Re: [cas-user] CAS 6.3.x + Google Auth as 2FA
whoops :-), just forgotten some other modifications, here's the whole diff file : https://dpaste.com/GWJ5L7F59

Regards.

On 13/04/2021 at 16:04, Bartosz Nitkiewicz wrote:
> I have cloned CAS sources and copied
> cas/support/cas-server-support-gauth-core/src/main/java/org/apereo/cas/gauth/credential/GoogleAuthenticatorOneTimeTokenCredentialValidator.java
> to
> cas-overlay-template/src/main/java/org/apereo/cas/gauth/credential/GoogleAuthenticatorOneTimeTokenCredentialValidator.java
>
> and I have build issues down below:
>
> https://dpaste.com/8X6QFAGR2
>
> Maybe there is another way?
>
> On Tuesday, 13 April 2021 at 15:22:29 UTC+2 Philippe MARASSE wrote:
>> A good question indeed :-)
>>
>> I've taken a look over my overlay, it seems that I only overloaded the flawed class from the commit :
>>
>> cas-overlay/src/main/java/org/apereo/cas/gauth/credential/GoogleAuthenticatorOneTimeTokenCredentialValidator.java
>>
>> CAS 6.3.2 is older than the patch I think.
>>
>> So :
>> - fetch CAS sources from github
>> - copy the GoogleAuthenticatorOneTimeTokenCredentialValidator.java in your overlay
>> - build your overlay
>>
>> and test it :-).
>>
>> Regards.
>>
>> On 13/04/2021 at 14:24, Bartosz Nitkiewicz wrote:
>>> I have CAS v 6.3.2 which is quite new. But I'm not sure if it's newer than this patch.
>>> Hmm, I've cloned this overlay https://github.com/apereo/cas-overlay-template/tree/6.3 with latest commit 995813b on 14 Feb
>>>
>>> So how to make it work? I don't want to build CAS from sources:
>>> https://github.com/apereo/cas/tree/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f
>>>
>>> I'm wondering, where is this GoogleAuthenticatorOneTimeTokenCredentialValidator.java
>>> <https://github.com/apereo/cas/commit/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f#diff-1df13ecfa59195b04a0fb8db8cfe2d11ef4a09ef52fab4832edff1caaeeb8a81>
>>> file after build. Maybe it's possible to replace/edit it?
>>> Regards
>>> Bartek
>>>
>>> On Tuesday, 13 April 2021 at 14:06:08 UTC+2 Philippe MARASSE wrote:
>>>> Hello,
>>>>
>>>> It has been fixed there
>>>> https://github.com/apereo/cas/commit/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f
>>>>
>>>> Verify that your version of CAS is newer than that commit, it should be fine.
>>>>
>>>> Regards
>>>>
>>>> On 13/04/2021 at 13:04, Bartosz Nitkiewicz wrote:
>>>>> Hi,
>>>>> The setup looks like this:
>>>>>
>>>>> CAS + Vault (config file) + LDAP + 2FA (mfa-gauth) + redis for gauth and ticket registration.
>>>>>
>>>>> After testing before production deployment I've noticed that user can authorize providing user and pass, when asking for Gauth token *it can be anything (even one character)* and CAS will pass it through. I don't know where I have a mistake:
>>>>>
>>>>> Here is my config from VAULT
>>>>>
>>>>> "cas.authn.mfa.gauth.crypto.encryption.key": "[redacted]",
>>>>> "cas.authn.mfa.gauth.crypto.signing.key": "[redacted]",
>>>>> "cas.authn.mfa.gauth.issuer": "CAS",
>>>>> "cas.authn.mfa.gauth.label": "CAS",
>>>>> "cas.authn.mfa.gauth.multiple-device-registration-enabled": "false",
>>>>> "cas.authn.mfa.gauth.name": "CAS",
>>>>> "cas.authn.mfa.gauth.redis.database": "0",
>>>>> "cas.authn.mfa.gauth.redis.host": "localhost",
>>>>> "cas.authn.mfa.gauth.redis.password": "[redacted]",
>>>>> "cas.authn.mfa.gauth.redis.port": "6379",
>>>>> "cas.authn.mfa.gauth.redis.read-from": "MASTER",
>>>>> "cas.authn.mfa.gauth.redis.timeout": "2000",
>>>>>
Re: [cas-user] CAS 6.3.x + Google Auth as 2FA
A good question indeed :-)

I've taken a look over my overlay, it seems that I only overloaded the flawed class from the commit :

cas-overlay/src/main/java/org/apereo/cas/gauth/credential/GoogleAuthenticatorOneTimeTokenCredentialValidator.java

CAS 6.3.2 is older than the patch I think.

So :
- fetch CAS sources from github
- copy the GoogleAuthenticatorOneTimeTokenCredentialValidator.java in your overlay
- build your overlay

and test it :-).

Regards.

On 13/04/2021 at 14:24, Bartosz Nitkiewicz wrote:
> I have CAS v 6.3.2 which is quite new. But I'm not sure if it's newer than this patch.
> Hmm, I've cloned this overlay https://github.com/apereo/cas-overlay-template/tree/6.3 with latest commit 995813b on 14 Feb
>
> So how to make it work? I don't want to build CAS from sources:
> https://github.com/apereo/cas/tree/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f
>
> I'm wondering, where is this GoogleAuthenticatorOneTimeTokenCredentialValidator.java
> <https://github.com/apereo/cas/commit/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f#diff-1df13ecfa59195b04a0fb8db8cfe2d11ef4a09ef52fab4832edff1caaeeb8a81>
> file after build. Maybe it's possible to replace/edit it?
> Regards
> Bartek
>
> On Tuesday, 13 April 2021 at 14:06:08 UTC+2 Philippe MARASSE wrote:
>> Hello,
>>
>> It has been fixed there
>> https://github.com/apereo/cas/commit/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f
>>
>> Verify that your version of CAS is newer than that commit, it should be fine.
>>
>> Regards
>>
>> On 13/04/2021 at 13:04, Bartosz Nitkiewicz wrote:
>>> Hi,
>>> The setup looks like this:
>>>
>>> CAS + Vault (config file) + LDAP + 2FA (mfa-gauth) + redis for gauth and ticket registration.
>>>
>>> After testing before production deployment I've noticed that user can authorize providing user and pass, when asking for Gauth token *it can be anything (even one character)* and CAS will pass it through. I don't know where I have a mistake:
>>>
>>> Here is my config from VAULT
>>>
>>> "cas.authn.mfa.gauth.crypto.encryption.key": "[redacted]",
>>> "cas.authn.mfa.gauth.crypto.signing.key": "[redacted]",
>>> "cas.authn.mfa.gauth.issuer": "CAS",
>>> "cas.authn.mfa.gauth.label": "CAS",
>>> "cas.authn.mfa.gauth.multiple-device-registration-enabled": "false",
>>> "cas.authn.mfa.gauth.name": "CAS",
>>> "cas.authn.mfa.gauth.redis.database": "0",
>>> "cas.authn.mfa.gauth.redis.host": "localhost",
>>> "cas.authn.mfa.gauth.redis.password": "[redacted]",
>>> "cas.authn.mfa.gauth.redis.port": "6379",
>>> "cas.authn.mfa.gauth.redis.read-from": "MASTER",
>>> "cas.authn.mfa.gauth.redis.timeout": "2000",
>>> "cas.authn.mfa.gauth.redis.use-ssl": "false",
>>> "cas.authn.mfa.global-provider-id": "mfa-gauth",
>>>
>>> "cas.authn.mfa.triggers.principal.global-principal-attribute-name-triggers": "memberOf",
>>> "cas.authn.mfa.triggers.principal.global-principal-attribute-value-regex": "[redacted]"
>>>
>>> Maybe it's ticket registering with redis:
>>>
>>> "cas.ticket.registry.redis.crypto.alg": "AES",
>>> "cas.ticket.registry.redis.crypto.enabled": "false",
>>> "cas.ticket.registry.redis.crypto.encryption.key": "",
>>> "cas.ticket.registry.redis.crypto.encryption.key-size": "16",
>>> "cas.ticket.registry.redis.crypto.signing.key": "",
>>> "cas.ticket.registry.redis.crypto.signing.key-size": "512",
>>> "cas.ticket.registry.redis.database": "1",
>>> "cas.ticket.registry.redis.host": "localhost",
>>> "cas.ticket.registry.redis.password": "[redacted]",
>>> "cas.ticket.registry.redis.pool.enabled": "false",
>>> "cas.ticket.registry.redis.pool.fairness": "false",
>>> "cas.ticket.registry.redis
Re: [cas-user] CAS 6.3.x + Google Auth as 2FA
Hello,

It has been fixed there https://github.com/apereo/cas/commit/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f

Verify that your version of CAS is newer than that commit, it should be fine.

Regards

On 13/04/2021 at 13:04, Bartosz Nitkiewicz wrote:
> Hi,
> The setup looks like this:
>
> CAS + Vault (config file) + LDAP + 2FA (mfa-gauth) + redis for gauth and ticket registration.
>
> After testing before production deployment I've noticed that user can authorize providing user and pass, when asking for Gauth token *it can be anything (even one character)* and CAS will pass it through. I don't know where I have a mistake:
>
> Here is my config from VAULT
>
> "cas.authn.mfa.gauth.crypto.encryption.key": "[redacted]",
> "cas.authn.mfa.gauth.crypto.signing.key": "[redacted]",
> "cas.authn.mfa.gauth.issuer": "CAS",
> "cas.authn.mfa.gauth.label": "CAS",
> "cas.authn.mfa.gauth.multiple-device-registration-enabled": "false",
> "cas.authn.mfa.gauth.name": "CAS",
> "cas.authn.mfa.gauth.redis.database": "0",
> "cas.authn.mfa.gauth.redis.host": "localhost",
> "cas.authn.mfa.gauth.redis.password": "[redacted]",
> "cas.authn.mfa.gauth.redis.port": "6379",
> "cas.authn.mfa.gauth.redis.read-from": "MASTER",
> "cas.authn.mfa.gauth.redis.timeout": "2000",
> "cas.authn.mfa.gauth.redis.use-ssl": "false",
> "cas.authn.mfa.global-provider-id": "mfa-gauth",
>
> "cas.authn.mfa.triggers.principal.global-principal-attribute-name-triggers": "memberOf",
> "cas.authn.mfa.triggers.principal.global-principal-attribute-value-regex": "[redacted]"
>
> Maybe it's ticket registering with redis:
>
> "cas.ticket.registry.redis.crypto.alg": "AES",
> "cas.ticket.registry.redis.crypto.enabled": "false",
> "cas.ticket.registry.redis.crypto.encryption.key": "",
> "cas.ticket.registry.redis.crypto.encryption.key-size": "16",
> "cas.ticket.registry.redis.crypto.signing.key": "",
> "cas.ticket.registry.redis.crypto.signing.key-size": "512",
> "cas.ticket.registry.redis.database": "1",
> "cas.ticket.registry.redis.host": "localhost",
> "cas.ticket.registry.redis.password": "[redacted]",
> "cas.ticket.registry.redis.pool.enabled": "false",
> "cas.ticket.registry.redis.pool.fairness": "false",
> "cas.ticket.registry.redis.pool.lifo": "true",
> "cas.ticket.registry.redis.pool.max-active": "8",
> "cas.ticket.registry.redis.pool.max-idle": "8",
> "cas.ticket.registry.redis.pool.max-wait": "-1",
> "cas.ticket.registry.redis.pool.min-evictable-idle-time-millis": "0",
> "cas.ticket.registry.redis.pool.min-idle": "0",
> "cas.ticket.registry.redis.pool.num-tests-per-eviction-run": "0",
> "cas.ticket.registry.redis.pool.soft-min-evictable-idle-time-millis": "0",
> "cas.ticket.registry.redis.pool.test-on-borrow": "false",
> "cas.ticket.registry.redis.pool.test-on-create": "false",
> "cas.ticket.registry.redis.pool.test-on-return": "false",
> "cas.ticket.registry.redis.pool.test-while-idle": "false",
> "cas.ticket.registry.redis.port": "6379",
> "cas.ticket.registry.redis.timeout": "2000",
> "cas.ticket.registry.redis.use-ssl": "false",
>
> Any hints?
> Regards
> Bartek
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3aac5f3d-d9a7-4455-9639-bf8ce2be695en%40apereo.org.
--
Philippe MARASSE
Head of Infrastructure unit - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
Re: [cas-user] CAS 6.x + 2FA/MFA with Google Authenticator
In service definition, something like this exists :

multifactorPolicy: {
  @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
  multifactorAuthenticationProviders: [ java.util.HashSet [ mfa-gauth ] ]
  failureMode: UNDEFINED
  principalAttributeNameTrigger: mfaTrigger
  principalAttributeValueToMatch: "true"
  bypassEnabled: false
}

If I'm not mistaken, 2FA will trigger only if user has an attribute named "mfaTrigger" with the value "true" (both are customizable of course). And the only 2FA asked will be gauth.

For a more complex use case, you can use a groovy script to inspect user attributes and take the appropriate decision.

Regards.

On 23/03/2021 at 15:23, Bartosz Nitkiewicz wrote:
> Hello,
>
> We thought about another authentication step for users to access some services. The problem is that it can't be mandatory. User can turn 2FA on and off. It could be possible by one of LDAP extended attributes. Then if user has this attribute set to, let's say true, then CAS will use 2FA method. If not just regular LDAP authentication.
> I know it is possible to use different authentication methods depending on service.
>
> I'm wondering if it is possible. And how to setup CAS for it.
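An added illustration of the opt-in decision described in this reply and in the Vault configuration quoted elsewhere on this page (not CAS code and not from either poster): a principal attribute trigger at service level (principalAttributeNameTrigger / principalAttributeValueToMatch) and the global cas.authn.mfa.triggers.principal.* keys with cas.authn.mfa.global-provider-id, applied to LDAP-style multi-valued attributes. Assumptions: attribute names may be comma-separated, the value pattern is a regex that must match one whole value, the service policy is consulted before the global trigger, and the memberOf regex is a constructed placeholder for the redacted one.

```python
import re
from dataclasses import dataclass, field


@dataclass
class ServiceMfaPolicy:
    """Mirror of the fields used in the multifactorPolicy block above."""
    providers: set = field(default_factory=set)   # e.g. {"mfa-gauth"}
    attribute_name_trigger: str = ""              # principalAttributeNameTrigger
    attribute_value_to_match: str = ""            # principalAttributeValueToMatch (regex)
    bypass_enabled: bool = False                  # bypassEnabled


@dataclass
class GlobalPrincipalTrigger:
    """Mirror of cas.authn.mfa.triggers.principal.* plus cas.authn.mfa.global-provider-id."""
    attribute_name_triggers: str = ""   # comma-separated attribute names
    attribute_value_regex: str = ""
    provider_id: str = ""


def _attribute_matches(attributes, names, pattern):
    """True if any value of any named attribute fully matches the regex.

    Assumption: whole-value, case-sensitive match. Attributes are the
    multi-valued lists an LDAP lookup returns; a bare string is accepted too.
    """
    if not names or not pattern:
        return False
    regex = re.compile(pattern)
    for name in (n.strip() for n in names.split(",")):
        values = attributes.get(name, [])
        if isinstance(values, str):
            values = [values]
        if any(regex.fullmatch(str(v)) for v in values):
            return True
    return False


def resolve_mfa_provider(attributes, service_policy=None, global_trigger=None):
    """Return the MFA provider id to require, or None for plain LDAP authentication.

    The service policy is checked first (assumed ordering), then the global trigger.
    A principal without the trigger attribute never gets MFA, which is the
    opt-in model the question asks for.
    """
    if service_policy is not None:
        if service_policy.bypass_enabled:
            return None
        if _attribute_matches(attributes, service_policy.attribute_name_trigger,
                              service_policy.attribute_value_to_match):
            # one provider configured, so the choice is fixed
            return next(iter(sorted(service_policy.providers)), None)
    if global_trigger is not None and _attribute_matches(
            attributes, global_trigger.attribute_name_triggers,
            global_trigger.attribute_value_regex):
        return global_trigger.provider_id or None
    return None


# Constructed sample policies matching the two configurations quoted on this page
SERVICE_POLICY = ServiceMfaPolicy(
    providers={"mfa-gauth"},
    attribute_name_trigger="mfaTrigger",
    attribute_value_to_match="true",
)
GLOBAL_TRIGGER = GlobalPrincipalTrigger(
    attribute_name_triggers="memberOf",
    attribute_value_regex=r"cn=mfa-users,ou=groups,dc=example,dc=org",  # placeholder
    provider_id="mfa-gauth",
)

if __name__ == "__main__":
    opted_in = {"uid": ["alice"], "mfaTrigger": ["true"],
                "memberOf": ["cn=staff,ou=groups,dc=example,dc=org"]}
    opted_out = {"uid": ["bob"], "memberOf": ["cn=staff,ou=groups,dc=example,dc=org"]}
    print(resolve_mfa_provider(opted_in, SERVICE_POLICY))    # mfa-gauth
    print(resolve_mfa_provider(opted_out, SERVICE_POLICY))   # None
```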
Re: [cas-user] CAS 6.x + 2FA/MFA with Google Authenticator
Hi,

Here we use 2FA, either U2F or TOTP/Gauth, to grant access to a specific service. The 2FA is mandatory but the method is given by a LDAP attribute.

What is your use case ? 2FA for all services triggered by a LDAP attribute (I believe it's possible in service configuration) ?

Regards.

On 23/03/2021 at 09:31, Bartosz Nitkiewicz wrote:
> Hi,
> I'm wondering how to set up 2FA/MFA with Google Authenticator?
> For now I have configured my CAS server to authenticate users through LDAP and successfully managed to make SAML work with one of my applications.
>
> I have to set up CAS for the possibility to enable MFA for a specific LDAP user. Is it achievable? Should I enable another service to save this info (user enable/disable MFA)?
Re: [cas-user] CAS 6.3.2 Google Auth OTP Validation Issue
Hello,

Thank you, it seems to work now as expected with this patch.

Regards.

On 10/03/2021 at 09:40, Pavlos Drandakis wrote:
> Hi Philippe,
>
> it seems that gauth validation is now fixed
> (https://github.com/apereo/cas/commit/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f).
>
> Pavlos
>
> On Tue, Mar 9, 2021 at 10:19 PM 'Philippe MARASSE' via CAS Community <cas-user@apereo.org> wrote:
>> Folks,
>>
>> Since we've installed our new cas v6.3.0 with MFA (gauth or u2f), we've run into a strange issue :
>> - TOTP registering works fine, first check of TOTP code is verified ok (a bad code is rejected, as expected)
>> - TOTP input before accessing a service is asked, but whatever numerical input can be sent, it will always be accepted ??
>>
>> In other words : Google authenticator TOTP does not work for us.
>>
>> I've set trace level on org.apereo.cas.gauth package, then used 1234 as TOTP token (expected tokens are 6 digit long) :
>>
>> 2021-03-09 20:59:30,214 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - [GoogleAuthenticatorAuthenticationHandler]>
>> 2021-03-09 20:59:30,215 TRACE [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] -
>> 2021-03-09 20:59:30,215 TRACE [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] - credential repository...>
>> 2021-03-09 20:59:30,215 TRACE [org.apereo.cas.gauth.credential.RedisGoogleAuthenticatorTokenCredentialRepository] - [RedisGoogleAuthenticatorTokenCredentialRepository:testuser:*]>
>> 2021-03-09 20:59:30,218 TRACE [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] - [testuser]...>
>> 2021-03-09 20:59:30,219 TRACE [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] - [GoogleAuthenticatorRedisTokenRepository:testuser:1234]>
>> 2021-03-09 20:59:30,220 DEBUG [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] -
>> 2021-03-09 20:59:30,232 DEBUG [org.apereo.cas.gauth.GoogleAuthenticatorAuthenticationHandler] - userId=testuser, issuedDateTime=2021-03-09T20:59:30.224663)] successfully for [testuser]>
>> 2021-03-09 20:59:30,232 TRACE [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] - userId=testuser, issuedDateTime=2021-03-09T20:59:30.224663)] using key [GoogleAuthenticatorRedisTokenRepository:testuser:1234]>
>> 2021-03-09 20:59:30,281 TRACE [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] - userId=testuser, issuedDateTime=2021-03-09T20:59:30.224663)]>
>> 2021-03-09 20:59:30,282 DEBUG [org.apereo.cas.gauth.GoogleAuthenticatorAuthenticationHandler] -
>> 2021-03-09 20:59:30,282 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - successfully authenticated [GoogleAuthenticatorTokenCredential(super=OneTimeTokenCredential(token=1234), accountId=1614873350660)]>
>>
>> our dependencies :
>>
>> dependencies {
>>     implementation "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
>>     implementation "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
>>     implementation "org.apereo.cas:cas-server-support-reports:${project.'cas.version'}"
>>
>>     implementation "org.apereo.cas:cas-server-support-u2f:${project.'cas.version'}"
>>     implementation "org.apereo.cas:cas-server-support-u2f-redis:${project.'cas.version'}"
>>
>>     implementation "org.apereo.cas:cas-server-support-gauth:${project.'cas.version'}"
>>     implementation "org.apereo.cas:cas-server-support-gauth-redis:${project.'cas.version'}"
>>
>>     implementation "org.apereo.cas:cas-server-support-saml:${project.'cas.version'}"
>>
>>     implementation "org.apereo.cas:cas-server-support-redis-ticket-registry:${project.'cas.version'}"
>> }
>>
>> And relevant configuration in cas.properties :
>>
>> cas.authn.mfa.gauth.code-digits=6
>> cas.authn.mfa.gauth.time-step-size=30
>> cas.authn.mfa.gauth.rank=2
>>
>> Any idea ?
>>
>> Regards.
>>
>> --
>> Phi
[cas-user] CAS 6.3.2 Google Auth OTP Validation Issue
Folks,

Since we've installed our new cas v6.3.0 with MFA (gauth or u2f), we've run into a strange issue :
- TOTP registering works fine, first check of TOTP code is verified ok (a bad code is rejected, as expected)
- TOTP input before accessing a service is asked, but whatever numerical input can be sent, it will always be accepted ??

In other words : Google authenticator TOTP does not work for us.

I've set trace level on org.apereo.cas.gauth package, then used 1234 as TOTP token (expected tokens are 6 digit long) :

2021-03-09 20:59:30,214 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
2021-03-09 20:59:30,215 TRACE [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] -
2021-03-09 20:59:30,215 TRACE [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] -
2021-03-09 20:59:30,215 TRACE [org.apereo.cas.gauth.credential.RedisGoogleAuthenticatorTokenCredentialRepository] -
2021-03-09 20:59:30,218 TRACE [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] -
2021-03-09 20:59:30,219 TRACE [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] -
2021-03-09 20:59:30,220 DEBUG [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator] -
2021-03-09 20:59:30,232 DEBUG [org.apereo.cas.gauth.GoogleAuthenticatorAuthenticationHandler] -
2021-03-09 20:59:30,232 TRACE [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] -
2021-03-09 20:59:30,281 TRACE [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] -
2021-03-09 20:59:30,282 DEBUG [org.apereo.cas.gauth.GoogleAuthenticatorAuthenticationHandler] -
2021-03-09 20:59:30,282 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -

our dependencies :

dependencies {
    implementation "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-reports:${project.'cas.version'}"

    implementation "org.apereo.cas:cas-server-support-u2f:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-u2f-redis:${project.'cas.version'}"

    implementation "org.apereo.cas:cas-server-support-gauth:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-gauth-redis:${project.'cas.version'}"

    implementation "org.apereo.cas:cas-server-support-saml:${project.'cas.version'}"

    implementation "org.apereo.cas:cas-server-support-redis-ticket-registry:${project.'cas.version'}"
}

And relevant configuration in cas.properties :

cas.authn.mfa.gauth.code-digits=6
cas.authn.mfa.gauth.time-step-size=30
cas.authn.mfa.gauth.rank=2

Any idea ?

Regards.
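The defect reported in this post and confirmed fixed in the reply above (a 4-digit "1234" accepted where 6-digit TOTP codes were configured) comes down to what a one-time-token validator has to check. The following is an added, self-contained Python illustration of those checks, not the CAS GoogleAuthenticatorOneTimeTokenCredentialValidator and not code from the linked commit: it enforces code-digits and time-step-size, compares against RFC 6238 TOTP over a small drift window, and refuses a code already consumed for the same account (the role the token repository plays in the trace). Assumptions: HMAC-SHA1, a window of one step either side, an in-memory used-token store, and the RFC 4226/6238 test key as the constructed secret.

```python
import base64
import hashlib
import hmac
import re
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with T0 = 0: the HOTP counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


class OneTimeTokenValidator:
    """Checks a submitted code the way a gauth-style validator must:
    1. exactly `digits` decimal digits (cas.authn.mfa.gauth.code-digits);
    2. not already consumed for this account (reuse of a captured code);
    3. equal to the TOTP of the current step or a neighbouring one (clock drift).
    Each failure carries a reason so it can be logged and alerted on.
    """

    def __init__(self, digits: int = 6, step: int = 30, window: int = 1):
        self.digits = digits
        self.step = step
        self.window = window
        # (account, token) -> time step when accepted. A deployment keeps this in
        # shared storage (Redis in the thread) with a TTL covering the window.
        self._used: dict = {}

    def _purge(self, counter: int) -> None:
        stale = [k for k, c in self._used.items() if c < counter - self.window]
        for k in stale:
            del self._used[k]

    def validate(self, account: str, secret: bytes, token: str, now: int) -> tuple:
        counter = now // self.step
        self._purge(counter)
        if not re.fullmatch(r"[0-9]{%d}" % self.digits, token):
            return False, "malformed"      # "1234" from the trace stops here
        if (account, token) in self._used:
            return False, "replayed"
        for drift in range(-self.window, self.window + 1):
            expected = hotp(secret, counter + drift, self.digits)
            if hmac.compare_digest(expected, token):
                self._used[(account, token)] = counter
                return True, "ok"
        return False, "mismatch"


# Constructed secret: the RFC 4226/6238 test key "12345678901234567890", written as
# the base32 string an authenticator enrolment stores.
TEST_SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    v = OneTimeTokenValidator(digits=6, step=30)
    print(totp(TEST_SECRET, 59))                              # 287082 (RFC 6238 vector)
    print(v.validate("testuser", TEST_SECRET, "1234", 59))    # (False, 'malformed')
    print(v.validate("testuser", TEST_SECRET, "287082", 59))  # (True, 'ok')
    print(v.validate("testuser", TEST_SECRET, "287082", 59))  # (False, 'replayed')
```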
Re: [cas-user] CAS 6.3.0-RC3 issue with MFA selector menu
Interestingly, I think there's a flaw in the webflow.

Let's use 2 services, and only the second requires MFA.

Without MFA selector :
- Call first service, redirect to cas
- Authentication with only login/password ok, redirect to service one.
- Service one validates service ticket OK
- Call to second service, redirect to cas
- CAS shows MFA screen (U2F in my case), Authentication OK, redirect to service two
- Service two validates service ticket OK

Everything runs fine.

With MFA Selector enabled :
- Call first service, redirect to cas
- Authentication with only login/password ok, redirect to service one.
- Service one validates service ticket OK
- Call to second service, redirect to cas
- Login screen shows login form ?? An exception has been raised (see below)
- Authentication can be redone with login/password, no MFA asked, redirected to service
- Service two validates service ticket... fails with (cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'):
  The validation request for [ST-5-R2L9TIWs19jdW5DwR-jlcndnNvE-castest] cannot be satisfied. The request is either unrecognized or unfulfilled.

cas.log :

=
WHO: audit:unknown
WHAT: Transition definition cannot be found for event mfa-composite
ACTION: AUTHENTICATION_EVENT
APPLICATION: CAS
WHEN: Fri Oct 09 14:22:14 CEST 2020
CLIENT IP ADDRESS: x.x.x.x
SERVER IP ADDRESS: y.y.y.y
=

2020-10-09 14:22:14,440 WARN [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] -
org.apereo.cas.authentication.AuthenticationException: Transition definition cannot be found for event mfa-composite
    at org.apereo.cas.authentication.MultifactorAuthenticationUtils.lambda$validateEventIdForMatchingTransitionInContext$1(MultifactorAuthenticationUtils.java:74) ~[cas-server-core-authentication-mfa-api-
    at java.util.Optional.map(Optional.java:265) ~[?:?]
    at org.apereo.cas.authentication.MultifactorAuthenticationUtils.validateEventIdForMatchingTransitionInContext(MultifactorAuthenticationUtils.java:71) ~[cas-server-core-authentication-mfa-api-6.3.0-RC3
    at org.apereo.cas.web.flow.resolver.impl.mfa.DefaultMultifactorAuthenticationProviderWebflowEventResolver.lambda$resolveInternal$0(DefaultMultifactorAuthenticationProviderWebflowEventResolver.java:48)
    at java.util.Optional.map(Optional.java:265) ~[?:?]

Regards.

On 06/10/2020 at 17:51, 'Philippe MARASSE' via CAS Community wrote:
> Folks,
>
> I'm testing the possibility to let the user choose MFA token to use, in fact between u2f and google authenticator.
>
> I have a PHP test page used to retrieve and show me some attributes. At the time I use cas.authn.mfa.provider-selection-enabled=true, I cannot get validated by CAS :
>
> The validation request for [ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest] cannot be satisfied. The request is either unrecognized or unfulfilled.
>
> In cas_audit, I have :
>
> 2020-10-06 17:28:50,359 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
> =
> WHO: xxx
> WHAT: ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest for http://php2/portail/cas61.php
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Tue Oct 06 17:28:50 CEST 2020
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =
>
> 2020-10-06 17:28:50,424 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
> =
> WHO: audit:unknown
> WHAT: [result=Service Access Granted,service=http://php2/portail/...,principal=SimplePrincipal(id=xxx, attributes={...}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Tue Oct 06 17:28:50 CEST 2020
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =
>
> 2020-10-06 17:28:50,427 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
> =
> WHO: xxx
> WHAT: ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest for http://php2/portail/cas61.php
> ACTION: SERVICE_TICKET_VALIDATE_SUCCESS
> APPLICATION: CAS
> WHEN: Tue Oct 06 17:28:50 CEST 2020
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =========
>
> If I use cas.authn.mfa.provider-selection-enabled=false, I cannot choose the 2FA but it works...
>
> Any clue ?
>
> Regards.
>
> --
> Philippe MARASSE
> Head of Infrastructure unit, Direction de l'Informatique,
Re: [EXTERNAL SMIME EMAIL] [cas-user] Cas Management webapp does not start anymore
Thank you for the direction, I wish it's only a matter of certificate but no NPE is raised in my case. I'll take a look when my other problem about MFA selector menu will be solved.

Regards.

On 06/10/2020 at 17:51, King, Robert wrote:
> If I was to guess this is the recent error of requiring the Incommon Federation certificate as a requirement to start.
>
> If you search for incommon.pem over the last few weeks discussion you'll find several answers to this problem.
>
> From: 'Philippe MARASSE' via CAS Community
> Sent: Tuesday, October 6, 2020 10:26 AM
> To: CAS Community
> Subject: [EXTERNAL SMIME EMAIL] [cas-user] Cas Management webapp does not start anymore
>
> Folks,
>
> I'm upgrading my management webapp from 6.1.0-RC4 to 6.2.2, but unfortunately, the webapp does not start anymore, raising an exception :
>
> 06-Oct-2020 14:45:32.552 GRAVE [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployWAR Erreur lors du déploiement de l'archive [/var/lib/tomcat/casmgr/webapps/cas-management.war] de l'application web
> java.lang.IllegalStateException: Erreur lors du démarrage du conteneur fils
>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
>     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:690)
>     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
>     at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:978)
>     at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1849)
>     at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
>     at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
>     at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
>     at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:118)
>     at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:773)
>     at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:427)
>     at org.apache.catalina.startup.HostConfig.check(HostConfig.java:1620)
>     at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:305)
>     at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
>     at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1151)
>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353)
>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
>     at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335)
>     at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
>     at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
>     at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.base/java.lang.Thread.run(Thread.java:834)
> Caused by: org.apache.catalina.LifecycleException: Echec de démarrage du composant [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/cas-management]]
>     at org.apache.catalina.util.LifecycleBase.handleSubClassException(LifecycleBase.java:440)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:198)
>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
>     ... 24 more
> Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'samlController' defined in class path resource [org/apereo/cas/mgmt/config/CasManagementSamlConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed
[cas-user] CAS 6.3.0-RC3 issue with MFA selector menu
Folks,

I'm testing the possibility to let the user choose the MFA token to use, in fact between u2f and google authenticator. I have a PHP test page used to retrieve and show me some attributes.

When I use cas.authn.mfa.provider-selection-enabled=true, I cannot get validated by CAS :

The validation request for [ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest] cannot be satisfied. The request is either unrecognized or unfulfilled.

In cas_audit, I have :

2020-10-06 17:28:50,359 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=
WHO: xxx
WHAT: ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest for http://php2/portail/cas61.php
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Oct 06 17:28:50 CEST 2020
CLIENT IP ADDRESS:
SERVER IP ADDRESS:
=
2020-10-06 17:28:50,424 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=http://php2/portail/...,principal=SimplePrincipal(id=xxx, attributes={...}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Oct 06 17:28:50 CEST 2020
CLIENT IP ADDRESS:
SERVER IP ADDRESS:
=
2020-10-06 17:28:50,427 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=
WHO: xxx
WHAT: ST-1-6gCa8d4O65sMdY-612TXkDd1HDc-castest for http://php2/portail/cas61.php
ACTION: SERVICE_TICKET_VALIDATE_SUCCESS
APPLICATION: CAS
WHEN: Tue Oct 06 17:28:50 CEST 2020
CLIENT IP ADDRESS:
SERVER IP ADDRESS:
=

If I use cas.authn.mfa.provider-selection-enabled=false, I cannot choose the 2FA but it works...

Any clue ?

Regards.
--
Philippe MARASSE
Infrastructure Unit Manager
Direction de l'Informatique, Support à la Communication et à l'Organisation (DISCO)
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel : 05.49.44.57.19

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f8dedb52-116c-3bd9-cf9c-00d8b3f36b3e%40ch-poitiers.fr.
[cas-user] Cas Management webapp does not start anymore
Folks,

I'm upgrading my management webapp from 6.1.0-RC4 to 6.2.2, but unfortunately, webapp does not start anymore, raising an exception :

06-Oct-2020 14:45:32.552 GRAVE [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployWAR Erreur lors du déploiement de l'archive [/var/lib/tomcat/casmgr/webapps/cas-management.war] de l'application web
java.lang.IllegalStateException: Erreur lors du démarrage du conteneur fils
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:690)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:978)
    at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1849)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
    at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:118)
    at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:773)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:427)
    at org.apache.catalina.startup.HostConfig.check(HostConfig.java:1620)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:305)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
    at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1151)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
    at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.apache.catalina.LifecycleException: Echec de démarrage du composant [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/cas-management]]
    at org.apache.catalina.util.LifecycleBase.handleSubClassException(LifecycleBase.java:440)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:198)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
    ... 24 more
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'samlController' defined in class path resource [org/apereo/cas/mgmt/config/CasManagementSamlConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.mgmt.SamlController]: Factory method 'samlController' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'metadataAggregateResolver' defined in class path resource [org/apereo/cas/mgmt/config/CasManagementSamlConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.mgmt.MetadataAggregateResolver]: Factory method 'metadataAggregateResolver' threw exception; nested exception is org.apereo.cas.services.UnauthorizedServiceException: *screen.service.error.message*
...

Any idea ? If I switch back to 6.1.0-RC4, it works.

Regards.
Re: [cas-user] CAS 6.1 - decipher / cipher an arbitrary attribute
Hello Ray,

Thanks for your answer. If I'm not mistaken, clearpass encrypts the password used to authenticate with CAS, not an arbitrary attribute. The documentation lets us believe that it is possible (https://apereo.github.io/cas/6.1.x/integration/Attribute-Release.html) but I've not found how to do it yet.

Philippe.

On 16/04/2020 at 17:52, Ray Bon wrote:
> Philippe,
>
> I do not know the exact answer. But check how clear pass works. It
> encrypts the password with the service's public key.
>
> Ray
>
> On Thu, 2020-04-16 at 16:49 +0200, 'Philippe MARASSE' via CAS Community wrote:
>> Hi,
>> Is it possible to :
>> - fetch an attribute from LDAP, ciphered with a symmetric key, then
>> decipher to get it in clear text
>> - release an attribute (not the username, nor the password) to a
>> service, ciphered with service's public key ?
>> Use case : deliver user-dependent credentials to apache guacamole in a
>> safe way.
>> Cheers.
[cas-user] CAS 6.1 - decipher / cipher an arbitrary attribute
Hi,

Is it possible to :
- fetch an attribute from LDAP, ciphered with a symmetric key, then decipher to get it in clear text
- release an attribute (not the username, nor the password) to a service, ciphered with service's public key ?

Use case : deliver user-dependent credentials to apache guacamole in a safe way.

Cheers.
Re: [cas-user] Re: cas 6.1 with u2f
Hello,

this u2f-jpa hack solved an issue I've encountered with CAS v6.1.5 (also with 6.1.6-SNAP) + U2F (with JSON backend for testing). The raised exception was different :

2020-04-09 17:39:49,592 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] -
2020-04-09 17:39:49,595 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] -
2020-04-09 17:39:49,600 ERROR [org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet]] - *java.lang.NoSuchFieldError: ACCEPT_CASE_INSENSITIVE_VALUES*
    at com.fasterxml.jackson.datatype.jsr310.deser.JSR310DateTimeDeserializerBase.acceptCaseInsensitiveValues(JSR310DateTimeDeserializerBase.java:126) ~[jackson-datatype-jsr310-2.10.0.jar!/:2.10.0]
...

But it has gone since I've added the JPA backend.

Thank you.

On 15/11/2019 at 14:57, Andy Ng wrote:
> Hi John,
>
> Not familiar with u2f at all, but I am trying this out in my
> simulation and I also encountered your bug as well.
>
> Something like this:
> /Caused by:
> org.springframework.beans.factory.BeanCurrentlyInCreationException:
> Error creating bean with name 'u2fDeviceRepository': Requested bean is
> currently in creation: Is there an unresolvable circular reference?/
>
> I found that the bug will be gone if you
> add *cas-server-support-u2f-jpa* as well:
>
> compile "org.apereo.cas:cas-server-support-u2f:${project.'cas.version'}"
> compile "org.apereo.cas:cas-server-support-u2f-jpa:${project.'cas.version'}"
>
> The error seems gone after I apply the above.
>
> Again I am not familiar with u2f, so others might be able to help pick
> up from here if the above info is not helping you fix this bug
>
> Cheers!
> - Andy
Re: [cas-user] AJP with header too big
You should set packetSize to the same value on the application server and in your web server (we have used 16384 in our organization for years).

Regards.

On 30/09/2019 at 11:40, Fabrice Bacchella wrote:
> I'm getting the following error on CAS 5.3 with AJP:
>
> 2019-09-30 11:19:19,411 ERROR [org.apache.coyote.ajp.AjpProcessor] Header message of length [11,006] received but the packetSize is only [8,192]
> 2019-09-30 11:19:19,411 ERROR [org.apache.coyote.ajp.AjpProcessor] Error processing request
> java.lang.NullPointerException: null
>
> So I should increase the packetSize of the AJP connector, but it's missing from
> https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties.html#ajp
>
> Is it hidden somewhere else ?
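As an added example (not from the list post), the Tomcat side of the matching pair of settings, assuming an external Tomcat serving the CAS WAR behind Apache httpd on the same host; the 16384 value is the one quoted above, while the port, loopback bind address and secret are assumptions:

```xml
<!-- Tomcat conf/server.xml (assumed external Tomcat running the CAS WAR).
     packetSize defaults to 8192, which is what produced
     "Header message of length [11,006] received but the packetSize is only [8,192]"
     once the proxied request carried large headers; raise it to the same value
     the web server sends (16384 here, the value quoted in the reply). -->
<Connector port="8009"
           protocol="AJP/1.3"
           address="127.0.0.1"
           packetSize="16384"
           secretRequired="true"
           secret="REPLACE-WITH-A-RANDOM-SECRET"
           redirectPort="8443" />
<!-- address/secretRequired/secret: AJP is unauthenticated by design, so bind it
     to loopback (assumes httpd on the same host) and require a shared secret
     (attributes available on Tomcat 8.5.51 / 9.0.31 and later). -->
```

On the httpd side the same 16384 goes into ProxyIOBufferSize for mod_proxy_ajp (or worker.<name>.max_packet_size for mod_jk), and the shared secret must match the one configured here (mod_proxy_ajp takes it as the secret= parameter of ProxyPass from httpd 2.4.42 on).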
Re: [cas-user] CAS 5 - SNPEGO with LDAP fallback
Hello,

What does the step 2 dialog box look like ? I suspect it could be the NTLM dialog box shown by the browser. Have you disabled NTLM ?

If you need login/passwd fallback, enable MixedMode Authentication.

Regards.

On 06/04/2017 at 10:46, Petr Gašparík - AMI Praha a.s. wrote:
> Hi,
> we integrated Apereo CAS with AD via SPNEGO, with fallback to LDAP.
>
> It works like this:
>
> 1. Try SPNEGO auth
> 2. If it fails, show browser dialog for Kerberos login (L/P from AD)
> 3. If it fails, show login page for LDAP auth
>
> Now, how to get rid of step 2?
>
> Use case:
>
> 1. Try SPNEGO auth
> 2. If it fails, show login page for LDAP auth
>
> Thanks!
> Petr Gašparík
Re: [cas-user] Blank first 401 page with SPNEGO
If it fits your use case it's perfect. In our case we want Spnego for all internal accesses, so CAS needs to stop and not offer login/password if Spnego fails.

Regards.

On 14/02/2017 at 15:22, Felix Schumacher wrote:
> On 13.02.2017 18:45, 'Philippe MARASSE' via CAS Community wrote:
>> Fine, my last attempt was with 5.1-SNAP but it worked with 5.0 also.
>>
>> I had to overload :
>> - SpnegoWebflowConfigurer (add new end state views)
>> - SpnegoWebflowConfig
>> - SpnegoNegotiateCredentialsAction to modify default behavior
>>
>> create/ overload html templates for views :
>> - casSpnegoNegotiateView.html (first 401 view)
>> - casSpnegoAuthenticationFailureView.html (auth failure view)
>> - casSpnegoErrorView.html (all other errors view)
>
> Thanks for your info, but I found an easier way.
>
> Put
>
> cas.authn.spnego.mixedModeAuthentication=true
>
> into your cas.properties.
>
> That way the first page will have the login page as the body, even
> when the browser is spnego capable
> (or what cas thinks are spnego capable browsers) and the browser did
> not send an authenticate header.
>
> No special overloading of classes or webflows :)
>
> Regards,
> Felix
>
>> Regards.
>>
>> On 13/02/2017 at 18:07, Felix Schumacher wrote:
>>>
>>> On 13 February 2017 17:28:44 CET, 'Philippe MARASSE' via CAS Community <cas-user@apereo.org> wrote:
>>>> Hello,
>>>>
>>>> We have the same problem here, which version of CAS do you use ?
>>> I believe it is 5.0.2.
>>>
>>> I would have to check tomorrow at work.
>>>
>>> Felix
>>>
>>>> Regards.
>>>>
>>>> On 13/02/2017 at 16:13, Felix Schumacher wrote:
>>>>> Hi all,
>>>>>
>>>>> I have configured a simple webapp overlay with ldap and spnego enabled.
>>>>> When I try to login with a SPNEGO enabled browser (that has no valid
>>>>> ticket for the configured domain), I get two 401 pages.
>>>>> The first 401 page is empty except for the header, that is telling the
>>>>> browser to try SPNEGO for authentication.
>>>>> The second 401 page has the login page as content together with the
>>>>> header, that tells the browser to try SPNEGO.
>>>>>
>>>>> The user can login via ldap and everything is fine.
>>>>>
>>>>> Now consider the case where we have a browser, that is not SPNEGO
>>>>> enabled. The browser gets the first (empty) 401 page and finds, that
>>>>> it has no valid authentication scheme to try. The user is therefore
>>>>> greeted with an empty page.
>>>>>
>>>>> Is this a bug, or do I have to specify anything to get the first 401
>>>>> page have the login page included?
>>>>>
>>>>> Regards,
>>>>> Felix
Re: [cas-user] Blank first 401 page with SPNEGO
Fine, my last attempt was with 5.1-SNAP but it worked with 5.0 also.

I had to overload :
- SpnegoWebflowConfigurer (add new end state views)
- SpnegoWebflowConfig
- SpnegoNegotiateCredentialsAction to modify default behavior

create/ overload html templates for views :
- casSpnegoNegotiateView.html (first 401 view)
- casSpnegoAuthenticationFailureView.html (auth failure view)
- casSpnegoErrorView.html (all other errors view)

Regards.

On 13/02/2017 at 18:07, Felix Schumacher wrote:
>
> On 13 February 2017 17:28:44 CET, 'Philippe MARASSE' via CAS Community <cas-user@apereo.org> wrote:
>> Hello,
>>
>> We have the same problem here, which version of CAS do you use ?
> I believe it is 5.0.2.
>
> I would have to check tomorrow at work.
>
> Felix
>
>> Regards.
>>
>> On 13/02/2017 at 16:13, Felix Schumacher wrote:
>>> Hi all,
>>>
>>> I have configured a simple webapp overlay with ldap and spnego enabled.
>>> When I try to login with a SPNEGO enabled browser (that has no valid
>>> ticket for the configured domain), I get two 401 pages.
>>> The first 401 page is empty except for the header, that is telling the
>>> browser to try SPNEGO for authentication.
>>> The second 401 page has the login page as content together with the
>>> header, that tells the browser to try SPNEGO.
>>>
>>> The user can login via ldap and everything is fine.
>>>
>>> Now consider the case where we have a browser, that is not SPNEGO
>>> enabled. The browser gets the first (empty) 401 page and finds, that
>>> it has no valid authentication scheme to try. The user is therefore
>>> greeted with an empty page.
>>>
>>> Is this a bug, or do I have to specify anything to get the first 401
>>> page have the login page included?
>>>
>>> Regards,
>>> Felix
Re: [cas-user] Blank first 401 page with SPNEGO
Hello,

We have the same problem here, which version of CAS do you use ?

Regards.

On 13/02/2017 at 16:13, Felix Schumacher wrote:
> Hi all,
>
> I have configured a simple webapp overlay with ldap and spnego enabled.
>
> When I try to login with a SPNEGO enabled browser (that has no valid
> ticket for the configured domain), I get two 401 pages.
> The first 401 page is empty except for the header, that is telling the
> browser to try SPNEGO for authentication.
> The second 401 page has the login page as content together with the
> header, that tells the browser to try SPNEGO.
>
> The user can login via ldap and everything is fine.
>
> Now consider the case where we have a browser, that is not SPNEGO
> enabled. The browser gets the first (empty) 401 page and finds, that
> it has no valid authentication scheme to try. The user is therefore
> greeted with an empty page.
>
> Is this a bug, or do I have to specify anything to get the first 401
> page have the login page included?
>
> Regards,
> Felix
Re: [cas-user] CAS 5.0.0 with Active Directory Authentication
Hello,

I don't think it makes a lot of difference, as dkopylenko said. But have you overloaded application.properties ? Your log shows AcceptUsersAuthenticationHandler, which is not related to LDAP but to the default distribution of CAS, which works out of the box with the casuser/mellon user.

Regards.

On 13/12/2016 at 10:19, mohammad almodallal wrote:
> Hello Philippe,
>
> the cas.properties was containing cas.authn.attributeRepository
> instead of cas.authn.ldap[0]
> anyway I'm using Active Directory, does this make a difference?
> for the cas-server-support-ldap yes it is already included
>
> but I still get errors like
>
> 2016-12-13 12:14:20,367 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
> 2016-12-13 12:14:20,368 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - find authentication handler that supports [testuser] of type [UsernamePasswordCredential], which suggests a configuration problem.>
>
> have you any idea that could help?
>
> Thanks.
>
> On Monday, December 12, 2016 at 2:11:50 PM UTC+3, Philippe MARASSE wrote:
>> Hello,
>>
>> The reference documentation is
>> https://apereo.github.io/cas/development/installation/Configuration-Properties.html#ldap
>>
>> cas.authn.ldap[0].ldapUrl=ldap://ldap1.mydomain.com ldap://ldap2.mydomain.com
>> cas.authn.ldap[0].useSsl=false
>> cas.authn.ldap[0].useStartTls=false
>> cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
>>
>> Other parameters depend upon your AD configuration.
>>
>> According to your log, it seems that LDAP support is not
>> configured. Do you use the maven overlay method ? If so, do you have a
>> dependency section like :
>>
>> <dependency>
>>     <groupId>org.apereo.cas</groupId>
>>     <artifactId>cas-server-support-ldap</artifactId>
>>     <version>${cas.version}</version>
>> </dependency>
>>
>> Regards.
>>
>> [...]
Re: [cas-user] CAS 5.0.0 with Active Directory Authentication
Hello, The reference documentation is https://apereo.github.io/cas/development/installation/Configuration-Properties.html#ldap cas.authn.ldap[0].ldapUrl=ldap://ldap1.mydomain.com ldap://ldap2.mydomain.com cas.authn.ldap[0].useSsl=false cas.authn.ldap[0].useStartTls=false cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider Others parameters depend upon your AD configuration. According to your log, it seems that LDAP support is not configured. Do you use maven overlay method ? If so, do you have a dependency section like : org.apereo.cas cas-server-support-ldap ${cas.version} Regards. Le 12/12/2016 à 11:10, mohammad almodallal a écrit : > Hello Philippe, > > also, please I've already configure the cas.properties and still > getting the following logs for authentication > > er.support.HttpBasedServiceCredentialsAuthenticationHandler@6537e53c, > org.apereo.cas.authentication.AcceptUsersAuthenticationHandler@594da5db]> > 2016-12-12 13:01:13,716 DEBUG > [org.apereo.cas.authentication.AcceptUsersAuthenticationHandler] - > > 2016-12-12 13:01:13,718 INFO > [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - > > 2016-12-12 13:01:13,719 DEBUG > [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - > found in backing map.> > 2016-12-12 13:01:13,721 WARN > [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - > find authentication handler that supports [testuser] of type > [UsernamePasswordCredential], which suggests a configuration problem.> > 2016-12-12 13:01:13,722 DEBUG > [org.apereo.cas.audit.spi.ThreadLocalPrincipalResolver] - principal at audit point [execution(Authentication > org.apereo.cas.authentication.AbstractAuthenticationManager.authenticate(AuthenticationTransaction))] > with thrown exception > [org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 > successes]> > > Thanks. 
> On Monday, December 12, 2016 at 12:58:08 PM UTC+3, mohammad almodallal wrote:
> > Hello Philippe,
> >
> > So how can we configure the LDAP authentication handler?
> >
> > Thanks.
> >
> > On Monday, December 12, 2016 at 12:01:20 PM UTC+3, Philippe MARASSE wrote:
> > > Hello,
> > >
> > > No, it's neither required nor recommended with this version of CAS.
> > >
> > > Regards
> > >
> > > On 12/12/2016 at 08:19, mohammad almodallal wrote:
> > > > Hello,
> > > >
> > > > should we use the deployerConfigContext.xml in CAS-5.0.0 to integrate with Active Directory?
> > > >
> > > > Thanks.
> > > > --
> > > > - CAS gitter chatroom: https://gitter.im/apereo/cas
> > > > - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
> > > > - CAS documentation website: https://apereo.github.io/cas
> > > > - CAS project website: https://github.com/apereo/cas
> > > > ---
> > > > You received this message because you are subscribed to the Google Groups "CAS Community" group.
> > > > To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
> > > > To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b613c270-c10a-44c5-ba96-de42a546f57f%40apereo.org.
--
Philippe MARASSE
Responsable pôle Infrastructures - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel : 05.49.44.57.19

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/39da3d6d-81f4-253c-b64b-41df327e8665%40ch-poitiers.fr.

smime.p7s: S/MIME cryptographic signature (attachment)
Re: [cas-user] CAS-5.1.0-SNAP MFA Bypass configuration property is confusing
Done: https://github.com/apereo/cas/issues/2138

Let's switch to cas-dev.

Regards.

On 18/11/2016 at 16:31, Misagh Moayyed wrote:
> That's an excellent find. I suspect bypass rules don't account for non-interactive AuthN somehow. If you can change your config to bypass MFA based on the Ldap handler, that pretty much confirms my theory.
>
> File an issue either way please. (And since you're on SNAPSHOT, let's move this to dev)
>
> --Misagh
>
> From: 'Philippe MARASSE' via CAS Community [mailto:cas-user@apereo.org]
> Sent: Friday, November 18, 2016 4:25 AM
> To: CAS Community <cas-user@apereo.org>
> Subject: [cas-user] CAS-5.1.0-SNAP MFA Bypass configuration property is confusing
>
> Hello,
>
> As issues #2126 & #2127 are solved, this morning another issue arises: Yubikey MFA is bypassed when I use LdapAuthenticationHandler (via the login form), but not when I use Spnego?? The relevant cas.properties line is:
>
> cas.authn.mfa.yubikey.bypass.authenticationHandlerName=JcifsSpnegoAuthenticationHandler
>
> As far as I understand it should bypass MFA-Yubikey when the first auth is done via SPNEGO, and enforce MFA with another type of auth. That's what I need.
>
> But on my test page, with the login form I get this attribute:
> successfulAuthenticationHandlers: *LdapAuthenticationHandler*
>
> with SPNEGO:
> successfulAuthenticationHandlers: JcifsSpnegoAuthenticationHandler, YubiKeyAuthenticationHandler
>
> Then I modified the property to:
>
> cas.authn.mfa.yubikey.bypass.authenticationHandlerName=LdapAuthenticationHandler
>
> Now I have successfulAuthenticationHandlers: YubiKeyAuthenticationHandler, LdapAuthenticationHandler when I use the login form, fine.
> And successfulAuthenticationHandlers: JcifsSpnegoAuthenticationHandler with SPNEGO, perfect :-).
>
> But IMHO, the bypass configuration option behavior is inverted.
>
> Regards.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/42fa0838-f84e-2ca7-5f09-1e9c69d01d70%40ch-poitiers.fr.
[cas-user] CAS-5.1.0-SNAP MFA Bypass configuration property is confusing
Hello,

As issues #2126 & #2127 are solved, this morning another issue arises: Yubikey MFA is bypassed when I use LdapAuthenticationHandler (via the login form), but not when I use Spnego?? The relevant cas.properties line is:

cas.authn.mfa.yubikey.bypass.authenticationHandlerName=JcifsSpnegoAuthenticationHandler

As far as I understand it should bypass MFA-Yubikey when the first auth is done via SPNEGO, and enforce MFA with another type of auth. That's what I need.

But on my test page, with the login form I get this attribute:
successfulAuthenticationHandlers: *LdapAuthenticationHandler*

with SPNEGO:
successfulAuthenticationHandlers: JcifsSpnegoAuthenticationHandler, YubiKeyAuthenticationHandler

Then I modified the property to:

cas.authn.mfa.yubikey.bypass.authenticationHandlerName=LdapAuthenticationHandler

Now I have successfulAuthenticationHandlers: YubiKeyAuthenticationHandler, LdapAuthenticationHandler when I use the login form, fine.
And successfulAuthenticationHandlers: JcifsSpnegoAuthenticationHandler with SPNEGO, perfect :-).

But IMHO, the bypass configuration option behavior is inverted.

Regards.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/48552979-800b-f552-1189-db88268723d2%40ch-poitiers.fr.
Re: [cas-user] CAS 5.1.0-SNAPSHOT no more mfa-yubikey ??
Done: https://github.com/apereo/cas/issues/2127

Please take another look at https://github.com/apereo/cas/issues/2126, as my morning tests show only a SPNEGO-related issue and no more dependency issues.

Regards.

On 17/11/2016 at 17:42, Misagh Moayyed wrote:
> Yes please.
>
> --Misagh
>
> -Original Message-
> From: 'Philippe MARASSE' via CAS Community [mailto:cas-user@apereo.org]
> Sent: Thursday, November 17, 2016 4:37 AM
> To: CAS Community <cas-user@apereo.org>
> Subject: [cas-user] CAS 5.1.0-SNAPSHOT no more mfa-yubikey ??
>
> Hello,
>
> After disabling spnego, I wanted to test MFA yubikey with CAS 5.1.0-SNAP; unfortunately I get authenticated without MFA:
>
> 2016-11-17 11:51:36,559 DEBUG [org.apereo.cas.web.flow.resolver.impl.RegisteredServiceAuthenticationPolicyProviderResolver] -
> 2016-11-17 11:51:36,569 DEBUG [org.apereo.cas.web.flow.resolver.impl.RegisteredServiceAuthenticationPolicyProviderResolver] - an authentication provider.>
> 2016-11-17 11:51:36,573 DEBUG [org.apereo.cas.web.flow.resolver.impl.RegisteredServiceAuthenticationPolicyProviderResolver] - id=3139139547012322,name=test mfa,description=Test MFA Yubikey,serviceId=https?://php-dev.mydomain.local/prenom/eclipse/testcas/www/
>
> Just reverting back to 5.0.0 in pom.xml fixes the issue.
> Should I open an issue (I have both logs for v5.0.0 & v5.1.0-SNAP)?
>
> Regards.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/583d2ceb-b980-cd8f-dfb2-b52ec474cfec%40ch-poitiers.fr.
Re: [cas-user] CAS 5 does not read cas.properties file
Hello,

Fortunately, I've found that this property:

spring.cloud.config.server.native.searchLocations=file:/etc/cas5/config

placed in the bootstrap.properties file does the job.

On Mac, once the JDK (dmg file from Oracle) and Tomcat (from the tar.gz) are installed, the catalina.sh script should work. Don't forget to set the JAVA_HOME environment variable to something like: /Library/Java/JavaVirtualMachines/jdk1.8.0_111.jdk/Contents/Home

Regards.

On 17/11/2016 at 15:23, David Brown wrote:
> Howdy, I have read thru this thread. I can't see anything to improve the same error condition you describe. Did you ever get CAS to start without stopping? I had a previous version of CAS working on a Linux box. Now I'm on a Mac and can't get it to work. I need this for development purposes only, to test an application before using the production CAS server. Please advise.
>
> On Monday, August 8, 2016 at 9:42:40 AM UTC-5, Philippe MARASSE wrote:
> > Folks,
> >
> > I'm preparing a new CAS service for our organisation (we've used CAS 3.5 for years now :-) ); my plan is to upgrade to v5 in order to use MFA.
> >
> > I'm using the maven overlay (from https://apereo.github.io/cas/development/installation/Maven-Overlay-Installation.html) and the json service registry.
> >
> > Unfortunately, I did not manage to make cas read my customized properties.
> >
> > 1st try: cas/WEB-INF/spring-configuration/propertyFileConfigurer.xml is not read
> >
> > verified with the iwatch tool.
> > 2nd try: moved this file as WEB-INF/deployerConfigContext.xml (the packaged one is empty); this file gets read but catalina.out shows:
> >
> > 08-Aug-2016 15:29:35.339 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive /var/tomcat/inst2/webapps/cas.war
> > 08-Aug-2016 15:29:41.429 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
> >
> > (CAS ASCII-art banner)
> >
> > CAS Version: 5.0.0.RC1-SNAPSHOT
> > Build Date/Time: 2016-08-08T07:37:10Z
> > Java Home: /usr/java/jdk1.8.0_101/jre
> > Java Vendor: Oracle Corporation
> > Java Version: 1.8.0_101
> > OS Architecture: i386
> > OS Name: Linux
> > OS Version: 3.16.0-4-686-pae
> >
> > 2016-08-08 15:29:45,485 INFO [org.apereo.cas.web.CasWebApplicationServletInitializer] - following profiles are active: native>
> > 2016-08-08 15:29:49,005 WARN [org.springframework.context.annotation.ConfigurationClassPostProcessor] - since its singleton instance has been created too early. The typical cause is a non-static @Bean method with a BeanDefinitionRegistryPostProcessor return type: Consider declaring such methods as 'static'.>
> > 2016-08-08 15:29:49,393 WARN [org.springframework.boot.context.properties.ConfigurationPropertiesBindingPostProcessor] - [placeHolderConfigurer, org.springframework.context.support.PropertySourcesPlaceholderConfigurer#0], falling back to Environment>
> > 2016-08-08 15:29:51,702 INFO [org.apereo.cas.services.AbstractResourceBasedServiceRegistryDao] - /var/tomcat/inst2/webapps/cas/WEB-INF/classes/services>
> > 2016-08-08 15:29:51,952 INFO [org.apereo.cas.services.DefaultServicesManagerImpl] - services from JsonServiceRegistryDao.>
> > 2016-08-08 15:29:58,240 WARN [org.apereo.cas.WebflowConversationStateCipherExecutor] - key for signing is not defined. CAS will attempt to auto-generate the signing key>
> > 2016-08-08 15:29:58,247 WARN [org.apereo.cas.WebflowConversationStateCipherExecutor] - UfOXj8N0pNAX6QJQHL4ewu_cvlTAHo6abg0NqUhf7y-vlOT_brv2Eq9sDspXBir1bGXZMME9FaX0II1Jd0CB0g of size 512. The generated key MUST be added to CAS settings.>
> > 2016-08-08 15:29:58,247 WARN [org.apereo.cas.WebflowConversationStateCipherExecutor] - encryption key is defined. CAS will attempt to auto-generate keys>
> > 2016-08-08 15:29:58,248 WARN [o
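Two settings in the threads above deserve a check before a cas.properties file goes anywhere near production: the LDAP handler quoted in the Active Directory thread uses ldap:// URLs with both useSsl and useStartTls set to false, so the bind password and every user password cross the network in cleartext; and the startup log just above shows what happens when the webflow signing and encryption keys are left unset: CAS generates fresh keys at every start and prints them in the log, where they end up in pasted bug reports. The linter below is an added example written for this page, not CAS code. The cas.authn.ldap[N].* names are the ones quoted in the thread; the webflow key property names in WEBFLOW_KEYS are an assumption about the CAS 5.0/5.1 naming and are passed in as a parameter so they can be adjusted. The sample properties are constructed from the values posted above.

```python
"""Lint a CAS cas.properties file for cleartext LDAP and unset webflow keys.

Added example for this archive page, not CAS code. The cas.authn.ldap[N].*
names are the ones quoted in the thread; WEBFLOW_KEYS is an ASSUMPTION about
the CAS 5.0/5.1 property names and can be overridden per call.
"""
import re
from typing import Dict, List, Sequence

LDAP_KEY = re.compile(r"^cas\.authn\.ldap\[(\d+)\]\.(\w+)$")

# ASSUMED names for CAS 5.0/5.1; later releases moved them under cas.webflow.crypto.*
WEBFLOW_KEYS = ("cas.webflow.signing.key", "cas.webflow.encryption.key")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: 'key=value' or 'key: value', '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def lint_cas_properties(text: str, webflow_keys: Sequence[str] = WEBFLOW_KEYS) -> List[str]:
    """Return one finding per problem; an empty list means both checks passed."""
    props = parse_properties(text)
    findings: List[str] = []

    # Group cas.authn.ldap[N].* settings by handler index N.
    handlers: Dict[str, Dict[str, str]] = {}
    for key, value in props.items():
        m = LDAP_KEY.match(key)
        if m:
            handlers.setdefault(m.group(1), {})[m.group(2)] = value

    if not handlers:
        findings.append("no cas.authn.ldap[N].* settings found: the LDAP handler is not configured")

    for idx, cfg in sorted(handlers.items()):
        plain = [u for u in cfg.get("ldapUrl", "").split() if u.lower().startswith("ldap://")]
        starttls = cfg.get("useStartTls", "<unset>").strip()
        if plain and starttls.lower() != "true":
            findings.append(f"cas.authn.ldap[{idx}]: {' '.join(plain)} with useStartTls={starttls} "
                            "sends the bind password and user passwords in cleartext; "
                            "use ldaps:// or useStartTls=true")

    for key in webflow_keys:
        if not props.get(key):
            findings.append(f"{key} is unset: CAS auto-generates a key at each start and logs it; "
                            "set a fixed key shared by every node and keep it out of the log")
    return findings


# Constructed samples: POSTED is the configuration quoted in the thread.
POSTED = """\
cas.authn.ldap[0].ldapUrl=ldap://ldap1.mydomain.com ldap://ldap2.mydomain.com
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
"""
HARDENED = POSTED.replace("useStartTls=false", "useStartTls=true") + """\
# placeholder values, not real keys
cas.webflow.signing.key=REPLACE_WITH_A_512_BIT_BASE64URL_KEY
cas.webflow.encryption.key=REPLACE_WITH_A_GENERATED_KEY
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("hardened", HARDENED)):
        print(name, lint_cas_properties(text) or ["ok"])
```

Run it against the posted configuration and it reports three findings (the cleartext LDAP URLs and the two missing keys); the hardened variant passes. The key check only tests presence, not strength, so it complements rather than replaces generating the keys with a proper random source.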
[cas-user] CAS 5.1.0-SNAPSHOT no more mfa-yubikey ??
Hello,

After disabling spnego, I wanted to test MFA yubikey with CAS 5.1.0-SNAP; unfortunately I get authenticated without MFA:

2016-11-17 11:51:36,559 DEBUG [org.apereo.cas.web.flow.resolver.impl.RegisteredServiceAuthenticationPolicyProviderResolver] -
2016-11-17 11:51:36,569 DEBUG [org.apereo.cas.web.flow.resolver.impl.RegisteredServiceAuthenticationPolicyProviderResolver] -
2016-11-17 11:51:36,573 DEBUG [org.apereo.cas.web.flow.resolver.impl.RegisteredServiceAuthenticationPolicyProviderResolver] -

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8185b8e4-3acc-ad4a-3d38-99b9c8f48fec%40ch-poitiers.fr.
Re: [cas-user] CAS 5.1.0-SNAPSHOT - SPNEGO broken ?
Done: https://github.com/apereo/cas/issues/2126

I've raised Spring Web Flow logging to debug (only this one, hoping this will be enough).

Regards.

On 16/11/2016 at 15:56, Misagh Moayyed wrote:
> Looks like a bug. File an issue please, and attach logs at DEBUG (specially for SWF).
>
> --Misagh
>
> -Original Message-
> From: 'Philippe MARASSE' via CAS Community [mailto:cas-user@apereo.org]
> Sent: Wednesday, November 16, 2016 3:20 AM
> To: CAS Community <cas-user@apereo.org>
> Subject: [cas-user] CAS 5.1.0-SNAPSHOT - SPNEGO broken ?
>
> Hello,
>
> Thanks for implementing MFA bypass in CAS 5.1.0; I'm moving on to test it on our actual test case: SPNEGO or login/password + yubikey.
>
> If I'm not mistaken, after reviewing the up-to-date documentation, I've added a line in my cas.properties:
>
> cas.authn.mfa.yubikey.bypass.authenticationHandlerName=JcifsSpnegoAuthenticationHandler
>
> I've also updated my Tomcat to 8.5.8 + Java 1.8.0u111, and my pom.xml from CAS v5.0.0 to CAS v5.1.0-SNAPSHOT. cas.war builds OK with the Maven overlay, but when it comes to starting, the spnego webflow configurer (which is misspelled spengo) hangs:
>
> 2016-11-16 11:09:34,911 INFO [org.apereo.cas.services.ServiceRegistryInitializer] - registry database will not be initialized from default JSON services. If the service registry database ends up empty, CAS will refuse to authenticate services until service definitions are added to the registry.>
> 2016-11-16 11:09:35,185 ERROR [org.apereo.cas.web.flow.SpengoWebflowConfigurer] - required>
> java.lang.IllegalArgumentException: The literal is required
>     at org.springframework.util.Assert.notNull(Assert.java:115) ~[spring-core-4.3.4.RELEASE.jar:4.3.4.RELEASE]
>     at org.springframework.binding.expression.support.LiteralExpression.<init>(LiteralExpression.java:34) ~[spring-binding-2.4.4.RELEASE.jar:2.4.4.RELEASE]
>     at org.apereo.cas.web.flow.AbstractCasWebflowConfigurer.createTransition(AbstractCasWebflowConfigurer.java:268) ~[cas-server-core-webflow-5.1.0-SNAPSHOT.jar:5.1.0-SNAPSHOT]
>     at org.apereo.cas.web.flow.AbstractCasWebflowConfigurer.createTransitionForState(AbstractCasWebflowConfigurer.java:256) ~[cas-server-core-webflow-5.1.0-SNAPSHOT.jar:5.1.0-SNAPSHOT]
>     at org.apereo.cas.web.flow.AbstractCasWebflowConfigurer.lambda$registerMultifactorProvidersStateTransitionsIntoWebflow$2(AbstractCasWebflowConfigurer.java:643) ~[cas-server-core-webflow-5.1.0-SNAPSHOT.jar:5.1.0-SNAPSHOT]
>     at java.util.LinkedHashMap.forEach(LinkedHashMap.java:684) ~[?:1.8.0_111]
>     at org.apereo.cas.web.flow.AbstractCasWebflowConfigurer.registerMultifactorProvidersStateTransitionsIntoWebflow(AbstractCasWebflowConfigurer.java:643) ~[cas-server-core-webflow-5.1.0-SNAPSHOT.jar:5.1.0-SNAPSHOT]
>     at org.apereo.cas.web.flow.SpengoWebflowConfigurer.doInitialize(SpengoWebflowConfigurer.java:40) ~[cas-server-support-spnego-webflow-5.1.0-SNAPSHOT.jar:5.1.0-SNAPSHOT]
>     at org.apereo.cas.web.flow.AbstractCasWebflowConfigurer.initialize(AbstractCasWebflowConfigurer.java:112) ~[cas-server-core-webflow-5.1.0-SNAPSHOT.jar:5.1.0-SNAPSHOT]
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_111]
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_111]
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_111]
>     at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_111]
>     at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleElement.invoke(InitDestroyAnnotationBeanPostProcessor.java:366) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
>     at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(InitDestroyAnnotationBeanPostProcessor.java:311) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
>     at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:134) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:408) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1575) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBe
[cas-user] CAS 5.1.0-SNAPSHOT - SPNEGO broken ?
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:866) ~[spring-context-4.3.4.RELEASE.jar:4.3.4.RELEASE]
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:542) ~[spring-context-4.3.4.RELEASE.jar:4.3.4.RELEASE]
    at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122) ~[spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
    at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:761) ~[spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
    at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:371) ~[spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) ~[spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
    at org.springframework.boot.web.support.SpringBootServletInitializer.run(SpringBootServletInitializer.java:151) ~[spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
    at org.springframework.boot.web.support.SpringBootServletInitializer.createRootApplicationContext(SpringBootServletInitializer.java:131) ~[spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
    at org.springframework.boot.web.support.SpringBootServletInitializer.onStartup(SpringBootServletInitializer.java:86) ~[spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
    at org.springframework.web.SpringServletContainerInitializer.onStartup(SpringServletContainerInitializer.java:169) ~[spring-web-4.3.4.RELEASE.jar:4.3.4.RELEASE]
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5178) ~[catalina.jar:8.5.8]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) ~[catalina.jar:8.5.8]
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:752) ~[catalina.jar:8.5.8]
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:728) ~[catalina.jar:8.5.8]
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734) ~[catalina.jar:8.5.8]
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:952) ~[catalina.jar:8.5.8]
    at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1823) ~[catalina.jar:8.5.8]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[?:1.8.0_111]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[?:1.8.0_111]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_111]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_111]
    at java.lang.Thread.run(Thread.java:745) [?:1.8.0_111]
2016-11-16 11:09:40,260 INFO [org.apereo.cas.configuration.CasConfigurationRebinder] -

Regards.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3010f187-3466-3d24-d8be-c64f730d0e05%40ch-poitiers.fr.
Re: [cas-user] Re: Custom Authentication Handler in version 5.0.0
Hi,

Not resolved yet, unfortunately.

Regards.

On 08/11/2016 at 16:56, Natan Zeferino wrote:
> Hi,
>
> Did you resolve that problem?
>
> I want to do the same.
>
> On Thursday, 8 September 2016 at 05:47:25 UTC-3, Gokhan Mansuroglu wrote:
> > Hi,
> >
> > Let's say I have a custom AbcAuthenticationHandler and AbcCredentials. How can I configure this custom authentication handler? In previous versions this could be handled in deployerConfigContext.xml, but how is it done in version 5.0.0?
> >
> > Thanks.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ea3b207e-525a-012a-3bb6-d9dc86b0bf63%40ch-poitiers.fr.
Re: [cas-user] Level of identity assurance implementation in CAS 5.0
I'm back to CAS testing...

I wrote a selective resolver derived from the one mentioned (SelectiveAuthenticationProviderWebflowEventResolver) to not trigger MFA when SPNEGO has succeeded. This part seems to work, but when the service ticket is validated, I get:

=
WHO: testuser
WHAT: ST-3-tvHk2g6TMkOasczQisfX-devcas1
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Thu Oct 27 15:07:30 CEST 2016
CLIENT IP ADDRESS: 172.16.10.177
SERVER IP ADDRESS: unknown
=

2016-10-27 15:07:30,346 DEBUG [org.apereo.cas.authentication.AuthenticationContextValidator] -
2016-10-27 15:07:30,346 DEBUG [org.apereo.cas.authentication.AuthenticationContextValidator] -
2016-10-27 15:07:30,347 DEBUG [org.apereo.cas.authentication.AuthenticationContextValidator] -

AuthenticationContextValidator wants to find mfa-yubikey in the context... but cannot, as I only have SPNEGO.

What should I do now?

Regards.

On 07/10/2016 at 17:27, Misagh Moayyed wrote:
> What you want to do is assign an mfa level to your healthcare software registered in CAS. That will trigger MFA for both SPNEGO and "internet" login attempts. You then write your own "selective" resolver to determine the method of authentication and conditionally decide how MFA might be activated at the end.
>
> See http://bit.ly/2dKxtxw
>
> Thinking more about this; seems like this would be an attractive feature to add: to turn on/off mfa levels conditionally based on mode of authentication. You're welcome to file a request.
>
> --
> Misagh
>
> From: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
> Reply: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
> Date: October 7, 2016 at 12:09:37 AM
> To: Misagh Moayyed <mmoay...@unicon.net>, cas-user@apereo.org
> Subject: Re: [cas-user] Level of identity assurance implementation in CAS 5.0
>
>> Hello,
>>
>> I'll try to be clearer :-). For example, a user wants to use our healthcare software:
>> - if he's connected from the LAN, SPNEGO auth will be required & sufficient to grant access to the service.
>> - if he's connected from the Internet, connection will be granted only with login/password + OTP (SMS, mail, yubikey, ... we've not chosen yet).
>>
>> I have already modified the login webflow to trigger SPNEGO only on our LAN, so login/password is only triggered from the Internet. Then... I don't know, yet, how to perform MFA only for Internet users and some services.
>>
>> Regards.
>>
>> On 06/10/2016 at 13:19, Misagh Moayyed wrote:
>>> What exactly do these points mean?
>>>
>>> If you mean to say, multiple MFA options are assigned to a user, and you wish to rank them by weight, that's already supported.
>>>
>>> --
>>> Misagh
>>>
>>> From: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
>>> Reply: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
>>> Date: October 5, 2016 at 3:46:46 PM
>>> To: cas-user@apereo.org
>>> Subject: Re: [cas-user] Level of identity assurance implementation in CAS 5.0
>>>
>>>> No idea, really?
>>>>
>>>> It's mentioned in the MFA section of https://apereo.github.io/cas/4.2.x/planning/Security-Guide.html
>>>>
>>>> but not anymore on v5: https://apereo.github.io/cas/development/planning/Security-Guide.html ??
>>>>
>>>> Regards.
>>>>
>>>> On 29/09/2016 at 14:43, Philippe MARASSE wrote:
>>>> > Hello,
>>>> >
>>>> > I'm wondering if CAS is able to do service-based LOA, e.g. internal users use SPNEGO and external users use login/password, and if requested by the service: MFA with Yubikey or other not yet implemented means (OTP via SMS, OTP via FreeOTP, etc.). Ideally, I would set a level by service:
>>>> > - access to Webmail with a required level of 15 points
>>>> > - access to personal information with a required level of 20 points
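The LOA thread above and the MFA-bypass thread earlier on this page describe the same check from two angles: at service-ticket validation, CAS's AuthenticationContextValidator looks for the provider the service requires (mfa-yubikey) in the authentication context, and a webflow hack that simply skips the Yubikey step leaves that context empty, so validation fails; the bypass property instead names the first-factor handler (JcifsSpnegoAuthenticationHandler) whose users are exempt. The script below is an added example written for this page; it is not CAS code and does not reproduce CAS's validator or bypass classes. It parses a CAS 3.0 serviceValidate response and applies that rule to the three login paths the posters observed. Assumptions not confirmed by the threads: the response exposes the satisfied provider id under the attribute authnContextClass (the CAS 5 default name for that attribute; successfulAuthenticationHandlers does appear on the poster's test page), and every XML response here is constructed, not captured from a server.

```python
"""Check a validated CAS assertion against a service's MFA requirement.

Added example for this archive page, NOT CAS code. Models the rule the
threads describe: the assertion's authentication context must name the
required provider unless a bypass rule exempts the first-factor handler.
ASSUMPTION: the satisfied provider id is exposed as 'authnContextClass'.
All XML below is constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Tuple

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def parse_assertion(xml_text: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (user, attributes) from a CAS 3.0 serviceValidate success response.

    Multi-valued attributes are repeated elements, so values are collected in lists.
    """
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("not an authenticationSuccess response")
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    attrs: Dict[str, List[str]] = {}
    container = success.find("cas:attributes", CAS_NS)
    for el in ([] if container is None else list(container)):
        name = el.tag.rsplit("}", 1)[-1]  # drop the namespace prefix
        attrs.setdefault(name, []).append((el.text or "").strip())
    return user, attrs


def context_satisfies(attrs: Dict[str, List[str]], required_provider: str,
                      bypass_handlers: Iterable[str],
                      context_attribute: str = "authnContextClass") -> Tuple[bool, str]:
    """Decide whether the assertion meets the service's MFA policy."""
    if required_provider in attrs.get(context_attribute, []):
        return True, f"{required_provider} satisfied"
    # The bypass setting names the handler whose users are EXEMPT from MFA
    # (e.g. JcifsSpnegoAuthenticationHandler for LAN users), not the one that
    # must complete it.
    exempt = set(bypass_handlers) & set(attrs.get("successfulAuthenticationHandlers", []))
    if exempt:
        return True, f"{required_provider} bypassed for {sorted(exempt)[0]}"
    return False, (f"{required_provider} required but context has "
                   f"{attrs.get(context_attribute, [])}")


def check_ticket(xml_text: str, required_provider: str,
                 bypass_handlers: Iterable[str]) -> Tuple[str, bool, str]:
    """Parse a validation response and return (user, accepted, reason)."""
    user, attrs = parse_assertion(xml_text)
    ok, reason = context_satisfies(attrs, required_provider, bypass_handlers)
    return user, ok, reason


def sample_response(user: str, handlers: List[str], context: str = "") -> str:
    """Build a constructed /p3/serviceValidate success response."""
    body = "".join(
        f"<cas:successfulAuthenticationHandlers>{h}</cas:successfulAuthenticationHandlers>"
        for h in handlers)
    if context:
        body += f"<cas:authnContextClass>{context}</cas:authnContextClass>"
    return (f"<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
            f"<cas:authenticationSuccess><cas:user>{user}</cas:user>"
            f"<cas:attributes>{body}</cas:attributes>"
            f"</cas:authenticationSuccess></cas:serviceResponse>")


REQUIRED = "mfa-yubikey"
BYPASS = {"JcifsSpnegoAuthenticationHandler"}  # LAN users: SPNEGO alone suffices

# The login paths discussed in the threads, as constructed responses.
LDAP_WITH_OTP = sample_response(
    "testuser", ["LdapAuthenticationHandler", "YubiKeyAuthenticationHandler"], REQUIRED)
LDAP_ONLY = sample_response("testuser", ["LdapAuthenticationHandler"])  # MFA skipped: must fail
SPNEGO_ONLY = sample_response("testuser", ["JcifsSpnegoAuthenticationHandler"])

if __name__ == "__main__":
    for name, xml in (("ldap+yubikey", LDAP_WITH_OTP), ("ldap only", LDAP_ONLY),
                      ("spnego only", SPNEGO_ONLY)):
        user, ok, reason = check_ticket(xml, REQUIRED, BYPASS)
        print(f"{name:12} {user}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

With the bypass set to the SPNEGO handler, the LDAP login with a Yubikey and the SPNEGO-only login are accepted and the LDAP-only login is rejected, which is the outcome the first poster wanted; flipping the setting to LdapAuthenticationHandler exempts the wrong population, so a regression test of this shape against the real /p3/serviceValidate responses is a cheap way to catch an inverted bypass before it reaches production.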
Re: [cas-user] Workflow for SPNEGO partly broken with 5.0.0-RC3
Faster than light ! It seems that you've already fixed that transition (commit c8b80250bdbbcc4e7435c4831500597681bf7b78 ) Thank you. Regards. Le 06/10/2016 à 13:22, Misagh Moayyed a écrit : > Looks like a bug also. File, and please include full web flow logs. > > -- > Misagh 
>
> From: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
> Date: October 5, 2016 at 3:37:18 PM
> To: cas-user@apereo.org
> Subject: Re: [cas-user] Workflow for SPNEGO partly broken with 5.0.0-RC3
>
>> Hi,
>>
>> Flow processing complains about a missing "authenticationFailure" transition, I suspect that's a side effect of a recent modification made to get SPNEGO working with MFA (Yubikey in our test case).
>>
>> As SPNEGO transition is no more handled in XML file, I think you need a change in Configuration class.
>>
>> Regards.
>>
>> On 05/10/2016 at 12:39, Felix Schumacher wrote:
>> > Hi all,
>> >
>> > I have updated my test environment from 5.0.0-RC2 to 5.0.0-RC3 and noticed that the SPNEGO workflow is broken, when a wrong kerberos ticket is sent.
>> >
>> > With RC2 I got the LDAP backed Login form, while RC3 shows me an error page with the following error snippet on it:
>> >
>> > Error: No transition was matched on the event(s) signaled by the [1] action(s) that executed in this action state 'spnego' of flow 'login'; transitions must be defined to handle action result outcomes -- possible flow configuration error? Note: the eventIds signaled were: 'array['authenticationFailure']', while the supported set of transitional criteria for this action state is 'array[success, error]'
>> >
>> > The browser gets the first 401 response as it should and responds with a request containing the Negotiate header. That triggers the 500 response with the snippet above.
>> >
>> > If I call the login webflow with a browser, that is not issuing kerberos tickets, I can use the login form successfully.
>> >
>> > If I call the login webflow with a correct kerberos ticket, I get logged in OK, too.
>> >
>> > My workflow's only modification is:
>> > >> > @@ -25,7 +25,7 @@ >> > >> > >> > >> > - >> > + >> > >> > >> > > > model="credential"> >> >
>> >
>> > Any ideas?
>> >
>> > Felix
>> >
>>
>> --
>> Philippe MARASSE
>>
>> Responsable pôle Infrastructures - DSIO
>> Centre Hospitalier Henri Laborit
>> CS 10587 - 370 avenue Jacques Cœur
>> 86021 Poitiers Cedex
>> Tel : 05.49.44.57.19
>>
>> --
>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
>> To post to this group, send email to cas-user@apereo.org.
>> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6c5aee78-49df-d197-fa2b-48933d86dc30%40ch-poitiers.fr.
>> For more options, visit https://groups.google.com/a/apereo.org/d/optout.
--
Philippe MARASSE
Re: [cas-user] Level of identity assurance implementation in CAS 5.0
Hello,

I'll try to be clearer :-), for example, a user wants to use our healthcare software:
- if he's connected from LAN, SPNEGO auth will be required & sufficient to grant access to the service.
- if he's connected from the Internet, connection will be granted only with login/password + OTP (SMS, mail, yubikey, ... we've not chosen yet).

I already have modified login webflow to trigger SPNEGO only on our LAN, so login/password is only triggered from the Internet. Then... I don't know, yet, how to perform MFA only for Internet users and some services.

Regards.

On 06/10/2016 at 13:19, Misagh Moayyed wrote:
> What exactly do these points mean?
>
> If you mean to say, multiple MFA options are assigned to a user, and you wish to rank them by weight, that's already supported.
>
> --
> Misagh
>
> From: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
> Date: October 5, 2016 at 3:46:46 PM
> To: cas-user@apereo.org
> Subject: Re: [cas-user] Level of identity assurance implementation in CAS 5.0
>
>> No idea, really?
>>
>> It's mentioned in section MFA of https://apereo.github.io/cas/4.2.x/planning/Security-Guide.html
>> but not anymore on v5 https://apereo.github.io/cas/development/planning/Security-Guide.html ??
>>
>> Regards.
>>
>> On 29/09/2016 at 14:43, Philippe MARASSE wrote:
>> > Hello,
>> >
>> > I'm wondering if CAS is able to do service-based LOA, eg, internal users use SPNEGO and external users use Login/Password, and if requested by service: MFA with Yubikey or other not yet implemented mean (OTP via SMS, OTP via FreeOTP, etc.). Ideally, I would set a level by service:
>> > - access to Webmail with required level of 15 points
>> > - access to Personal informations with required level of 20 points
>> >
>> > And successful authentication would be granted by handler:
>> > - SPNEGO: 25 points
>> > - Login/Password: 15 points
>> > - MFA yubikey: 10 points
>> > - ...
>> >
>> > So internal users would always gain access with SPNEGO, and external users will be requested login/password only for Webmail, and login/password + MFA for Personal Informations.
>> >
>> > Is it already possible with CASv5?
>> >
>> > I think it will need some development though, in this case, I'll need directions :-)
>> >
>> > Regards.
>> >
>>
>> --
>> Philippe MARASSE

--
Philippe MARASSE
[cas-user] Issue with json service registry between CASv5 RC3-SNAP and RC4-SNAP
Hello,

My today's build fails: although I've mentioned

    <dependency>
        <groupId>${cas.groupId}</groupId>
        <artifactId>cas-server-support-json-service-registry</artifactId>
        <version>${cas.version}</version>
        <scope>runtime</scope>
    </dependency>

in my pom.xml (service registry used to work), the log shows:

2016-10-05 17:26:06,164 INFO [org.apereo.cas.services.AbstractResourceBasedServiceRegistryDao] -

perfect, but:

2016-10-05 17:26:15,845 WARN [org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext] -

it seems that embeddedJsonServiceRegistry (looking services in classpath:/services) is instantiated instead of jsonServiceRegistry found in cas-server-support-json-service-registry module.

Environment is the same as last week (Tomcat 8.5.4 / java 8u101).

Regards.

--
Philippe MARASSE
Re: [cas-user] Level of identity assurance implementation in CAS 5.0
No idea, really?

It's mentioned in section MFA of https://apereo.github.io/cas/4.2.x/planning/Security-Guide.html
but not anymore on v5 https://apereo.github.io/cas/development/planning/Security-Guide.html ??

Regards.

On 29/09/2016 at 14:43, Philippe MARASSE wrote:
> Hello,
>
> I'm wondering if CAS is able to do service-based LOA, eg, internal users use SPNEGO and external users use Login/Password, and if requested by service: MFA with Yubikey or other not yet implemented mean (OTP via SMS, OTP via FreeOTP, etc.). Ideally, I would set a level by service:
> - access to Webmail with required level of 15 points
> - access to Personal informations with required level of 20 points
>
> And successful authentication would be granted by handler:
> - SPNEGO: 25 points
> - Login/Password: 15 points
> - MFA yubikey: 10 points
> - ...
>
> So internal users would always gain access with SPNEGO, and external users will be requested login/password only for Webmail, and login/password + MFA for Personal Informations.
>
> Is it already possible with CASv5?
>
> I think it will need some development though, in this case, I'll need directions :-)
>
> Regards.
>

--
Philippe MARASSE
[cas-user] Level of identity assurance implementation in CAS 5.0
Hello,

I'm wondering if CAS is able to do service-based LOA, eg, internal users use SPNEGO and external users use Login/Password, and if requested by service: MFA with Yubikey or other not yet implemented mean (OTP via SMS, OTP via FreeOTP, etc.). Ideally, I would set a level by service:
- access to Webmail with required level of 15 points
- access to Personal informations with required level of 20 points

And successful authentication would be granted by handler:
- SPNEGO: 25 points
- Login/Password: 15 points
- MFA yubikey: 10 points
- ...

So internal users would always gain access with SPNEGO, and external users will be requested login/password only for Webmail, and login/password + MFA for Personal Informations.

Is it already possible with CASv5?

I think it will need some development though, in this case, I'll need directions :-)

Regards.

--
Philippe MARASSE
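The points scheme from this post, combined with the LAN/Internet split described in the follow-up earlier on this page, as an added example that is not code from the thread or from CAS: the handler weights and service levels are the post's figures, while the handler and network names and the step-up walk are assumptions made for the example.

```python
"""Service-based level of assurance (LOA) scoring, as sketched in the post above.

Added example, not CAS code: every authentication handler that succeeded
contributes a fixed number of points, and a service is reachable once the
total meets the level that service requires. Handler weights and service
levels are the figures from the post; the handler names, the LAN/Internet
split and the step-up walk are assumptions made for this example.
"""
from dataclasses import dataclass

# Points granted per successful handler (values from the post).
HANDLER_POINTS = {
    "spnego": 25,
    "password": 15,
    "mfa-yubikey": 10,
}

# Required level per service (values from the post).
SERVICE_LEVELS = {
    "webmail": 15,
    "personal-info": 20,
}


@dataclass(frozen=True)
class Decision:
    granted: bool
    score: int
    required: int
    # Handlers not yet completed whose weight alone would close the gap.
    sufficient_next: tuple = ()


def score(handlers) -> int:
    """Sum the points of the distinct handlers that succeeded.

    A handler counts once even if it is reported twice, and an unknown
    handler name is an error rather than a silent zero: scoring a handler
    the policy does not know about would let a misconfigured authentication
    source satisfy a service by accident.
    """
    total = 0
    for name in set(handlers):
        if name not in HANDLER_POINTS:
            raise ValueError(f"unknown authentication handler: {name!r}")
        total += HANDLER_POINTS[name]
    return total


def evaluate(service: str, handlers) -> Decision:
    """Decide whether the handlers completed so far reach the service's level."""
    if service not in SERVICE_LEVELS:
        raise ValueError(f"unknown service: {service!r}")
    required = SERVICE_LEVELS[service]
    done = set(handlers)
    current = score(done)
    if current >= required:
        return Decision(True, current, required)
    gap = required - current
    candidates = tuple(sorted(
        name for name, pts in HANDLER_POINTS.items()
        if name not in done and pts >= gap
    ))
    return Decision(False, current, required, candidates)


def handlers_for(network: str) -> tuple:
    """Handlers the login flow offers, in order, per the follow-up in the thread:
    SPNEGO only on the LAN, login/password and then OTP from the Internet.
    (Assumed network labels: "lan" and "internet".)"""
    if network == "lan":
        return ("spnego",)
    if network == "internet":
        return ("password", "mfa-yubikey")
    raise ValueError(f"unknown network: {network!r}")


def step_up(network: str, service: str):
    """Walk the handlers available on this network and stop as soon as the
    service's level is met. Returns the handlers the user had to complete,
    or None when even all of them together are not enough (the service must
    then be refused rather than granted on a partial score)."""
    completed = []
    for name in handlers_for(network):
        completed.append(name)
        if evaluate(service, completed).granted:
            return tuple(completed)
    return None


if __name__ == "__main__":
    for network in ("lan", "internet"):
        for service in SERVICE_LEVELS:
            print(f"{network:8} {service:14} -> {step_up(network, service)}")
```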
Re: [cas-user] CAS 5.0.0RC1 - MFA webflow not found
Hello,

Thanks for your answer, I've opened this issue: https://github.com/apereo/cas/issues/2018

Regards

On 23/09/2016 at 19:35, Misagh Moayyed wrote:
>> Second test:
>> - SPNEGO
>> - yubikey
>>
>> => works oddly: my client service page uses phpCAS, on first pass I get an "Authentication Error, try again", If I click on "try again", then yubikey token is asked, and after validation, I'm logged to the application.
>>
>> I suspect that transition on success after SPNEGO to be incorrect. It's hardcoded to CasWebflowConstants.TRANSITION_ID_SEND_TICKET_GRANTING_TICKET, but MFA should be inspected before sending TGC, shouldn't it?
>
> It should, yes. Do submit a bug plz. I suspect MFA only takes into account interactive authn, which is something that needs to be fixed.
>

--
Philippe MARASSE
Re: [cas-user] CAS 5.0.0RC1 - MFA webflow not found
Hello,

I've rolled back to simple LDAP Authentication + Yubikey, my service definition (generated via cas-management webapp) is:

{
  @class: org.apereo.cas.services.RegexRegisteredService
  serviceId: https?://myserver.example.com/testcas/cas5v3.php
  name: test mfa
  id: 3139139547012322
  description: Test MFA Yubikey
  evaluationOrder: 1
  logoutType: NONE
  attributeReleasePolicy: {
    @class: org.apereo.cas.services.ReturnAllAttributeReleasePolicy
    principalAttributesRepository: {
      @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
      expiration: 2
      timeUnit: HOURS
    }
    authorizedToReleaseCredentialPassword: false
    authorizedToReleaseProxyGrantingTicket: false
  }
  multifactorPolicy: {
    @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    multifactorAuthenticationProviders: [
      java.util.HashSet [
        mfa-yubikey
      ]
    ]
    failureMode: CLOSED
  }
  accessStrategy: {
    @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
    enabled: true
    ssoEnabled: true
    requireAllAttributes: true
    caseInsensitive: false
  }
}

Yubikey web-flow seems to be registered:

2016-09-20 09:20:09,895 DEBUG [org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] -
...
2016-09-20 09:20:36,003 WARN [org.apereo.cas.web.flow.resolver.impl.RegisteredServiceAuthenticationPolicyWebflowEventResolver] -

In MFA wiki page (https://apereo.github.io/cas/development/installation/Configuring-Multifactor-Authentication.html#yubikey), there's a mention of "id" field, but I didn't find any reference in my configuration files.

Regards.

On 16/09/2016 at 16:57, Philippe MARASSE wrote:
> Hello,
>
> I'm trying to trigger MFA (with yubikey), on a service access. Triggering seems to work but mfa-yubikey webflow is not found ??
>
> Extract from logs:
> 2016-09-16 16:28:03,438 DEBUG [org.springframework.webflow.engine.builder.DefaultFlowHolder] -
> 2016-09-16 16:28:04,503 DEBUG [org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] - <*Registering flow definition* 'URL [jar:file:/var/tomcat/inst2/webapps/cas/WEB-INF/lib/cas-server-support-yubikey-5.0.0.RC1.jar!/webflow/mfa-yubikey/mfa-yubikey-webflow.xml]' under id '*mfa-yubikey*'>
> 2016-09-16 16:28:08,806 INFO [org.apereo.cas.configuration.CasConfigurationRebinder] - CAS configuration cas-org.apereo.cas.configuration.CasConfigurationProperties>
> ...
> 2016-09-16 16:28:41,259 INFO [org.ldaptive.auth.Authenticator] -
> 2016-09-16 16:28:41,267 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
> 2016-09-16 16:28:41,299 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
> 2016-09-16 16:28:41,533 WARN [org.apereo.cas.web.flow.resolver.impl.RegisteredServiceAuthenticationPolicyWebflowEventResolver] - <*Transition definition cannot be found for event [mfa-yubikey]*>
> 2016-09-16 16:28:41,538 DEBUG [org.springframework.webflow.execution.ActionExecutor] - executing org.apereo.cas.web.flow.AuthenticationViaFormAction@b553; result = authenticationFailure>
>
> Is login-webflow.xml needing modifications (documentation does not mention this)?
>
> Regards.
> --
> Philippe MARASSE
--
Philippe MARASSE
[cas-user] CAS 5.0.0RC1 - MFA webflow not found
Hello,

I'm trying to trigger MFA (with yubikey), on a service access. Triggering seems to work but mfa-yubikey webflow is not found ??

Extract from logs:

2016-09-16 16:28:03,438 DEBUG [org.springframework.webflow.engine.builder.DefaultFlowHolder] -
2016-09-16 16:28:04,503 DEBUG [org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] - <*Registering flow definition* 'URL [jar:file:/var/tomcat/inst2/webapps/cas/WEB-INF/lib/cas-server-support-yubikey-5.0.0.RC1.jar!/webflow/mfa-yubikey/mfa-yubikey-webflow.xml]' under id '*mfa-yubikey*'>
2016-09-16 16:28:08,806 INFO [org.apereo.cas.configuration.CasConfigurationRebinder] -
...
2016-09-16 16:28:41,259 INFO [org.ldaptive.auth.Authenticator] -
2016-09-16 16:28:41,267 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
2016-09-16 16:28:41,299 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
2016-09-16 16:28:41,533 WARN [org.apereo.cas.web.flow.resolver.impl.RegisteredServiceAuthenticationPolicyWebflowEventResolver] - <*Transition definition cannot be found for event [mfa-yubikey]*>
2016-09-16 16:28:41,538 DEBUG [org.springframework.webflow.execution.ActionExecutor] -

Is login-webflow.xml needing modifications (documentation does not mention this)?

Regards.

--
Philippe MARASSE
Re: [cas-user] Re: CAS 2.0 not return attributes.
Hi,

As far as I remember, CAS 2.0 protocol does not return attributes, but you can validate service tickets through SAML 1.1 endpoint which returns attributes.

Regards.

On 15/09/2016 at 10:09, jordi tomas wrote:
> Hi Misagh,
> thanks a lot, but I see this html (https://apereo.github.io/cas/4.1.x/protocol/CAS-Protocol-Specification.html), and I'm not sure that 2.0 protocol return attributes.
> Jordi
>
> On Thursday, 15 September 2016 9:13:22 UTC+2, jordi tomas wrote:
>> Hi,
>>
>> We are new on CAS Server, and we install version 4.1.5. I have problems with return attributes. I use *cas-sample-java-webapp* application to test it. It works ok, but on web.xml:
>>
>> - When I put org.jasig.cas.client.validation.*Cas30ProxyReceivingTicketValidationFilter* it works ok, and return attributes.
>> - When I put org.jasig.cas.client.validation.*Cas20ProxyReceivingTicketValidationFilter* only can validate, but not return attributes.
>>
>> My CAS validate with LDAP. On deployerConfigContext.xml I have:
>>
>> And then…
>>
>>     class="org.jasig.cas.authentication.LdapAuthenticationHandler"
>>     init-method="initialize"
>>     p:principalIdAttribute="uid"
>>     c:authenticator-ref="authenticator">
>>
>> And on JSON services:
>>
>> {
>>   "@class" : "org.jasig.cas.services.RegexRegisteredService",
>>   "serviceId" : "/cas-sample-java-webapp/*",
>>   "name" : "Test Application",
>>   "id" : 1002,
>>   "description" : "",
>>   "evaluationOrder" : 1002,
>>   "usernameAttributeProvider" : {
>>     "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
>>   },
>>   "logoutType" : "BACK_CHANNEL",
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
>>     "allowedAttributes" : [ "java.util.ArrayList", [ "cn", "mail", "sn", "givenname" ] ]
>>   },
>>   "accessStrategy" : {
>>     "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
>>     "enabled" : true,
>>     "ssoEnabled" : true
>>   },
>>   "proxyPolicy" : {
>>     "@class" : "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
>>     "pattern" : "^https://.*"
>>   }
>> }
>>
>> Can CAS 2.0 protocol return attributes? or I have something wrong?
>>
>> Thanks in Advance,
>
--
Philippe MARASSE
[cas-user] CAS management Webapp 5.0.0RC1 default locale
Folks,

I was wondering: how to change the default locale for the management webapp? In CAS server we have the cas.locale.defaultValue=fr property in application.properties. But management webapp remains in english, as CAS server, it does not seem to look at Accept-Language header to deliver the right localized page.

Regards.

--
Philippe MARASSE
Re: [cas-user] YUbikey MFA and customized validation URLs
Done: https://github.com/apereo/cas/issues/1998

Thank you.

On 14/09/2016 at 12:32, Dmitriy Kopylenko wrote:
> That's a valid use case, IMO. I think we need to open up that config option. If you could file an issue on Github, that would be terrific.
>
> D.
>
> On Wed, Sep 14, 2016 at 06:30, Philippe MARASSE <philippe.mara...@ch-poitiers.fr> wrote:
>> Actually, we're testing a few Yubikeys with customized cryptographic keys, so public Yubico API's cannot validate our tokens. I've set up a local validation server that works the very same ways Yubico's one following this:
>>
>> https://developers.yubico.com/Software_Projects/YubiKey_OTP/YubiCloud_Validation_Servers/
>>
>> So I need to tell yubico client to use my validation server instead of public ones.
>>
>> Regards.
>>
>> On 14/09/2016 at 09:48, Misagh Moayyed wrote:
>>> Yes, all valid statements.
>>>
>>> I am curious; what's your case for modifying the validation URLs? Do you wish to disable a certain API version?
>>>
>>> --
>>> Misagh
>>>
>>> From: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
>>> Date: September 14, 2016 at 11:58:00 AM
>>> To: cas-user@apereo.org
>>> Subject: Re: [cas-user] YUbikey MFA and customized validation URLs
>>>
>>>> I've seen: YubicoClient.setWsapiUrls(String[] wsapi), by default, the property is valued with:
>>>>
>>>>     protected String wsapi_urls[] = {
>>>>         "https://api.yubico.com/wsapi/2.0/verify",
>>>>         "https://api2.yubico.com/wsapi/2.0/verify",
>>>>         "https://api3.yubico.com/wsapi/2.0/verify",
>>>>         "https://api4.yubico.com/wsapi/2.0/verify",
>>>>         "https://api5.yubico.com/wsapi/2.0/verify"
>>>>     };
>>>>
>>>> I think, it's the right property that I need to change, but for now, there is no configuration entry in CAS to do that.
>>>>
>>>> Regards.
>>>>
>>>> On 13/09/2016 at 18:34, Misagh Moayyed wrote:
>>>>> There is nothing that allows to modify the validation urls. They are built into the Yubikey API.
>>>>>
>>>>> --
>>>>> Misagh
>>>>>
>>>>> From: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
>>>>> Date: September 13, 2016 at 8:22:48 PM
>>>>> To: cas-user@apereo.org
>>>>> Subject: [cas-user] YUbikey MFA and customized validation URLs
>>>>>
>>>>>> Folks,
>>>>>>
>>>>>> Unless I'm mistaken, I've not seen any configuration for a customized validation URL, all URLs are hardcoded into Yubikey client class and I've not seen any CAS configuration value related to validation URLs.
>>>>>>
>>>>>> So, how to customize these URLs?
>>>>>>
>>>>>> Regards.
>>>>>>
>>>>>> --
>>>>>> Philippe MARASSE
Re: [cas-user] YUbikey MFA and customized validation URLs
Actually, we're testing a few Yubikeys with customized cryptographic keys, so the public Yubico APIs cannot validate our tokens. I've set up a local validation server that works the very same way as Yubico's, following this :

https://developers.yubico.com/Software_Projects/YubiKey_OTP/YubiCloud_Validation_Servers/

So I need to tell the yubico client to use my validation server instead of the public ones.

Regards.

On 14/09/2016 at 09:48, Misagh Moayyed wrote:
> Yes, all valid statements.
>
> I am curious; what's your case for modifying the validation URLs? Do
> you wish to disable a certain API version?
>
> --
> Misagh
>
> From: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
> Reply: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
> Date: September 14, 2016 at 11:58:00 AM
> To: cas-user@apereo.org <cas-user@apereo.org>
> Subject: Re: [cas-user] YUbikey MFA and customized validation URLs
>
>> I've seen : YubicoClient.setWsapiUrls(String[] wsapi); by default,
>> the property is valued with :
>>
>>     protected String wsapi_urls[] = {
>>         "https://api.yubico.com/wsapi/2.0/verify",
>>         "https://api2.yubico.com/wsapi/2.0/verify",
>>         "https://api3.yubico.com/wsapi/2.0/verify",
>>         "https://api4.yubico.com/wsapi/2.0/verify",
>>         "https://api5.yubico.com/wsapi/2.0/verify"
>>     };
>>
>> I think it's the right property that I need to change, but for now
>> there is no configuration entry in CAS to do that.
>>
>> Regards.
>>
>> On 13/09/2016 at 18:34, Misagh Moayyed wrote:
>>> There is nothing that allows modifying the validation urls. They are
>>> built into the Yubikey API.
>>>
>>> --
>>> Misagh
>>>
>>> From: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
>>> Reply: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
>>> Date: September 13, 2016 at 8:22:48 PM
>>> To: cas-user@apereo.org <cas-user@apereo.org>
>>> Subject: [cas-user] YUbikey MFA and customized validation URLs
>>>
>>>> Folks,
>>>>
>>>> Unless I'm mistaken, I've not seen any configuration for a customized
>>>> validation URL: all URLs are hardcoded into the Yubikey client class and
>>>> I've not seen any CAS configuration value related to validation URLs.
>>>>
>>>> So, how to customize these URLs ?
>>>>
>>>> Regards.
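The validation-server override discussed in this thread, as an added example that is neither CAS code nor Yubico's own: it uses the yubico-validation-client2 library whose setWsapiUrls method the post quotes, points the client at a self-hosted YubiCloud-compatible validation server, and then checks that the public identity of the key that produced the OTP is the one enrolled for the user. The client id, API key and server URL are placeholders; the 3.x API names (getClient, setWsapiUrls, verify, isOk, isValidOTPFormat, getPublicId) and the two exception classes are assumed from that library.

```java
import com.yubico.client.v2.VerificationResponse;
import com.yubico.client.v2.YubicoClient;
import com.yubico.client.v2.exceptions.YubicoValidationFailure;
import com.yubico.client.v2.exceptions.YubicoVerificationException;

/**
 * Added example: validate a YubiKey OTP against a self-hosted, YubiCloud-compatible
 * validation server instead of the built-in api*.yubico.com endpoints.
 * Client id, API key and URL below are placeholders (assumed values, not from the thread).
 */
public final class LocalYubikeyValidation {

    // Placeholders: use the client id and API key issued by your own validation server.
    private static final Integer CLIENT_ID = 1;
    private static final String API_KEY = "<base64 API key from your validation server>";
    private static final String[] LOCAL_WSAPI_URLS = {
        "https://yubival.example.internal/wsapi/2.0/verify"
    };

    private final YubicoClient client;

    public LocalYubikeyValidation() {
        // The API key is also what the library uses to check the HMAC on the
        // server's response, so a mismatched or leaked key is a security problem,
        // not only a connectivity one.
        this.client = YubicoClient.getClient(CLIENT_ID, API_KEY);
        // Replace the hardcoded public URL list with the local server(s).
        this.client.setWsapiUrls(LOCAL_WSAPI_URLS);
    }

    /**
     * True only if the OTP is well-formed, the validation server accepts it
     * (response signature and nonce are checked by the client library), and the
     * public id embedded in the OTP is the one enrolled for this user.
     * Without the last check, any valid YubiKey would satisfy the second factor.
     */
    public boolean verify(final String otp, final String enrolledPublicId) {
        if (otp == null || enrolledPublicId == null || !YubicoClient.isValidOTPFormat(otp)) {
            return false;
        }
        try {
            final VerificationResponse response = client.verify(otp);
            return response.isOk()
                && enrolledPublicId.equals(YubicoClient.getPublicId(otp));
        } catch (YubicoVerificationException | YubicoValidationFailure e) {
            // Server unreachable, or the response failed its integrity checks: fail closed.
            return false;
        }
    }

    public static void main(final String[] args) {
        // Usage sketch: otp and enrolled id would come from the login form and the
        // user's account record respectively.
        final LocalYubikeyValidation validator = new LocalYubikeyValidation();
        final String otp = args.length > 0 ? args[0] : "";
        final String enrolledPublicId = args.length > 1 ? args[1] : "";
        System.out.println(validator.verify(otp, enrolledPublicId) ? "accepted" : "rejected");
    }
}
```

The public-id comparison is the part most often forgotten when swapping in a custom validation client: the validation server only states that some YubiKey produced a fresh OTP, and binding that key to the account is the caller's job.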
Re: [cas-user] Custom Authentication Handler in version 5.0.0
+1

I need to add a step in the login webflow; how to add custom configuration properties to a Configurer class ? Via a custom @EnableConfigurationProperties(MyConfigProperties.class) ?

Regards.

On 09/09/2016 at 14:18, Gokhan Mansuroglu wrote:
> Hi Misagh,
>
> Thank you for your link, I am trying to figure it out. However there
> is definitely a need for a step by step guide.
>
> On Thursday, 8 September 2016 at 12:17:03 UTC+3, Misagh Moayyed wrote:
>
>> Example:
>>
>> https://github.com/apereo/cas/blob/master/cas-server-support-digest-authentication/src/main/java/org/apereo/cas/digest/config/DigestAuthenticationConfiguration.java#L128
>>
>> --
>> Misagh
>>
>> From: Gokhan Mansuroglu <gokhan.m...@gmail.com>
>> Reply: Gokhan Mansuroglu <gokhan.m...@gmail.com>
>> Date: September 8, 2016 at 1:17:32 PM
>> To: CAS Community <cas...@apereo.org>
>> Subject: [cas-user] Custom Authentication Handler in version 5.0.0
>>
>>> Hi,
>>>
>>> Let's say I have a custom AbcAuthenticationHandler and
>>> AbcCredentials. How can I configure this custom authentication
>>> handler ? In previous versions this could be handled in
>>> deployerConfigContext.xml, but how is it done in version 5.0.0 ?
>>>
>>> Thanks.
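One way to do what the question asks, as an added example that is not CAS project code: a @Configuration class that binds its own settings with @EnableConfigurationProperties and hands them to the handler bean, so the handler never reads configuration itself. The prefix cas.authn.abc, the property names, and the constructor of AbcAuthenticationHandler (the poster's own hypothetical class) are assumptions; only the Spring Boot annotations are real.

```java
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Added example (not CAS code): a configuration class for a custom authentication
 * handler that binds its settings from cas.properties under a prefix of its own.
 * The prefix, property names and AbcAuthenticationHandler's constructor are assumed.
 */
@Configuration("abcAuthenticationConfiguration")
@EnableConfigurationProperties(AbcAuthenticationConfiguration.AbcProperties.class)
public class AbcAuthenticationConfiguration {

    /** Bound from cas.authn.abc.* entries in the externalised cas.properties. */
    @ConfigurationProperties(prefix = "cas.authn.abc")
    public static class AbcProperties {
        /** URL of the backend the handler talks to. */
        private String endpoint;
        /** Secret for that backend; it lives in the properties file, never in code. */
        private String apiKey;
        /** Bounded default so a slow backend cannot hang the login webflow. */
        private int timeoutSeconds = 5;

        public String getEndpoint() { return endpoint; }
        public void setEndpoint(final String endpoint) { this.endpoint = endpoint; }
        public String getApiKey() { return apiKey; }
        public void setApiKey(final String apiKey) { this.apiKey = apiKey; }
        public int getTimeoutSeconds() { return timeoutSeconds; }
        public void setTimeoutSeconds(final int timeoutSeconds) { this.timeoutSeconds = timeoutSeconds; }
    }

    /**
     * The bound properties object is injected into the factory method.
     * AbcAuthenticationHandler is the poster's own class; the constructor shape is assumed.
     */
    @Bean
    public AbcAuthenticationHandler abcAuthenticationHandler(final AbcProperties props) {
        if (props.getEndpoint() == null || props.getEndpoint().isEmpty()) {
            throw new IllegalStateException("cas.authn.abc.endpoint must be set");
        }
        if (props.getApiKey() == null || props.getApiKey().isEmpty()) {
            // Fail at startup rather than run with an unauthenticated backend connection.
            throw new IllegalStateException("cas.authn.abc.apiKey must be set");
        }
        return new AbcAuthenticationHandler(props.getEndpoint(), props.getApiKey(), props.getTimeoutSeconds());
    }
}
```

The matching entries in cas.properties would then be cas.authn.abc.endpoint=..., cas.authn.abc.apiKey=... and cas.authn.abc.timeoutSeconds=.... In a CAS 5 overlay the class is picked up once it is listed under org.springframework.boot.autoconfigure.EnableAutoConfiguration in src/main/resources/META-INF/spring.factories, as the CAS 5 configuration docs describe; registering the handler bean with the CAS authentication plan is version-specific and not shown here.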
[cas-user] CAS 5.0.0 SPNEGO - How to send a view after a failed authentication
Folks,

Actually, when SPNEGO authentication fails, it falls back to the login form (whether cas.authn.spnego.send401OnAuthenticationFailure is true or false). But in our configuration, on a failure, we need to send a specific view. How can I achieve that behavior ?

Regards.
Re: [cas-user] CAS 5.0.0 SPNEGO issue
Done. #1946

On 11/08/2016 at 22:27, Misagh Moayyed wrote:
> Possibly. Could you issue a pull with the updates you have in mind to
> the docs?
>
> --
> Misagh
>
> From: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
> Reply: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
> Date: August 11, 2016 at 8:45:31 AM
> To: cas-user@apereo.org <cas-user@apereo.org>
> Subject: Re: [cas-user] CAS 5.0.0 SPNEGO issue
>
>> Today, it works a little better : I get a 401, my browser sends its
>> ticket... but no authentication :
>>
>>     Caused by: KrbException: Invalid argument (400) - Cannot find key of
>>     appropriate type to decrypt AP REP - RC4 with HMAC
>>
>> I have to declare my keytab as default keytab in /etc/krb5.conf to get
>> authenticated (keytab is read *before* login.conf) ! It was not
>> necessary with CASv3.5.
>>
>> If my keytab is not declared in /etc/krb5.conf, login.conf is not read
>> either, why ??
>>
>> Last test, with only a few parameters :
>>
>>     cas.authn.spnego.kerberosConf=/etc/krb5.conf
>>     cas.authn.spnego.mixedModeAuthentication=false
>>     cas.authn.spnego.jcifsServicePrincipal=HTTP/php-dev.mydomain@mydomain.com
>>     cas.authn.spnego.ntlmAllowed=false
>>     cas.authn.spnego.hostNamePatternString=.+
>>     cas.authn.spnego.supportedBrowsers=MSIE,Firefox,AppleWebKit
>>     cas.authn.spnego.hostNameClientActionStrategy=hostnameSpnegoClientAction
>>     cas.authn.spnego.ipsToCheckPattern=172.+
>>     cas.authn.spnego.send401OnAuthenticationFailure=false
>>     cas.authn.spnego.principalWithDomainName=false
>>
>> it works...
>>
>> Does the documentation need an update ?
>>
>> Regards.
>>
>> On 10/08/2016 at 17:42, Philippe MARASSE wrote:
>>> Folks,
>>>
>>> I'm testing my freshly installed cas 5.0.0RC1-SNAPSHOT with SPNEGO,
>>> following instructions at
>>> https://apereo.github.io/cas/development/installation/SPNEGO-Authentication.html
>>>
>>> Everything looks right at tomcat startup (krb5 principal (fixed @), kdc,
>>> etc.). My browser gets a 401 with WWW-Authenticate: Negotiate as
>>> expected. So it sends its Authorization: Negotiate header, but CAS does
>>> not seem to catch the header (see attached catalina.out log file) and
>>> throws a NullPointerException.
>>>
>>> Tomcat is behind Apache + mod_jk, packetSize has been increased to 16k.
>>>
>>> Am I missing something ?
>>>
>>> Regards.
Re: [cas-user] New to CAS, new to Apereo
Hello,

1. Here we have about 1400 employees; our architecture is pretty simple : 2 front servers sharing a virtual IP (active/passive, apache + mod_jk), 2 CAS application servers (CAS v3.5, clustered tomcat, EHCache ticket registry, JPA service registry). It has worked like a charm since 2012.

2. Our servers run Debian 7/8. IMHO, the OS doesn't matter as long as you use a custom JVM for your CAS server.

Regards.

On 11/08/2016 at 23:23, Hank Foss wrote:
> Thanks, Misagh, much appreciated.
>
> It sounds like this will work quite well for us. Most of our web apps
> rely on LDAP authentication.
>
> Regarding architecture, hope you don't mind a couple of other questions:
>
> 1. How many servers are in your CAS environment (presuming you
>    recommend an HA environment) - e.g. 1 web server (Tomcat?) + 2 HA
>    CAS ticketing servers
> 2. Do you recommend RHEL for OS?
>
> Our user environment is about 12,000 (2,000 staff + 10,000 students)
> so I am trying to architect the CAS to support that.
>
> -Hank
>
> On Thursday, August 11, 2016 at 4:45:43 PM UTC-4, Misagh Moayyed wrote:
>
>> If you mean CAS is going to provide you with an LDAP server, the
>> answer is no. AFAIK, that has never been the case. If you mean you
>> wish to authenticate via AD/LDAP and get access to your portal and
>> other CAS-protected apps, then it's quite simple. Since the dawn
>> of time, CAS has supported LDAP/AD authentication. 90% of the
>> deployments use that method of authentication.
>>
>> --
>> Misagh
>>
>> From: Hank Foss <hank...@gmail.com>
>> Reply: Hank Foss <hank...@gmail.com>
>> Date: August 11, 2016 at 1:38:35 PM
>> To: CAS Community <cas...@apereo.org>
>> Subject: [cas-user] New to CAS, new to Apereo
>>
>>> Hello,
>>>
>>> I'm brand new to CAS and Apereo, and am asking the best way to
>>> begin. We are migrating our CAS from the cloud to on-premise as a
>>> cost savings measure. This will likely save us $60+k annually, as
>>> the vendor also provides our portal.
>>>
>>> The externally hosted portal contains LDAP as well as CAS links.
>>> I understand CAS 5 comes out this fall (October?) which offers
>>> LDAP support, so I am on the fence a bit more. Since AD
>>> authentication drives much of our authentication, I have been
>>> told that we will either need to use ADFS or Shibboleth. The goal
>>> for this to be live is December of this year, so there are
>>> learning curve, architecture, installation and customization
>>> components of this project that all come into play.
>>>
>>> I built the Linux box, most current version of CentOS, but I
>>> believe being an open source application that the support of at
>>> least the OS should actually be a licensed RHEL instance.
>>>
>>> I'm technical, but this is uncharted territory so suggestions,
>>> comments, and criticism are all greatly welcome.
>>>
>>> Thanks,
>>> CAS-Newbie
Re: [cas-user] CAS 5.0.0 SPNEGO issue
Today, it works a little better : I get a 401, my browser sends its ticket... but no authentication :

    Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC

I have to declare my keytab as default keytab in /etc/krb5.conf to get authenticated (keytab is read *before* login.conf) ! It was not necessary with CASv3.5.

If my keytab is not declared in /etc/krb5.conf, login.conf is not read either, why ??

Last test, with only a few parameters :

    cas.authn.spnego.kerberosConf=/etc/krb5.conf
    cas.authn.spnego.mixedModeAuthentication=false
    cas.authn.spnego.jcifsServicePrincipal=HTTP/php-dev.mydomain@mydomain.com
    cas.authn.spnego.ntlmAllowed=false
    cas.authn.spnego.hostNamePatternString=.+
    cas.authn.spnego.supportedBrowsers=MSIE,Firefox,AppleWebKit
    cas.authn.spnego.hostNameClientActionStrategy=hostnameSpnegoClientAction
    cas.authn.spnego.ipsToCheckPattern=172.+
    cas.authn.spnego.send401OnAuthenticationFailure=false
    cas.authn.spnego.principalWithDomainName=false

it works...

Does the documentation need an update ?

Regards.

On 10/08/2016 at 17:42, Philippe MARASSE wrote:
> Folks,
>
> I'm testing my freshly installed cas 5.0.0RC1-SNAPSHOT with SPNEGO,
> following instructions at
> https://apereo.github.io/cas/development/installation/SPNEGO-Authentication.html
>
> Everything looks right at tomcat startup (krb5 principal (fixed @), kdc,
> etc.). My browser gets a 401 with WWW-Authenticate: Negotiate as
> expected. So it sends its Authorization: Negotiate header, but CAS does
> not seem to catch the header (see attached catalina.out log file) and
> throws a NullPointerException.
>
> Tomcat is behind Apache + mod_jk, packetSize has been increased to 16k.
>
> Am I missing something ?
>
> Regards.
[cas-user] CAS 5.0.0 SPNEGO issue
Folks,

I'm testing my freshly installed cas 5.0.0RC1-SNAPSHOT with SPNEGO, following instructions at https://apereo.github.io/cas/development/installation/SPNEGO-Authentication.html

Everything looks right at tomcat startup (krb5 principal (fixed @), kdc, etc.). My browser gets a 401 with WWW-Authenticate: Negotiate as expected. So it sends its Authorization: Negotiate header, but CAS does not seem to catch the header (see attached catalina.out log file) and throws a NullPointerException.

Tomcat is behind Apache + mod_jk, packetSize has been increased to 16k.

Am I missing something ?

Regards.
10-Aug-2016 17:25:15.917 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/8.5.4
10-Aug-2016 17:25:15.921 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Jul 6 2016 08:43:30 UTC
10-Aug-2016 17:25:15.921 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number: 8.5.4.0
10-Aug-2016 17:25:15.922 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Linux
10-Aug-2016 17:25:15.923 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 3.16.0-4-686-pae
10-Aug-2016 17:25:15.923 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: i386
10-Aug-2016 17:25:15.924 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /usr/java/jdk1.8.0_101/jre
10-Aug-2016 17:25:15.924 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 1.8.0_101-b13
10-Aug-2016 17:25:15.925 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Oracle Corporation
10-Aug-2016 17:25:15.926 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: /var/tomcat/inst2
10-Aug-2016 17:25:15.926 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: /usr/local/apache-tomcat-8.5.4
10-Aug-2016 17:25:15.927 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/var/tomcat/inst2/conf/logging.properties
10-Aug-2016 17:25:15.928 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
10-Aug-2016 17:25:15.928 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx512m
10-Aug-2016 17:25:15.929 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xms256m
10-Aug-2016 17:25:15.930 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
10-Aug-2016 17:25:15.930 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcom.sun.management.jmxremote
10-Aug-2016 17:25:15.931 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcom.sun.management.jmxremote.port=8004
10-Aug-2016 17:25:15.931 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcom.sun.management.jmxremote.authenticate=false
10-Aug-2016 17:25:15.932 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcom.sun.management.jmxremote.ssl=false
10-Aug-2016 17:25:15.933 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.rmi.server.hostname=172.16.10.108
10-Aug-2016 17:25:15.933 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/var/tomcat/inst2
10-Aug-2016 17:25:15.934 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/apache-tomcat-8.5.4
10-Aug-2016 17:25:15.934 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/var/tomcat/inst2/temp
10-Aug-2016 17:25:15.935 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native lib
Re: [cas-user] CAS 5 + phpCAS client + SAML 1.1 service validation
Done : https://github.com/apereo/cas/issues/1943

Regards.

On 10/08/2016 at 13:57, Misagh Moayyed wrote:
> I don't think you have. Go ahead and file an issue please.
>
> On Wednesday, August 10, 2016 at 4:46:07 AM UTC-7, Philippe MARASSE
> wrote:
>
>> BTW, the sample request found on the wiki (
>> https://apereo.github.io/cas/development/protocol/SAML-Protocol.html
>> ) shows :
>>
>>     POST /cas/samlValidate?ticket=
>>     Host: cas.example.com
>>     Content-Length: 491
>>     Content-Type: text/xml
>>
>>     [SOAP-wrapped SAML 1.1 Request; XML element names not preserved]
>>     xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
>>     MajorVersion="1" MinorVersion="1" RequestID="_192.168.16.51.1024506224022"
>>     IssueInstant="2002-06-19T17:03:44.022Z"
>>     ST-1-u4hrm3td92cLxpCvrjylcas.example.com
>>
>> but phpCAS does not use POST /cas/samlValidate?ticket= but
>> /cas/samlValidate?TARGET=
>>
>> Regards.
>>
>> On 10/08/2016 at 12:39, Philippe MARASSE wrote:
>>> Folks,
>>>
>>> I'm testing basic authentication (casuser:Mellon) with CAS 5 server and
>>> the official phpCAS 1.3.4 client with SAML 1.1 validation, and it does not
>>> seem to work.
>>>
>>> The CAS client sends post data :
>>>
>>>     [SOAP-wrapped SAML 1.1 Request; XML element names not preserved]
>>>     xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
>>>     MajorVersion="1" MinorVersion="1"
>>>     RequestID="_192.168.16.51.1024506224022"
>>>     IssueInstant="2002-06-19T17:03:44.022Z"
>>>     ST-2-aghFC3hJ2dnePztkMfbK-devcas1
>>>
>>> to :
>>>
>>>     https://php-dev.mydomain.com/cas/samlValidate?TARGET=http%3A%2F%2Fphp-dev.mydomain.com%2Fphilippe%2Feclipse%2Ftestcas%2Fwww%2Fsaml11.php
>>>
>>> I got this answer from the CAS server :
>>>
>>>     [SOAP-wrapped SAML 1.1 Response; XML element names not preserved]
>>>     xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
>>>     IssueInstant="2016-08-10T09:44:12.393Z" MajorVersion="1" MinorVersion="1"
>>>     ResponseID="_2905923a3d94406937598b14f57e8043"
>>>     xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol"
>>>     Value="saml1p:RequestDenied"
>>>     Les paramètres 'service' et 'ticket' sont tous deux nécessaires
>>>
>>> The server complains about missing ticket and/or service parameter ??
>>> Validation works for both the CASv2 and CASv3 protocols but not with SAMLv1.1.
>>> SAMLv1.1 works against our production CAS v3.5 servers.
>>>
>>> Relevant part of my pom.xml (maven war overlay method) :
>>>
>>>     <cas.groupId>org.apereo.cas</cas.groupId>
>>>     <cas.version>5.0.0.RC1-SNAPSHOT</cas.version>
>>>
>>>     <dependency>
>>>         <groupId>${cas.groupId}</groupId>
>>>         <artifactId>cas-server-support-spnego</artifactId>
>>>         <version>${cas.version}</version>
>>>         <scope>runtime</scope>
>>>     </dependency>
>>>     <dependency>
>>>         <groupId>${cas.groupId}</groupId>
>>>         <artifactId>cas-server-support-spnego-webflow</artifactId>
>>>         <version>${cas.version}</version>
>>>         <scope>runtime</scope>
>>>     </dependency>
>>>     <dependency>
>>>         <groupId>${cas.groupId}</groupId>
>>>         <artifactId>cas-server-support-json-service-registry</artifactId>
>>>         <version>${cas.version}</version>
>>>     </dependency>
>>>     <dependency>
>>>         <groupId>org.apereo.cas</groupId>
>>>         <artifactId>cas-server-support-saml</artifactId>
>>>         <version>${cas.version}</version>
>>>     </dependency>
>>>
>>> Am I missing something (again :-) ) ?
>>>
>>> Regards.
[cas-user] CAS 5 + phpCAS client + SAML 1.1 service validation
Folks,

I'm testing basic authentication (casuser:Mellon) with CAS 5 server and the official phpCAS 1.3.4 client with SAML 1.1 validation, and it does not seem to work.

The CAS client sends post data :

    [SOAP-wrapped SAML 1.1 Request; XML element names not preserved]
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    ST-2-aghFC3hJ2dnePztkMfbK-devcas1

to :

    https://php-dev.mydomain.com/cas/samlValidate?TARGET=http%3A%2F%2Fphp-dev.mydomain.com%2Fphilippe%2Feclipse%2Ftestcas%2Fwww%2Fsaml11.php

I got this answer from the CAS server :

    [SOAP-wrapped SAML 1.1 Response; XML element names not preserved]
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    Les paramètres 'service' et 'ticket' sont tous deux nécessaires

The server complains about missing ticket and/or service parameter ?? Validation works for both the CASv2 and CASv3 protocols but not with SAMLv1.1. SAMLv1.1 works against our production CAS v3.5 servers.

Relevant part of my pom.xml (maven war overlay method) :

    <cas.groupId>org.apereo.cas</cas.groupId>
    <cas.version>5.0.0.RC1-SNAPSHOT</cas.version>

    <dependency>
        <groupId>${cas.groupId}</groupId>
        <artifactId>cas-server-support-spnego</artifactId>
        <version>${cas.version}</version>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>${cas.groupId}</groupId>
        <artifactId>cas-server-support-spnego-webflow</artifactId>
        <version>${cas.version}</version>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>${cas.groupId}</groupId>
        <artifactId>cas-server-support-json-service-registry</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-saml</artifactId>
        <version>${cas.version}</version>
    </dependency>

Am I missing something (again :-) ) ?

Regards.
Re: [cas-user] CAS 5 does not read cas.properties file
Thanks for your replies, I was not on the right branch, now I am :-). Following Dmitriy's directions, I've modified application.properties to include:

spring.profiles.active=native
spring.cloud.config.server.native.searchLocations=file:///etc/chl/cas5/config

The properties file is read, but... JSON files continue to be read from the classpath instead of the property set. My new cleaned-up cas.properties is now:

##
# CAS Server Host/Prefix
#
cas.server.name=https://id.ch-poitiers.fr
cas.server.prefix=${server.name}/cas

##
# CAS Configuration Cloud Amqp Bus
#
spring.cloud.bus.enabled=false
spring.cloud.bus.refresh.enabled=true
spring.cloud.bus.env.enabled=true
spring.cloud.bus.destination=CasCloudBus
spring.cloud.bus.ack.enabled=true
# spring.activemq.broker-url=
# spring.activemq.in-memory=
# spring.activemq.pooled=
# spring.activemq.user=
# spring.activemq.password=

cas.serviceRegistry.config.location=file:///etc/chl/cas5/services

From log file:
2016-08-08 17:44:16,483 INFO [org.apereo.cas.services.AbstractResourceBasedServiceRegistryDao] -

Is cas.serviceRegistry.config.location the right property? (taken from v5 template)

Regards.

On 08/08/2016 at 17:02, Misagh Moayyed wrote:
> Simply put, you should be following the docs here:
> https://github.com/apereo/cas-overlay-template/tree/5.0
>
> There is no “propertyFileConfigurer.xml”.
> Using “deployerConfigContext.xml” is also useless for most if not all cases.
>
> --
> Misagh
>
> From: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
> Reply: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
> Date: August 8, 2016 at 7:42:47 AM
> To: cas-user@apereo.org
> Subject: [cas-user] CAS 5 does not read cas.properties file
>
>> Folks,
>>
>> I'm preparing a new CAS service for our organisation (we use CAS 3.5 for years now :-) ), my plan is to upgrade to v5 in order to use MFA.
>>
>> I'm using maven overlay (from https://apereo.github.io/cas/development/installation/Maven-Overlay-Installation.html ) and json service registry.
>>
>> Unfortunately, I did not manage to make cas read my customized properties.
>>
>> 1st try : cas/WEB-INF/spring-configuration/propertyFileConfigurer.xml is not read, verified with iwatch tool.
>>
>> 2nd try : moved this file as WEB-INF/deployerConfigContext.xml (the packaged one is empty), this file gets read but catalina.out shows :
>>
>> 08-Aug-2016 15:29:35.339 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Déploiement de l'archive /var/tomcat/inst2/webapps/cas.war de l'application web
>> 08-Aug-2016 15:29:41.429 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
>>
>> (CAS ASCII-art banner)
>>
>> CAS Version: 5.0.0.RC1-SNAPSHOT
>> Build Date/Time: 2016-08-08T07:37:10Z
>> Java Home: /usr/java/jdk1.8.0_101/jre
>> Java Vendor: Oracle Corporation
>> Java Version: 1.8.0_101
>> OS Architecture: i386
>> OS Name: Linux
>> OS Version: 3.16.0-4-686-pae
>>
>> 2016-08-08 15:29:45,485 INFO [org.apereo.cas.web.CasWebApplicationServletInitializer] - following profiles are active: native
>> 2016-08-08 15:29:49,005 WARN [org.springframework.context.annotation.ConfigurationClassPostProcessor] - its singleton instance has been created too early. The typical cause is a non-static @Bean method with a BeanDefinitionRegistryPostProcessor return type: Consider declaring such methods as 'static'.
>> *2016-08-08 15:29:49,393 WARN [org.springframework.boot.context.properties.ConfigurationPropertiesBindingPostProcessor] - [placeHolderConfigurer, org.springframework.context.support.PropertySourcesPlaceholderConfigurer#0], falling back to Environment*
>> 2016-08-08 15:29:51,702 INFO [org.apereo.cas.services.AbstractResourceBasedServiceRegistryDao] - /var/tomcat/inst2/webapps/cas/WEB-INF/classes/services
>> 201
[cas-user] CAS 5 does not read cas.properties file
Folks,

I'm preparing a new CAS service for our organisation (we use CAS 3.5 for years now :-) ), my plan is to upgrade to v5 in order to use MFA.

I'm using maven overlay (from https://apereo.github.io/cas/development/installation/Maven-Overlay-Installation.html ) and json service registry.

Unfortunately, I did not manage to make cas read my customized properties.

1st try : cas/WEB-INF/spring-configuration/propertyFileConfigurer.xml is not read, verified with iwatch tool.

2nd try : moved this file as WEB-INF/deployerConfigContext.xml (the packaged one is empty), this file gets read but catalina.out shows :

08-Aug-2016 15:29:35.339 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Déploiement de l'archive /var/tomcat/inst2/webapps/cas.war de l'application web
08-Aug-2016 15:29:41.429 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.

(CAS ASCII-art banner)

CAS Version: 5.0.0.RC1-SNAPSHOT
Build Date/Time: 2016-08-08T07:37:10Z
Java Home: /usr/java/jdk1.8.0_101/jre
Java Vendor: Oracle Corporation
Java Version: 1.8.0_101
OS Architecture: i386
OS Name: Linux
OS Version: 3.16.0-4-686-pae

2016-08-08 15:29:45,485 INFO [org.apereo.cas.web.CasWebApplicationServletInitializer] -
2016-08-08 15:29:49,005 WARN [org.springframework.context.annotation.ConfigurationClassPostProcessor] -
*2016-08-08 15:29:49,393 WARN [org.springframework.boot.context.properties.ConfigurationPropertiesBindingPostProcessor] - *
2016-08-08 15:29:51,702 INFO [org.apereo.cas.services.AbstractResourceBasedServiceRegistryDao] -
2016-08-08 15:29:51,952 INFO [org.apereo.cas.services.DefaultServicesManagerImpl] -
2016-08-08 15:29:58,240 WARN [org.apereo.cas.WebflowConversationStateCipherExecutor] -
2016-08-08 15:29:58,247 WARN [org.apereo.cas.WebflowConversationStateCipherExecutor] -
2016-08-08 15:29:58,247 WARN [org.apereo.cas.WebflowConversationStateCipherExecutor] -
2016-08-08 15:29:58,248 WARN [org.apereo.cas.WebflowConversationStateCipherExecutor] -
2016-08-08 15:30:05,729 INFO [org.apereo.cas.configuration.CasConfigurationRebinder] -
2016-08-08 15:30:05,876 INFO [org.apereo.cas.configuration.CasConfigurationRebinder] -
2016-08-08 15:30:08,132 WARN [org.apereo.cas.util.TicketGrantingCookieCipherExecutor] -
2016-08-08 15:30:08,133 WARN [org.apereo.cas.util.TicketGrantingCookieCipherExecutor] -
2016-08-08 15:30:08,133 WARN [org.apereo.cas.util.TicketGrantingCookieCipherExecutor] -
2016-08-08 15:30:08,133 WARN [org.apereo.cas.util.TicketGrantingCookieCipherExecutor] -
2016-08-08 15:30:08,581 INFO [org.apereo.cas.configuration.support.Beans] -
2016-08-08 15:30:08,647 INFO [org.apereo.cas.web.CasWebApplicationServletInitializer] -

my cas.properties contains these customizations (from maven overlay template) :

tgc.encryption.key=ppL7OCfnABdvhjzCz3z1b7xsngqBTnBBWBsthw_wC7E
tgc.signing.key=JVKEUrcfz0j76Dh6gzyQBuKkSIJpVpFzAflfWcL9DclY4N66kddjT0zFJ35RgbfC6yCWd5DLKmco70zTbKPhfg
tgc.secure=true
service.registry.config.location=/etc/chl/cas5/services

and cas.properties is never read... (json services read from classpath instead of my location, keys generated instead of configured ones)

What am I doing wrong ??

relevant portion of my pom.xml :

UTF-8 1.8 1.8
...
org.apereo.cas 5.0.0.RC1-SNAPSHOT
...
...
${cas.groupId} cas-server-webapp ${cas.version} war runtime
${cas.groupId} cas-server-support-spnego ${cas.version} runtime
${cas.groupId} cas-server-support-spnego-webflow ${cas.version} runtime
${cas.groupId} cas-server-support-json-service-registry ${cas.version}

Regards.

--
Philippe MARASSE
Responsable pôle Infrastructures - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel : 05.49.44.57.19

--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To post to this group, send email to cas-user@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8a4abe26
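A pre-deployment check for a cas.properties file of the kind shown in this post, added here as an example; it is not code from the thread or from the CAS project. The point it guards against is the symptom described above: when the overlay's properties are not picked up, CAS generates fresh TGC encryption and signing keys at startup, so ticket-granting cookies stop validating across restarts and across nodes, and the misconfiguration only shows up as a warning in the log. The checker parses a Java properties file, expands ${...} placeholders (reporting references to undefined or self-referencing keys), and verifies that the keys the overlay template expects are set with plausible values. The property names (tgc.encryption.key, tgc.signing.key, tgc.secure, service.registry.config.location) are taken from the post; the minimum lengths (43 and 86 base64url characters, i.e. 256-bit and 512-bit keys without padding) and the two sample configurations are assumptions constructed for the example.

```python
"""Lint a CAS cas.properties file before deployment.

Added example, not from the mailing-list thread or the CAS project. It only
checks the file's content; whether the running server actually loads the file
is a separate question, answered by the startup log.
"""
import re
from typing import Dict, List, Tuple

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")
BASE64URL = re.compile(r"[A-Za-z0-9_-]+")

# Property names as used in the original post (CAS 5 overlay template).
REQUIRED_KEYS = (
    "tgc.encryption.key",
    "tgc.signing.key",
    "service.registry.config.location",
)

# Assumption: unpadded base64url text of a 256-bit key is 43 characters and of
# a 512-bit key 86 characters; anything shorter is worth a second look.
MIN_KEY_LENGTH = {"tgc.encryption.key": 43, "tgc.signing.key": 86}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, key=value or
    key: value, backslash line continuation; later keys override earlier."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def resolve_placeholders(props: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Expand ${name} references recursively. Returns the resolved map and the
    sorted names that could not be expanded (undefined, or part of a cycle)."""
    unresolved = set()

    def expand(value: str, stack: Tuple[str, ...]) -> str:
        def substitute(match) -> str:
            name = match.group(1)
            if name in stack or name not in props:   # cycle or undefined key
                unresolved.add(name)
                return match.group(0)                # leave ${name} visible
            return expand(props[name], stack + (name,))
        return PLACEHOLDER.sub(substitute, value)

    resolved = {key: expand(value, (key,)) for key, value in props.items()}
    return resolved, sorted(unresolved)


def check_cas_properties(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the file passed."""
    resolved, unresolved = resolve_placeholders(parse_properties(text))
    findings: List[str] = []
    for name in unresolved:
        findings.append(f"unresolved placeholder: ${{{name}}}")
    for key in REQUIRED_KEYS:
        if not resolved.get(key):
            findings.append(f"missing required key: {key}")
    for key, min_len in MIN_KEY_LENGTH.items():
        value = resolved.get(key, "")
        if not value:
            continue                     # already reported as missing
        if len(value) < min_len:
            findings.append(f"{key} is shorter than expected ({len(value)} < {min_len} chars)")
        if not BASE64URL.fullmatch(value):
            findings.append(f"{key} is not base64url text")
    if resolved.get("tgc.secure", "").strip().lower() != "true":
        findings.append("tgc.secure is not true: the TGC cookie would also be sent over plain HTTP")
    return findings


# Constructed sample values: placeholders of the right length, not real keys.
SAMPLE_ENC_KEY = "k" * 43
SAMPLE_SIG_KEY = "s" * 86

GOOD_CONFIG = f"""\
# constructed sample cas.properties
cas.server.name=https://sso.example.test
cas.server.prefix=${{cas.server.name}}/cas
tgc.encryption.key={SAMPLE_ENC_KEY}
tgc.signing.key={SAMPLE_SIG_KEY}
tgc.secure=true
service.registry.config.location=/etc/cas/services
"""

# Constructed sample with typical slips: a dangling placeholder, no signing
# key, a too-short encryption key and the secure flag switched off.
BAD_CONFIG = """\
cas.server.prefix=${cas.host}/cas
tgc.encryption.key=tooshort
tgc.secure=false
service.registry.config.location=/etc/cas/services
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_cas_properties(cfg) or ["ok"])
```

Run it against the real file with `check_cas_properties(open("/etc/cas/config/cas.properties").read())` from a deployment script and fail the deployment on any finding. The placeholder pass is the part that catches the quiet failures: a reference such as ${server.name} that resolves to nothing is left in the value as literal text rather than raising an error, so a prefix built from it is wrong without anything refusing to start.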
Re: [cas-user] French enterprise to integrate JASIG with SPNEGO
Hi,

You might use the cas-fr mailing list for your request. BTW, our company has used CAS + AD with SPNEGO for years now without problems.

Rgds.

On 07/06/2016 at 16:34, Jeremie NATAF wrote:
> Hi,
> Our company is looking for a society (services) for integrating jasig with the SPNEGO module and AD windows 2012.
> Jasig will be connected with J2EE applications (webapp) in different tomcats.
> All Jasig servers were installed on linux servers.
> Thanks for your help
> Jérémie