Re: [cas-user] log4j vulnerability remediation

2021-12-14 Thread Joe Manavalan
Thanks @robertoschwald

That worked for me as well

build.gradle
---
dependencies {
    compile "org.apache.logging.log4j:log4j-api:2.15.0"
    compile "org.apache.logging.log4j:log4j-core:2.15.0"
    compile "org.apache.logging.log4j:log4j-jcl:2.15.0"
    compile "org.apache.logging.log4j:log4j-jul:2.15.0"
    compile "org.apache.logging.log4j:log4j-web:2.15.0"
    compile "org.apache.logging.log4j:log4j-slf4j18-impl:2.15.0"
}

bootWar {
    entryCompression = ZipEntryCompression.STORED
    overlays {
        cas {
            from "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war"
            provided = false
            excludes = ["WEB-INF/lib/log4j-*-2.12.1.jar"]
        }
    }
}

On Tuesday, December 14, 2021 at 10:41:32 AM UTC-6 robertoschwald wrote:

> We had the same problem and we did the following:
>
> 1. Overwrite BOM defined version in gradle.properties
>
> # BOM overwritten versions
> # CVE-2021-44228 critical fix in 2.15.0.
> # 2.16.0 further secures.
> # See https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4
> log4j2.version=2.16.0
>
> 2. add the dependencies to build.gradle
> We use a fairly old CAS Server, so we use these deps. Normally, you do not 
> have to state the ones which have no version; they are taken with the version 
> you defined in the log4j2.version variable, but we stated them explicitly, so 
> one knows what artifacts are affected.
>
> // Log4j2 critical security flaw fixed in 2.15.0
> compile "org.apache.logging.log4j:log4j-api"
> compile "org.apache.logging.log4j:log4j-core"
> compile "org.apache.logging.log4j:log4j-jcl:${project.'log4j2.version'}"
> compile "org.apache.logging.log4j:log4j-slf4j-impl"
> compile "org.apache.logging.log4j:log4j-web:${project.'log4j2.version'}"
>
> 3. Exclude the old dependencies from war-overlay
> This is an important step.
> As you get the dependencies from the original, overlayed war file, you 
> must exclude them in the war task, so only your versions are taken.
>
> war {
> ...
>   // exclusion list of all dependencies contained in the original cas-WAR for which we use newer versions.
>   // You must exclude all of them, otherwise we get duplicate dependencies in our cas.war !
>   // log4j2 insecure version remove. See above.
>   exclude "WEB-INF/lib/log4j-*-2.12.1.jar"
>   exclude "WEB-INF/lib/jul-to-slf4j-1.7.32.jar"
>   exclude "WEB-INF/lib/slf4j-api-1.7.32.jar"
> }
>
> Hope that helps.
>
>
>
> On 14.12.2021 at 17:25, Jeffrey Ramsay wrote:
>
> Same experience.
>
> On Tue, Dec 14, 2021 at 11:02 AM apereo_cas_user  
> wrote:
>
>> We use cas 6.1.7 overlay template [still in pre-prod] for delegated 
>> authentication.
>> As a temp solution we replaced log4j 2.12.1 with 2.15.0 manually and 
>> bounced tomcat.
>> Is there a way we can exclude 2.12.1 from the build? [I can pull in 
>> 2.15.0 by adding in build.gradle but conflict with 2.12.1]. We have issues 
>> when upgrading to 6.3.7.2
>>
>> Thanks
>>
>>
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+u...@apereo.org.
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/affbd618-e1e6-427f-b333-e00ca54bf1aen%40apereo.org
>>
>


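Added example (not part of the original thread and not code from the CAS project): a Python check to run against the built WAR to confirm that the exclusion step described above worked, i.e. that no log4j-* jar older than the chosen minimum and no duplicate log4j artifact remains under WEB-INF/lib. The function names, the default minimum of 2.16.0 (taken from the log4j2.version value quoted above) and the in-memory sample WARs are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# WEB-INF/lib/log4j-core-2.12.1.jar -> artifact "log4j-core", version "2.12.1".
# Only plain release versions (digits and dots) are recognised.
LOG4J_JAR = re.compile(r"^WEB-INF/lib/(log4j-[a-z0-9.-]+?)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.12.1' into (2, 12, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit_war(war, minimum="2.16.0"):
    """Inspect a WAR (path or file object) and return (outdated, duplicated).

    outdated   - sorted 'artifact-version' names below `minimum`
    duplicated - sorted artifacts present in more than one version, which is
                 what happens when the overlay's own jars are not excluded
    """
    floor = parse_version(minimum)
    versions = {}
    with zipfile.ZipFile(war) as archive:
        for entry in archive.namelist():
            match = LOG4J_JAR.match(entry)
            if match:
                versions.setdefault(match.group(1), set()).add(match.group(2))
    outdated = sorted(
        f"{artifact}-{version}"
        for artifact, found in versions.items()
        for version in found
        if parse_version(version) < floor
    )
    duplicated = sorted(a for a, found in versions.items() if len(found) > 1)
    return outdated, duplicated


def build_sample_war(jar_names):
    """Constructed input: an in-memory WAR holding empty jars with these names."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name in jar_names:
            archive.writestr(f"WEB-INF/lib/{name}", b"")
    buffer.seek(0)
    return buffer


# Constructed sample: new versions added as dependencies, overlay jars not excluded.
UNFIXED = [
    "log4j-api-2.12.1.jar", "log4j-core-2.12.1.jar",
    "log4j-api-2.16.0.jar", "log4j-core-2.16.0.jar",
    "log4j-web-2.16.0.jar", "slf4j-api-1.7.32.jar",
]
# Constructed sample: same build after excluding WEB-INF/lib/log4j-*-2.12.1.jar.
FIXED = [
    "log4j-api-2.16.0.jar", "log4j-core-2.16.0.jar",
    "log4j-web-2.16.0.jar", "slf4j-api-1.7.32.jar",
]

if __name__ == "__main__":
    for label, jars in (("without exclude", UNFIXED), ("with exclude", FIXED)):
        outdated, duplicated = audit_war(build_sample_war(jars))
        print(f"{label}: outdated={outdated} duplicated={duplicated}")
```

To check a real build, pass the path of the generated WAR to audit_war() and fail the pipeline when either list is non-empty.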
[cas-user] HikariPool-1 connection has passed maxLifetime

2021-01-31 Thread Joe Manavalan
Upgrading from jasig cas 3.4 to 6.1 using  cas.authn.pac4j.oauth2  and jpa 
registry
Following is my connection pool setting

cas.ticket.registry.jpa.failFastTimeout=1
#cas.ticket.registry.jpa.healthQuery=SELECT 1
cas.ticket.registry.jpa.isolateInternalQueries=false
cas.ticket.registry.jpa.leakThreshold=10
cas.ticket.registry.jpa.batchSize=25
cas.ticket.registry.jpa.jpaLockingTimeout=3600
cas.ticket.registry.jpa.pool.minSize=10
cas.ticket.registry.jpa.pool.maxSize=18

Is there a setting to resolve the connection pool issue? It seems all the 
connections reach max life more or less around the same time, and the pool 
becomes empty and the server stops responding with an SQL error thereafter.


2021-01-30 14:41:02,135 DEBUG [com.zaxxer.hikari.pool.HikariPool] - 

2021-01-30 14:41:02,135 DEBUG [com.zaxxer.hikari.pool.HikariPool] - 

2021-01-30 15:26:02,159 DEBUG [com.zaxxer.hikari.pool.HikariPool] - 

2021-01-30 15:26:02,159 DEBUG [com.zaxxer.hikari.pool.HikariPool] - 

2021-01-30 15:26:13,339 DEBUG [com.zaxxer.hikari.pool.PoolBase] - 

2021-01-30 15:26:32,159 DEBUG [com.zaxxer.hikari.pool.HikariPool] - 

2021-01-30 15:26:32,159 DEBUG [com.zaxxer.hikari.pool.HikariPool] - 

2021-01-30 15:30:46,183 DEBUG [com.zaxxer.hikari.pool.PoolBase] - 

2021-01-30 15:30:11,432 DEBUG [com.zaxxer.hikari.pool.PoolBase] - 

2021-01-30 15:30:32,161 DEBUG [com.zaxxer.hikari.pool.HikariPool] - 

2021-01-30 15:30:32,161 DEBUG [com.zaxxer.hikari.pool.HikariPool] - 

2021-01-30 15:31:02,161 DEBUG [com.zaxxer.hikari.pool.HikariPool] - 

2021-01-30 15:31:02,161 DEBUG [com.zaxxer.hikari.pool.HikariPool] - 

2021-01-30 15:31:32,162 DEBUG [com.zaxxer.hikari.pool.HikariPool] - 

2021-01-30 15:31:32,162 DEBUG [com.zaxxer.hikari.pool.HikariPool] - 

2021-01-30 15:31:56,158 DEBUG [com.zaxxer.hikari.pool.HikariPool] - 

2021-01-30 15:31:56,160 WARN 
[org.hibernate.engine.jdbc.spi.SqlExceptionHelper] - 
2021-01-30 15:31:56,160 ERROR 
[org.hibernate.engine.jdbc.spi.SqlExceptionHelper] - 
2021-01-30 15:31:56,240 ERROR 
[org.apereo.cas.config.CasCoreTicketsSchedulingConfiguration] - 
org.springframework.transaction.CannotCreateTransactionException: Could not 
open JPA EntityManager for transaction; nested exception is 
org.hibernate.exception.JDBCConnectionException: Unable to acquire JDBC 
Connection
at 
org.springframework.orm.jpa.JpaTransactionManager.doBegin(JpaTransactionManager.java:447)
 
~[spring-orm-5.2.0.RELEASE.jar:5.2.0.RELEASE]
Thanks in advance
Joe



Re: [cas-user] Jpa Connection pool settings

2021-01-11 Thread Joe Manavalan
Hi Tom

Connection details were intentionally removed here. Everything was working 
continuously for more than a month before it started showing the error. 
A restart of the server took care of the issue. But this is the second time 
in a few months. So I was wondering whether any connection-pool-related 
setting can resolve this or not.

On Monday, January 11, 2021 at 2:27:33 PM UTC-6 oneill wrote:

> Joe,
>
>  
>
> I don’t know if you removed it for security purposes but the error says 
> that the application timed out trying to connect to the database and your 
> settings are empty.
>
> It looks like your database URL (and other details) may be missing. 
>
> Either way, double check your cas.ticket.registry.jpa.url and the 
> corresponding port.
>
>  
>
> Good luck!
>
> Tom
>
>  
>
> *From:* cas-...@apereo.org  *On Behalf Of *Joe 
> Manavalan
> *Sent:* Monday, January 11, 2021 1:35 PM
> *To:* CAS Community 
> *Subject:* [EXT] [cas-user] Jpa Connection pool settings
>
>  
>
> Hi,
>
>  
>
> Is there a connection pool setting which can mitigate the below error ? 
> The server after running for few days, stops working with this error. 
>
> I am using  CAS 6.1 [overlay template] with  cas.authn.pac4j.oauth2  and 
> jpa registry 
>
>  
>
> Following is my current settings for ticket registry
>
>  
>
> cas.ticket.registry.jpa.driverClass=oracle.jdbc.OracleDriver
>
> cas.ticket.registry.jpa.dialect=org.hibernate.dialect.Oracle10gDialect
>
> cas.ticket.registry.jpa.jpaLockingTimeout=60
>
> cas.ticket.registry.jpa.autocommit=true
>
> cas.ticket.registry.jpa.ddl-auto=none
>
> cas.ticket.registry.jpa.user=
>
> cas.ticket.registry.jpa.password=
>
> cas.ticket.registry.jpa.url=
>
>  
>
> I was wondering if any of the following properties helps and was looking 
> for some documentation on these
>
>  
>
> cas.ticket.registry.jpa.failFastTimeout=
> cas.ticket.registry.jpa.healthQuery=SELECT 1
> cas.ticket.registry.jpa.isolateInternalQueries=
> cas.ticket.registry.jpa.leakThreshold=
> cas.ticket.registry.jpa.batchSize=
> cas.ticket.registry.jpa.jpaLockingTimeout=
>
> cas.ticket.registry.jpa.pool.minSize=6
>
> cas.ticket.registry.jpa.pool.maxSize=18
>
>  
>
>  
>
>  
>
> Caused by: java.sql.SQLTransientConnectionException: HikariPool-1 - Connection is not available, request timed out after 3ms.
>     at com.zaxxer.hikari.pool.HikariPool.createTimeoutException(HikariPool.java:697) ~[HikariCP-3.4.1.jar:?]
>     at com.zaxxer.hikari.pool.HikariPool.getConnection(HikariPool.java:196) ~[HikariCP-3.4.1.jar:?]
>     at com.zaxxer.hikari.pool.HikariPool.getConnection(HikariPool.java:161) ~[HikariCP-3.4.1.jar:?]
>     at com.zaxxer.hikari.HikariDataSource.getConnection(HikariDataSource.java:128) ~[HikariCP-3.4.1.jar:?]
>     at org.hibernate.engine.jdbc.connections.internal.DatasourceConnectionProviderImpl.getConnection(DatasourceConnectionProviderImpl.java:122) ~[hibernate-core-5.4.9.Final.jar:5.4.9.Final]
>     at org.hibernate.internal.NonContextualJdbcConnectionAccess.obtainConnection(NonContextualJdbcConnectionAccess.java:38) ~[hibernate-core-5.4.9.Final.jar:5.4.9.Final]
>     at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.acquireConnectionIfNeeded(LogicalConnectionManagedImpl.java:104) ~[hibernate-core-5.4.9.Final.jar:5.4.9.Final]
>     at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.getPhysicalConnection(LogicalConnectionManagedImpl.java:134) ~[hibernate-core-5.4.9.Final.jar:5.4.9.Final]
>     at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.getConnectionForTransactionManagement(LogicalConnectionManagedImpl.java:250) ~[hibernate-core-5.4.9.Final.jar:5.4.9.Final]
>     at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.begin(LogicalConnectionManagedImpl.java:258) ~[hibernate-core-5.4.9.Final.jar:5.4.9.Final]
>     at org.hibernate.resource.transaction.backend.jdbc.internal.JdbcResourceLocalTransactionCoordinatorImpl$TransactionDriverControlImpl.begin(JdbcResourceLocalTransactionCoordinatorImpl.java:246) ~[hibernate-core-5.4.9.Final.jar:5.4.9.Final]
>     at org.hibernate.engine.transaction.internal.TransactionImpl.begin(TransactionImpl.java:83) ~[hibernate-core-5.4.9.Final.jar:5.4.9.Final]
>     at org.springframework.orm.jpa.vendor.HibernateJpaDialect.beginTransacti

[cas-user] Jpa Connection pool settings

2021-01-11 Thread Joe Manavalan
Hi,

Is there a connection pool setting which can mitigate the below error? The 
server, after running for a few days, stops working with this error. 
I am using CAS 6.1 [overlay template] with cas.authn.pac4j.oauth2 and 
jpa registry.

Following are my current settings for ticket registry

cas.ticket.registry.jpa.driverClass=oracle.jdbc.OracleDriver
cas.ticket.registry.jpa.dialect=org.hibernate.dialect.Oracle10gDialect
cas.ticket.registry.jpa.jpaLockingTimeout=60
cas.ticket.registry.jpa.autocommit=true
cas.ticket.registry.jpa.ddl-auto=none
cas.ticket.registry.jpa.user=
cas.ticket.registry.jpa.password=
cas.ticket.registry.jpa.url=

I was wondering if any of the following properties helps and was looking 
for some documentation on these

cas.ticket.registry.jpa.failFastTimeout=
cas.ticket.registry.jpa.healthQuery=SELECT 1
cas.ticket.registry.jpa.isolateInternalQueries=
cas.ticket.registry.jpa.leakThreshold=
cas.ticket.registry.jpa.batchSize=
cas.ticket.registry.jpa.jpaLockingTimeout=
cas.ticket.registry.jpa.pool.minSize=6
cas.ticket.registry.jpa.pool.maxSize=18



Caused by: java.sql.SQLTransientConnectionException: HikariPool-1 - Connection is not available, request timed out after 3ms.
    at com.zaxxer.hikari.pool.HikariPool.createTimeoutException(HikariPool.java:697) ~[HikariCP-3.4.1.jar:?]
    at com.zaxxer.hikari.pool.HikariPool.getConnection(HikariPool.java:196) ~[HikariCP-3.4.1.jar:?]
    at com.zaxxer.hikari.pool.HikariPool.getConnection(HikariPool.java:161) ~[HikariCP-3.4.1.jar:?]
    at com.zaxxer.hikari.HikariDataSource.getConnection(HikariDataSource.java:128) ~[HikariCP-3.4.1.jar:?]
    at org.hibernate.engine.jdbc.connections.internal.DatasourceConnectionProviderImpl.getConnection(DatasourceConnectionProviderImpl.java:122) ~[hibernate-core-5.4.9.Final.jar:5.4.9.Final]
    at org.hibernate.internal.NonContextualJdbcConnectionAccess.obtainConnection(NonContextualJdbcConnectionAccess.java:38) ~[hibernate-core-5.4.9.Final.jar:5.4.9.Final]
    at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.acquireConnectionIfNeeded(LogicalConnectionManagedImpl.java:104) ~[hibernate-core-5.4.9.Final.jar:5.4.9.Final]
    at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.getPhysicalConnection(LogicalConnectionManagedImpl.java:134) ~[hibernate-core-5.4.9.Final.jar:5.4.9.Final]
    at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.getConnectionForTransactionManagement(LogicalConnectionManagedImpl.java:250) ~[hibernate-core-5.4.9.Final.jar:5.4.9.Final]
    at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.begin(LogicalConnectionManagedImpl.java:258) ~[hibernate-core-5.4.9.Final.jar:5.4.9.Final]
    at org.hibernate.resource.transaction.backend.jdbc.internal.JdbcResourceLocalTransactionCoordinatorImpl$TransactionDriverControlImpl.begin(JdbcResourceLocalTransactionCoordinatorImpl.java:246) ~[hibernate-core-5.4.9.Final.jar:5.4.9.Final]
    at org.hibernate.engine.transaction.internal.TransactionImpl.begin(TransactionImpl.java:83) ~[hibernate-core-5.4.9.Final.jar:5.4.9.Final]
    at org.springframework.orm.jpa.vendor.HibernateJpaDialect.beginTransaction(HibernateJpaDialect.java:184) ~[spring-orm-5.2.0.RELEASE.jar:5.2.0.RELEASE]
    at org.springframework.orm.jpa.JpaTransactionManager.doBegin(JpaTransactionManager.java:402) ~[spring-orm-5.2.0.RELEASE.jar:5.2.0.RELEASE]


Thanks in advance



[cas-user] Exclude HikariCP-java7-2.4.13.jar from war

2021-01-04 Thread Joe Manavalan
How do we exclude HikariCP-java7-2.4.13.jar from the generated war?
I am using CAS 6.1 [overlay template] with cas.authn.pac4j.oauth2 and jpa 
registry.
Server works fine on Windows and single node Unix boxes. But on clustered 
Unix environment some of the nodes throw an error as shown below and fail to 
come up.
If I manually delete HikariCP-java7-2.4.13.jar, server starts successfully.

Caused by: java.lang.AbstractMethodError: Receiver class com.zaxxer.hikari.metrics.micrometer.MicrometerMetricsTrackerFactory does not define or inherit an implementation of the resolved method abstract create(Ljava/lang/String;Lcom/zaxxer/hikari/metrics/PoolStats;)Lcom/zaxxer/hikari/metrics/MetricsTracker; of interface com.zaxxer.hikari.metrics.MetricsTrackerFactory

I tried a few changes to my build.gradle without success, including the one 
suggested at 
https://github.com/spring-projects/spring-boot/issues/16489

Any help appreciated.

thanks
Joe



[cas-user] Re: Suppress DDL

2020-11-10 Thread Joe Manavalan
Thank you. That took care of it.

On Friday, November 6, 2020 at 10:21:24 AM UTC-6 Misagh Moayyed wrote:

> See 
> https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties-Common.html#ddl-configuration
>
> and
>
> cas.ticket.registry.jpa.ddl-auto=none
>
> On Monday, November 2, 2020 at 8:12:05 PM UTC+4 joeman...@gmail.com wrote:
>
>> Using CAS 6.1 with  cas.authn.pac4j.oauth2  and jpa registry with the 
>> following configuration  .
>>
>> All the required default database tables are manually created
>> While starting tomcat after deploying the war, DDL gets executed and 
>> throws sql exception ("table already exist".) Application works without 
>> any error though.
>>
>> How do we suppress the DDL execution at start of application?
>>
>> I do have the following in cas.properties
>> cas.jdbc.genDdl=false
>> cas.ticket.registry.jpa.user=user
>> cas.ticket.registry.jpa.password=password
>> cas.ticket.registry.jpa.url=url
>> cas.ticket.registry.jpa.dialect=org.hibernate.dialect.Oracle10gDialect
>> cas.ticket.registry.jpa.jpaLockingTimeout=60
>> cas.ticket.registry.jpa.autocommit=true
>> cas.jdbc.genDdl=false
>>
>> Thanks in advance
>> Joe
>>
>



[cas-user] Suppress DDL

2020-11-02 Thread Joe Manavalan
Using CAS 6.1 with cas.authn.pac4j.oauth2 and jpa registry with the 
following configuration.

All the required default database tables are manually created.
While starting tomcat after deploying the war, DDL gets executed and throws 
sql exception ("table already exist"). Application works without any 
error though.

How do we suppress the DDL execution at start of application?

I do have the following in cas.properties
cas.jdbc.genDdl=false
cas.ticket.registry.jpa.user=user
cas.ticket.registry.jpa.password=password
cas.ticket.registry.jpa.url=url
cas.ticket.registry.jpa.dialect=org.hibernate.dialect.Oracle10gDialect
cas.ticket.registry.jpa.jpaLockingTimeout=60
cas.ticket.registry.jpa.autocommit=true
cas.jdbc.genDdl=false

Thanks in advance
Joe



Re: [cas-user] Redirection after authentication from https to http

2020-10-19 Thread Joe Manavalan
Thanks Ray for the response.
I did create the jar and copied to the lib folder of the project. When the 
war gets deployed, my custom jar is deployed instead of the one pulled in.
Since I am only specifying the versions of CAS and PAC4J, I was not sure 
whether there is a possibility of a different version of 
cas-server-support-pac4j-webflow-?.jar or scribejava-core-?.jar being 
pulled in, in the future.

Thanks
joe
On Thursday, September 17, 2020 at 11:21:44 AM UTC-5 Ray Bon wrote:

> Joe,
>
> If you built those jars, you can install them to your company repo with 
> gradle install.
> You then include them like all the others in the dependencies section. 
> Make sure you add your company repo to the repos section of build.gradle. 
> (It may have to be first in the list.)
>
>
> Ray
>
> On Wed, 2020-09-16 at 22:22 -0700, Joe Manavalan wrote:
>
>
> Hi Jerome, 
> Where do we add custom jars in the project to be included in the build ? I 
> am using cas overlay template 6.1, building war, and deploying in tomcat 
> [not embedded tomcat]
> Also how do we restrict specific version of jars being pulled in by Gradle 
> build ?
>
> After using custom JDKHttpClient with modified JDKHttpClientConfig using 
> proxy, redirection issue [https to http ] was resolved with replace method 
> in BaseDelegatedAuthenticationController 
> [val url = httpUrl.replace("http", "https");]
>
> So I need to use 2 custom jars 
> cas-server-support-pac4j-webflow-6.1.7.jar
> scribejava-core-6.9.0.jar
>
> Thanks
> Joe
>
>
> Thanks
> Joe
>
> On Tuesday, September 15, 2020 at 11:35:30 AM UTC-5 leleuj wrote:
>
> Hi, 
>
> In fact, I meant that you should set the *Proxy* in a specific 
> JDKHttpClientConfig and instantiate a specific JDKHttpClient with that. 
> Instead of using it directly for the *HttpURLConnection*.
> This may not be possible though... I haven't tested it...
> Thanks.
> Best regards,
> Jérôme
>
>
> On Tue, 15 Sept 2020 at 18:28, Joe Manavalan wrote:
>
> Hi Jerome, 
>
> For some reason 
> com.github.scribejava.core.httpclient.jdk.JDKHttpClient.java is not using 
> the proxy from jvm arguments even though the arguments are reaching the 
> class.
>
> Finally when I explicitly use a proxy in the connection, everything 
> works.  Do you think this is the right approach ? Or am I missing any 
> properties which is causing the client not to use proxy ?
>
> final Proxy proxy = new Proxy(Proxy.Type.HTTP, new 
> InetSocketAddress("proxy", 80));
> final HttpURLConnection connection = (HttpURLConnection) new 
> URL(completeUrl).openConnection(proxy);
>
> Thanks again for your tips. 
> Joe
>
> On Thursday, September 10, 2020 at 1:06:01 AM UTC-5 leleuj wrote:
>
> Hi, 
>
> pac4j relies on ScribeJava to handle the OAuth protocol communications.
> This library itself relies on an internal HTTP client for HTTP calls: by 
> default, it's the JDKHttpClient.
> And you can set a Proxy at this level. But this must be done 
> programmatically.
> You should put some breakpoint in the OAuth20Authenticator.
> Thanks.
> Best regards,
> Jérôme
>
>
> On Thu, 10 Sept 2020 at 05:30, Joe Manavalan wrote:
>
> Unfortunately I did not get any additional logs from  either of the 
> packages.  
>
> On Wednesday, September 9, 2020 at 5:45:55 AM UTC-5 leleuj wrote:
>
> Hi, 
>
> You should turn on DEBUG logs on org.pac4j and com.github.scribejava.
> Thanks.
> Best regards,
> Jérôme
>
>
> On Wed, 9 Sept 2020 at 06:42, Joe Manavalan wrote:
>
>
> Hi Jerome, 
> Are there any logs we can get to see the timed out request url?
> btw I tried adding the proxy host and port as jvm arguments with the same 
> connection timed out error.
>
> Thanks
> Joe
> On Tuesday, September 8, 2020 at 7:49:32 PM UTC-5 Joe Manavalan wrote:
>
>
> Hi Jerome, 
>
> It appears that the token server cannot be reached directly but has to go 
> via a proxy.
> Is there a property in cas to specify the proxy url and port ? or this has 
> to be a network settings on the server ?
>
> Thanks 
> Joe
> On Tuesday, September 8, 2020 at 1:00:12 AM UTC-5 leleuj wrote:
>
> Hi, 
>
> During the authentication process, CAS via pac4j tries to directly contact 
> the identity provider to retrieve the access token.
> The "connection timeout" means that the identity provider is not directly 
> reachable from the CAS server. Maybe a mismatch in the URL definition or a 
> proxy setting on the CAS se

Re: [cas-user] Redirection after authentication from https to http

2020-09-16 Thread Joe Manavalan
Hi Jerome,
Where do we add custom jars in the project to be included in the build ? I 
am using cas overlay template 6.1, building war, and deploying in tomcat 
[not embedded tomcat]
Also how do we restrict specific version of jars being pulled in by Gradle 
build ?

After using custom JDKHttpClient with modified JDKHttpClientConfig using 
proxy, redirection issue [https to http ] was resolved with replace method 
in BaseDelegatedAuthenticationController 
[val url = httpUrl.replace("http", "https");]

So I need to use 2 custom jars 
cas-server-support-pac4j-webflow-6.1.7.jar
scribejava-core-6.9.0.jar

Thanks
Joe


Thanks
Joe

On Tuesday, September 15, 2020 at 11:35:30 AM UTC-5 leleuj wrote:

> Hi,
>
> In fact, I meant that you should set the *Proxy* in a specific 
> JDKHttpClientConfig and instantiate a specific JDKHttpClient with that. 
> Instead of using it directly for the *HttpURLConnection*.
> This may not be possible though... I haven't tested it...
> Thanks.
> Best regards,
> Jérôme
>
>
> On Tue, 15 Sept 2020 at 18:28, Joe Manavalan wrote:
>
>> Hi Jerome,
>>
>> For some reason 
>> com.github.scribejava.core.httpclient.jdk.JDKHttpClient.java is not using 
>> the proxy from jvm arguments even though the arguments are reaching the 
>> class.
>>
>> Finally when I explicitly use a proxy in the connection, everything 
>> works.  Do you think this is the right approach ? Or am I missing any 
>> properties which is causing the client not to use proxy ?
>>
>> final Proxy proxy = new Proxy(Proxy.Type.HTTP, new 
>> InetSocketAddress("proxy", 80));
>> final HttpURLConnection connection = (HttpURLConnection) new 
>> URL(completeUrl).openConnection(proxy);
>>
>> Thanks again for your tips. 
>> Joe
>>
>> On Thursday, September 10, 2020 at 1:06:01 AM UTC-5 leleuj wrote:
>>
>>> Hi,
>>>
>>> pac4j relies on ScribeJava to handle the OAuth protocol communications.
>>> This library itself relies on an internal HTTP client for HTTP calls: by 
>>> default, it's the JDKHttpClient.
>>> And you can set a Proxy at this level. But this must be done 
>>> programmatically.
>>> You should put some breakpoint in the OAuth20Authenticator.
>>> Thanks.
>>> Best regards,
>>> Jérôme
>>>
>>>
>>> On Thu, 10 Sept 2020 at 05:30, Joe Manavalan wrote:
>>>
>>>> Unfortunately I did not get any additional logs from  either of the 
>>>> packages. 
>>>>
>>>> On Wednesday, September 9, 2020 at 5:45:55 AM UTC-5 leleuj wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> You should turn on DEBUG logs on org.pac4j and com.github.scribejava.
>>>>> Thanks.
>>>>> Best regards,
>>>>> Jérôme
>>>>>
>>>>>
>>>>> On Wed, 9 Sept 2020 at 06:42, Joe Manavalan wrote:
>>>>>
>>>>>>
>>>>>> Hi Jerome,
>>>>>> Are there any logs we can get to see the timed out request url?
>>>>>> btw I tried adding the proxy host and port as jvm arguments with the 
>>>>>> same connection timed out error.
>>>>>>
>>>>>> Thanks
>>>>>> Joe
>>>>>> On Tuesday, September 8, 2020 at 7:49:32 PM UTC-5 Joe Manavalan wrote:
>>>>>>
>>>>>>>
>>>>>>> Hi Jerome,
>>>>>>>
>>>>>>> It appears that the token server cannot be reached directly but has 
>>>>>>> to go via a proxy.
>>>>>>> Is there a property in cas to specify the proxy url and port ? or 
>>>>>>> this has to be a network settings on the server ?
>>>>>>>
>>>>>>> Thanks 
>>>>>>> Joe
>>>>>>> On Tuesday, September 8, 2020 at 1:00:12 AM UTC-5 leleuj wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> During the authentication process, CAS via pac4j tries to directly 
>>>>>>>> contact the identity provider to retrieve the access token.
>>>>>>>> The "connection timeout" means that the identity provider is not 
>>>>>>>> directly reachable from the CAS server. Maybe a mismatch in the URL 
>>>>>>>> definition or a pro

Re: [cas-user] Redirection after authentication from https to http

2020-09-15 Thread Joe Manavalan
Hi Jerome,

For some reason 
com.github.scribejava.core.httpclient.jdk.JDKHttpClient.java is not using 
the proxy from jvm arguments even though the arguments are reaching the 
class.

Finally when I explicitly use a proxy in the connection, everything works.  
Do you think this is the right approach ? Or am I missing any properties 
which is causing the client not to use proxy ?

final Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("proxy", 80));
final HttpURLConnection connection = (HttpURLConnection) new URL(completeUrl).openConnection(proxy);

Thanks again for your tips. 
Joe

On Thursday, September 10, 2020 at 1:06:01 AM UTC-5 leleuj wrote:

> Hi,
>
> pac4j relies on ScribeJava to handle the OAuth protocol communications.
> This library itself relies on an internal HTTP client for HTTP calls: by 
> default, it's the JDKHttpClient.
> And you can set a Proxy at this level. But this must be done 
> programmatically.
> You should put some breakpoint in the OAuth20Authenticator.
> Thanks.
> Best regards,
> Jérôme
>
>
> On Thu, 10 Sept 2020 at 05:30, Joe Manavalan wrote:
>
>> Unfortunately I did not get any additional logs from  either of the 
>> packages. 
>>
>> On Wednesday, September 9, 2020 at 5:45:55 AM UTC-5 leleuj wrote:
>>
>>> Hi,
>>>
>>> You should turn on DEBUG logs on org.pac4j and com.github.scribejava.
>>> Thanks.
>>> Best regards,
>>> Jérôme
>>>
>>>
>>> On Wed, 9 Sept 2020 at 06:42, Joe Manavalan wrote:
>>>
>>>>
>>>> Hi Jerome,
>>>> Are there any logs we can get to see the timed out request url?
>>>> btw I tried adding the proxy host and port as jvm arguments with the 
>>>> same connection timed out error.
>>>>
>>>> Thanks
>>>> Joe
>>>> On Tuesday, September 8, 2020 at 7:49:32 PM UTC-5 Joe Manavalan wrote:
>>>>
>>>>>
>>>>> Hi Jerome,
>>>>>
>>>>> It appears that the token server cannot be reached directly but has to 
>>>>> go via a proxy.
>>>>> Is there a property in cas to specify the proxy url and port ? or this 
>>>>> has to be a network settings on the server ?
>>>>>
>>>>> Thanks 
>>>>> Joe
>>>>> On Tuesday, September 8, 2020 at 1:00:12 AM UTC-5 leleuj wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> During the authentication process, CAS via pac4j tries to directly 
>>>>>> contact the identity provider to retrieve the access token.
>>>>>> The "connection timeout" means that the identity provider is not 
>>>>>> directly reachable from the CAS server. Maybe a mismatch in the URL 
>>>>>> definition or a proxy setting on the CAS server.
>>>>>> Thanks.
>>>>>> Best regards,
>>>>>> Jérôme
>>>>>>  
>>>>>>
>>>>>> Le mar. 8 sept. 2020 à 03:34, Joe Manavalan  a 
>>>>>> écrit :
>>>>>>
>>>>>>> Hi Jerome,
>>>>>>>
>>>>>>> For testing I set up the server name as the url. And now I have the 
>>>>>>> redirect url coming correctly but it's timing out when getting 
>>>>>>> authentication Object. Since the error is from pac4j, I also posted a 
>>>>>>> message in pac4j group too.
>>>>>>>
>>>>>>> Following is the trace from log. Would it help trying a different 
>>>>>>> version of pac4j ?
>>>>>>>
>>>>>>>
>>>>>>> 2020-09-07 18:47:30,765 DEBUG 
>>>>>>> [org.springframework.security.web.FilterChainProxy] - 
>>>>>>> >>>>>>  
>>>>>>> reached end of additional filter chain; proceeding with original chain>
>>>>>>> 2020-09-07 18:47:30,772 DEBUG 
>>>>>>> [org.springframework.web.servlet.DispatcherServlet] - >>>>>> "/codesESSO/login/a204264-CodesESSO_DevDomain?code=Fvyu6ywosaL8ym8wbzsdjBWy23mu__38eEgzxxse=TST-4-RfkeExouV9CAQXsjUlhRAXgZ84QdVGF8",
>>>>>>>  
>>>>>>> parameters={masked}>
>>>>>>> 2020-09-07 18:47:30,774 DEBUG 
>>>>>>> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
>>>>>>
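
Added example, not part of the original messages: a JDK-only check of which proxy the JVM's default ProxySelector would choose for an https token endpoint under different proxy system properties. The thread does not say which JVM arguments were tried; the token URL is a constructed placeholder, and the proxy host `proxy` and port 80 simply mirror the snippet in the message above.

```java
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;
import java.util.List;

public class TokenEndpointProxyCheck {

    /** Asks the JVM-wide default selector which proxies it would use for this URL. */
    static List<Proxy> proxiesFor(String url) {
        return ProxySelector.getDefault().select(URI.create(url));
    }

    /** Starts from a clean slate so earlier -D arguments do not skew the result. */
    static void clearProxyProperties() {
        String[] keys = {
            "http.proxyHost", "http.proxyPort",
            "https.proxyHost", "https.proxyPort",
            "http.nonProxyHosts", "proxyHost", "proxyPort", "socksProxyHost"
        };
        for (String key : keys) {
            System.clearProperty(key);
        }
    }

    public static void main(String[] args) {
        // Constructed placeholder for the identity provider's token endpoint.
        String tokenUrl = "https://idp.example.org/oauth2/token";

        clearProxyProperties();
        System.out.println("no properties        -> " + proxiesFor(tokenUrl));

        // -Dhttp.proxyHost / -Dhttp.proxyPort apply to http:// URLs only.
        System.setProperty("http.proxyHost", "proxy");
        System.setProperty("http.proxyPort", "80");
        System.out.println("http.* only          -> " + proxiesFor(tokenUrl));

        // An https:// endpoint is governed by the https.* pair.
        System.setProperty("https.proxyHost", "proxy");
        System.setProperty("https.proxyPort", "80");
        System.out.println("http.* and https.*   -> " + proxiesFor(tokenUrl));

        // http.nonProxyHosts is shared by both handlers and can silently
        // force a direct connection for matching hosts.
        System.setProperty("http.nonProxyHosts", "*.example.org");
        System.out.println("with nonProxyHosts   -> " + proxiesFor(tokenUrl));
    }
}
```

Running it with the real token URL on the CAS host shows whether the default selector would go direct for that endpoint; it says nothing about an HTTP client that is handed an explicit Proxy object, as in the snippet above.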

Re: [cas-user] Redirection after authentication from https to http

2020-09-09 Thread Joe Manavalan
Unfortunately I did not get any additional logs from either of the 
packages. 

On Wednesday, September 9, 2020 at 5:45:55 AM UTC-5 leleuj wrote:

> Hi,
>
> You should turn on DEBUG logs on org.pac4j and com.github.scribejava.
> Thanks.
> Best regards,
> Jérôme
>
>
> Le mer. 9 sept. 2020 à 06:42, Joe Manavalan  a 
> écrit :
>
>>
>> Hi Jerome,
>> Are there any logs we can get to see the timed out request url?
>> btw I tried adding the proxy host and port as jvm arguments with the same 
>> connection timed out error.
>>
>> Thanks
>> Joe
>> On Tuesday, September 8, 2020 at 7:49:32 PM UTC-5 Joe Manavalan wrote:
>>
>>>
>>> Hi Jerome,
>>>
>>> It appears that the token server cannot be reached directly but has to 
>>> go via a proxy.
>>> Is there a property in cas to specify the proxy url and port? Or does this 
>>> have to be a network setting on the server?
>>>
>>> Thanks 
>>> Joe
>>> On Tuesday, September 8, 2020 at 1:00:12 AM UTC-5 leleuj wrote:
>>>
>>>> Hi,
>>>>
>>>> During the authentication process, CAS via pac4j tries to directly 
>>>> contact the identity provider to retrieve the access token.
>>>> The "connection timeout" means that the identity provider is not 
>>>> directly reachable from the CAS server. Maybe a mismatch in the URL 
>>>> definition or a proxy setting on the CAS server.
>>>> Thanks.
>>>> Best regards,
>>>> Jérôme
>>>>  
>>>>
>>>> Le mar. 8 sept. 2020 à 03:34, Joe Manavalan  a 
>>>> écrit :
>>>>
>>>>> Hi Jerome,
>>>>>
>>>>> For testing I set up the server name as the url. And now I have the 
>>>>> redirect url coming correctly but it's timing out when getting 
>>>>> authentication Object. Since the error is from pac4j, I also posted a 
>>>>> message in pac4j group too.
>>>>>
>>>>> Following is the trace from log. Would it help trying a different 
>>>>> version of pac4j ?
>>>>>
>>>>>
>>>>> 2020-09-07 18:47:30,765 DEBUG 
>>>>> [org.springframework.security.web.FilterChainProxy] - 
>>>>> >>>>  
>>>>> reached end of additional filter chain; proceeding with original chain>
>>>>> 2020-09-07 18:47:30,772 DEBUG 
>>>>> [org.springframework.web.servlet.DispatcherServlet] - >>>> "/codesESSO/login/a204264-CodesESSO_DevDomain?code=Fvyu6ywosaL8ym8wbzsdjBWy23mu__38eEgzxxse=TST-4-RfkeExouV9CAQXsjUlhRAXgZ84QdVGF8",
>>>>>  
>>>>> parameters={masked}>
>>>>> 2020-09-07 18:47:30,774 DEBUG 
>>>>> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
>>>>>  
>>>>> - >>>> org.apereo.cas.web.DelegatedClientNavigationController#redirectResponseToFlow(String,
>>>>>  
>>>>> HttpServletRequest, HttpServletResponse)>
>>>>> 2020-09-07 18:47:30,775 DEBUG 
>>>>> [org.apereo.cas.web.BaseDelegatedAuthenticationController] - >>>> response for client [a204264-CodesESSO_DevDomain], redirecting the login 
>>>>> flow [
>>>>> https://mycompanydomain.com:8445/codesESSO/login?code=Fvyu6ywosaL8ym8wbzsdjBWy23mu__38eEgzxxse=TST-4-RfkeExouV9CAQXsjUlhRAXgZ84QdVGF8_name=a204264-CodesESSO_DevDomain
>>>>> ]>
>>>>> 2020-09-07 18:47:30,786 DEBUG 
>>>>> [org.springframework.web.servlet.view.RedirectView] - >>>> [RedirectView], 
>>>>> model {}>
>>>>> 2020-09-07 18:47:30,787 DEBUG 
>>>>> [org.springframework.security.web.context.HttpSessionSecurityContextRepository]
>>>>>  
>>>>> - >>>> be 
>>>>> stored in HttpSession.>
>>>>> 2020-09-07 18:47:30,787 DEBUG 
>>>>> [org.springframework.web.servlet.DispatcherServlet] - >>>> FOUND>
>>>>> 2020-09-07 18:47:30,787 DEBUG 
>>>>> [org.springframework.security.web.access.ExceptionTranslationFilter] - 
>>>>> 
>>>>> 2020-09-07 18:47:30,788 DEBUG 
>>>>> [org.springframework.security.web.context.SecurityContextPersistenceFilter]
>>>>>  
>>>>> - 
>>>>> 2020-09-07 18:47:30,860 DEBUG 
>>>>> [org.springframework.security.web.FilterChainPro

Re: [cas-user] Redirection after authentication from https to http

2020-09-08 Thread Joe Manavalan

Hi Jerome,
Are there any logs we can get to see the timed out request url?
btw I tried adding the proxy host and port as jvm arguments with the same 
connection timed out error.

Thanks
Joe
On Tuesday, September 8, 2020 at 7:49:32 PM UTC-5 Joe Manavalan wrote:

>
> Hi Jerome,
>
> It appears that the token server cannot be reached directly but has to go 
> via a proxy.
> Is there a property in cas to specify the proxy url and port? Or does this 
> have to be a network setting on the server?
>
> Thanks 
> Joe
> On Tuesday, September 8, 2020 at 1:00:12 AM UTC-5 leleuj wrote:
>
>> Hi,
>>
>> During the authentication process, CAS via pac4j tries to directly 
>> contact the identity provider to retrieve the access token.
>> The "connection timeout" means that the identity provider is not directly 
>> reachable from the CAS server. Maybe a mismatch in the URL definition or a 
>> proxy setting on the CAS server.
>> Thanks.
>> Best regards,
>> Jérôme
>>  
>>
>> Le mar. 8 sept. 2020 à 03:34, Joe Manavalan  a 
>> écrit :
>>
>>> Hi Jerome,
>>>
>>> For testing I set up the server name as the url. And now I have the 
>>> redirect url coming correctly but it's timing out when getting 
>>> authentication Object. Since the error is from pac4j, I also posted a 
>>> message in pac4j group too.
>>>
>>> Following is the trace from log. Would it help trying a different 
>>> version of pac4j ?
>>>
>>>
>>> 2020-09-07 18:47:30,765 DEBUG 
>>> [org.springframework.security.web.FilterChainProxy] - 
>>> >>  
>>> reached end of additional filter chain; proceeding with original chain>
>>> 2020-09-07 18:47:30,772 DEBUG 
>>> [org.springframework.web.servlet.DispatcherServlet] - >> "/codesESSO/login/a204264-CodesESSO_DevDomain?code=Fvyu6ywosaL8ym8wbzsdjBWy23mu__38eEgzxxse=TST-4-RfkeExouV9CAQXsjUlhRAXgZ84QdVGF8",
>>>  
>>> parameters={masked}>
>>> 2020-09-07 18:47:30,774 DEBUG 
>>> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
>>>  
>>> - >> org.apereo.cas.web.DelegatedClientNavigationController#redirectResponseToFlow(String,
>>>  
>>> HttpServletRequest, HttpServletResponse)>
>>> 2020-09-07 18:47:30,775 DEBUG 
>>> [org.apereo.cas.web.BaseDelegatedAuthenticationController] - >> response for client [a204264-CodesESSO_DevDomain], redirecting the login 
>>> flow [
>>> https://mycompanydomain.com:8445/codesESSO/login?code=Fvyu6ywosaL8ym8wbzsdjBWy23mu__38eEgzxxse=TST-4-RfkeExouV9CAQXsjUlhRAXgZ84QdVGF8_name=a204264-CodesESSO_DevDomain
>>> ]>
>>> 2020-09-07 18:47:30,786 DEBUG 
>>> [org.springframework.web.servlet.view.RedirectView] - >> model {}>
>>> 2020-09-07 18:47:30,787 DEBUG 
>>> [org.springframework.security.web.context.HttpSessionSecurityContextRepository]
>>>  
>>> - >> stored in HttpSession.>
>>> 2020-09-07 18:47:30,787 DEBUG 
>>> [org.springframework.web.servlet.DispatcherServlet] - 
>>> 2020-09-07 18:47:30,787 DEBUG 
>>> [org.springframework.security.web.access.ExceptionTranslationFilter] - 
>>> 
>>> 2020-09-07 18:47:30,788 DEBUG 
>>> [org.springframework.security.web.context.SecurityContextPersistenceFilter] 
>>> - 
>>> 2020-09-07 18:47:30,860 DEBUG 
>>> [org.springframework.security.web.FilterChainProxy] - 
>>> >>  
>>> at position 1 of 9 in additional filter chain; firing Filter: 
>>> 'ChannelProcessingFilter'>
>>> 2020-09-07 18:47:30,860 DEBUG 
>>> [org.springframework.security.web.FilterChainProxy] - 
>>> >>  
>>> at position 2 of 9 in additional filter chain; firing Filter: 
>>> 'WebAsyncManagerIntegrationFilter'>
>>> 2020-09-07 18:47:30,860 DEBUG 
>>> [org.springframework.security.web.FilterChainProxy] - 
>>> >>  
>>> at position 3 of 9 in additional filter chain; firing Filter: 
>>> 'SecurityContextPersistenceFilter'>
>>> 2020-09-07 18:47:30,861 DEBUG 
>>> [org.springframework.security.web.context.HttpSessionSecurityContextRepository]
>>>  
>>> - 
>>> 2020-09-07 18:47:30,861 DEBUG 
>>> [org.springframework.security.web.context.HttpSessionSecurityContextRepository]
>>>  
>>> - >> will be created.>
>>> 2020-09-07 18:47:30,861 DEBUG 
>>> [org.springframework.security.web.FilterChainProxy] - 
>>> >>  
>>> at position 4 of 9 in

Re: [cas-user] Redirection after authentication from https to http

2020-09-08 Thread Joe Manavalan

Hi Jerome,

It appears that the token server cannot be reached directly but has to go 
via a proxy.
Is there a property in cas to specify the proxy url and port? Or does this 
have to be a network setting on the server?

Thanks 
Joe
On Tuesday, September 8, 2020 at 1:00:12 AM UTC-5 leleuj wrote:

> Hi,
>
> During the authentication process, CAS via pac4j tries to directly contact 
> the identity provider to retrieve the access token.
> The "connection timeout" means that the identity provider is not directly 
> reachable from the CAS server. Maybe a mismatch in the URL definition or a 
> proxy setting on the CAS server.
> Thanks.
> Best regards,
> Jérôme
>  
>
> Le mar. 8 sept. 2020 à 03:34, Joe Manavalan  a 
> écrit :
>
>> Hi Jerome,
>>
>> For testing I set up the server name as the url. And now I have the 
>> redirect url coming correctly but it's timing out when getting 
>> authentication Object. Since the error is from pac4j, I also posted a 
>> message in pac4j group too.
>>
>> Following is the trace from log. Would it help trying a different version 
>> of pac4j ?
>>
>>
>> 2020-09-07 18:47:30,765 DEBUG 
>> [org.springframework.security.web.FilterChainProxy] - 
>> >  
>> reached end of additional filter chain; proceeding with original chain>
>> 2020-09-07 18:47:30,772 DEBUG 
>> [org.springframework.web.servlet.DispatcherServlet] - > "/codesESSO/login/a204264-CodesESSO_DevDomain?code=Fvyu6ywosaL8ym8wbzsdjBWy23mu__38eEgzxxse=TST-4-RfkeExouV9CAQXsjUlhRAXgZ84QdVGF8",
>>  
>> parameters={masked}>
>> 2020-09-07 18:47:30,774 DEBUG 
>> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
>>  
>> - > org.apereo.cas.web.DelegatedClientNavigationController#redirectResponseToFlow(String,
>>  
>> HttpServletRequest, HttpServletResponse)>
>> 2020-09-07 18:47:30,775 DEBUG 
>> [org.apereo.cas.web.BaseDelegatedAuthenticationController] - > response for client [a204264-CodesESSO_DevDomain], redirecting the login 
>> flow [
>> https://mycompanydomain.com:8445/codesESSO/login?code=Fvyu6ywosaL8ym8wbzsdjBWy23mu__38eEgzxxse=TST-4-RfkeExouV9CAQXsjUlhRAXgZ84QdVGF8_name=a204264-CodesESSO_DevDomain
>> ]>
>> 2020-09-07 18:47:30,786 DEBUG 
>> [org.springframework.web.servlet.view.RedirectView] - > model {}>
>> 2020-09-07 18:47:30,787 DEBUG 
>> [org.springframework.security.web.context.HttpSessionSecurityContextRepository]
>>  
>> - > stored in HttpSession.>
>> 2020-09-07 18:47:30,787 DEBUG 
>> [org.springframework.web.servlet.DispatcherServlet] - 
>> 2020-09-07 18:47:30,787 DEBUG 
>> [org.springframework.security.web.access.ExceptionTranslationFilter] - 
>> 
>> 2020-09-07 18:47:30,788 DEBUG 
>> [org.springframework.security.web.context.SecurityContextPersistenceFilter] 
>> - 
>> 2020-09-07 18:47:30,860 DEBUG 
>> [org.springframework.security.web.FilterChainProxy] - 
>> >  
>> at position 1 of 9 in additional filter chain; firing Filter: 
>> 'ChannelProcessingFilter'>
>> 2020-09-07 18:47:30,860 DEBUG 
>> [org.springframework.security.web.FilterChainProxy] - 
>> >  
>> at position 2 of 9 in additional filter chain; firing Filter: 
>> 'WebAsyncManagerIntegrationFilter'>
>> 2020-09-07 18:47:30,860 DEBUG 
>> [org.springframework.security.web.FilterChainProxy] - 
>> >  
>> at position 3 of 9 in additional filter chain; firing Filter: 
>> 'SecurityContextPersistenceFilter'>
>> 2020-09-07 18:47:30,861 DEBUG 
>> [org.springframework.security.web.context.HttpSessionSecurityContextRepository]
>>  
>> - 
>> 2020-09-07 18:47:30,861 DEBUG 
>> [org.springframework.security.web.context.HttpSessionSecurityContextRepository]
>>  
>> - > will be created.>
>> 2020-09-07 18:47:30,861 DEBUG 
>> [org.springframework.security.web.FilterChainProxy] - 
>> >  
>> at position 4 of 9 in additional filter chain; firing Filter: 
>> 'RequestCacheAwareFilter'>
>> 2020-09-07 18:47:30,861 DEBUG 
>> [org.springframework.security.web.savedrequest.HttpSessionRequestCache] - 
>> 
>> 2020-09-07 18:47:30,861 DEBUG 
>> [org.springframework.security.web.FilterChainProxy] - 
>> >  
>> at position 5 of 9 in additional filter chain; firing Filter: 
>> 'SecurityContextHolderAwareRequestFilter'>
>> 2020-09-07 18:47:30,861 DEBUG 
>> [org.springframework.security.web.FilterChainProxy] - 
>> >  
>> at position 6 of 9 in additional filter chain; firing Filter: 
>> 'AnonymousAuthenticationFilter'>

Re: [cas-user] Redirection after authentication from https to http

2020-09-07 Thread Joe Manavalan
j-core-4.0.3.jar:?]
at java.util.Optional.ifPresent(Optional.java:183) ~[?:?]
at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:67) 
~[pac4j-core-4.0.3.jar:?]
at 
org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:144) 
~[pac4j-core-4.0.3.jar:?]
at 
org.apereo.cas.web.flow.DelegatedClientAuthenticationAction.getCredentialsFromDelegatedClient(DelegatedClientAuthenticationAction.java:254)
 
~[cas-server-support-pac4j-webflow-6.1.7.jar:6.1.7]
at 
org.apereo.cas.web.flow.DelegatedClientAuthenticationAction.populateContextWithClientCredential(DelegatedClientAuthenticationAction.java:240)
 
~[cas-server-support-pac4j-webflow-6.1.7.jar:6.1.7]
at 
org.apereo.cas.web.flow.DelegatedClientAuthenticationAction.doExecute(DelegatedClientAuthenticationAction.java:213)
 
~[cas-server-support-pac4j-webflow-6.1.7.jar:6.1.7]
at 
org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
 
~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
at jdk.internal.reflect.GeneratedMethodAccessor196.invoke(Unknown Source) 
~[?:?]
at 
jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 
~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at 
org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:279) 
~[spring-core-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at 
org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499)
 
~[spring-cloud-context-2.2.0.RC1.jar:2.2.0.RC1]
at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
 
~[spring-aop-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at 
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
 
~[spring-aop-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at com.sun.proxy.$Proxy228.execute(Unknown Source) ~[?:?]
at 
org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
 
~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
... 119 more
2020-09-07 18:49:38,308 DEBUG 
[org.springframework.web.servlet.DispatcherServlet] - <"FORWARD" dispatch 
for GET 
"/codesESSO/error?code=Fvyu6ywosaL8ym8wbzsdjBWy23mu__38eEgzxxse=TST-4-RfkeExouV9CAQXsjUlhRAXgZ84QdVGF8_name=a204264-CodesESSO_DevDomain",
 
parameters={masked}>
2020-09-07 18:49:38,310 DEBUG 
[org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
 
- 
2020-09-07 18:49:38,432 DEBUG 
[org.springframework.web.servlet.view.ContentNegotiatingViewResolver] - 




Thanks

On Friday, September 4, 2020 at 3:07:18 AM UTC-5 leleuj wrote:

> Hi,
>
> I would have expected the *val url = httpUrl.replace("http", "https");* 
> solution to work.
>
> You may also try to set the "secure" flag in the Tomcat connector.
>
> Thanks.
> Best regards,
> Jérôme
>
>
> Le jeu. 3 sept. 2020 à 18:48, Joe Manavalan  a 
> écrit :
>
>> I was told there is a BIG-IP, which counts as a reverse proxy, in front of 
>> tomcat. Are there any specific settings to resolve this?
>> FYI: We have CAS war deployed in tomcat 8.5 [Not in embedded tomcat]
>>
>> Thanks
>> Joe
>>
>>
>> On Monday, August 31, 2020 at 6:01:46 PM UTC-5 Joe Manavalan wrote:
>>
>>> Thanks Jerome for the response.
>>>
>>> I am checking with the network team about the reverse proxy..
>>> request.getRequestURL()  is coming in as "http  "
>>>
>>> Following is the log
>>>
>>>
>>> 2020-08-31 17:45:43,157 DEBUG 
>>> [org.springframework.security.web.FilterChainProxy] - 
>>> >>  
>>> reached end of additional filter chain; proceeding with original chain>
>>> 2020-08-31 17:45:43,164 DEBUG 
>>> [org.springframework.web.servlet.DispatcherServlet] - >> "/codesESSO/login/CodesESSO_Dev?code=aF7GlAT5G_5OTjTQQw512P5U7WQ87DQwGfloQZcI=TST-1-M7NvxcUUbWhZsfDKg9WZ3CF2ift41e5s",
>>>  
>>> parameters={masked}>
>>> 2020-08-31 17:45:43,167 DEBUG 
>>> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
>>>  
>>> - >> org.apereo.cas.web.DelegatedClientNavigationController#redirectResponseToFlow(String,
>>>  
>>> HttpServletRequest, HttpServletResponse)>
>>> 2020-08-31 17:45:43,201 DEBUG 
>>> [org.apereo.cas.web.BaseDelegatedAuthenticationController] - >> client [http://:8445/codesESSO/login/CodesESSO_Dev],>
>>>
>>>
>>> I manually added a http to https replace here in 
>>> BaseDelegatedAuthenticationController for testing
>>> val url = httpUrl.replace("http", "https");
>>>
>>>
>>> 2020-08-31 17:45:43
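
As an added illustration (not code from CAS, pac4j or any poster in this thread), the Java sketch below contrasts the quoted test patch `httpUrl.replace("http", "https")` with a rewrite that changes only the scheme, and only when a trusted reverse proxy reports the original protocol. The class name, the trusted-proxy address and the sample URLs are assumptions; the page does not say which headers the BIG-IP sends.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class ExternalUrlRebuilder {

    // Assumption: address of the TLS-terminating reverse proxy (constructed value).
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");

    /** The test patch quoted in the thread: rewrites every "http" substring. */
    static String naiveReplace(String url) {
        return url.replace("http", "https");
    }

    /**
     * Rebuilds the URL the browser actually used. Only the scheme component is
     * changed, and only when the request arrived from a trusted proxy that sent
     * a recognised X-Forwarded-Proto value. Anything else is returned as received.
     */
    static String externalUrl(String requestUrl, String remoteAddr, String forwardedProto)
            throws URISyntaxException {
        URI in = new URI(requestUrl);
        if (!in.isAbsolute() || in.getRawAuthority() == null) {
            throw new URISyntaxException(requestUrl, "absolute URL with host expected");
        }
        String scheme = in.getScheme();
        if (forwardedProto != null && TRUSTED_PROXIES.contains(remoteAddr)) {
            String proto = forwardedProto.trim().toLowerCase(Locale.ROOT);
            if (proto.equals("http") || proto.equals("https")) {
                scheme = proto;
            }
        }
        // Raw components are reused so existing percent-encoding is not touched.
        StringBuilder out = new StringBuilder(scheme).append("://").append(in.getRawAuthority());
        if (in.getRawPath() != null) {
            out.append(in.getRawPath());
        }
        if (in.getRawQuery() != null) {
            out.append('?').append(in.getRawQuery());
        }
        return out.toString();
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample URLs; host names and parameter values are placeholders.
        String plain = "http://cas.example.org:8445/codesESSO/login/CodesESSO_Dev"
                + "?service=http://app.example.org/";
        String tls = "https://cas.example.org:8445/codesESSO/login/CodesESSO_Dev";

        // String replace also rewrites the nested service URL and corrupts
        // a URL that is already https.
        System.out.println("naive, http input    : " + naiveReplace(plain));
        System.out.println("naive, https input   : " + naiveReplace(tls));

        // Scheme-only rewrite, honoured for the trusted proxy.
        System.out.println("trusted proxy        : " + externalUrl(plain, "10.0.0.5", "https"));
        // Same header from an unknown peer is ignored.
        System.out.println("untrusted peer       : " + externalUrl(plain, "203.0.113.9", "https"));
        // Already-https input stays intact.
        System.out.println("trusted, https input : " + externalUrl(tls, "10.0.0.5", "https"));
    }
}
```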

Re: [cas-user] Redirection after authentication from https to http

2020-09-03 Thread Joe Manavalan
I was told there is a BIG-IP, which counts as a reverse proxy, in front of 
tomcat. Are there any specific settings to resolve this?
FYI: We have CAS war deployed in tomcat 8.5 [Not in embedded tomcat]

Thanks
Joe


On Monday, August 31, 2020 at 6:01:46 PM UTC-5 Joe Manavalan wrote:

> Thanks Jerome for the response.
>
> I am checking with the network team about the reverse proxy..
> request.getRequestURL()  is coming in as "http  "
>
> Following is the log
>
>
> 2020-08-31 17:45:43,157 DEBUG 
> [org.springframework.security.web.FilterChainProxy] - 
>   
> reached end of additional filter chain; proceeding with original chain>
> 2020-08-31 17:45:43,164 DEBUG 
> [org.springframework.web.servlet.DispatcherServlet] -  "/codesESSO/login/CodesESSO_Dev?code=aF7GlAT5G_5OTjTQQw512P5U7WQ87DQwGfloQZcI=TST-1-M7NvxcUUbWhZsfDKg9WZ3CF2ift41e5s",
>  
> parameters={masked}>
> 2020-08-31 17:45:43,167 DEBUG 
> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
>  
> -  org.apereo.cas.web.DelegatedClientNavigationController#redirectResponseToFlow(String,
>  
> HttpServletRequest, HttpServletResponse)>
> 2020-08-31 17:45:43,201 DEBUG 
> [org.apereo.cas.web.BaseDelegatedAuthenticationController] -  client [http://:8445/codesESSO/login/CodesESSO_Dev],>
>
>
> I manually added a http to https replace here in 
> BaseDelegatedAuthenticationController for testing
> val url = httpUrl.replace("http", "https");
>
>
> 2020-08-31 17:45:43,204 DEBUG 
> [org.apereo.cas.web.BaseDelegatedAuthenticationController] -  response for client [a204264-CodesESSO_Dev], redirecting the login flow 
> [https://:8445/codesESSO/login?code=aF7GlAT5G_5OTjTQQw512P5U7WQ87DQwGfloQZcI=TST-1-M7NvxcUUbWhZsfDKg9WZ3CF2ift41e5s_name=CodesESSO_Dev]>
>
> Ended up throwing an error  [Which I believe is expected due to the 
> manipulation]
> org.springframework.webflow.execution.ActionExecutionException: Exception 
> thrown executing 
> org.apereo.cas.web.flow.DelegatedClientAuthenticationAction@40e79dec in 
> state 'delegatedAuthenticationAction' of flow 'login' -- action execution 
> attributes were 'map[[empty]]'
> at 
> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:62)
> at 
> org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
>
> On Mon, Aug 31, 2020 at 1:52 AM Jérôme LELEU  wrote:
>
>> Hi,
>>
>> This redirection relies on: request.getRequestURL()
>> Do you have some reverse proxy in front of your Tomcat?
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> Le jeu. 27 août 2020 à 17:20, Joe Manavalan  a 
>> écrit :
>>
>>> I have cas6.1 deployed and working with cas.authn.pac4j.oauth2. The app 
>>> works fine in my local windows machine on an https port
>>> When deployed in unix with the same setting [except the url has domain 
>>> name instead of server name] the app after authenticating with the external 
>>> oauth2 provider redirects the url to an http port as shown below
>>> This is the redirect url configured and get successfully redirected 
>>> after authentication and authorization based on the browser trace
>>>
>>> https://:/cas/login/?code==_name=
>>> It then gets redirected to the below http port instead of the expected 
>>> https port
>>>
>>> http//:/cas/login?code==_name=
>>>
>>> Is this some configuration in CAS  or need to be investigated on the 
>>> network side ?
>>> Any help appreciated
>>>
>>>
>>> -- 
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to cas-user+u...@apereo.org.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/c9fa4862-6604-4c32-8a75-81a04f982998n%40apereo.org
>>>  
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/c9fa4862-6604-4c32-8a75-81a04f982998n%40apereo.org?utm_medium=email_source=footer>
>>> .
>>>

Re: [cas-user] Redirection after authentication from https to http

2020-08-31 Thread Joe Manavalan
Thanks Jerome for the response.

I am checking with the network team about the reverse proxy..
request.getRequestURL()  is coming in as "http  "

Following is the log


2020-08-31 17:45:43,157 DEBUG
[org.springframework.security.web.FilterChainProxy] -

2020-08-31 17:45:43,164 DEBUG
[org.springframework.web.servlet.DispatcherServlet] - 
2020-08-31 17:45:43,167 DEBUG
[org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
- 
2020-08-31 17:45:43,201 DEBUG
[org.apereo.cas.web.BaseDelegatedAuthenticationController] - :8445/codesESSO/login/CodesESSO_Dev],>


I manually added a http to https replace here in
BaseDelegatedAuthenticationController for testing
val url = httpUrl.replace("http", "https");


2020-08-31 17:45:43,204 DEBUG
[org.apereo.cas.web.BaseDelegatedAuthenticationController] - :8445/codesESSO/login?code=aF7GlAT5G_5OTjTQQw512P5U7WQ87DQwGfloQZcI=TST-1-M7NvxcUUbWhZsfDKg9WZ3CF2ift41e5s_name=CodesESSO_Dev]>

Ended up throwing an error  [Which I believe is expected due to the
manipulation]
org.springframework.webflow.execution.ActionExecutionException: Exception
thrown executing
org.apereo.cas.web.flow.DelegatedClientAuthenticationAction@40e79dec in
state 'delegatedAuthenticationAction' of flow 'login' -- action execution
attributes were 'map[[empty]]'
at
org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:62)
at
org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)

On Mon, Aug 31, 2020 at 1:52 AM Jérôme LELEU  wrote:

> Hi,
>
> This redirection relies on: request.getRequestURL()
> Do you have some reverse proxy in front of your Tomcat?
> Thanks.
> Best regards,
> Jérôme
>
>
> Le jeu. 27 août 2020 à 17:20, Joe Manavalan  a
> écrit :
>
>> I have cas6.1 deployed and working with cas.authn.pac4j.oauth2. The app
>> works fine in my local windows machine on an https port
>> When deployed in unix with the same setting [except the url has domain
>> name instead of server name] the app after authenticating with the external
>> oauth2 provider redirects the url to an http port as shown below
>> This is the redirect url configured and get successfully redirected after
>> authentication and authorization based on the browser trace
>> https://
>> :/cas/login/?code==_name=
>> It then gets redirected to the below http port instead of the expected
>> https port
>>
>> http//:/cas/login?code==_name=
>>
>> Is this some configuration in CAS  or need to be investigated on the
>> network side ?
>> Any help appreciated
>>
>>


[cas-user] Redirection after authentication from https to http

2020-08-27 Thread Joe Manavalan
I have cas6.1 deployed and working with cas.authn.pac4j.oauth2. The app 
works fine in my local windows machine on an https port
When deployed in unix with the same setting [except the url has domain name 
instead of server name] the app after authenticating with the external 
oauth2 provider redirects the url to an http port as shown below
This is the redirect url configured and get successfully redirected after 
authentication and authorization based on the browser trace
https://:/cas/login/?code==_name=
It then gets redirected to the below http port instead of the expected 
https port
http//:/cas/login?code==_name=

Is this some configuration in CAS  or need to be investigated on the 
network side ?
Any help appreciated




[cas-user] delegated authentication Oauth

2020-07-23 Thread Joe Manavalan
Hi 
Setting up cas 6.1 for delegated authentication on our IDP
cas.properties
cas.authn.pac4j.oauth2[0].id=id
cas.authn.pac4j.oauth2[0].secret=secret
cas.authn.pac4j.oauth2[0].authUrl=url
cas.authn.pac4j.oauth2[0].tokenUrl=url
cas.authn.pac4j.oauth2[0].profileUrl=profileurl
cas.authn.pac4j.oauth2[0].clientName=clientName
cas.authn.pac4j.oauth2[0].scope=openid

Cas redirects to provider but comes back after authentication with an error 


The log shows success until getting the response from the profile url; after that it shows

2020-07-22 07:41:13,097 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 

2020-07-22 07:41:13,097 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<[DelegatedClientAuthenticationHandler]: [id cannot be blank]>
2020-07-22 07:41:13,097 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
- 
2020-07-22 07:41:13,097 DEBUG 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 

2020-07-22 07:41:13,099 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
2020-07-22 07:41:13,099 WARN 
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
 
- 
2020-07-22 07:41:13,100 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
 
- <1 errors, 0 successes>
org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes
at 
org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:350)
 
~[cas-server-core-authentication-api-6.1.7.jar!/:6.1.7]
at 
org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:328)
 
~[cas-server-core-authentication-api-6.1.7.jar!/:6.1.7]
at 
org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:136)
 
~[cas-server-core-authentication-api-6.1.7.jar!/:6.1.7]
at 
org.apereo.cas.authentication.PolicyBasedAuthenticationManager$$FastClassBySpringCGLIB$$90e801d3.invoke()
 
~[cas-server-core-authentication-api-6.1.7.jar!/:6.1.7]
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) 
~[spring-core-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
at 
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:769)
 
~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
 
~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
at 
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:747)
 
~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
at 
org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:88)
 
~[spring-aop-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
at 
org.apereo.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:135)
 
~[inspektr-audit-1.8.6.GA.jar!/:1.8.6.GA]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
~[?:?]

When I do the same with a sample springboot app it works and returns the 
principal. But I had to use 2 extra properties to decode the token
spring.security.oauth2.client.provider.sso.user-name-attribute=sub
spring.security.oauth2.client.provider.sso.jwk-set-uri=url

Wondering where I provide these values in CAS. 


Any help appreciated

Thanks
Joe
