RE: [EXTERNAL SENDER] [cas-user] Google Authenticator JPA account not persisted

2024-03-14 Thread King, Robert
Those specific keys are not included in your application.properties that you 
originally provided.  Only encryption keys in the file are for cas.tgc and 
cas.webflow.

From: Jaanus Heinlaid 
Sent: Thursday, March 14, 2024 11:14 AM
To: CAS Community 
Cc: King, Robert 
Subject: Re: [EXTERNAL SENDER] [cas-user] Google Authenticator JPA account not 
persisted

Yes, I do have them defined, as I already learned my lesson back in ver 6.5.0 :)
You can see these and other properties in the attachment of my previous post.
So it's not the missing encryption keys this time, but rather some other anomaly
which I cannot figure out.

cheers,
Jaanus
On Thursday 14 March 2024 at 14:26:09 UTC+2 King, Robert wrote:

Do you have the following defined in your properties?

cas.authn.mfa.gauth.crypto.encryption.key
cas.authn.mfa.gauth.crypto.signing.key

Maybe not relevant to the missing DB write, but exhibits the same behavior of 
MFA not persisting past restart.  If you do not define the keys in your 
properties file they typically get regenerated on each restart of CAS and that 
will make the previously encrypted data unrecoverable.

From: cas-...@apereo.org  On Behalf Of Jaanus Heinlaid
Sent: Wednesday, March 13, 2024 3:53 PM
To: CAS Community 
Subject: [EXTERNAL SENDER] [cas-user] Google Authenticator JPA account not 
persisted

Hi all,

I have upgraded to CAS 7.0.1 and am using MFA provided by Google Authenticator.
The problem is that Google Authenticator accounts don't get persisted into
the "google_authenticator_registration_record" database table, forcing users
to rescan the QR Code again after CAS is restarted.

The tokens, however, get created and stored into "google_authenticator_token"
table without any problems. I have turned on TRACE logging and logging Hibernate
SQL statements. The part of the log that I think is relevant is attached.

You can clearly see from the log that first a token is created and successfully
persisted into "Google_Authenticator_Token" table. After that we can see that
OneTimeTokenAccountSaveRegistrationAction is logging "Storing account  ...".
It must be this line in code:
https://github.com/apereo/cas/blob/7.0.x/support/cas-server-support-otp-mfa-core/src/main/java/org/apereo/cas/otp/web/flow/OneTimeTokenAccountSaveRegistrationAction.java#L75
However, no account is actually created in the DB :(

Tried this with both MySQL and PostgreSQL, same thing happens in both.
Attached is the relevant part of my application.properties.
As you can see, all the required encryption keys are also nicely provided.

And no errors are thrown. I'm out of ideas :(
This used to work nicely in CAS 6.5.0.
And works when I'm using JSON file for the GAuth registry.
But I need to get it working with JPA.
Any ideas?

cheers,
jaa...@cas.user.since.2016
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+u...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1fca213e-e1a4-4731-8370-4f9ca83e5ce1n%40apereo.org<https://groups.google.com/a/apereo.org/d/msgid/cas-user/1fca213e-e1a4-4731-8370-4f9ca83e5ce1n%40apereo.org?utm_medium=email_source=footer>.



RE: [EXTERNAL SENDER] [cas-user] Google Authenticator JPA account not persisted

2024-03-14 Thread King, Robert
Do you have the following defined in your properties?

cas.authn.mfa.gauth.crypto.encryption.key
cas.authn.mfa.gauth.crypto.signing.key

Maybe not relevant to the missing DB write, but exhibits the same behavior of 
MFA not persisting past restart.  If you do not define the keys in your 
properties file they typically get regenerated on each restart of CAS and that 
will make the previously encrypted data unrecoverable.


From: cas-user@apereo.org  On Behalf Of Jaanus Heinlaid
Sent: Wednesday, March 13, 2024 3:53 PM
To: CAS Community 
Subject: [EXTERNAL SENDER] [cas-user] Google Authenticator JPA account not 
persisted

Hi all,

I have upgraded to CAS 7.0.1 and am using MFA provided by Google Authenticator.
The problem is that Google Authenticator accounts don't get persisted into
the "google_authenticator_registration_record" database table, forcing users
to rescan the QR Code again after CAS is restarted.

The tokens, however, get created and stored into "google_authenticator_token"
table without any problems. I have turned on TRACE logging and logging Hibernate
SQL statements. The part of the log that I think is relevant is attached.

You can clearly see from the log that first a token is created and successfully
persisted into "Google_Authenticator_Token" table. After that we can see that
OneTimeTokenAccountSaveRegistrationAction is logging "Storing account  ...".
It must be this line in code:
https://github.com/apereo/cas/blob/7.0.x/support/cas-server-support-otp-mfa-core/src/main/java/org/apereo/cas/otp/web/flow/OneTimeTokenAccountSaveRegistrationAction.java#L75
However, no account is actually created in the DB :(

Tried this with both MySQL and PostgreSQL, same thing happens in both.
Attached is the relevant part of my application.properties.
As you can see, all the required encryption keys are also nicely provided.

And no errors are thrown. I'm out of ideas :(
This used to work nicely in CAS 6.5.0.
And works when I'm using JSON file for the GAuth registry.
But I need to get it working with JPA.
Any ideas?

cheers,
jaa...@cas.user.since.2016




RE: [EXTERNAL SENDER] Re: [cas-user] CAS 7 and OIDC problems

2024-01-18 Thread King, Robert
It appears as if the cas-user list may be stripping some folks' email responses.  
There have been a few of these over the last week.

From: spfma.tech via CAS Community 
Sent: Thursday, January 18, 2024 6:35 AM
To: cas-user@apereo.org
Subject: [EXTERNAL SENDER] Re: [cas-user] CAS 7 and OIDC problems

Hi Ray,

Thanks for your answer but it looks even more mysterious than the error message 
itself :-))

Regards


On 18-Jan-2024 03:34:40 +0100, r...@uvic.ca wrote:







[cas-user] RE: [EXTERNAL SENDER] Re: Initializr cas-overlay 6.6.13 build issue

2023-11-21 Thread King, Robert
Just to close the circle.  This issue is now resolved with Initializr.

From: cas-user@apereo.org  On Behalf Of King, Robert
Sent: Friday, November 17, 2023 9:09 AM
To: CAS Community 
Subject: [cas-user] RE: [EXTERNAL SENDER] Re: Initializr cas-overlay 6.6.13 
build issue

It does not, which is the point.  Initializr switched from 
“support-discovery-profile” to “support-discovery-profile-core” and that breaks 
the gradle build.

From: Meysam Shirazi 
Sent: Thursday, November 16, 2023 5:23 PM
To: CAS Community 
Cc: King, Robert 
Subject: [EXTERNAL SENDER] Re: Initializr cas-overlay 6.6.13 build issue

Hi
The CAS repository does not contain the 
cas-server-support-discovery-profile-core module!

On Thursday, November 16, 2023 at 11:00:31 PM UTC+3:30 King, Robert wrote:
Folks,

Looks like there is an issue with Initializr and the gradle build process.

How to reproduce:

curl https://casinit.herokuapp.com/starter.tgz -d casVersion=6.6.13 -d 
type=cas-overlay -d 
dependencies="support-ldap,support-saml,support-saml-idp,support-hazelcast-ticket-registry,support-hazelcast-monitor,support-jdbc,support-jdbc-monitor,support-simple-mfa,support-git-service-registry,support-reports,support-metrics,support-monitor,support-discovery-profile-core,support-consent-webflow"
 | tar -xzvf -

./gradlew clean build setExecutable

Gradle fails to build:

> Task :compileJava FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':compileJava'.
> Could not resolve all files for configuration ':compileClasspath'.
   > Could not find org.apereo.cas:cas-server-support-discovery-profile-core:.
 Required by:
 project :

If you modify build.gradle and make the following change on line 293:

implementation "org.apereo.cas:cas-server-support-discovery-profile-core"
to:
implementation "org.apereo.cas:cas-server-support-discovery-profile"

Then the gradle build completes successfully.

So it looks to me like maybe the dependencies reference should be 
support-discovery-profile and not support-discovery-core?



[cas-user] RE: [EXTERNAL SENDER] Re: Initializr cas-overlay 6.6.13 build issue

2023-11-17 Thread King, Robert
It does not,  which is the point.  Initializr switched from 
“support-discovery-profile” to “support-discovery-profile-core” and that breaks 
the gradle build.


From: Meysam Shirazi 
Sent: Thursday, November 16, 2023 5:23 PM
To: CAS Community 
Cc: King, Robert 
Subject: [EXTERNAL SENDER] Re: Initializr cas-overlay 6.6.13 build issue

Hi
The CAS repository does not contain the 
cas-server-support-discovery-profile-core module!

On Thursday, November 16, 2023 at 11:00:31 PM UTC+3:30 King, Robert wrote:
Folks,

Looks like there is an issue with Initializr and the gradle build process.

How to reproduce:

curl https://casinit.herokuapp.com/starter.tgz -d casVersion=6.6.13 -d 
type=cas-overlay -d 
dependencies="support-ldap,support-saml,support-saml-idp,support-hazelcast-ticket-registry,support-hazelcast-monitor,support-jdbc,support-jdbc-monitor,support-simple-mfa,support-git-service-registry,support-reports,support-metrics,support-monitor,support-discovery-profile-core,support-consent-webflow"
 | tar -xzvf -

./gradlew clean build setExecutable

Gradle fails to build:

> Task :compileJava FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':compileJava'.
> Could not resolve all files for configuration ':compileClasspath'.
   > Could not find org.apereo.cas:cas-server-support-discovery-profile-core:.
 Required by:
 project :

If you modify build.gradle and make the following change on line 293:

implementation "org.apereo.cas:cas-server-support-discovery-profile-core"
to:
implementation "org.apereo.cas:cas-server-support-discovery-profile"

Then the gradle build completes successfully.

So it looks to me like maybe the dependencies reference should be 
support-discovery-profile and not support-discovery-core?



[cas-user] Initializr cas-overlay 6.6.13 build issue

2023-11-16 Thread King, Robert
Folks,

Looks like there is an issue with Initializr and the gradle build process.

How to reproduce:

curl https://casinit.herokuapp.com/starter.tgz -d casVersion=6.6.13 -d 
type=cas-overlay -d 
dependencies="support-ldap,support-saml,support-saml-idp,support-hazelcast-ticket-registry,support-hazelcast-monitor,support-jdbc,support-jdbc-monitor,support-simple-mfa,support-git-service-registry,support-reports,support-metrics,support-monitor,support-discovery-profile-core,support-consent-webflow"
 | tar -xzvf -

./gradlew clean build setExecutable

Gradle fails to build:

> Task :compileJava FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':compileJava'.
> Could not resolve all files for configuration ':compileClasspath'.
   > Could not find org.apereo.cas:cas-server-support-discovery-profile-core:.
 Required by:
 project :

If you modify build.gradle and make the following change on line 293:

implementation "org.apereo.cas:cas-server-support-discovery-profile-core"
to:
implementation "org.apereo.cas:cas-server-support-discovery-profile"

Then the gradle build completes successfully.

So it looks to me like maybe the dependencies reference should be 
support-discovery-profile and not support-discovery-core?



[cas-user] embeded cas high cpu usage systemd-journal

2023-10-26 Thread King, Robert
Load testing CAS for proof of concept.

Background:

  *   CAS release 6.6.13
  *   initializr build
  *   dependencies:
 *   support-ldap
 *   support-saml
 *   support-saml-idp
 *   support-hazelcast-ticket-registry
 *   support-hazelcast-monitor
 *   support-jdbc
 *   support-jdbc-monitor
 *   support-simple-mfa
 *   support-git-service-registry
 *   support-reports
 *   support-metrics
 *   support-discovery-profile
 *   support-consent-webflow
 *   support-surrogate-webflow
 *   support-surrogate-authentication-ldap
 *   support-throttle
  *   embedded tomcat server
  *   gradlew clean build setExecutable
  *   Red Hat Enterprise 7.9 selinux
  *   run as systemd service
  *   load testing with locust

The problem we are running into is system cpu usage during a load test.  
Systemd-journal ramps to 100% cpu usage when we run a minimal load test (400 
users).  Has anyone running the embedded CAS seen similar behavior?  Running 
the same system on standalone Tomcat did not see similar behavior.



RE: [EXTERNAL SENDER] [cas-user] Update tomcat version only

2023-10-19 Thread King, Robert
CAS 6.6.13 was released Oct. 16th and updated the embedded tomcat to 9.0.81.

From: cas-user@apereo.org  On Behalf Of Mohamed Amdouni
Sent: Thursday, October 19, 2023 7:44 AM
To: cas-user@apereo.org
Subject: [EXTERNAL SENDER] [cas-user] Update tomcat version only

Hello,

When using cas version 6.6.12 for example the embedded tomcat server is 9.0.80.
What is the best way to upgrade only the tomcat server to 9.0.81?

For a spring boot application with maven it only requires setting the 
tomcat.version pom property.

Best regards,



[cas-user] Embedded userid

2023-10-03 Thread King, Robert
Folks who are running embedded Tomcat, what account are you running CAS under?

Currently working on a move from maintaining our own Tomcat install to the 
embedded spring boot.  For the POC we are running as root, but clearly that 
would be unacceptable in a production environment.

Also, what hurdles did you run into, if any?



[cas-user] Web Jars in cas-overlay?

2023-09-15 Thread King, Robert
Our UI developer wants to include bootstrap into our custom user interface.  
Looking over the documentation:

https://apereo.github.io/cas/6.6.x/ux/User-Interface-Customization-CSSJS.html#webjars-for-javascriptcss-libraries

The described method of including the web jars seems to be specific to working 
with the cas repo and not the cas-overlay repo.

Does anyone have any experience/guidance on including Web Jars with the 
cas-overlay repo?



RE: [EXTERNAL SENDER] [cas-user] Displaying random views

2023-05-09 Thread King, Robert
You would need to setup a service entry with a time based service access 
strategy that would fail on entry.

The example from:

https://apereo.github.io/cas/6.6.x/services/Service-Access-Strategy-Time.html

should work since its dates are in the past.

  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.TimeBasedRegisteredServiceAccessStrategy",
    "startingDateTime" : "2015-11-01T13:19:54.132-07:00",
    "endingDateTime" : "2015-11-10T13:19:54.248-07:00",
    "zoneId" : "UTC"
  }




From: cas-user@apereo.org  On Behalf Of Pablo Vidaurri
Sent: Tuesday, May 9, 2023 2:22 AM
To: CAS Community 
Subject: [EXTERNAL SENDER] [cas-user] Displaying random views

When I do gradlew listTemplateViews, I see one of the templates such as:
templates\casBadHoursView.html

How can I view this page to see what it looks like out of the box? I've tried 
myserver/cas/badHours, myserver/cas/BadHours, myserver/cas/badhours, etc and 
cannot find the page. Only thing I can view is cas/login and cas/logout.



RE: [EXTERNAL SENDER] Re: [cas-user] requiredIpAddresses specification?

2023-03-08 Thread King, Robert
Does it take CIDR?

10.17.133.2/31,10.17.133.4/32


From: cas-user@apereo.org  On Behalf Of Baron Fujimoto
Sent: Tuesday, March 7, 2023 10:14 PM
To: CAS Community 
Subject: [EXTERNAL SENDER] Re: [cas-user] requiredIpAddresses specification?

Actually, I've belatedly discovered I'm also seeing warnings logged about being 
unable to parse regular expressions for IP addresses in 6.6.5. I'm setting 
something like the following:

cas.monitor.endpoints.endpoint.defaults.required-ip-addresses=127.0.0.1, 
10.17.133.[234], ...

But the following is logged:

WARN [org.apereo.cas.util.function.FunctionUtils] - :58

CasWebSecurityConfigurerAdapter.java:lambda$configureEndpointAccessByIpAddress$10:297

How should IP addresses using regular expressions in the list be defined? I 
expected "10.17.133.[234]" to represent "10.17.133.2, 10.17.133.3, 10.17.133.4"

On Thu, Feb 23, 2023 at 8:44 PM Arkady Keppert wrote:
Once I leave only one IP address everything is working fine. I did try before 
with a comma and the result is the same, but with a comma it won't let me in even 
when I provide my IP address.

2023-02-24 07:31:45,593 WARN [org.apereo.cas.util.function.FunctionUtils] - 
:58

CasWebSecurityConfigurerAdapter.java:lambda$configureEndpointAccessByIpAddress$10:297
>
2023-02-24 07:31:45,593 WARN 
[org.apereo.cas.web.security.CasWebSecurityConfigurerAdapter] - 

Everything is working fine on version 6.5.9 with the same setting and IPs 
separated with | like  127.0.0.1|10.xx.xx.*
On Thursday, 23 February 2023 at 18:16:28 UTC+1 baron wrote:
Ahh, there it is. Ok, thanks! I guess for now this is generally a pretty 
indirect way to find the information (and at least for me, prone to error), and 
as you noted can be hit or miss. :/

On Thu, Feb 23, 2023 at 5:41 AM Dmitriy Kopylenko wrote:
This field: 
https://github.com/apereo/cas/blob/master/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/core/monitor/ActuatorEndpointProperties.java#L44-L48

D.

On Feb 23, 2023 at 09:40:51, Baron Fujimoto wrote:
I'm still not sure I'm looking in the right place then, because I also don't 
see it in either of:

• 


Which I think are for the master branch?

On Thu, Feb 23, 2023 at 2:48 AM Dmitriy Kopylenko wrote:
Hi Baron.

Ok, you are right, that comment is not available in the version that you are 
dealing with. I was looking at the master branch, so it’s “hit or miss” :)

D.

On Thu, Feb 23, 2023 at 00:56 Baron Fujimoto wrote:
Thanks, Dima. That  `./gradlew exportConfigMetadata` task will be very handy 
going forward.

My apologies for the probably dumb question, but where exactly does one find 
those javadocs? I tried fumbling around what seemed like likely places for the 
version I'm working with (6.6.5), such as:
• 


But I don't see the comment you provided as an example.



On Wed, Feb 22, 2023 at 5:00 AM Dmitriy Kopylenko wrote:
Hello.

There is a useful Gradle task available which would generate the properties 
file containing ALL CAS’ properties along with documentation comments for each. 
Then one could use search in that file to see what’s available. To run it, 
simply execute ./gradlew exportConfigMetadata from the root of your overlay and 
it will generate file named config-metadata.properties for your reference.

And then for example for the property in question it contains:

# Type: java.util.List
# Module: cas-server-support-reports
# Owner: 
org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties
#
# Required ip addresses.
#
# cas.monitor.endpoints.endpoint.[key].required-ip-addresses:

With owner configuration class documented 
(org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties), 
one could see the source of it and in particular the member field in question:

    /**
     * Required IP addresses. CIDR ranges are accepted.
     */
    @RegularExpressionCapable
    private List<String> requiredIpAddresses = new ArrayList<>(0);

where from the Javadoc comment it’s now clear that CIDR ranges are accepted in 
its values.

HTH,
D.

On Feb 22, 2023 at 08:49:49, 

RE: [EXTERNAL SENDER] [cas-user] Security question about CasRegisteredService wildcards

2023-02-16 Thread King, Robert
Also be very careful with your regex, it could open you up to pseudo-similar 
domain name exploit.

eg.
https://anotheruniversity.edu   << allow malicious pseudo-similar domain

VS

https://my.university.edu<< allow child domains

I’d suggest changing it to “^https?://([^/]*\.)?university\.edu/.*”, but only 
if you are set on a wild card service entry for your domain.   I would caution 
against it though.


From: cas-user@apereo.org  On Behalf Of Joshua Leger
Sent: Wednesday, February 15, 2023 3:16 PM
To: CAS Community 
Subject: [EXTERNAL SENDER] [cas-user] Security question about 
CasRegisteredService wildcards

Hello,

I have recently taken over the CAS instance at my university and have a 
question about security for the regex in CasRegisteredService.

My understanding is that you wouldn't want to set up a service with a serviceId 
of "^https://.+" because an attacker could make a fake website that seems 
legitimate because it uses our actual CAS server to authenticate and then 
convinces the user to input sensitive information. If my university owns the 
university.edu domain though, could I set up a regex like 
"^https?://[^/]*university\.edu/.*" that allows all subdomains safely because 
an attacker couldn't make their own subdomain that they control? Are there any 
other risks of the "^https://.+" serviceId that I haven't thought of?

Thanks!

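The two patterns discussed in this thread, run against constructed service URLs, as an added example (not code from the thread or from CAS). The URLs are made up, university.edu is the thread's placeholder domain, and the third, stricter pattern is this example's own suggestion. Every regex construct used here behaves the same under java.util.regex and Python's re, so the results carry over to a CAS serviceId:

```python
"""Added example (not from the thread or from CAS): run candidate CAS serviceId
patterns against constructed service URLs. Java's Pattern and Python's re agree
on every construct used here; the "strict" pattern is this example's own
suggestion, not one from the thread."""
import re
from typing import Dict

PATTERNS = {
    # the pattern from the question: anything without "/" may precede "university.edu/"
    "loose": r"^https?://[^/]*university\.edu/.*",
    # the pattern suggested in the reply: an optional dotted prefix, then "university.edu/"
    "reply": r"^https?://([^/]*\.)?university\.edu/.*",
    # stricter (assumption of this example): https only, DNS labels only before the
    # registered domain, optional port, optional path, nothing else
    "strict": r"^https://([a-z0-9-]+\.)*university\.edu(:\d+)?(/.*)?$",
}

# Constructed test URLs; the comment gives the host a browser would contact.
SAMPLE_SERVICES = [
    "https://my.university.edu/login",          # my.university.edu (legitimate)
    "https://anotheruniversity.edu/login",      # anotheruniversity.edu (look-alike)
    "https://evil.example?x=.university.edu/",  # evil.example ("university.edu/" is in the query)
    "https://university.edu.evil.example/",     # university.edu.evil.example
    "http://my.university.edu/",                # my.university.edu over plain http
    "https://university.edu:8443/app",          # university.edu with an explicit port
]


def evaluate(service: str) -> Dict[str, bool]:
    """Return, per pattern name, whether the service URL matches it."""
    return {name: re.search(pat, service) is not None for name, pat in PATTERNS.items()}


def report(services=SAMPLE_SERVICES) -> str:
    """One row per URL; a True for a hostile host is a hole in that pattern."""
    header = f"{'service':44} " + " ".join(f"{n:>6}" for n in PATTERNS)
    rows = [header]
    for s in services:
        r = evaluate(s)
        rows.append(f"{s:44} " + " ".join(f"{str(r[n]):>6}" for n in PATTERNS))
    return "\n".join(rows)


if __name__ == "__main__":
    print(report())
```

The query-string row is the one to look at: `[^/]*` admits `?`, `#` and `@`, so "university.edu/" can appear after the real host and both of the thread's patterns accept a URL whose browser-facing host is evil.example. Limiting the authority to DNS label characters closes that, at the cost of also rejecting plain-http services, which is the right trade for a CAS service entry. All three patterns are anchored at the start, so the result is the same whether the matcher uses find() or matches().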


[cas-user] Default attribute name format

2023-02-08 Thread King, Robert
Is there a way to define a default attribute name format?

Currently on CAS 6.4 (EOL version, I know, but we are working on updating).
In the meantime I'm attempting to set up a SAML SP, but that SP does not support
(what seems to be a CAS default)
urn:oasis:names:tc:SAML:2.0:attrname-format:uri for attribute name format.

There does not seem to be a way to define attribute name format when using:

cas.person-directory.attribute-definition-store.json.location=file:/etc/cas/config/attributes.json

As an alternate solution, I was wondering if there is a way to define a default 
for attribute name formats.  Defining it at the service entry level seems to 
have no effect if the attribute is already defined in the json file.



RE: [cas-user] Re: Older documentation is no longer available

2022-10-20 Thread King, Robert
Seconded

From: cas-user@apereo.org  On Behalf Of Ray Bon
Sent: Thursday, October 20, 2022 12:50 PM
To: cas-user@apereo.org
Cc: benja...@bini.io
Subject: [EXTERNAL SENDER] Re: [cas-user] Re: Older documentation is no longer 
available

Please consider that Cas is a critical part of your security infrastructure. As 
such, it should be updated regularly to stay within supported versions.
If a vulnerability is discovered (i.e., log4j2), only supported versions will 
be patched.
Deploying a patch is much simpler than upgrading, hours vs days/weeks.

It is our job to push back on management to get demand time to perform upgrades.



Ray

On Wed, 2022-10-19 at 06:43 -0700, Benjamin Bini wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

Up. Any info on this topic?

Thanks!

Le lundi 19 septembre 2022 à 16:18:45 UTC+2, Benjamin Bini a écrit :
Hello,

Why did the older CAS 5.x and early 6.x documentation disappear? It is really
sad that such an important resource for running projects is not available any
more, except if you go to GitHub to read the md files...

Thanks,




[cas-user] RE: [EXTERNAL SENDER] Re: LPPE password expirying soon webflow

2022-08-29 Thread King, Robert
Unfortunately no.  The “fix” was to remove the link to the password 
self-service application and hope that our users are motivated enough to find 
their own way to the password self-service application.

From: Timothy Hansen 
Sent: Monday, August 29, 2022 2:16 PM
To: CAS Community 
Cc: King, Robert 
Subject: [EXTERNAL SENDER] Re: LPPE password expirying soon webflow

I just discovered this problem in 6.5.x as I was attempting to implement the
same thing in our environment.  Were you ever able to discover a workaround?
On Wednesday, August 25, 2021 at 10:16:07 AM UTC-7 
ro...@mun.ca wrote:
Looking to see if anyone has experience with this use case.


• CAS 6.3.x from cas-overlay-template

• LDAP with LPPE enabled

• custom account management application (service using CAS for 
authentication)

• When a user's password has less than 30 days left to expiry, the LPPE
triggers the interrupt webflow that loads casLoginMessageView.html for
"Authentication Succeeded with Warnings"

• We customized templates/casLoginMessageView.html to add a button that 
links to our custom account management application

• When a near expiry user logs in, they are presented with the 
following UI

[https://groups.google.com/a/apereo.org/group/cas-user/attach/4105f0cc6e7f7/image001.png?part=0.1=1]

• At this point the TGT is created in the ticket registry, but no TGC 
in the client browser

• If the user clicks “continue” the TGC is set, establishing the 
session in the client browser

• If the user clicks “change password”, since TGC is not set, the 
session is never valid and so sends the user into a “loop” where they go back 
to the cas/login because no TGC is set in the client browser

With interrupt notifications there is a way to configure "ssoEnabled: true",
which I think would resolve this issue.  Does any such webflow option exist for
the "Authentication Succeeded with Warnings"?



RE: [EXTERNAL SENDER] [cas-user] Using Let's Encrypt for SSL certificate for CAS and CAS management

2022-07-22 Thread King, Robert
and the article link …..ooops sorry

https://objectpartners.com/2018/07/19/spring-boot-ssl-and-badpaddingexception/


From: cas-user@apereo.org  On Behalf Of King, Robert
Sent: Friday, July 22, 2022 10:47 AM
To: cas-user@apereo.org
Subject: RE: [EXTERNAL SENDER] [cas-user] Using Let's Encrypt for SSL 
certificate for CAS and CAS management

I have run into a similar issue and it seems to always stem from using openssl
to convert a pem/x509 cert and private key into a pkcs12 bundle.  Was not able
to find a solution.

This article looks like it might work, but I did not have time to test it yet.

From: cas-user@apereo.org On Behalf Of Tom Reijnders
Sent: Thursday, July 21, 2022 11:57 AM
To: CAS Community <cas-user@apereo.org>
Subject: [EXTERNAL SENDER] [cas-user] Using Let's Encrypt for SSL certificate 
for CAS and CAS management

I used several methods to convert the Let's Encrypt certificate to a PKCS12
certificate (including the key) but whatever I try, I get the following error
when trying to start cas-management:

java.security.UnrecoverableKeyException: Get Key failed: Given final block not 
properly padded. Such issues can arise if a bad key is used during decryption.

Any ideas how to fix this?
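One way to do the PEM to PKCS12 conversion and then prove the result opens with the password CAS will be given, as an added example (not from the thread or from CAS). It assumes a Let's Encrypt fullchain.pem and privkey.pem, a placeholder alias and password, and uses one password for both the keystore and the key entry: Tomcat under Spring Boot defaults the key password to the keystore password, so a key entry exported under a different password is what later shows up as "Get Key failed: Given final block not properly padded" unless server.ssl.key-password is set as well:

```bash
#!/usr/bin/env bash
# Added example (not from the thread): bundle a PEM certificate chain and private
# key into a PKCS12 keystore for Spring Boot/CAS, then verify it opens.
# File names, alias and password are placeholders.
set -eu

# cas_pkcs12_export CHAIN_PEM KEY_PEM OUT_P12 PASSWORD
# One password for the keystore and the key entry. Tomcat under Spring Boot
# defaults the key password to the keystore password, so a key entry exported
# under a different password is what later fails with
# "Get Key failed: Given final block not properly padded".
cas_pkcs12_export() {
  local chain="$1" key="$2" out="$3" pass="$4"
  openssl pkcs12 -export \
    -in "$chain" -inkey "$key" \
    -name cas \
    -out "$out" \
    -passout "pass:$pass"
}

# cas_pkcs12_check OUT_P12 PASSWORD
# Succeeds only if the MAC verifies with PASSWORD and a private key is inside,
# which is the same unlock the JVM performs at startup.
cas_pkcs12_check() {
  local p12="$1" pass="$2" dump
  dump=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null) || return 1
  printf '%s\n' "$dump" | grep -q 'PRIVATE KEY' || return 1
}

# cas_pkcs12_keytool_check OUT_P12 PASSWORD
# Same check through the JDK's own tool, when a JDK is on PATH.
cas_pkcs12_keytool_check() {
  local p12="$1" pass="$2"
  command -v keytool >/dev/null 2>&1 || return 0
  keytool -list -storetype PKCS12 -keystore "$p12" -storepass "$pass" >/dev/null 2>&1
}

# Matching Spring Boot / CAS properties (placeholders):
#   server.ssl.enabled=true
#   server.ssl.key-store=file:/etc/cas/cas.p12
#   server.ssl.key-store-type=PKCS12
#   server.ssl.key-store-password=changeit
#   server.ssl.key-alias=cas
#   server.ssl.key-password=changeit   # only needed when it differs from the store password

if [ "${1:-}" = "run" ]; then
  cas_pkcs12_export fullchain.pem privkey.pem cas.p12 changeit
  cas_pkcs12_check cas.p12 changeit && cas_pkcs12_keytool_check cas.p12 changeit \
    && echo "cas.p12 opens with the given password"
fi
```

Run it as `bash thisfile.sh run` in the directory holding the two PEM files. If cas_pkcs12_check passes with the password you put in cas.properties, the keystore itself is fine and the remaining suspects are the property names and the alias.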


[cas-user] RE: [EXTERNAL SENDER] Re: SAML federation and service entries

2022-06-28 Thread King, Robert
That is likely the issue.  We are on the latest 6.3.x branch.  Will mark it as 
a known bug to be resolved when we get our version to 6.5.  Thank you.

From: obe...@fsu.edu 
Sent: Monday, June 27, 2022 3:47 PM
To: CAS Community 
Cc: King, Robert 
Subject: [EXTERNAL SENDER] Re: SAML federation and service entries

Hi Robert,

There used to be a bug in CAS where a wildcard SAML service would catch 
undefined CAS services.
That issue should have been fixed in releases 6.4.0 and up.

What version of CAS are you using?

Thanks
Olivier B.
ITS Middleware
Florida State University

On Friday, June 24, 2022 at 12:51:49 PM UTC-4 ro...@mun.ca wrote:
I am attempting to integrate a SAML federation into our CAS instance.  I seem
to be stuck on service entry defined access.

It seems that to allow SAML federation I have to configure a wildcard for 
entityId/serviceId.  I was assuming that saml service entries would require 
both a positive metadata match and entityId match.  Seems that by entering the 
SAML service entry the wildcard match also applies to CAS services.

example SAML service entry
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "^https://.*$",
  "name" : "Federation Test",
  "id" : 1003,
  "evaluationOrder" : 10,
  "metadataLocation" : "https://url/to/metadata.xml"
}

After entering the above service entry, any request to 
“/cas/login?service=anything” will match.  Makes sense if only serviceId is 
used for the match.  But I figured, incorrectly, that metadata was also 
involved.

Am I missing something, or do I have to iteratively add every possible entity 
id into the regex for serviceId.  That seems unmaintainable at scale.



[cas-user] SAML federation and service entries

2022-06-24 Thread King, Robert
I am attempting to integrate a SAML federation into our CAS instance.  I seem
to be stuck on service entry defined access.

It seems that to allow SAML federation I have to configure a wildcard for 
entityId/serviceId.  I was assuming that saml service entries would require 
both a positive metadata match and entityId match.  Seems that by entering the 
SAML service entry the wildcard match also applies to CAS services.

example SAML service entry
{
  "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId" : "^https://.*$",
  "name" : "Federation Test",
  "id" : 1003,
  "evaluationOrder" : 10,
  "metadataLocation" : "https://url/to/metadata.xml"
}

After entering the above service entry, any request to 
"/cas/login?service=anything" will match.  Makes sense if only serviceId is 
used for the match.  But I figured, incorrectly, that metadata was also 
involved.

Am I missing something, or do I have to iteratively add every possible entity 
id into the regex for serviceId.  That seems unmaintainable at scale.



RE: [EXTERNAL SENDER] [cas-user] Assistance building CAS Management Overlay, "Could not find org.apereo.cas:cas-server-support-bom:."

2022-05-27 Thread King, Robert
This typically indicates that you are missing the OpenJDK development packages.

Previous thread:

https://groups.google.com/a/apereo.org/g/cas-user/c/HOiMGSumH5c/m/yof4tIlNBAAJ

From: cas-user@apereo.org  On Behalf Of Joe Gullo
Sent: Friday, May 27, 2022 1:32 PM
To: CAS Community 
Subject: [EXTERNAL SENDER] [cas-user] Assistance building CAS Management 
Overlay, "Could not find org.apereo.cas:cas-server-support-bom:."

I've been trying to build CAS Management Overlay, but I'm finding the
documentation a bit difficult to follow.  My understanding is it should produce
a standalone war, correct? I have a deployment procedure that follows this:

cd /opt/cas
rm -Rf /opt/cas/cas-management.orgname
getcas --directory cas-management.orgname --casVersion 6.5.3 --type 
cas-management-overlay
cd -orgname
cd /opt/cas/cas-management.orgname/
chown -R casadmin:casadmin /opt/cas/cas-management.orgname
sudo -u casadmin ./gradlew clean build

This fails with the following:

* What went wrong:
Execution failed for task ':compileJava'.
> Could not resolve all files for configuration ':compileClasspath'.
   > Could not find org.apereo.cas:cas-server-support-bom:.
 Required by:
 project :

I've seen some other people building this and looking at their procedures, it 
leads me to believe I need to download the actual cas-overlay to the same 
directory before attempting to build, or is something just wrong with the build 
environment?  I haven't seen much about building it in the documentation.



RE: [EXTERNAL SENDER] Re: [cas-user] CAS/LDAP user

2022-05-18 Thread King, Robert
It looks like the attribute in your cas.authn.ldap[0].searchFilter is not in 
the response from your LDAP query.

cas.authn.ldap[0].searchFilter=supannAliasLogin={%s}

Also according to the CAS documentation, you should use "{user}" and not "{%s}".

Try the following and see if it resolves your connection issues:

cas.authn.ldap[0].searchFilter=uid={user}

From: cas-user@apereo.org  On Behalf Of Zaki Elmi Guelleh
Sent: Wednesday, May 18, 2022 3:02 AM
To: cas-user@apereo.org
Subject: [EXTERNAL SENDER] Re: [cas-user] CAS/LDAP user

Hi Ray,
 ldap settings are correct.
root@LDAPserv:~# ldapsearch -h 192.168.143.200 -x -W -D 
"cn=admin,dc=example,dc=com"
# testuser, people, example.com
dn: cn=testuser,ou=people,dc=example,dc=com
cn: testuser
gidNumber: 9802
givenName: testuser
homeDirectory: /home/users/testuser
mail:
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: supannPerson
sn: testuser
supannEmpId: 1001
supannEmpProfil:: QWRtaW5pc3RyYXRldXIgZHUgU3lzdMOobWUgJiBSw6lzZWF1
supannEntiteAffectation:
uid: testuser
uidNumber: 10012
userPassword:: e01ENX16QVBuUjZhdnU4djR2blpvclA2KzVRPT0=


logs cas :

=
WHO: audit:unknown
WHAT: {source=RankedMultifactorAuthenticationProviderWebflowEventResolver, 
event=success, timestamp=Wed May 18 07:23:54 CEST 2022}
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Wed May 18 07:23:54 CEST 2022
CLIENT IP ADDRESS: X.X.X.X
SERVER IP ADDRESS: X.X.X.X
=

>
2022-05-18 07:24:07,465 INFO 
[org.apereo.cas.authentication.DefaultAuthenticationManager] - 
<[LdapAuthenticationHandler] exception details: [Unable to resolve user dn for 
testuser].>
2022-05-18 07:24:07,465 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -

r...@uvic.ca wrote:
zak,

This are the settings I have for ldap


cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://...
cas.authn.ldap[0].connectTimeout=PT3S
cas.authn.ldap[0].baseDn=ou=people,...
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].searchFilter=uid={user}
cas.authn.ldap[0].bindDn=cn=Auth Manager,...
cas.authn.ldap[0].bindCredential=...
cas.authn.ldap[0].principalAttributeList=...

You can use the command line utility, ldapsearch, to be sure your ldap settings 
are correct.
Also check ldap logs.

Ray

On Tue, 2022-05-17 at 08:25 -0700, zak elmi wrote:

Hi everyone.

I have a problem that I haven't been able to solve for a long time.


[org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - <
(APEREO CAS ASCII-art banner)


CAS Version: 6.6.0-RC2
CAS Branch: master
CAS Commit Id: 7946bc20e93ed407274ca391864c8e67165b4c8c
CAS Build Date/Time: 2022-05-10T11:39:56Z
Spring Boot Version: 2.6.6
Spring Version: 5.3.19
Java Home: /usr/lib/jvm/jdk-11
Java Vendor: Oracle Corporation
Java Version: 11.0.15
JVM Free Memory: 298 MB
JVM Maximum Memory: 910 MB
JVM Total Memory: 603 MB
OS Architecture: amd64
OS Name: Linux
OS Version: 4.9.0-18-amd64
OS Date/Time: 2022-05-17T16:45:45.852237
OS Temp Directory: /opt/tomcat/latest/temp

Apache Tomcat Version: Apache Tomcat/9.0.30
---
(READY ASCII-art banner)
>
2022-05-17 16:55:04,681 WARN 
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
 - <1 errors, 0 successes>
2022-05-17 16:55:13,354 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - https://example.com/index.php, 
requiredAttributes={}}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue May 17 16:55:13 CEST 2022
CLIENT IP ADDRESS: X.X.X.X
SERVER IP ADDRESS: X.X.X.X
=

>
2022-05-17 16:55:13,367 INFO 
[org.apereo.cas.authentication.DefaultAuthenticationManager] - 
<[LdapAuthenticationHandler] exception details: [Unable to resolve user dn for 
user].>
2022-05-17 16:55:13,368 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
2022-05-17 16:55:13,368 WARN 
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
 - <1 errors, 0 successes>



also find my cas.properties
cas.server.name=https://192.168.143.203:8443

[cas-user] RE: [EXTERNAL SENDER] Re: Attribute Definitions in 6.3.x?

2022-02-07 Thread King, Robert
Follow up, for anyone running into this situation.  One of the problems was a 
lack of understanding, and the other was a “maybe” configuration error.

Turns out the attribute definitions were working, but they do not show up in 
availableAttributes as output by the cas/actuator/discoveryProfile endpoint.  
Therefore, they were “invisible” to the cas-management app.  Might be an idea 
for PR/feature request.

To get the attribute definitions working, under 6.3.X, I ended using the 
following method.  Use a mapped attribute release policy and reference the 
friendlyName defined in the attribute definition.

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "eduPersonPrincipalName" : [ "java.util.ArrayList", [ "eduPersonPrincipalName" ] ]
    }
  }

Would also probably work in ReturnAllowedAttributeReleasePolicy, 
ReturnAllAttributeReleasePolicy.  Just have not tested.

I should mention, in case it is specific to SAML registered services, I
switched the attribute definition to the SamlIdpAttributeDefinition class.
This extends DefaultAttributeDefinition to add two optional attributes urn and
friendlyName.  Originally, I was using friendlyName under
DefaultAttributeDefinition which may have been the configuration error.

New /cas/etc/config/attribute.json:

{
  "@class" : "java.util.TreeMap",
  "eduPersonPrincipalName" : {
    "@class" : "org.apereo.cas.support.saml.web.idp.profile.builders.attr.SamlIdPAttributeDefinition",
    "key" : "eduPersonPrincipalName",
    "name" : "eduPersonPrincipalName",
    "urn" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "friendlyName" : "eduPersonPrincipalName",
    "scoped" : true,
    "attribute" : "uid"
  }
}



From: cas-user@apereo.org  On Behalf Of King, Robert
Sent: Wednesday, February 2, 2022 4:51 PM
To: Pablo Vidaurri ; CAS Community 
Subject: [cas-user] RE: [EXTERNAL SENDER] Re: Attribute Definitions in 6.3.x?

Already able to release attributes from authentication source (LDAP).  These 
attribute definitions are an attempt to add scope to attributes from that 
authentication source.

For example using uid from LDAP to define an eduPersonPrincipalName:

{
  "@class" : "java.util.TreeMap",
  "eduPersonPrincipalName" : {
    "@class" : "org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
    "key" : "eduPersonPrincipalName",
    "name" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "friendlyName" : "eduPersonPrincipalName",
    "scoped" : true,
    "attribute" : "uid"
  }
}

My understanding is that this should take the attribute “uid”, from the person 
directory, and append the value of cas.server.scope as a domain scope.

uid =  user1
cas.server.scope= example.org

Which results in:

eduPersonPrincipalName=us...@example.org

My experience is that defining 
“cas.person-directory.attribute-definition-store.json.location” in the 
cas.properties file has no effect and that enabling debugging in CAS does not 
identify any errors, or any indicators at all, that this feature is working.

I’m assuming that I’m lacking some configuration or that my understanding of 
how this should work is incorrect.

From: Pablo Vidaurri <psvidau...@gmail.com>
Sent: Wednesday, February 2, 2022 4:30 PM
To: CAS Community <cas-user@apereo.org>
Cc: King, Robert <r...@mun.ca>
Subject: [EXTERNAL SENDER] Re: Attribute Definitions in 6.3.x?

Have you tried this in your cas.properties:

cas.authn.attributeRepository.core.defaultAttributesToRelease=foo,bar,mail,name

The values you provide are comma-delimited attributes from your sources such as
LDAP, Active Directory, DB, static.
On Wednesday, February 2, 2022 at 9:08:21 AM UTC-6 
ro...@mun.ca wrote:
I am attempting to utilize the attribute definitions feature, and I have hit a 
wall.

Reference used:

https://apereo.github.io/cas/6.3.x/integration/Attribute-Definitions.html

Implemented in my cas.properties:

cas.person-directory.attribute-definition-store.json.location=file:/etc/cas/config/attributes.json

With the contents of /etc/cas/config/attributes.json:

{
"@class" : "java.util.TreeMap",
"testName" : {
  "@class" : 
"org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
  "key" : "testName",
  "name" : "testName",
  "scoped" : true,
  "attribute" : "uid"
}
}

I have turned on the following debug in log4j2.xml:




When I start up the CAS server there does not seem to be anything related to 
the attribute definitions present.  Hitting up the discovery profile actuator 
does not list the defined attributes in the “availableAttributes”.  There is no 
logging in relation to the attribute definitions configuration.

I am aware that we could do custom attrib

[cas-user] RE: [EXTERNAL SENDER] Re: Attribute Definitions in 6.3.x?

2022-02-02 Thread King, Robert
Already able to release attributes from authentication source (LDAP).  These 
attribute definitions are an attempt to add scope to attributes from that 
authentication source.

For example using uid from LDAP to define an eduPersonPrincipalName:

{
  "@class" : "java.util.TreeMap",
  "eduPersonPrincipalName" : {
    "@class" : "org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
    "key" : "eduPersonPrincipalName",
    "name" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "friendlyName" : "eduPersonPrincipalName",
    "scoped" : true,
    "attribute" : "uid"
  }
}

My understanding is that this should take the attribute “uid”, from the person 
directory, and append the value of cas.server.scope as a domain scope.

uid =  user1
cas.server.scope= example.org

Which results in:

eduPersonPrincipalName=us...@example.org

My experience is that defining 
“cas.person-directory.attribute-definition-store.json.location” in the 
cas.properties file has no effect and that enabling debugging in CAS does not 
identify any errors, or any indicators at all, that this feature is working.

I’m assuming that I’m lacking some configuration or that my understanding of 
how this should work is incorrect.

From: Pablo Vidaurri 
Sent: Wednesday, February 2, 2022 4:30 PM
To: CAS Community 
Cc: King, Robert 
Subject: [EXTERNAL SENDER] Re: Attribute Definitions in 6.3.x?

Have you tried this in your cas.properties:

cas.authn.attributeRepository.core.defaultAttributesToRelease=foo,bar,mail,name

The values you provide are comma-delimited attributes from your sources such as
LDAP, Active Directory, DB, static.
On Wednesday, February 2, 2022 at 9:08:21 AM UTC-6 
ro...@mun.ca wrote:
I am attempting to utilize the attribute definitions feature, and I have hit a 
wall.

Reference used:

https://apereo.github.io/cas/6.3.x/integration/Attribute-Definitions.html

Implemented in my cas.properties:

cas.person-directory.attribute-definition-store.json.location=file:/etc/cas/config/attributes.json

With the contents of /etc/cas/config/attributes.json:

{
"@class" : "java.util.TreeMap",
"testName" : {
  "@class" : 
"org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
  "key" : "testName",
  "name" : "testName",
  "scoped" : true,
  "attribute" : "uid"
}
}

I have turned on the following debug in log4j2.xml:




When I start up the CAS server there does not seem to be anything related to 
the attribute definitions present.  Hitting up the discovery profile actuator 
does not list the defined attributes in the “availableAttributes”.  There is no 
logging in relation to the attribute definitions configuration.

I am aware that we could do custom attributes via return mapped and groovy 
inline scripting, but we want something more broadly available to all services 
instead of per service entry custom attributes.

Does anyone have any guidance/ideas on how to get attribute definition feature 
up and running?



[cas-user] Attribute Definitions in 6.3.x?

2022-02-02 Thread King, Robert
I am attempting to utilize the attribute definitions feature, and I have hit a 
wall.

Reference used:

https://apereo.github.io/cas/6.3.x/integration/Attribute-Definitions.html

Implemented in my cas.properties:

cas.person-directory.attribute-definition-store.json.location=file:/etc/cas/config/attributes.json

With the contents of /etc/cas/config/attributes.json:

{
"@class" : "java.util.TreeMap",
"testName" : {
  "@class" : 
"org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
  "key" : "testName",
  "name" : "testName",
  "scoped" : true,
  "attribute" : "uid"
}
}

I have turned on the following debug in log4j2.xml:




When I start up the CAS server there does not seem to be anything related to 
the attribute definitions present.  Hitting up the discovery profile actuator 
does not list the defined attributes in the "availableAttributes".  There is no 
logging in relation to the attribute definitions configuration.

I am aware that we could do custom attributes via return mapped and groovy 
inline scripting, but we want something more broadly available to all services 
instead of per service entry custom attributes.

Does anyone have any guidance/ideas on how to get attribute definition feature 
up and running?



RE: [EXTERNAL SENDER] Re: [cas-user] log4j vulnerability

2021-12-10 Thread King, Robert
Just rolled out this mitigation to our servers, seems to be effective for CAS 
6.3.x builds.

Our environment for reference:

- Standalone Tomcat
- OpenJDK
- CAS and CAS-Management as deployed jars
- CAS and CAS-Management built from cas-overlay and cas-management-overlay repos.

Mitigated by adding "-Dlog4j2.FormatMsgNoLookups=true" into the Tomcat startup 
in systemd tomcat.service file.


From: 'Richard Frovarp' via CAS Community 
Sent: Friday, December 10, 2021 3:29 PM
To: cas-user@apereo.org
Subject: [EXTERNAL SENDER] Re: [cas-user] log4j vulnerability

Maybe? The one that I've seen
https://logging.apache.org/log4j/2.x/security.html

says set it as a system property, so -Dlog4j2.formatMsgNoLookups=true to your 
JVM and not in the config file.

On 12/10/21 12:55 PM, Mike Osterman wrote:
Yeah, it seems like setting the log4j2.formatMsgNoLookups to "true" in the 
log4j2.xml config file might do the trick.

I'm guessing we'd do that somewhere here at the top?





/etc/cas/logs



On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community 
<cas-user@apereo.org> wrote:
Using a new enough version of the JDK might also alleviate it? The other option 
is to throw the config option at the JDK to stop it from happening. That would 
seem to be easiest.

On 12/10/21 12:36 PM, King, Robert wrote:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Has anyone attempted to mitigate this CVE yet?

There seems to be two possible approaches to mitigation:

1. The sledgehammer approach of removing the JndiLookup.class from the jar files:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

2. Rebuild CAS and set "log4jVersion=2.15.0"
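
A check for the two mitigations discussed in this thread, added here as an example and not code from the thread or from the CAS project: it walks a directory tree for log4j-core jars, reads the version from the file name, checks whether JndiLookup.class is still packaged (the "sledgehammer" removal above), and tests a JVM option string for the formatMsgNoLookups flag. The sample jars it builds are constructed stand-ins containing only a manifest and the class entry name. The 2.15.0 threshold is the one named in the thread; later Log4j advisories raised the recommended version, so treat it as a floor rather than a target.

```python
"""Audit a deployment for the CVE-2021-44228 mitigations discussed in this thread.

Added example, not code from the thread or the CAS project. Walks a tree for
log4j-core jars, reports the version from the file name, checks whether
JndiLookup.class is still inside each jar, and checks a JVM option string
for the formatMsgNoLookups property.
"""
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)")
# Version named in the thread as the fixed release. Later Log4j advisories
# raised the recommended version further, so this is a floor, not a target.
FIXED_VERSION = (2, 15, 0)
# Java system property names are case-sensitive; this matches the canonical
# spelling from the Log4j security page linked in the thread.
JVM_FLAG_RE = re.compile(r"-Dlog4j2\.formatMsgNoLookups=true(?:\s|$)")


def parse_version(jar_name):
    """Return (major, minor, patch) from a log4j-core file name, or None."""
    m = JAR_VERSION_RE.search(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def jndi_lookup_present(jar_path):
    """True if the jar still ships the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_ENTRY in jar.namelist()


def audit_jar(jar_path):
    """Classify one jar: action is needed when it is below the fixed version
    and the lookup class has not been removed (the 'sledgehammer' mitigation)."""
    jar_path = Path(jar_path)
    version = parse_version(jar_path.name)
    present = jndi_lookup_present(jar_path)
    below_fix = version is None or version < FIXED_VERSION
    return {
        "jar": jar_path.name,
        "version": version,
        "jndi_lookup_present": present,
        "needs_action": below_fix and present,
    }


def audit_tree(root):
    """Audit every log4j-core jar under root (e.g. a Tomcat install)."""
    return [audit_jar(p) for p in sorted(Path(root).rglob("log4j-core-*.jar"))]


def jvm_flag_present(java_opts):
    """True if the JVM option string carries the formatMsgNoLookups mitigation."""
    return JVM_FLAG_RE.search(java_opts) is not None


def make_sample_jar(path, include_jndi):
    """Write a constructed stand-in jar (only a manifest and, optionally, the
    lookup class entry) so the audit can be demonstrated offline."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")  # class-file magic only


def demo():
    """Build three constructed jars in a temp dir and audit them, keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_jar(root / "lib" / "log4j-core-2.14.1.jar", include_jndi=True)
        make_sample_jar(root / "lib" / "log4j-core-2.14.1-stripped.jar", include_jndi=False)
        make_sample_jar(root / "webapps" / "cas" / "WEB-INF" / "lib" / "log4j-core-2.15.0.jar",
                        include_jndi=True)
        return {r["jar"]: r for r in audit_tree(root)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "ACTION NEEDED" if result["needs_action"] else "ok", result)
    print("JVM flag set:", jvm_flag_present("-Xmx2g -Dlog4j2.formatMsgNoLookups=true"))
```

Run it against a real Tomcat root by calling audit_tree("/opt/tomcat") and pass the JAVA_OPTS line from the systemd unit to jvm_flag_present; a jar that is below the threshold with the class still present, on a JVM without the flag, is the combination to fix first.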

[cas-user] log4j vulnerability

2021-12-10 Thread King, Robert
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Has anyone attempted to mitigate this CVE yet?

There seems to be two possible approaches to mitigation:

1. The sledgehammer approach of removing the JndiLookup.class from the jar files:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

2. Rebuild CAS and set "log4jVersion=2.15.0"



[cas-user] CAS-MANAGEMENT import metadata via URL

2021-11-09 Thread King, Robert
Running into an odd issue with cas-management version 6.3.5.  Attempting to 
import a published federation metadata and the interface errors out with the 
message that the entry already exists.  The entry does not exist.

In the catalina logs the only output is:


2021-11-09 11:42:14,319 ERROR [org.apereo.cas.mgmt.SamlController] - <
... snip to abbreviate very long xml file ...
>
2021-11-09 11:42:14,997 ERROR 
[org.springframework.boot.web.servlet.support.ErrorPageFilter] - 
java.lang.RuntimeException: 
org.springframework.web.util.NestedServletException: Request processing failed; 
nested exception is java.lang.NullPointerException
at 
org.pac4j.core.engine.AbstractExceptionAwareLogic.runtimeException(AbstractExceptionAwareLogic.java:64)
 ~[pac4j-core-4.5.0.jar:?]
at 
org.pac4j.core.engine.AbstractExceptionAwareLogic.handleException(AbstractExceptionAwareLogic.java:49)
 ~[pac4j-core-4.5.0.jar:?]
at 
org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:171)
 ~[pac4j-core-4.5.0.jar:?]
at 
org.pac4j.springframework.security.web.SecurityFilter.doFilter(SecurityFilter.java:73)
 ~[spring-security-pac4j-5.1.0.jar:?]

... snip to abbreviate very long nested null pointer exception ...

Caused by: java.lang.NullPointerException
at 
org.apereo.cas.mgmt.SamlController.createService(SamlController.java:188) 
~[cas-mgmt-support-saml-6.3.5.jar:6.3.5]
at org.apereo.cas.mgmt.SamlController.download(SamlController.java:174) 
~[cas-mgmt-support-saml-6.3.5.jar:6.3.5]


It seems as if the error is coming from

service.setSignAssertions(spDescriptor.getWantAssertionsSigned());


Setting logging for org.apereo.cas.mgmt to debug does not seemingly provide 
more insight into this issue.

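
The trace above ends in SamlController.createService at the setSignAssertions(spDescriptor.getWantAssertionsSigned()) line; from the trace alone it is not possible to tell whether the null is the SP descriptor itself (an entity with no SP role) or an absent WantAssertionsSigned value. The following pre-import check, added here as an example and not cas-management code, parses the metadata you are about to import and reports both conditions per entityID. The metadata document it uses is constructed for the demonstration.

```python
"""Pre-import check for SAML SP metadata (added example, not cas-management code).

Reports, per entityID, whether the entity has an SPSSODescriptor at all and
whether the optional xs:boolean flags on it are explicitly present.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY = f"{{{MD_NS}}}EntityDescriptor"
SPSSO = f"{{{MD_NS}}}SPSSODescriptor"
OPTIONAL_FLAGS = ("WantAssertionsSigned", "AuthnRequestsSigned")


def parse_xs_boolean(value):
    """xs:boolean allows true/false/1/0; None means the attribute is absent."""
    if value is None:
        return None
    v = value.strip().lower()
    if v in ("true", "1"):
        return True
    if v in ("false", "0"):
        return False
    raise ValueError(f"not an xs:boolean: {value!r}")


def sp_flag_report(metadata_xml):
    """Map each entityID to its SPSSODescriptor flags, or None when the
    entity carries no SP role (IdP-only or attribute-authority entities)."""
    root = ET.fromstring(metadata_xml)
    report = {}
    for ed in root.iter(ENTITY):
        spsso = ed.find(SPSSO)
        if spsso is None:
            report[ed.get("entityID")] = None
        else:
            report[ed.get("entityID")] = {
                flag: parse_xs_boolean(spsso.get(flag)) for flag in OPTIONAL_FLAGS
            }
    return report


def import_risks(report):
    """Entities an SP-import step cannot handle from explicit values: no SP
    descriptor at all, or WantAssertionsSigned left out of the descriptor."""
    risks = {}
    for eid, flags in report.items():
        if flags is None:
            risks[eid] = "no SPSSODescriptor"
        elif flags["WantAssertionsSigned"] is None:
            risks[eid] = "WantAssertionsSigned absent"
    return risks


# Constructed sample federation metadata: one SP states both flags, one omits
# WantAssertionsSigned, and one entity is an IdP with no SP role at all.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="example-federation">
  <md:EntityDescriptor entityID="https://sp-good.example.edu/shibboleth">
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp-good.example.edu/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-bare.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp-bare.example.edu/acs" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

if __name__ == "__main__":
    rep = sp_flag_report(SAMPLE_METADATA)
    for eid, flags in rep.items():
        print(eid, flags)
    print("risky for SP import:", import_risks(rep))
```

The stdlib ElementTree parser is used to keep the example dependency-free; for metadata fetched from a federation URL, run it through a hardened parser (for instance defusedxml) before trusting it, since aggregate metadata is large and comes from outside your control.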


RE: [EXTERNAL SENDER] [cas-user] Overlay template 6.4 build failed

2021-10-20 Thread King, Robert
Try "gradlew --stop" to make sure that the gradle build daemon does not stay 
resident.  Past that I think it might be a different issue than what we ran 
into locally.

And just to confirm, we are running the same openjdk, just on RHEL.

cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)

rpm -qa | grep openjdk
java-11-openjdk-11.0.12.0.7-0.el7_9.x86_64
java-11-openjdk-devel-11.0.12.0.7-0.el7_9.x86_64
java-11-openjdk-headless-11.0.12.0.7-0.el7_9.x86_64

From: cas-user@apereo.org  On Behalf Of Marc MAURICE
Sent: Tuesday, October 19, 2021 11:52 AM
To: cas-user@apereo.org
Subject: Re: [EXTERNAL SENDER] [cas-user] Overlay template 6.4 build failed


Hello,

Thanks a lot Robert.

I was missing the package. Unfortunately the error is still there.

(also tried with an overlay from initializer : same error)

[root@15871ceb6a09 initializer]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)

[root@15871ceb6a09 initializer]# rpm -qa| grep openjdk
java-11-openjdk-11.0.12.0.7-0.el7_9.x86_64
java-11-openjdk-headless-11.0.12.0.7-0.el7_9.x86_64
java-11-openjdk-devel-11.0.12.0.7-0.el7_9.x86_64







Le 19/10/2021 à 15:59, King, Robert a écrit :
You need the openjdk development packages.

For instance on RHEL7:

> yum install java-11-openjdk-devel

From: cas-user@apereo.org On Behalf Of Marc Maurice
Sent: Tuesday, October 19, 2021 11:25 AM
To: CAS Community
Subject: [EXTERNAL SENDER] [cas-user] Overlay template 6.4 build failed

Hello,

I'm trying to upgrade from cas 6.2 to 6.4.
As explained in the doc I want to start with a clean 6.4 overlay then reapply 
all my patches.

I cloned a fresh 6.4 overlay branch from the github project.
Openjdk 11 installed:

[root@15871ceb6a09 myclone]# java -version
openjdk version "11.0.12" 2021-07-20 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.12+7-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.12+7-LTS, mixed mode, sharing)

I'm getting the following error. Tried to run gradle in debug mode, and 
googling the error with no success.
gradle is not giving me any clue why it doesn't like my java version...

[root@15871ceb6a09 myclone]# ./gradlew clean build
> Task :compileJava FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':compileJava'.
> error: release version 11 not supported

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug 
option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

Deprecated Gradle features were used in this build, making it incompatible with 
Gradle 8.0.

You can use '--warning-mode all' to show the individual deprecation warnings 
and determine if they come from your own scripts or plugins.

See 
https://docs.gradle.org/7.2/userguide/command_line_interface.html#sec:command_line_warnings

BUILD FAILED in 4s
6 actionable tasks: 6 executed



RE: [EXTERNAL SENDER] [cas-user] Overlay template 6.4 build failed

2021-10-19 Thread King, Robert
You need the openjdk development packages.

For instance on RHEL7:

> yum install java-11-openjdk-devel

From: cas-user@apereo.org  On Behalf Of Marc Maurice
Sent: Tuesday, October 19, 2021 11:25 AM
To: CAS Community 
Subject: [EXTERNAL SENDER] [cas-user] Overlay template 6.4 build failed

Hello,

I'm trying to upgrade from cas 6.2 to 6.4.
As explained in the doc I want to start with a clean 6.4 overlay then reapply 
all my patches.

I cloned a fresh 6.4 overlay branch from the github project.
Openjdk 11 installed:

[root@15871ceb6a09 myclone]# java -version
openjdk version "11.0.12" 2021-07-20 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.12+7-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.12+7-LTS, mixed mode, sharing)

I'm getting the following error. Tried to run gradle in debug mode, and 
googling the error with no success.
gradle is not giving me any clue why it doesn't like my java version...

[root@15871ceb6a09 myclone]# ./gradlew clean build
> Task :compileJava FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':compileJava'.
> error: release version 11 not supported

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug 
option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

Deprecated Gradle features were used in this build, making it incompatible with 
Gradle 8.0.

You can use '--warning-mode all' to show the individual deprecation warnings 
and determine if they come from your own scripts or plugins.

See 
https://docs.gradle.org/7.2/userguide/command_line_interface.html#sec:command_line_warnings

BUILD FAILED in 4s
6 actionable tasks: 6 executed




RE: [EXTERNAL SENDER] [cas-user] enable endpoints actuator on cas 6.3.7

2021-10-14 Thread King, Robert
What is your actuator endpoint configuration in your CAS properties?  Make sure 
you have at least the following:

management.endpoints.web.exposure.include=*
management.endpoint.importRegisteredServices.enabled=true
cas.monitor.endpoints.endpoint.defaults.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.defaults.requiredIpAddresses=

The management.endpoints.web.exposure.include statement should be switched to a 
list of allowed end points on a production environment.

The IP regular expression for an IPv4 address:  "12\.210\.12\.34"

From: cas-user@apereo.org  On Behalf Of Mathieu HETRU
Sent: Thursday, October 14, 2021 7:56 AM
To: cas-user@apereo.org
Subject: [EXTERNAL SENDER] [cas-user] enable endpoints actuator on cas 6.3.7

Hello,

I cannot enable any actuator endpoint on my CAS 6.3.7...

I already get 404 Not Found on the URL...

even when I use the tutorial here: 
https://fawnoos.com/2018/11/06/cas6-admin-endpoints-security/

How can I enable actuator endpoints?

I wish to use the importRegisteredServices endpoint.

Thanks for your help!

Best regards,

Mathieu
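
A lint for the hardening points in the reply above, added here as an example and not CAS code: it parses key=value properties, flags a wildcard exposure list, a missing access rule, an empty IP allow-list and an IP regex with unescaped dots, and shows concretely what an unescaped pattern admits. Two things are assumptions of the example rather than statements from the thread: that the allow-list regex is required to match the whole client address (full match), and that multiple addresses are comma-separated. The two property sets are constructed; the first mirrors the starter settings quoted above with the allow-list left blank.

```python
"""Lint CAS actuator-endpoint properties (added example, not CAS code)."""
import re

EXPOSURE_KEY = "management.endpoints.web.exposure.include"
ACCESS_KEY = "cas.monitor.endpoints.endpoint.defaults.access"
IPS_KEY = "cas.monitor.endpoints.endpoint.defaults.requiredIpAddresses"


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines; '#'/'!' comments and blanks ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def unescaped_dots(pattern):
    """True if the regex contains a '.' that is not preceded by a backslash."""
    return re.search(r"(?<!\\)\.", pattern) is not None


def ip_allowed(pattern, client_ip):
    """Assumption for this example: the allow-list regex must match the whole
    client address. A '.' left unescaped is a wildcard, so the pattern
    '12.210.12.34' also admits '12x210x12x34'."""
    return re.fullmatch(pattern, client_ip) is not None


def lint_actuator_props(props):
    """Return human-readable findings for the weak settings discussed above."""
    findings = []
    if props.get(EXPOSURE_KEY) == "*":
        findings.append(f"{EXPOSURE_KEY}=*: exposes every endpoint; list only the ones you need")
    access = props.get(ACCESS_KEY)
    if access is None:
        findings.append(f"{ACCESS_KEY} not set: endpoints fall back to the default access rule")
    if access == "IP_ADDRESS":
        ips = props.get(IPS_KEY, "")
        if not ips:
            findings.append(f"{IPS_KEY} is empty: IP_ADDRESS access with no allowed address")
        else:
            for pat in ips.split(","):  # comma-separated list assumed
                if unescaped_dots(pat.strip()):
                    findings.append(f"unescaped '.' in {pat.strip()!r}: matches more than one address")
    return findings


# Constructed configs: the first mirrors the thread's starter settings with the
# allow-list left blank, the second is a hardened production variant.
WEAK_PROPS = """
management.endpoints.web.exposure.include=*
management.endpoint.importRegisteredServices.enabled=true
cas.monitor.endpoints.endpoint.defaults.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.defaults.requiredIpAddresses=
"""

HARDENED_PROPS = """
management.endpoints.web.exposure.include=health,importRegisteredServices
management.endpoint.importRegisteredServices.enabled=true
cas.monitor.endpoints.endpoint.defaults.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.defaults.requiredIpAddresses=12\\.210\\.12\\.34
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPS), ("hardened", HARDENED_PROPS)):
        print(label, lint_actuator_props(parse_properties(text)) or ["no findings"])
    print("escaped pattern vs spoofed string:", ip_allowed(r"12\.210\.12\.34", "12x210x12x34"))
    print("unescaped pattern vs spoofed string:", ip_allowed("12.210.12.34", "12x210x12x34"))
```

Point it at the real cas.properties with lint_actuator_props(parse_properties(open(path).read())); an empty finding list is the state to aim for before the endpoints are reachable from anything but the admin network.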


RE: [EXTERNAL SENDER] [cas-user] Re: Return allowed attributes?

2021-10-13 Thread King, Robert
Would

excludeDefaultAttributes: false

be what you are looking for?

From: cas-user@apereo.org  On Behalf Of Pablo Vidaurri
Sent: Tuesday, October 12, 2021 8:29 PM
To: CAS Community 
Cc: baron 
Subject: [EXTERNAL SENDER] [cas-user] Re: Return allowed attributes?


From the description of default attributes, the purpose of 
default-attributes-to-release is to always release the attributes defined 
there regardless of what you have or don't have in attributeReleasePolicy at 
the service level.
On Thursday, October 7, 2021 at 3:55:53 PM UTC-5 baron wrote:
We have CAS 6.3.5 configured to return a default set of attributes defined with 
the property "cas.authn.attribute-repository.default-attributes-to-release". 
This works as desired.

We wanted to release only a subset of these attributes to a particular 
registered service. The CAS docs suggest this may be possible by using an 
attributeReleasePolicy in the service definition that specifies 
"org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy"



So I added the following to an existing working service definition:

  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "cn", "sn", "mail" ] ]
  }
But CAS still seems to release the full set of default attributes for the 
service, and not just "cn", "sn", "mail" as defined above.

Am I misinterpreting what ReturnAllowedAttributeReleasePolicy should do here? 
If not, any ideas what may be amiss?
--
Baron Fujimoto  :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum


[cas-user] Canarie FIM and CAS 6.x setup

2021-09-16 Thread King, Robert
Question for the Canadian higher ed CAS users, do any of you have Canarie FIM 
federated using CAS SAML?

https://www.canarie.ca/identity/fim/

FIM documentation says that it follows Kantara's implementation for Federation 
Interoperability.  It should be compatible.  However, I have not heard of 
anyone attempting it.




RE: [EXTERNAL SENDER] Re: [cas-user] New UI elements on cas-management app

2021-09-15 Thread King, Robert
Thanks Travis,

Worked like a charm.

From: cas-user@apereo.org  On Behalf Of Travis Schmidt
Sent: Wednesday, September 15, 2021 3:18 PM
To: CAS Community 
Subject: [EXTERNAL SENDER] Re: [cas-user] New UI elements on cas-management app

Yeah, that is something that we do here that must have made it into the main 
project.  If you remove "staged" from the "Environments" field on the 
"Advanced" tab then it will go away.  It is a way we can make things active 
only in stage and not in production.

Travis

On Wed, Sep 15, 2021 at 10:30 AM King, Robert <r...@mun.ca> wrote:
Just wondering if anyone has an explanation as to what the “staged” ui element 
from cas-management 6.3.4 is?

[inline screenshot not included in the archive]


[cas-user] New UI elements on cas-management app

2021-09-15 Thread King, Robert
Just wondering if anyone has an explanation as to what the "staged" ui element 
from cas-management 6.3.4 is?

[inline screenshot not included in the archive]



RE: [EXTERNAL SENDER] [cas-user] CSP script-src breaks SAML functionality in 6.3.X?

2021-09-14 Thread King, Robert
In case anyone runs into this situation, the solution was to enable 
"unsafe-hashes" and add the hash for the inline script.

An example Apache directive:


  Header set Content-Security-Policy: "script-src 'unsafe-hashes' 'self' 'sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE='"


Where the SHA256 hash is for the inline script "document.forms[0].submit()".


From: cas-user@apereo.org  On Behalf Of Michael Daniel 
Seymour
Sent: Friday, September 3, 2021 12:49 PM
To: CAS Community 
Subject: [EXTERNAL SENDER] [cas-user] CSP script-src breaks SAML functionality 
in 6.3.X?

Hi all,

I believe enabling the script-src Content Security Policy in Apache will break 
SAML.

https://content-security-policy.com/script-src/

"The execution of all JS event handlers from inline HTML markup are blocked 
default, onclick, onload, onmouseover, onsubmit, etc. You can get them to work 
via a 'unsafe-hashes' source list expression, however that is only supported on 
CSP Level 3 browsers."

The callback from CAS through to the SAML SP fails because it contains some of 
these handlers. I have yet to try it, but possibly the unsafe-hashes policy 
could be used. But, it is not the safe or recommended way. They recommend 
refactoring the offending code.

Page loaded from 
https://cas.server.com/idp/profile/SAML2/Callback?entityId=ENTITYID&ticket=TICKET

[HTML of the callback page not preserved in the archive; its visible text reads:]
Note: Since your browser does not support JavaScript,
you must press the Continue button once to proceed.

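
How the hash in the directive above is produced, as an added example that is not part of the thread or of CAS or Apache: a CSP hash source is "sha256-" followed by the base64 digest of the exact script text, whitespace and punctuation included, which is why a published hash stops matching after the smallest edit. For a script inside an event-handler attribute (the onload handler on the callback page quoted above) the digest is taken over the attribute value and only takes effect together with 'unsafe-hashes'; a plain inline script block needs the hash alone. The helper also builds the directive value in the shape of the Apache line above; the candidate script variants are constructed for the demonstration.

```python
"""CSP hash sources for inline scripts (added example, not CAS or Apache code)."""
import base64
import hashlib

# Hash quoted in the reply above, stated there to cover "document.forms[0].submit()".
THREAD_HASH = "sha256-ePniVEkSivX/c7XWBGafqh8tSpiRrKiqYeqbG7N1TOE="


def csp_hash(script_text, algorithm="sha256"):
    """Return the CSP hash-source for the exact script text (UTF-8 bytes)."""
    digest = hashlib.new(algorithm, script_text.encode("utf-8")).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def find_matching_variant(candidates, hash_source):
    """Return the candidate whose hash equals hash_source, or None.
    Useful when a published hash does not match: a trailing semicolon or a
    single space is enough to change the digest."""
    for text in candidates:
        if csp_hash(text) == hash_source:
            return text
    return None


def script_src_directive(scripts, allow_inline_handlers, extra_sources=("'self'",)):
    """Build a script-src value: hashes for the given inline scripts, adding
    'unsafe-hashes' only when event-handler attributes must be allowed."""
    sources = list(extra_sources)
    if allow_inline_handlers:
        sources.append("'unsafe-hashes'")
    sources.extend(f"'{csp_hash(s)}'" for s in scripts)
    return "script-src " + " ".join(sources)


def apache_header_line(directive_value):
    """Render the mod_headers directive in the shape used in the reply above."""
    return f'Header set Content-Security-Policy "{directive_value}"'


if __name__ == "__main__":
    # Constructed variants of the handler text; only byte-exact text matches.
    variants = [
        "document.forms[0].submit()",
        "document.forms[0].submit();",
        "document.forms[0].submit(); ",
    ]
    print("variant matching the thread's hash:", find_matching_variant(variants, THREAD_HASH))
    print(apache_header_line(
        script_src_directive(["document.forms[0].submit()"], allow_inline_handlers=True)))
```

When the browser console reports a blocked inline handler it prints the hash it computed; comparing that value with csp_hash() over what you believe the handler text to be is the quickest way to find the stray whitespace or semicolon.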


[cas-user] LPPE password expirying soon webflow

2021-08-25 Thread King, Robert
Looking to see if anyone has experience with this use case.

* CAS 6.3.x from cas-overlay-template
* LDAP with LPPE enabled
* custom account management application (service using CAS for 
  authentication)
* When a user's password has less than 30 days left to expiry, the LPPE 
  triggers the interrupt webflow that loads casLoginMessageView.html for 
  "Authentication Succeeded with Warnings"
* We customized templates/casLoginMessageView.html to add a button that 
  links to our custom account management application
* When a near-expiry user logs in, they are presented with the following UI

[inline screenshot not included in the archive]

* At this point the TGT is created in the ticket registry, but no TGC 
  in the client browser
* If the user clicks "continue" the TGC is set, establishing the 
  session in the client browser
* If the user clicks "change password", since the TGC is not set, the 
  session is never valid and so sends the user into a "loop" where they go 
  back to cas/login because no TGC is set in the client browser

With interrupt notifications there is a way to configure "ssoEnabled: true", 
which I think would resolve this issue.  Does any such webflow option exist for 
the "Authentication Succeeded with Warnings"?



[cas-user] cas-management-overlay 6.3 branch empty

2021-08-24 Thread King, Robert
Looks like the Initializr push to the 6.3 branch of cas-management-overlay 
failed?

[inline screenshot not included in the archive]



[cas-user] RE: service vs TARGET CAS 6.3.4

2021-07-14 Thread King, Robert
According to the protocol, TARGET is for the samlValidate endpoint.

https://apereo.github.io/cas/6.3.x/protocol/CAS-Protocol-Specification.html#421-parameters

> -Original Message-
> From: 'Mallory, Erik' via CAS Community 
> Sent: Wednesday, July 14, 2021 2:43 PM
> To: cas-user@apereo.org
> Subject: [EXTERNAL SENDER] [cas-user] service vs TARGET CAS 6.3.4
> 
> Hello,
> We're working towards upgrading our CAS 6.1.8 to 6.3.4 and I discovered a
> problem with a few of our Banner applications that are configured to send
> TARGET=https://servicename.example.com/
> I reconfigured one app to send service=https://servicename.example.com/
>  and that seems to have fixed it.
> I imagine I'm going to have to touch a LOT of apps to get CAS upgraded.
> is there a way I can configure CAS to honor the TARGET variable?
> Thanks,
> --
> Erik Mallory
> Server Analyst
> Wichita State University
> 



RE: [EXTERNAL SENDER] Re: [cas-user] CAS 6.3.4 Hazelcast 4.1 Issue.

2021-07-08 Thread King, Robert
If I had a nickel for every “is it plugged in” I have missed.  ;)

From: cas-user@apereo.org  On Behalf Of Baron Fujimoto
Sent: Thursday, July 8, 2021 2:59 PM
To: CAS Community 
Subject: [EXTERNAL SENDER] Re: [cas-user] CAS 6.3.4 Hazelcast 4.1 Issue.

Thanks for that clarification of replicated vs distributed. That was helpful. 
So if I understand correctly, CAS's use of Hazelcast, if distributed but not 
replicated, means that the loss of a node in a cluster means the remaining 
nodes may not actually have the desired content from the lost node.

Also, FWIW, I think I resolved our problem where we weren't seeing any of the 
tickets distributed to other nodes. I believe Hazelcast uses port 5701 by 
default for this. These were new VMs and they require each port to be 
explicitly added. (New host, who dis?) Seems to be working as expected now. 
Sorry, PEBKAC, mea culpa, etc...

On Thu, Jul 8, 2021 at 6:03 AM Mark H. Wood <mw...@iupui.edu> wrote:
On Wed, Jul 07, 2021 at 02:49:32PM -1000, Baron Fujimoto wrote:
> I'm also confused by this. What does distributed mean, if not replicated?

I understand "replicated" to mean that each associated instance
contains the complete set of cache entries locally.  There would be a
great deal of communication required to maintain consistency, but the
cost of cache queries is small.

Another form of distribution is variously called "sharded,"
"partitioned," etc.  Associated instances would hold subsets of the
complete cache content, and their association would mean that one
instance can ask the others if any have hits where it has a miss, and
to supply one.  This isn't as fast as having a complete set in each
instance, but it reduces the communication load on insertion.  It may
be appropriate where the cost of acquiring an uncached object is
sufficiently higher than the cost of asking for help from another
subset and awaiting a reply.

If the cost of uncached objects is quite high, it can also make sense
to run multiple cache instances atop a shared backing store, which has
its own cost.

> On Mon, Jul 5, 2021 at 7:42 AM Ray Bon <r...@uvic.ca> wrote:
>
> > Erik,
> >
> > Hazelcast is not a replicated cache by default, just distributed. I
> > understand there is a backup/restore system but you would need at least
> > three servers to test it.
> >
> > The only config I have are these:
> > cluster.members
> > cluster.instanceName
> > crypto.signing.key
> > crypto.encryption.key
> > crypto.enabled=true
> >
> > which is in a shared file.
> >
> > I have two cas'es running on my local and have not seen that error. You
> > can tell if the hazelcast servers are communicating if your tickets are
> > validated on a different server than they were created. Set the load
> > balancer to round robin.
> >
> > I do not see a cas property for replication. Is it an option for cas? See
> > hazelcast docs,
> > https://docs.hazelcast.com/imdg/4.1/data-structures/replicated-map.html
> >
> > Ray
> >
> > On Thu, 2021-07-01 at 19:41 +, 'Mallory, Erik' via CAS Community wrote:
> >
> > All, I'm having a problem implementing the Hazelcast ticket store in CAS
> > 6.3.4 which uses hazelcast-4.1
> >
> > Currently I'm testing with a two node cluster frontended with a
> > netscaler. Each node has its own /etc/cas/config/cas.properties so
> > each node has its own hazelcast configuration.
> >
> > Here are the relevant hazelcast configuration parameters:
> >
> >  cas.ticket.registry.hazelcast.page-size=500
> >  cas.ticket.registry.hazelcast.cluster.tcpip-enabled=true
> >  cas.ticket.registry.hazelcast.cluster.map-merge-policy=PUT_IF_ABSENT
> >  cas.ticket.registry.hazelcast.cluster.instance-name=cas-dev
> >  cas.ticket.registry.hazelcast.cluster.members=10.0.79.38,10.0.79.37
> >  cas.ticket.registry.hazelcast.cluster.eviction-policy=LRU
> >  cas.ticket.registry.hazelcast.cluster.max-no-heartbeat-seconds=300
> >  cas.ticket.registry.hazelcast.cluster.logging-type=slf4j
> >  cas.ticket.registry.hazelcast.cluster.port=5701
> >  cas.ticket.registry.hazelcast.cluster.max-size=85
> >  cas.ticket.registry.hazelcast.cluster.backup-count=1
> >  cas.ticket.registry.hazelcast.cluster.async-backup-count=0
> >  cas.ticket.registry.hazelcast.cluster.max-size-policy=USED_HEAP_PERCENTAGE
> >  cas.ticket.registry.hazelcast.cluster.timeout=5
> >
> > In my testing I found that the tickets were not being replicated to the
> > other host. I'd use the netscaler to switch between the backend CAS
> > nodes, log in to one, fail over to the other node and attempt to access
> > cas, and I was redirected to the login screen.
> >
> > After restarting the cas services on both nodes and tailing out the cas
> > log I noticed the following error:
> >
> > Cannot 
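To make the replicated-versus-partitioned distinction in this thread concrete, here is an added Python model (not Hazelcast or CAS code) of a ticket map spread over three nodes. Partition placement by crc32 modulo node count, the node names and the ticket count are assumptions of the model; Hazelcast's real partition table and its re-balancing after a member leaves are not modelled, so the figures show only which copies exist at the instant a node disappears.

```python
"""Toy partitioned-vs-replicated cache model (added example, not
Hazelcast or CAS code). Placement = crc32(key) mod node count, with
backup_count successor nodes holding copies: an assumption of this
model, not Hazelcast's partition table."""
from zlib import crc32


class PartitionedMap:
    """Each entry lives on one owner node plus backup_count successors."""

    def __init__(self, nodes, backup_count=1):
        self.nodes = list(nodes)
        self.backup_count = backup_count
        self.store = {n: {} for n in self.nodes}  # per-node local memory

    def _holders(self, key):
        n = len(self.nodes)
        owner = crc32(key.encode()) % n
        copies = min(1 + self.backup_count, n)
        return [self.nodes[(owner + i) % n] for i in range(copies)]

    def put(self, key, value):
        for node in self._holders(key):
            self.store[node][key] = value

    def get(self, key):
        # A local miss means asking the other members; a miss everywhere
        # means the entry (e.g. a TGT) is gone and the user re-authenticates.
        for node in self.nodes:
            if key in self.store[node]:
                return self.store[node][key]
        return None

    def crash(self, node):
        # Abrupt loss with no time to re-balance: only existing copies survive.
        self.nodes.remove(node)
        del self.store[node]


class ReplicatedMap(PartitionedMap):
    """Every member holds every entry (the replicated-map idea)."""

    def _holders(self, key):
        return list(self.nodes)


def surviving_tickets(map_cls, backup_count, crashed_nodes, total=100):
    """Store `total` constructed TGT ids on a three-node cluster, crash the
    given nodes, and return how many tickets can still be resolved."""
    cache = map_cls(["cas1", "cas2", "cas3"], backup_count)
    tickets = [f"TGT-{i}-cas" for i in range(total)]
    for t in tickets:
        cache.put(t, f"session-for-{t}")
    for node in crashed_nodes:
        cache.crash(node)
    return sum(1 for t in tickets if cache.get(t) is not None)


if __name__ == "__main__":
    print("partitioned, backup-count=0, lose one node :",
          surviving_tickets(PartitionedMap, 0, ["cas1"]))
    print("partitioned, backup-count=1, lose one node :",
          surviving_tickets(PartitionedMap, 1, ["cas1"]))
    print("partitioned, backup-count=1, lose two nodes:",
          surviving_tickets(PartitionedMap, 1, ["cas1", "cas2"]))
    print("replicated, lose two nodes                 :",
          surviving_tickets(ReplicatedMap, 0, ["cas1", "cas2"]))
```

With backup-count=1 a single member loss costs no tickets, while losing two members at once drops every ticket whose owner and backup were both among the dead; the replicated variant keeps everything as long as one member is up. That is the reason a two-node cluster cannot really exercise the backup setting, as Ray notes above.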

RE: [EXTERNAL SENDER] [cas-user] CAS 6.3.5 renew=true bug for /validate and /serviceValidate

2021-07-07 Thread King, Robert
Out of curiosity, would it be possible to move to two service entries for app1 
vs app2?

I am wondering if you added the following for app2:

{
  "name" : "IAM CAS Regression Test app2",
  "description" : "CAS regression test app2",
  "serviceId" : "^https://(www\\.)*example\\.com/regression/app2(/.*)*",
  "id" : 1004,
  "evaluationOrder" : 10,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
    "failureMode" : "OPEN"
  },
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : false
  }
}

Functionally the “ssoEnabled” option is supposed to be equivalent to 
“renew=true”.  I am wondering if it is set server side, will it exhibit the 
same behavior.

From: cas-user@apereo.org  On Behalf Of Baron Fujimoto
Sent: Wednesday, July 7, 2021 3:25 PM
To: CAS Community 
Subject: Re: [EXTERNAL SENDER] [cas-user] CAS 6.3.5 renew=true bug for 
/validate and /serviceValidate

Do you mean the service registration? We use a JSON file-based service 
registry, and this is what we're using for our regression tests:

{
  "name" : "IAM CAS Regression Test",
  "description" : "CAS regression test",
  "serviceId" : "^https://(www\\.)*example\\.com/regression(/.*)*",
  "id" : 1003,
  "evaluationOrder" : 10,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
    "failureMode" : "OPEN"
  },
  "@class" : "org.apereo.cas.services.RegexRegisteredService"
}

Our regression tests are basically doing the following:

Establish SSO:
https://cas.example.edu/cas/login?service=https://www.example.com/regression/app1&renew=true

Test renew=true against established SSO:
https://cas.example.edu/cas/login?service=https://www.example.com/regression/app2
https://cas.example.edu/cas/validate?service=https://www.example.com/regression/app2&ticket=ST-...-cas&renew=true

We expect this to fail due to the inclusion of renew=true in the validation. 
However, instead the ST is successfully validated. We see this for both 
/validate and /serviceValidate. /samlValidate fails as expected. Prior to 
6.3.5, all would fail as expected.

In practice, it would probably be unusual to not specify renew=true for both 
login and validation of app2, but we do so here to explicitly test renew=true 
on the validation. And minimally, we think the results should at least be 
consistent among the validation methods.

On Wed, Jul 7, 2021 at 6:35 AM King, Robert <r...@mun.ca> wrote:
Would it be possible to see the service entry for app2?

From: cas-user@apereo.org <cas-user@apereo.org> On Behalf Of Baron Fujimoto
Sent: Wednesday, July 7, 2021 1:53 PM
To: CAS Community <cas-user@apereo.org>
Subject: [EXTERNAL SENDER] [cas-user] CAS 6.3.5 renew=true bug for /validate 
and /serviceValidate

(originally from a different thread, but seems topically different enough to 
warrant its own)

There seems to be a bug handling renew=true for /validate and /serviceValidate 
for CAS 6.3.5. It also seems to be present in the current 6.4-snapshot.

If we first establish an SSO session by logging in to app1, then we login to 
app2 (without setting renew=true) and attempt to either /validate or 
/serviceValidate app2 with renew=true, we expect this to fail, but instead it 
succeeds. It does fail as expected with /samlValidate, so this behavior is not 
consistent among the validation methods. This is a change from 6.3.4.

--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information 
Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
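The property Baron's regression test is checking is the protocol rule for renew=true on validation: the service ticket must have been issued from a fresh presentation of primary credentials, not minted from an existing SSO session. Here is an added Python model of that rule (my own illustration, not CAS code); the ticket format, the in-memory session flag and the credential check are constructed for the example, and the server-side ssoEnabled setting discussed above is not modelled.

```python
"""Model of CAS service-ticket validation with renew=true (added example,
not CAS code). Encodes the rule the regression test above relies on: when
a client validates with renew=true, the ST must come from a fresh login,
not from reuse of the SSO session."""
from dataclasses import dataclass
import secrets


@dataclass
class ServiceTicket:
    ticket_id: str
    service: str
    principal: str
    from_new_login: bool   # credentials were presented when this ST was minted


class CasServer:
    def __init__(self):
        self._tickets = {}
        self._sso_user = None  # stands in for the TGT / SSO cookie

    def login(self, service, credentials=None, renew=False):
        """/cas/login: return an ST id for `service`.

        Without renew, an existing SSO session is reused and no credentials
        are required. With renew (or without a session) credentials are
        mandatory and the ST is flagged as coming from a new login."""
        if renew or self._sso_user is None:
            if credentials is None:
                raise PermissionError("primary credentials required")
            user, password = credentials
            if password != "correct-horse":   # constructed credential check
                raise PermissionError("authentication failed")
            self._sso_user, fresh = user, True
        else:
            fresh = False
        tid = f"ST-{secrets.token_urlsafe(9)}-cas"
        self._tickets[tid] = ServiceTicket(tid, service, self._sso_user, fresh)
        return tid

    def validate(self, service, ticket, renew=False):
        """/validate or /serviceValidate: return (ok, detail).

        The ticket is consumed whatever the outcome (STs are single-use)."""
        st = self._tickets.pop(ticket, None)
        if st is None:
            return False, "INVALID_TICKET"
        if st.service != service:
            return False, "INVALID_SERVICE"
        if renew and not st.from_new_login:
            return False, "INVALID_TICKET: renew=true but ST came from SSO session"
        return True, st.principal


def run_regression():
    """Baron's sequence: SSO via app1, then app2 without renew, validated
    with renew=true. Returns the three validation outcomes."""
    cas = CasServer()
    app1 = "https://www.example.com/regression/app1"
    app2 = "https://www.example.com/regression/app2"
    creds = ("user", "correct-horse")

    ok1, _ = cas.validate(app1, cas.login(app1, creds, renew=True), renew=True)
    st2 = cas.login(app2)                          # rides the SSO session
    ok2, _ = cas.validate(app2, st2, renew=True)   # must fail
    st3 = cas.login(app2, creds, renew=True)       # fresh credentials
    ok3, _ = cas.validate(app2, st3, renew=True)   # succeeds
    return ok1, ok2, ok3


def replay_is_rejected():
    """A second validation of the same ST fails: tickets are single-use."""
    cas = CasServer()
    svc = "https://www.example.com/regression/app1"
    st = cas.login(svc, ("user", "correct-horse"))
    first, _ = cas.validate(svc, st)
    second, _ = cas.validate(svc, st)
    return first and not second


if __name__ == "__main__":
    print(run_regression())       # (True, False, True)
    print(replay_is_rejected())   # True
```

The second outcome is the one the thread reports as wrongly succeeding on 6.3.5 for /validate and /serviceValidate: a validator that ignores the renew flag would return True there, which lets an application that insists on fresh authentication be satisfied by an old SSO session.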

RE: [EXTERNAL SENDER] [cas-user] CAS 6.3.5 renew=true bug for /validate and /serviceValidate

2021-07-07 Thread King, Robert
Would it be possible to see the service entry for app2?

From: cas-user@apereo.org  On Behalf Of Baron Fujimoto
Sent: Wednesday, July 7, 2021 1:53 PM
To: CAS Community 
Subject: [EXTERNAL SENDER] [cas-user] CAS 6.3.5 renew=true bug for /validate 
and /serviceValidate

(originally from a different thread, but seems topically different enough to 
warrant its own)

There seems to be a bug handling renew=true for /validate and /serviceValidate 
for CAS 6.3.5. It also seems to be present in the current 6.4-snapshot.

If we first establish an SSO session by logging in to app1, then we login to 
app2 (without setting renew=true) and attempt to either /validate or 
/serviceValidate app2 with renew=true, we expect this to fail, but instead it 
succeeds. It does fail as expected with /samlValidate, so this behavior is not 
consistent among the validation methods. This is a change from 6.3.4.

--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information 
Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum



RE: [EXTERNAL SENDER] Re: [cas-user] Fetching user IP in CAS

2021-07-05 Thread King, Robert
Really depends on the configuration of your CAS server.  Is it running on a 
servlet container, embedded or docker container?

For our particular case we use Tomcat as a servlet container and we had to 
enable the remote ip valve in the server.xml configuration file.

https://groups.google.com/a/apereo.org/g/cas-user/c/5FCYwTROMz4/m/bE1suoR3AwAJ


From: cas-user@apereo.org  On Behalf Of Vikash Chandra Ansh
Sent: Saturday, July 3, 2021 6:49 AM
To: cas-user@apereo.org
Subject: [EXTERNAL SENDER] Re: [cas-user] Fetching user IP in CAS

Sorry Stewart,

You haven't got my query. OK, let's suppose the CAS server has IP 192.18.10.2 and my 
application IP is 168.17.102.11. Now a user from IP 10.2.3.6 is accessing my 
application.

So in the audit log I can find the client IP as 168.17.102.11, not the user's 
personal IP, and the server IP as 192.18.10.2.

I want the user IP 10.2.3.6. Are we able to track this in CAS?

THANKS

On Fri, Jul 2, 2021, 9:58 PM Stewart <s...@alpert.org> wrote:
Sure, takes a bit of parsing, but you should see something like this in your 
logs:

=
WHO: audit:unknown
WHAT: [result=Service Access 
Granted,service=https://myapp.mydomain.com/login..,principal=SimplePrincipal(id=user),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Jul 02 09:00:58 PDT 2021
CLIENT IP ADDRESS: xx.xx.xxx
SERVER IP ADDRESS: xxx.xx.xxx.xxx
=


On Fri, Jul 2, 2021 at 11:08 AM Vikash Chandra Ansh <vikasharnav0...@gmail.com> wrote:
Hi Stewart

Thanks for your reply. But in the logs I can find the NLB URL. What I am expecting 
is, from which remote source (like a personal machine IP) the user is accessing 
the NLB URL.

Thanks and regards

On Fri, Jul 2, 2021, 8:53 PM Stewart <s...@alpert.org> wrote:
Hi Vikash,

I'm sure there is a more elegant solution than what I'll suggest (I'm just an 
amateur...). Why not parse the CAS logs for the Service Access Granted stanza? 
It contains the IP address. Of course if you have lots of traffic, it might be 
more efficient to parse the application's server logs.

Best Regards,

Stewart

On Fri, Jul 2, 2021 at 9:21 AM Vikash Chandra Ansh <vikasharnav0...@gmail.com> wrote:
Hi All,

Hope you are well. I have a small query.
I have integrated a java application with CAS. Now I want the IP addresses of 
the users who are accessing my application.
Is it feasible in CAS to track this? I believe in CAS we can track the IP or 
NLB of the client application. Please advise.

My cas version is 6.1

Thanks and regards
Vikash Chandra
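The reason Vikash sees the NLB address in CLIENT IP ADDRESS is that, without a proxy-aware valve such as Tomcat's RemoteIpValve, the container reports the TCP peer, which is the load balancer. The following is an added Python illustration (not CAS or Tomcat code) of the decision such a valve makes and of pulling the field back out of the inspektr audit stanza Stewart posted. The trusted proxy range, the addresses and the audit stanza are constructed for the example; only the header-walking rule matters: honour X-Forwarded-For solely when the peer is one of our own proxies, and read it from the right past trusted hops.

```python
"""Client-IP resolution behind a load balancer (added example, not CAS or
Tomcat code). Trust X-Forwarded-For only when the TCP peer is one of our
proxies, then walk the chain from the right past trusted hops. Proxy
ranges, addresses and the audit stanza are constructed."""
import ipaddress
import re

# Constructed: the address range of the NLB / reverse proxies in front of CAS.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.0/24")]


def _is_trusted(addr, trusted):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:           # garbage in the header is never trusted
        return False
    return any(ip in net for net in trusted)


def resolve_client_ip(remote_addr, xff_header=None, trusted=TRUSTED_PROXIES):
    """Return the address that should be audited as the client.

    remote_addr is the TCP peer. If it is not a trusted proxy the header is
    ignored entirely, because any client can send X-Forwarded-For itself."""
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # The rightmost hop was appended by the proxy nearest to us; skip our
    # own proxies and stop at the first address we did not add ourselves.
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            return hop
    return remote_addr


# Constructed stanza in the shape of the inspektr audit log shown above.
AUDIT_STANZA = """\
=
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=https://myapp.mydomain.com/login,principal=SimplePrincipal(id=user),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Jul 02 09:00:58 PDT 2021
CLIENT IP ADDRESS: 10.2.3.6
SERVER IP ADDRESS: 192.18.10.2
=
"""

_FIELD = re.compile(r"^([A-Z][A-Z ]*): (.*)$")


def parse_audit_stanza(text):
    """Turn one audit stanza into a dict keyed by its field names."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


if __name__ == "__main__":
    # Request arrives via the NLB (192.168.1.10) from user 10.2.3.6.
    print(resolve_client_ip("192.168.1.10", "10.2.3.6, 192.168.1.11"))
    # The user pre-loaded a fake hop; only what our proxy appended counts.
    print(resolve_client_ip("192.168.1.10", "203.0.113.9, 10.2.3.6"))
    # Direct connection with a forged header: the header is ignored.
    print(resolve_client_ip("10.2.3.6", "192.168.1.250"))
    print(parse_audit_stanza(AUDIT_STANZA)["CLIENT IP ADDRESS"])
```

The point for the audit log is the trust boundary: once the valve is enabled, the recorded client address is only as good as the list of proxies allowed to set the header, so that list should name the NLB and nothing wider.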

RE: [EXTERNAL SENDER] [cas-user] CAS 5.0, 6.3 logging differences

2021-07-05 Thread King, Robert
I get the following WARN log entry from 
org.apereo.cas.services.RegisteredServiceAccessStrategyUtils

WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - 



I believe this is configured in log4j.xml with the following in 



Hope that at least sets you on the correct path.



From: cas-user@apereo.org  On Behalf Of Baron Fujimoto
Sent: Saturday, July 3, 2021 1:09 AM
To: CAS Community 
Subject: [EXTERNAL SENDER] [cas-user] CAS 5.0, 6.3 logging differences

Continuing our journey to upgrade from CAS 5.0 to 6.3, I have some questions re 
logging differences I'm seeing.

Service not found in service registry

With CAS 5.0, if a service was not registered, we see something like this 
logged for an unauthorized service such as "https://www.foo.com":

WARN [org.apereo.cas.web.flow.ServiceAuthorizationCheck] - https://www.foo.com] is not found in service 
registry.>

This is often very helpful for troubleshooting to be able to see what URL an 
app is trying to use.

But with CAS6.3 we see:

ERROR 
[org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter]
 - 
org.apereo.cas.services.UnauthorizedServiceException: Service unauthorized
at 
org.apereo.cas.services.RegisteredServiceAccessStrategyAuditableEnforcer.execute(RegisteredServiceAccessStrategyAuditableEnforcer.java:112)
 ~[cas-server-core-services-api-6.3.4.jar:6.3.4]
at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
 ~[tomcat-util.jar:9.0.46]
[...many many lines of stack trace...]
   at java.lang.Thread.run(Thread.java:829) [?:?]

The unauthorized service is never identified, which removes a valuable 
troubleshooting tool. Is there a way to include this information?

We definitely want to see things logged as ERRORs, but the stack trace seems 
more appropriate for something at the DEBUG level?

Failed authentications
-
With CAS 5.0, when a user authentication failed, we'd see something like the 
following logged:

INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 

WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 

INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 

Whereas with CAS 6.3, we get:

INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<[LdapAuthenticationHandler] exception details: [Invalid credentials].>
INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
WARN 
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
 - <1 errors, 0 successes>
DEBUG 
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
 - <1 errors, 0 successes>
org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes
at 
org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:340)
 ~[cas-server-core-authentication-api-6.3.4.jar:6.3.4]
[... ~200 more lines of stack trace ...]
at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
 ~[tomcat-util.jar:9.0.46]
at java.lang.Thread.run(Thread.java:829) [?:?]

This 200+ line stack trace seems like overkill and not really helpful. Is the 
solution to this just not logging 
org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver 
at the debug level?

--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information 
Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum



[cas-user] RE: CAS as a SAML IDP adds a space within the entity ID when checking the service registry

2021-07-05 Thread King, Robert
Just a guess, but the service with the errant space likely comes from the SP.

For example…


- hitting the login url - /cas/login?service=defnotaservice

Will result in the following WARN error message:

WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - 


Where defnotaservice is defined by the request to the cas login endpoint.  I am 
assuming it is likely the same the SAML IdP endpoint.

From: cas-user@apereo.org  On Behalf Of Jason B. Rappaport
Sent: Friday, July 2, 2021 5:09 PM
To: cas-user@apereo.org
Subject: [EXTERNAL SMIME] [cas-user] CAS as a SAML IDP adds a space within the 
entity ID when checking the service registry

I am trying to figure out why CAS, acting as a SAML IDP is adding a space in 
the middle of an SP entity ID when doing a service registry evaluation.

We have configured our CAS sever to act as a SAML IDP.  For an SP that is 
trying to authenticate against CAS, we are seeing an application is not 
registered error.

When I look at the SAML tracer I see:

<saml2:Issuer>https://myEntityIDOfMySP</saml2:Issuer>

Within the metadata file for the SP, the entity ID is the same as above.

Within CAS, I see this:
Jul 2 11:14:43 CASSERVERHostName user [https: //myEntityIDOfMySP] is not found 
in the registry or service access is denied. Ensure service is registered in 
service registry

Notice the space between https: and //.  I have no idea where this is coming 
from.  When I check the service registry entry, I don’t see this either:
"serviceId" : " https://myEntityIDOfMySP"

Has anyone seen this before?

Thanks, Jay

Jason Rappaport (he/him)
Identity and Access Management Analyst
Office of Information Technology
Email:  jason...@princeton.edu
Office:  609-258-8464



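Whatever the source of the stray character in Jason's case, it is worth having a check for it: CAS evaluates a registered service's serviceId as a regular expression against the requested service URL or SAML entityID, so any whitespace inside the pattern makes the lookup fail with exactly the "not found in the registry" message seen above. Here is an added Python illustration (not CAS code) of that matching and of a lint pass over registry entries; modelling the match with re.fullmatch and the registry entries themselves are assumptions of the example.

```python
"""Service-registry matching with stray whitespace (added example, not
CAS code). The serviceId regex is matched with re.fullmatch, an
assumption of this model; a leading space silently stops it matching."""
import re


def matches_service(service_id_pattern, requested):
    """True when the registry pattern matches the requested service/entityID."""
    return re.fullmatch(service_id_pattern, requested) is not None


def lint_service_ids(entries):
    """Return (id, reason) for registry entries whose serviceId is suspect:
    leading/trailing whitespace, or a pattern that does not compile."""
    problems = []
    for entry in entries:
        sid = entry["serviceId"]
        if sid != sid.strip():
            problems.append((entry["id"], "whitespace in serviceId"))
            continue
        try:
            re.compile(sid)
        except re.error as exc:
            problems.append((entry["id"], f"invalid regex: {exc}"))
    return problems


# Constructed registry entries in the shape of CAS JSON service files.
REGISTRY = [
    {"id": 1003, "serviceId": r"^https://(www\.)*example\.com/regression(/.*)*"},
    {"id": 2001, "serviceId": " https://myEntityIDOfMySP"},          # leading space
    {"id": 2002, "serviceId": "https://sp.example.org/(unbalanced"},  # bad regex
]


def demo():
    """Show the effect of the leading space and what the lint pass reports."""
    entity = "https://myEntityIDOfMySP"
    return {
        "regex_ok": matches_service(REGISTRY[0]["serviceId"],
                                    "https://www.example.com/regression/app2"),
        "space_breaks_match": matches_service(REGISTRY[1]["serviceId"], entity),
        "stripped_matches": matches_service(REGISTRY[1]["serviceId"].strip(), entity),
        "lint": lint_service_ids(REGISTRY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the lint over the JSON service directory at build time (before the war is deployed) turns a confusing runtime "not found in the registry" into a clear error naming the entry.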


RE: [EXTERNAL SENDER] [cas-user] CAS 6.3 extracting the ST from the redirect response location?

2021-06-25 Thread King, Robert
Is your resource path correct in that URL?  The normal CAS login URI tends to end 
in “/cas/login”, and in your instance you have the two reversed.


From: cas-user@apereo.org  On Behalf Of Baron Fujimoto
Sent: Friday, June 25, 2021 12:35 AM
To: CAS Community 
Subject: [EXTERNAL SENDER] [cas-user] CAS 6.3 extracting the ST from the 
redirect response location?

We have another strange issue with our CAS 5.0 to 6.3 upgrade. We have a 
homebrew regression test for 5.0 that parsed the HTML for the service ticket 
from the Location header in a 302 redirect response after authentication. E.g.:

Location: 
https://casdemo.example.edu/casdemo/login/cas?ticket=ST-2-ujMo86d2pYcEebVDEFzWvAKghxE-cas

But with our 6.3 instance, we don't seem to see this 302 and Location header 
after authentication from our homebrew test. Nor do the logs show an ST being 
issued after an apparently successful authentication from the test. Browser 
developer tools seem to show a number of scripts being executed after 
authentication via "normal" sample client. Is the missing ST perhaps because we 
don't execute these scripts in our regression test? If so, can anyone tell us 
which script is responsible, or a possible workaround?
--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information 
Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum



RE: [EXTERNAL SENDER] [cas-user] CAS 6.3 samlValidate?

2021-06-23 Thread King, Robert
https://apereo.github.io/cas/6.3.x/protocol/SAML-Protocol.html#saml-11

Have you added the dependency for “cas-server-support-saml” to your build?

That will enable the endpoint samlValidate.

From: cas-user@apereo.org  On Behalf Of Baron Fujimoto
Sent: Tuesday, June 22, 2021 5:46 PM
To: CAS Community 
Subject: [EXTERNAL SENDER] [cas-user] CAS 6.3 samlValidate?

Is there something that needs to be done for CAS 6.3 to enable samlValidate?

I've been wrestling with this upgrade from 5.0.x, and it seems like the clients 
we used with this older version calling samlValidate on service tickets are 
failing with 6.3. It looks like the clients aren't getting any response to 
samlValidate, and I think our Tomcat access logs also suggest it's not there? 
(404 responses?)

=
10.0.0.100 - - [22/Jun/2021:09:56:11 -1000] "POST 
/cas/login?service=http%3A%2F%2Flocalhost%3A8080%2Fcasdemo%2Flogin%2Fcas=true
 HTTP/1.1" 302 - 
"https://cas.example.edu.edu/cas/login?service=http%3A%2F%2Flocalhost%3A8080%2Fcasdemo%2Flogin%2Fcas=true;
 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, 
like Gecko) Version/14.1.1 Safari/605.1.15" 47 "10.0.0.200"
10.0.0.100 - - [22/Jun/2021:09:56:12 -1000] "POST 
/cas/samlValidate?TARGET=http%3A%2F%2Flocalhost%3A8080%2Fcasdemo%2Flogin%2Fcas 
HTTP/1.1" 404 11316 "-" "Java/10.0.2" 64 "10.0.0.200"
10.0.0.100 - - [22/Jun/2021:09:56:12 -1000] "POST 
/cas/samlValidate?TARGET=http%3A%2F%2Flocalhost%3A8080%2Fcasdemo%2Ferror 
HTTP/1.1" 404 11316 "-" "Java/10.0.2" 6 "10.0.0.200"
=

The only references to samlValidate I've been able to find in the CAS wiki is 
in the protocol. I think it's included in the core CAS 3.0 protocol, and I 
didn't see anything mentioning build dependencies or cas.properties?
--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information 
Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum



[cas-user] cas-management default services

2021-05-13 Thread King, Robert
Is it possible to remove the "Apereo" and "HTTPS and IMAPS" default services 
that come as part of the cas-management-overlay build?

Every time we re-deploy cas-management.war those services come back in 
WEB-INF/classes/services/Apereo-1002.json and HTTPSandIMAPS-1001.json.  
Using the overlay method we could replace them, but how is it possible to 
remove them from the build?



RE: [cas-user] Hide CAS login box (and only use external identity providers)

2021-04-30 Thread King, Robert
Fantastic documentation!

From: cas-user@apereo.org  On Behalf Of Paul Chauvet
Sent: Thursday, April 29, 2021 12:39 PM
To: cas-user@apereo.org
Subject: [EXTERNAL SENDER] Re: [cas-user] Hide CAS login box (and only use 
external identity providers)

Hi Ray,

Thanks for getting back to me!  The redirect comment was exactly what I needed.

I ended up adding the following to the cas properties which handles that 
automatic redirect:
cas.authn.pac4j.saml[0].autoRedirect=true

P.S.: It's still not done - but I'm trying to document my whole journey in 
getting CAS 6 (with Duo, Delegated Auth, and using Ansible to deploy/maintain 
CAS and Tomcat).  It's inspired by what David Curry did for his CAS 5 guide 
plus the Ansible stuff I've done in CAS the past couple years.

https://paulchauvet.github.io/deploying-cas/

When it's complete (still need to do a couple more things - mostly on theming) 
I'll announce it to the list formally.  Hopefully someone else can benefit from 
where I've stumbled.

Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
chauv...@newpaltz.edu


From: cas-user@apereo.org on behalf of Ray Bon <r...@uvic.ca>
Sent: Wednesday, April 28, 2021 5:27 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] Hide CAS login box (and only use external identity 
providers)


Paul,

If a service is defined as using delegated auth, the redirect will happen 
automatically. The login page may be visible during the redirect.
See, 
https://apereo.github.io/cas/6.3.x/integration/Delegate-Authentication.html#user-interface
I have not tested with only delegated auth, so I do not know if you have to set 
delegated auth for each service.

Ray

On Wed, 2021-04-28 at 20:17 +, Paul Chauvet wrote:

Hi all,

Is there a way (without making UI/theme changes) to completely hide the login 
box in CAS 6.3?

We're going to be delegating authentication to Azure via SAML - but I'd prefer 
to hide the regular login box completely and just want to leave the button 
under "External Identity Providers" there.

Apologies if I missed something obvious - and thanks all for any advice you can 
share.

Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
chauv...@newpaltz.edu


RE: [EXTERNAL SENDER] [cas-user] Invalid LDAP URL

2021-04-29 Thread King, Robert
This example ldap-url works in my environment's standalone cas.properties:

cas.authn.ldap[0].ldap-url=ldaps://ldap1.example.com,ldaps://ldap2.example.com,ldaps://ldap3.example.com,ldaps://ldap4.example.com

using commas as separators and no spaces in the string.

-Original Message-
From: cas-user@apereo.org  On Behalf Of Colin Ryan
Sent: Wednesday, April 28, 2021 4:56 PM
To: cas-user@apereo.org
Subject: [EXTERNAL SENDER] [cas-user] Invalid LDAP URL

Folks,

CAS 6.2.7


According to numerous sources I should be able to put a comma or space 
separated list of URLs in various uses of the ldap-url configuration parameter.

However, whenever I do so I get "invalid URL" when starting up.

eg.


cas.authn.pm.ldap[0].ldap-url: ldap://ldap1:3131 ldap://ldap2:3131

cas.authn.ldap[0].ldap-url: ldap://ldap1:3131 ldap://ldap2:3131

I get the following


Failed to instantiate [java.util.List]: Factory method 
'ldapAttributeRepositories' threw exception; nested exception is
java.lang.IllegalArgumentException: Invalid LDAP URL: ,ldap://ldap2:3131

These multiple URLs are multi-master replicas of each other.


Thoughts?

Colin

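The working value above is comma separated with no whitespace, while the failing one is space separated. The check below is an added example (not CAS or ldaptive code) that lints an ldap-url property value the same way: it accepts the comma-only form, rejects the shapes that produce "Invalid LDAP URL" at startup (embedded whitespace, a stray leading comma, bad scheme, missing host, non-numeric port), and warns about ldap:// entries, whose bind credentials cross the wire unencrypted unless StartTLS is negotiated. The sample values are constructed from the ones quoted in this thread.

```python
"""Lint a CAS ldap-url property value of the form used in this thread.

Added example, not CAS or ldaptive code. It accepts the shape that worked for
Robert (comma separated, no whitespace), rejects the shapes that yield
"Invalid LDAP URL" at startup, and flags ldap:// entries, which bind in clear
text unless StartTLS is negotiated on the connection.
"""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"ldap", "ldaps"}


def parse_ldap_url_list(value: str) -> list:
    """Split a comma-separated ldap-url value into its URLs.

    Raises ValueError for embedded whitespace, empty elements (a stray comma
    such as ",ldap://ldap2:3131"), an unknown scheme, a missing host or a
    port that is not an integer.
    """
    if any(ch.isspace() for ch in value):
        raise ValueError("ldap-url must not contain whitespace; separate URLs with commas only")
    urls = []
    for raw in value.split(","):
        if not raw:
            raise ValueError(f"empty element in ldap-url list: {value!r}")
        parts = urlsplit(raw)
        if parts.scheme not in ALLOWED_SCHEMES:
            raise ValueError(f"unsupported scheme in {raw!r}")
        if not parts.hostname:
            raise ValueError(f"missing host in {raw!r}")
        try:
            _ = parts.port  # raises ValueError when the port is not an integer
        except ValueError:
            raise ValueError(f"non-numeric port in {raw!r}") from None
        urls.append(raw)
    return urls


def plaintext_urls(urls) -> list:
    """URLs that use ldap:// rather than ldaps://: the service-account bind
    crosses the network unencrypted unless StartTLS is enabled for them."""
    return [u for u in urls if urlsplit(u).scheme == "ldap"]


def lint_ldap_url(value: str) -> list:
    """Human-readable findings for one property value; an empty list means clean."""
    try:
        urls = parse_ldap_url_list(value)
    except ValueError as exc:
        return [f"ERROR: {exc}"]
    return [f"WARN: {u} binds without TLS (consider ldaps:// or StartTLS)"
            for u in plaintext_urls(urls)]


if __name__ == "__main__":
    # Constructed sample values: the working comma form, then the failing ones.
    for sample in ("ldaps://ldap1.example.com,ldaps://ldap2.example.com",
                   "ldap://ldap1:3131 ldap://ldap2:3131",
                   ",ldap://ldap2:3131"):
        print(sample, "->", lint_ldap_url(sample) or ["OK"])
```

Run it against each ldap-url value in cas.properties before starting CAS; an ERROR finding is what the startup exception would have reported, and a WARN finding is a bind that deserves ldaps:// or StartTLS.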


RE: [EXTERNAL SENDER] [cas-user] TGC invalid after cas server restart

2021-04-26 Thread King, Robert
Do you have the CAS tgc encryption and signing keys defined for your ticket 
registry?  If you do not define them, CAS will automatically generate a new set 
on startup.  This behavior will render previous TGCs in your jpa registry as 
useless.

cas.tgc.crypto.encryption.key=
cas.tgc.crypto.signing.key=

https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#signing--encryption-4
https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties-Common.html#signing--encryption

From: cas-user@apereo.org  On Behalf Of Sayan Saha
Sent: Sunday, April 25, 2021 1:21 AM
To: CAS Community 
Subject: [EXTERNAL SENDER] [cas-user] TGC invalid after cas server restart


Is it possible to login into the cas server after restarting it?

I am using jpa ticket registry for the TGTs and also have extended the lifetime 
of the TGC cookie.
But, after restarting cas still redirects me to the login page even though I 
can see that the TGC cookie is present in the network tab.

Please
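The behaviour described in Robert's reply (keys regenerated at startup make every earlier TGC unverifiable) is shown below as an added example, not CAS code. CAS itself signs and encrypts the cookie with the keys named in cas.tgc.crypto.*; the demo stands in for that with a stdlib HMAC-SHA512 tag, and adds the pre-deploy check a practitioner wants: missing_crypto_keys() reads a .properties text and reports which of the required key names are absent or left empty. The sample properties text is constructed for the example.

```python
"""Why undefined cas.tgc crypto keys invalidate TGCs on every restart.

Added example, not CAS code. CAS signs and encrypts the ticket-granting
cookie with the keys named in cas.tgc.crypto.*; this demo uses a stdlib
HMAC-SHA512 tag to stand in for that and shows the effect of a key that is
regenerated at startup. missing_crypto_keys() is the pre-deploy check.
"""
import hashlib
import hmac
import secrets

# The pair Robert asks about; other CAS key pairs can be passed instead.
REQUIRED_KEYS = (
    "cas.tgc.crypto.encryption.key",
    "cas.tgc.crypto.signing.key",
)

# Constructed sample cas.properties: encryption key empty, signing key absent.
SAMPLE_PROPERTIES = """\
# ticket registry
cas.ticket.registry.jpa.url=jdbc:postgresql://db.example.internal/cas
cas.tgc.crypto.encryption.key=
cas.tgc.max-age=604800
"""


def parse_properties(text: str) -> dict:
    """Minimal java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def missing_crypto_keys(properties_text: str, required=REQUIRED_KEYS) -> list:
    """Names from `required` that are absent or empty in the properties text.

    An empty value counts as missing: CAS then generates a fresh key at
    startup, which is exactly what makes cookies from the previous run
    unverifiable."""
    props = parse_properties(properties_text)
    return [k for k in required if not props.get(k)]


def sign_cookie(payload: str, signing_key: bytes) -> str:
    """Append an HMAC-SHA512 tag, a stand-in for the signature CAS applies."""
    tag = hmac.new(signing_key, payload.encode(), hashlib.sha512).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(cookie: str, signing_key: bytes):
    """Return the payload if the tag verifies under signing_key, else None."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(signing_key, payload.encode(), hashlib.sha512).hexdigest()
    return payload if hmac.compare_digest(tag, expected) else None


def simulate_restart(persist_keys: bool) -> bool:
    """Issue a cookie under the first JVM's key, restart, verify under the second's.

    persist_keys=True models keys pinned in cas.properties; False models CAS
    regenerating them on each startup. Returns whether the cookie still verifies."""
    first_key = secrets.token_bytes(64)
    cookie = sign_cookie("TGT-1-example-login-node", first_key)
    second_key = first_key if persist_keys else secrets.token_bytes(64)
    return verify_cookie(cookie, second_key) is not None


if __name__ == "__main__":
    print("missing:", missing_crypto_keys(SAMPLE_PROPERTIES))
    print("pinned keys survive restart:", simulate_restart(True))
    print("regenerated keys survive restart:", simulate_restart(False))
```

The same check applies to a clustered deployment: every node must load the same pinned keys, or a cookie issued by one node fails on the next, which looks just like the restart symptom.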


[cas-user] RE: Endpoint security behind a proxy

2021-04-19 Thread King, Robert
Just in case anyone else runs into this…

Only tested for our specific use case: running your own Tomcat server version 
9.x instead of using the embedded one.

The issue ended up being Tomcat requires a remote IP valve to handle client IPs 
behind a proxy.  Added the following valve to the tomcat server.xml 
configuration:

…

Reference here:

http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve


From: cas-user@apereo.org  On Behalf Of King, Robert
Sent: Friday, April 9, 2021 2:26 PM
To: cas-user@apereo.org
Subject: [EXTERNAL SENDER] [cas-user] Endpoint security behind a proxy

Is there a way to use x-forwarded-for when attempting actuator/endpoint 
security?

Our current implementation uses IP_ADDRESS, but having moved behind an Apache 
proxy everything gets access to the endpoints since all access seems to come 
from the proxy server IP.

cas.monitor.endpoints.endpoint.defaults.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.defaults.requiredIpAddresses=

Is there a way to switch to x-forwarded-for IPs?
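The fix in this thread moves the client-IP decision into the container: Tomcat's RemoteIpValve rewrites the remote address from the header named by its remoteIpHeader attribute, but only when the TCP peer falls within its internalProxies list. The model below is an added example (not Tomcat or CAS code) of that resolution and of the IP_ADDRESS endpoint rule evaluated on top of it. It shows the point that matters for security: without a trusted-proxy allowlist, any client could forge X-Forwarded-For and satisfy requiredIpAddresses. The addresses are constructed; required ranges are given as CIDR here, whereas the CAS property uses its own documented syntax.

```python
"""Client IP resolution behind a reverse proxy, RemoteIpValve style.

Added example, not Tomcat or CAS code. An IP_ADDRESS endpoint rule sees the
proxy's address unless the container rewrites the remote address from
X-Forwarded-For; the model below does that only when the TCP peer is a
trusted internal proxy (the valve's internalProxies), because otherwise any
client can forge the header and satisfy requiredIpAddresses.
"""
import ipaddress


def _trusted(addr: str, networks) -> bool:
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in networks)


def resolve_client_ip(remote_addr: str, xff_header, internal_proxies) -> str:
    """Return the client address to use for access decisions.

    remote_addr: TCP peer address seen by the container.
    xff_header: X-Forwarded-For value (comma separated, origin on the left) or None.
    internal_proxies: CIDR strings for proxies whose header is trusted.
    The header is ignored unless the peer is a trusted proxy; the chain is then
    walked from the right, dropping trusted hops, and the first untrusted
    address is the client. If every hop is trusted, the leftmost one is used
    (this example's choice; confirm your valve's own handling of that case)."""
    nets = [ipaddress.ip_network(n) for n in internal_proxies]
    if not xff_header or not _trusted(remote_addr, nets):
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _trusted(hop, nets):
            return hop
    return hops[0] if hops else remote_addr


def endpoint_allowed(remote_addr, xff_header, internal_proxies, required_networks) -> bool:
    """Model an IP_ADDRESS access rule evaluated after header resolution.

    required_networks are CIDR ranges here; CAS's requiredIpAddresses uses
    its own documented syntax. Unparseable client addresses are denied."""
    client = resolve_client_ip(remote_addr, xff_header, internal_proxies)
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(r) for r in required_networks)


if __name__ == "__main__":
    # Constructed addresses: proxy in 10.0.0.0/8, admin workstations in 192.168.1.0/24.
    proxies, admins = ["10.0.0.0/8"], ["192.168.1.0/24"]
    print(endpoint_allowed("10.0.0.5", "192.168.1.10, 10.0.0.5", proxies, admins))  # True
    print(endpoint_allowed("10.0.0.5", "203.0.113.9, 10.0.0.5", proxies, admins))   # False
    # Forged header from a host that is not the proxy: header ignored, denied.
    print(endpoint_allowed("203.0.113.9", "192.168.1.10", proxies, admins))          # False
```

The third call is the case to keep in mind when wiring the valve: with an empty or over-broad internalProxies list, the forged header would be honoured and the endpoint opened to whoever sent it.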


RE: [EXTERNAL SENDER] [cas-user] CAS 6.3.x build question: Executable .war file

2021-04-14 Thread King, Robert
If you are using the cas-overlay-template repository to build your cas.war, in 
the file gradle.properties set the following property:

executable=true

This should produce the executable version you are looking for.

From: cas-user@apereo.org  On Behalf Of Brandon Hume
Sent: Wednesday, April 14, 2021 11:58 AM
To: CAS Community 
Subject: [EXTERNAL SENDER] [cas-user] CAS 6.3.x build question: Executable .war 
file


The documentation at 
https://apereo.github.io/cas/6.3.x/installation/Configuring-Servlet-Container.html
 says that CAS can be built as a "fully executable web application", meaning 
it'll embed a launch script into the war and then you can straight-up just 
./cas.war to launch the server.

This is advantageous in our environment for a number of reasons, but I can't 
find any evidence in the gradlew tasks to build it this way, nor the 
build.gradle script, and the default .war produced certainly doesn't have this 
ability.  Is the documentation wrong?


[cas-user] Endpoint security behind a proxy

2021-04-09 Thread King, Robert
Is there a way to use x-forwarded-for when attempting actuator/endpoint 
security?

Our current implementation uses IP_ADDRESS, but having moved behind an Apache 
proxy everything gets access to the endpoints since all access seems to come 
from the proxy server IP.

cas.monitor.endpoints.endpoint.defaults.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.defaults.requiredIpAddresses=

Is there a way to switch to x-forwarded-for IPs?



RE: [cas-user] which registry ticket storage ?

2021-03-18 Thread King, Robert
Have not tried these yet, but these load tests do exist on the website:

https://apereo.github.io/cas/6.3.x/high_availability/High-Availability-Performance-Testing.html

From: cas-user@apereo.org  On Behalf Of Ray Bon
Sent: Wednesday, March 17, 2021 1:54 PM
To: cas-user@apereo.org
Subject: [EXTERNAL SENDER] Re: [cas-user] which registry ticket storage ?

Daniel,

You could create a load test (maybe there is one already with cas) and check 
the various options.
We switched to hazelcast, for cas version 5, from ehcache. Our config can handle 
several logins per second (I do not remember the exact numbers) for an extended 
period of time.

Ray

On Wed, 2021-03-17 at 15:50 +0100, Daniel CHARLOT wrote:

Hello there,

We need to upgrade our CAS server V4 to V6 and add an F5 load balancer.

We will do some HA with them and we are wondering which is the product with the 
best performance for use as a ticket registry?

Memcached, Cassandra, MongoDB, Couchbase, Redis or another?

I would like to choose Redis, because it seems to work like a charm, but I'm not 
sure.

Thanks for your advice and your feedback from experience.

Daniel CHARLOT




--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.


RE: [EXTERNAL SENDER] Re: [cas-user] Latest Release - What is it really?

2021-01-29 Thread King, Robert
I also find that https://github.com/apereo/cas/milestones is a great resource 
for planning releases.

From: cas-user@apereo.org  On Behalf Of Andrew Marker
Sent: Friday, January 29, 2021 11:06 AM
To: CAS Community 
Cc: Ray Bon 
Subject: [EXTERNAL SENDER] Re: [cas-user] Latest Release - What is it really?

This is great. Thanks Ray.
On Thursday, January 28, 2021 at 3:07:25 PM UTC-6 Ray Bon wrote:
Andrew,

Under EOL Schedule on this page, 
https://apereo.github.io/cas/developer/Maintenance-Policy.html (which is under 
planning on the left hand menu - both 6.2.x and 6.3.x docs point to 'developer' 
for this page).

If you are upgrading, plan for the latest tag. 6.2.x will buy you 5 months 
before your next upgrade. CAS is released on a date schedule rather than number 
of features completed.

Ray

On Thu, 2021-01-28 at 12:44 -0800, Andrew Marker wrote:

My core question is if I'm upgrading on January 28th what version is the 
recommended version?  I apologize if my reasoning seems simplistic or 
conclusions drawn from incorrect premises.

Am I being too much of a fanboy of the process assuming that the latest is the 
greatest? Should I be using 6.2.X as I move from v5.3.x?  v6.3.0 is building 
without issue.  I have an issue with delegate auth and duo, so I was checking 
for an update to the service as a part of troubleshooting that.

6.3.x isn't listed on the page referred to from: 
https://apereo.github.io/2020/07/02/cas-release-notes/  : 
https://apereo.github.io/cas/development/release_notes/Overview.html

It also isn't listed on the linked from there as the choice for: "Appropriate 
Versions": https://apereo.github.io/cas/Older-Versions.html

It is tagged in GIT, so that seemed like the better gauge of truth rather than 
documentation updates made by HUMANS.  Before I went further I'd just ask the 
question above, in the event there is knowledge that I haven't clued into yet.


--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.


RE: [EXTERNAL SENDER] Re: [cas-user] CAS 5.0.x newer ldaptive?

2021-01-29 Thread King, Robert
I'm not certain as to the 5.0 version, but to use the UnboundIDProvider in 6.x 
you need to add:

compile "com.unboundid:unboundid-ldapsdk:4.0.9"

to the Gradle build dependencies.  I would assume it would be the same for 
Maven.

From: cas-user@apereo.org  On Behalf Of Baron Fujimoto
Sent: Thursday, January 28, 2021 11:41 PM
To: CAS Community 
Subject: [EXTERNAL SENDER] Re: [cas-user] CAS 5.0.x newer ldaptive?

Since the approach of trying to use an updated ldaptive library was rapidly 
getting complicated, I tried the suggested UnboundIDProvider[*] with the 
following in my cas.properties:

cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

But CAS throws this exception on startup:

ERROR [org.apereo.cas.configuration.support.Beans] - 

java.lang.ClassNotFoundException: 
org.ldaptive.provider.unboundid.UnboundIDProvider

So perhaps I'm missing some other prerequisite? I don't see other mention or 
discussion of it in the docs though.

[*] I can't seem to find a 5.0.x version of 
/Configuration-Properties-Common.html#ldap-connection-settings but this 
property is also listed in the 5.0.x properties 


On Thu, Jan 28, 2021 at 11:18 AM 'Richard Frovarp' via CAS Community 
mailto:cas-user@apereo.org>> wrote:
You have to do overlay exclusions, which for me looks like the following. 
Obviously close the XML out as appropriate. I have further build plugins.

<plugin>
    <artifactId>maven-war-plugin</artifactId>
    <version>2.6</version>
    <configuration>
        <failOnMissingWebXml>false</failOnMissingWebXml>
        <recompressZippedFiles>false</recompressZippedFiles>
        <archive>
            <compress>false</compress>
            <manifestFile>${project.build.directory}/war/work/org.apereo.cas/cas-server-webapp/META-INF/MANIFEST.MF</manifestFile>
        </archive>
        <overlays>
            <overlay>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-webapp</artifactId>
                <excludes>
                    <exclude>WEB-INF/classes/application*.properties</exclude>
                    <exclude>WEB-INF/lib/spring*.jar</exclude>
                    <exclude>WEB-INF/lib/log4j*.jar</exclude>
                </excludes>
            </overlay>
        </overlays>
        <warName>cas</warName>
    </configuration>
</plugin>


But that isn't going to help you to put ldaptive in there. If you look at the 
pom for ldaptive 2.0, they are calling for Java 11. Guessing they are using 
something that is JDK 11 specific. Maybe you can rebuild with 8 and it will 
work, I don't know.

I would go with the easier solution of giving the UnboundID provider a try. 
https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties-Common.html#ldap-connection-settings
 Bypass the JDK code altogether.

On Thu, 2021-01-28 at 10:56 -1000, Baron Fujimoto wrote:
Hmm, the older ldaptive-1.2.0.jar and ldaptive-beans-1.2.0.jar don't appear in 
the packages dependency tree, I'm not sure how I would exclude them from the 
build. If I manually delete them from the resulting cas.war file, then when I 
start CAS, I encounter the following error/exception:

ERROR [org.springframework.boot.SpringApplication] - 
java.lang.UnsupportedClassVersionError: org/ldaptive/ConnectionFactory has been 
compiled by a more recent version of the Java Runtime (class file version 
55.0), this version of the Java Runtime only recognizes class file versions up 
to 52.0 (unable to load class [org.ldaptive.ConnectionFactory])

If my google-fu is right, this suggests that the newer ldaptive jar files 
included via the overlay pom.xml were compiled with Java 11 rather than the 
Java 8 we are using. If I wanted to continue down this path, I suppose that 
means I would need to compile the newer ldaptive jars myself from source using 
our installed Java 8? And if successful, then manually place them in the 
resulting cas.war file? Or is there an easier way?

On Thu, Jan 28, 2021 at 7:46 AM Ray Bon mailto:r...@uvic.ca>> 
wrote:
Baron,

Check what packages are included in the build with:
mvn dependency:tree

You can  transitive dependencies for the old library.
But, the overlay, itself, may include an old version of the library, which 
means that you would have to manually remove the old one from the war. Maybe 
the exclude can be applied to the overlay too???

Ray

On Wed, 2021-01-27 at 15:06 -1000, Baron Fujimoto wrote:

I'm working with Oracle to troubleshoot a bug we've encountered with their JDK 
(1.8u231+) and LDAP errors. According to their analysis, they're claiming that 
the problem lies with the ldaptive library being used by this old (I know) 
version of CAS. More specifically that the subsequent JDKs adhere to spec, and 
the ldaptive library appears to be testing for unspecified behaviour. They are 
recommending I try a newer version of the ldaptive library which does not 
appear to have the same code.

I added the following to our pom.xml:

<dependency>
    <groupId>org.ldaptive</groupId>
    <artifactId>ldaptive</artifactId>
    <version>2.0.1</version>
</dependency>


When I ran "mvn clean package" I think it looked like it was including the 
2.0.1 version of ldaptive in the build. However, it seems like I'm still seeing 
LDAP problems. When I try to login, it will often result in the errors such as 
the following being logged:

2021-01-27 12:10:56,974 DEBUG 
[org.apereo.cas.authentication.LdapAuthenticationHandler] - 
2021-01-27 12:10:56,986 WARN 
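
Baron's UnsupportedClassVersionError ("class file version 55.0 ... only recognizes class file versions up to 52.0") can be caught before deployment by reading the class file headers inside the war. The scanner below is an added example, not CAS or Maven code: every class file begins with the magic 0xCAFEBABE followed by a minor and a major version, where major 52 is Java 8 and 55 is Java 11, so a jar whose classes exceed the runtime's major version will fail exactly as in the quoted log. The fixtures it builds (a synthetic class header inside an in-memory jar and war) are constructed for the example; point war_jars_too_new() at a real cas.war path for the actual check.

```python
"""Find jars in a war compiled for a newer Java than the runtime.

Added example, not CAS or Maven code. It explains Baron's
UnsupportedClassVersionError: every class file starts with the magic
0xCAFEBABE, a minor and a major version, and major 52 is Java 8 while 55 is
Java 11. The scan reports any WEB-INF/lib jar whose classes exceed the
runtime's major version before the war is deployed.
"""
import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE


def class_major_version(class_bytes: bytes) -> int:
    """Major version from a class file header; ValueError if not a class file."""
    if len(class_bytes) < 8:
        raise ValueError("truncated class file")
    magic, _minor, major = struct.unpack(">IHH", class_bytes[:8])
    if magic != CLASS_MAGIC:
        raise ValueError("not a class file (bad magic)")
    return major


def java_release(major: int) -> int:
    """Class file major version to Java release: 52 -> 8, 55 -> 11, 61 -> 17."""
    return major - 44


def jar_max_major(jar_bytes: bytes) -> int:
    """Highest class major version in a jar given as bytes (0 if no classes).

    Entries under META-INF/versions/ belong to multi-release jars and are only
    loaded by a matching runtime, so they are skipped."""
    highest = 0
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class") or name.startswith("META-INF/versions/"):
                continue
            highest = max(highest, class_major_version(jar.read(name)))
    return highest


def war_jars_too_new(war, runtime_major: int) -> dict:
    """Scan WEB-INF/lib/*.jar in a war (path or file-like object) and return
    {entry name: max major} for each jar the runtime would refuse to load."""
    offenders = {}
    with zipfile.ZipFile(war) as archive:
        for name in archive.namelist():
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                top = jar_max_major(archive.read(name))
                if top > runtime_major:
                    offenders[name] = top
    return offenders


def make_fake_jar(class_major: int) -> bytes:
    """Constructed fixture: a jar with one synthetic class header (a real
    class file continues past these 8 bytes, but the header is all we read)."""
    header = struct.pack(">IHH", CLASS_MAGIC, 0, class_major)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/example/Fake.class", header)
    return buf.getvalue()


def make_fake_war(jar_majors: dict) -> io.BytesIO:
    """Constructed fixture: an in-memory war whose WEB-INF/lib holds the given jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for jar_name, major in jar_majors.items():
            war.writestr("WEB-INF/lib/" + jar_name, make_fake_jar(major))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # A Java 8 runtime (major 52) checking a war that carries one Java 11 jar.
    war = make_fake_war({"ldaptive-2.0.1.jar": 55, "legacy-1.0.jar": 52})
    for entry, major in war_jars_too_new(war, 52).items():
        print(f"{entry}: needs Java {java_release(major)} (class file {major})")
```

Running this in the build pipeline turns a runtime startup failure into a build-time finding, and the same scan documents which dependency forced a JDK upgrade.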

[cas-user] CAS-management attribute release

2021-01-25 Thread King, Robert
In our development environments, we are attempting to get cas-management 
implemented.  We have attempted the management-overlay 6.1 and 6.3.  We have 
also jerry rigged 6.2.2 using the 6.1 overlay.

We keep running into two showstopper issues:

1. "Return Allowed" attribute release interface does not load the attributes 
list in the drop down. This seems to be present in 6.1 and 6.3, but works in 
6.2.2.

2. The second is the local git repository seems to throw an exception in 
6.2.2.

This exception is tied to:

org.apereo.cas.mgmt.controller.CommitController.isPublishedBehind(CommitController.java:199) ~[cas-mgmt-support-version-control-6.2.2.jar:6.2.2]

From what I can gather, it seems that controller is assuming one repo per 
environment and is searching for uncommitted changes to the repo.  We are 
running separate branches for each environment, and this seems to be acceptable 
in CAS server, but not CAS-MANAGEMENT.

Does anyone have any insights into these problems?



RE: [cas-user] service access strategies and required attributes

2020-12-04 Thread King, Robert
On a hunch, I tried turning on the attribute caching in the service entry and 
it fixed the immediate issue.

This still leaves me a little puzzled.  The documentation implies that the 
principal should have been cached with the length of the default SSO session.

Time to keep digging.


From: cas-user@apereo.org  On Behalf Of Ray Bon
Sent: Friday, December 4, 2020 4:51 PM
To: cas-user@apereo.org
Subject: [EXTERNAL SENDER] Re: [cas-user] service access strategies and 
required attributes

Robert,

Two different steps, two different configurations. Attributes for access may be 
different from attributes the service needs/wants.
See, https://apereo.github.io/cas/6.2.x/integration/Attribute-Release.html, in 
particular, attribute release policy.

Ray


On Fri, 2020-12-04 at 18:07 +, King, Robert wrote:

CAS 6.1 server
LDAP authentication + built in principal resolution

I am running into what I think is an inexperience issue with service access 
strategies.  I am attempting to use principal attributes to grant access to a 
service.

Service entry:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://webappsqa.fqdn/castester/.*",
  "name" : "cas test",
  "id" : 1,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requireAllAttributes" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "memberOf" : [ "java.util.HashSet", [ "cn=cas_admin,ou=groups,dc=***,dc=***" ] ]
    },
    "rejectedAttributes" : {
      "@class" : "java.util.LinkedHashMap"
    },
    "caseInsensitive" : false
  }
}

When authenticating against the service I see the proper authentication and 
service access enforcement.

=
WHO: robk
WHAT: Supplied credentials: [UsernamePasswordCredential(username=robk, 
source=null, customFields={})]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=
=
WHO: robk
WHAT: [result=Service Access 
Granted,service=https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk,
 attributes={memberOf=[ 
cn=cas_admin,ou=groups,dc=***,dc=***]}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=
=
WHO: robk
WHAT: [result=Service Access 
Granted,service=https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk,
 attributes={memberOf=[ 
cn=cas_admin,ou=groups,dc=***,dc=***]}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=
=
WHO: robk
WHAT: TGT-2-*3DWzf1qfRI-login-poc
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=
=
WHO: robk
WHAT: [result=Service Access 
Granted,service=https://webappsqa.fqdn/castester/...,requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=mun,dc=ca]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=
=
WHO: robk
WHAT: ST-6-DCwJziCpUw2m9nnoyGtazuMcsdM-login-poc for 
https://webappsqa.fqdn/castester/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=

Then when the service attempts to validate the ST it seems to run into an issue 
where the principal does not have any attribute data.  I have highlighted the 
audit wit
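
The access strategy in the service entry of this thread (required memberOf, empty rejectedAttributes, requireAllAttributes, caseInsensitive) is modelled below as an added example, not CAS code. It reproduces the two decisions visible in the audit trail: at login the resolved principal carries memberOf and access is granted, while at service ticket validation the principal arrived with no attributes and the same rule denies. The principal maps and the masked group DN are taken from the thread; the evaluation order (rejected first, then required) is this example's reading of the fields, not a quotation of the CAS implementation.

```python
"""Evaluate a DefaultRegisteredServiceAccessStrategy-style rule in Python.

Added example, not CAS code: it models the requiredAttributes /
rejectedAttributes / requireAllAttributes / caseInsensitive fields of the
service entry in this thread, and shows the outcome seen at ST validation,
where the principal arrived with no attributes at all.
"""


def _norm(value, case_insensitive: bool) -> str:
    return str(value).lower() if case_insensitive else str(value)


def _matches(principal_values, wanted_values, case_insensitive: bool) -> bool:
    """True if at least one of the principal's values is among the policy's values."""
    have = {_norm(v, case_insensitive) for v in principal_values}
    want = {_norm(v, case_insensitive) for v in wanted_values}
    return bool(have & want)


def access_allowed(principal_attrs: dict, required: dict, rejected: dict,
                   require_all: bool = True, case_insensitive: bool = False) -> bool:
    """principal_attrs: {attribute: [values]} as resolved for the principal.
    required / rejected: {attribute: [values]} from the service entry.
    Any rejected match denies. With require_all every required attribute
    must match; otherwise one match suffices. An empty required map imposes
    no attribute condition."""
    for attr, values in rejected.items():
        if _matches(principal_attrs.get(attr, []), values, case_insensitive):
            return False
    if not required:
        return True
    results = [_matches(principal_attrs.get(attr, []), values, case_insensitive)
               for attr, values in required.items()]
    return all(results) if require_all else any(results)


# Policy from the service entry in this thread (group DN masked as on the list).
REQUIRED = {"memberOf": ["cn=cas_admin,ou=groups,dc=***,dc=***"]}
REJECTED = {}


def login_time_decision() -> bool:
    """At login the resolved principal carries memberOf: access granted."""
    principal = {"memberOf": ["cn=cas_admin,ou=groups,dc=***,dc=***"]}
    return access_allowed(principal, REQUIRED, REJECTED)


def validation_time_decision() -> bool:
    """At ST validation the principal showed up with no attributes: denied.
    Attribute caching on the service is what kept them available in Robert's case."""
    principal = {}
    return access_allowed(principal, REQUIRED, REJECTED)


if __name__ == "__main__":
    print("login:", login_time_decision())            # True
    print("validation:", validation_time_decision())  # False
```

The useful property of writing the rule out is that it makes the failure mode explicit: an access strategy keyed on attributes is only as reliable as the attribute resolution at every point the rule is evaluated, not just at authentication.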

[cas-user] service access strategies and required attributes

2020-12-04 Thread King, Robert
CAS 6.1 server
LDAP authentication + built in principal resolution

I am running into what I think is an inexperience issue with service access 
strategies.  I am attempting to use principal attributes to grant access to a 
service.

Service entry:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://webappsqa.fqdn/castester/.*",
  "name" : "cas test",
  "id" : 1,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requireAllAttributes" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "memberOf" : [ "java.util.HashSet", [ "cn=cas_admin,ou=groups,dc=***,dc=***" ] ]
    },
    "rejectedAttributes" : {
      "@class" : "java.util.LinkedHashMap"
    },
    "caseInsensitive" : false
  }
}

When authenticating against the service I see the proper authentication and 
service access enforcement.

=
WHO: robk
WHAT: Supplied credentials: [UsernamePasswordCredential(username=robk, 
source=null, customFields={})]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=
=
WHO: robk
WHAT: [result=Service Access 
Granted,service=https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk,
 attributes={memberOf=[ 
cn=cas_admin,ou=groups,dc=***,dc=***]}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=
=
WHO: robk
WHAT: [result=Service Access 
Granted,service=https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk,
 attributes={memberOf=[ 
cn=cas_admin,ou=groups,dc=***,dc=***]}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=
=
WHO: robk
WHAT: TGT-2-*3DWzf1qfRI-login-poc
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=
=
WHO: robk
WHAT: [result=Service Access 
Granted,service=https://webappsqa.fqdn/castester/...,requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=mun,dc=ca]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=
=
WHO: robk
WHAT: ST-6-DCwJziCpUw2m9nnoyGtazuMcsdM-login-poc for 
https://webappsqa.fqdn/castester/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=

Then when the service attempts to validate the ST it seems to run into an issue 
where the principal does not have any attribute data.  I have highlighted the 
audit with the empty principal that I believe is the cause of the service 
ticket validation to fail.

=
WHO: audit:unknown
WHAT: [result=Service Access 
Denied,service=https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk,
 
attributes={}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=
=
WHO: audit:unknown
WHAT: ST-6-DCwJziCpUw2m9nnoyGtazuMcsdM-login-poc for 
https://webappsqa.fqdn/castester/
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=

I am unsure as to why the principal is empty for the service when it is 
validating the ST. Any help as to what I am missing?


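The symptom in the audit trail above (an enforcement record whose principal carries none of the required attributes) can be checked mechanically across a whole audit log rather than by eye. The parser below is an added example, not CAS code; the sample records are constructed in the same layout as the ones quoted, with placeholder DN components and service URL.

```python
import re
from typing import Dict, List, Optional

ENFORCEMENT = "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED"

# Constructed sample in the layout of the CAS audit entries quoted above; the
# DN components and the service URL are placeholders, not real values.
SAMPLE_AUDIT = """\
=
WHO: robk
WHAT: [result=Service Access Granted,service=https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk,
 attributes={memberOf=[cn=cas_admin,ou=groups,dc=example,dc=org]}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=example,dc=org]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
=
=
WHO: audit:unknown
WHAT: [result=Service Access Denied,service=https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk,
 attributes={}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=example,dc=org]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
=
"""


def parse_audit(text: str) -> List[Dict[str, str]]:
    """Split the '='-delimited audit trail into records of KEY: value pairs.
    A line not starting with an upper-case key is a wrapped continuation of
    the previous value (WHAT is usually wrapped when quoted in mail)."""
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if re.fullmatch(r"=+", line):          # record separator
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        m = re.match(r"([A-Z][A-Z ]*): ?(.*)", line)
        if m:
            last_key = m.group(1).strip()
            current[last_key] = m.group(2)
        elif last_key is not None and line.strip():
            current[last_key] += " " + line.strip()   # re-join the wrapped value
    if current:
        records.append(current)
    return records


def parse_attribute_map(text: str) -> Dict[str, List[str]]:
    """Parse the Java toString form '{memberOf=[a, b], mail=[x]}' into a dict.
    Elements are joined by ', ', so DNs containing bare commas survive intact.
    Assumes attribute values contain no ']' (true for the records above)."""
    return {
        key: [v.strip() for v in values.split(", ") if v.strip()]
        for key, values in re.findall(r"(\w+)=\[([^\]]*)\]", text)
    }


def audit_findings(text: str) -> List[Dict[str, object]]:
    """One finding per enforcement record: which required attribute values
    the principal lacked at that point (an empty 'missing' means it passed)."""
    findings = []
    for rec in parse_audit(text):
        if rec.get("ACTION") != ENFORCEMENT:
            continue
        what = rec.get("WHAT", "")
        result = re.search(r"result=([^,\]]+)", what)
        # Some enforcement records carry no principal at all; attrs stays None then.
        principal = re.search(
            r"principal=SimplePrincipal\(id=([^,)]+),\s*attributes=\{([^}]*)\}", what)
        attrs: Optional[Dict[str, List[str]]] = None
        if principal:
            attrs = parse_attribute_map(principal.group(2))
        required = re.search(r"requiredAttributes=\{([^}]*)\}", what)
        wanted_map = parse_attribute_map(required.group(1)) if required else {}
        have = attrs or {}
        missing = {}
        for key, wanted in wanted_map.items():
            lacking = sorted(set(wanted) - set(have.get(key, [])))
            if lacking:
                missing[key] = lacking
        findings.append({
            "who": rec.get("WHO"),
            "result": result.group(1) if result else "unknown",
            "principal_id": principal.group(1) if principal else None,
            "principal_attributes_empty": attrs is not None and not attrs,
            "missing": missing,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_findings(SAMPLE_AUDIT):
        print(finding)
```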

RE: [EXTERNAL SMIME EMAIL] [cas-user] Cas Management webapp does not start anymore

2020-10-06 Thread King, Robert
If I were to guess, this is the recent error of requiring the InCommon Federation 
certificate as a requirement to start.

If you search for incommon.pem over the last few weeks' discussion you'll 
find several answers to this problem.



From: 'Philippe MARASSE' via CAS Community 
Sent: Tuesday, October 6, 2020 10:26 AM
To: CAS Community 
Subject: [EXTERNAL SMIME EMAIL] [cas-user] Cas Management webapp does not start 
anymore

Folks,

I'm upgrading my management webapp from 6.1.0-RC4 to 6.2.2, but unfortunately, 
the webapp does not start anymore, raising an exception:

06-Oct-2020 14:45:32.552 GRAVE [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployWAR Erreur lors du déploiement de l'archive [/var/lib/tomcat/casmgr/webapps/cas-management.war] de l'application web
java.lang.IllegalStateException: Erreur lors du démarrage du conteneur fils
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:690)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:978)
    at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1849)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
    at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:118)
    at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:773)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:427)
    at org.apache.catalina.startup.HostConfig.check(HostConfig.java:1620)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:305)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
    at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1151)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
    at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.apache.catalina.LifecycleException: Echec de démarrage du composant [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/cas-management]]
    at org.apache.catalina.util.LifecycleBase.handleSubClassException(LifecycleBase.java:440)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:198)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
    ... 24 more
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'samlController' defined in class path resource [org/apereo/cas/mgmt/config/CasManagementSamlConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.mgmt.SamlController]: Factory method 'samlController' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'metadataAggregateResolver' defined in class path resource [org/apereo/cas/mgmt/config/CasManagementSamlConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.mgmt.MetadataAggregateResolver]: Factory method 'metadataAggregateResolver' threw exception; nested exception is org.apereo.cas.services.UnauthorizedServiceException: screen.service.error.message
...

Any 

[cas-user] Issues implementing {cas-cipher}

2020-09-30 Thread King, Robert
I am attempting to configure configuration security following Misagh Moayyed's blog post:

https://apereo.github.io/2019/05/08/cas61x-jasypt-encryption/

I created the crypts using the command-line shell.

java -jar cas-server-support-shell-6.1.6.jar

cas>encrypt-value value secret alg PBEWITHMD5ANDTRIPLEDES provider SunJCE 
password * iterations 1000
 Encrypted Value 
{cas-cipher}tPFQAXStTgoo21XimVoa8w==
cas>decrypt-value value {cas-cipher}tPFQAXStTgoo21XimVoa8w== alg 
PBEWITHMD5ANDTRIPLEDES provider SunJCE password * 
iterations 1000
 Decrypted Value 
secret


I added the cas.standalone.configuration-security options to cas.properties:

# ==
# Configuration Security
# ==
cas.standalone.configuration-security.alg=PBEWITHMD5ANDTRIPLEDES
cas.standalone.configuration-security.provider=SunJCE
cas.standalone.configuration-security.iteration=1000
cas.standalone.configuration-security.psw=*

I then added the cipher to the LDAP bind configuration:

# ==
# LDAP authentication
# ==

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.ldap[0].ldapUrl=
cas.authn.ldap[0].baseDn=
cas.authn.ldap[0].searchFilter=(|(uid={user})(mail={user}))
cas.authn.ldap[0].bindDn=
cas.authn.ldap[0].bindCredential={cas-cipher}tPFQAXStTgoo21XimVoa8w==
#cas.authn.ldap[0].bindCredential=

The config works with the plain text .  When I switch to 
the cas-cipher version it fails to start.

Here is the error when it fails to start up:

2020-09-30 12:04:12,434 ERROR [org.apereo.cas.util.crypto.CipherExecutor] - 
org.jasypt.exceptions.EncryptionInitializationException: Password not set for Password Based Encryptor


I'm assuming I'm missing something obvious in regards to the PBE, but I'm at a 
loss for figuring it out.  Anyone know where I am going wrong?


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/aaeac8b41b524318b01a0bb4dd76a452%40mun.ca.


RE: [cas-user] Switch to different persistent storage than memory (was: Re: Unable to start cas-management (nullPointer))

2020-09-22 Thread King, Robert
Not a dumb question at all.  The “compile” of CAS assumes certain 
background/familiarity with Gradle.

Note that I am assuming you are using the cas-overlay-template repository and 
are on branch 6.2.

https://github.com/apereo/cas-overlay-template/tree/6.2

You will find at lines 72-75 in the build.gradle file:

dependencies {
    // Other CAS dependencies/modules may be listed here...
    // implementation "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
}

and you would update it to:

dependencies {
    // Other CAS dependencies/modules may be listed here...
    // implementation "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
    implementation "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
}

Then rebuild and redeploy.


From: gryf...@hkfree.org 
Sent: Tuesday, September 22, 2020 6:12 AM
To: CAS Community 
Cc: King, Robert 
Subject: Re: [cas-user] Switch to different persistent storage than memory 
(was: Re: Unable to start cas-management (nullPointer))

Hello,

Ok, it seems that I have not added "implementation 
"org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"" 
to the build (btw, why is it not in the documentation?)
But where should I put it? Into the "dependencies" block in build.gradle? And 
rebuild?

Thanks and sorry for dumb questions. This is my first time with Java.

Best regards,
Lukas

RE: [cas-user] Cas 6.2 - Implementation of Custom Password Policy for JDBC Authentication

2020-09-21 Thread King, Robert
I believe that the JDBC password policy settings are in the database 
authentication settings:

https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#database-authentication

Specifically

# cas.authn.jdbc.query[0].field-expired=
# cas.authn.jdbc.query[0].field-disabled=

Where both queries determine if an account is expired or disabled.

I am not certain, but I think you need a separate system, other than CAS, to 
expire and disable accounts in JDBC.


From: cas-user@apereo.org  On Behalf Of Ritesh Tripathi
Sent: Sunday, September 20, 2020 12:50 PM
To: CAS Community 
Subject: [cas-user] Cas 6.2 - Implementation of Custom Password Policy for JDBC 
Authentication

Hello All,

We have a requirement that "after 5 unsuccessful login attempts - we need to 
lock the account for a day for the said user."

We are using JDBC authentication.

We were just curious if anyone has implemented a custom password policy using 
groovy scripts or some other method for requirements such as the above.

The CAS documentation seems to be specific to LDAP and other cases. We were not 
able to get more information on JDBC.

https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#password-policy-settings

Will the groovy script method as given in the above documentation link work for 
JDBC as well? Any comments or points to implement the above type and similar 
requirements.

Best Regards
R

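The "separate system" Robert refers to can be as small as a failure counter whose state CAS's JDBC query reads through the field-disabled column. The following is an added example of that bookkeeping in SQLite, not CAS code: the threshold and lock duration are the ones from the request, the schema and clock are constructed, it is an assumption here that a 1 in the disabled column is read as "disabled", and what calls record_failure (for instance something watching CAS's own audit trail) is left to the deployment.

```python
import sqlite3
from datetime import datetime, timedelta
from typing import Dict, Optional

MAX_FAILURES = 5                    # "after 5 unsuccessful login attempts"
LOCK_DURATION = timedelta(days=1)   # "lock the account for a day"
SAMPLE_NOW = datetime(2020, 9, 21, 12, 0, 0)   # constructed clock for the demo

# Constructed schema. `locked_until` is the only state the lockout needs; the
# `disabled` value derived from it below is what a CAS JDBC query would read.
SCHEMA = """
CREATE TABLE users (
    username     TEXT PRIMARY KEY,
    password     TEXT NOT NULL,      -- a password hash, never the clear text
    failed_count INTEGER NOT NULL DEFAULT 0,
    locked_until TEXT                -- ISO-8601 timestamp, NULL when not locked
);
"""


def init_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_user(conn: sqlite3.Connection, username: str, password_hash: str) -> None:
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 (username, password_hash))
    conn.commit()


def _lock_active(locked_until: Optional[str], now: datetime) -> bool:
    return locked_until is not None and datetime.fromisoformat(locked_until) > now


def record_failure(conn: sqlite3.Connection, username: str, now: datetime) -> bool:
    """Count one failed login and lock the account at MAX_FAILURES.
    Returns True when a lock is in force after this attempt."""
    row = conn.execute(
        "SELECT failed_count, locked_until FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False            # unknown user: nothing to update, no lockout oracle
    failed, locked_until = row
    if locked_until is not None and not _lock_active(locked_until, now):
        failed, locked_until = 0, None      # an earlier lock has lapsed: fresh window
    failed += 1
    if failed >= MAX_FAILURES and locked_until is None:
        locked_until = (now + LOCK_DURATION).isoformat()
    conn.execute(
        "UPDATE users SET failed_count = ?, locked_until = ? WHERE username = ?",
        (failed, locked_until, username),
    )
    conn.commit()
    return locked_until is not None


def record_success(conn: sqlite3.Connection, username: str) -> None:
    """A successful login resets the counter and clears any lock."""
    conn.execute(
        "UPDATE users SET failed_count = 0, locked_until = NULL WHERE username = ?",
        (username,),
    )
    conn.commit()


def account_row(conn: sqlite3.Connection, username: str,
                now: datetime) -> Optional[Dict[str, object]]:
    """The columns CAS's query would see for this user. `disabled` is 1 while the
    lock is in force (assumption: field-disabled reads 1 as 'disabled')."""
    row = conn.execute(
        "SELECT username, password, locked_until FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    return {"username": row[0], "password": row[1],
            "disabled": 1 if _lock_active(row[2], now) else 0}


if __name__ == "__main__":
    db = init_db()
    add_user(db, "alice", "$placeholder-hash$")
    for attempt in range(MAX_FAILURES):
        print("locked after attempt", attempt + 1, ":",
              record_failure(db, "alice", SAMPLE_NOW))
    print(account_row(db, "alice", SAMPLE_NOW))
```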


RE: [cas-user] Switch to different persistent storage than memory (was: Re: Unable to start cas-management (nullPointer))

2020-09-18 Thread King, Robert
https://apereo.github.io/cas/6.2.x/services/JSON-Service-Management.html

From: cas-user@apereo.org  On Behalf Of gry...@hkfree.org
Sent: Friday, September 18, 2020 7:31 AM
To: CAS Community 
Cc: gry...@hkfree.org 
Subject: [cas-user] Switch to different persistent storage than memory (was: 
Re: Unable to start cas-management (nullPointer))

Ok, it seems that i have resolved the previous error by using:
./gradlew createKeystore
in "cas-overlay-template".

Now the cas-management is freezing at the start rather than crashing with 
exception.

The next issue I have noticed is that CAS is using Runtime memory as 
persistence storage. I have tried to switch to JSON-based persistence storage, 
but after specifying "cas.serviceRegistry.json.location=file:/etc/cas/services" 
in "/etc/cas/config/cas.properties", I am still being told that CAS is 
using Runtime memory.

How do I disable Runtime memory persistence storage and enable JSON persistence 
storage?

Also, do I need to specify 
"cas.serviceRegistry.json.location=file:/etc/cas/services" also in 
"/etc/cas/config/management.properties" to be able to communicate with CAS and 
start correctly?

Thanks!

Best regards,
Lukáš Krejza
On Friday 18 September 2020 at 10:47:49 UTC+2, gry...@hkfree.org wrote:

Hello,

I have deployed the cas and cas-management WARs with the default configuration 
(changed only the CAS URL). CAS itself is running and I can log in, but when 
trying to start cas-management, I get the following error:

[2020-09-18 10:05:14] [info] (CAS Management)
[2020-09-18 10:05:14] [info] CAS Version: 6.2.1
[2020-09-18 10:05:14] [info] CAS Branch: 6.2.x
[2020-09-18 10:05:14] [info] CAS Commit Id: 
dc90995b8911bd36c7aebc39588c9d6e3baee1a1
[2020-09-18 10:05:14] [info] CAS Build Date/Time: 2020-09-18T07:23:18Z
[2020-09-18 10:05:14] [info] Spring Boot Version: 2.2.8.RELEASE
[2020-09-18 10:05:14] [info] Spring Version: 5.2.7.RELEASE
[2020-09-18 10:05:14] [info] Java Home: /usr/lib/jvm/java-11-openjdk-amd64
[2020-09-18 10:05:14] [info] Java Vendor: Debian
[2020-09-18 10:05:14] [info] Java Version: 11.0.8
[2020-09-18 10:05:14] [info] JVM Free Memory: 457 MB
[2020-09-18 10:05:14] [info] JVM Maximum Memory: 955 MB
[2020-09-18 10:05:14] [info] JVM Total Memory: 955 MB
[2020-09-18 10:05:14] [info] JCE Installed: Yes
[2020-09-18 10:05:14] [info] OS Architecture: amd64
[2020-09-18 10:05:14] [info] OS Name: Linux
[2020-09-18 10:05:14] [info] OS Version: 4.19.0-10-amd64
[2020-09-18 10:05:14] [info] OS Date/Time: 2020-09-18T10:05:14.220917
[2020-09-18 10:05:14] [info] OS Temp Directory: /tmp
[2020-09-18 10:05:14] [info] 

[2020-09-18 10:05:14] [info] 2020-09-18 10:05:14,260 INFO [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] - 
[2020-09-18 10:05:28] [info] 2020-09-18 10:05:28,976 ERROR [org.apereo.cas.util.HttpUtils] - 
[2020-09-18 10:05:40] [info] 2020-09-18 10:05:40,013 WARN [org.apereo.cas.support.saml.SamlUtils] - 
[2020-09-18 10:05:40] [info] 2020-09-18 10:05:40,020 WARN [org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext] - 
[2020-09-18 10:05:40] [info] 2020-09-18 10:05:40,060 ERROR [org.springframework.boot.SpringApplication] - 
[2020-09-18 10:05:40] [info] org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'samlController' defined in class path resource [org/apereo/cas/mgmt/config/CasManagementSamlConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.mgmt.SamlController]: Factory method 'samlController' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'metadataAggregateResolver' defined in class path resource [org/apereo/cas/mgmt/config/CasManagementSamlConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.mgmt.MetadataAggregateResolver]: Factory method 'metadataAggregateResolver' threw exception; nested exception is java.lang.NullPointerException
[2020-09-18 10:05:40] [info]     at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:656) ~[spring-beans-5.2.6.RELEASE.jar:5.2.6.RELEASE]
[2020-09-18 10:05:40] [info]     at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:484) ~[spring-beans-5.2.6.RELEASE.jar:5.2.6.RELEASE]
[2020-09-18 10:05:40] [info]     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1338) ~[spring-beans-5.2.6.RELEASE.jar:5.2.6.RELEASE]

[cas-user] RE: CAS 6.1 git service registry

2020-09-14 Thread King, Robert
I found the solution to my configuration issues.  The service registry Git 
option is using SSH to do git pull/push as the tomcat user.  For the system to 
work properly you should set up your tomcat user to be able to do git push/pull 
via the console.  I had to set up that user with an SSH key pair and then set up 
the public key in the per-repository key.

Final cas.properties entries:

# ==
# Service registry
# ==
#
# JSON registry
cas.serviceRegistry.init-from-json=false
#
# Git repo as supported by cas-management
cas.serviceRegistry.git.repositoryUrl=https:///cas/casServices.git
cas.serviceRegistry.git.cloneDirectory=file:/etc/cas/services-repo


And a tomcat user set up with SSH keys both in the on-system home directory and on 
the git repository.



[cas-user] CAS 6.1 git service registry

2020-08-31 Thread King, Robert
Attempting to implement the service registry via GIT on CAS 6.1.  Using the 
following settings:

# ==
# Service registry
# ==
cas.service-registry.initFromJson=false
# Git repo as supported by cas-management
cas.serviceRegistry.git.repositoryUrl=https:///cas/casServices.git
cas.serviceRegistry.git.branchesToClone=master
cas.serviceRegistry.git.activeBranch=master
cas.serviceRegistry.git.username=
cas.serviceRegistry.git.password=
cas.serviceRegistry.git.cloneDirectory=file:/tmp/casServices
cas.serviceRegistry.git.pushChanges=false
cas.serviceRegistry.git.timeout=PT10S
# cas.serviceRegistry.git.privateKeyPassphrase=
# cas.serviceRegistry.git.privateKeyPath=
# cas.serviceRegistry.git.sshSessionPassword=


When the CAS server starts up I get the following error:

2020-08-31 11:41:17,208 ERROR [org.springframework.aop.interceptor.SimpleAsyncUncaughtExceptionHandler] - 
java.lang.ClassCastException: class org.eclipse.jgit.transport.TransportHttp cannot be cast to class org.eclipse.jgit.transport.SshTransport (org.eclipse.jgit.transport.TransportHttp and org.eclipse.jgit.transport.SshTransport are in unnamed module of loader org.apache.catalina.loader.ParallelWebappClassLoader @41beb473)
    at org.apereo.cas.git.GitRepositoryBuilder.lambda$buildTransportConfigCallback$0(GitRepositoryBuilder.java:141) ~[cas-server-support-git-service-registry-6.1.6.jar:6.1.6]
    at org.eclipse.jgit.api.TransportCommand.configure(TransportCommand.java:155) ~[org.eclipse.jgit-5.5.1.201910021850-r.jar:5.5.1.201910021850-r]
    at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:243) ~[org.eclipse.jgit-5.5.1.201910021850-r.jar:5.5.1.201910021850-r]
    at org.eclipse.jgit.api.PullCommand.call(PullCommand.java:296) ~[org.eclipse.jgit-5.5.1.201910021850-r.jar:5.5.1.201910021850-r]
...snip...

and when the scheduled task to refresh the service registry attempts to run:

2020-08-31 11:41:36,914 ERROR [org.springframework.scheduling.support.TaskUtils$LoggingErrorHandler] - 
java.lang.ClassCastException: class org.eclipse.jgit.transport.TransportHttp cannot be cast to class org.eclipse.jgit.transport.SshTransport (org.eclipse.jgit.transport.TransportHttp and org.eclipse.jgit.transport.SshTransport are in unnamed module of loader org.apache.catalina.loader.ParallelWebappClassLoader @41beb473)
    at org.apereo.cas.git.GitRepositoryBuilder.lambda$buildTransportConfigCallback$0(GitRepositoryBuilder.java:141) ~[cas-server-support-git-service-registry-6.1.6.jar:6.1.6]
    at org.eclipse.jgit.api.TransportCommand.configure(TransportCommand.java:155) ~[org.eclipse.jgit-5.5.1.201910021850-r.jar:5.5.1.201910021850-r]
    at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:243) ~[org.eclipse.jgit-5.5.1.201910021850-r.jar:5.5.1.201910021850-r]
    at org.eclipse.jgit.api.PullCommand.call(PullCommand.java:296) ~[org.eclipse.jgit-5.5.1.201910021850-r.jar:5.5.1.201910021850-r]
    at org.apereo.cas.git.GitRepository.pull(GitRepository.java:170) ~[cas-server-support-git-service-registry-6.1.6.jar:6.1.6]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
...snip...


Obviously, there is some error with my configuration, but I am at a dead end.  
Does anyone have any input as to what I have incorrectly in the configuration?



RE: [cas-user] CAS 4.2.7 Authentication Delegation Problems (PAC4J)

2020-08-31 Thread King, Robert
I would suggest moving to CAS version 5.x or greater.  Version 4.x has been end 
of life for some time now.


From: saimir pollogati 
Sent: Monday, August 31, 2020 9:50 AM
To: CAS Community 
Cc: King, Robert 
Subject: Re: [cas-user] CAS 4.2.7 Authentication Delegation Problems (PAC4J)

Thank you for your answer.
Do you have any suggestion, please, on how I can handle this problem?



Regards,
Saimir


On Monday, August 31, 2020 at 1:54:46 PM UTC+2 
ro...@mun.ca wrote:
CAS v 4.2.7 does not support SAML version 2.  Please see the bottom of this 
webpage for reference.

https://apereo.github.io/cas/4.2.x/protocol/SAML-Protocol.html


From: cas-...@apereo.org  On Behalf Of saimir pollogati
Sent: Monday, August 31, 2020 7:39 AM
To: CAS Community 
Subject: [cas-user] CAS 4.2.7 Authentication Delegation Problems (PAC4J)

Hello!

I am using CAS v. 4.2.7. I use authentication from a database and everything 
works perfectly; now I also have to add authentication from an IdP (IdP 
delegation with SAML).
After a successful authentication on the IdP login page, CAS redirects me to the 
login page again.
CAS login link text: "Hyr nga e-Test" ("Log in via e-Test")
I did the configuration as in the attached files. I followed the CAS 
documentation but I don't know what I am missing.

Any help is welcomed!

Regards
Saimir


RE: [cas-user] CAS 4.2.7 Authentication Delegation Problems (PAC4J)

2020-08-31 Thread King, Robert
CAS v 4.2.7 does not support SAML version 2.  Please see the bottom of this 
webpage for reference.

https://apereo.github.io/cas/4.2.x/protocol/SAML-Protocol.html




RE: [cas-user] CAS 6.2 Password Policy

2020-08-20 Thread King, Robert
Does that account that you are using have the appropriate privileges to read 
the LPPE policy?  I have no experience with 389 and how it implements LPPE, but 
it does help to check on the LDAP server side to see what query the 
CAS/LDAPTIVE is making to check the LPPE.

From: cas-user@apereo.org  On Behalf Of Jeremiah Garmatter
Sent: Wednesday, August 19, 2020 4:46 PM
To: CAS Community 
Cc: King, Robert ; Jeremiah Garmatter 
Subject: Re: [cas-user] CAS 6.2 Password Policy

Robert,

That link does look like the properties I need, however it appears to be 
missing a few entries, such as the dateAttribute and dateFormat, which I 
believe are vital to the configuration. I tried this configuration, note my 
organization runs 389 Directory:
cas.authn.ldap[0].passwordPolicy.type=GENERIC
cas.authn.ldap[0].passwordPolicy.enabled=true
cas.authn.ldap[0].passwordPolicy.warn-all=false
cas.authn.ldap[0].passwordPolicy.warning-days=30
cas.authn.ldap[0].passwordPolicy.warning-attribute-value=
cas.authn.ldap[0].passwordPolicy.warning-attribute-name=
cas.authn.ldap[0].passwordPolicy.display-warning-on-match=true
cas.authn.ldap[0].passwordPolicy.strategy=DEFAULT

I also tried with warn-all=true, and the account-state-handling-enabled=true 
which didn't make a difference as far as I could tell. I am using an account 
with password set to expire in 1 day, which our cas 3.5 server correctly 
recognizes and acts on. After setting the ldaptive logger to debug, I don't see 
anything related to the password policy. Is there another logger that may 
provide more information for me?

Perhaps I'll have to create a custom groovy script or some thymeleaf logic to 
compare the attributes with current date and time, then direct them to the 
service or our password reset application.

On Wednesday, August 19, 2020 at 12:28:39 PM UTC-4 
ro...@mun.ca wrote:
https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#password-policy-settings

From: Jeremiah Garmatter 
Sent: Wednesday, August 19, 2020 12:27 PM
To: CAS Community 
Cc: King, Robert 
Subject: Re: [cas-user] CAS 6.2 Password Policy

Alright, I was able to track down a little more information on my organization's 
password policy. I'm now wondering if CAS 6.2 supports lppe configurations. On 
the old CAS server (3.5), there was an lppe-configuration.xml file allowing one 
to set the attributes lppe looked at to trigger password warnings. Is there an 
equivalent configuration file on 6.2?

For reference, here is an example from our 5.3 lppe-configuration.xml file:

[lppe-configuration.xml example: the XML elements were not preserved in the archive]


On Wednesday, August 5, 2020 at 9:54:18 AM UTC-4 ro...@mun.ca wrote:
Yes, it is defined in OpenLDAP.  I would be surprised if this is not already 
setup on your existing directory.

Guessing as to what CAS is doing…

First search for user operational attributes pwdChangedTime and 
pwdPolicySubentry.  Then a second search on the DN from pwdPolicySubentry.  
That should retrieve attribute pwdMaxAge.  Then CAS would determine if the 
account is expiring inside the CAS defined warning days window and pop up the 
interruption screen to notify users as they login.


From: cas-...@apereo.org  On Behalf Of Jeremiah Garmatter
Sent: Wednesday, August 5, 2020 10:30 AM
To: cas-...@apereo.org
Subject: Re: [cas-user] CAS 6.2 Password Policy

Robert,

You are saying that password policy is defined within openldap itself and not 
within CAS?
I'd prefer not to change any ldap configuration if that can be avoided. Is 
there no way to change the attribute checked for password expiration within CAS 
properties?

-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
-Work: 419-772-1074 Cell: 
419-672-8685
-j-gar...@onu.edu


On Tue, Aug 4, 2020 at 12:44 PM King, Robert  wrote:
If you are using OpenLDAP 2.4 for your directory service:

https://www.openldap.org/software/man.cgi?query=slapo-ppolicy=0=5=OpenLDAP+2.4-Release=default=html

From: cas-...@apereo.org  On Behalf Of Jeremiah Garmatter
Sent: Tuesday, August 4, 2020 10:45 AM
To: CAS Community 
Subject: [cas-user] CAS 6.2 Password Policy

Hello,

I am having trouble understanding the password policy documentation for CAS 
6.2.x. I use openldap as the ldap source. I would like to set up a policy that 
warns users of a password change at 60 days, 30 days, and forces a password 
change at 2 days. This policy was enforced on a server running CAS 3.5 and I'm 
not sure how this system was set up (it was made by predecessors).

Could somebody explain what this line means?
"LPPE is also able to warn the user when the account is about to expire. The 
expiration policy is determined through pre-configured LDAP attributes with 
default values in place." (found here: 
https://apereo.github.io/cas/6.2.x/installation/Password-Policy-Enforcement.htm
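Robert's sketch above of what CAS/ldaptive is probably doing (read the user's pwdChangedTime and pwdPolicySubentry, read pwdMaxAge from that policy entry, then place the resulting expiry inside the configured warning window) can be replayed offline. The following is an added example, not CAS or ldaptive code; the directory entries, the default policy DN and the 30-day/2-day windows are constructed to mirror the thread's numbers.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed stand-in for the directory entries the lookup touches (DN -> attributes).
# pwdChangedTime is a slapo-ppolicy operational attribute in GeneralizedTime (UTC);
# pwdMaxAge on the policy entry is a lifetime in seconds (0 means never expires).
DIRECTORY = {
    "uid=jdoe,ou=people,dc=example,dc=edu": {
        "pwdChangedTime": "20200701120000Z",
        "pwdPolicySubentry": "cn=default,ou=policies,dc=example,dc=edu",
    },
    "uid=fresh,ou=people,dc=example,dc=edu": {
        "pwdChangedTime": "20200801120000Z",
        # no pwdPolicySubentry: the overlay's default policy applies
    },
    "cn=default,ou=policies,dc=example,dc=edu": {
        "pwdMaxAge": "7776000",  # 90 days
    },
}
# Assumed: the DN configured as the overlay's default policy (ppolicy_default).
DEFAULT_POLICY_DN = "cn=default,ou=policies,dc=example,dc=edu"


def parse_generalized_time(value: str) -> datetime:
    """Parse the UTC GeneralizedTime form slapd writes (YYYYmmddHHMMSS[.fff]Z)."""
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') GeneralizedTime values are handled here")
    stamp = value[:-1].split(".")[0]
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def password_expiry(user_dn: str, directory=DIRECTORY) -> Optional[datetime]:
    """Step 1: read the user's pwdChangedTime and pwdPolicySubentry.
    Step 2: read pwdMaxAge from that policy entry. Expiry = changed + max age."""
    user = directory[user_dn]
    changed = user.get("pwdChangedTime")
    if changed is None:
        return None  # never changed under ppolicy: nothing to compute
    policy = directory[user.get("pwdPolicySubentry", DEFAULT_POLICY_DN)]
    max_age = int(policy.get("pwdMaxAge", "0"))
    if max_age == 0:
        return None  # pwdMaxAge 0: passwords do not expire
    return parse_generalized_time(changed) + timedelta(seconds=max_age)


def expiry_status(user_dn: str, now: datetime, warning_days: int = 30,
                  force_days: int = 2, directory=DIRECTORY) -> str:
    """Step 3: place the expiry in the warning window (the thread's 30/2-day policy)."""
    expiry = password_expiry(user_dn, directory)
    if expiry is None:
        return "no-expiry"
    remaining = expiry - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= timedelta(days=force_days):
        return "force-change"
    if remaining <= timedelta(days=warning_days):
        return "warn"
    return "ok"


if __name__ == "__main__":
    now = parse_generalized_time("20200905120000Z")
    for dn in ("uid=jdoe,ou=people,dc=example,dc=edu",
               "uid=fresh,ou=people,dc=example,dc=edu"):
        print(dn, password_expiry(dn), expiry_status(dn, now))
```

To answer the privilege question raised above, run the first step by hand as the CAS bind account: `ldapsearch -LLL -D <bind DN> -W -b <user DN> -s base '(objectClass=*)' pwdChangedTime pwdPolicySubentry`. Operational attributes are only returned when named explicitly, and an empty result means CAS cannot read them either. On a ppolicy-enabled server the same remaining lifetime is also reported at bind time in the password policy response control (timeBeforeExpiration), which avoids the second search.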

RE: [cas-user] CAS 6.2 Password Policy

2020-08-19 Thread King, Robert
https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#password-policy-settings

From: Jeremiah Garmatter 
Sent: Wednesday, August 19, 2020 12:27 PM
To: CAS Community 
Cc: King, Robert 
Subject: Re: [cas-user] CAS 6.2 Password Policy

Alright, I was able to track down a little more information on my organizations 
password policy. I'm now wondering if CAS 6.2 supports lppe configurations. On 
the old CAS server (3.5), there was an lppe-configuration.xml file allowing one 
to set the attributes lppe looked at to trigger password warnings. Is there an 
equivalent configuration file on 6.2?

For reference, here is an example from our 5.3 lppe-configuration.xml file:

[lppe-configuration.xml example: the XML elements were not preserved in the archive]


On Wednesday, August 5, 2020 at 9:54:18 AM UTC-4 
ro...@mun.ca wrote:
Yes, it is defined in OpenLDAP.  I would be surprised if this is not already 
setup on your existing directory.

Guessing as to what CAS is doing…

First search for user operational attributes pwdChangedTime and 
pwdPolicySubentry.  Then a second search on the DN from pwdPolicySubentry.  
That should retrieve attribute pwdMaxAge.  Then CAS would determine if the 
account is expiring inside the CAS defined warning days window and pop up the 
interruption screen to notify users as they login.


From: cas-...@apereo.org  On Behalf Of Jeremiah Garmatter
Sent: Wednesday, August 5, 2020 10:30 AM
To: cas-...@apereo.org
Subject: Re: [cas-user] CAS 6.2 Password Policy

Robert,

You are saying that password policy is defined within openldap itself and not 
within CAS?
I'd prefer not to change any ldap configuration if that can be avoided. Is 
there no way to change the attribute checked for password expiration within CAS 
properties?

-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
-Work: 419-772-1074 Cell: 
419-672-8685
-j-gar...@onu.edu


On Tue, Aug 4, 2020 at 12:44 PM King, Robert  wrote:
If you are using OpenLDAP 2.4 for your directory service:

https://www.openldap.org/software/man.cgi?query=slapo-ppolicy=0=5=OpenLDAP+2.4-Release=default=html

From: cas-...@apereo.org  On Behalf Of Jeremiah Garmatter
Sent: Tuesday, August 4, 2020 10:45 AM
To: CAS Community 
Subject: [cas-user] CAS 6.2 Password Policy

Hello,

I am having trouble understanding the password policy documentation for CAS 
6.2.x. I use openldap as the ldap source. I would like to set up a policy that 
warns users of a password change at 60 days, 30 days, and forces a password 
change at 2 days. This policy was enforced on a server running CAS 3.5 and I'm 
not sure how this system was set up (it was made by predecessors).

Could somebody explain what this line means?
"LPPE is also able to warn the user when the account is about to expire. The 
expiration policy is determined through pre-configured LDAP attributes with 
default values in place." (found here: 
https://apereo.github.io/cas/6.2.x/installation/Password-Policy-Enforcement.html)

From what I understand there is a predefined LDAP attribute that is checked 
against the warning-days property and if it is under the day-count then a 
warning message appears.
Is this true? Also, what LDAP attribute is it checking against? Can this 
attribute be changed?

RE: [cas-user] CAS 6.2 Password Policy

2020-08-05 Thread King, Robert
Yes, it is defined in OpenLDAP.  I would be surprised if this is not already 
setup on your existing directory.

Guessing as to what CAS is doing…

First search for user operational attributes pwdChangedTime and 
pwdPolicySubentry.  Then a second search on the DN from pwdPolicySubentry.  
That should retrieve attribute pwdMaxAge.  Then CAS would determine if the 
account is expiring inside the CAS defined warning days window and pop up the 
interruption screen to notify users as they login.



RE: [cas-user] CAS 6.2 Password Policy

2020-08-04 Thread King, Robert
If you are using OpenLDAP 2.4 for your directory service:

https://www.openldap.org/software/man.cgi?query=slapo-ppolicy=0=5=OpenLDAP+2.4-Release=default=html



RE: [cas-user] Service Registry -- Getting the 1st Application Entered

2018-05-15 Thread King, Robert
Does the tomcat service have proper read rights to the json files and/or the 
/etc/cas/services/ directories?

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Jann 
Malenkoff
Sent: May-14-18 9:39 PM
To: CAS Community 
Subject: Re: [cas-user] Service Registry -- Getting the 1st Application Entered

I had a minor Eureka moment --- but it came to naught (partially).

I had a typo in the 'cas.properties' file: 
cas.serviceRegistry.json.location:file:/etc/cas/service

i.e. 'service' instead of 'services' --- corrected now (validated that the json 
files are in '/etc/cas/services').

But still no-go...any ideas will be matched by the maximum Karma I can 
provide.

On Monday, May 14, 2018 at 4:16:39 PM UTC-7, Jann Malenkoff wrote:
I'm on 5.2.4 --- I had earlier the 5.1 (i.e. 
cas.serviceRegistry.config.location) in 'cas.properties'--- now, updated to 
below (the 5.2.x version)

cas.serviceRegistry.json.location:file:/etc/cas/service
cas.serviceRegistry.initFromJson=true

Still getting error below:

2018-05-14 16:11:41,016 WARN [org.apereo.cas.services.web.ServiceThemeResolver] 
- http://localhost:8080/cas-management/manage.html,originalUrl=http://locahost:8080/cas-management/manage.html,artifactId=,principal=,loggedOutAlready=false,format=XML]]
 or service access is disallowed. Using default theme [cas-theme-default]>

Json file:

{
  "@class" :"org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(http)://.*",
  "name" :  "HTTP wildcard",
  "id" :20170905111650,
  "evaluationOrder" :   9
}

Have I missed anything else? Could there be something else in the logs that can 
give a clue (I have been hunting but may be missing it)?

On Monday, May 14, 2018 at 3:47:36 PM UTC-7, Manfredo Hopp wrote:

where are these pointing to:

cas.serviceRegistry.json.location for 5.2.x
or
cas.serviceRegistry.config.location for 5.1.x

2018-05-14 19:41 GMT-03:00 Jann Malenkoff:
FYI --- the following appears in 'catalina.out' when attempting to access 
'http://localhost:8080/cas-management/manage.html,'.

2018-05-14 15:39:09,152 WARN [org.apereo.cas.services.web.ServiceThemeResolver] 
- http://localhost:8080/cas-management/manage.html,originalUrl=http://localhost:8080/cas-management/manage.html,artifactId=,principal=,loggedOutAlready=false,format=XML]]
 or service access is disallowed. Using default theme [cas-theme-default]>


On Monday, May 14, 2018 at 3:37:31 PM UTC-7, Jann Malenkoff wrote:
Hi Richard:

I have the following in 'cas.properties':

cas.serviceRegistry.initFromJson=true

Is that correct to enable the first read from JSON? I have been staring at the 
screen for so long and beginning to doubt myself w.r.t. true/false flags.

On Monday, May 14, 2018 at 3:30:38 PM UTC-7, richard.frovarp wrote:
Do you have initialization on from JSON? Not sure if it will use your file or 
just the defaults. Either way, it should get you into the manager. Then you 
configure the manager service, and turn that property off.



# Auto-initialize the registry from default JSON service definitions

# cas.serviceRegistry.initFromJson=false


On 05/14/2018 05:13 PM, Jann Malenkoff wrote:
Hi All:

I'm trying to get the 'http://localhost:8080/cas-management/manage.html' loaded 
up --- but hitting the error message:
'
Application Not Authorized to Use CAS

The services registry of CAS is empty and has no service definitions. 
Applications that wish to authenticate with CAS must explicitly be defined in 
the services registry.'



I am hoping to have a JPA service registry --- and have configured the 
dependencies below in the 'cas-overlay-template' pom.xml.



To enable access to 'http://localhost:8080/cas-management/manage.html', I have 
added the JSON entry as below --- but do not see it in the database table 
REGEXREGISTEREDSERVICE (I have cas.serviceRegistry.config.location:
file:/etc/cas/services in 'cas.properties').



What could I have missed (or more likely misunderstood)?



JSON File in /etc/cas/services (copied -- slightly adjusted -- from an earlier 
post):

{
  /*
   * Wildcard service definition that applies to any https or imaps url.
   * Do not use this definition in a production environment.
   */
  "@class" :"org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(http)://.*",
  "name" :  "HTTP wildcard",
  "id" :20180514,
  "evaluationOrder" :   9
}


pom.xml -- for cas-overlay-template

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-webapp${app.server}</artifactId>
    <version>${cas.version}</version>
    <type>war</type>
</dependency>
RE: [cas-user] Supporting SAML 2.0 using CAS 3.4

2017-04-22 Thread King, Robert
My organization has faced a similar challenge and in our case we decided to 
use SimpleSAMLphp as a bridge between SAML 2.0 apps and CAS authentication.

CAS provides the authentication for the IdP, LDAP provides the data for the IdP 
and SimpleSAMLphp does the rest.

https://simplesamlphp.org

https://simplesamlphp.org/docs/1.6/cas:cas



From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Antony Sunny
Sent: April-17-17 11:24 PM
To: CAS Community 
Subject: [cas-user] Supporting SAML 2.0 using CAS 3.4

Hi Team,

We have a requirement for integrating Salesforce in CAS 3.4.10 using SAML 2.0, 
and since 3.4 doesn't support SAML 2 we would like to know the options without 
upgrading CAS, because we don't want to impact the existing applications that are 
currently integrated.

Also would like to know,from where can I download the CAS 3.4.10 documentation.

Thanks in Advance,

Regards,
Antony Sunny


RE: [cas-user] Xml Deserialization Error with .net client

2016-02-02 Thread King, Robert
Attribute release through CAS response is part of the 3.0 schema, so I would 
assume your first hunch on it being the attributes would be correct.


From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Burak Sarica
Sent: February-02-16 1:44 PM
To: CAS Community 
Subject: [cas-user] Xml Deserialization Error with .net client

Hi there,

The ticket validation process throws an error (I've modified the client code to 
include the inner exception):

Ticket validation error: DotNetCasClient.Validation.TicketValidationException: 
CAS Server response does not conform to CAS 2.0 schema ---> 
System.InvalidOperationException: There is an error in XML document (5, 2). ---> 
System.InvalidOperationException:  was not expected. (Original Turkish: "XML 
belgesinde bir hata var (5, 2)" and "beklenmiyordu", i.e. "was not expected".)

The ticket in the logs is the following (values hidden):

[CAS serviceResponse XML; the archive did not preserve the element tags, only the 
values: the user ***@yyu.edu.tr, a series of masked attribute values (***) and one 
attribute value "erkek" ("male")]
What is the problem here? They use this CAS installation with PHP clients etc. 
I thought it was about the attributes, but the inner exception says it cannot 
parse the root element. Any suggestions?
-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
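Robert's point that attribute release in the validation response belongs to the CAS 3.0 protocol can be checked mechanically. The following added example (not code from the thread, from DotNetCasClient or from CAS) parses both response shapes namespace-aware and tells a CAS 2.0-only success response from a 3.0 one; the three responses are constructed, with a made-up user and attributes standing in for the masked values above.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
NS = {"cas": CAS_NS}

# Constructed responses (the real one in the thread lost its tags in the archive).
RESPONSE_CAS30 = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>user@example.edu</cas:user>
    <cas:attributes>
      <cas:mail>user@example.edu</cas:mail>
      <cas:displayName>Example User</cas:displayName>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>faculty</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

RESPONSE_CAS20 = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>user@example.edu</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

RESPONSE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-1 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

# CAS 2.0 allows only these children of authenticationSuccess; cas:attributes is a 3.0 addition.
CAS20_SUCCESS_CHILDREN = {f"{{{CAS_NS}}}{n}" for n in ("user", "proxyGrantingTicket", "proxies")}


def _root(xml_text):
    # For untrusted input in production prefer defusedxml; stdlib ElementTree
    # still expands internal entities (billion-laughs style payloads).
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        raise ValueError(f"not a CAS serviceResponse: root element {root.tag!r}")
    return root


def response_error_code(xml_text):
    """Return the cas:authenticationFailure code, or None for a success response."""
    failure = _root(xml_text).find("cas:authenticationFailure", NS)
    return None if failure is None else failure.get("code")


def parse_service_response(xml_text):
    """Return (user, attributes) for a CAS 2.0 or 3.0 success response.
    Multi-valued attributes become lists; single-valued ones stay strings."""
    root = _root(xml_text)
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        raise ValueError(f"validation failed: {failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        raise ValueError("neither authenticationSuccess nor authenticationFailure present")
    user = (success.findtext("cas:user", default="", namespaces=NS) or "").strip()
    if not user:
        raise ValueError("authenticationSuccess without a cas:user")
    values = {}
    attrs = success.find("cas:attributes", NS)
    if attrs is not None:
        for child in attrs:
            name = child.tag.split("}", 1)[-1]  # drop the namespace
            values.setdefault(name, []).append((child.text or "").strip())
    return user, {k: v[0] if len(v) == 1 else v for k, v in values.items()}


def conforms_to_cas20(xml_text):
    """True when a success response carries only CAS 2.0 elements, i.e. what a
    strict 2.0 deserializer such as the .NET client's will accept."""
    success = _root(xml_text).find("cas:authenticationSuccess", NS)
    if success is None:
        return True  # a failure response has the same shape in 2.0 and 3.0
    return all(child.tag in CAS20_SUCCESS_CHILDREN for child in success)
```

If the client has to stay on the 2.0 schema, the fix is on the server side: either stop releasing attributes to that particular service in its registry entry, or move the client to a 3.0-capable validator against /p3/serviceValidate. Releasing attributes to a service that cannot parse them is pure exposure with no benefit, so scope release per service rather than globally.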