Re: [cas-user] which registry ticket storage ?

2021-03-24 Thread Julien Gribonvald

Hi Jérôme,

We are deploying the same conf for several services: 3 servers with 
Redis + Sentinel on each one (we are also thinking of deploying a Redis 
farm instead). One server is a master and the two others are slaves; we 
use neither the persistence option nor the database. We also use HAProxy, 
when we can distinguish read and write access, to share the load. All this 
conf was defined mainly from this blog: 
https://www.willandskill.se/en/setup-a-highly-available-redis-cluster-with-sentinel-and-haproxy/ 



Julien Gribonvald
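As an added illustration of the read/write split described above (example configuration, not the poster's own nor the blog's; the node addresses, ports and the password placeholder are assumptions), an HAProxy configuration that sends writes only to whichever node currently reports itself as master and spreads reads over the replicas:

```haproxy
# Added example, not the poster's configuration. Assumes three Redis nodes
# (10.0.0.11-13, port 6379) supervised by Sentinel. CAS writes tickets via
# 127.0.0.1:6379 and reads via 127.0.0.1:6380.

defaults
    mode tcp
    timeout connect 3s
    timeout client  30s
    timeout server  30s

frontend redis_write
    bind 127.0.0.1:6379
    default_backend redis_master

frontend redis_read
    bind 127.0.0.1:6380
    default_backend redis_replicas

# Only the node answering "role:master" to INFO replication passes the
# check, so after a Sentinel failover writes follow the promoted node and
# the demoted one (now answering role:slave) is taken out automatically.
backend redis_master
    option tcp-check
    # If requirepass is set, authenticate first or every check fails with
    # NOAUTH (placeholder password, replace it):
    # tcp-check send AUTH\ CHANGE_ME\r\n
    # tcp-check expect string +OK
    tcp-check send PING\r\n
    tcp-check expect string +PONG
    tcp-check send info\ replication\r\n
    tcp-check expect string role:master
    tcp-check send QUIT\r\n
    tcp-check expect string +OK
    server redis1 10.0.0.11:6379 check inter 1s fall 2 rise 2
    server redis2 10.0.0.12:6379 check inter 1s fall 2 rise 2
    server redis3 10.0.0.13:6379 check inter 1s fall 2 rise 2

# Replicas only: same probe, opposite expectation, round-robin over the
# nodes that report role:slave.
backend redis_replicas
    balance roundrobin
    option tcp-check
    # tcp-check send AUTH\ CHANGE_ME\r\n
    # tcp-check expect string +OK
    tcp-check send PING\r\n
    tcp-check expect string +PONG
    tcp-check send info\ replication\r\n
    tcp-check expect string role:slave
    tcp-check send QUIT\r\n
    tcp-check expect string +OK
    server redis1 10.0.0.11:6379 check inter 1s fall 2 rise 2
    server redis2 10.0.0.12:6379 check inter 1s fall 2 rise 2
    server redis3 10.0.0.13:6379 check inter 1s fall 2 rise 2
```

A replica that is still resynchronising may serve stale tickets; if that matters for the deployment, the read-side probe can be tightened to also require master_link_status:up in the INFO output.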

On 24/03/2021 at 09:23, Jérôme NENERT wrote:

On 17/03/2021 at 17:34, Julien Gribonvald wrote:

Hi,


Hi Julien,

I would recommend Redis; after memcached it's the fastest and most 
efficient system for large amounts of data. Others will work well, but 
you will gain in efficiency and server resources compared to other 
systems.


Which type of Redis replication do you use in combination with CAS? 
Sentinel with the redis.sentinel configuration keys, or another type of 
configuration?


Jerome Nenert



I don't recommend memcached only because we can't look at the data 
without modifying/refreshing it; the problem is that we can't get a 
good overview of the data.


Thanks

Julien Gribonvald

On 17/03/2021 at 15:50, Daniel CHARLOT wrote:

Hello there,

We need to upgrade our CAS server V4 to V6 and add an F5 load balancer.
We will do some HA with them and we are wondering which product has 
the best performance for use as ticket registry?

Memcached, Cassandra, MongoDB, Couchbase, Redis or another?
I would like to choose Redis, because it seems to work like a charm, but 
I'm not sure.


Thanks for your advice and for feedback from your experience.

Daniel CHARLOT





--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1ae9c044-693a-3b06-8912-628dbd9a36f9%40recia.fr.


Re: [cas-user] which registry ticket storage ?

2021-03-17 Thread Julien Gribonvald

Hi,

I would recommend Redis; after memcached it's the fastest and most 
efficient system for large amounts of data. Others will work well, but 
you will gain in efficiency and server resources compared to other systems.


I don't recommend memcached only because we can't look at the data without 
modifying/refreshing it; the problem is that we can't get a good 
overview of the data.


Thanks

Julien Gribonvald

On 17/03/2021 at 15:50, Daniel CHARLOT wrote:

Hello there,

We need to upgrade our CAS server V4 to V6 and add an F5 load balancer.
We will do some HA with them and we are wondering which product has the 
best performance for use as ticket registry?
Memcached, Cassandra, MongoDB, Couchbase, Redis or another?
I would like to choose Redis, because it seems to work like a charm, but I'm not 
sure.

Thanks for your advice and for feedback from your experience.

Daniel CHARLOT





Re: [cas-user] AJP with header too big

2019-09-30 Thread Julien Gribonvald

Hi,

This is in the doc, but not directly: you have the property 
cas.server.ajp.attributes.attributeName=attributeValue.


That is to say, for your case: cas.server.ajp.attributes.packetSize=YOUR VALUE


- Julien

On 30/09/2019 at 11:40, Fabrice Bacchella wrote:

I'm getting the following error on CAS 5.3 with AJP:

2019-09-30 11:19:19,411 ERROR [org.apache.coyote.ajp.AjpProcessor] Header 
message of length [11,006] received but the packetSize is only [8,192]
2019-09-30 11:19:19,411 ERROR [org.apache.coyote.ajp.AjpProcessor] Error 
processing request
java.lang.NullPointerException: null

So I should increase the packetSize of the AJP connector, but it's missing from 
https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties.html#ajp

Is it hidden somewhere else?




--
Julien Gribonvald



[cas-user] Re: Logout workflow with Delegated Auth

2019-07-12 Thread Julien Gribonvald
After more debugging on this problem, it seems that the session can't be 
retrieved even though all elements were saved in the session store. The 
requestContext doesn't contain any session during the logout process (even if 
the action is called before terminateSessionState), so only a new 
session is available. But cookies are still available!
Where is the problem? If the webflow can't provide a session, is there some 
configuration needed?

Thanks


On Thursday 4 July 2019 14:29:47 UTC+2, Julien Gribonvald wrote:
>
> To add some information to my previous message:
> - from CAS I have this log:
> DEBUG 
> [org.apereo.cas.web.flow.DelegatedAuthenticationSAML2ClientLogoutAction] - 
>  logout action will be executed.>
>
> After debugging into the code: to find out whether a client is a SAML2Client, a 
> profile should be provisioned, but that's not the case, so it returns a 
> null client each time.
>
> What is missing here? Should a profile be provisioned, and how, in this 
> case? Or is there a problem with a wrong check?
>
> I could fix that, but let me know what the right way to do it is.
> Thanks
>
>
> On Thursday 4 July 2019 13:16:17 UTC+2, Julien Gribonvald wrote:
>>
>> Hi, 
>>
>> I can't find in the documentation how logout should work with delegated 
>> authentication (from the pac4j module, for example). 
>>
>> I'm looking at the workflow when a global logout is initiated from 
>> CAS (or from a service to CAS): is there a way to propagate it to 
>> the IdP the user connected through? I can't get this working with a SAML 
>> IdP even though the metadata provides the SLO logout URL. 
>>
>> Also, does it work when the logout request comes from the SAML IdP? 
>>
>> How should this work, what are the requirements? I'm using the CAS V6 
>> master branch. 
>>
>> Thanks, 
>>
>> -- 
>> Julien Gribonvald 
>>
>



[cas-user] Re: Logout workflow with Delegated Auth

2019-07-04 Thread Julien Gribonvald
To add some information to my previous message:
- from CAS I have this log:
DEBUG 
[org.apereo.cas.web.flow.DelegatedAuthenticationSAML2ClientLogoutAction] - 


After debugging into the code: to find out whether a client is a SAML2Client, a 
profile should be provisioned, but that's not the case, so it returns a 
null client each time.

What is missing here? Should a profile be provisioned, and how, in this 
case? Or is there a problem with a wrong check?

I could fix that, but let me know what the right way to do it is.
Thanks


On Thursday 4 July 2019 13:16:17 UTC+2, Julien Gribonvald wrote:
>
> Hi, 
>
> I can't find in the documentation how logout should work with delegated 
> authentication (from the pac4j module, for example). 
>
> I'm looking at the workflow when a global logout is initiated from 
> CAS (or from a service to CAS): is there a way to propagate it to 
> the IdP the user connected through? I can't get this working with a SAML 
> IdP even though the metadata provides the SLO logout URL. 
>
> Also, does it work when the logout request comes from the SAML IdP? 
>
> How should this work, what are the requirements? I'm using the CAS V6 
> master branch. 
>
> Thanks, 
>
> -- 
> Julien Gribonvald 
>



[cas-user] Logout workflow with Delegated Auth

2019-07-04 Thread Julien Gribonvald

Hi,

I can't find in the documentation how logout should work with delegated 
authentication (from the pac4j module, for example).


I'm looking at the workflow when a global logout is initiated from 
CAS (or from a service to CAS): is there a way to propagate it to 
the IdP the user connected through? I can't get this working with a SAML 
IdP even though the metadata provides the SLO logout URL.


Also, does it work when the logout request comes from the SAML IdP?

How should this work, what are the requirements? I'm using the CAS V6 
master branch.


Thanks,

--
Julien Gribonvald



[cas-user] Refreshing value on dynamic user attributes

2019-07-02 Thread Julien Gribonvald

Hi folks,

I'm loading user attributes from an LDAP after authentication; my problem 
is that we have some "dynamic" attributes that are used to set the user 
context.


My problem is to be able to change the value of such attributes without 
logging the user out, or doing only a partial logout. I mean I would 
like to keep the user logged in to CAS but propagate the logout to 
already connected applications, to be able to propagate the updated user 
context value (to change the user's context).


Do you think that would be doable? Without big changes? What would be 
your way to do it on CAS 6?


In our older CAS version we did a global logout, but we would like to 
avoid it now, as that will help us with some workflows.


Thanks,

--
Julien Gribonvald



[cas-user] SAML2 client Delegated Auth - IDP-initiated mode support

2019-06-18 Thread Julien Gribonvald

Hi folks,

Is there a way to support IdP-initiated mode with the pac4j client? 
Or any other client? (IdP-initiated mode is an auth request coming 
directly from an IdP without going through the CAS server first; this 
mode sets all the URL params needed, like the entityID and the targeted service.)


Thanks,

--
Julien Gribonvald



[cas-user] Questions on pac4j saml module

2019-05-16 Thread Julien Gribonvald

Hi folks,
I have a few questions about the pac4j saml configuration:

 * Is there a way to customize the button generated with the clientName
   text on the CAS login page? I mean using a displayName and a
   description; is there something already existing, or could I propose
   a Pull Request to be able to customize it?
 * How are you generating metadata after the CAS server launch? The
   default configuration generates the metadata, if it doesn't exist, only
   when a request is made; I would like this metadata to be available
   as soon as CAS is available, so that IdPs can request it before a
   user accesses it!
 * What is the best way to share generated files (metadata, keystore,
   certificates) between each CAS instance used in load-balancing (not
   in cluster)? I'm using a git repo to share my configurations only
   (in the /xxx/cas-properties/), but I'm not sure that is a good
   practice, even more so if we delete certificates and metadata to renew
   them. What are your advices/practices?

Thanks
--
Julien Gribonvald



Re: [cas-user] Issue with LPPE and memcached ticket registry

2019-05-02 Thread Julien Gribonvald
Ray, I'm not sure that will work with the cas-overlay-template done with 
gradle.


On my side I cloned the CAS repository following the documentation and I 
publish to my nexus, but with docker:


- clone the cas project, apply your change and publish it to your git repo

- clone this git repo in your docker file and run the commands locally as 
described in the doc; inside the module you will have to build and install 
the change locally (example command to build this kind of module and to 
install it locally: ../../gradlew clean build install 
--configure-on-demand --build-cache --parallel -x test -x javadoc -x 
check --stacktrace -DskipNestedConfigMetadataGen=true 
-DskipGradleLint=true), so that your cas build from the 
cas-overlay-template will be able to use your change.


Julien

On 01/05/2019 at 21:26, Ray Bon wrote:

Doug,

I have not used the docker image but suspect it operates the same way as a 
stand-alone deploy.
You create your package/class(es) in src/main/java (in the root of the project 
directory). It will get built and placed in the war.
https://apereo.github.io/cas/5.3.x/installation/Maven-Overlay-Installation.html 



Ray

On Wed, 2019-05-01 at 17:09 +0800, Doug Campbell wrote:


Thanks Julien.

I think I understand what needs to be done to register the 
missing class, but I have no idea how to deploy a change to test it.  
I'm using the cas-webapp-docker to deploy to Docker using 
cas-overlay-template.  If you were able to give me some pointers as to 
how to test these changes I would go ahead and try to make this work 
on the 6.0.x branch.


Doug

From: cas-user@apereo.org On Behalf Of Julien Gribonvald
Sent: Tuesday, April 30, 2019 5:47 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] Issue with LPPE and memcached ticket registry

Hi,

To fix your problem you have to register the missing class; here is a 
PR to take as an example of registering some missing classes: 
https://github.com/apereo/cas/pull/3857/files. So you can contribute?


From my point of view, it's a problem that Kryo needs all classes 
registered to serialize them, but there doesn't seem to be another 
way. Then again, there is a good benefit to using Kryo, as its serialization is 
more efficient than the default one.


Thanks,

Julien

On 29/04/2019 at 05:51, Windham, Gary D - (windhamg) wrote:

Doug, thank you very much for your feedback and the workaround. That 
does, indeed, fix the immediate issue at hand. Hopefully the Kryo 
serialization issue will be resolved soon.


Thanks again!

--Gary

--
Gary Windham
Principal Enterprise Systems Architect
University Information Technology Services
The University of Arizona
Email: windh...@email.arizona.edu
Office: +1 520 626 5981

On Sun, Apr 28, 2019 at 8:26 PM Doug Campbell 
<wdouglascampb...@gmail.com> wrote:


I don't know if this is an ideal workaround, but I found in my case 
that if I changed the transcoder setting from KRYO to SERIAL then 
everything started working great.


cas.ticket.registry.memcached.transcoder: SERIAL

In the documentation it recommends using KRYO, stating "This 
component is recommended over the default Java serialization 
mechanism since it produces much more compact data, which benefits 
both storage requirements and throughput."  There are two other 
options as well:  WHALIN and WHALINV1.


I am not sure if it really matters which one, but since the use of 
KRYO seems buggy maybe the recommendation for using it is no longer 
the best.


From: cas-user@apereo.org On Behalf Of Doug Campbell
Sent: Monday, April 29, 2019 10:36 AM
To: cas-user@apereo.org
Subject: RE: [cas-user] Issue with LPPE and memcached ticket registry

Gary,

I don't have an answer, but I saw this same error yesterday when I 
was testing proxy authentication on my CAS 6.0.3 test setup. In my 
case I haven't configured LPPE.  I did try disabling it just now, 
but that seemed to have no effect as the error still occurs. In my 
case I am using spymemcache and not AWS Elasticache.  For now I 
have switched back to the default InMemory ticket registry, and 
proxy authentication works fine with that.


If I figure out anything I will let you know, and if you discover a 
solution please do report back.


Thanks!

From: cas-user@apereo.org On Behalf Of Windham, Gary D - (windhamg)
Sent: Monday, April 29, 2019 9:28 AM
To: cas-user@apereo.org
Subject: [cas-user] Issue with LPPE and memcached ticket registry

Hi all,

I've been building/testing CAS v6.1.0 (HEAD), and was getting along 
fairly well until I ran into an error with LPPE and the memcached 
ticket registry I'm using.


I am using 389 Directory server for LDAP authentication and have 
passw

Re: [cas-user] Issue with LPPE and memcached ticket registry

2019-04-30 Thread Julien Gribonvald
java.lang.IllegalArgumentException: Class is not registered:
org.apereo.cas.authentication.support.password.PasswordExpiringWarningMessageDescriptor

Note: To register this class use:
kryo.register(org.apereo.cas.authentication.support.password.PasswordExpiringWarningMessageDescriptor.class);

<...followed by big stack trace...>

Is there something I'm overlooking, or failed to add, in my
config? Any pointers appreciated!

Thanks,

--Gary

--
Gary Windham
Principal Enterprise Systems Architect
University Information Technology Services
The University of Arizona
Email: windh...@email.arizona.edu
Office: +1 520 626 5981


--
Julien Gribonvald



Re: [cas-user] CAS 6.x delegated auth chained with different attributeRepository

2019-04-29 Thread Julien Gribonvald

Thanks Misagh,

Ok, so don't hesitate to notify me when the feature will be available.

Julien

On 26/04/2019 at 20:36, Misagh Moayyed wrote:
This isn't quite possible to do as you describe it today. I'd suggest 
you wait until 6.1 RC4, as this is being worked on somewhat. Otherwise, 
you might need to write your own authentication handler and in there 
decide how to fetch attributes based on the client, etc.


On Tuesday, April 16, 2019 at 2:33:04 AM UTC-7, Julien Gribonvald wrote:

Hi,

Sorry to ask the question again, but how can I do that? I've found
how to define a policy with authenticationHandlers, but it doesn't help to
chain with an attributeRepository.

Is it possible to do what I want, or should I chain all delegated
authenticationHandlers with all attributeResolvers?

Thanks,

Julien


On 12/04/2019 at 11:24, Julien Gribonvald wrote:
> Hi,
>
> Is there something already existing to map a specific
> authn.attributeRepository to a specific authn configuration?
>
> I have several kinds of external auth systems, so the local attribute
> resolution (local LDAP) should be done by different LDAP search requests
> (and so different attributeRepositories); each authn system should have
> its own attributeRepository, and I need to avoid chaining all
> attributeRepositories. Is it possible, or should I implement something?
>
> If I should implement something, could you tell me what the best way is
> (and where to look)?
>
> I'm following the CAS master branch.
>
> Thanks,
>
-- 
Julien Gribonvald



--
Julien Gribonvald



Re: [cas-user] Mandatory entry point before authentication

2019-04-25 Thread Julien Gribonvald

Thanks Ray, but that's not exactly my use case.

Your use case assumes that users can authenticate from any service; in my 
case I need them to come from one service to be able to 
authenticate. But your redirect is welcome!


Thanks

Julien

On 17/04/2019 at 20:57, Ray Bon wrote:

Julien,

Check this setting:
cas.view.defaultRedirectUrl=https://${cas.server.name}/mypage

If the user goes to CAS first (without a service), they get redirected to 
defaultRedirectUrl.


Ray

On Wed, 2019-04-17 at 16:56 +0200, Julien Gribonvald wrote:

Hi,
Is there a simple way to force a user to come from a service before
authenticating?
I mean, before accessing some services (not all), a user should come
from an entry point (a service on which he will be authenticated afterwards,
like a portal); if not, he should be redirected to this entry point.
If not, is it the thing to define a service policy from the service
management to do that? Or do you see a better way?
Thanks,
--
Julien Gribonvald

--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

--
Julien Gribonvald



[cas-user] Mandatory entry point before authentication

2019-04-17 Thread Julien Gribonvald

Hi,

Is there a simple way to force a user to come from a service before 
authenticating?


I mean, before accessing some services (not all), a user should come 
from an entry point (a service on which he will be authenticated afterwards, 
like a portal); if not, he should be redirected to this entry point.


If not, is it the thing to define a service policy from the service 
management to do that? Or do you see a better way?


Thanks,

--
Julien Gribonvald



Re: [cas-user] CAS 6.x delegated auth chained with different attributeRepository

2019-04-16 Thread Julien Gribonvald

Hi,

Sorry to ask the question again, but how can I do that? I've found how to 
define a policy with authenticationHandlers, but it doesn't help to chain 
with an attributeRepository.


Is it possible to do what I want, or should I chain all delegated 
authenticationHandlers with all attributeResolvers?


Thanks,

Julien


On 12/04/2019 at 11:24, Julien Gribonvald wrote:

Hi,

Is there something already existing to map a specific 
authn.attributeRepository to a specific authn configuration?


I have several kinds of external auth systems, so the local attribute 
resolution (local LDAP) should be done by different LDAP 
search requests (and so different attributeRepositories); each authn system should 
have its own attributeRepository, and I need to avoid chaining all 
attributeRepositories. Is it possible, or should I implement something?


If I should implement something, could you tell me what the best way is 
(and where to look)?


I'm following the CAS master branch.

Thanks,


--
Julien Gribonvald



[cas-user] CAS 6.x delegated auth chained with different attributeRepository

2019-04-12 Thread Julien Gribonvald

Hi,

Is there something already existing to map a specific authn 
configuration to a specific authn.attributeRepository?


I have several kinds of external auth systems, and so the attribute 
resolution locally (local LDAP) should be done by different LDAP search 
requests (and so attributeRepository); each authn system should have its 
own attributeRepository, and I need to avoid chaining all 
attributeRepository. Is it possible, or should I implement something?


If I should implement something, could you tell me what is the best way 
(and where to look)?


I'm following the CAS master branch.

Thanks,

--

Julien Gribonvald

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b10edc58-e9cf-b4d9-e0d7-400c122da3da%40recia.fr.


Re: [cas-user] Re: Help CAS Management Error (CAS Server returned 502 status code from endpoint https://cas.example.com/cas/status/discovery. Using default FormData values)

2019-04-11 Thread Julien Gribonvald

--
Julien Gribonvald

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/146520a1-9471-324c-0bc3-c55483bf7a4f%40recia.fr.


Re: [cas-user] [CAS 6.1.X] Building with custom profiles settings

2019-03-19 Thread Julien Gribonvald

Hi,

I'm running with the option -Dspring.profiles.active=standalone,test, for 
example, and I have properties files named test.properties and 
application-test.properties.


This is working well on linux.

-Julien



Le 19/03/2019 à 15:58, The Jej a écrit :

Hello everybody,

I'm trying to make two different profiles on my cas project:

1 profile for development environment
1 profile for production

For the moment I have tested cas by using the default 'standalone' 
profile. So I have created an application-standalone.properties, 
everything works fine and configuration inside that file works fine.



Now I would like to create a more production oriented configuration:

application-dev.properties and application-prod.properties for example, 
and tell gradlew to build cas using one or the other configuration file.


In my other springboot projects, I only have to use on the vm 
parameter -Dspring.profiles.active=dev for example, and the war 
generated takes the application-dev.properties file.



I'm trying the same thing with gradlew: gradlew.bat clean build 
-Dspring.profiles.active=dev


But it does nothing (I know it would be too simple :) ), I try to find 
more info in the documentation but I found that the profiles 
configuration is not quite 
clear: https://apereo.github.io/cas/6.0.x/configuration/Configuration-Server-Management.html


Also it's not recommended to overlay the default bootstrap.properties 
(which sets spring.profiles.active=standalone) and 
application.properties, so I try to avoid those solutions.


How do you build with different configuration files?

Thanks !

Jeremy

--
Julien Gribonvald

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/73cb7281-cb31-0ae0-15e1-e90432eb8ddd%40recia.fr.


Re: [cas-user] CAS 6.1.x Ldaps configuration problem

2019-01-28 Thread Julien Gribonvald

Thanks a lot David.

This solved the problem and it saved me some hours!

Regards,

--Julien

Le 26/01/2019 à 16:40, David Gelhar a écrit :

Using Java8 probably isn't an option - CAS 6.x requires Java11

We have been able to work around the issue by using the UnboundID 
provider as suggested, with settings like this:


cas.properties :
cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

build.gradle:
// to use UnboundID ldap provider instead of JNDI
compile "com.unboundid:unboundid-ldapsdk:4.0.9"


On Friday, January 25, 2019 at 5:47:00 PM UTC-5, dfisher wrote:

This appears to be a bug in JNDI code that manifests with an NPE
in the ldaptive thread local code.
I've filed an issue, but there isn't a resolution yet.

Workarounds include:
* Use startTLS
* Use the UnboundID provider
* Use Java 8 (versions 9-12 are all affected)

--Daniel Fisher

On Fri, Jan 25, 2019 at 1:28 PM Julien Gribonvald wrote:

Hi,

I'm beginning a new CAS configuration with the latest dev version
with the overlay packaging, and when configuring ldaps I'm having
such an error:

java.lang.NullPointerException: Thread local SslConfig has not been set
    at org.ldaptive.ssl.ThreadLocalTLSSocketFactory.getDefault(ThreadLocalTLSSocketFactory.java:53) ~[ldaptive-1.2.4.jar!/:?]

With no ssl conf I don't have any problems; here are my changes
to move to ssl use:

cas.authn.ldap[0].ldapUrl=ldaps://my.domain.fr:636
#cas.authn.ldap[0].ldapUrl=ldap://my.domain.fr:389
#cas.authn.ldap[0].useSsl=false

Did I do something wrong, or...?

Is there someone having the same problem or not?

After googling a bit it seems that it could be a problem with the
ldaptive lib and jdk11... Any information about such a problem?

Thanks

--
Julien Gribonvald



--
Julien Gribonvald

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/822f6e93-70c5-0d44-4314-2517be228676%40recia.fr.


[cas-user] CAS 6.1.x Ldaps configuration problem

2019-01-25 Thread Julien Gribonvald

Hi,

I'm beginning a new CAS configuration with the latest dev version with the 
overlay packaging, and when configuring ldaps I'm having such an error:


java.lang.NullPointerException: Thread local SslConfig has not been set
    at org.ldaptive.ssl.ThreadLocalTLSSocketFactory.getDefault(ThreadLocalTLSSocketFactory.java:53) ~[ldaptive-1.2.4.jar!/:?]


With no ssl conf I don't have any problems; here are my changes to move 
to ssl use:


cas.authn.ldap[0].ldapUrl=ldaps://my.domain.fr:636
#cas.authn.ldap[0].ldapUrl=ldap://my.domain.fr:389
#cas.authn.ldap[0].useSsl=false

Did I do something wrong, or...?

Is there someone having the same problem or not?

After googling a bit it seems that it could be a problem with the ldaptive lib 
and jdk11... Any information about such a problem?


Thanks

--

Julien Gribonvald

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b098c57c-feb6-ecaa-88a0-579ca6bb963c%40recia.fr.


[cas-user] java CAS-client spring config can't get ProxyTicket

2018-10-15 Thread julien . gribonvald
Hi, 

After moving cas-client initialization from web.xml to spring beans, we 
can't get the proxy-ticket from the assertion anymore. Did someone 
encounter the problem? I don't see any bug report about this problem. It 
would be to fix this problem: https://github.com/Jasig/uPortal/issues/1374 

On another side, to be able to externalize the configuration, did you test 
another init method? From a properties file (this one doesn't seem 
documented and tested)? 

Thanks, 
Julien

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/03bacef7-e1a7-421f-9094-b583bda448e8%40apereo.org.


Re: [cas-user] Memcache Ticket Registry HA

2018-04-10 Thread Julien Gribonvald

Hi,

You can use repcached for the replicated side with memcached; we have been 
using it for several years in our context and we are totally satisfied!


Thanks

Le 10/04/2018 à 17:51, Ray Bon a écrit :

Teddy,

I have not used memcached. To accomplish your goal you would need a 
replicated cache.

How often do you plan to restart your servers? Will your users notice?

Ray

On Tue, 2018-04-10 at 08:07 -0700, Teddy Brown wrote:
Is it possible to get High Availability with the memcache ticket 
registry?


I only have these attributes configured currently and it works.

However, it seems that if the Memcached instance on either host is 
restarted (or the host is restarted), CAS continues to function 
as expected, but any tickets on the restarted host need to re-authenticate.

cas.ticket.registry.memcached.servers=cas01:11211,cas02:11211
cas.monitor.memcached.failureMode=Redistribute

Is it possible to configure this in a way that a restart of either 
Memcached service will not result in the loss of any CAS tickets?


Thanks


--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca



--
Julien Gribonvald

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/aa5aeae9-aa9b-7872-1c79-3b967e29a348%40recia.fr.


Re: [cas-user] CAS server in Angular JS + spring REST API architecture

2017-07-10 Thread Julien Gribonvald

What you described is good, and it's how my app and the examples provided work.

Requesting a CAS ACCESS TOKEN on each request isn't needed, but at 
least on your REST server managing a token is needed, or you need to 
manage a session cookie (or a token/session map), so the jwt token is a 
way to secure your app; in my mind it's even better than a cookie.



Le 10/07/2017 à 15:15, Filip Majernik a écrit :
First of all, thank you all for the responses, it helps me very much. 
I will take a look at that example with Angular.


However, I think I've found a solution (or at least I am going to try that 
way). I will go away from OpenID or OAuth (imho I don't really 
think that they are well suited for what I need. Almost all the 
examples in spring are using the same app for the resource server as 
for the oauth server). I have reviewed the CAS protocol and I am going 
to try to implement it in this way:


1.) The AngularJS app will redirect to the login page.
2.) After successful login the user is redirected to the angular app 
again but with a SERVICE TICKET
3.) When the first call is made to the REST API, the SERVICE TICKET 
would be validated and if valid, then it creates a session cookie.
4.) All the other REST API calls would get authorized unless the 
session cookie expires (without validating the SERVICE TICKET again).


Somehow I got fixed on the word "stateless", because the REST API is 
stateless. But if I really would like to be stateless, this would 
indeed require contacting the CAS server every time with an ACCESS 
TOKEN and validating it.


So feel free to correct me if I am wrong, but I think the above 
described solution with the CAS protocol is fine.


On Monday, July 10, 2017 at 2:33:56 PM UTC+2, Julien Gribonvald wrote:

Hi Filip,

Did you look at what is possible with spring security? There are
several possibilities to secure your REST API, and in my mind jwt
is a good option.

I developed an angular app and used spring-security, I didn't
use the jwt protocol as it was not well documented when I developed my
app but I think I would use it now.
My app can be found here: https://github.com/EsupPortail/esup-publisher
Or if you prefer you can find a POC of the auth mechanism here:
https://github.com/jgribonvald/demo-spring-cas-angular or
someone made a documented and more advanced example here:
https://github.com/rohajda/casdemo (he used my POC).

For a jwt example you can rely on Pascal's explanations, or maybe on
the web you can easily find some well explained documentation (search on
"spring security jwt").

Thanks
Julien


Le 10/07/2017 à 13:35, Pascal Rigaux a écrit :
> Hi,
>
> With CAS protocol, your API MUST create its own token/session:
> CAS ticket is a one time token, no way to rely on it.
>
> Another solution is to use OpenID Connect, it should work with
> CAS >= 5.1 :
> - enable OpenID Connect
> - use implicit flow to obtain CAS generated JWT
> - send JWT to your API
> - REST API checks JWT signature against jwks_uri
>
> Example : https://area51.univ-paris1.fr/prigaux/test-oidc.html (you
> must be logged on google first)
>
> Drawbacks:
> - no easy single logout (major pb for us)
>
> French presentation on this:
> https://prigaux.frama.io/JwtProxyService/
>
> cu
>
>
> Filip Majernik <filip.m...@gmail.com> a écrit :
>
>> Hi Pascal,
>> the reason why I need this is that the REST API calls can also be
>> performed only by an authorized user. This means that the AngularJS app
>> must send some token alongside the request to my REST API and the REST
>> API must be able to validate that token.
>>
>> So the main problem for me is not to login (this can be done with a
>> redirect, or with posting the username/password, I do not really
>> mind), but to validate the token in my REST API. Because I do not want
>> to create another http request to the CAS server every time the Angular
>> app makes a request.
>>
>> Bye,
>> Filip
>>
>> On Saturday, July 8, 2017 at 6:39:57 PM UTC+2, Pascal Rigaux wrote:
>>>
>>> Hi,
>>>
>>> Do you really need to handle username/password? Most CAS
>>> applications avoid this since it breaks SSO.
  

Re: [cas-user] CAS server in Angular JS + spring REST API architecture

2017-07-10 Thread Julien Gribonvald

Hi Filip,

Did you look at what is possible with spring security? There are 
several possibilities to secure your REST API, and in my mind jwt is a 
good option.


I developed an angular app and used spring-security, I didn't use the 
jwt protocol as it was not well documented when I developed my app but 
I think I would use it now.

My app can be found here : https://github.com/EsupPortail/esup-publisher
Or if you prefer you can find a POC of the auth mechanism here : 
https://github.com/jgribonvald/demo-spring-cas-angular or someone made a 
documented and more advanced example here : 
https://github.com/rohajda/casdemo (he used my POC).


For a jwt example you can rely on Pascal's explanations, or maybe on the web 
you can easily find some well explained documentation (search on 
"spring security jwt").


Thanks
Julien


Le 10/07/2017 à 13:35, Pascal Rigaux a écrit :

Hi,

With CAS protocol, your API MUST create its own token/session:
CAS ticket is a one time token, no way to rely on it.

Another solution is to use OpenID Connect, it should work with CAS >= 
5.1 :

- enable OpenID Connect
- use implicit flow to obtain CAS generated JWT
- send JWT to your API
- REST API checks JWT signature against jwks_uri

Example : https://area51.univ-paris1.fr/prigaux/test-oidc.html (you 
must be logged on google first)


Drawbacks:
- no easy single logout (major pb for us)

French presentation on this: https://prigaux.frama.io/JwtProxyService/

cu


Filip Majernik a écrit :


Hi Pascal,
the reason why I need this is that the REST API calls can also be
performed only by an authorized user. This means that the AngularJS app
must send some token alongside the request to my REST API and the REST
API must be able to validate that token.

So the main problem for me is not to login (this can be done with a
redirect, or with posting the username/password, I do not really mind), but
to validate the token in my REST API. Because I do not want to create
another http request to the CAS server every time the Angular app makes a
request.

Bye,
Filip

On Saturday, July 8, 2017 at 6:39:57 PM UTC+2, Pascal Rigaux wrote:


Hi,

Do you really need to handle username/password? Most CAS applications
avoid this since it breaks SSO.

A simple solution for AngularJS applications is to do as many other
apps: require a valid session on all html pages [*]

Example : https://github.com/fedon/spring-cas-auth .

SPA allows relogging without losing "browser" activity (eg: textarea
content). Here is a tutorial application with phpCAS that shows
various ways to handle CAS relog in a SPA :
https://github.com/prigaux/angular-seed

* forked from "angular-seed" (an old version)
   added some php pages
   kept index.html, but the app really is index.php

* every commit shows a different functionality. To understand them,
start from the first one, then have a look at the more advanced
features:
- CAS example : minimal casification
- CAS example using http-auth-interceptor : same but using a module
intercepting every $http calls
- use ngRoute "resolve" : avoid displaying page "view1" until the user
is authenticated
- replace alert with modal window from angular UI Bootstrap : prepares
the next commit
- add transparent relog using jsonp + CAS gateway : if app session is
expired, try transparent login on CAS using JSONP
- add relog using window.open+postMessage : if transparent relog
failed, instead of restarting application, use window.open+postMessage

* to make it work:

git clone --depth 4 https://github.com/prigaux/angular-seed.git angular-seed-phpCAS
cd angular-seed-phpCAS
bower install

You need phpCAS :
https://wiki.jasig.org/display/CASC/phpCAS+installation+guide

Happy CAS,
cu


[*] if your first page is static AND CAS protected, you must ensure it
is not browser cached






To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2da6723a-a2b1-3af8-685b-2041638286d7%40recia.fr.


[cas-user] Reflection around SPNEGO authentication and external IDP

2016-06-28 Thread Julien Gribonvald

Hi,

In the ESUP consortium we are looking at possible use cases for 
integrating the new French government central "identity provider", 
which French administration services will be able to integrate to 
authenticate all French people on their apps (FranceConnect, which uses 
the OpenID Connect protocol).


So we know it's possible to integrate it without too much difficulty; 
we only need to use this service as an authentication handler, but we have 
some workflow to develop. Our problems aren't with web authentication but 
with computer auth (when using SPNEGO/kerberos...).


What can we do when the account's principals (login/password) are not 
known "locally"? In this case, how should it be done? Or how can the 
computer authentication be delegated to a web-only external service?
Is there a way, or is it possible to log the user in from a web access 
when the user logs in from a computer?


Reflections are also welcome for such a use case!

Thanks,
--
Julien Gribonvald

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/577257A5.7010506%40recia.fr.


Re: [cas-user] CASify an AngularJS web application

2016-05-25 Thread Julien Gribonvald

Hi,

I suggest that you look at these examples :
with java backend : https://github.com/jgribonvald/demo-spring-cas-angular
with php backend : https://github.com/prigaux/angular-seed

The problem with mod_auth_cas is that it doesn't take care of cas 
logout requests ;)


Thanks
-Julien


Le 24/05/2016 17:22, Neil Sabol a écrit :


Hi Jay,

Good question – we struggled with this a little while ago and devised 
a solution that worked for our Angular JS applications. This may or 
may not scale or apply to your situation.


We discovered that mod_auth_cas "sees" routes in Angular (based on URI 
anyway). We configured mod_auth_cas to trigger when specific URIs are 
accessed in our Angular application and use those URIs to POST to a 
"login.php" file that simply returns the UID of the currently 
authenticated user (basically, just echoing $_SERVER['REMOTE_USER']) to 
the Angular app. The "login.php" file must also be included in the 
paths that mod_auth_cas triggers for.


There is definitely room for improvement. We hoped to use phpCAS but 
it did not play well in our Angular app (CORS issues).


We were also unable to locate a great example, so if you (or anyone 
else) figure something out, I would be very interested to learn about 
your approach.


I hope this helps.

Thanks,

-Neil

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of india.jai
Sent: Monday, May 23, 2016 7:57 AM
To: CAS Community <cas-user@apereo.org>
Subject: [cas-user] CASify an AngularJS web application

Hi All

Is it possible to CASify an AngularJS web application ?

We are planning to refactor our existing CAS web applications and 
thinking of using AngularJS.


Not able to find a solid answer if it's possible or not?

Can you please kindly clarify?

Thanks

Jay






--
Julien Gribonvald

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/57455097.5090706%40recia.fr.