Re: [cas-user] which registry ticket storage ?
Hi Jérôme,

We are deploying the same configuration for several services: 3 servers, each one with Redis + Sentinel (we are also thinking of deploying a Redis farm instead). One server is a master and the two others are slaves; we don't use the persistent option nor the database. We also use an HAProxy when we can distinguish read and write access, to share the load.

All this configuration was defined mainly from this blog: https://www.willandskill.se/en/setup-a-highly-available-redis-cluster-with-sentinel-and-haproxy/

Julien Gribonvald

On 24/03/2021 at 09:23, Jérôme NENERT wrote:

On 17/03/2021 at 17:34, Julien Gribonvald wrote:

Hi,

Hi Julien,

I would recommend Redis; after memcached it's the fastest and most efficient system for a large amount of data. Others will work well, but you will gain in efficiency and server resources compared to other systems.

Which type of Redis replication do you use in combination with CAS? Sentinel with redis.sentinel configuration keys, or another type of configuration?

Jerome Nenert

I don't recommend memcached only because we can't watch the data without modifying/refreshing it; the problem is that we can't have a good overview on and on the data.

Thanks
Julien Gribonvald

On 17/03/2021 at 15:50, Daniel CHARLOT wrote:

Hello there,

We need to upgrade our CAS server V4 to V6 and add an F5 load balancer. We will do some HA with them and we are wondering which product has the best performance for use as ticket registry? Memcached, Cassandra, MongoDB, Couchbase, Redis or another? I would like to choose Redis, because it seems to work like a charm, but I'm not sure.

Thanks for your advice and your feedback from experience.

Daniel CHARLOT

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1ae9c044-693a-3b06-8912-628dbd9a36f9%40recia.fr.
Re: [cas-user] which registry ticket storage ?
Hi,

I would recommend Redis; after memcached it's the fastest and most efficient system for a large amount of data. Others will work well, but you will gain in efficiency and server resources compared to other systems.

I don't recommend memcached only because we can't watch the data without modifying/refreshing it; the problem is that we can't have a good overview on and on the data.

Thanks
Julien Gribonvald

On 17/03/2021 at 15:50, Daniel CHARLOT wrote:

Hello there,

We need to upgrade our CAS server V4 to V6 and add an F5 load balancer. We will do some HA with them and we are wondering which product has the best performance for use as ticket registry? Memcached, Cassandra, MongoDB, Couchbase, Redis or another? I would like to choose Redis, because it seems to work like a charm, but I'm not sure.

Thanks for your advice and your feedback from experience.

Daniel CHARLOT
Re: [cas-user] AJP with header too big
Hi,

This is written in the doc but not directly; you have the property

cas.server.ajp.attributes.attributeName=attributeValue

That is to say, for your case:

cas.server.ajp.attributes.packetSize=YOUR VALUE

- Julien

On 30/09/2019 at 11:40, Fabrice Bacchella wrote:

I'm getting the following error on CAS 5.3 with AJP:

2019-09-30 11:19:19,411 ERROR [org.apache.coyote.ajp.AjpProcessor] Header message of length [11,006] received but the packetSize is only [8,192]
2019-09-30 11:19:19,411 ERROR [org.apache.coyote.ajp.AjpProcessor] Error processing request
java.lang.NullPointerException: null

So I should increase the packetSize of the AJP connector, but it's missing from https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties.html#ajp

Is it hidden somewhere else?

--
Julien Gribonvald
[cas-user] Re: Logout workflow with Delegated Auth
After more debugging on this problem, it seems that the session can't be retrieved whereas all elements were saved in the session store. The requestContext doesn't contain any session at the logout process (even if the action is called before the terminateSessionState) and so only a new session is available. But cookies are again available!

Where is the problem? The webflow can't provide a session; is there some configuration needed?

Thanks

On Thursday, 4 July 2019 at 14:29:47 UTC+2, Julien Gribonvald wrote:
>
> To add some information to my previous message:
> - from CAS I have this log:
> DEBUG [org.apereo.cas.web.flow.DelegatedAuthenticationSAML2ClientLogoutAction] - logout action will be executed.>
>
> After debugging into the code: to find if a client is a SAML2Client a
> profile should be provisioned, but it's not the case, so it returns each
> time a null client.
>
> What is missing here? Should a profile be provisioned, and how in this
> case? Or is there a problem with a wrong check?
>
> I could fix that, but let me know what is the good way to do it.
> Thanks
>
> On Thursday, 4 July 2019 at 13:16:17 UTC+2, Julien Gribonvald wrote:
>>
>> Hi,
>>
>> I can't find in the documentation how the logout should work with delegated
>> authentication (from the pac4j module, as an example).
>>
>> I'm looking at the workflow when the global logout is initiated from the
>> CAS (or from a service to the CAS): is there a way to propagate it to
>> the IDP to which the user connected? I can't get this working with a SAML
>> IDP, whereas the metadata have the SLOLogout url information provided.
>>
>> Also, is it working when the logout request comes from the SAML IDP?
>>
>> How should this work, what are the requirements? I'm using the CAS V6
>> master branch.
>>
>> Thanks,
>>
>> --
>> Julien Gribonvald
[cas-user] Re: Logout workflow with Delegated Auth
To add some information to my previous message:
- from CAS I have this log:
DEBUG [org.apereo.cas.web.flow.DelegatedAuthenticationSAML2ClientLogoutAction] -

After debugging into the code: to find if a client is a SAML2Client a profile should be provisioned, but it's not the case, so it returns each time a null client.

What is missing here? Should a profile be provisioned, and how in this case? Or is there a problem with a wrong check?

I could fix that, but let me know what is the good way to do it.
Thanks

On Thursday, 4 July 2019 at 13:16:17 UTC+2, Julien Gribonvald wrote:
>
> Hi,
>
> I can't find in the documentation how the logout should work with delegated
> authentication (from the pac4j module, as an example).
>
> I'm looking at the workflow when the global logout is initiated from the
> CAS (or from a service to the CAS): is there a way to propagate it to
> the IDP to which the user connected? I can't get this working with a SAML
> IDP, whereas the metadata have the SLOLogout url information provided.
>
> Also, is it working when the logout request comes from the SAML IDP?
>
> How should this work, what are the requirements? I'm using the CAS V6
> master branch.
>
> Thanks,
>
> --
> Julien Gribonvald
[cas-user] Logout workflow with Delegated Auth
Hi,

I can't find in the documentation how the logout should work with delegated authentication (from the pac4j module, as an example).

I'm looking at the workflow when the global logout is initiated from the CAS (or from a service to the CAS): is there a way to propagate it to the IDP to which the user connected? I can't get this working with a SAML IDP, whereas the metadata have the SLOLogout url information provided.

Also, is it working when the logout request comes from the SAML IDP?

How should this work, what are the requirements? I'm using the CAS V6 master branch.

Thanks,

--
Julien Gribonvald
[cas-user] Refreshing value on dynamic user attributes
Hi folks,

I'm loading user attributes from an LDAP after authentication; my problem is that we have some "dynamic" attributes that permit setting the user context. My problem is to be able to change the value of such attributes without a logout of the user, or doing only a partial logout. I mean I would like to keep the user logged in to CAS but propagate the logout to already connected applications, to be able to propagate the updated user context value (to change the user's context).

Do you think that could be doable? Without big changes? What would be your way to do it on CAS 6?

In our older CAS version we made a global logout, but we would like to avoid it now, as it will help us on some workflows.

Thanks,

--
Julien Gribonvald
[cas-user] SAML2 client Delegated Auth - IDP-initiated mode support
Hi folks,

Is there a way to support the IDP-initiated mode with the pac4j client? Or any other client? (IDP-initiated mode is an Auth Request coming directly from an IDP without going through the CAS server before; this mode sets all url params needed, like the entityID and the targeted service.)

Thanks,

--
Julien Gribonvald
[cas-user] Questions on pac4j saml module
Hi folks,

I have a few questions about the pac4j saml configuration:

* Is there a way to customize the button generated with the clientName text on the CAS login page? I mean using a displayName and a description; is there something already existing, or could I propose a Pull Request to be able to customize it?
* How are you generating metadata after the CAS server launch? The default configuration generates the metadata, if they don't exist, only when a request is made; I would like these metadata to be available when the CAS is available, so that IDPs can request them before a user accesses it!
* What is the best way to share generated files (metadata, keystore, certificates) between each CAS instance used in load-balancing (not in cluster)? I'm using a git repo to share my configurations only (in the /xxx/cas-properties/), but I'm not sure that is a good practice, even more so if we delete certificates and metadata to renew them. What are your advice/practices?

Thanks

--
Julien Gribonvald
Re: [cas-user] Issue with LPPE and memcached ticket registry
Ray,

I'm not sure that will work with the cas-overlay-template done with gradle. On my side I cloned the CAS repository following the documentation and I publish to my nexus, but with docker:

- clone the cas project, apply the changes and publish them to your git repo
- clone this git repo in your docker file and run the commands as you would locally, following the doc; inside the module you will have to build and install the change locally (command example to build this kind of module and to install it locally: ../../gradlew clean build install --configure-on-demand --build-cache --parallel -x test -x javadoc -x check --stacktrace -DskipNestedConfigMetadataGen=true -DskipGradleLint=true); that way your cas build from the cas-overlay-template will be able to use your change.

Julien

On 01/05/2019 at 21:26, Ray Bon wrote:

Doug,

I have not used the docker image but suspect it operates the same way as a standalone deploy. You create your package/class(es) in src/main/java (in the root of the project directory). It will get built and placed in the war. https://apereo.github.io/cas/5.3.x/installation/Maven-Overlay-Installation.html

Ray

On Wed, 2019-05-01 at 17:09 +0800, Doug Campbell wrote:

Thanks Julien. I think I understand what needs to be done for registering the missing class but I have no idea how to deploy a change to test it. I’m using the cas-webapp-docker to deploy to Docker using cas-overlay-template. If you were able to give me some pointers as to how to test these changes I would go ahead and try to make this work on the 6.0.x branch.

Doug

From: cas-user@apereo.org On Behalf Of Julien Gribonvald
Sent: Tuesday, April 30, 2019 5:47 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] Issue with LPPE and memcached ticket registry

Hi,

To fix your problem you have to register the missing class; here is a PR to use as an example of registering some missing classes: https://github.com/apereo/cas/pull/3857/files. So you can contribute?

My point of view is that it's a problem that KRYO needs to register all classes to serialize them, but there doesn't seem to be another way. After, there is a good benefit to using KRYO, as its serialization is more efficient than the default one.

Thanks,
Julien

On 29/04/2019 at 05:51, Windham, Gary D - (windhamg) wrote:

Doug, thank you very much for your feedback and the workaround. That does, indeed, fix the immediate issue at hand. Hopefully the Kryo serialization issue will be resolved soon.

Thanks again!

--Gary

--
Gary Windham
Principal Enterprise Systems Architect
University Information Technology Services
The University of Arizona
Email: windh...@email.arizona.edu
Office: +1 520 626 5981

On Sun, Apr 28, 2019 at 8:26 PM Doug Campbell <wdouglascampb...@gmail.com> wrote:

I don’t know if this is an ideal workaround but I found in my case that if I changed the transcoder setting from KRYO to SERIAL, everything started working great.

cas.ticket.registry.memcached.transcoder: SERIAL

The documentation recommends using KRYO, stating “This component is recommended over the default Java serialization mechanism since it produces much more compact data, which benefits both storage requirements and throughput.” There are two other options as well: WHALIN and WHALINV1. I am not sure if it really matters which one, but since the use of KRYO seems buggy maybe the recommendation for using it is no longer the best.

From: cas-user@apereo.org On Behalf Of Doug Campbell
Sent: Monday, April 29, 2019 10:36 AM
To: cas-user@apereo.org
Subject: RE: [cas-user] Issue with LPPE and memcached ticket registry

Gary,

I don’t have an answer but I saw this same error yesterday when I was testing proxy authentication on my CAS 6.0.3 test setup. In my case I haven’t configured LPPE. I did try disabling it just now but that seemed to have no effect as the error still occurs. In my case I am using spymemcache and not AWS Elasticache. For now I have switched back to the default InMemory ticket registry and proxy authentication works fine with that. If I figure out anything I will let you know, and if you discover a solution please do report back.

Thanks!

From: cas-user@apereo.org On Behalf Of Windham, Gary D - (windhamg)
Sent: Monday, April 29, 2019 9:28 AM
To: cas-user@apereo.org
Subject: [cas-user] Issue with LPPE and memcached ticket registry

Hi all,

I've been building/testing CAS v6.1.0 (HEAD), and was getting along fairly well until I ran into an error with LPPE and the memcached ticket registry I'm using. I am using 389 Directory server for LDAP authentication and have passw
Re: [cas-user] Issue with LPPE and memcached ticket registry
java.lang.IllegalArgumentException: Class is not registered: org.apereo.cas.authentication.support.password.PasswordExpiringWarningMessageDescriptor
Note: To register this class use: kryo.register(org.apereo.cas.authentication.support.password.PasswordExpiringWarningMessageDescriptor.class);
<...followed by big stack trace...>

Is there something I'm overlooking, or failed to add, in my config? Any pointers appreciated!

Thanks,
--Gary

--
Gary Windham
Principal Enterprise Systems Architect
University Information Technology Services
The University of Arizona
Email: windh...@email.arizona.edu
Office: +1 520 626 5981
--
Julien Gribonvald
Re: [cas-user] CAS 6.x delegated auth chained with different attributeRepository
Thanks Misagh,

Ok, so don't hesitate to notify me when the feature is available.

Julien

On 26/04/2019 at 20:36, Misagh Moayyed wrote:

This isn't quite possible to do as you describe it today. I'd suggest you wait until 6.1 RC4 as this is being somewhat worked. Otherwise, you might need to write your authentication handler and in there decide how to fetch attributes based on the client, etc.

On Tuesday, April 16, 2019 at 2:33:04 AM UTC-7, Julien Gribonvald wrote:

Hi,

Sorry to re-run the question but how can I do that? I've found how to define a policy with authenticationHandlers but it doesn't help to chain with an attributeRepository.

Is it possible to do what I want, or should I chain all delegated authenticationHandlers with all attributeResolvers?

Thanks,
Julien

On 12/04/2019 at 11:24, Julien Gribonvald wrote:
> Hi,
>
> Is there something already existing to map to a specific authn
> configuration a specific authn.attributeRepository?
>
> I have several kinds of external auth systems and so the attribute
> resolution locally (local LDAP) should be done by different LDAP
> search requests (and so attributeRepository); each authn system should
> have its own attributeRepository, and I need to avoid chaining all
> attributeRepository. Is it possible or should I implement something?
>
> If I should implement something, could you tell me what is the best way
> (and where to look)?
>
> I'm following the CAS master branch.
>
> Thanks,
> -- Julien Gribonvald

--
Julien Gribonvald
Re: [cas-user] Mandatory entry point before authentication
Thanks Ray, but that's not exactly my use case. Your use case admits that users can authenticate from any service; in my case I need that they must come from one service to be able to authenticate. But your redirect is welcome!

Thanks
Julien

On 17/04/2019 at 20:57, Ray Bon wrote:

Julien,

Check this setting:

cas.view.defaultRedirectUrl=https://${cas.server.name}/mypage

If the user goes to CAS first (without a service), they get redirected to defaultRedirectUrl.

Ray

On Wed, 2019-04-17 at 16:56 +0200, Julien Gribonvald wrote:

Hi,

Is there a simple way to force a user to come from a service before authenticating? I mean, before accessing some services (not all) a user should come from an entry point (a service on which he will be authenticated afterwards, like a portal); if not, he should be redirected to this entry point.

If not, is it a thing to define a service policy from the service management to do that? Or are you seeing a better way?

Thanks,

--
Julien Gribonvald

--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

--
Julien Gribonvald
[cas-user] Mandatory entry point before authentication
Hi,

Is there a simple way to force a user to come from a service before authenticating? I mean, before accessing some services (not all) a user should come from an entry point (a service on which he will be authenticated afterwards, like a portal); if not, he should be redirected to this entry point.

If not, is it a thing to define a service policy from the service management to do that? Or are you seeing a better way?

Thanks,

--
Julien Gribonvald
Re: [cas-user] CAS 6.x delegated auth chained with different attributeRepository
Hi,

Sorry to re-run the question but how can I do that? I've found how to define a policy with authenticationHandlers but it doesn't help to chain with an attributeRepository.

Is it possible to do what I want, or should I chain all delegated authenticationHandlers with all attributeResolvers?

Thanks,
Julien

On 12/04/2019 at 11:24, Julien Gribonvald wrote:

Hi,

Is there something already existing to map to a specific authn configuration a specific authn.attributeRepository?

I have several kinds of external auth systems and so the attribute resolution locally (local LDAP) should be done by different LDAP search requests (and so attributeRepository); each authn system should have its own attributeRepository, and I need to avoid chaining all attributeRepository. Is it possible or should I implement something?

If I should implement something, could you tell me what is the best way (and where to look)?

I'm following the CAS master branch.

Thanks,

--
Julien Gribonvald
[cas-user] CAS 6.x delegated auth chained with different attributeRepository
Hi,

Is there something already existing to map to a specific authn configuration a specific authn.attributeRepository?

I have several kinds of external auth systems and so the attribute resolution locally (local LDAP) should be done by different LDAP search requests (and so attributeRepository); each authn system should have its own attributeRepository, and I need to avoid chaining all attributeRepository. Is it possible or should I implement something?

If I should implement something, could you tell me what is the best way (and where to look)?

I'm following the CAS master branch.

Thanks,

--
Julien Gribonvald
Re: [cas-user] Re: Help CAS Management Error (CAS Server returned 502 status code from endpoint https://cas.example.com/cas/status/discovery. Using default FormData values)
Re: [cas-user] [CAS 6.1.X] Building with custom profiles settings
Hi,

I'm running with the option -Dspring.profiles.active=standalone,test as example and I have a properties files named as test.properties and application-test.properties

This is working well on linux.

-Julien

On 19/03/2019 at 15:58, The Jej wrote:

Hello everybody,

I'm trying to make two different profiles on my cas project:
1 profile for development environment
1 profile for production

For the moment I have tested cas by using the default 'standalone' profile. So I have created an application-standalone.properties, everything works fine and configuration inside that file works fine. Now I would like to create a more production oriented configuration: application-dev.properties and application-prod.properties for example and tell gradlew to build cas using one or the other configuration file. In my other springboot projects, I only have to use on the vm parameter: -Dspring.profiles.active=dev for example and the war generated take the application-dev.properties file

I'm trying the same thing with gradlew:

gradlew.bat clean build -Dspring.profiles.active=dev

But it does nothing (I know it would be too simple :) ), I try to find more info on the documentation but I found that's the profiles configuration is not quite clear: https://apereo.github.io/cas/6.0.x/configuration/Configuration-Server-Management.html

Also it's not recommended to overlay default bootstrap.properties (which sets spring.profiles.active=standalone) and application.properties so I try to avoid those solutions

How do you do to build with different configuration file ?

Thanks !
Jeremy

-- Julien Gribonvald
Re: [cas-user] CAS 6.1.x Ldaps configuration problem
Thanks a lot David. This solved the problem and it solved me some hours !

Regards,
--Julien

On 26/01/2019 at 16:40, David Gelhar wrote:

Using Java8 probably isn't an option - CAS 6.x requires Java11

We have been able to work around the issue by using the UnboundID provider as suggested, with settings like this:

cas.properties :
cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

build.gradle:
// to use UnboundID ldap provider instead of JNDI
compile "com.unboundid:unboundid-ldapsdk:4.0.9"

On Friday, January 25, 2019 at 5:47:00 PM UTC-5, dfisher wrote:

This appears to be a bug in JNDI code that manifests with an NPE in the ldaptive thread local code. I've filed an issue, but there isn't a resolution yet. Work arounds include:
* Use startTLS
* Use the UnboundID provider
* Use Java 8 (versions 9-12 are all affected)

--Daniel Fisher

On Fri, Jan 25, 2019 at 1:28 PM Julien Gribonvald wrote:

Hi,

I'm beginning a new CAS configuration with latest dev version with the overlay packaging and when configuring ldaps I'm having a such error :

java.lang.NullPointerException: Thread local SslConfig has not been set
at org.ldaptive.ssl.ThreadLocalTLSSocketFactory.getDefault(ThreadLocalTLSSocketFactory.java:53) ~[ldaptive-1.2.4.jar!/:?]

With no ssl conf I don't have any problems, here are my change to move on ssl use:

cas.authn.ldap[0].ldapUrl=ldaps://my.domain.fr:636
#cas.authn.ldap[0].ldapUrl=ldap://my.domain.fr:389
#cas.authn.ldap[0].useSsl=false

Did I make something wrong or ? Is there someone having the same problem or not ? After googling a bit it seems that could be a problem with ldaptive lib and jdk11... Any information about a such problem ?

Thanks
-- Julien Gribonvald
[cas-user] CAS 6.1.x Ldaps configuration problem
Hi,

I'm beginning a new CAS configuration with latest dev version with the overlay packaging and when configuring ldaps I'm having a such error :

java.lang.NullPointerException: Thread local SslConfig has not been set
at org.ldaptive.ssl.ThreadLocalTLSSocketFactory.getDefault(ThreadLocalTLSSocketFactory.java:53) ~[ldaptive-1.2.4.jar!/:?]

With no ssl conf I don't have any problems, here are my change to move on ssl use:

cas.authn.ldap[0].ldapUrl=ldaps://my.domain.fr:636
#cas.authn.ldap[0].ldapUrl=ldap://my.domain.fr:389
#cas.authn.ldap[0].useSsl=false

Did I make something wrong or ? Is there someone having the same problem or not ? After googling a bit it seems that could be a problem with ldaptive lib and jdk11... Any information about a such problem ?

Thanks
-- Julien Gribonvald
[cas-user] java CAS-client spring config can't get ProxyTicket
Hi,

After moving cas-client initialization from web.xml to spring beans we can't get anymore the proxy-ticket from the assertion. Did someone encounter the problem ? I don't see any bug report about this problem. It would be to fix this problem : https://github.com/Jasig/uPortal/issues/1374

On an other side, to be able to externalize the configuration did you test an other init method ? from properties file (this one doesn't seem documented and tested) ?

Thanks,
Julien
Re: [cas-user] Memcache Ticket Registry HA
Hi,

You can use repcached for the replicated side with memcached, we are using it since several years in our context and we are totally satisfied !

Thanks

On 10/04/2018 at 17:51, Ray Bon wrote:

Teddy,

I have not used memcached. To accomplish your goal you would need a replicated cache. How often do you plan to restart your servers? Will your users notice?

Ray

On Tue, 2018-04-10 at 08:07 -0700, Teddy Brown wrote:

Is it possible to get High Availability with the memcache ticket registry? I only have these attributes configured currently and it works. However it seems if the Memcached instance on either host is restarted (or the host is restarted) that CAS continues to function as expected, any tickets on the restarted host need to re-authenticate.

cas.ticket.registry.memcached.servers=cas01:11211,cas02:11211
cas.monitor.memcached.failureMode=Redistribute

Is it possible to configure this in a way that a restart of either Memcached service will not result in the loss of any CAS tickets?

Thanks

-- Ray Bon Programmer analyst Development Services, University Systems 2507218831 | CLE 019 | r...@uvic.ca

-- Julien Gribonvald
Re: [cas-user] CAS server in Angular JS + spring REST API architecture
What you described is good, and it's how work my app and examples provided. After requesting on each request a CAS ACCESS TOKEN isn't needed, but at least on your REST server managing a token is needed or you need to manage a session cookie (or a map token/session), so the jwt token is a way to secure your app, even in my mind it's better than a cookie.

On 10/07/2017 at 15:15, Filip Majernik wrote:

First of all, thank you all for the responses, it helps me very much. I will take a look on that example with Angular. However, I think I've found a solution (or at least going to try that way). I will go away from the OpenID or OAuth (imho I don't really think that they are well suited for what I need. Almost all the examples in spring are using the same app for the resource server as for the oauth server). I have reviewed the CAS protocol and I am going to try to implement it in this way:

1.) The AngularJS will redirect to the login page.
2.) After successful login the user is redirected to the angular app again but with a SERVICE TICKET
3.) When the first call is made to the REST API, the SERVICE TICKET would be validated and if valid, then it creates a session cookie.
4.) All the other REST API calls would get authorized unless the session cookie expires (without validating the SERVICE TICKET again).

Somehow I got fixed on the word "stateless", because the REST API is stateless. But if I really would like to be stateless, this would indeed require to contact the CAS server every time with an ACCESS TOKEN and validate it. So feel free to correct me if I am wrong, but I think the above described solution with the CAS protocol is fine.

On Monday, July 10, 2017 at 2:33:56 PM UTC+2, Julien Gribonvald wrote:

Hi Filip,

Did you watch on what is possible with spring security ? there are several possibilities to secure your REST API, and in my mind jwt is a good option. I developed an angular app and used spring-security, I didn't use the jwp protocol as it was not well documented when I developed my app but I think I would use it now.

My app can be found here : https://github.com/EsupPortail/esup-publisher
Or if you prefer you can find a POC of the auth mechanism here : https://github.com/jgribonvald/demo-spring-cas-angular
or someone made a documented and more advanced example here : https://github.com/rohajda/casdemo (he used my POC).

For jwt example you can rely on Pascal's explanations, or maybe on web you can find easily some well explained documentations (search on "spring security jwt").

Thanks
Julien

On 10/07/2017 at 13:35, Pascal Rigaux wrote:

> Hi,
>
> With CAS protocol, your API MUST create its own token/session:
> CAS ticket is a one time token, no way to rely on it.
>
> Another solution is to use OpenID Connect, it should work with CAS >= 5.1 :
> - enable OpenID Connect
> - use implicit flow to obtain CAS generated JWT
> - send JWT to your API
> - REST API checks JWT signature against jwks_uri
>
> Example : https://area51.univ-paris1.fr/prigaux/test-oidc.html (you must be logged on google first)
>
> Drawbacks:
> - no easy single logout (major pb for us)
>
> French presentation on this: https://prigaux.frama.io/JwtProxyService/
>
> cu
>
> Filip Majernik <filip.m...@gmail.com> wrote:
>
>> Hi Pascal,
>> the reason why I need this is, that the REST API calls can also be
>> performed only by an authorized user. This means that the AngularJS app
>> must send some token alongside with the request to my REST API and the REST
>> API must be able to validate that token.
>>
>> So the main problem for me is not to login (this can be done with a
>> redirect, or with posting the username/password, I do not really mind), but
>> to validate the token in my REST API. Because I do not want to create
>> another http request to the CAS server every time the Angular app makes a
>> request.
>>
>> Bye,
>> Filip
>>
>> On Saturday, July 8, 2017 at 6:39:57 PM UTC+2, Pascal Rigaux wrote:
>>>
>>> Hi,
>>>
>>> Do you really need the handle username/password? Most CAS applications
>>> avoid this since it breaks SSO.
Re: [cas-user] CAS server in Angular JS + spring REST API architecture
Hi Filip,

Did you watch on what is possible with spring security ? there are several possibilities to secure your REST API, and in my mind jwt is a good option. I developed an angular app and used spring-security, I didn't use the jwp protocol as it was not well documented when I developed my app but I think I would use it now.

My app can be found here : https://github.com/EsupPortail/esup-publisher
Or if you prefer you can find a POC of the auth mechanism here : https://github.com/jgribonvald/demo-spring-cas-angular
or someone made a documented and more advanced example here : https://github.com/rohajda/casdemo (he used my POC).

For jwt example you can rely on Pascal's explanations, or maybe on web you can find easily some well explained documentations (search on "spring security jwt").

Thanks
Julien

On 10/07/2017 at 13:35, Pascal Rigaux wrote:

Hi,

With CAS protocol, your API MUST create its own token/session: CAS ticket is a one time token, no way to rely on it.

Another solution is to use OpenID Connect, it should work with CAS >= 5.1 :
- enable OpenID Connect
- use implicit flow to obtain CAS generated JWT
- send JWT to your API
- REST API checks JWT signature against jwks_uri

Example : https://area51.univ-paris1.fr/prigaux/test-oidc.html (you must be logged on google first)

Drawbacks:
- no easy single logout (major pb for us)

French presentation on this: https://prigaux.frama.io/JwtProxyService/

cu

Filip Majernik wrote:

Hi Pascal,

the reason why I need this is, that the REST API calls can also be performed only by an authorized user. This means that the AngularJS app must send some token alongside with the request to my REST API and the REST API must be able to validate that token.

So the main problem for me is not to login (this can be done with a redirect, or with posting the username/password, I do not really mind), but to validate the token in my REST API. Because I do not want to create another http request to the CAS server every time the Angular app makes a request.

Bye,
Filip

On Saturday, July 8, 2017 at 6:39:57 PM UTC+2, Pascal Rigaux wrote:

Hi,

Do you really need the handle username/password? Most CAS applications avoid this since it breaks SSO.

A simple solution for AngularJS application is to do as many other apps: require a valid session on all html pages [*]
Example : https://github.com/fedon/spring-cas-auth .

SPA allows relogging without losing "browser" activity (eg: textarea content). Here is a tutorial application with phpCAS that shows various ways to handle CAS relog in a SPA : https://github.com/prigaux/angular-seed

* forked from "angular-seed" (an old version)
  added some php pages
  kept index.html, but the app really is index.php
* every commits shows a different functionality. To understand them, start from the first one, then have a look at the more advanced features:
  - CAS example : minimal casification
  - CAS example using http-auth-interceptor : same but using a module intercepting every $http calls
  - use ngRoute "resolve" : avoid displaying page "view1" until the user is authenticated
  - replace alert with modal window from angular UI Bootstrap : prepares the next commit
  - add transparent relog using jsonp + CAS gateway : if app session is expired, try transparent login on CAS using JSONP
  - add relog using window.open+postMessage : if transparent relog failed, instead of restarting application, use window.open+postMessage
* to make it work:
  git clone --depth 4 https://github.com/prigaux/angular-seed.git angular-seed-phpCAS
  cd angular-seed-phpCAS
  bower install
  You need phpCAS : https://wiki.jasig.org/display/CASC/phpCAS+installation+guide

Happy CAS,
cu

[*] if your first page is static AND CAS protected, you must ensure it is not browser cached

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
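The flow discussed in this thread (validate the one-time service ticket on the first REST call, then rely on the API's own token or session), as an added example that is not code from any poster or from the CAS project. `FakeCas`, `ApiSessions`, the token layout and the sample XML are assumptions made here so the block runs offline; a real API would send an HTTPS GET to the CAS `/serviceValidate` endpoint instead.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed CAS 2.0 /serviceValidate bodies (not captured from a real server).
SUCCESS_XML = (
    '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    "<cas:authenticationSuccess><cas:user>{user}</cas:user>"
    "</cas:authenticationSuccess></cas:serviceResponse>"
)
FAILURE_XML = (
    '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    '<cas:authenticationFailure code="INVALID_TICKET">ticket not recognized'
    "</cas:authenticationFailure></cas:serviceResponse>"
)


class FakeCas:
    """Hypothetical offline stand-in for <cas>/serviceValidate?service=..&ticket=.."""

    def __init__(self, issued):
        self.issued = dict(issued)  # ticket -> (service URL, user)
        self.calls = 0

    def service_validate(self, service, ticket):
        self.calls += 1
        entry = self.issued.pop(ticket, None)  # a service ticket is single use
        if entry is None or entry[0] != service:
            return FAILURE_XML
        return SUCCESS_XML.format(user=entry[1])


def parse_service_response(xml_text):
    """Return the user from authenticationSuccess, or None on failure."""
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is None or not (user.text or "").strip():
        return None
    return user.text.strip()


def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ApiSessions:
    """REST-side session layer (assumed design): CAS is contacted only at login."""

    def __init__(self, cas, service_url, key=None, ttl=900):
        self.cas = cas
        self.service_url = service_url
        self.key = key or secrets.token_bytes(32)  # HMAC key, server side only
        self.ttl = ttl

    def login(self, ticket, now=None):
        """Exchange a service ticket for an API token; None if CAS rejects it."""
        now = time.time() if now is None else now
        user = parse_service_response(
            self.cas.service_validate(self.service_url, ticket))
        if user is None:
            return None
        body = b64(json.dumps({"sub": user, "exp": int(now) + self.ttl}).encode())
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return body + "." + b64(sig)

    def authenticate(self, token, now=None):
        """Check a token locally on every later call; no request to CAS."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
            good = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(good, unb64(sig)):
                return None
            claims = json.loads(unb64(body))
        except (ValueError, AttributeError):
            return None  # malformed token
        if now >= claims["exp"]:
            return None  # expired: the client must obtain a new service ticket
        return claims["sub"]


if __name__ == "__main__":
    service = "https://api.example.org/login"  # constructed service URL
    cas = FakeCas({"ST-1-constructed": (service, "jdoe")})
    api = ApiSessions(cas, service)
    token = api.login("ST-1-constructed")
    print("user:", api.authenticate(token), "| CAS calls:", cas.calls)
    print("replayed ticket:", api.login("ST-1-constructed"))
```
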
[cas-user] Reflexion around SPNEGO authentication and external IDP
Hi,

In ESUP consortium we are looking for a way to do some possible use case on how to integrating the new French government central "identity provider", that french's administrations services will be able to integrate to authenticate all french peoples on their apps (FranceConnect and it use openId connect protocol). So we know it's possible to integrate it without too much difficulties, we need only to use this service as authentication handler, but we have some workflow to develop.

Our problems aren't for web authentication but on computer's auth (when using SPNEGO/kerberos...). How can we do when the account's principals (login/password) are not known "locally" ? in this case how to do ? or how to delegate the computer authentication on a web only external service ? Is there a way or is it possible to connect the user from a web access when the user log in from a computer ?

Reflexions are also welcome for a such use case !

Thanks,
-- Julien Gribonvald
Re: [cas-user] CASify an AngularJS web application
Hi,

I suggest that you look at these examples :
with java backend : https://github.com/jgribonvald/demo-spring-cas-angular
with php backend : https://github.com/prigaux/angular-seed

The problem with mod_auth_cas is that it doesn't take care of cas request logout ;)

Thanks
-Julien

On 24/05/2016 17:22, Neil Sabol wrote:

Hi Jay,

Good question – we struggled with this a little while ago and devised a solution that worked for our Angular JS applications. This may or may not scale or apply to your situation.

We discovered that mod_auth_cas “sees” routes in Angular (based on URI anyway). We configured mod_auth_cas to trigger when specific URIs are accessed in our Angular application and use those URIs POST to a “login.php” file that simply returns the UID of the currently authenticated user (basically, just echoing $_SERVER['REMOTE_USER']) to the Angular app. The “login.php” file must also be included in the paths that mod_auth_cas triggers for.

There is definitely room for improvement. We hoped to use phpCAS but it did not play well in our Angular app (CORS issues). We were also unable to locate a great example, so if you (or anyone else) figure something out, I would be very interested to learn about your approach.

I hope this helps.

Thanks,
-Neil

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of india.jai
Sent: Monday, May 23, 2016 7:57 AM
To: CAS Community <cas-user@apereo.org>
Subject: [cas-user] CASify an AngularJS web application

Hi All

Is it possible to CASify an AngularJS web application ? We are planing to refactor our existing CAS web applications and thinking of using AngularJS. Not able to find a solid answer if its possible or not ? Can you please kindly clarify ?

Thanks
Jay

-- Julien Gribonvald