[cas-user] Service Access Strategy with several attributes and OR logic

2019-10-09 Thread Sébastien BEAUDLOT
Hi,

I want to filter access to a CAS service by LDAP attributes for some
users and by uid for other users (I don't want to allow the whole group for
those few users).

Is it possible to apply OR logic to the Service Access Strategy?
The documentation only shows an example with AND logic and two attributes:
https://apereo.github.io/cas/5.3.x/installation/Configuring-Service-Access-Strategy.html

I am on CAS 5.3.11.

Regards.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/921aa159-fcbd-4dbb-97cf-2f7cd169ce82%40apereo.org.
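As an added example (not from the thread and not from the CAS project), here is a CAS 5.3 JSON service definition that admits members of one LDAP group or a handful of named uids. `DefaultRegisteredServiceAccessStrategy` evaluates `requiredAttributes` with AND semantics by default; setting `requireAllAttributes` to `false` makes one matching attribute sufficient, which is the OR asked for above. The service URL, group DN, attribute names and uids are placeholders, and the strategy can only match `memberOf` and `uid` if attribute resolution actually releases them for the principal.

```json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://app\\.example\\.org/.*",
  "name" : "app",
  "id" : 1001,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requireAllAttributes" : false,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "memberOf" : [ "java.util.HashSet", [ "cn=app-users,ou=groups,dc=example,dc=org" ] ],
      "uid" : [ "java.util.HashSet", [ "alice", "bob" ] ]
    }
  }
}
```

With `requireAllAttributes` false, any single listed attribute value is enough, so the `uid` allow-list is effectively a second door into the service: keep it short and review it with the group membership, and check the audit log after a login as one of those uids to confirm the decision was taken on the attribute you expect.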


[cas-user] AuthenticationInterrupt : disabling SSO without showing the Interrupt page

2019-04-16 Thread Sébastien BEAUDLOT
Hi,

I am on CAS 5.3.4 with Authentication Interrupt enabled with a Groovy
script.

What I want to achieve is a kind of "quarantine" system that allows or
disallows authentication to services based on an attribute value.

My problem is that, in some cases, I want the Groovy script to just go on
with authentication but with SSO enabled, so only this service is allowed
(because the user is still under quarantine). The service should not always be
allowed without SSO; only the script has the "power" to decide what to do.

I couldn't manage to log on without SSO and without displaying the
Interrupt page (no block, no interrupt, just automatically keep on
authenticating silently).

What's working is: return new InterruptResponse(message: message,
interrupt: true, block: false, ssoEnabled: false)

This is OK but it does display the Authentication page, and I don't want it
to. Is there another way to achieve this?


Regards.

--
Sébastien Beaudlot
Avignon Université
univ-avignon.fr

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/05e0402f-421c-4993-9319-295b6392a266%40apereo.org.
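An added example of the kind of Groovy interrupt script the post describes (example code, neither the poster's script nor anything shipped by CAS). It follows the argument order documented for CAS 5.3 (principal, attributes, service, registeredService, requestContext, logger), which you should check against your version; the `accountStatus` attribute, its `quarantine` value and the support-portal URL are placeholders. The quarantined-but-allowed branch returns exactly the response the post reports as working, interrupt page included; the other two branches show the no-interrupt and block cases around it.

```groovy
import org.apereo.cas.interrupt.InterruptResponse

def run(final Object... args) {
    def principal = args[0]          // authenticated principal (id + attributes)
    def attributes = args[1]         // Map<String, Object>; values are usually lists
    def service = args[2]            // the service the user is heading to
    def registeredService = args[3]  // its registry entry
    def requestContext = args[4]
    def logger = args[5]

    // Placeholders (assumptions): the attribute/value that marks a quarantined
    // account, and the one service such an account may still reach.
    def status = attributes['accountStatus']
    boolean quarantined = status instanceof Collection ? status.contains('quarantine') : status == 'quarantine'
    boolean supportPortal = service?.id?.startsWith('https://support.example.org/')

    if (!quarantined) {
        // Healthy account: no interrupt at all, normal SSO session.
        return new InterruptResponse(interrupt: false)
    }

    if (supportPortal) {
        // Quarantined, but the target is the one permitted service: let the user
        // in for this service only. Same response the post reports as working,
        // so the interrupt page is displayed before continuing.
        return new InterruptResponse(
            message: 'Your account is restricted; only the support portal is available.',
            interrupt: true, block: false, ssoEnabled: false)
    }

    // Quarantined and heading anywhere else: refuse, and leave an audit trail.
    logger.warn('Quarantined account [{}] blocked from service [{}]', principal?.id, service?.id)
    return new InterruptResponse(
        message: 'Your account is restricted. Please contact support.',
        interrupt: true, block: true, ssoEnabled: false)
}
```

Because the script runs on every login, keep its decisions derived from attributes the resolver fetches fresh (not from anything the user can influence in the request), and test each of the three branches against a test service before enabling it for production services.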


Re: [cas-user] Configure CAS to have a good logout handling with a load balanced multi instance application

2017-07-21 Thread Sébastien Beaudlot
Hi 

Do you have any backend configured for ticket registry ? This may be the 
easiest way to achieve your goal. 

Memcache is easy to set up. 

Regards. 

On 21 July 2017 17:17:29 GMT+02:00, Fabio Martelli 
 wrote:
>Hi All, I need your help to understand how I can configure my CAS 5.1.X
>single instance to control access to a multi instance application with a
>load balancer in front.
>
>Each single instance communicates with CAS directly. This latter
>communicates with the clustered application through the LB.
>
>With a sticky session configured on the LB I'm able to resolve any login
>issue.
>
>I cannot say the same about the logout: the request from CAS to
>invalidate client application sessions in addition to its own SSO
>session cannot reach the right instance because the LB does not have
>any info to route the request correctly.
>
>Can you suggest a solution?
>
>Thank you in advance.
>
>BR,
>
>F.
>
>
>-- 
>Fabio Martelli
>https://it.linkedin.com/pub/fabio-martelli/1/974/a44
>http://blog.tirasa.net/author/fabio/index.html
>
>Tirasa - Open Source Excellence
>http://www.tirasa.net/index.html?pk_campaign=email_kwd=fm
>
>Apache Syncope PMC
>http://people.apache.org/~fmartelli/
>
>-- 
>- CAS gitter chatroom: https://gitter.im/apereo/cas
>- CAS mailing list guidelines:
>https://apereo.github.io/cas/Mailing-Lists.html
>- CAS documentation website: https://apereo.github.io/cas
>- CAS project website: https://github.com/apereo/cas
>--- 
>You received this message because you are subscribed to the Google
>Groups "CAS Community" group.
>To unsubscribe from this group and stop receiving emails from it, send
>an email to cas-user+unsubscr...@apereo.org.
>To view this discussion on the web visit
>https://groups.google.com/a/apereo.org/d/msgid/cas-user/036f3abe-603b-ba41-1f3e-2d48f96d6e6e%40gmail.com.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/368332DC-3125-48BA-9088-11C48C9B9290%40univ-avignon.fr.
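As an added example (not from the thread, not from CAS or uPortal), here is the application-side half of the logout problem described above, written as a small Groovy class. CAS performs single logout by POSTing a form field `logoutRequest` containing a SAML `LogoutRequest` whose `SessionIndex` is the service ticket that was validated when the session was opened. If the ST-to-session mapping recorded at login lives in a store shared by all instances, whichever instance the load balancer picks for the logout call can find and invalidate the right session; the `Map` below stands in for that shared store (Redis, Memcached, a database table), which is an assumption, and the XML sample and ticket values are constructed.

```groovy
import groovy.util.XmlSlurper
import org.xml.sax.SAXException

/**
 * Receives the CAS back-channel single logout request on any instance.
 * The ST -> HTTP session mapping is written by the instance that handled the
 * login and read by whichever instance receives the logout, so it must be
 * shared (the Map is a stand-in for Redis/Memcached/a DB table).
 */
class CasSloHandler {
    private final Map<String, String> sessionsByTicket = Collections.synchronizedMap([:])

    // Called once per successful /serviceValidate, right after the session is created.
    void rememberLogin(String serviceTicket, String httpSessionId) {
        sessionsByTicket[serviceTicket] = httpSessionId
    }

    // Returns the session id to invalidate, or null when nothing matches
    // (ticket never validated here, already logged out, or malformed input).
    String sessionToInvalidate(String logoutRequestXml) {
        def request
        try {
            request = new XmlSlurper().parseText(logoutRequestXml)
        } catch (SAXException ignored) {
            return null           // a servlet would answer 400 here
        }
        if (request.name() != 'LogoutRequest') return null
        String ticket = request.SessionIndex.text().trim()
        // remove(): one-shot, so a replayed or duplicated logout is harmless.
        return ticket ? sessionsByTicket.remove(ticket) : null
    }
}

// Constructed sample of what CAS posts in the "logoutRequest" form field
// (after URL decoding); IDs, timestamp and ticket are made up.
def sampleLogoutRequest = '''
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     ID="LR-constructed-1" Version="2.0" IssueInstant="2017-07-21T15:17:29Z">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex>
</samlp:LogoutRequest>
'''

def handler = new CasSloHandler()
handler.rememberLogin('ST-1-constructed', 'session-on-instance-B')          // login landed on B
assert handler.sessionToInvalidate(sampleLogoutRequest) == 'session-on-instance-B'  // logout may land on A
assert handler.sessionToInvalidate(sampleLogoutRequest) == null             // second delivery: no-op
assert handler.sessionToInvalidate('not xml at all') == null                // malformed body: no-op
```

The logout endpoint receives unauthenticated POSTs from the CAS server, so restrict it to the CAS server's address or require TLS client verification at the load balancer, and treat an unknown `SessionIndex` as a silent no-op rather than an error that leaks which tickets exist.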


Re: [cas-user] Need help setting up LDAP Authentication

2017-07-06 Thread Sébastien Beaudlot
Hello Toby, 

I think you should try like this :

cas.authn.ldap[0].userFilter=uid={user} 

Refer to the CAS properties page. 

On 6 July 2017 17:32:01 GMT+02:00, Toby Archer  wrote 
:
>I'm upgrading from CAS 3.5 to CAS 5.1. The configurations are similar, but
>not quite the same. My configuration on CAS 3.5 is:
>
># == LDAP Authentication settings ==
>ldap.authentication.filter=uid=%u
>ldap.authentication.server.urls=ldap://dev-ldap7-1.usd.edu
>ldap.authentication.basedn=o=usd.edu
>ldap.authentication.manager.userdn=cn=Directory Manager
>ldap.authentication.manager.password=lols a password in plain text
>ldap.authentication.ignorePartialResultException=true
>ldap.authentication.scope=2
>
>ldap.authentication.services.manager.userdn=cn=WebTeam Members,o=usd.edu
>
>ldap.authentication.jndi.connect.timeout=1
>ldap.authentication.jndi.read.timeout=1
>ldap.authentication.jndi.security.level=simple
>
>And here's my configuration so far in 5.1:
>
>cas.authn.accept.users=
>cas.authn.ldap[0].type=AUTHENTICATED
>cas.authn.ldap[0].ldapUrl=ldap://dev-ldap7-1
>cas.authn.ldap[0].baseDn=o=usd.edu
>cas.authn.ldap[0].userFilter=uid=%u
>cas.authn.ldap[0].subtreeSearch=true
>cas.authn.ldap[0].bindDn=cn=Directory Manager
>cas.authn.ldap[0].bindCredential=shhh, dont tell anyone
>
>cas.authn.ldap[0].dnFormat=uid=%s,ou=people
>cas.authn.ldap[0].principalAttributeId=uid
>cas.authn.ldap[0].principalAttributePassword=password
>cas.authn.ldap[0].principalAttributeList=sn,givenName
>
>cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
>cas.authn.ldap[0].keyStorePassword=changeit
>cas.authn.ldap[0].name=dev-ldap7-1
>
>cas.authn.ldap[0].poolPassivator=CLOSE
>
>It binds to the server fine. I added the logger that turns up debugging on
>this particular component. I tried logging in and saw this in the logs:
>
>user=[org.ldaptive.auth.User@1196469953::identifier=toben.archer, context=null] failed using filter=[org.ldaptive.SearchFilter@-635903203::filter=uid=%u, parameters={context=null, user=toben.archer}]>
>2017-07-06 10:28:41,778 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - user=[org.ldaptive.auth.User@1196469953::identifier=toben.archer, context=null]>
>2017-07-06 10:28:41,778 DEBUG [org.ldaptive.auth.Authenticator] - request=[org.ldaptive.auth.AuthenticationRequest@314951352::user=[org.ldaptive.auth.User@1196469953::identifier=toben.archer, context=null], returnAttributes=[uid, givenName, sn]]>
>2017-07-06 10:28:41,778 WARN [org.apereo.cas.authentication.LdapAuthenticationHandler] - DN resolution failed. [DN cannot be null]>
>2017-07-06 10:28:41,779 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[dev-ldap7-1] failed authenticating [toben.archer]>
>2017-07-06 10:28:41,779 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - cannot find authentication handler that supports [toben.archer] of type [UsernamePasswordCredential], which suggests a configuration problem.>
>
>The problem appears to be the "DN resolution failed. [DN cannot be null]"
>which seems strange because I set baseDn, bindDn, and dnFormat. Have I
>missed something? Why is it still not working?
>
>
>To view this discussion on the web visit
>https://groups.google.com/a/apereo.org/d/msgid/cas-user/01662caf-30ab-4655-908d-a0ab5b2c7173%40apereo.org.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/31CDF2E0-8CFE-4A72-AEC6-4389F66A8D64%40univ-avignon.fr.
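An added example (not Toby's configuration as posted, and not Sébastien's reply verbatim) of the CAS 5.1 properties with the filter placeholder corrected. The posted filter reaches ldaptive unchanged, as the debug line `filter=uid=%u, parameters={context=null, user=toben.archer}` shows: `%u` is 3.5 syntax, nothing is substituted, the search returns no entry and the handler reports `DN cannot be null`. With `{user}`, ldaptive substitutes the submitted username as an escaped filter parameter rather than by string concatenation. Host, base DN and attribute names are the ones from the thread; the `ldaps://` scheme and the environment-variable placeholder for the bind password are assumptions.

```properties
# CAS 5.1 LDAP authentication, "AUTHENTICATED" mode: bind as a service account,
# search for the user's DN, then bind as the user.
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].name=dev-ldap7-1
# Assumption: the directory offers LDAPS; the keystore below is then what makes the
# server certificate trusted. Plain ldap:// sends the bind password in clear.
cas.authn.ldap[0].ldapUrl=ldaps://dev-ldap7-1.usd.edu
cas.authn.ldap[0].baseDn=o=usd.edu
cas.authn.ldap[0].subtreeSearch=true
# {user} is the CAS 5 placeholder for the submitted username. The 3.5-era %u is
# sent to the server literally, matches nothing, and yields "DN cannot be null".
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindDn=cn=Directory Manager
# Assumption: resolved from the environment at startup instead of stored in clear.
cas.authn.ldap[0].bindCredential=${LDAP_BIND_PASSWORD}
# dnFormat belongs to type=DIRECT (bind straight to a computed DN) and is not used
# by the search-based AUTHENTICATED mode, so it is left out here.
cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].principalAttributeList=sn,givenName
# principalAttributePassword is only for caching a password attribute on the
# principal; leave it unset unless that is deliberate.
cas.authn.ldap[0].keystore=file:/etc/cas/thekeystore
cas.authn.ldap[0].keyStorePassword=changeit
cas.authn.ldap[0].poolPassivator=CLOSE
```

After the change, the same `org.ldaptive` debug logger should show the filter with the real username in place of the placeholder and a non-null DN on the next line; if it still shows the placeholder, the property is not the one CAS is reading.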


[cas-user] CAS proxy and uPortal

2017-07-06 Thread Sébastien BEAUDLOT
Hello,

I have a working 5.0.7 CAS on Debian Jessie. All our websites and 
services using CAS are working and able to produce and use TGTs and STs.

Except for uPortal, which is using proxy granting. Below, all technical 
details. I also attach debug-level logs (sensitive data replaced) of a 
uPortal login test with CAS. Every web server is using DigiCert 
certificates and listening on port 443 only. I also add the service 
definition and cas.properties (also with sensitive data taken off).

CAS version: 5.0.7
uPortal version: 4.0.12
Main error after uPortal login: Forwarding to error page from request 
[/serviceValidate] due to exception ['principal' cannot be null.

I am really stuck, I don't even understand the meaning of this exception.

Maybe someone here can help me with this issue.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/da965ffe-849f-4f46-a40c-4ea47e863913%40apereo.org.
2017-07-06 11:24:16,693 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
2017-07-06 11:24:16,704 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
2017-07-06 11:24:16,721 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - https://ent-test.mydomain.tld/uPortal/Login
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Jul 06 11:24:16 CEST 2017
CLIENT IP ADDRESS: 195.83.163.141
SERVER IP ADDRESS: 195.83.163.58
=

>
2017-07-06 11:24:16,831 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - https://ent-test.mydomain.tld/uPortal/CasProxyServlet
WHAT: Supplied credentials: 
[https://ent-test.mydomain.tld/uPortal/CasProxyServlet]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Thu Jul 06 11:24:16 CEST 2017
CLIENT IP ADDRESS: 195.83.163.115
SERVER IP ADDRESS: 195.83.163.58
=

>
2017-07-06 11:24:16,906 ERROR [org.springframework.boot.web.support.ErrorPageFilter] - java.lang.IllegalArgumentException: 'principal' cannot be null.
Check the correctness of @Audit annotation at the following audit point: execution(public org.apereo.cas.ticket.proxy.ProxyGrantingTicket org.apereo.cas.CentralAuthenticationServiceImpl.createProxyGrantingTicket(java.lang.String,org.apereo.cas.authentication.AuthenticationResult))
	at org.apereo.inspektr.audit.AuditActionContext.assertNotNull(AuditActionContext.java:80) ~[AuditActionContext.class:1.7.GA]
	at org.apereo.inspektr.audit.AuditActionContext.<init>(AuditActionContext.java:62) ~[AuditActionContext.class:1.7.GA]
	at org.apereo.inspektr.audit.AuditTrailManagementAspect.executeAuditCode(AuditTrailManagementAspect.java:159) ~[AuditTrailManagementAspect.class:1.7.GA]
	at org.apereo.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:147) ~[AuditTrailManagementAspect.class:1.7.GA]
	at sun.reflect.GeneratedMethodAccessor240.invoke(Unknown Source) ~[?:?]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_131]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_131]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:629) ~[AbstractAspectJAdvice.class:4.3.4.RELEASE]
	at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:618) ~[AbstractAspectJAdvice.class:4.3.4.RELEASE]
	at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:70) ~[AspectJAroundAdvice.class:4.3.4.RELEASE]
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:168) ~[ReflectiveMethodInvocation.class:4.3.4.RELEASE]
	at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99) ~[TransactionInterceptor$1.class:4.3.4.RELEASE]
	at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282) ~[TransactionAspectSupport.class:4.3.4.RELEASE]
	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96) ~[TransactionInterceptor.class:4.3.4.RELEASE]
	at
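The audit trail above shows the sequence that proxy granting relies on: a service ticket for `/uPortal/Login`, then an `AUTHENTICATION_SUCCESS` for the callback URL `/uPortal/CasProxyServlet`, and then the failure inside `createProxyGrantingTicket`. As an added example (not from the post, not uPortal's CasProxyServlet and not CAS code) the Groovy class below models the client side of that exchange as the CAS protocol defines it: CAS calls the `pgtUrl` over HTTPS with `pgtIou` and `pgtId` and expects HTTP 200, the `/serviceValidate` response then carries only the IOU, and the client resolves the IOU to the PGT before requesting proxy tickets from `/proxy`. The shared `Map`, the sample XML, the ticket values and the URLs are constructed; the example does not diagnose the server-side `'principal' cannot be null` failure itself.

```groovy
import groovy.util.XmlSlurper

/**
 * Client-side bookkeeping for CAS proxy granting (e.g. what a proxy callback
 * servlet has to do). pgtIou -> pgtId must be visible to every application
 * instance, since the callback and the validation may hit different ones;
 * the Map is a stand-in for a shared cache (assumption).
 */
class CasProxyCallbackStore {
    private final Map<String, String> pgtByIou = Collections.synchronizedMap([:])

    // (1) CAS sends GET <pgtUrl>?pgtIou=PGTIOU-...&pgtId=PGT-... and requires a 200;
    //     if it gets anything else it issues no PGT. pgtId is a bearer secret: never log it.
    boolean receiveCallback(Map<String, String> query) {
        String iou = query.pgtIou
        String pgt = query.pgtId
        if (!iou || !pgt) return false
        pgtByIou[iou] = pgt
        return true
    }

    // (2) The /serviceValidate response names only the IOU; swap it for the PGT.
    //     Returns null when validation failed or no callback for that IOU arrived.
    String proxyGrantingTicketFor(String serviceResponseXml) {
        def response = new XmlSlurper().parseText(serviceResponseXml)
        def success = response.authenticationSuccess
        if (success.isEmpty()) return null
        String iou = success.proxyGrantingTicket.text().trim()
        return iou ? pgtByIou.remove(iou) : null
    }

    // (3) URL the client calls to obtain a proxy ticket for a back-end service.
    static String proxyRequestUrl(String casBaseUrl, String pgt, String targetService) {
        String target = URLEncoder.encode(targetService, 'UTF-8')
        return "${casBaseUrl}/proxy?pgt=${pgt}&targetService=${target}"
    }
}

// Constructed sample of a successful validation response (tickets are made up).
def validationResponse = '''
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-1-constructed</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>
'''

def store = new CasProxyCallbackStore()
assert store.receiveCallback([pgtIou: 'PGTIOU-1-constructed', pgtId: 'PGT-1-constructed'])
assert !store.receiveCallback([pgtIou: 'PGTIOU-2-constructed'])          // incomplete callback ignored
def pgt = store.proxyGrantingTicketFor(validationResponse)
assert pgt == 'PGT-1-constructed'
assert store.proxyGrantingTicketFor(validationResponse) == null           // IOU is single-use
assert CasProxyCallbackStore.proxyRequestUrl('https://cas.mydomain.tld/cas', pgt,
        'https://ent-test.mydomain.tld/uPortal/portlet') ==
       'https://cas.mydomain.tld/cas/proxy?pgt=PGT-1-constructed&targetService=https%3A%2F%2Fent-test.mydomain.tld%2FuPortal%2Fportlet'
```

Two checks worth making when a proxy callback misbehaves: confirm from the CAS server's side that the HTTPS connection to the `pgtUrl` completes with a certificate it trusts and a 200 response, and confirm that the callback endpoint accepts only requests from the CAS server, since anyone able to post a `pgtIou`/`pgtId` pair to it could plant a PGT of their choosing.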