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher] 
- 
2023-04-12 12:17:43,149 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
2023-04-12 12:17:43,150 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
 
- 
2023-04-12 12:17:43,150 DEBUG 
[org.apereo.cas.web.flow.authentication.BaseMultifactorAuthenticationProviderEventResolver]
 
- 
2023-04-12 12:17:43,150 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
 
- 
2023-04-12 12:17:43,150 DEBUG 
[org.apereo.cas.web.flow.authentication.BaseMultifactorAuthenticationProviderEventResolver]
 
- 
2023-04-12 12:17:43,150 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
 
- 
2023-04-12 12:17:43,150 DEBUG 
[org.apereo.cas.web.flow.authentication.BaseMultifactorAuthenticationProviderEventResolver]
 
- 
2023-04-12 12:17:43,150 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
 
- 
2023-04-12 12:17:43,150 DEBUG 
[org.apereo.cas.web.flow.authentication.BaseMultifactorAuthenticationProviderEventResolver]
 
- 
2023-04-12 12:17:43,150 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
 
- 
2023-04-12 12:17:43,150 DEBUG 
[org.apereo.cas.web.flow.authentication.BaseMultifactorAuthenticationProviderEventResolver]
 
- 
2023-04-12 12:17:43,150 DEBUG 

Re: [cas-user] CAS 6.6.x WebAuthn Registration Failing,

2023-04-06 Thread Frédéric Dussurget

Hi,
I'm now able to register my webauthn device, to login, and trust my device.

What I noticed is that the allowed-origins (device registering) property 
and application-id extension (connect) seem now mandatory to me, (though it 
was not in 6.5.9).
Without those two settings, I'm stuck.

  web-authn:
    core:
      relying-party-id: mydomain.fr
      relying-party-name: myrpname
      allowed-origins: https://cas-dev.mydomain.fr
      trusted-device-enabled: true
      application-id: https://cas-dev.mydomain.fr/test

First, I want to say that I thank you all for your precious advice! 
(@PreAuthorize("isAuthenticated()") + WebAuthnConfiguration.java trick)
This won't go in production right now, because I wonder about the security 
impact when accessing the webauthn/register endpoint ... ?

Regards,
Le mercredi 29 mars 2023 à 16:15:00 UTC+2, John a écrit :

> What does your cas.log state for error? Are you using a valid ssl 
> certificate, cas host name matches what's in config? Also, in 7.x/master you 
> have to edit this,
>
>
> https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437
>
> with the below,
>
> return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN + 
> WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE,
> WebAuthnController.BASE_ENDPOINT_WEBAUTHN + 
> WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER);
>
> There's actually 2 bugs, maybe more. One is the PreAuthorize and the other 
> is CSRF related to spring 6/spring boot 3 and possible another bug. I fixed 
> the csrf issue and still working through the other as time permits.
>
>
> On Wednesday, March 29, 2023 at 4:29:34 AM UTC-5 dussu...@gmail.com wrote:
>
>> Thank you, you saved me lots of time, actually I needed those two :
>> implementation "org.springframework.security:spring-security-config"
>> implementation "org.springframework.security:spring-security-web"
>>
>> But I still have a JS issue (JSON.Parse) when registering my device :
>>
>> "Registration failed SyntaxError: JSON.parse: unexpected non-digit at 
>> line 1 column 2 of the JSON data" after the POST request on 
>> https://cas-xx.xxx.fr/cas/webauthn/register.
>> (Chrome says the same: Registration failed SyntaxError: No number after 
>> minus sign in JSON at position 1.)
>>
>> The error is caught here : 
>> # register https://cas-xx.xx.fr/cas/js/webauthn/webauthn.js:477.
>> # (Asynchrone : promise callback) / register 
>> https://cas-xx..fr/cas/js/webauthn/webauthn.js:475
>> # 
>> https://cas-xx.xx.fr/cas/login?service=https://node-cas-x.addomain.xxx.fr:9446/sample/=true:390
>> .
>>
>> (The webapp is an instance of cas-sample-java-webapp running on port 
>> 9446.)
>>
>> About JSON.Parse :
>> https://cas/login?service=https://x:9446/sample/=true at 
>> lines 386 and 390 : register(username, displayName, credentialNickname, 
>> csrfToken);
>>
>> In my browser debugger, data seems present, as I can see them parsed by 
>> the function getRegisterRequest in webauthn.js line 327:
>>
>> arguments: Arguments
>> 0: {…}
>> authenticate: "webauthn/authenticate"
>> register: "webauthn/register"
>> : {…}
>> 1: "frederic.dussurget"
>> 2: "Frederic Dussurget"
>> 3: "wonderful_borg"
>> 4: false
>> callee:
>> length: 5
>> Symbol(Symbol.iterator):values()
>> : ()
>> : ()
>> : {…
>> credentialNickname: "wonderful_borg"
>> displayName: "Frederic Dussurget"
>> requireResidentKey: false
>> urls: {…}
>> authenticate: "webauthn/authenticate"
>> register: "webauthn/register"
>> : {…}
>> username: "frederic.dussurget"
>>
>> If you guys have any idea ...
>> Regards,
>> Le vendredi 24 mars 2023 à 04:57:51 UTC+1, John a écrit :
>>
>>> Spring security and probably one or 2 of the webauthn, I don't remember at 
>>> the moment with looking at local commit history but here is all from gradle,
>>>
>>>
>>> /** Core **/
>>> implementation 
>>> "org.apereo.cas:cas-server-core-api-configuration-model"
>>> implementation "org.apereo.cas:cas-server-core-api-mfa"
>>> implementation "org.apereo.cas:cas-server-core-events-configuration"
>>> implementation "org.apereo.cas:cas-server-core-notifications"
>>> implementation "org.apereo.cas:cas-server-core-authentication"
>>> implementation "org.apereo.cas:cas-server-core-authentication-api"
>>> implementation 
>>> "org.apereo.cas:cas-server-core-authentication-mfa-api"
>>> implementation "org.apereo.cas:cas-server-core-util"
>>> implementation "org.apereo.cas:cas-server-core-web-api"
>>> implementation "org.apereo.cas:cas-server-core-webflow"
>>> implementation "org.apereo.cas:cas-server-core-webflow-api"
>>> implementation "org.apereo.cas:cas-server-core-webflow-mfa-api"
>>> implementation "org.apereo.cas:cas-server-webapp"
>>> implementation "org.apereo.cas:cas-server-webapp-init"
>>> implementation "org.apereo.cas:cas-server-webapp-config"

Re: [cas-user] CAS 6.6.x WebAuthn Registration Failing,

2023-03-29 Thread Frédéric Dussurget
Thank you, you saved me lots of time, actually I needed those two :
implementation "org.springframework.security:spring-security-config"
implementation "org.springframework.security:spring-security-web"

But I still have a JS issue (JSON.Parse) when registering my device :

"Registration failed SyntaxError: JSON.parse: unexpected non-digit at line 
1 column 2 of the JSON data" after the POST request on 
https://cas-xx.xxx.fr/cas/webauthn/register.
(Chrome says the same: Registration failed SyntaxError: No number after 
minus sign in JSON at position 1.)

The error is caught here : 
# register https://cas-xx.xx.fr/cas/js/webauthn/webauthn.js:477.
# (Asynchrone : promise callback) / register 
https://cas-xx..fr/cas/js/webauthn/webauthn.js:475
# 
https://cas-xx.xx.fr/cas/login?service=https://node-cas-x.addomain.xxx.fr:9446/sample/=true:390.

(The webapp is an instance of cas-sample-java-webapp running on port 9446.)

About JSON.Parse :
https://cas/login?service=https://x:9446/sample/=true at 
lines 386 and 390 : register(username, displayName, credentialNickname, 
csrfToken);

In my browser debugger, data seems present, as I can see them parsed by the 
function getRegisterRequest in webauthn.js line 327:

arguments: Arguments
0: {…}
authenticate: "webauthn/authenticate"
register: "webauthn/register"
: {…}
1: "frederic.dussurget"
2: "Frederic Dussurget"
3: "wonderful_borg"
4: false
callee:
length: 5
Symbol(Symbol.iterator):values()
: ()
: ()
: {…
credentialNickname: "wonderful_borg"
displayName: "Frederic Dussurget"
requireResidentKey: false
urls: {…}
authenticate: "webauthn/authenticate"
register: "webauthn/register"
: {…}
username: "frederic.dussurget"

If you guys have any idea ...
Regards,
Le vendredi 24 mars 2023 à 04:57:51 UTC+1, John a écrit :

> Spring security and probably one or 2 of the webauthn, I don't remember at 
> the moment with looking at local commit history but here is all from gradle,
>
>
> /** Core **/
> implementation "org.apereo.cas:cas-server-core-api-configuration-model"
> implementation "org.apereo.cas:cas-server-core-api-mfa"
> implementation "org.apereo.cas:cas-server-core-events-configuration"
> implementation "org.apereo.cas:cas-server-core-notifications"
> implementation "org.apereo.cas:cas-server-core-authentication"
> implementation "org.apereo.cas:cas-server-core-authentication-api"
> implementation "org.apereo.cas:cas-server-core-authentication-mfa-api"
> implementation "org.apereo.cas:cas-server-core-util"
> implementation "org.apereo.cas:cas-server-core-web-api"
> implementation "org.apereo.cas:cas-server-core-webflow"
> implementation "org.apereo.cas:cas-server-core-webflow-api"
> implementation "org.apereo.cas:cas-server-core-webflow-mfa-api"
> implementation "org.apereo.cas:cas-server-webapp"
> implementation "org.apereo.cas:cas-server-webapp-init"
> implementation "org.apereo.cas:cas-server-webapp-config"
>
> /** Rest Plugins **/
> implementation 
> "org.apereo.cas:cas-server-support-configuration-cloud-rest"
> implementation "org.apereo.cas:cas-server-support-rest-authentication"
>
> /** LDAP Support **/
> implementation "org.apereo.cas:cas-server-support-ldap"
> implementation "org.apereo.cas:cas-server-support-pm-ldap"
> implementation "org.apereo.cas:cas-server-support-pm-rest"
>
> /** Database Support **/
> implementation "org.apereo.cas:cas-server-support-jdbc"
> implementation "org.apereo.cas:cas-server-support-jpa-util"
> implementation "mysql:mysql-connector-java:${project.mysqlVerison}"
> implementation 
> "com.microsoft.sqlserver:mssql-jdbc:${project.mssqlVersion}"
>
> /** Interrupt Support **/
> implementation "org.apereo.cas:cas-server-support-interrupt-webflow"
>
> /** Multifactor Auth **/
> implementation "org.apereo.cas:cas-server-support-gauth"
> implementation "org.apereo.cas:cas-server-support-gauth-ldap"
> implementation "org.apereo.cas:cas-server-support-webauthn"
> implementation "org.apereo.cas:cas-server-support-webauthn-ldap"
> implementation "org.apereo.cas:cas-server-support-webauthn-core"
> implementation 
> "org.apereo.cas:cas-server-support-webauthn-core-webflow"
> implementation "org.apereo.cas:cas-server-support-simple-mfa"
> implementation "org.apereo.cas:cas-server-support-trusted-mfa"
>
> /** Protocols **/
> implementation "org.apereo.cas:cas-server-support-ws-idp"
> implementation "org.apereo.cas:cas-server-support-saml-idp"
> implementation "org.apereo.cas:cas-server-support-saml-sp-integrations"
>
>
> /** Services **/
> /** implementation 
> "org.apereo.cas:cas-server-support-json-service-registry" **/
> implementation 
> "org.apereo.cas:cas-server-support-rest-service-registry"
>
> implementation 
> "org.springframework.security:spring-security-config:5.7.3"
> implementation 
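
The "JSON.parse: unexpected non-digit" / "No number after minus sign" errors quoted above are what happens when webauthn.js feeds a non-JSON error body (the 403 from the CSRF filter, or a 401 from the isAuthenticated() check discussed in this thread) straight into JSON.parse. As an added illustration, not code from the CAS project or from this thread's webauthn.js, here is a hypothetical classifyRegisterResponse() helper that checks HTTP status and Content-Type before parsing, so the real cause is reported. The sample replies are constructed, and the shape of a successful register response is assumed.

```javascript
// Added example, not code from the CAS project or from the thread's webauthn.js.
// classifyRegisterResponse() is a hypothetical helper: it inspects the HTTP status
// and Content-Type of the reply to POST /cas/webauthn/register before calling
// JSON.parse, so that a 401/403 produced by the CSRF filter or the
// @PreAuthorize("isAuthenticated()") check is reported as an HTTP error instead of
// the cryptic "SyntaxError: ... JSON" messages the thread shows.
function classifyRegisterResponse(status, contentType, body) {
  const type = (contentType || "").toLowerCase();

  if (status < 200 || status >= 300) {
    // The thread's CsrfFilter log shows a 403 for a missing/invalid _csrf token;
    // the isAuthenticated() rejection is a 401. Neither body is JSON.
    return { ok: false, reason: "http", status, detail: body.slice(0, 120) };
  }
  if (!type.startsWith("application/json")) {
    // A 2xx that is not JSON (e.g. an HTML login page) is still not a register response.
    return { ok: false, reason: "content-type", status, detail: type };
  }
  try {
    return { ok: true, status, data: JSON.parse(body) };
  } catch (err) {
    // Only reached for a 2xx JSON-typed reply whose body is still malformed.
    return { ok: false, reason: "parse", status, detail: err.message };
  }
}

// What an unconditional JSON.parse(body) does with a non-JSON error body; this is
// where the thread's "Registration failed SyntaxError" messages come from.
function naiveParseThrows(body) {
  try {
    JSON.parse(body);
    return false;
  } catch (err) {
    return err instanceof SyntaxError;
  }
}

// Constructed sample replies (not captured from a real CAS server):
// [status, content-type, body].
const SAMPLES = {
  success: [200, "application/json", '{"request":{"username":"alice","credentialNickname":"key1"}}'],
  csrfRejected: [403, "text/plain", "-- forbidden: invalid CSRF token --"],
  htmlLogin: [200, "text/html", "<html><body>login</body></html>"],
};

// Classify every sample; returns a name -> result map.
function demo() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, args]) => [name, classifyRegisterResponse(...args)])
  );
}
```

In a real page the helper would be called with `response.status`, `response.headers.get("content-type")` and `await response.text()` from the fetch() that posts the registration request; with that ordering a SyntaxError can only come from a 2xx JSON reply with a malformed body, and a CSRF or authorization rejection is logged with its status code.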

Re: [cas-user] CAS 6.6.x WebAuthn Registration Failing,

2023-03-23 Thread Frédéric Dussurget
Hi, I've got quite the same issue : it works perfectly with CAS 6.5.9 but 
not on 6.6 nor on the master branch 7.x. 
On 6.6, after basic auth, a popup asks for the Yubikey pin and then, when I 
press the register button, the flow breaks at POST 
https://xxx.xx/cas/webauthn/register/finish. 
(FF : err 400 strict-origin-when-cross-origin)

(The service app I use for my tests is the same when I went thru every CAS 
version)

webAuthnDevices.access endpoint is AUTHENTICATED in my cas.yml just as you 
did

here is my build.gradle webauthn section :
// MFA FIDO2 WEBAUTHN
implementation "org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-webauthn-core:${project.'cas.version'}" 
(this one in order to comment out @PreAuthorize("isAuthenticated()") as 
you did in src/main/java/org/apereo/cas/webauthn/web/WebAuthnController.java)

//MFA TRUSTED DEVICE
implementation "org.apereo.cas:cas-server-support-trusted-mfa:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-trusted-mfa-redis:${project.'cas.version'}"

(John, what are the extra dependencies that you implement in your 
build.gradle cas overlay to be able to modify the 
src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java ? Compilation breaks)

Regards,


Le jeudi 16 mars 2023 à 04:25:47 UTC+1, John a écrit :

> Circling back to this, it also fails on 7.x current and master. Same 
> issue, I believe I have found the source which is related to the csrf 
> token. It works by excluding the /register from csrf to the ignored 
> endpoints on 
>
>
> https://github.com/apereo/cas/blob/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java#L437
>
> with the below,
>
> return List.of(WebAuthnController.BASE_ENDPOINT_WEBAUTHN + 
> WebAuthnController.WEBAUTHN_ENDPOINT_AUTHENTICATE,
> WebAuthnController.BASE_ENDPOINT_WEBAUTHN + 
> WebAuthnController.WEBAUTHN_ENDPOINT_REGISTER);
>
>
>
>
>
> On Monday, February 6, 2023 at 9:53:31 PM UTC-6 John wrote:
>
>> Since we don't use any of the actuators, all disabled except for whatever 
>> cas sets as default, I am leaving my change by commenting out 
>> @PreAuthorize("isAuthenticated()") in WebAuthnController.java. I'm just 
>> going along finishing upgrade testing for us and will circle back to this 
>> later before we upgrade prod.
>>
>> However, I do see some changes made below, I haven't had time to test if 
>> it will resolve this issue yet, maybe it will be part of next 7.x RC but 
>> for now its only in master. If I get some time I will switch to master and 
>> give it a go.
>>
>>
>> https://github.com/apereo/cas/commits/master/support/cas-server-support-webauthn/src/main/java/org/apereo/cas/config/WebAuthnConfiguration.java
>>
>>
>> On Friday, February 3, 2023 at 7:11:44 AM UTC-6 micha...@gmail.com wrote:
>>
>>> Yes, I have the same registration issue.
>>>
>>> I thought I had caused this error by meddling with the spring security 
>>> settings, but it looks like it is not the case.
>>>
>>> However, after setting up spring security for the webAuthnDevices 
>>> actuator like this
>>>
>>> spring.security.user.name=XXX
>>> spring.security.user.password=YYY
>>> cas.monitor.endpoints.endpoint.webAuthnDevices.access=AUTHENTICATED
>>>
>>>
>>> then registration starts to work, but requires HTTP basic authentication.
>>>
>>>
>>> This is the spring security filter chain for the /webauthn/register endpoint 
>>> without any additional configuration:
>>>
>>> Security filter chain: [
>>>   ChannelProcessingFilter
>>>   WebAsyncManagerIntegrationFilter
>>>   CorsFilter
>>>   CsrfFilter
>>>   SecurityContextHolderAwareRequestFilter
>>>   AnonymousAuthenticationFilter
>>>   ExceptionTranslationFilter
>>>   AuthorizationFilter
>>> ]
>>>
>>> And the chain with the spring security settings as above:
>>>
>>> Security filter chain: [
>>>   ChannelProcessingFilter
>>>   WebAsyncManagerIntegrationFilter
>>>   CorsFilter
>>>   CsrfFilter
>>>   BasicAuthenticationFilter
>>>   SecurityContextHolderAwareRequestFilter
>>>   AnonymousAuthenticationFilter
>>>   ExceptionTranslationFilter
>>>   AuthorizationFilter
>>> ]
>>>
>>> I would say that
>>>
>>>   1) setting the actuator access really influences the processing for the 
>>> registration endpoint (and it should not), 
>>>
>>>   2) using PERMIT or ANONYMOUS is not enough to make it work, as perhaps 
>>> it does not satisfy the @PreAuthorize("isAuthenticated()") requirement
>>>
>>> I wonder how the registration endpoint should be authenticated; I guess 
>>> it can not be left unprotected