Re: [cas-user] log4j vulnerability remediation

2021-12-16 Thread Raph C
Hi,

You have to exclude log4j* from WEB-INF/lib from the overlay plugin and add the
correct version as a dependency (use 2.16.0 instead, a new CVE appeared on
Tuesday).
Regards,

On Tue, 14 Dec 2021 at 17:02, apereo_cas_user wrote:

> We use the CAS 6.1.7 overlay template [still in pre-prod] for delegated
> authentication.
> As a temp solution we replaced log4j 2.12.1 with 2.15.0 manually and
> bounced tomcat.
> Is there a way we can exclude 2.12.1 from the build? [I can pull in
> 2.15.0 by adding it in build.gradle, but it conflicts with 2.12.1.] We have
> issues when upgrading to 6.3.7.2.
>
> Thanks
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAJtMnTFH2iCfbQQMe31WtoJtCgatasTAw4TCZWBUx8tZLirSXg%40mail.gmail.com.
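An added example (not from the thread or the CAS project): a Python check that a built CAS WAR no longer ships old log4j jars after the exclusion described above. It flags any log4j-* jar in WEB-INF/lib below 2.16.0 and any artifact present in two versions, the conflict the original poster mentions; the function names and the sample WAR contents are constructed for illustration.

```python
import io
import re
import zipfile

# log4j 2.x jars as packaged in a WAR, e.g. WEB-INF/lib/log4j-core-2.12.1.jar
LOG4J_JAR = re.compile(r"^WEB-INF/lib/(log4j(?:-[a-z0-9]+)+)-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.15.0' -> (2, 15, 0); short versions are padded so '2.16' == '2.16.0'."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def audit_war(war, minimum="2.16.0"):
    """Return (found, problems) for the log4j jars inside a WAR.

    war is a path or a binary file object; found maps artifact -> set of versions.
    """
    floor = parse_version(minimum)
    found = {}
    with zipfile.ZipFile(war) as archive:
        for name in archive.namelist():
            match = LOG4J_JAR.match(name)
            if match:
                found.setdefault(match.group(1), set()).add(match.group(2))

    problems = []
    for artifact in sorted(found):
        versions = sorted(found[artifact], key=parse_version)
        if len(versions) > 1:
            problems.append(f"{artifact}: conflicting versions {', '.join(versions)}")
        for version in versions:
            if parse_version(version) < floor:
                problems.append(f"{artifact}-{version}.jar is older than {minimum}")
    return found, problems


def build_sample_war(jar_names):
    """Constructed test input: an in-memory WAR holding empty jars."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for jar in jar_names:
            archive.writestr(f"WEB-INF/lib/{jar}", b"")
    buffer.seek(0)
    return buffer


if __name__ == "__main__":
    # Constructed sample: the 2.12.1 / 2.15.0 clash described in the question.
    sample = build_sample_war([
        "log4j-api-2.16.0.jar", "log4j-core-2.12.1.jar",
        "log4j-core-2.15.0.jar", "spring-core-5.2.0.RELEASE.jar",
    ])
    for line in audit_war(sample)[1]:
        print(line)
```

Pass the path of the WAR produced by the overlay build to `audit_war`; an empty problem list means every bundled log4j jar is at or above the minimum and present in a single version.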


Re: [cas-user] JWTTokenTicketBuilder.build issue an http request to server itself

2021-06-04 Thread Raph C
I totally agree. In my company we had to upgrade the CPU as a workaround for
the performance issue due to jwtasticket activation.

The tokenBuilder reuses the servicevalidate web controllers to fetch ticket
claims by using an internal Java HTTP client. Seems to be the easier
solution. A tough rework would be necessary to split the attribute release
logic from the web controllers (depending on protocol version).

I wanted to work on it but have no time to spend on it.

Regards

On Fri, 4 Jun 2021 at 05:57, Daniel Qian wrote:

> cas version: v5.3.16
>
> cas-server-support-token-core / JWTTokenTicketBuilder[1] uses the cas-client
> TicketValidator to validate the service ticket, which issues an HTTP request
> to the server itself.
>
> That's not good, there is a performance impact.
>
> I think it'll be better if the server validates the service ticket locally,
> not via an HTTP request to itself.
>
> [1]:
> https://github.com/apereo/cas/blob/v5.3.16/support/cas-server-support-token-core/src/main/java/org/apereo/cas/token/JWTTokenTicketBuilder.java
>
>


[cas-user] renew + non interactive authentication module

2021-06-03 Thread Raph C
Hello,

I developed a non-interactive authentication module which works as 
expected. I tested whether, when a /cas/login request is sent with the renew 
parameter, CAS ignores silent authentication and forces authentication from the 
login page, but it does not. I was wondering if anyone has the same behaviour 
with another "non-interactive" module (e.g. spnego)?

What do you think about it? Does CAS work as expected, or should it force 
authentication?

Thanks for your help
Regards,



Re: [cas-user] Testing multiple sites (Drupal & Moodle) with cas server 5.2

2020-05-29 Thread Raph C
Hi Uma,

Is your CASTGS cookie sent with the second login (beginning at Drupal)?

On Tue, 24 Jul 2018 at 18:29, Ray Bon wrote:

> Uma,
>
> What happens when you go to drupal first then moodle?
>
> Ray
>
> P.S. your encoding for the drupal url is odd but I do not think that is
> what is causing the problem.
>
> On Tue, 2018-07-24 at 18:23 +0530, Uma Pathy wrote:
>
> Hi David,
>
> These are urls i tried here.
>
>
> https://cas5.2.eluminaelearning.com.au:8443/cas/login?service=https%3A%2F%2Fstaging.aipmupdate.eluminaelearning.com.au%2Flogin%2Findex.php%3FauthCAS%3DCAS=true
>
>
> https://cas5.2.eluminaelearning.com.au:8443/cas/login?gateway=true=https%3A//drupal.eluminaelearning.com.au/casservice%3Freturnto%3Dhttps%253A//drupal.eluminaelearning.com.au/user/login
>
> But i could not find the solution yet even i turned on debug mode in CAS.
>
> Thanks & Regards,
> J Umapathy
>
> On Mon, Jul 23, 2018 at 9:27 PM, Chia-Ying (David) Yang <
> yangchiay...@gmail.com> wrote:
>
> Hi Uma,
>
> The service definition looks ok.  If you haven't customized the login page
> yet, do both login pages display "HTTPS and IMAPS" (upper right)?  What are
> the URLs for the login pages?  Also, after logging in the first time, do
> you have a TGC cookie in your browser for localhost /cas?
>
> You need to turn on debug-level logging for CAS so you can see why the
> second login page is triggered.
>
> David
>
>
>
>
> On 07/23/2018 07:42 AM, Uma Pathy wrote:
>
> Hi David,
>
> Have you found anything for me regarding this issue?
>
> Thanks & Regards,
> J Umapathy
>
> On Sat, Jul 21, 2018 at 3:10 PM, Uma Pathy  wrote:
>
> Hi,
>
> Please find my service definition here.
>
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^(https|imaps)://.*",
>   "name" : "HTTPS and IMAPS",
>   "id" : 1001,
>   "description" : "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
>   "evaluationOrder" : 1
> }
>
> Thanks & Regards,
> J Umapathy
>
> On Fri, Jul 20, 2018 at 5:09 PM, David Yang 
> wrote:
>
> Sounds like SSO issue, please share your service definitions?
>
> David
>
>
>
> On Fri, Jul 20, 2018, 3:50 AM Uma Pathy  wrote:
>
> Hi,
>
> I am facing some issues in testing the CAS server 5.2 with multiple sites
> (Drupal & Moodle). Please find my test steps below.
>
> *Expecting Result & Test steps:*
> a. I go to Moodle site, click the link 'CAS User' to redirect into CAS
> Server
> b. Login the CAS server, if login successful, redirect back to Moodle site
> c. Moodle site creates a session for the user and allow him into inside
> the Moodle Site
> d. *I go to Drupal site, Click the link 'CAS Login' to redirect into CAS
> Server*
> *e. Since the CAS User is already login, So it should skip the cas login
> and redirect back to drupal site*
> *f. Drupal will create a session for the user and allow him to inside the
> drupal.*
> *Actual Result:*
> a. Until the Moodle site, it is working fine.
> b. But in Drupal is,
> Once we click the CAS login, it redirects to the CAS server. It displays
> the CAS login page. Only once we enter username & password and the login is
> successful does it redirect back to Drupal, and then Drupal creates
> a session for the user and allows him inside.
>
> Please help me to sort out the issue (when going to the CAS server from the
> Drupal site (i.e. since the CAS user is already logged in), the CAS login will
> have to be skipped and will redirect to Drupal with Ticketid [TGT-XXX], then
> Drupal will proceed further).
>
> Thanks & Regards,
> J Umapathy

Re: [cas-user] Update Authentication attribute during a renew

2020-05-29 Thread Raph C
Hi Ray,

No. In renew mode, if the user already has a valid session, CAS asks for
login/password, validates it and then generates a new Service Ticket linked to
the current TGT (the user's current CAS session). So authentication metadata are
not updated.

In this case, the client, when validating the Service Ticket, sees the
authentication metadata from the initial authentication, not the renew ones.

Regards

On Fri, 29 May 2020 at 17:55, Ray Bon wrote:

> Raph,
>
> Are you talking about ticket expiration?
> https://apereo.github.io/cas/6.1.x/ticketing/Configuring-Ticket-Expiration-Policy.html
>
> Ray
>
> On Fri, 2020-05-29 at 07:43 -0700, Raph C wrote:
>
> Hi all,
>
> I'm using CAS version 5.3 and have multiple authentication handlers which
> support different kinds of credentials. So let's imagine the following flow:
>
> A/ The user authenticates with a custom credential (e.g. a header and not a
> login/password). All is OK, an authentication attribute (let's call it
> *amr*) is set on the TGT to state which authn method was used ... then a CAS
> session is started.
> B/ A few moments later (before the CAS session expires), the user agent is
> redirected to the login page with the renew param.
> C/ The user has to enter their login/password. After validating it with
> another authentication handler, CAS generates a new Service Ticket but leaves
> the TGT as is, without updating the *amr* attribute with the new value.
> Finally the CAS client will see outdated information.
>
> How can I force CAS to update my TGT authentication attribute before
> generating service ticket ?
>
> Thanks for your help
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>


[cas-user] Update Authentication attribute during a renew

2020-05-29 Thread Raph C
Hi all,

I'm using CAS version 5.3 and have multiple authentication handlers which 
support different kinds of credentials. So let's imagine the following flow:

A/ The user authenticates with a custom credential (e.g. a header and not a 
login/password). All is OK, an authentication attribute (let's call it *amr*) 
is set on the TGT to state which authn method was used ... then a CAS session 
is started.
B/ A few moments later (before the CAS session expires), the user agent is 
redirected to the login page with the renew param.
C/ The user has to enter their login/password. After validating it with another 
authentication handler, CAS generates a new Service Ticket but leaves the TGT as 
is, without updating the *amr* attribute with the new value. Finally the CAS 
client will see outdated information.

How can I force CAS to update my TGT authentication attribute before 
generating service ticket ?

Thanks for your help 



[cas-user] Surrogate module extension

2020-05-13 Thread Raph C
Hi all,

In our previous version based on CAS 5.2 we decided to fork the webflow 
and authentication modules to handle our own implementation. I'm currently 
upgrading to 5.3.15.1 and I would like to extend the base module instead of 
forking it, but I'm facing an issue: the bean SurrogateInitialAuthenticationAction 
authenticationViaFormAction 
(SurrogateAuthenticationWebflowConfiguration in surrogate-webflow) is not 
easily overridable.

Do you know if there is any way to force our app to override the 
authenticationViaFormAction bean definition?

NB: I already tried @Primary but it doesn't work. I thought of 
AutoConfigureBefore but not sure of the result.

Regards, 



Re: [cas-user] Log4j property discrepancies

2018-05-06 Thread Raph C
Hi,
This is the same property. Spring Boot (used by CAS) relaxed binding allows
you to write a property in different ways: in camelCase, snake case,
upper/lower case ... See the Spring Boot documentation.

Regards

On Fri, 4 May 2018 at 08:00, Jay wrote:

> Hello All,
>
> Can someone tell me which is the correct property to be used.
>
> In the documentation, I see
>
> server.contextParameters.isLog4jAutoInitializationDisabled=true
>
>
> whereas in the application.properties I see
> server.context-parameters.isLog4jAutoInitializationDisabled=true
>
> and what is the functionality that this property is used for.
>
> Thanks,
> Jay
>


Re: [cas-user] SLO(Single Logout) issue problem in CAS5.1

2017-10-27 Thread Raph C
Hi,

CAS 5.1 is based on Spring-Boot1.5/Spring4 and uses the Java config approach
for bean declaration instead of config files. So the cas-servlet doesn't
exist anymore. You can find the bean declarations in the configuration
classes annotated with @Configuration.

Regards

On 27 Oct 2017 at 02:14, "zl anson" wrote:

> Hello, everybody
>   I have a question about the SLO (single log out) problem for CAS5.1, I
> don't know if it is a bug.
>   When I used CAS4.2.x, and used 2 Java clients as CAS clients, the SLO
> function worked well; when I logged out in A system, the account in B system
> was logged out also.
>   But when I keep everything the same (including the filter in web.xml) in
> the CAS client, and only change the CAS server from 4.2 to 5.1, I found the
> SLO does not work.
>   Does anybody know the reason?
>   I had tested a little, and found some beans affect this SLO; actually
> in CAS4.2, there is a file "cas-servlet.xml", its beans include logout and
> something. Maybe it makes SLO work.
>   But in CAS5.1 I cannot find this file, and don't know what to do,
>   any help will be very appreciated, thanks
>