[cas-user] Re: OIDC Spring dependency problem in 6.6.0 with change in 6.6.0-RC4?

2022-11-04 Thread Sam Hough
Hi,

In case anyone else hits this. mmoayyed suggested a workaround here
https://github.com/apereo/cas/pull/5538#issuecomment-1303193825 that seems
to be based on code added in this commit
https://github.com/apereo/cas/commit/94b32c39bf76e261484c9bbb7106bb2834c4dc21 ?

I'd not heard of the CasFeatureModule stuff before and googling didn't help 
me very much. Anyway, 
adding --CasFeatureModule.OpenIDConnect.jpa.enabled=false as a command line 
option seemed to fix it.

Cheers

Sam

On Friday, 5 August 2022 at 16:06:37 UTC+1 Sam Hough wrote:

> Hi,
>
> I think the issue is:
> * I use org.apereo.cas:cas-server-support-jdbc which pulls in support-jpa-util
> * support-jpa-util contains JpaBeanFactory
> * OidcJwksJpaConfiguration has @ConditionalOnClass(JpaBeanFactory.class)
> * Fails as there is no instance of JpaBeanFactory
>
> I've hacked it locally for now but will try and come up with a pull 
> request. Seems dubious that support-jdbc depends on something about JPA. 
> JPA a higher level than JDBC? I've not used @ConditionalOnClass so maybe it 
> could be tweaked to whatever is the factory for instances of JpaBeanFactory?
>
> Any guidance welcome.
>
> Cheers
>
> Sam 
>
> On Tuesday, 26 July 2022 at 14:58:51 UTC+1 Sam Hough wrote:
>
>> Hi,
>>
>> Anyone else hit a problem using "org.apereo.cas:cas-server-support-oidc" 
>> in the 6.6.0 branch?
>>
>> At first I was getting a problem with:
>> [org/apereo/cas/oidc/config/OidcJwksJpaConfiguration.class]: Unsatisfied 
>> dependency expressed through method 'jpaOidcJwksVendorAdapter' parameter 1; 
>> nested exception is 
>> org.springframework.beans.factory.NoSuchBeanDefinitionException: No 
>> qualifying bean of type 'org.apereo.cas.jpa.JpaBeanFactory' available: 
>> expected at least 1 bean which qualifies as autowire candidate. Dependency 
>> annotations: 
>> {@org.springframework.beans.factory.annotation.Qualifier(value="jpaBeanFactory")}
>> That was fixed by adding "org.apereo.cas:cas-server-support-jpa-hibernate"
>>
>> After upgrading to 6.6.0-RC4 I now get:
>> [org/apereo/cas/oidc/config/OidcJwksJpaConfiguration.class]: Unsatisfied 
>> dependency expressed through method 'transactionManagerOidcJwks' parameter 
>> 1; nested exception is 
>> org.springframework.beans.factory.NoSuchBeanDefinitionException: No 
>> qualifying bean of type 'javax.persistence.EntityManagerFactory' available: 
>> expected at least 1 bean which qualifies as autowire candidate. Dependency 
>> annotations: 
>> {@org.springframework.beans.factory.annotation.Qualifier(value="oidcJwksEntityManagerFactory")}
>>
>> Anyone else hit this? I can't see how the same fix/kludge would work. I 
>> don't want to use JPA anyway as I'm happy with config in the file system.
>>
>> Any suggestions if somebody has hit something similar would be greatly 
>> appreciated.
>>
>> Cheers
>>
>> Sam
>>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a628e707-aa50-4862-ab4a-55ba1e1e63d5n%40apereo.org.
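
Added example, not part of the thread and not CAS code: the sketch below reproduces the failure mode discussed in the messages above with Spring Boot's own condition annotations (a type that is on the classpath but never registered as a bean), and shows a property gate being switched off with a command line option. DemoJpaBeanFactory, DemoJwksStore and the demo.jwks.jpa.enabled property are hypothetical stand-ins, CAS's CasFeatureModule handling is not reproduced, and spring-context plus spring-boot-autoconfigure are assumed to be on the classpath.

```java
import org.springframework.beans.BeansException;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.SimpleCommandLinePropertySource;

public class ConditionalGateDemo {

    /** Hypothetical stand-in: a type that is loadable but that nothing registers as a bean. */
    public interface DemoJpaBeanFactory {
    }

    /** Hypothetical stand-in for the bean a JPA-backed configuration would build. */
    public static final class DemoJwksStore {
        private final DemoJpaBeanFactory factory;

        DemoJwksStore(DemoJpaBeanFactory factory) {
            this.factory = factory;
        }
    }

    /** Gate on class presence only: matches as soon as the type can be loaded. */
    @Configuration(proxyBeanMethods = false)
    @ConditionalOnClass(DemoJpaBeanFactory.class)
    static class ClassGatedConfig {
        @Bean
        DemoJwksStore demoJwksStore(DemoJpaBeanFactory factory) {
            return new DemoJwksStore(factory);
        }
    }

    /** Same class check plus an explicit switch (hypothetical property name, on by default). */
    @Configuration(proxyBeanMethods = false)
    @ConditionalOnClass(DemoJpaBeanFactory.class)
    @ConditionalOnProperty(name = "demo.jwks.jpa.enabled", havingValue = "true", matchIfMissing = true)
    static class PropertyGatedConfig {
        @Bean
        DemoJwksStore demoJwksStore(DemoJpaBeanFactory factory) {
            return new DemoJwksStore(factory);
        }
    }

    /** Starts a context with one configuration and the given "--name=value" arguments. */
    static String start(Class<?> config, String... args) {
        AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext();
        try {
            // Conditions are evaluated when the class is registered, so the
            // command line properties have to be in the environment first.
            ctx.getEnvironment().getPropertySources()
                    .addFirst(new SimpleCommandLinePropertySource(args));
            ctx.register(config);
            ctx.refresh();
            int stores = ctx.getBeanNamesForType(DemoJwksStore.class).length;
            return config.getSimpleName() + ": started, DemoJwksStore beans = " + stores;
        } catch (BeansException e) {
            // The gate matched, but no bean satisfies the @Bean method's parameter.
            return config.getSimpleName() + ": failed, "
                    + e.getMostSpecificCause().getClass().getSimpleName();
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        // Class on the classpath, no bean of that type: the configuration is active anyway.
        System.out.println(start(ClassGatedConfig.class));
        // Property gate left at its default: same situation as above.
        System.out.println(start(PropertyGatedConfig.class));
        // Property gate switched off from the command line: the configuration is skipped.
        System.out.println(start(PropertyGatedConfig.class, "--demo.jwks.jpa.enabled=false"));
    }
}
```

Spring Boot's @ConditionalOnBean is the other obvious gate, but its documentation recommends it only on auto-configuration classes because the result depends on the order in which bean definitions are processed.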


[cas-user] Re: OIDC Spring dependency problem in 6.6.0 with change in 6.6.0-RC4?

2022-08-05 Thread Sam Hough
Hi,

I think the issue is:
* I use org.apereo.cas:cas-server-support-jdbc which pulls in support-jpa-util
* support-jpa-util contains JpaBeanFactory
* OidcJwksJpaConfiguration has @ConditionalOnClass(JpaBeanFactory.class)
* Fails as there is no instance of JpaBeanFactory

I've hacked it locally for now but will try and come up with a pull 
request. Seems dubious that support-jdbc depends on something about JPA. 
JPA a higher level than JDBC? I've not used @ConditionalOnClass so maybe it 
could be tweaked to whatever is the factory for instances of JpaBeanFactory?

Any guidance welcome.

Cheers

Sam 

On Tuesday, 26 July 2022 at 14:58:51 UTC+1 Sam Hough wrote:

> Hi,
>
> Anyone else hit a problem using "org.apereo.cas:cas-server-support-oidc" 
> in the 6.6.0 branch?
>
> At first I was getting a problem with:
> [org/apereo/cas/oidc/config/OidcJwksJpaConfiguration.class]: Unsatisfied 
> dependency expressed through method 'jpaOidcJwksVendorAdapter' parameter 1; 
> nested exception is 
> org.springframework.beans.factory.NoSuchBeanDefinitionException: No 
> qualifying bean of type 'org.apereo.cas.jpa.JpaBeanFactory' available: 
> expected at least 1 bean which qualifies as autowire candidate. Dependency 
> annotations: 
> {@org.springframework.beans.factory.annotation.Qualifier(value="jpaBeanFactory")}
> That was fixed by adding "org.apereo.cas:cas-server-support-jpa-hibernate"
>
> After upgrading to 6.6.0-RC4 I now get:
> [org/apereo/cas/oidc/config/OidcJwksJpaConfiguration.class]: Unsatisfied 
> dependency expressed through method 'transactionManagerOidcJwks' parameter 
> 1; nested exception is 
> org.springframework.beans.factory.NoSuchBeanDefinitionException: No 
> qualifying bean of type 'javax.persistence.EntityManagerFactory' available: 
> expected at least 1 bean which qualifies as autowire candidate. Dependency 
> annotations: 
> {@org.springframework.beans.factory.annotation.Qualifier(value="oidcJwksEntityManagerFactory")}
>
> Anyone else hit this? I can't see how the same fix/kludge would work. I 
> don't want to use JPA anyway as I'm happy with config in the file system.
>
> Any suggestions if somebody has hit something similar would be greatly 
> appreciated.
>
> Cheers
>
> Sam
>



[cas-user] OIDC Spring dependency problem in 6.6.0 with change in 6.6.0-RC4?

2022-07-26 Thread Sam Hough
Hi,

Anyone else hit a problem using "org.apereo.cas:cas-server-support-oidc" in 
the 6.6.0 branch?

At first I was getting a problem with:
[org/apereo/cas/oidc/config/OidcJwksJpaConfiguration.class]: Unsatisfied 
dependency expressed through method 'jpaOidcJwksVendorAdapter' parameter 1; 
nested exception is 
org.springframework.beans.factory.NoSuchBeanDefinitionException: No 
qualifying bean of type 'org.apereo.cas.jpa.JpaBeanFactory' available: 
expected at least 1 bean which qualifies as autowire candidate. Dependency 
annotations: 
{@org.springframework.beans.factory.annotation.Qualifier(value="jpaBeanFactory")}
That was fixed by adding "org.apereo.cas:cas-server-support-jpa-hibernate"

After upgrading to 6.6.0-RC4 I now get:
[org/apereo/cas/oidc/config/OidcJwksJpaConfiguration.class]: Unsatisfied 
dependency expressed through method 'transactionManagerOidcJwks' parameter 
1; nested exception is 
org.springframework.beans.factory.NoSuchBeanDefinitionException: No 
qualifying bean of type 'javax.persistence.EntityManagerFactory' available: 
expected at least 1 bean which qualifies as autowire candidate. Dependency 
annotations: 
{@org.springframework.beans.factory.annotation.Qualifier(value="oidcJwksEntityManagerFactory")}

Anyone else hit this? I can't see how the same fix/kludge would work. I 
don't want to use JPA anyway as I'm happy with config in the file system.

Any suggestions if somebody has hit something similar would be greatly 
appreciated.

Cheers

Sam



[cas-user] Username field cleared in login screen after bad password entered? 5.x vs 6.x

2022-07-12 Thread Sam Galosh
I'm updating from cas 5.2 to 6.4 and am noticing a difference in the login 
screen's handling of an incorrect password.

In cas 5.2, when the user enters an invalid password the /cas/login screen 
is reloaded (with an appropriate message) and the username previously 
entered is populated in the username field. 

In cas 6.4 the username field is empty after the page refresh. 

Debugging into the code I can see that the ClearWebflowCredentialAction is 
executing which is clearing out the username. Is this an intentional change 
in CAS? Is there some way to revert to the previous behavior?



[cas-user] Re: CAS cas-overlay-template branch 6.3 not available

2022-03-01 Thread Sam Hough
I think you are just meant to use the CAS Initializr... I'm not a big fan 
but I think that is the "official" way. I still commit the generated stuff 
to local git so I can see what has changed.

On Monday, 21 February 2022 at 10:30:09 UTC jorgem...@gmail.com wrote:

> Hi,
>
> does anyone know what's up with branch 6.3 of cas-overlay-template in 
> GitHub?
>
> https://github.com/apereo/cas-overlay-template/tree/6.3 displays no 
> files, just a readme.md:
>
> IMPORTANT NOTE
>
> *This repository is always automatically generated from the CAS 
> Initializr. Do NOT submit pull requests here as the change-set will be 
> overwritten on the next sync. To learn more, please visit the CAS 
> documentation.*
>
> Regards,
>



Re: [cas-user] Re: id vs. login

2022-02-02 Thread Sam Hough
Hi Lars,

I'm afraid I've only found this in 6.0-RC2. I think I've got stable-ish 
automated tests so I might try a binary search on the version it changed so 
there might be some clue as to the intent.

I think I'm in a similar position to you 
now. cas.personDirectory.principalResolutionConflictStrategy=first seems to 
"fix" the issue but more of a workaround. I've no clue if the "original" 
principal should be in the list and if it is if the change in order is a 
feature or a bug... or something else.

I'll report back if I get any further.

Cheers

Sam

On Wednesday, 2 February 2022 at 13:03:37 UTC Lars Feistner wrote:

> Hi Sam,
>
> unfortunately I first wanted to see if anyone has some insights before 
> digging deeper into the code.
>
> Did it work for you in any other 6.x release or are you as well upgrading 
> from 5 to 6? If first then I could try and find out which version breaks 
> the "feature" and then we could look at the code changes there were made 
> between the changes.
>
> But I actually still hope that someone will tell us if this setting was 
> originally meant to change the id of the principal or not.
>
> Best regards,
> Lars
>
> On 02.02.22 10:51, Sam Hough wrote:
>
> Hi, 
>
> I think I might have hit this too in 6.5.0-RC2. After some debugging it 
> looks like the original principal and the new one are hitting 
> the ChainingPrincipalElectionStrategy::nominate method and the one we want 
> (that honours principal-attribute) is losing to the "original". I need to 
> do more debugging if I can see how to change this behaviour.
>
> Did you get anywhere?
>
> Cheers
>
> Sam
>
> On Wednesday, 19 January 2022 at 10:18:51 UTC Lars Feistner wrote:
>
>> Hi everybody,
>>
>> we recently switched from version 5.x to 6.4.4.2. In version 5 we used the 
>> setting 
>> cas.personDirectory.principalAttribute=id 
>> to switch the id of the UserProfil to be the id and not the login.
>>
>> Now in version 6.4.4.2 I used the same setting 
>> cas.person-directory.principal-attribute=id but after login in the web view 
>> I see the login instead of the id.
>>
>>
>>
>>
>> Is this a bug in 6.4.42 or did I use the wrong setting to do this or what do 
>> I have to do to switch the principal id from login to id?
>>
>> Thank you,
>> Lars
>>
>
>
> -- 
> *Lars Feistner*
> Entwicklungsleitung
> Phone: +49 6221/186749-5
> Mail: l.fei...@cares.institute 
> *Institut für Kommunikations- und Prüfungsforschung gGmbH*
> Institute for Communication and Assessment Research
> Wieblinger Weg 92a
> 69123 Heidelberg, Germany
> Web: www.ucan-assess.org 
>



[cas-user] Re: id vs. login

2022-02-02 Thread Sam Hough
Hi,

I think I might have hit this too in 6.5.0-RC2. After some debugging it 
looks like the original principal and the new one are hitting 
the ChainingPrincipalElectionStrategy::nominate method and the one we want 
(that honours principal-attribute) is losing to the "original". I need to 
do more debugging if I can see how to change this behaviour.

Did you get anywhere?

Cheers

Sam

On Wednesday, 19 January 2022 at 10:18:51 UTC Lars Feistner wrote:

> Hi everybody,
>
>
> we recently switched from version 5.x to 6.4.4.2. In version 5 we used the 
> setting 
> cas.personDirectory.principalAttribute=id 
> to switch the id of the UserProfil to be the id and not the login.
>
> Now in version 6.4.4.2 I used the same setting 
> cas.person-directory.principal-attribute=id but after login in the web view I 
> see the login instead of the id.
>
>
>
>
> Is this a bug in 6.4.42 or did I use the wrong setting to do this or what do 
> I have to do to switch the principal id from login to id?
>
> Thank you,
> Lars
>
>



[cas-user] Re: delegated auth not working after upgrade to CAS 6.4.2

2021-12-14 Thread Sam Hough
Don't need the "just" ;)

I'd like to move away from CAS but we use the CAS protocol a lot (although 
deprecated for new services) and there is always talk of a big project that 
would make it silly to replace this little bit.

I'm a Java developer and have been spending a long time debugging CAS. Not 
much fun.

Anyway, good luck with your logout. I've not got that far yet ;)

On Tuesday, 14 December 2021 at 16:47:28 UTC stou...@isu.edu wrote:

> lol, I wish. I'm just a sysadmin with a lot of years of troubleshooting.
>
> At this point, it's as much trial and error as anything. I look up the 
> various possible settings and try different things. For now, I'm running 
> 6.3.7.2 in dev and prod where people are actually using it. So to some 
> extent, I also just wait for the next release and try again. I'm thinking 
> of just jumping to 6.5x and see if I can get everything to play nice and be 
> happy there.  We were supposed to be moving off CAS to a 3rd party SAML 
> SSO. However, I've had various issues getting things to work with direct 
> authentication, so I set my CAS servers up to do delegated authentication. 
> I can't decide if I'm happy or not that everything "just works" when I run 
> it through CAS. 
>
> The other way I get stuff fixed is to post here and hope someone has a 
> better idea than I do :-D
>
> On Tue, Dec 14, 2021 at 9:39 AM Sam Hough  wrote:
>
>> Oh no. Probably showing my age... but without a bug database what is your 
>> process for getting this stuff fixed? Are you a Java developer?
>>
>> On Tuesday, 14 December 2021 at 16:35:59 UTC stou...@isu.edu wrote:
>>
>>> That sounds terrible. Once I moved from alpha to dev, I've just 
>>> discovered that logout is throwing a 500 error
>>>
>>> On Tue, Dec 14, 2021 at 9:12 AM Sam Hough  wrote:
>>>
>>>> Thanks for letting us know. I think I'm stuck on a different issue 
>>>> related to pac4j change that break pulling over the only attribute I 
>>>> want...
>>>>
>>>> Cheers
>>>>
>>>> Sam
>>>>
>>>> On Tuesday, 14 December 2021 at 15:59:23 UTC stou...@isu.edu wrote:
>>>>
>>>>> I thought I'd just post an update on this. I tried this again with 
>>>>> 6.4.4. Since my CAS server is not acting as a SAML IdP, I removed all 
>>>>> saml-idp modules from my build which seems to have resolved the issue.
>>>>>
>>>>> Noelette
>>>>>
>>>>> On Monday, November 15, 2021 at 7:01:30 AM UTC-7 Noelette Stout wrote:
>>>>>
>>>>>> At least I feel less crazy now :-)  I've been going nuts wondering 
>>>>>> what changed in the configs (that I haven't touched) with the upgrade. 
>>>>>> I've 
>>>>>> gone through double-checking syntax on everything.  
>>>>>>
>>>>>> Thanks for confirming, Bill.
>>>>>>
>>>>>> Noelette
>>>>>>
>>>>>> On Monday, November 15, 2021 at 6:52:58 AM UTC-7 William Jojo wrote:
>>>>>>
>>>>>>> Noelette,
>>>>>>>
>>>>>>> Confirmed. I am doing non-autoforwarding SAML2 delegation to Azure. 
>>>>>>> I have nginx proxy in front of embedded Tomcat app.war. Works in 
>>>>>>> 6.3.7.1, 
>>>>>>> borked in 6.4.2. Double-checked all of my cas.properties, nothing amiss.
>>>>>>>
>>>>>>> In 6.3.7.1 (working):
>>>>>>>
>>>>>>> 2021-11-15 07:04:50,891 DEBUG 
>>>>>>> [org.apereo.cas.web.DelegatedClientWebflowManager] - >>>>>> properties [{method=, theme=, locale=en}]>
>>>>>>> 2021-11-15 07:04:50,907 DEBUG 
>>>>>>> [org.apereo.cas.web.DelegatedClientWebflowManager] - >>>>>> authentication request ticket [TST-1-dWlIqP8W8O7dFxCdIVvxFZ7YM2xj-dai] 
>>>>>>> for 
>>>>>>> service [null] with properties [{theme=, targetService=null, method=, 
>>>>>>> locale=en, service=null}]>
>>>>>>> 2021-11-15 07:04:50,914 DEBUG 
>>>>>>> [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - 
>>>>>>> >>>>>> ticket [TST-1-dWlIqP8W8O7dFxCdIVvxFZ7YM2xj-dai] to registry.>
>>>>>>> 2021-11-15 07:04:50,921 DEBUG 
>>>>>>> [org.apereo.cas.ticket.registry.AbstractMapBasedTicketR

[cas-user] Re: delegated auth not working after upgrade to CAS 6.4.2

2021-12-14 Thread Sam Hough
Oh no. Probably showing my age... but without a bug database what is your 
process for getting this stuff fixed? Are you a Java developer?

On Tuesday, 14 December 2021 at 16:35:59 UTC stou...@isu.edu wrote:

> That sounds terrible. Once I moved from alpha to dev, I've just discovered 
> that logout is throwing a 500 error
>
> On Tue, Dec 14, 2021 at 9:12 AM Sam Hough  wrote:
>
>> Thanks for letting us know. I think I'm stuck on a different issue 
>> related to pac4j change that break pulling over the only attribute I want...
>>
>> Cheers
>>
>> Sam
>>
>> On Tuesday, 14 December 2021 at 15:59:23 UTC stou...@isu.edu wrote:
>>
>>> I thought I'd just post an update on this. I tried this again with 
>>> 6.4.4. Since my CAS server is not acting as a SAML IdP, I removed all 
>>> saml-idp modules from my build which seems to have resolved the issue.
>>>
>>> Noelette
>>>
>>> On Monday, November 15, 2021 at 7:01:30 AM UTC-7 Noelette Stout wrote:
>>>
>>>> At least I feel less crazy now :-)  I've been going nuts wondering what 
>>>> changed in the configs (that I haven't touched) with the upgrade. I've 
>>>> gone 
>>>> through double-checking syntax on everything.  
>>>>
>>>> Thanks for confirming, Bill.
>>>>
>>>> Noelette
>>>>
>>>> On Monday, November 15, 2021 at 6:52:58 AM UTC-7 William Jojo wrote:
>>>>
>>>>> Noelette,
>>>>>
>>>>> Confirmed. I am doing non-autoforwarding SAML2 delegation to Azure. I 
>>>>> have nginx proxy in front of embedded Tomcat app.war. Works in 6.3.7.1, 
>>>>> borked in 6.4.2. Double-checked all of my cas.properties, nothing amiss.
>>>>>
>>>>> In 6.3.7.1 (working):
>>>>>
>>>>> 2021-11-15 07:04:50,891 DEBUG 
>>>>> [org.apereo.cas.web.DelegatedClientWebflowManager] - >>>> properties [{method=, theme=, locale=en}]>
>>>>> 2021-11-15 07:04:50,907 DEBUG 
>>>>> [org.apereo.cas.web.DelegatedClientWebflowManager] - >>>> authentication request ticket [TST-1-dWlIqP8W8O7dFxCdIVvxFZ7YM2xj-dai] 
>>>>> for 
>>>>> service [null] with properties [{theme=, targetService=null, method=, 
>>>>> locale=en, service=null}]>
>>>>> 2021-11-15 07:04:50,914 DEBUG 
>>>>> [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - >>>> ticket [TST-1-dWlIqP8W8O7dFxCdIVvxFZ7YM2xj-dai] to registry.>
>>>>> 2021-11-15 07:04:50,921 DEBUG 
>>>>> [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - >>>> [TST-396f9908-6411-4a39-9318-53da7953330a] could not be found>
>>>>> 2021-11-15 07:04:50,922 DEBUG 
>>>>> [org.apereo.cas.AbstractCentralAuthenticationService] - >>>> [TST-396f9908-6411-4a39-9318-53da7953330a] by type 
>>>>> [TransientSessionTicket] 
>>>>> cannot be found in the ticket registry.>
>>>>> 2021-11-15 07:04:50,923 DEBUG 
>>>>> [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - >>>> ticket [TST-396f9908-6411-4a39-9318-53da7953330a] to registry.>
>>>>> 2021-11-15 07:04:51,141 DEBUG 
>>>>> [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - >>>> ticket [TST-396f9908-6411-4a39-9318-53da7953330a] to registry.>
>>>>> 2021-11-15 07:04:51,352 DEBUG 
>>>>> [org.apereo.cas.web.BaseDelegatedAuthenticationController] - >>>> final redirect action for client [#SAML2Client# | name: HVCC Login - POC 
>>>>> | 
>>>>> callbackUrl: https://casdev.hvcc.edu/cas/login | urlResolver: 
>>>>> org.pac4j.core.http.url.DefaultUrlResolver@3538d8d6 | 
>>>>> callbackUrlResolver: 
>>>>> org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@6785df10 | 
>>>>> ajaxRequestResolver: 
>>>>> org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@6e3705e6 | 
>>>>> redirectionActionBuilder: 
>>>>> org.pac4j.saml.redirect.SAML2RedirectionActionBuilder@140b4e00 | 
>>>>> credentialsExtractor: 
>>>>> org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@169e989c | 
>>>>> authenticator: 
>>>>> org.pac4j.saml.credentials.authenticator.SAML2Authenticator@65930cf1 | 
>>>>> profileCreator: 
>>>>> org.pac4j.core.profile.creator.AuthenticatorProfileCreator@10f5 | 

[cas-user] Re: delegated auth not working after upgrade to CAS 6.4.2

2021-12-14 Thread Sam Hough
Thanks for letting us know. I think I'm stuck on a different issue related 
to pac4j change that break pulling over the only attribute I want...

Cheers

Sam

On Tuesday, 14 December 2021 at 15:59:23 UTC stou...@isu.edu wrote:

> I thought I'd just post an update on this. I tried this again with 6.4.4. 
> Since my CAS server is not acting as a SAML IdP, I removed all saml-idp 
> modules from my build which seems to have resolved the issue.
>
> Noelette
>
> On Monday, November 15, 2021 at 7:01:30 AM UTC-7 Noelette Stout wrote:
>
>> At least I feel less crazy now :-)  I've been going nuts wondering what 
>> changed in the configs (that I haven't touched) with the upgrade. I've gone 
>> through double-checking syntax on everything.  
>>
>> Thanks for confirming, Bill.
>>
>> Noelette
>>
>> On Monday, November 15, 2021 at 6:52:58 AM UTC-7 William Jojo wrote:
>>
>>> Noelette,
>>>
>>> Confirmed. I am doing non-autoforwarding SAML2 delegation to Azure. I 
>>> have nginx proxy in front of embedded Tomcat app.war. Works in 6.3.7.1, 
>>> borked in 6.4.2. Double-checked all of my cas.properties, nothing amiss.
>>>
>>> In 6.3.7.1 (working):
>>>
>>> 2021-11-15 07:04:50,891 DEBUG 
>>> [org.apereo.cas.web.DelegatedClientWebflowManager] - >> properties [{method=, theme=, locale=en}]>
>>> 2021-11-15 07:04:50,907 DEBUG 
>>> [org.apereo.cas.web.DelegatedClientWebflowManager] - >> authentication request ticket [TST-1-dWlIqP8W8O7dFxCdIVvxFZ7YM2xj-dai] for 
>>> service [null] with properties [{theme=, targetService=null, method=, 
>>> locale=en, service=null}]>
>>> 2021-11-15 07:04:50,914 DEBUG 
>>> [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - >> ticket [TST-1-dWlIqP8W8O7dFxCdIVvxFZ7YM2xj-dai] to registry.>
>>> 2021-11-15 07:04:50,921 DEBUG 
>>> [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - >> [TST-396f9908-6411-4a39-9318-53da7953330a] could not be found>
>>> 2021-11-15 07:04:50,922 DEBUG 
>>> [org.apereo.cas.AbstractCentralAuthenticationService] - >> [TST-396f9908-6411-4a39-9318-53da7953330a] by type [TransientSessionTicket] 
>>> cannot be found in the ticket registry.>
>>> 2021-11-15 07:04:50,923 DEBUG 
>>> [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - >> ticket [TST-396f9908-6411-4a39-9318-53da7953330a] to registry.>
>>> 2021-11-15 07:04:51,141 DEBUG 
>>> [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - >> ticket [TST-396f9908-6411-4a39-9318-53da7953330a] to registry.>
>>> 2021-11-15 07:04:51,352 DEBUG 
>>> [org.apereo.cas.web.BaseDelegatedAuthenticationController] - >> final redirect action for client [#SAML2Client# | name: HVCC Login - POC | 
>>> callbackUrl: https://casdev.hvcc.edu/cas/login | urlResolver: 
>>> org.pac4j.core.http.url.DefaultUrlResolver@3538d8d6 | callbackUrlResolver: 
>>> org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@6785df10 | 
>>> ajaxRequestResolver: 
>>> org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@6e3705e6 | 
>>> redirectionActionBuilder: 
>>> org.pac4j.saml.redirect.SAML2RedirectionActionBuilder@140b4e00 | 
>>> credentialsExtractor: 
>>> org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@169e989c | 
>>> authenticator: 
>>> org.pac4j.saml.credentials.authenticator.SAML2Authenticator@65930cf1 | 
>>> profileCreator: 
>>> org.pac4j.core.profile.creator.AuthenticatorProfileCreator@10f5 | 
>>> logoutActionBuilder: 
>>> org.pac4j.saml.logout.SAML2LogoutActionBuilder@335d3d90 | 
>>> authorizationGenerators: [] |] as [#HttpAction# | code: 302 |]>
>>>
>>>
>>> In 6.4.2 (borked):
>>>
>>> 2021-11-15 06:56:22,281 DEBUG 
>>> [org.apereo.cas.support.pac4j.authentication.DefaultDelegatedClientFactory] 
>>> - >> callbackUrl: https://casdev.hvcc.edu/cas/login | urlResolver: null | 
>>> callbackUrlResolver: 
>>> org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@672e8871 | 
>>> ajaxRequestResolver: null | redirectionActionBuilder: null | 
>>> credentialsExtractor: null | authenticator: null | profileCreator: 
>>> org.pac4j.core.profile.creator.AuthenticatorProfileCreator@34e68840 | 
>>> logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@510203de | 
>>> authorizationGenerators: [] | checkAuthenticationAttempt: true |]>
>>> 2021-11-15 06:56:22,281 DEBUG 
>>> [org.aper

[cas-user] SAML2 Identity Provider Discovery

2021-11-17 Thread Sam Hough
Hi,

I'm wondering if anyone has used this feature?

https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#saml2-identity-provider-discovery

I assume you point CAS at a resource with:
cas.authn.pac4j.saml-discovery.resource[0].location=file:/etc/cas/config/json-feed.json
and that will point at IdPs but I'm struggling to find any more 
usage/documentation on it.

It sounds useful as I want to integrate 
with https://www.ukfederation.org.uk/ without re-inventing the wheel but 
I'm a bit lost. e.g. does this way of doing it not need a keystore if CAS 
is acting as an SP or have I missed the point?

Any pointers welcome. Googling that property didn't give the usual helpful 
hits.

Cheers

Sam



[cas-user] Re: delegated auth not working after upgrade to CAS 6.4.2

2021-11-10 Thread Sam Hough
Hi,

I'm not even managing to get this far, would you be kind enough to share 
your config? I'm really struggling with the documentation. I've had it 
working with previous versions. I should probably trawl through the RC 
docs, I think that is meant to be the migration guide.

Cheers

Sam

On Monday, 8 November 2021 at 19:50:24 UTC stou...@isu.edu wrote:

> I had delegated authentication working with CAS 6.3.7.1, but after I 
> upgraded to 6.4.2 I am getting the following error.
>
> 2021-11-08 12:36:40,578 DEBUG 
> [org.pac4j.core.context.session.JEESessionStore] -  retrieved session: null>
> 2021-11-08 12:36:40,578 DEBUG 
> [org.pac4j.core.context.session.JEESessionStore] -  key: SAMLRequest, no session available>
> 2021-11-08 12:36:40,594 WARN 
> [org.apereo.cas.web.DefaultDelegatedAuthenticationNavigationController] - 
> 
> java.lang.IllegalArgumentException: SAML request could not be determined 
> from session store
> at 
> org.apereo.cas.support.saml.web.idp.delegation.SamlIdPDelegatedClientAuthenticationRequestCustomizer.lambda$customize$0(SamlIdPDelegatedClientAuthenticationRequestCustomizer.java:42)
>  
> ~[cas-server-support-saml-idp-web-6.4.2.jar:6.4.2]
> at java.util.Optional.orElseThrow(Optional.java:408) ~[?:?]
> at 
> org.apereo.cas.support.saml.web.idp.delegation.SamlIdPDelegatedClientAuthenticationRequestCustomizer.customize(SamlIdPDelegatedClientAuthenticationRequestCustomizer.java:42)
>  
> ~[cas-server-support-saml-idp-web-6.4.2.jar:6.4.2]
> at 
> org.apereo.cas.web.BaseDelegatedAuthenticationController.lambda$getRedirectionAction$1(BaseDelegatedAuthenticationController.java:81)
>  
> ~[cas-server-support-pac4j-webflow-6.4.2.jar:6.4.2]
> at java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:183) 
> ~[?:?]
> at 
> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:177) 
> ~[?:?]
> at java.util.stream.SortedOps$SizedRefSortingSink.end(SortedOps.java:357) 
> ~[?:?]
> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) 
> ~[?:?]
> at 
> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) 
> ~[?:?]
> at 
> java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150) 
> ~[?:?]
> at 
> java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
>  
> ~[?:?]
> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) 
> ~[?:?]
> at java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:497) 
> ~[?:?]
> at 
> org.apereo.cas.web.BaseDelegatedAuthenticationController.getRedirectionAction(BaseDelegatedAuthenticationController.java:81)
>  
> ~[cas-server-support-pac4j-webflow-6.4.2.jar:6.4.2]
> at 
> org.apereo.cas.web.BaseDelegatedAuthenticationController.getResultingView(BaseDelegatedAuthenticationController.java:134)
>  
> ~[cas-server-support-pac4j-webflow-6.4.2.jar:6.4.2]
> at 
> org.apereo.cas.web.DefaultDelegatedAuthenticationNavigationController.redirectToProvider(DefaultDelegatedAuthenticationNavigationController.java:63)
>  
> ~[cas-server-support-pac4j-webflow-6.4.2.jar:6.4.2]
> at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
> ~[?:?]
> at 
> jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>  
> ~[?:?]
> at 
> jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>  
> ~[?:?]
> at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
> at 
> org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:197)
>  
> ~[spring-web-5.3.9.jar:5.3.9]
> at 
> org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:141)
>  
> ~[spring-web-5.3.9.jar:5.3.9]
> at 
> org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:106)
>  
> ~[spring-webmvc-5.3.9.jar:5.3.9]
> at 
> org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:895)
>  
> ~[spring-webmvc-5.3.9.jar:5.3.9]
> at 
> org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:808)
>  
> ~[spring-webmvc-5.3.9.jar:5.3.9]
> at 
> org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
>  
> ~[spring-webmvc-5.3.9.jar:5.3.9]
> at 
> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1064)
>  
> ~[spring-webmvc-5.3.9.jar:5.3.9]
> at 
> org.springframework.web.servlet.DispatcherSer

[cas-user] Re: 6.2 to 6.4 upgrade : no jdbc Handler

2021-11-09 Thread Sam Hough
Hi Marc,

What dependency do you have? The "overlay war" generator thing seems to 
spit out 'implementation 
"org.apereo.cas:cas-server-support-jdbc-authentication"' which is what I 
was using but the documentation and what works for me is 'implementation 
"org.apereo.cas:cas-server-support-jdbc"'

I'd raise a bug but I don't think they want bug reports!?

Cheers

Sam

On Friday, 5 November 2021 at 15:05:25 UTC Sam Hough wrote:

> Hi,
>
> No help but I think I've hit this too. Did you get anywhere? I'll start 
> looking again Monday.
>
> Cheers
>
> Sam
>
> On Friday, 22 October 2021 at 17:22:41 UTC+1 Marc Maurice wrote:
>
>> Hello,
>>
>> I'm trying to upgrade from 6.2 to 6.4.
>>
>> I have two authentication handlers: 1: jdbc mysql, 2: ADFS-wsfed.
>>
>> ADFS is working, but not mysql.
>>
>> In the debug Log, 6.2, I can see : 
>>
>> oct. 22 17:47:15 campus-sso-01 cas.war[104218]: 2021-10-22 17:47:15,947 
>> DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>> > [[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@6a878778,
>>  
>> *org.apereo.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler*@6e612122, 
>> org.apereo.cas.support.wsfederation.authentication.handler.support.WsFederationAuthenticationHandler@69d61a6f]]>
>>
>> In the 6.4 log, there is no jdbc handler detected.
>>
>> Any clue or log to enable in log4j to debug that ?
>>
>> cas.properties section :
>>
>> cas.authn.jdbc.query[0].sql=SELECT * FROM users WHERE email=?
>> cas.authn.jdbc.query[0].field-password=password
>> cas.authn.jdbc.query[0].url=jdbc:mysql://1.2.3.4/cas_recette?useLegacyDatetimeCode=false=Europe/Paris
>> #cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQLDialect
>> cas.authn.jdbc.query[0].user=cas_recette
>> cas.authn.jdbc.query[0].password=xxx
>> cas.authn.jdbc.query[0].driver-class=com.mysql.cj.jdbc.Driver
>> cas.authn.jdbc.query[0].principal-transformation.case-conversion=LOWERCASE
>> cas.authn.jdbc.query[0].password-encoder.type=BCRYPT
>> cas.authn.jdbc.query[0].password-encoder.secret=x
>> cas.authn.jdbc.query[0].password-encoder.strength=10
>>
>> cas.authn.jdbc.query[0].principal-attribute-list=email,firstname,lastname,cas_admin
>>
>> cas.authn.attribute-repository.core.default-attributes-to-release=email,firstname,lastname,cas_admin
>>
>>
>> Thanks in advance,
>>
>> Marc
>>
>



[cas-user] Re: 6.2 to 6.4 upgrade : no jdbc Handler

2021-11-05 Thread Sam Hough
Hi,

No help but I think I've hit this too. Did you get anywhere? I'll start 
looking again Monday.

Cheers

Sam

On Friday, 22 October 2021 at 17:22:41 UTC+1 Marc Maurice wrote:

> Hello,
>
> I'm trying to upgrade from 6.2 to 6.4.
>
> I have two authentication handlers: 1: jdbc mysql, 2: ADFS-wsfed.
>
> ADFS is working, but not mysql.
>
> In the debug Log, 6.2, I can see : 
>
> oct. 22 17:47:15 campus-sso-01 cas.war[104218]: 2021-10-22 17:47:15,947 
> DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>  [[org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@6a878778,
>  
> *org.apereo.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler*@6e612122, 
> org.apereo.cas.support.wsfederation.authentication.handler.support.WsFederationAuthenticationHandler@69d61a6f]]>
>
> In the 6.4 log, there is no jdbc handler detected.
>
> Any clue or log to enable in log4j to debug that ?
>
> cas.properties section :
>
> cas.authn.jdbc.query[0].sql=SELECT * FROM users WHERE email=?
> cas.authn.jdbc.query[0].field-password=password
> cas.authn.jdbc.query[0].url=jdbc:mysql://1.2.3.4/cas_recette?useLegacyDatetimeCode=false=Europe/Paris
> #cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQLDialect
> cas.authn.jdbc.query[0].user=cas_recette
> cas.authn.jdbc.query[0].password=xxx
> cas.authn.jdbc.query[0].driver-class=com.mysql.cj.jdbc.Driver
> cas.authn.jdbc.query[0].principal-transformation.case-conversion=LOWERCASE
> cas.authn.jdbc.query[0].password-encoder.type=BCRYPT
> cas.authn.jdbc.query[0].password-encoder.secret=x
> cas.authn.jdbc.query[0].password-encoder.strength=10
>
> cas.authn.jdbc.query[0].principal-attribute-list=email,firstname,lastname,cas_admin
>
> cas.authn.attribute-repository.core.default-attributes-to-release=email,firstname,lastname,cas_admin
>
>
> Thanks in advance,
>
> Marc
>



[cas-user] Re: What's the point of Initializr?

2021-08-27 Thread Sam Hough
I'm not really sure. I only hit this yesterday. I've had the job of 
customising CAS for the last seven years or so and every time my heart 
sinks as it is always really painful. My guess is (supported by links from 
the documentation) that you can more quickly start a build with custom 
features BUT seems a bit of an extra nightmare as the gradle file has so 
much extra stuff in it.

I tried pushing on with my maven based build (it was running tests, making 
an RPM so I didn't want to just trash it) but hit weird errors. I read 
about the "submit pull requests not bug reports" which is all great unless 
you are trying to work out if you have hit a bug. 

I know it is free software and I'm possibly biased by it being a Friday 
afternoon after an annoying week.

What did you decide to do? I'm wondering if I can have whatever the 
latest/greatest way to get a CAS build is in a black box then have an 
independent build system to customise it. Seems overkill for a SpringBoot 
thing.

Cheers

Sam

On Saturday, 31 July 2021 at 00:11:09 UTC+1 Dustin Luck wrote:

>
> I see that starting with today's release of CAS 6.3.6, the 
> cas-overlay-template project is being automatically generated from the CAS 
> Initializr. My current build process is as follows:
>
> 1. Check out or pull the latest source for the overlay template
> 2. Add the modules necessary for my specific build in build.gradle
> 3. Set my CAS version & container in gradle.properties
> 4. Configure properties files
> 5. Add UI customizations
> 6. Build WAR File (gradlew clean build)
>
> Does the Initializr just replace steps 1 & 2 or am I missing something? 
> Are there any benefits of using the Initializr over starting with the base 
> overlay template for someone who is experienced with configuring the 
> modules already?
>



Re: [cas-user] CAS 5.2.4 Endpoint access

2019-10-28 Thread Sam Erie
Thank you very much, that did the trick. Your site is a huge help, very
nice to have clear examples and explanations. The only thing I am still not
sure about is how to secure the /status endpoint.

On Fri, Oct 25, 2019 at 3:45 AM David Curry 
wrote:

> At first blush it looks like your cas.properties property names are wrong;
> there might be other things too that you didn't happen to quote. Here's a
> step-by-step for enabling them all, if you find it helpful:
>
>
> https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_overview.html
>
>
> --Dave
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 646 909-4728 • david.cu...@newschool.edu
>
>
> On Fri, Oct 25, 2019 at 1:09 AM Sam Erie  wrote:
>
>> I have been struggling to get access to development CAS v5.2.4 status
>> endpoints. I was unable to get them unsecured and went on to add Spring
>> Security with master user, who it is correctly validating, but somehow my
>> IP is still not authorized. Following are relevant properties and logs. I'm
>> confused by the fact that it should be matching any IP with .+ yet it still
>> says Unauthorized IP address. Any help would be much appreciated.
>>
>>
>> endpoints.status.enabled=true
>> endpoints.status.sensitive=false
>> endpoints.dashboard.enabled=true
>> endpoints.dashboard.sensitive=false
>> cas.adminPagesSecurity.ip=.+
>> security.user.name=admin
>> security.user.password=admin
>>
>>
>> 2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - 
>> <===
>> SECURITY ===>
>>
>> 2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - 
>> > https://sanitized/cas/status>
>>
>> 2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - 
>> 
>>
>> 2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - 
>> 
>> 2019-10-23 21:58:11,094 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic]
>>  - > #IpClient# | name: IpClient | credentialsExtractor: null | authenticator: 
>> IpRegexpAuthenticator[.+ ]
>>
>>  | profileCreator: 
>> org.pac4j.core.profile.creator.AuthenticatorProfileCreator@290e9599
>>  | authorizationGenerators: [] |]>
>>
>> 2019-10-23 21:58:11,095 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - 
>> 
>>
>> 2019-10-23 21:58:11,110 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - 
>> 
>> 2019-10-23 21:58:11,110 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic]
>>  - > #IpClient# | name: IpClient | credentialsExtractor: null | authenticator: 
>> IpRegexpAuthenticator[.+ ]
>>
>>  | profileCreator: 
>> org.pac4j.core.profile.creator.AuthenticatorProfileCreator@290e9599
>>  | authorizationGenerators: [] |>
>>
>> 2019-10-23 21:58:11,126 DEBUG [org.pac4j.http.client.direct.IpClient] - 
>> 
>>
>> 2019-10-23 21:58:11,126 INFO [org.pac4j.http.client.direct.IpClient] - 
>> > 172.21.96.74>
>>
>> 2019-10-23 21:58:11,126 DEBUG [org.pac4j.http.client.direct.IpClient] - 
>> 
>>
>> org.pac4j.core.exception.CredentialsException: Unauthorized IP address: 
>> 172.21.96.74
>>

[cas-user] CAS 5.2.4 Endpoint access

2019-10-24 Thread Sam Erie
I have been struggling to get access to development CAS v5.2.4 status
endpoints. I was unable to get them unsecured and went on to add Spring
Security with master user, who it is correctly validating, but somehow my
IP is still not authorized. Following are relevant properties and logs. I'm
confused by the fact that it should be matching any IP with .+ yet it still
says Unauthorized IP address. Any help would be much appreciated.


endpoints.status.enabled=true
endpoints.status.sensitive=false
endpoints.dashboard.enabled=true
endpoints.dashboard.sensitive=false
cas.adminPagesSecurity.ip=.+
security.user.name=admin
security.user.password=admin

2019-10-23 21:58:11,093 DEBUG
[org.pac4j.core.engine.DefaultSecurityLogic] - <===
SECURITY ===>
2019-10-23 21:58:11,093 DEBUG
[org.pac4j.core.engine.DefaultSecurityLogic] - https://sanitized/cas/status>
2019-10-23 21:58:11,093 DEBUG
[org.pac4j.core.engine.DefaultSecurityLogic] - 
2019-10-23 21:58:11,093 DEBUG
[org.pac4j.core.engine.DefaultSecurityLogic] - 
2019-10-23 21:58:11,094 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic]
 - 
2019-10-23 21:58:11,095 DEBUG
[org.pac4j.core.engine.DefaultSecurityLogic] -

2019-10-23 21:58:11,110 DEBUG
[org.pac4j.core.engine.DefaultSecurityLogic] - 
2019-10-23 21:58:11,110 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic]
 - 
2019-10-23 21:58:11,126 DEBUG [org.pac4j.http.client.direct.IpClient]
- 
2019-10-23 21:58:11,126 INFO [org.pac4j.http.client.direct.IpClient] -

2019-10-23 21:58:11,126 DEBUG [org.pac4j.http.client.direct.IpClient]
- 
org.pac4j.core.exception.CredentialsException: Unauthorized IP
address: 172.21.96.74
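
An added example, not part of the original post and not CAS project code: a small Python check over the property block quoted above that flags the values bearing on the follow-up question of how to secure /status. The function names, the probe addresses, the weak-password list and the full-match assumption for the IP regex are all assumptions of this sketch; whether CAS honours each key depends on the version, as the reply in this thread points out.

```python
import re

# Property block as posted in the message above, embedded as sample input.
POSTED_PROPERTIES = """\
endpoints.status.enabled=true
endpoints.status.sensitive=false
endpoints.dashboard.enabled=true
endpoints.dashboard.sensitive=false
cas.adminPagesSecurity.ip=.+
security.user.name=admin
security.user.password=admin
"""

# Constructed probe addresses, unrelated to each other. An allow-list regex
# that accepts all of them is not restricting anything.
PROBE_ADDRESSES = ("10.0.0.1", "172.21.96.74", "192.0.2.55",
                   "203.0.113.9", "2001:db8::1")

# Hypothetical short list of passwords treated as defaults (assumption).
WEAK_PASSWORDS = {"admin", "password", "changeit", "secret"}


def parse_properties(text):
    """Parse key=value / key:value lines of a .properties text into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def matches_every_address(pattern):
    """True if the regex fully matches every probe address, False if it
    rejects at least one, None if it does not compile.
    Assumption: the allow-list is applied as a full match. Python's regex
    dialect is close to, but not identical with, Java's."""
    try:
        compiled = re.compile(pattern)
    except re.error:
        return None
    return all(compiled.fullmatch(ip) for ip in PROBE_ADDRESSES)


def audit(props):
    """Return (key, reason) pairs for settings that weaken endpoint access control."""
    findings = []
    for key, value in props.items():
        parent, _, leaf = key.rpartition(".")
        if leaf == "sensitive" and value.lower() == "false":
            findings.append((key, "endpoint marked non-sensitive, so no "
                                  "authenticated user is required"))
        elif leaf == "ip":
            verdict = matches_every_address(value)
            if verdict is None:
                findings.append((key, "value is not a valid regular expression"))
            elif verdict:
                findings.append((key, "regex accepts every probe address, "
                                      "so it restricts nothing"))
        elif leaf == "password":
            user = props.get(parent + ".name", "")
            if value.lower() in WEAK_PASSWORDS or (user and value == user):
                findings.append((key, "default or guessable password"))
    return findings


if __name__ == "__main__":
    for key, reason in audit(parse_properties(POSTED_PROPERTIES)):
        print(f"{key}: {reason}")
```
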



[cas-user] Re: CAS 5.0.6, VersionResourceResolver and Cache-Busting

2019-08-30 Thread Sam Hough
Alternative solution (definitely not saying better):

Have own version of cas-theme-default.properties
cas.standard.css.file=/css/cas.css?v=${project.version}
cas.admin.css.file=/css/admin.css?v=${project.version}
cas.javascript.file=/js/cas.js?v=${project.version}

Get Maven to "filter" this file (stupid name), seems horribly verbose but 
best I've found is:


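<resources>
  <resource>
    <directory>src/main/resources</directory>
    <filtering>false</filtering>
    <excludes>
      <exclude>**/cas-theme-default.properties</exclude>
    </excludes>
  </resource>
  <resource>
    <directory>src/main/resources</directory>
    <filtering>true</filtering>
    <includes>
      <include>**/cas-theme-default.properties</include>
    </includes>
  </resource>
</resources>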




Easier in other build systems?

Bit shameful when this problem bit me.

Cheers

Sam


On Thursday, January 11, 2018 at 5:45:50 PM UTC, John Sampson wrote:
>
> Hello, I'm currently upgrading a highly customized 4.X CAS version to 
> 5.0.6 and running into a problem with cached assets on our F5 Appliance. 
>
> The problem is that many of the customized assets have the same name (ex. 
> cas.js) but different content, and while we can clear the F5 Ram Cache, 
> this does not allow us the flexibility to switch cleanly back and 
> forth between the two versioned deployments and we would rather add 
> a VersionResourceResolver to the newer version (5.0.X) of the application 
> so that all assets have hash codes in the file names so that the F5 
> appliance will cache the proper version, and the two applications will not 
> be getting one another's assets. 
>
>  If someone has already done this and could provide some pointers I would 
> appreciate it. I think I'm half way there, but am not sure I'm not mixing 
> solutions. We have a desire to get away from our highly customized versions 
> and back inline with the direction of the underlying CAS software (and this 
> is our first step).
>
> I've read several articles and gotten as far as encoding the urls in the 
> templates, but when the login page is accessed, the server returns a 404 
> for the javascript assets, so here is what I have in the 5.0.6 application:
>
> *Background/Environment:*
>
>  
>
> - Software: CAS 5.0.6 built with an overlay
> - Application.properties in src/main/resources
> - JavaScript resources in: src/main/resources/static/js
> - Thymeleaf templates in: src/main/resources/static/templates
> - Environment:
>   - Local: build and run locally via a fat jar.
>   - Everywhere else: fat jar built on Jenkins, Docker Image deployed
>     to K8S Cluster with an F5
>
>
> *Resources I've reviewed:*
>
>
> - CAS User Interface Customization
>   <https://apereo.github.io/cas/5.0.x/installation/User-Interface-Customization-CSSJS.html>
>   (No real info)
> - Spring Boot 1.4.2 Reference
>   <https://docs.spring.io/spring-boot/docs/1.4.2.RELEASE/reference/html/boot-features-developing-web-applications.html#boot-features-spring-mvc-static-content>
>   (Static Content, which suggests that the ResourceUrlEncodingFilter should be
>   AutoConfigured and handled internally by Thymeleaf but it doesn't seem to
>   be, which is why I added the bean and additional syntax to the templates
>   below).
>
>
> *Application.properties*
>
> spring.resources.chain.strategy.content.enabled=true
> spring.resources.chain.strategy.content.paths=/**
>
> *StaticResourceConfig.java*
>
> @Configuration
> public class StaticResourceConfig extends WebMvcConfigurerAdapter {
>     @Override
>     public void addResourceHandlers(ResourceHandlerRegistry registry) {
>         VersionResourceResolver versionResourceResolver = new VersionResourceResolver()
>                 .addVersionStrategy(new ContentVersionStrategy(), "/js/*.js");
>
>         registry.addResourceHandler("/js/**")
>                 .addResourceLocations("classpath:/static/")
>                 .setCachePeriod(60 * 60 * 24 * 365) /* one year */
>                 .resourceChain(true)
>                 .addResolver(versionResourceResolver);
>     }
>
>     /**
>      * Enables usage of versioned assets in thyme leaf templates.
>      * @return
>      */
>     @Bean
>     public ResourceUrlEncodingFilter resourceUrlEncodingFilter() {
>         return new ResourceUrlEncodingFilter();
>     }
> }
>
> *LoginForm.html* 
>
>  ... 
>
> <script type="text/javascript" th:src="${@mvcResourceUrlProvider.getForLookupPath('/js/login.js')}" />
>
> ...
>
>  
> The script tag above is rendered properly in the page by 
> the ResourceUrlEncodingFilter:
>
> 

[cas-user] ajp with cas-management-overlay

2018-05-24 Thread Sam Erie
Is there a way to use ajp with the cas-management-overlay?

I am using ajp with cas-overlay 5.2.4, but it uses the tomcat appserver -
and it doesn't look like that is available yet for the
cas-management-overlay.

The settings for my cas-overlay are as follows:

cas.server.ajp.secure=true
cas.server.ajp.enabled=true
cas.server.ajp.proxyPort=443
cas.server.ajp.protocol=AJP/1.3
cas.server.ajp.asyncTimeout=5
cas.server.ajp.scheme=https
cas.server.ajp.maxPostSize=20971520
cas.server.ajp.port=8009

I have tried to use similar properties for the manager, but it doesn't
work. I'm not entirely sure how the executable profile works, so I don't
know if what I'm trying is even possible.

The server I'm setting up needs to use httpd to serve pages, so ajp is not
an option at this point. I could attempt to use the built war in my own
servlet container to accomplish this, but if there is an easier way that is
just not documented yet I want to know.

Thanks in advance, I'm pretty new to this so any advice is appreciated.



Re: [cas-user] How to route new page

2018-05-24 Thread Sam Erie
Seems so obvious now that you say it. Thank you very much, works like a
charm.

On Thu, May 24, 2018 at 12:14 PM, David Curry <david.cu...@newschool.edu>
wrote:

> The "root" of the web server, i.e., where "https://casserver/cas" points,
> is the ".../webapps/cas/WEB-INF/classes/static" directory. And you can't
> "../" your way out of there, for security reasons.
>
> So on further thought, you probably need to move "timeout.html" into the
> "static" directory and then redirect to "/timeout.html".
>
> --Dave
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>
>
>
> On Thu, May 24, 2018 at 4:05 PM Sam Erie <se...@alaska.edu> wrote:
>
>> Absolutely that would work. I think I am still doing something wrong
>> though. I have timedOut.html under templates next to casLoginView.html etc.
>> When I redirect to /cas/timedOut.html it gives me a cas page not found
>> page. When I redirect to /timedOut.html it says my page is not found on the
>> server. I could put the page directly on my server, but I would much rather
>> keep it in the cas webapp to make deploying on other servers easier.
>>
>> Perhaps there is a better way to redirect, I'm upgrading an old version
>> of cas so I may be using an outdated method. I do window.location =
>> myRedirect; in a script in the loginform.html fragment. Where myRedirect is
>> "/cas/timedOut.html". It just goes to https://server/cas/timedOut.html.
>>
>> Thank you for your time, and I apologize I have limited experience with
>> java webflows.
>>
>> On Thu, May 24, 2018 at 11:39 AM, David Curry <david.cu...@newschool.edu>
>> wrote:
>>
>>> How strongly do you feel about having "https://server/cas/timeout" as
>>> opposed to "https://server/cas/timeout.html"?
>>>
>>> If you're fine with the latter, you should just be able to drop
>>> "timeout.html" into the same place where all the other casWhateverView.html
>>> pages are and redirect to "/timeout.html".
>>>
>>> Or, since you have access to jQuery and all that good stuff, you could
>>> perhaps do something like:
>>>
>>> $("#cas.login").replaceWith("TimeoutYou are too slow. Go
>>> away.");
>>>
>>>
>>> If you really want the "/cas/timeout" thing, then I believe you'd have
>>> to add it to extend the webflow (or create a new one?).
>>>
>>> Just some ideas...
>>>
>>> --
>>>
>>> DAVID A. CURRY, CISSP
>>> *DIRECTOR OF INFORMATION SECURITY*
>>> INFORMATION TECHNOLOGY
>>>
>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>>
>>>
>>>
>>> On Thu, May 24, 2018 at 3:18 PM Sam Erie <se...@alaska.edu> wrote:
>>>
>>>> I am trying to provide a timeout page to redirect to when a timer on my
>>>> login page goes off. I can get it to redirect, but there is no page so it
>>>> just goes to the not found page. Is there an easy way to route an extra
>>>> page so I can go to https://server:8443/cas/timeOut?
>>>>
>>>> Or how would I go about using fragments to show my timeOut.html page?
>>>>

Re: [cas-user] How to route new page

2018-05-24 Thread Sam Erie
Absolutely that would work. I think I am still doing something wrong
though. I have timedOut.html under templates next to casLoginView.html etc.
When I redirect to /cas/timedOut.html it gives me a cas page not found
page. When I redirect to /timedOut.html it says my page is not found on the
server. I could put the page directly on my server, but I would much rather
keep it in the cas webapp to make deploying on other servers easier.

Perhaps there is a better way to redirect, I'm upgrading an old version of
cas so I may be using an outdated method. I do window.location =
myRedirect; in a script in the loginform.html fragment. Where myRedirect is
"/cas/timedOut.html". It just goes to https://server/cas/timedOut.html.

Thank you for your time, and I apologize I have limited experience with
java webflows.

On Thu, May 24, 2018 at 11:39 AM, David Curry <david.cu...@newschool.edu>
wrote:

> How strongly do you feel about having "https://server/cas/timeout" as
> opposed to "https://server/cas/timeout.html"?
>
> If you're fine with the latter, you should just be able to drop
> "timeout.html" into the same place where all the other casWhateverView.html
> pages are and redirect to "/timeout.html".
>
> Or, since you have access to jQuery and all that good stuff, you could
> perhaps do something like:
>
> $("#cas.login").replaceWith("TimeoutYou are too slow. Go
> away.");
>
>
> If you really want the "/cas/timeout" thing, then I believe you'd have to
> add it to extend the webflow (or create a new one?).
>
> Just some ideas...
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>
>
>
> On Thu, May 24, 2018 at 3:18 PM Sam Erie <se...@alaska.edu> wrote:
>
>> I am trying to provide a timeout page to redirect to when a timer on my
>> login page goes off. I can get it to redirect, but there is no page so it
>> just goes to the not found page. Is there an easy way to route an extra
>> page so I can go to https://server:8443/cas/timeOut?
>>
>> Or how would I go about using fragments to show my timeOut.html page?
>>



[cas-user] How to route new page

2018-05-24 Thread Sam Erie
I am trying to provide a timeout page to redirect to when a timer on my
login page goes off. I can get it to redirect, but there is no page so it
just goes to the not found page. Is there an easy way to route an extra
page so I can go to https://server:8443/cas/timeOut?

Or how would I go about using fragments to show my timeOut.html page?



[cas-user] How to set custom Java TrustStore for CAS Maven Overlay

2018-05-23 Thread Sam Erie
So I have tested my certifications using the suggested SSLPoke tool, and I
know I can use the java option -Djavax.net.ssl.trustStore= to make
CAS use the correct custom java truststore for my ldap connection. I was
even able to get it to run like java -Djavax.net.ssl.trustStore= -jar
target/cas.war. However I am trying to set it up to use ./build.sh run
maven command.

My question is how can I set a custom truststore for CAS to run? There is a
keystore property, and a trustCertificates property (which does not take a
keystore, only loose certs). There is a truststore property for server or
httpClient. I must be missing something, because this seems like a pretty
common usage case.

Or is there a way to set the execution command? Or an environmental
variable I can set? (I tried JAVA_OPTS, MAVEN_OPTS, CATALINA_OPTS etc) I
have tried many things, but there is so much documentation I am having
trouble finding this specific answer.

I appreciate any advice, hopefully this isn't something extremely obvious
that is just eluding me because I have been staring at it for so long.



Re: [cas-user] Service Manager question

2018-05-22 Thread Sam Erie
So I tried putting in a simple test.war that I know can be served from my
local version of tomcat. When I use cas with ./build.sh run I am able to
access the cas webapp from my browser. After the build I have tried putting
test.war into /cas-overlay-template/target/test.war by the cas.war. I also
tried putting it into
/cas-overlay-template/build/tomcat/work/Tomcat/localhost/test/test.war.

It serves cas with a nice 302 in the access logs, but test gets a 404.

I don't see a place to put it, like my local tomcat has a webapps folder. I
have not tried it with the cas-management.war yet because I am having build
problems. I think I need to try the gradle build, as the maven is giving me
issues.

Am I missing something, like does cas' embedded tomcat need the war in a
special format? Or did I misunderstand you and I do need to run these from
my own local tomcat?


On Mon, May 21, 2018 at 5:35 PM, Mailvaganam, Hari <hari.mailvaga...@ubc.ca>
wrote:

> >Is this the intended replacement service manager?
>
> Yes --- for management via a UI
>
> >I could imagine just adding the war to the work directory of the cas
> tomcat build, but the build folder doesn't contain cas.war, or any tomcat
> config files,
>
> Drop in the WAR file after build --- default name is 'cas-management'
>
> You will have 2 paths in same tomcat ---
>
> hxxps://foobar/cas
> hxxps://foobar/cas-management
>
> --
> *From:* cas-user@apereo.org [cas-user@apereo.org] on behalf of Sam Erie [
> se...@alaska.edu]
> *Sent:* Monday, May 21, 2018 15:53
> *To:* cas-user@apereo.org
> *Subject:* [cas-user] Service Manager question
>
> I am attempting to recreate my university's cas installation from version
> 3.5 currently in production to the new 5.2. The service manager in use now
> uses j_acegi_cas_security_check. As far as I can tell from the
> documentation this has been separated into a new webapp, which I am
> currently exploring at https://github.com/apereo/cas-management-overlay.
>
> Is this the intended replacement service manager?
>
> Assuming that it is I need to plan how to run these webapps from a single
> server. Initially I was planning to use the maven cas-overlay's embedded
> tomcat server to serve cas. Ideally the server would not need to run two
> instances of tomcat. If I was to run only the executable war for cas is
> there a way to package the cas-management.war and run it from the cas
> embedded tomcat?
>
> I could imagine just adding the war to the work directory of the cas
> tomcat build, but the build folder doesn't contain cas.war, or any tomcat
> config files, so I am a little confused as to how this would work.
>
> Is there some intended way to do this I am overlooking? Or is the best
> option to just package both webapps to run on my own servlet container, and
> run from a locally installed tomcat on my server?
>


[cas-user] Service Manager question

2018-05-21 Thread Sam Erie
I am attempting to recreate my university's cas installation from version
3.5 currently in production to the new 5.2. The service manager in use now
uses j_acegi_cas_security_check. As far as I can tell from the
documentation this has been separated into a new webapp, which I am
currently exploring at https://github.com/apereo/cas-management-overlay.

Is this the intended replacement service manager?

Assuming that it is I need to plan how to run these webapps from a single
server. Initially I was planning to use the maven cas-overlay's embedded
tomcat server to serve cas. Ideally the server would not need to run two
instances of tomcat. If I was to run only the executable war for cas is
there a way to package the cas-management.war and run it from the cas
embedded tomcat?

I could imagine just adding the war to the work directory of the cas tomcat
build, but the build folder doesn't contain cas.war, or any tomcat config
files, so I am a little confused as to how this would work.

Is there some intended way to do this I am overlooking? Or is the best
option to just package both webapps to run on my own servlet container, and
run from a locally installed tomcat on my server?



Re: [cas-user] Re: Size of maven cas-overlay-template

2018-05-17 Thread Sam Erie
Thank you sir. That is how it seemed, just wanted to make sure I have done
everything possible before requesting more space on the server.

On Wed, May 16, 2018 at 10:40 PM, Andy Ng <long...@gmail.com> wrote:

> Hi Sam,
>
> Since the default CAS 5 server already included so many components, the
> large size is to be expected I think,
> and I also tried but failed to find any way to shrink down the size of CAS
> 5.
>
> However, my previous blockage is actually *I hit tomcat default
> max-file-size*, and actually I can do this and be fine:
> "https://maxrohde.com/2011/04/27/large-war-file-cannot-be-deployed-in-tomcat-7/".
> If it is also your case then this might help you.
>
> But if for other reason, then I probably can't help you...
>
> Cheers!
> - Andy
>
>
> On Thursday, 17 May 2018 09:01:14 UTC+8, Sam Erie wrote:
>>
>> I am putting together CAS version 5.2.4.x, and I would like to run it as
>> an executable war, however the size of the built project is still too big
>> for the server I am developing it for. I have taken out as many of the
>> obviously unneeded dependencies from pom.xml as I can, but I cannot seem
>> to get the build any smaller than 309 MB.
>>
>> Is there any documentation on minimal builds? Or does that seem like a
>> minimal size? Any information on how I could go about paring down the
>> final build size and still be able to run as executable war would be
>> appreciated.
>>


[cas-user] Size of maven cas-overlay-template

2018-05-16 Thread Sam Erie
I am putting together CAS version 5.2.4.x, and I would like to run it as an
executable war, however the size of the built project is still too big for
the server I am developing it for. I have taken out as many of the
obviously unneeded dependencies from pom.xml as I can, but I cannot seem
to get the build any smaller than 309 MB.

Is there any documentation on minimal builds? Or does that seem like a
minimal size? Any information on how I could go about paring down the
final build size and still be able to run as executable war would be
appreciated.



[cas-user] CAS 5.1 and principal resolver

2017-07-04 Thread Sam Hough
Hello,

I'm trying to upgrade a 4.0.x installation to 5.1.x (time to upgrade plus 
looks easier to add oauth, saml etc)...

One bit I'm really struggling is via JDBC users can validate using one 
combination of username/password BUT if present we resolve the principal as 
a different username (again via JDBC). NB we have multiple authentication 
handlers and this bit is only needed for one of them.

This was pretty easy in 4.0.x as all setup via spring and I could wire in a 
PrincipalResolver.

I get the impression that in 5.1.x personDirectory is the thing to use but 
I'm struggling to see how to use it, never mind only kick in for one 
handler.

Please could somebody point me in the right direction?

Cheers

Sam

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/54228c3e-91bd-49f7-bee2-3a44687811a7%40apereo.org.


[cas-user] CAS 3.5.2 -> 4.2.5 migration with ClearPass Proxy Authentication

2016-11-15 Thread Sam
Hi,

First off thanks to Dmitriy and Travis for your help with my Duo question; 
moving to version 5.0.0 would be what I would want to do but I think I have 
a legacy dependency problem that I need to sort out before I can.

Currently I'm working to migrate an old CAS 3.5.2 installation to something 
that is at least getting security updates. One feature of the 3.5.2 
installation is that it uses the original proxy style ClearPass described 
here:
https://apereo.github.io/cas/4.2.x/integration/ClearPass-Proxy-Authentication.html.

I can see this is deprecated (and rightly so) and that there is an 
alternative that uses public key encryption, however thinking about our 
specific context I know there is a dependent service that uses ClearPass by
proxy. I suspect that it'd be about as much work to change that to
ClearPass by encryption as it would be to remove ClearPass entirely, and I
think a change to encrypted ClearPass would mean we'd have to synchronise
the changes to the authentication stack to coincide with the changes to the
dependent service (removing ClearPass doesn't have this issue). I don't
think changing the dependent service is going to be trivial but long term
it obviously needs to happen. So I'm left with what I can do short term.

So after quite a lot of preamble/disclaimer here is the problem I've been 
working on:

I followed these instructions 
(https://apereo.github.io/cas/4.2.x/integration/ClearPass-Proxy-Authentication.html)
and on starting Tomcat got an exception:

2016-11-07 12:00:08,802 ERROR [org.springframework.web.context.ContextLoader] - org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'singleSignOnSessionsReportController': Injection of autowired dependencies failed;
nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire field: private org.jasig.cas.authentication.AuthenticationSystemSupport org.jasig.cas.web.report.SingleSignOnSessionsReportController.authenticationSystemSupport;
nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'defaultAuthenticationSystemSupport': Injection of autowired dependencies failed;
nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire field: private org.jasig.cas.authentication.AuthenticationTransactionManager org.jasig.cas.authentication.DefaultAuthenticationSystemSupport.authenticationTransactionManager;
nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'defaultAuthenticationTransactionManager': Injection of autowired dependencies failed;
nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire field: private org.jasig.cas.authentication.AuthenticationManager org.jasig.cas.authentication.DefaultAuthenticationTransactionManager.authenticationManager;
nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationManager': Injection of resource dependencies failed;
nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationMetadataPopulators': Cannot create inner bean 'org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator#38b9242e' of type [org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator] while setting bean property 'sourceList' with key [2];
nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator#38b9242e' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Cannot resolve reference to bean 'encryptedMap' while setting constructor argument;
nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'encryptedMap' is defined

I've taken the liberty of trimming it to that point for brevity's sake; there
wasn't a bean called encryptedMap so the initialisation of the ClearPass 
CacheCredentialsMetaDataPopulator failed and in turn the overall context 
failed to start.

After some time I managed to get past this point by defining a bean like the
one below:


This seems to allow the beans to start, and the overall CAS webapp seems to 
run and allow logins. I still need to find a way to functionally test the 
ClearPass part however so I don't know if it actually works!

My question is twofold:
1) Is the use of HashMap suitable here?
2) Is this the right way to configure this style of ClearPass on this 
version of CAS (4.2.x)?

All the best,

Sam Jones
