Re: [cas-user] log4j vulnerability remediation

2021-12-14 Thread Robert Oschwald
We had the same problem and we did the following:

1. Overwrite BOM defined version in gradle.properties

# BOM overwritten versions
# CVE-2021-44228 critical fix in 2.15.0.
# 2.16.0 further secures.
# See https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4
log4j2.version=2.16.0

2. Add the dependencies to build.gradle
We use a fairly old CAS Server, so we use these deps. Normally, you do not have 
to state the ones which have no version, as they are taken with the version you 
defined in the log4j2.version variable, but we stated them explicitly, so one 
knows what artifacts are affected.

// Log4j2 critical security flaw fixed in 2.15.0
compile "org.apache.logging.log4j:log4j-api"
compile "org.apache.logging.log4j:log4j-core"
compile "org.apache.logging.log4j:log4j-jcl:${project.'log4j2.version'}"
compile "org.apache.logging.log4j:log4j-slf4j-impl"
compile "org.apache.logging.log4j:log4j-web:${project.'log4j2.version'}"

3. Exclude the old dependencies from war-overlay
This is an important step.
As you get the dependencies from the original, overlayed war file, you must 
exclude them in the war task, so only your versions are taken.

war {
  // ...
  // Exclusion list of all dependencies contained in the original cas-WAR for which we use newer versions.
  // You must exclude all of them, otherwise we get duplicate dependencies in our cas.war!
  // Remove the insecure log4j2 version. See above.
  exclude "WEB-INF/lib/log4j-*-2.12.1.jar"
  exclude "WEB-INF/lib/jul-to-slf4j-1.7.32.jar"
  exclude "WEB-INF/lib/slf4j-api-1.7.32.jar"
}

Hope that helps.



> On 14.12.2021 at 17:25, Jeffrey Ramsay wrote:
> 
> Same experience.
> 
> On Tue, Dec 14, 2021 at 11:02 AM apereo_cas_user wrote:
> We use the CAS 6.1.7 overlay template [still in pre-prod] for delegated 
> authentication.
> As a temp solution we replaced log4j 2.12.1 with 2.15.0 manually and bounced 
> tomcat.
> Is there a way we can exclude 2.12.1 from the build? [I can pull in 2.15.0 
> by adding it in build.gradle, but it conflicts with 2.12.1.] We have issues when 
> upgrading to 6.3.7.2.
> 
> Thanks

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/A6D22B3F-1993-4D04-A604-59DE522768B6%40gmail.com.
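
Added example (not part of the original post and not CAS project code): a Python check to run against the built cas.war for the failure mode step 3 guards against, where old log4j jars from the overlaid WAR survive next to the overridden ones. The 2.16.0 floor comes from the post; the jar lists are constructed samples and the function names are illustrative.

```python
import io
import re
import zipfile
from collections import defaultdict

# Floor taken from the log4j2.version=2.16.0 line in the post above.
MIN_LOG4J = (2, 16, 0)

# Matches WEB-INF/lib/<artifact>-<version>[qualifier].jar,
# e.g. WEB-INF/lib/log4j-slf4j-impl-2.16.0.jar
JAR_RE = re.compile(
    r"^WEB-INF/lib/(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*)"
    r"(?:[-.][A-Za-z][A-Za-z0-9]*)?\.jar$"
)


def parse_lib_entry(name):
    """Split a WAR entry name into (artifact, version tuple), or None."""
    m = JAR_RE.match(name)
    if m is None:
        return None
    parts = [int(p) for p in m.group("version").split(".")]
    parts += [0] * (3 - len(parts))  # pad "2.15" to (2, 15, 0)
    return m.group("artifact"), tuple(parts)


def audit_war(war):
    """Inspect a WAR (path or file object) for Log4j 2 artifacts.

    Returns (outdated, duplicates):
      outdated   - sorted (artifact, version) pairs below MIN_LOG4J
      duplicates - sorted artifacts present in more than one version,
                   which is what a missing 'exclude' in the war task produces
    Only artifacts named log4j-* are considered (the Log4j 2 modules).
    """
    versions = defaultdict(set)
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            parsed = parse_lib_entry(name)
            if parsed and parsed[0].startswith("log4j-"):
                versions[parsed[0]].add(parsed[1])
    outdated = sorted(
        (artifact, v)
        for artifact, found in versions.items()
        for v in found
        if v < MIN_LOG4J
    )
    duplicates = sorted(a for a, found in versions.items() if len(found) > 1)
    return outdated, duplicates


def build_sample_war(lib_names):
    """Build an in-memory WAR holding empty jars (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for lib in lib_names:
            zf.writestr("WEB-INF/lib/" + lib, b"")
        zf.writestr("WEB-INF/classes/log4j2.xml", b"<Configuration/>")
    buf.seek(0)
    return buf


# Constructed sample: overrides added in build.gradle, excludes forgotten.
UNPATCHED_LIBS = [
    "log4j-api-2.12.1.jar",
    "log4j-core-2.12.1.jar",
    "log4j-api-2.16.0.jar",
    "log4j-core-2.16.0.jar",
    "slf4j-api-1.7.32.jar",
]

# Constructed sample: overrides plus the excludes from step 3.
PATCHED_LIBS = [
    "log4j-api-2.16.0.jar",
    "log4j-core-2.16.0.jar",
    "log4j-slf4j-impl-2.16.0.jar",
    "slf4j-api-1.7.32.jar",
]

if __name__ == "__main__":
    for label, libs in (("unpatched", UNPATCHED_LIBS), ("patched", PATCHED_LIBS)):
        outdated, duplicates = audit_war(build_sample_war(libs))
        print(label, "outdated:", outdated, "duplicates:", duplicates)
```

To check a real build, pass the path of the generated WAR to audit_war() and fail the pipeline when either list is non-empty.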


Re: [cas-user] log4j2 vulnerability

2021-12-12 Thread Robert Oschwald
Thanks for clarification.

Sent while mobile

From: 'Richard Frovarp' via CAS Community 
Sent: Sunday, December 12, 2021 6:10:15 PM
To: cas-user@apereo.org 
Subject: Re: [cas-user] log4j2 vulnerability

Newer versions of the JDK are still affected. The newer JDK versions stop JNDI 
from running remote code, it doesn't stop JNDI lookup. An attacker can still 
exfil data through the DNS lookup. Also, there are other paths to exploit with 
this attack. It was first found via JNDI LDAP to execute remote code. There is 
now a known path using classes present in Apache Tomcat. There will be more 
that are found. Update Log4j or put the environment variable in.

From: cas-user@apereo.org  on behalf of Robert Oschwald 

Sent: Saturday, December 11, 2021 09:24
To: cas-user@apereo.org 
Subject: Re: [cas-user] log4j2 vulnerability

Jdk 1.8 192 or newer or jdk11 11.0.2 or newer are not affected it seems, as 
JNDI lookups are disabled there by default.

https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228



Sent while mobile.

On 11.12.2021 at 13:44, Anders Collstrup wrote:


My fix was the following:

CAS 6.1 running on debian 10. All except CAS installed from standard repos

created this file:
/usr/share/tomcat9/bin/setenv.sh

containing:
JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=True"

After restart of tomcat I could see the following in the log:
10-Dec-2021 18:49:18.681 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Dlog4j2.formatMsgNoLookups=True

On Fri, Dec 10, 2021 at 7:37 PM Manuel Cones <manuelco...@gmail.com> wrote:
Hello, due to the recently discovered log4j2 vulnerability, what's the way to 
mitigate it?


Should I add log4j2.formatMsgNoLookups=true to the cas.properties file?

Thanks in Advance,
Manuel.


Re: [cas-user] log4j2 vulnerability

2021-12-11 Thread Robert Oschwald
Jdk 1.8 192 or newer or jdk11 11.0.2 or newer are not affected it seems, as 
JNDI lookups are disabled there by default.

https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228



Sent while mobile.

> On 11.12.2021 at 13:44, Anders Collstrup wrote:
> 
> 
> My fix was the following:
> 
> CAS 6.1 running on debian 10. All except CAS installed from standard repos
> 
> created this file:
> /usr/share/tomcat9/bin/setenv.sh
> 
> containing:
> JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=True"
> 
> After restart of tomcat I could see the following in the log:
> 10-Dec-2021 18:49:18.681 INFO [main] 
> org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
> -Dlog4j2.formatMsgNoLookups=True
> 
>> On Fri, Dec 10, 2021 at 7:37 PM Manuel Cones wrote:
>> Hello, due to the recently discovered log4j2 vulnerability, what's the way to 
>> mitigate it?
>> 
>> 
>> Should I add log4j2.formatMsgNoLookups=true to the cas.properties file?
>> 
>> Thanks in Advance,
>> Manuel.


Re: [cas-user] Sample Java Web Application to test the login

2019-11-05 Thread Robert Oschwald

https://www.baeldung.com/spring-security-cas-sso

Sent while mobile.

> On 06.11.2019 at 08:37, Steve Cheung wrote:
> 
> 
> Hi all, 
> 
> I have set up and run an overlay cas war 6.2.0 in my local environment with 
> simple configuration. 
> 
> The next step I would like to set up a sample web app to do the login via the 
> cas server. May I know where to get more sample code from the web and more 
> instruction about it? 
> 
> Many thanks.
> 
> Regards, 
> Steve


Re: [cas-user] CAS 5.3, where is LOGGER defined with @Slf4j?

2018-10-08 Thread Robert Oschwald
https://github.com/apereo/cas/blob/5.3.x/lombok.config



> On 08.10.2018 at 16:53, Robert Oschwald wrote:
> 
> https://projectlombok.org/features/log
> 
> 
> See lombok.config file
> You need this file in your overlay project.
> 
> 
> 
> 
>> On 08.10.2018 at 16:32, Yan Zhou <yanand...@gmail.com> wrote:
>> 
>> Hello,
>> 
>> Looking at CAS 5.3 source code,   I need to customize action class, so I 
>> create a class with the same name/package in my overlay, but I cannot 
>> resolve compile error on LOGGER.
>> 
>> I understand with Lombok and @Slf4j, I get object: log  for free. But, I do 
>> not know how LOGGER is defined in CAS code.
>> 
>> Thx!
>> Yan
>> 
>> 
>> in action classes, I see this:
>> 
>> 
>> @Slf4j
>> public class SendPasswordResetInstructionsAction extends AbstractAction {
>> 
>> LOGGER.debug(...)   <== this is how logging is done, is this referring to 
>> the same logger object in parent?
>> 
>> In AbstractAction, i see this.
>> 
>> protected final Log logger = LogFactory.getLog(getClass());
>> 
>> Thanks,
>> Yan
>> 


Re: [cas-user] CAS 5.3, where is LOGGER defined with @Slf4j?

2018-10-08 Thread Robert Oschwald
https://projectlombok.org/features/log 


See lombok.config file
You need this file in your overlay project.




> On 08.10.2018 at 16:32, Yan Zhou wrote:
> 
> Hello,
> 
> Looking at CAS 5.3 source code,   I need to customize action class, so I 
> create a class with the same name/package in my overlay, but I cannot resolve 
> compile error on LOGGER.
> 
> I understand with Lombok and @Slf4j, I get object: log  for free. But, I do 
> not know how LOGGER is defined in CAS code.
> 
> Thx!
> Yan
> 
> 
> in action classes, I see this:
> 
> 
> @Slf4j
> public class SendPasswordResetInstructionsAction extends AbstractAction {
> 
> LOGGER.debug(...)   <== this is how logging is done, is this referring to the 
> same logger object in parent?
> 
> In AbstractAction, i see this.
> 
> protected final Log logger = LogFactory.getLog(getClass());
> 
> Thanks,
> Yan
> 


Re: [cas-user] Creating custom JDBC authentication handler!

2017-12-21 Thread Robert Oschwald
You can introduce your own config keys in cas.properties and define your own 
Config bean.

Access the properties with @Value annotation in the config bean like so:
@Configuration("myCustomApplicationConfiguration")
@EnableConfigurationProperties(CasConfigurationProperties.class)
@AutoConfigureAfter(CasCoreTicketsConfiguration.class)
public class MyCustomApplicationConfiguration {
  // Injected from the custom key defined in cas.properties
  @Value("${my.custom.property}")
  public String customProp;
  // ...
}
 

> On 21.12.2017 at 13:23, noumann.f wrote:
> 
> Thanks,
> 
> Yes indeed, it's all about `CasConfigurationProperties` class, but I was 
> wondering if there is any way to do this without needing to override this 
> class in my project.
> 
> Anyway, while my handler is alive without this feature I can postpone this.
> 
> Regards,
> 
> On Wednesday, December 20, 2017 at 8:50:57 PM UTC+2, Manfredo Hopp wrote:
> Hi 
> 
> glad to hear your progress. 
> 
> To load your properties you could have a look on how they are loaded for cas 
> in src org.apereo.cas.configuration.CasConfigurationProperties where all 
> properties are loaded. 
> Important thing is this: 
> 
> @ConfigurationProperties("cas")
> public class CasConfigurationProperties 
> 
> 
> Regards
> 
> 
> 
> 2017-12-20 11:22 GMT-03:00 noumann.f:
> And that's what happened,
> 
> setting up a fresh development env. and following the instructions in here: 
> https://apereo.github.io/cas/5.1.x/installation/Configuring-Custom-Authentication.html
> enabled me to create a custom handler that accepts users whose username is 
> similar to their password as a simple example.
> 
> Then, imitating the JDBC query authentication handler I could modify my 
> handler to connect and authenticate against a MySql database.
> 
> What is annoying me is that I couldn't create my own custom properties in the 
> `cas.properties` and I'm depending on the `cas.authn.jdbc.query[0].xxx` 
> properties. For the current time, any needed properties are hard-coded in the 
> handler class!!
> Is there any easy way to do this without hacking a lot of source code?!
> 
> Thanks a lot for your help,
> 
> Best regards,
> 
> 
> 
> 
> 
> On Thursday, December 14, 2017 at 3:51:20 PM UTC+2, Manfredo Hopp wrote:
> Ok,
> 
> using this as a starting point try to debug your handler.
> 
> 2017-12-14 4:45 GMT-03:00 noumann.f:
> Commenting out only `cas.authn.accept.users=` didn't help, BUT commenting the 
> policy entries either made it work and let me authenticate as (casuser, 
> Mellon).
> 
> On Thursday, December 14, 2017 at 12:47:29 AM UTC+2, Manfredo Hopp wrote:
> Hi
> 
> Can you comment out cas.authn.accept.users= in cas properties and see if at 
> least you can authenticate with casuser?
> 
> 
> 2017-12-13 6:24 GMT-03:00 noumann.f:
> Sorry for being late to respond to your request, but the test machine I was 
> working on broke down suddenly!
> 
> below the log after authentication:
> 
> log.cas
> 
> 2017-12-13 11:25:17,913 INFO 
> [org.apereo.cas.support.events.listener.DefaultCasEventListener] - <
> >
> 2017-12-13 11:25:17,914 INFO 
> [org.apereo.cas.support.events.listener.DefaultCasEventListener] - < [0m>
> 2017-12-13 11:25:17,914 INFO 
> [org.apereo.cas.support.events.listener.DefaultCasEventListener] -  process requests @ [2017-12-13T09:25:17.909Z]>
> 2017-12-13 11:25:17,915 INFO [org.apereo.cas.web.CasWebApplication] - 
> 
> 2017-12-13 11:25:37,644 DEBUG 
> [org.apereo.cas.authentication.PseudoPlatformTransactionManager] -  new transaction with name 
> [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner.clean]: 
> PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
> 2017-12-13 11:25:37,645 DEBUG 
> [org.apereo.cas.authentication.PseudoPlatformTransactionManager] -  new transaction with name 
> [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner.clean]: 
> PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
> 2017-12-13 11:25:37,649 DEBUG 
> [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] -  to acquire ticket cleanup lock.>
> 2017-12-13 11:25:37,650 DEBUG 
> [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] -  lock. Proceeding with cleanup.>
> 2017-12-13 11:25:37,652 DEBUG 
> [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired 
> tickets found.>
> 2017-12-13 11:25:37,652 INFO 
> [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <[0] expired 
> tickets removed.>
> 2017-12-13 11:25:37,652 DEBUG 
> [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] -  ticket cleanup 

Re: [cas-user] CAS 5.2.0 How to configure cas in that way so that it listen to HTTP?

2017-12-13 Thread Robert Oschwald
I strongly recommend not using the approach you are trying to configure. The 
connection between the LB and CAS Servers should be encrypted as well.


> On 14.12.2017 at 08:13, casuser wrote:
> 
> Thank you Cristina,
> 
> Actually what I meant was lets say https://example.com will go to a load 
> balancer and it will check the ssl and provide the ssl certificate then it 
> will go to CAS. I want to configure CAS in a way so that it doesn't need to 
> check for the ssl because from the load balancer there will be a http 
> connection will go to CAS and if CAS finds it as HTTP Single Sign On WILL NOT 
> WORK. So I need to configure CAS so that it listen to HTTP for the Single 
> Sign On to work. Is there a way to achieve that?
> 
> Best Regards,
> 
> FAZLA
> 
> On Thursday, December 14, 2017 at 2:55:20 PM UTC+8, Cristina Vlaicu wrote:
> Hello, 
> 
> I had  configured https on the application server. I had nothing to configure 
> in CAS properties.
> 
> Thank you,
> Cristina
> 
> 
> 
> On Dec 14, 2017 6:51 AM, "casuser" wrote:
> There is a load balancer in between the user and the CAS . The load balancer 
> will check allow the SSL certificate. But from the load balancer to the CAS 
> the connection will be HTTP. 
> 
> How to configure cas in that way so that it listen to HTTP?
> 
> I have tried this in my cas.properties but didn't solve my problem:
> 
> cas.server.httpProxy.enabled=true
> # changed from True
> cas.server.httpProxy.secure=false
> cas.server.httpProxy.protocol=AJP/1.3
> # changed to http
> cas.server.httpProxy.scheme=http
> cas.server.httpProxy.redirectPort=8080
> cas.server.httpProxy.proxyPort=8080
> cas.server.httpProxy.attributes.attributeName=attributeValue
> I do have the warning:
> "Non-secure Connection You are currently accessing CAS over a non-secure 
> connection. Single Sign On WILL NOT WORK. In order to have single sign on 
> work, you MUST log in over HTTPS." but the warning still remains. 
> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#http-proxying
> 


Re: [cas-user] Re: Creating custom JDBC authentication handler!

2017-12-11 Thread Robert Oschwald
By default, CAS scans only the org.apereo.cas.config package, so your config 
bean is not picked up.
You can either move the config bean to the org.apereo.cas.config package, or 
you register your Config bean.
See https://apereo.github.io/2017/02/21/cas-autocfg-strategy/ 



> On 11.12.2017 at 15:57, noumann.f wrote:
> 
> The registration class in the previous post isn't complete, here it is:
> 
> Registration class:
> package org.custom;
> 
> // imports copied from the original code
> 
> 
> @Configuration("customFileAuthenticationEventExecutionPlanConfiguration")
> @EnableConfigurationProperties(CasConfigurationProperties.class)
> public class CustomFileAuthenticationEventExecutionPlanConfiguration
>         implements AuthenticationEventExecutionPlanConfigurer {
>     private static final Logger LOGGER =
>             LoggerFactory.getLogger(CustomFileAuthenticationEventExecutionPlanConfiguration.class);
> 
>     @Autowired(required = false)
>     @Qualifier("customFilePasswordPolicyConfiguration")
>     private PasswordPolicyConfiguration customFilePasswordPolicyConfiguration;
> 
>     @Autowired
>     @Qualifier("servicesManager")
>     private ServicesManager servicesManager;
> 
>     @Autowired
>     private CasConfigurationProperties casProperties;
> 
>     @Autowired
>     @Qualifier("personDirectoryPrincipalResolver")
>     private PrincipalResolver personDirectoryPrincipalResolver;
> 
> 
>     @ConditionalOnMissingBean(name = "filePrincipalFactory")
>     @Bean
>     public PrincipalFactory filePrincipalFactory() {
>         return new DefaultPrincipalFactory();
>     }
> 
>     @RefreshScope
>     @Bean
>     public AuthenticationHandler customFileAuthenticationHandler() {
>         final FileAuthenticationProperties fileProperties =
>                 casProperties.getAuthn().getFile();
>         final FileAuthenticationHandler h = new FileAuthenticationHandler(
>                 fileProperties.getName(), servicesManager, filePrincipalFactory(),
>                 fileProperties.getFilename(), fileProperties.getSeparator());
> 
>         h.setPasswordEncoder(Beans.newPasswordEncoder(fileProperties.getPasswordEncoder()));
>         if (customFilePasswordPolicyConfiguration != null) {
>             h.setPasswordPolicyConfiguration(customFilePasswordPolicyConfiguration);
>         }
> 
>         h.setPrincipalNameTransformer(
>                 Beans.newPrincipalNameTransformer(fileProperties.getPrincipalTransformation()));
> 
>         return h;
>     }
> 
>     @Override
>     public void configureAuthenticationExecutionPlan(final AuthenticationEventExecutionPlan plan) {
>         if (casProperties.getAuthn().getFile().getFilename() != null) {
>             LOGGER.debug("zzz Added file-based authentication handler");
> 
>             plan.registerAuthenticationHandlerWithPrincipalResolver(
>                     customFileAuthenticationHandler(), personDirectoryPrincipalResolver);
>         }
>     }
> }
> 
> 
> 
> cas.properties file
> 
> #File Authentication
> ##
> cas.authn.file.separator=::
> cas.authn.file.filename=file:///etc/cas/usersfile
> cas.authn.file.name=usersfile
> 
> ...
> 
> cas.authn.policy.requiredHandlerAuthenticationPolicyEnabled=true
> cas.authn.policy.req.tryAll=false
> cas.authn.policy.req.handlerName=CustomFileAuthenticationHandler
> cas.authn.policy.req.enabled=true
> 
> 
> 
> 
> On Wednesday, December 6, 2017 at 11:18:28 PM UTC+2, noumann.f wrote:
> Hi,
> 
> I need to create a custom JDBC authentication handler, I'd done this 
> previously with version 4.x but with new version 5.1.x things have changed !!
> 
> I'm following the guide in here: 
> https://apereo.github.io/2017/02/02/cas51-authn-handlers 
> 
> but I need more details about registering the new handler and how to create 
> special properties for it in the cas.properties and then reach them in the 
> code!
> 
> Best regards,
> 

Re: [cas-user] How ticket cleanup works in clustered CAS environment

2017-07-26 Thread Robert Oschwald
Of course you can add tickets while cleaner is running, assuming you properly 
configured the cas.ticket.registry.jpa.dialect property (e.g. using 
org.hibernate.dialect.MySQL5InnoDBDialect).



> On 26.07.2017 at 13:52, shruti halgekar wrote:
> 
> Thank you for your reply. I have one more query, If cleanup activity 
> initiated by one server then will other server get permission to insert record 
> into TICKETGRANTINGTICKET and SERVICETICKET tables?
> 
> On Wednesday, July 26, 2017 at 4:59:38 PM UTC+5:30, robertoschwald wrote:
> A Scheduled Job runs on all nodes (normally DefaultTicketRegistryCleaner), 
> which obtains a lock using the underlying LockingStrategy (e.g.  
> JpaLockingStrategy), and performs the ticket cleaning using the underlying 
> TicketRegistry implementation (e.g. JpaTicketRegistry).
> All other nodes running the TicketRegistryCleaner do not perform if the lock 
> is already obtained.
> 
> See 
> https://github.com/apereo/cas/blob/d893011b344071ff983a3cda5d132d15c2f87c35/core/cas-server-core-tickets/src/main/java/org/apereo/cas/ticket/registry/DefaultTicketRegistryCleaner.java
> 
> 
> On Wednesday, July 26, 2017 at 1:17:54 PM UTC+2, shruti halgekar wrote:
> 
> Can anybody let me know, How ticket cleanup works in clustered CAS 
> environment? We are using JPA Ticket Registry.
> 
> Thank you in advance.
> 

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/A0B8C492-BB9B-4FF2-B21D-A3B03B4BB6AF%40gmail.com.



Re: [cas-user] CAS 5.0.5 how to release attributes with Protocol V 2.0

2017-05-15 Thread Robert Oschwald
You do not need to customize CasServiceValidationSuccess.html, if you just want 
to release attributes the same way as p3.
For 5.0.5, you currently need to do the following things:

1. Overwrite the serviceValidateController bean definition, and wire in the 
cas3ServiceSuccessView, like so:

@Bean
public ServiceValidateController serviceValidateController() {
    final ServiceValidateController c = new ServiceValidateController();
    c.setValidationSpecification(this.cas20WithoutProxyProtocolValidationSpecification);
    // Wire in the CAS 3.0 success view so the 2.0 endpoint releases attributes like p3
    c.setSuccessView(cas3ServiceSuccessView());
    c.setFailureView(cas2ServiceFailureView);
    c.setProxyHandler(proxy20Handler);
    c.setAuthenticationSystemSupport(authenticationSystemSupport);
    c.setServicesManager(servicesManager);
    c.setCentralAuthenticationService(centralAuthenticationService);
    c.setArgumentExtractor(argumentExtractor);
    c.setMultifactorTriggerSelectionStrategy(multifactorTriggerSelectionStrategy);
    c.setAuthenticationContextValidator(authenticationContextValidator);
    c.setJsonView(cas3ServiceJsonView());
    c.setAuthnContextAttribute(casProperties.getAuthn().getMfa().getAuthenticationContextAttribute());
    return c;
}

There is a current limitation up to 5.0.5, where it is not possible to overwrite 
these bean definitions. Therefore, you must copy the whole 
CasValidationConfiguration.java class from the CAS sources into your overlay 
project's org.apereo.cas.web.config package and make the change there.
This will be fixed in 5.0.6, where you only need to define the bean definition 
above in your own config class, like OverwrittenServiceValidateConfiguration.

2. Set a property to use the p3 view for 2.0.
Set the following property in cas.properties to use the p3 view for 2.0 as well:

cas.view.cas2.success=protocol/3.0/casServiceValidationSuccess



Hope that helps,
Robert

> Am 14.05.2017 um 22:23 schrieb Cyrus Grissom :
> 
> Hello,
> 
> Does anybody know how to release attributes using the protocol 2.0 with CAS 
> 5.0.5 ?
> 
> I tried some customisations of "CasServiceValidationSuccess.html" file but 
> without success.
> 
> Many thanks for your help,
> 
> Steve.
> 



Re: [cas-user] Redirect to arbitrary URL after logout

2016-06-30 Thread Robert Oschwald
https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

How to prevent that:

- Register the redirect URL as a service
- Check the redirect URL if the domain name is contained in any registered 
service (that's a custom extension you have to build on your own)
- Separate configuration where you register all URLs to be allowed to be 
redirected to.


> Am 30.06.2016 um 13:48 schrieb John Rellis :
> 
> Hey folks,
> 
> I see it is possible to set cas.logout.followServiceRedirects=true to 
> redirect to a service while logging out
> 
> https://cas:8080/cas/logout?service=http://localhost:8082/app/shiro-cas
> 
> The above URL will bring me to http://localhost:8082/app/shiro-cas, however, 
> I was hoping to logout and redirect to a different URL that is not a service, 
> so maybe http://localhost:8082/app/somewhere-else
> 
> I tried testing it and it doesn't work unless "service" is actually defined 
> as a service.
> 
> Is it possible to redirect somewhere arbitrarily? 
> 
> Thanks,
> John
> 

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To post to this group, send email to cas-user@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/943DCC3E-5F59-4779-91AC-BF8625001FE1%40gmail.com.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
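
The second option in the reply above (checking whether the redirect URL's domain belongs to a registered service), sketched as an added example; it is not code from the original post or from CAS. The class and method names (LogoutRedirectValidator, hostOf, isAllowed) are hypothetical, the example.net URLs are constructed samples, and the registered service URL is the one from the question. It requires Java 9 or later.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;

/** Hypothetical helper: allows a post-logout redirect only to hosts of registered services. */
public class LogoutRedirectValidator {
    private final Set<String> allowedHosts;

    // Assumption: the caller passes the URLs of all registered services (e.g. read from the registry).
    public LogoutRedirectValidator(List<String> registeredServiceUrls) {
        this.allowedHosts = registeredServiceUrls.stream()
                .map(LogoutRedirectValidator::hostOf)
                .filter(Objects::nonNull)
                .collect(Collectors.toSet());
    }

    /** Returns the lower-cased host of an absolute http(s) URL, or null if the input is anything else. */
    static String hostOf(String url) {
        if (url == null) return null;
        try {
            URI uri = new URI(url.trim());
            String scheme = uri.getScheme();
            if (scheme == null || uri.getHost() == null) return null;   // relative, scheme-relative or opaque
            if (!scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https")) return null;
            if (uri.getRawUserInfo() != null) return null;              // user@host forms hide the real host
            return uri.getHost().toLowerCase(Locale.ROOT);
        } catch (URISyntaxException e) {
            return null;                                                // unparsable input is never allowed
        }
    }

    /** Exact host comparison; contains() or endsWith() on the raw string would accept look-alike hosts. */
    public boolean isAllowed(String redirectUrl) {
        String host = hostOf(redirectUrl);
        return host != null && allowedHosts.contains(host);
    }

    public static void main(String[] args) {
        LogoutRedirectValidator v = new LogoutRedirectValidator(
                List.of("http://localhost:8082/app/shiro-cas"));        // service URL from the thread
        String[] samples = {                                            // constructed sample inputs
            "http://localhost:8082/app/somewhere-else",                 // same host as a registered service
            "http://localhost.example.net/app",                         // look-alike host
            "http://localhost@example.net/",                            // userinfo trick
            "//example.net/",                                           // scheme-relative
            "ftp://localhost/file"                                      // wrong scheme
        };
        for (String s : samples) System.out.println(v.isAllowed(s) + "  " + s);
    }
}
```

Only the first sample is accepted. A host-only check still permits any path and port on an allowed host, so the third option in the reply (an explicit list of permitted redirect URLs) is the stricter choice where that matters.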


[cas-user] Re: 4.1.2: JpaTicketRegistry: No transactional EntityManager available

2015-12-01 Thread Robert Oschwald

As I use the JPA Ticket Registry and the JPA Service Registry in my CAS 4.1.2 
Server, I assume I need to use the same transactionManager for TicketRegistry 
and ServiceRegistry.

Therefore I set in the CAS-Server deployerConfigContext:



and in the CAS-Server ticketRegistry.xml I added the pointcut and 
packagesToScan accordingly for the ServiceRegistry:


  org.jasig.cas.ticket
  org.jasig.cas.adaptors.jdbc
  org.jasig.cas.services



  
  
  
  
  
  



but I receive error:

Caused by: java.lang.IllegalArgumentException: org.hibernate.hql.internal.ast.QuerySyntaxException: AbstractRegisteredService is not mapped [select r from AbstractRegisteredService r]
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1750)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1683)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.createQuery(AbstractEntityManagerImpl.java:350)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.springframework.orm.jpa.SharedEntityManagerCreator$SharedEntityManagerInvocationHandler.invoke(SharedEntityManagerCreator.java:291)
    at com.sun.proxy.$Proxy34.createQuery(Unknown Source)
    at org.jasig.cas.services.JpaServiceRegistryDaoImpl.load(JpaServiceRegistryDaoImpl.java:50)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:207)
    at com.sun.proxy.$Proxy35.load(Unknown Source)
    at org.jasig.cas.services.DefaultServicesManagerImpl.load(DefaultServicesManagerImpl.java:165)
    at org.jasig.cas.services.DefaultServicesManagerImpl.<init>(DefaultServicesManagerImpl.java:60)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
    at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:147)
    ... 85 more
Caused by: org.hibernate.hql.internal.ast.QuerySyntaxException: AbstractRegisteredService is not mapped [select r from AbstractRegisteredService r]
    at org.hibernate.hql.internal.ast.QuerySyntaxException.generateQueryException(QuerySyntaxException.java:96)
    at org.hibernate.QueryException.wrapWithQueryString(QueryException.java:120)
    at org.hibernate.hql.internal.ast.QueryTranslatorImpl.doCompile(QueryTranslatorImpl.java:234)
    at org.hibernate.hql.internal.ast.QueryTranslatorImpl.compile(QueryTranslatorImpl.java:158)
    at org.hibernate.engine.query.spi.HQLQueryPlan.<init>(HQLQueryPlan.java:131)
    at org.hibernate.engine.query.spi.HQLQueryPlan.<init>(HQLQueryPlan.java:93)
    at org.hibernate.engine.query.spi.QueryPlanCache.getHQLQueryPlan(QueryPlanCache.java:167)
    at org.hibernate.internal.AbstractSessionImpl.getHQLQueryPlan(AbstractSessionImpl.java:301)
    at org.hibernate.internal.AbstractSessionImpl.createQuery(AbstractSessionImpl.java:236)

Re: [cas-user] 4.1.2: JpaTicketRegistry: No transactional EntityManager available

2015-12-01 Thread Robert Oschwald
ok, so I should use the same config as defined in the Service-Management webapp 
(http://jasig.github.io/cas/4.1.x/installation/Service-Management.html)?
But then I need to define a different "transactionManager" bean in this case, 
as it is already defined for the ticketRegistry.

Like so?

deployerConfigContext.xml:


 


  org.jasig.cas.services





${database.dialect:org.hibernate.dialect.HSQLDialect}
${database.batchSize:1}

















Robert


> Am 01.12.2015 um 17:15 schrieb Misagh Moayyed <mmoay...@unicon.net>:
> 
> No you should not have to use the same transaction manager. 
> 
> - Misagh
> 
>> On Dec 1, 2015, at 8:00 AM, Robert Oschwald <robertoschw...@gmail.com> wrote:
>> 
>> 
>> As I use the JPA Ticket Registry and the JPA Service Registry in my CAS 
>> 4.1.2 Server, I assume I need to use the same transactionManager for 
>> TicketRegistry and ServiceRegistry.
>> 
>> Therefore I set in the CAS-Server deployerConfigContext:
>> 
>> > class="org.jasig.cas.services.JpaServiceRegistryDaoImpl" />
>> 
>> and in the CAS-Server ticketRegistry.xml I added the pointcut and 
>> packagesToScan accordingly for the ServiceRegistry:
>> 
>> 
>>   org.jasig.cas.ticket
>>   org.jasig.cas.adaptors.jdbc
>>   org.jasig.cas.services
>> 
>> 
>> 
>>   
>>   
>>   
>>   > pointcut-ref="ticketRegistryOperations"/>
>>   > pointcut-ref="ticketRegistryLockingOperations"/>
>>   > pointcut-ref="serviceRegistryOperations"/>
>> 
>> 
>> 
>> but I receive error:
>> 
>> Caused by: java.lang.IllegalArgumentException: 
>> org.hibernate.hql.internal.ast.QuerySyntaxException: 
>> AbstractRegisteredService is not mapped [select r from 
>> AbstractRegisteredService r]
>>  at 
>> org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1750)
>>  at 
>> org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677)
>>  at 
>> org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1683)
>>  at 
>> org.hibernate.jpa.spi.AbstractEntityManagerImpl.createQuery(AbstractEntityManagerImpl.java:350)
>>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>  at 
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>  at 
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>  at java.lang.reflect.Method.invoke(Method.java:606)
>>  at 
>> org.springframework.orm.jpa.SharedEntityManagerCreator$SharedEntityManagerInvocationHandler.invoke(SharedEntityManagerCreator.java:291)
>>  at com.sun.proxy.$Proxy34.createQuery(Unknown Source)
>>  at 
>> org.jasig.cas.services.JpaServiceRegistryDaoImpl.load(JpaServiceRegistryDaoImpl.java:50)
>>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>  at 
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>  at 
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>  at java.lang.reflect.Method.invoke(Method.java:606)
>>  at 
>> org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
>>  at 
>> org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
>>  at 
>> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
>>  at 
>> org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
>>  at 
>> org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281)
>>  at 
>> org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
>>  at 
>> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
>>  at 
>> org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
>>  at 
>> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
>>  at 
>> org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicA