[cas-user] Re: What do you use for CAS auditing?

2023-09-26 Thread William Vincent (Wix31)
Hello,

Is it possible to have the Logstash Grok patterns on a GitHub repository? 
This way, we can avoid reinventing the wheel.

Thank you in advance.

On Tuesday, 26 March 2019 at 17:20:09 UTC+1, magicserverpixiedust wrote:

> Using Elasticsearch for CAS auditing here.  Filebeat agent tails the cas 
> audit logs and sends to logstash for parsing/field mappings then off to 
> Elasticsearch.  Kibana web front end for pretty dashboards/reports.  We 
> have about 15 months worth of CAS audit logs from 30k users in our 
> Elasticsearch cluster, cool stuff.  
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1f6724d6-65cf-436a-ba99-e48a270e613dn%40apereo.org.


[cas-user] Re: Multi-host feature: contribution?

2023-09-15 Thread William Vincent (Wix31)
Hello,
Yes, it would be interesting, because I have sso.domain.fr, sso1.domain.fr and 
sso2.domain.fr, and I have to modify my configuration file when, for example, 
I want to test a new version.

On Friday, 15 September 2023 at 15:04:26 UTC+2, Jérôme LELEU wrote:

> Hi,
>
> One of my customers has requested a customisation to support 
> multiple hosts for the OIDC protocol, meaning the same CAS (acting as an 
> OIDC server) works for www.host1.com and www.host2.com.
> For the CAS protocol, there is no problem, it works out of the box.
>
> I'd like to know if this could be a useful contribution.
>
> Has anyone ever implemented or been interested in this feature?
>
> Thanks.
> Best regards,
> Jérôme
>
>



[cas-user] OIDC : random connection issue

2023-09-15 Thread William Vincent (Wix31)
Hello,
We have a random connection issue with our internal GitLab service through our 
CAS with the OIDC module. In the logs, we see the following message:
"Registered service [oidc-gitlab] is not found or is not authorized for 
access."
A simple container restart is enough to get the connection working again.
Do you have any ideas?

Service configuration:

etc/cas/services/gitlab-101.json
{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "https://gitlab..fr/users/auth/openid_connect/callback",
  "name": "Gitlab",
  "description": "Authentification OpenID à gitlab",
  "id": 101,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ChainingAttributeReleasePolicy",
    "policies": [
      "java.util.ArrayList",
      [
        {
          "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
          "allowedAttributes": [
            "java.util.ArrayList",
            [ "cn", "displayName", "givenName", "mail", "uid", "sn" ]
          ],
          "order": 0
        },
        {
          "@class": "org.apereo.cas.oidc.claims.OidcProfileScopeAttributeReleasePolicy",
          "claimMappings": {
            "@class": "java.util.TreeMap",
            "preferred_username": "uid",
            "name": "displayName",
            "family_name": "sn",
            "email": "mail",
            "given_name": "givenName"
          },
          "order": 1
        }
      ]
    ]
  },
  "ticketGrantingTicketExpirationPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceTicketGrantingTicketExpirationPolicy",
    "maxTimeToLiveInSeconds": 72000
  },
  "clientId": "oidc-gitlab",
  "clientSecret": "xxx",
  "bypassApprovalPrompt": true,
  "scopes": [ "java.util.HashSet", [ "profile", "openid", "offline_access", "email" ] ],
  "supportedResponseTypes": [ "java.util.HashSet", [ "code" ] ],
  "supportedGrantTypes": [ "java.util.HashSet", [ "authorization_code" ] ]
}
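An added example (not from the original post and not CAS's own code) that reads a service definition in the form above: it unwraps the Jackson typed-collection wrappers (["java.util.ArrayList", [...]]), lists the attributes the chained policies release, and checks whether a client_id and redirect_uri would be accepted, treating serviceId as the regular expression CAS documents it to be. The host gitlab.example.org is a constructed stand-in for the redacted one; that the pattern is applied as a regex search rather than a full match is an assumption noted in the code.

```python
import json
import re

# Constructed copy of the gitlab-101.json definition above, trimmed to the fields
# the checks use; "gitlab.example.org" stands in for the redacted host, and the
# unescaped dots of the original serviceId are deliberately preserved.
SERVICE_JSON = r'''{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "serviceId": "https://gitlab.example.org/users/auth/openid_connect/callback",
  "name": "Gitlab",
  "id": 101,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ChainingAttributeReleasePolicy",
    "policies": ["java.util.ArrayList", [
      {"@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
       "allowedAttributes": ["java.util.ArrayList",
                             ["cn", "displayName", "givenName", "mail", "uid", "sn"]],
       "order": 0},
      {"@class": "org.apereo.cas.oidc.claims.OidcProfileScopeAttributeReleasePolicy",
       "claimMappings": {"@class": "java.util.TreeMap", "preferred_username": "uid",
                         "name": "displayName", "family_name": "sn", "email": "mail",
                         "given_name": "givenName"},
       "order": 1}
    ]]
  },
  "clientId": "oidc-gitlab",
  "scopes": ["java.util.HashSet", ["profile", "openid", "offline_access", "email"]],
  "supportedResponseTypes": ["java.util.HashSet", ["code"]],
  "supportedGrantTypes": ["java.util.HashSet", ["authorization_code"]]
}'''

# Jackson typed-collection wrappers that CAS writes as ["<java class>", [ ...items... ]].
TYPED_COLLECTIONS = {"java.util.ArrayList", "java.util.LinkedList",
                     "java.util.HashSet", "java.util.LinkedHashSet", "java.util.TreeSet"}


def unwrap(node):
    """Recursively replace typed-collection wrappers with plain Python lists."""
    if isinstance(node, list) and len(node) == 2 and node[0] in TYPED_COLLECTIONS:
        return [unwrap(item) for item in node[1]]
    if isinstance(node, list):
        return [unwrap(item) for item in node]
    if isinstance(node, dict):
        return {key: unwrap(value) for key, value in node.items()}
    return node


def load_service(text):
    """Parse a CAS registered-service JSON document into plain Python structures."""
    return unwrap(json.loads(text))


def released_attributes(service):
    """Attribute names the chained release policies can hand to the client."""
    names = set()
    for policy in service["attributeReleasePolicy"]["policies"]:
        cls = policy["@class"]
        if cls.endswith("ReturnAllowedAttributeReleasePolicy"):
            names.update(policy["allowedAttributes"])
        elif cls.endswith("OidcProfileScopeAttributeReleasePolicy"):
            # claimMappings is claim -> attribute; the values are the attributes read
            names.update(v for k, v in policy["claimMappings"].items() if k != "@class")
    return names


def authorizes(service, client_id, redirect_uri):
    """Would this definition accept the client and its redirect_uri?

    Assumption: serviceId is applied as a regular-expression search against the
    redirect URI (CAS documents serviceId as a regex; whether the match is
    anchored is not stated on this page).
    """
    if service.get("clientId") != client_id:
        return False
    return re.search(service["serviceId"], redirect_uri) is not None


def lint_service_id(pattern):
    """Review findings for a serviceId pattern: unanchored, or containing bare dots."""
    findings = []
    if not (pattern.startswith("^") and pattern.endswith("$")):
        findings.append("pattern is not anchored with ^ and $")
    if re.search(r"(?<!\\)\.", pattern):
        findings.append("unescaped '.' matches any character and widens the accepted hosts")
    return findings
```

Running lint_service_id on the posted serviceId reports both findings; the anchored, dot-escaped form `^https://gitlab\.example\.org/users/auth/openid_connect/callback$` reports none.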



Re: [cas-user] Throttling Authentication Attempts doesn't work

2023-04-06 Thread William Vincent
Hi,
It works, the user can log in even when using a wrong password.
William

On Wed, 5 Apr 2023 at 23:56, Ray Bon wrote:

> William,
>
> If the throttled user tries to log in after the page refresh, what happens?
>
> Ray
>
> On Wed, 2023-04-05 at 07:14 -0700, William Vincent (Wix31) wrote:
>
> Hello,
> I have a problem with throttling.
> When I do a lot of unsuccessful tries I get the message "Unauthorized
> access You have entered the wrong password too many times in a row. You
> have been rejected.".
> But if I refresh the page, the form is displayed and in
> "cas/actuator/throttles" the line with my IP disappears.
> How do I make this persistent?
> Also, would it be possible to send this IP to nftables?
> Thanks in advance
>
>
> My configuration:
> CAS 6.6.6
>
> build.gradle:
> //authentication/Configuring-Authentication-Throttling = DDOS protection
> implementation "org.apereo.cas:cas-server-support-throttle-bucket4j:${project.'cas.version'}"
> //authentication/Configuring-Authentication-Throttling = brute-force protection
> implementation "org.apereo.cas:cas-server-support-throttle:${project.'cas.version'}"
>
> cas.properties:
> # DDOS / brute-force protection
> cas.authn.throttle.failure.range-seconds=30
> cas.authn.throttle.failure.threshold=12
> cas.authn.throttle.core.username-parameter=username
>
> # Throttle DDOS
> cas.authn.throttle.bucket4j.blocking=true
> cas.authn.throttle.bucket4j.enabled=true
> cas.authn.throttle.bucket4j.bandwidth[0].duration=PT60S
> cas.authn.throttle.bucket4j.bandwidth[0].capacity=50
>
>


-- 
-- William VINCENT, systems and network administrator



Re: [cas-user] Throttling Authentication Attempts doesn't work

2023-04-06 Thread William Vincent
Ah ok, thanks.
I understand now; I was confused, I thought it was like fail2ban, but it's a
rate-limiting system!

But it's badly done, because if I set
cas.authn.throttle.failure.range-seconds=3600
cas.authn.throttle.failure.threshold=5

it does not block for 1 hour if I have 5 bad logins.

So I have to find another solution for banning, maybe by changing the log
format to have it parsed by fail2ban.

On Thu, 6 Apr 2023 at 09:43, Pascal Rigaux wrote:

> Hi,
>
> Throttling protects against brute force, so by the time you refresh the page
> *manually*, the throttling has been removed.
>
> We have the exact same throttle conf. This conf allows 1 error per 2.5
> seconds: you must wait 2.5 seconds after a failure, otherwise it will be rejected.
> Our integration tests cover this:
> https://github.com/UnivParis1/integration-tests-cas-server/blob/main/throttle.test.js
> (it checks French messages, but you should get it)
>
> On this subject, check
> https://apereo.github.io/cas/6.6.x/authentication/Configuring-Authentication-Throttling.html#failure-throttling
>
> | Threshold Rate
> |
> | The failure threshold rate is calculated as: failureThreshold /
> failureRangeInSeconds. For instance, the failure rate for the above
> scenario would be 0.33. An authentication
> attempt may be considered throttled if the request submission rate
> (calculated as the difference between the current date and the last
> submission date) exceeds the failure
> threshold rate.
>
> cu
>
>
> On 05/04/2023 16:14, William Vincent (Wix31) wrote:
> > Hello,
> > I have a problem with throttling.
> > When I do a lot of unsuccessful tries I get the message "Unauthorized
> > access You have entered the wrong password too many times in a row. You
> > have been rejected.".
> > But if I refresh the page, the form is displayed and in
> > "cas/actuator/throttles" the line with my IP disappears.
> > How do I make this persistent?
> > Also, would it be possible to send this IP to nftables?
> > Thanks in advance
> >
> >
> > My configuration:
> > CAS 6.6.6
> >
> > build.gradle:
> >  //authentication/Configuring-Authentication-Throttling = DDOS protection
> >  implementation "org.apereo.cas:cas-server-support-throttle-bucket4j:${project.'cas.version'}"
> >  //authentication/Configuring-Authentication-Throttling = brute-force protection
> >  implementation "org.apereo.cas:cas-server-support-throttle:${project.'cas.version'}"
> >
> > cas.properties:
> > # DDOS / brute-force protection
> > cas.authn.throttle.failure.range-seconds=30
> > cas.authn.throttle.failure.threshold=12
> > cas.authn.throttle.core.username-parameter=username
> >
> > # Throttle DDOS
> > cas.authn.throttle.bucket4j.blocking=true
> > cas.authn.throttle.bucket4j.enabled=true
> > cas.authn.throttle.bucket4j.bandwidth[0].duration=PT60S
> > cas.authn.throttle.bucket4j.bandwidth[0].capacity=50
> >


-- 
-- William VINCENT, systems and network administrator
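The rule Pascal quotes from the CAS docs, modelled directly as an added example (not CAS's own code and not from either poster): the threshold rate 12/30 = 0.4 failures per second tolerates one failure every 2.5 s, and 5/3600 tolerates one every 720 s, which is why five bad logins do not produce a one-hour block. The client IP and timestamps are constructed, and the assumption that a rejected attempt records no new failure is labelled in the code.

```python
from dataclasses import dataclass, field


@dataclass
class FailureThrottle:
    """Models cas.authn.throttle.failure.threshold / range-seconds as the quoted
    documentation describes it.

    threshold_rate = failure_threshold / failure_range_seconds (failures per second).
    A new submission is throttled when its submission rate, 1 / (seconds since the
    last recorded failure from the same client), exceeds threshold_rate.
    """
    failure_threshold: int
    failure_range_seconds: int
    # client key (an IP address here) -> time in seconds of the last recorded failure
    last_failure: dict = field(default_factory=dict)

    @property
    def threshold_rate(self) -> float:
        return self.failure_threshold / self.failure_range_seconds

    @property
    def min_gap_seconds(self) -> float:
        """Shortest gap after a failure at which the next attempt is still accepted."""
        return self.failure_range_seconds / self.failure_threshold

    def is_throttled(self, key: str, now: float) -> bool:
        last = self.last_failure.get(key)
        if last is None:
            return False  # no recorded failure: nothing to compare against
        elapsed = now - last
        if elapsed <= 0:
            return True  # same instant (or clock skew): certainly too fast
        return (1.0 / elapsed) > self.threshold_rate

    def record_failure(self, key: str, now: float) -> None:
        self.last_failure[key] = now


def simulate(failure_threshold, failure_range_seconds, attempt_times,
             key="203.0.113.10"):
    """Replay wrong-password attempts (timestamps in seconds) from one constructed
    client IP and return, per attempt, whether it was throttled.

    Assumption: a throttled attempt is rejected before authentication runs, so it
    does not record a new failure; only attempts that reach authentication do.
    """
    throttle = FailureThrottle(failure_threshold, failure_range_seconds)
    verdicts = []
    for when in attempt_times:
        blocked = throttle.is_throttled(key, when)
        verdicts.append(blocked)
        if not blocked:
            throttle.record_failure(key, when)
    return verdicts


if __name__ == "__main__":
    # The posted config (12 failures / 30 s): one failure every 2.5 s is tolerated.
    print(FailureThrottle(12, 30).min_gap_seconds)   # 2.5
    print(simulate(12, 30, [0, 1, 2.6, 5]))          # [False, True, False, True]
    # The 5 / 3600 variant: five bad logins a minute apart, then one 721 s later.
    print(FailureThrottle(5, 3600).min_gap_seconds)  # 720.0
    print(simulate(5, 3600, [0, 60, 120, 180, 240, 721]))
    # [False, True, True, True, True, False]: no one-hour ban, only a 720 s gap
```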


[cas-user] Throttling Authentication Attempts doesn't work

2023-04-05 Thread William Vincent (Wix31)
Hello,
I have a problem with throttling.
When I do a lot of unsuccessful tries I get the message "Unauthorized 
access You have entered the wrong password too many times in a row. You 
have been rejected.".
But if I refresh the page, the form is displayed and in 
"cas/actuator/throttles" the line with my IP disappears.
How do I make this persistent?
Also, would it be possible to send this IP to nftables?
Thanks in advance


My configuration:
CAS 6.6.6

build.gradle:
//authentication/Configuring-Authentication-Throttling = DDOS protection
implementation "org.apereo.cas:cas-server-support-throttle-bucket4j:${project.'cas.version'}"
//authentication/Configuring-Authentication-Throttling = brute-force protection
implementation "org.apereo.cas:cas-server-support-throttle:${project.'cas.version'}"

cas.properties:
# DDOS / brute-force protection
cas.authn.throttle.failure.range-seconds=30
cas.authn.throttle.failure.threshold=12
cas.authn.throttle.core.username-parameter=username

# Throttle DDOS
cas.authn.throttle.bucket4j.blocking=true
cas.authn.throttle.bucket4j.enabled=true
cas.authn.throttle.bucket4j.bandwidth[0].duration=PT60S
cas.authn.throttle.bucket4j.bandwidth[0].capacity=50



Re: [cas-user] Cannot open Apereo CAS version 5.3.x document

2022-04-23 Thread William Jojo
Try https://apereo.github.io/cas/Older-Versions.html

Sent from a device.

> On Apr 23, 2022, at 11:31 AM, '刘观良' via CAS Community wrote:
> 
> 
> Why can 5.3.x not be opened, while version 6.x and above can be opened? I checked it 
> two days ago, and it could be opened.
> 
> A 404 appears:
> https://apereo.github.io/cas/5.3.x/index.html
> 
> Time now: 2022-4-23 20:30:22



Re: [cas-user] How to set up CAS SSO: Help, some ideas or resources

2022-04-14 Thread William Jojo
@RootName,

Welcome to CAS!

To better assist you, what exactly do you want out of this? CAS as an IdP
with only the CAS protocol, SAML or both?

Moodle: https://docs.moodle.org/311/en/CAS_server_(SSO)_authentication
Office 365:
https://apereo.github.io/2018/12/06/cas53-office365-saml2-integration/
(older, but should still work)

Need more info on the PHP portion and how you are using it.

Depending on your needs, check:
https://paulchauvet.github.io/deploying-cas/
https://programmingby.design/knowledge-base/a-cas-primer/

Cheers,
Bill


On Thu, Apr 14, 2022 at 12:00 AM RootName  wrote:

> Hello friends,
>
> I work in IT support at a university.
> We want to implement centralized SSO authentication for internal
> applications and messaging.
>
> Our applications and services:
> - Web application (running on PHP & Symfony)
> - Moodle
> - Office 365
>
> However, I am limited in resources and ideas. I see that we can use LDAP +
> CAS, but how does it work?
> Also, in some examples, I see that we need to integrate an identity
> federation like Shibboleth, but why?
>
> If you can give me ideas, leads or resources, it will help me a lot, I'm a
> bit lost.
>
> I am a bit lost. Thank you!
>



[cas-user] Re: CAS 6.x as a Shibboleth replacement ?

2022-04-09 Thread William Jojo
FWIW, we were once a Shib shop. Then we went to SimpleSAMLphp for the SAML 
piece while CAS served only the CAS protocol. We have since moved 
everything into CAS starting in 6.1. The config is very versatile in the 
service properties. We have some interesting vendors who want the craziest 
names for attributes and we have never had an issue meeting the need.

A lot of our configs were built with the CAS Management app that uses HJSON 
in the properties files. Frankly, that format is much more intuitive since 
there is a lot less eye-twisting punctuation than traditional JSON.

Happy to help, if needed. 

Bill

On Friday, April 8, 2022 at 8:07:37 AM UTC-4 spfma...@e.mail.fr wrote:

> Hi,
>  
> After long work on a modern version of CAS, it is now time for me to 
> deploy a new Shibboleth IdP.
>  
> Of course, both are tied together in our current infrastructure (CAS is the 
> external auth source for a federated Shibboleth server), and some comments 
> here https://github.com/Unicon/shib-cas-authn suggest CAS server is now a 
> good IdP too (as Shibboleth is also a capable CAS protocol provider).
>  
> Is this totally true as of today?
>  
> If I don't have to invest time and energy in another product, I would 
> appreciate it!
>  
> Regards
>



[cas-user] Re: CAS PM password reset works on 6.3.7.4 but not 6.4.6.2 (same config)

2022-04-06 Thread William Jojo
Ugh, a victim of property naming changes, again...

It seems that between 6.3 and 6.4, the properties moved from:

cas.authn.pm.jdbc.sql-Security-Questions

to the group:

cas.authn.pm.jdbc.sql-get-Security-Questions
cas.authn.pm.jdbc.sql-Update-Security-Questions
cas.authn.pm.jdbc.sql-Delete-Security-Questions

There was no mention of the issue with the old property during startup, so 
I never knew it was a problem until the null value for the SQL query and 
then digging through the docs and copious debug logs. 

Hopefully, this helps someone else out there...

Bill

On Wednesday, April 6, 2022 at 5:35:39 AM UTC-4 William Jojo wrote:

> Our password reset config has worked perfectly on 6.1, 6.2, and 6.3. 
> Moving to 6.4 seems to have some bug.
>
> Please see the log entries below. It seems the JDBC PM service thinks the 
> query is null.
>
> 6.3.7.4 debug at the point of using the reset link:
>  
> 2022-04-06 04:49:27,511 DEBUG 
> [org.springframework.jdbc.datasource.DataSourceTransactionManager] - 
>  PROPAGATION_REQUIRED,ISOLATION_READ_COMMITTED>
> 2022-04-06 04:49:27,797 DEBUG 
> [org.springframework.jdbc.datasource.DataSourceTransactionManager] - 
>  oracle.jdbc.driver.T4CConnection@1a08d6f1] for JDBC transaction>
> 2022-04-06 04:49:27,798 DEBUG 
> [org.springframework.jdbc.datasource.DataSourceUtils] -  level of JDBC Connection [HikariProxyConnection@933367609 wrapping 
> oracle.jdbc.driver.T4CConnection@1a08d6f1] to 2>
> 2022-04-06 04:49:27,799 DEBUG 
> [org.springframework.jdbc.datasource.DataSourceTransactionManager] - 
>  oracle.jdbc.driver.T4CConnection@1a08d6f1] to manual commit>
> 2022-04-06 04:49:27,800 DEBUG [org.springframework.jdbc.core.JdbcTemplate] 
> - 
>
> *2022-04-06 04:49:27,800 DEBUG 
> [org.springframework.jdbc.core.JdbcTemplate] -  statement [SELECT cas_question_text question, cas_answer_text answer FROM 
> table(cas.get_question_answers(username_in=>?))]>2022-04-06 04:49:27,801 
> TRACE [org.springframework.jdbc.core.StatementCreatorUtils] -  statement parameter value: column index 1, parameter value [w.jojo], value 
> class [java.lang.String], SQL type unknown>*
> 2022-04-06 04:49:27,824 TRACE 
> [org.springframework.jdbc.datasource.DataSourceTransactionManager] - 
> 
> 2022-04-06 04:49:27,824 TRACE 
> [org.springframework.jdbc.datasource.DataSourceTransactionManager] - 
> 
> 2022-04-06 04:49:27,824 DEBUG 
> [org.springframework.jdbc.datasource.DataSourceTransactionManager] - 
> 
> 2022-04-06 04:49:27,824 DEBUG 
> [org.springframework.jdbc.datasource.DataSourceTransactionManager] - 
>  wrapping oracle.jdbc.driver.T4CConnection@1a08d6f1]>
> 2022-04-06 04:49:27,832 TRACE 
> [org.springframework.jdbc.datasource.DataSourceTransactionManager] - 
> 
> 2022-04-06 04:49:27,832 TRACE 
> [org.springframework.jdbc.datasource.DataSourceTransactionManager] - 
> 
> 2022-04-06 04:49:27,832 DEBUG 
> [org.springframework.jdbc.datasource.DataSourceTransactionManager] - 
>  oracle.jdbc.driver.T4CConnection@1a08d6f1] after transaction>
>
> 6.4.6.2 debug at the point of using the reset link:
>
> 2022-04-05 16:38:52,272 DEBUG 
> [org.springframework.jdbc.datasource.DataSourceTransactionManager] - 
>  PROPAGATION_REQUIRED,ISOLATION_READ_COMMITTED>
> 2022-04-05 16:38:52,283 DEBUG 
> [org.springframework.jdbc.datasource.DataSourceTransactionManager] - 
>  oracle.jdbc.driver.T4CConnection@7afc8e3] for JDBC transaction>
> 2022-04-05 16:38:52,283 DEBUG 
> [org.springframework.jdbc.datasource.DataSourceUtils] -  level of JDBC Connection [HikariProxyConnection@514537969 wrapping 
> oracle.jdbc.driver.T4CConnection@7afc8e3] to 2>
> 2022-04-05 16:38:52,283 DEBUG 
> [org.springframework.jdbc.datasource.DataSourceTransactionManager] - 
>  oracle.jdbc.driver.T4CConnection@7afc8e3] to manual commit>
> 2022-04-05 16:38:52,284 DEBUG 
> [org.springframework.jdbc.datasource.DataSourceTransactionManager] - 
> 
> 2022-04-05 16:38:52,284 DEBUG 
> [org.springframework.jdbc.datasource.DataSourceTransactionManager] - 
>  [HikariProxyConnection@514537969 wrapping 
> oracle.jdbc.driver.T4CConnection@7afc8e3]>
> 2022-04-05 16:38:52,292 DEBUG 
> [org.springframework.jdbc.datasource.DataSourceTransactionManager] - 
>  oracle.jdbc.driver.T4CConnection@7afc8e3] after transaction>
> 2022-04-05 16:38:52,294 ERROR 
> [org.apereo.cas.pm.web.flow.actions.VerifyPasswordResetRequestAction] - 
> 
> *java.lang.IllegalArgumentException: SQL must not be null*
> at org.springframework.util.Assert.notNull(Assert.java:201) 
> ~[spring-core-5.3.18.jar:5.3.18]
> at 
> org.springframework.jdbc.core.JdbcTemplate$SimplePreparedStatementCreator.(JdbcTemplate.java:1639)
>  
> ~[spring-jdbc-5.3.18.jar:5.3.18]
> at 
> org.springframework.

[cas-user] CAS PM password reset works on 6.3.7.4 but not 6.4.6.2 (same config)

2022-04-06 Thread William Jojo
Our password reset config has worked perfectly on 6.1, 6.2, and 6.3. Moving 
to 6.4 seems to have some bug.

Please see the log entries below. It seems the JDBC PM service thinks the 
query is null.

6.3.7.4 debug at the point of using the reset link:
 
2022-04-06 04:49:27,511 DEBUG 
[org.springframework.jdbc.datasource.DataSourceTransactionManager] - 

2022-04-06 04:49:27,797 DEBUG 
[org.springframework.jdbc.datasource.DataSourceTransactionManager] - 

2022-04-06 04:49:27,798 DEBUG 
[org.springframework.jdbc.datasource.DataSourceUtils] - 
2022-04-06 04:49:27,799 DEBUG 
[org.springframework.jdbc.datasource.DataSourceTransactionManager] - 

2022-04-06 04:49:27,800 DEBUG [org.springframework.jdbc.core.JdbcTemplate] 
- 

*2022-04-06 04:49:27,800 DEBUG [org.springframework.jdbc.core.JdbcTemplate] 
- ?))]>2022-04-06 04:49:27,801 
TRACE [org.springframework.jdbc.core.StatementCreatorUtils] - *
2022-04-06 04:49:27,824 TRACE 
[org.springframework.jdbc.datasource.DataSourceTransactionManager] - 

2022-04-06 04:49:27,824 TRACE 
[org.springframework.jdbc.datasource.DataSourceTransactionManager] - 

2022-04-06 04:49:27,824 DEBUG 
[org.springframework.jdbc.datasource.DataSourceTransactionManager] - 

2022-04-06 04:49:27,824 DEBUG 
[org.springframework.jdbc.datasource.DataSourceTransactionManager] - 

2022-04-06 04:49:27,832 TRACE 
[org.springframework.jdbc.datasource.DataSourceTransactionManager] - 

2022-04-06 04:49:27,832 TRACE 
[org.springframework.jdbc.datasource.DataSourceTransactionManager] - 

2022-04-06 04:49:27,832 DEBUG 
[org.springframework.jdbc.datasource.DataSourceTransactionManager] - 


6.4.6.2 debug at the point of using the reset link:

2022-04-05 16:38:52,272 DEBUG 
[org.springframework.jdbc.datasource.DataSourceTransactionManager] - 

2022-04-05 16:38:52,283 DEBUG 
[org.springframework.jdbc.datasource.DataSourceTransactionManager] - 

2022-04-05 16:38:52,283 DEBUG 
[org.springframework.jdbc.datasource.DataSourceUtils] - 
2022-04-05 16:38:52,283 DEBUG 
[org.springframework.jdbc.datasource.DataSourceTransactionManager] - 

2022-04-05 16:38:52,284 DEBUG 
[org.springframework.jdbc.datasource.DataSourceTransactionManager] - 

2022-04-05 16:38:52,284 DEBUG 
[org.springframework.jdbc.datasource.DataSourceTransactionManager] - 

2022-04-05 16:38:52,292 DEBUG 
[org.springframework.jdbc.datasource.DataSourceTransactionManager] - 

2022-04-05 16:38:52,294 ERROR 
[org.apereo.cas.pm.web.flow.actions.VerifyPasswordResetRequestAction] - 

*java.lang.IllegalArgumentException: SQL must not be null*
at org.springframework.util.Assert.notNull(Assert.java:201) 
~[spring-core-5.3.18.jar:5.3.18]
at 
org.springframework.jdbc.core.JdbcTemplate$SimplePreparedStatementCreator.(JdbcTemplate.java:1639)
 
~[spring-jdbc-5.3.18.jar:5.3.18]
at 
org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:744) 
~[spring-jdbc-5.3.18.jar:5.3.18]
at 
org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:757) 
~[spring-jdbc-5.3.18.jar:5.3.18]
at 
org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:810) 
~[spring-jdbc-5.3.18.jar:5.3.18]
at 
org.springframework.jdbc.core.JdbcTemplate.queryForList(JdbcTemplate.java:942) 
~[spring-jdbc-5.3.18.jar:5.3.18]
at 
*org.apereo.cas.pm.jdbc.JdbcPasswordManagementService.lambda$getSecurityQuestions$5(JdbcPasswordManagementService.java:130)
 
~[cas-server-support-pm-jdbc-6.4.6.2.jar:6.4.6.2]*
at 
org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:140)

Please advise.

Bill




[cas-user] Re: 6.4.6.2 Could not get unknown property 'Files' for task ':getResource' of type org.gradle.api.DefaultTask.

2022-04-01 Thread William Jojo
Found the reason, but I am not sure why this is an issue:

I had to add import java.nio.file.* to the top of the gradle/tasks.gradle 
code. Then Files, Paths and StandardCopyOption could be found for the line:

Files.copy(Paths.get(resourceFile), Paths.get(toResourceFile), 
StandardCopyOption.REPLACE_EXISTING)

Hope this helps someone else. And, if anyone has an idea why I'd love to 
know...

Bill

On Friday, April 1, 2022 at 9:50:22 AM UTC-4 William Jojo wrote:

> Hello,
>
> I have tried clearing my .gradle cache and I am running out of ideas to 
> get these resources extracted. 
>
> Any help is greatly appreciated.
>
> Thank you!
>
> On Friday, April 1, 2022 at 5:32:37 AM UTC-4 William Jojo wrote:
>
>> Hello all,
>>
>> Trying to extract template views using getResource and I keep getting the 
>> following:
>>
>> > Task :getResource FAILED
>>
>> FAILURE: Build failed with an exception.
>>
>> * Where:
>> Script '/opt/workspace/6.4-new/cas-overlay-template/gradle/tasks.gradle' 
>> line: 341
>>
>> * What went wrong:
>> Execution failed for task ':getResource'.
>> > Could not get unknown property 'Files' for task ':getResource' of type 
>> org.gradle.api.DefaultTask.
>>
>> I have tried:
>>
>> ./gradlew getResource -PresourceName=messages
>> ./gradlew getResource -PresourceName=messages.properties
>> ./gradlew getResource -PresourceName=footer
>> ./gradlew getResource -PresourceName=footer.html
>> and many other resources...
>>
>> The offending line in gradle/tasks.gradle is:
>>
>> Files.copy(Paths.get(resourceFile), Paths.get(toResourceFile), 
>> StandardCopyOption.REPLACE_EXISTING)
>>
>> Any ideas why?
>>
>> Thank you!
>> Bill
>>
>



[cas-user] Re: 6.4.6.2 Could not get unknown property 'Files' for task ':getResource' of type org.gradle.api.DefaultTask.

2022-04-01 Thread William Jojo
Hello,

I have tried clearing my .gradle cache and I am running out of ideas to get 
these resources extracted. 

Any help is greatly appreciated.

Thank you!

On Friday, April 1, 2022 at 5:32:37 AM UTC-4 William Jojo wrote:

> Hello all,
>
> Trying to extract template views using getResource and I keep getting the 
> following:
>
> > Task :getResource FAILED
>
> FAILURE: Build failed with an exception.
>
> * Where:
> Script '/opt/workspace/6.4-new/cas-overlay-template/gradle/tasks.gradle' 
> line: 341
>
> * What went wrong:
> Execution failed for task ':getResource'.
> > Could not get unknown property 'Files' for task ':getResource' of type 
> org.gradle.api.DefaultTask.
>
> I have tried:
>
> ./gradlew getResource -PresourceName=messages
> ./gradlew getResource -PresourceName=messages.properties
> ./gradlew getResource -PresourceName=footer
> ./gradlew getResource -PresourceName=footer.html
> and many other resources...
>
> The offending line in gradle/tasks.gradle is:
>
> Files.copy(Paths.get(resourceFile), Paths.get(toResourceFile), 
> StandardCopyOption.REPLACE_EXISTING)
>
> Any ideas why?
>
> Thank you!
> Bill
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e5aaf3b1-f374-4924-91ea-f94b3247ff4an%40apereo.org.


[cas-user] 6.4.6.2 Could not get unknown property 'Files' for task ':getResource' of type org.gradle.api.DefaultTask.

2022-04-01 Thread William Jojo
Hello all,

Trying to extract template views using getResource and I keep getting the 
following:

> Task :getResource FAILED

FAILURE: Build failed with an exception.

* Where:
Script '/opt/workspace/6.4-new/cas-overlay-template/gradle/tasks.gradle' 
line: 341

* What went wrong:
Execution failed for task ':getResource'.
> Could not get unknown property 'Files' for task ':getResource' of type 
org.gradle.api.DefaultTask.

I have tried:

./gradlew getResource -PresourceName=messages
./gradlew getResource -PresourceName=messages.properties
./gradlew getResource -PresourceName=footer
./gradlew getResource -PresourceName=footer.html
and many other resources...

The offending line in gradle/tasks.gradle is:

Files.copy(Paths.get(resourceFile), Paths.get(toResourceFile), 
StandardCopyOption.REPLACE_EXISTING)

Any ideas why?

Thank you!
Bill

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/53082d10-0e5f-4d9d-9890-b7288d7907e9n%40apereo.org.
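An added example, not the overlay's own tasks.gradle and not code posted in the thread: a resource-copying task of the same shape as getResource, written on the assumption that the error has its usual cause. Gradle's Groovy DSL does not import java.nio.file by default, so a bare `Files` inside a task closure is looked up as a property of the task and fails with exactly "Could not get unknown property 'Files' for task ... of type org.gradle.api.DefaultTask". The three imports at the top are the fix; the task name getResourceExample, the exploded-WAR location build/cas-resources and the target src/main/resources are assumptions about the layout.

```groovy
// Added example (not the overlay template's tasks.gradle). The imports are
// the point: without them, Gradle resolves "Files" as a task property.
import java.nio.file.Files
import java.nio.file.Path
import java.nio.file.Paths
import java.nio.file.StandardCopyOption

// Hypothetical task standing in for getResource. The exploded WAR directory
// and the overlay target directory are assumptions, not taken from the thread.
task getResourceExample {
    description = "Copy a resource from the exploded CAS WAR into src/main/resources"
    doLast {
        def resourceName = project.findProperty("resourceName")
        if (!resourceName) {
            throw new GradleException("Pass -PresourceName=<file name or prefix>")
        }
        Path base = Paths.get("$buildDir/cas-resources").toAbsolutePath().normalize()
        Path target = Paths.get("$projectDir/src/main/resources").toAbsolutePath().normalize()

        // Collect every file under the exploded WAR whose name starts with the
        // requested resource name (footer, footer.html, messages, ...).
        def matches = []
        fileTree(base.toFile()).visit { details ->
            if (!details.directory && details.name.startsWith(resourceName)) {
                matches << details.file.toPath()
            }
        }
        if (matches.isEmpty()) {
            throw new GradleException("No resource named '${resourceName}' found under ${base}")
        }

        matches.each { Path resourceFile ->
            // Keep the WAR-relative path so the overlay copy shadows the original.
            Path relative = base.relativize(resourceFile.toAbsolutePath().normalize())
            Path toResourceFile = target.resolve(relative).normalize()
            // resourceName comes from the command line: refuse any resolved
            // target that would land outside src/main/resources.
            if (!toResourceFile.startsWith(target)) {
                throw new GradleException("Refusing to write outside ${target}: ${toResourceFile}")
            }
            Files.createDirectories(toResourceFile.parent)
            Files.copy(resourceFile, toResourceFile, StandardCopyOption.REPLACE_EXISTING)
            logger.lifecycle("Copied ${resourceFile} -> ${toResourceFile}")
        }
    }
}
```

Invoke it as `./gradlew getResourceExample -PresourceName=footer.html`. If the real tasks.gradle already carries these imports, the symptom has a different cause and `--stacktrace` on the failing getResource run is the next thing to look at.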


Re: [EXTERNAL SENDER] [cas-user] Overlay template 6.4 build failed

2021-12-15 Thread William Vincent
Hello
I have docker-compose and I use cas-overlay-template/tree/6.3.
This error happens when I use 'docker-compose build'.
I will not install openjdk because I am in a container.
I tried with 6.4 but it's the same result :/
Thanks for your help

docker-compose build
redis uses an image, skipping
Building cas
Step 1/20 : FROM adoptopenjdk/openjdk11:alpine-slim AS overlay
 ---> 68d79b94d8b9
Step 2/20 : RUN mkdir -p cas-overlay
 ---> Using cache
 ---> 2fbf67e30ccc
Step 3/20 : COPY ./src cas-overlay/src/
 ---> 492ae4217531
Step 4/20 : COPY ./gradle/ cas-overlay/gradle/
 ---> d44ca8ef2c0e
Step 5/20 : COPY ./gradlew ./settings.gradle ./build.gradle 
./gradle.properties /cas-overlay/
 ---> 6c0d5aaa1d06
Step 6/20 : RUN mkdir -p ~/.gradle && echo "org.gradle.daemon=false" >> 
~/.gradle/gradle.properties && echo "org.gradle.configureondemand=true" 
>> ~/.gradle/gradle.properties && cd cas-overlay && chmod 750 
./gradlew && ./gradlew --version;
 ---> Running in 17e37e5f3ced
Downloading https://services.gradle.org/distributions/gradle-7.3.1-bin.zip
...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%

Welcome to Gradle 7.3.1!

Here are the highlights of this release:
 - Easily declare new test suites in Java projects
 - Support for Java 17
 - Support for Scala 3

For more details see https://docs.gradle.org/7.3.1/release-notes.html



Gradle 7.3.1


Build time:   2021-12-01 15:42:20 UTC
Revision: 2c62cec93e0b15a7d2cd68746f3348796d6d42bd

Kotlin:   1.5.31
Groovy:   3.0.9
Ant:  Apache Ant(TM) version 1.10.11 compiled on July 10 2021
JVM:  11.0.8 (AdoptOpenJDK 11.0.8+10)
OS:   Linux 4.18.0-348.2.1.el8_5.x86_64 amd64

Removing intermediate container 17e37e5f3ced
 ---> f0df1a5519e8
Step 7/20 : RUN cd cas-overlay && ./gradlew clean build --parallel 
--no-daemon;
 ---> Running in 89755da20e71
To honour the JVM settings for this build a single-use Daemon process will 
be forked. See 
https://docs.gradle.org/7.3.1/userguide/gradle_daemon.html#sec:disabling_the_daemon.
Daemon will be stopped at the end of the build 
Configuration on demand is an incubating feature.
> Task :clean
> Task :extractCasBootWarOverlay
> Task :bootBuildInfo
> Task :generateMainEffectiveLombokConfig1
> Task :checkLombokConfig
> Task :compileJava FAILED

Deprecated Gradle features were used in this build, making it incompatible 
with Gradle 8.0.

You can use '--warning-mode all' to show the individual deprecation 
warnings and determine if they come from your own scripts or plugins.

See 
https://docs.gradle.org/7.3.1/userguide/command_line_interface.html#sec:command_line_warnings
6 actionable tasks: 6 executed

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':compileJava'.
> error: release version 11 not supported

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 53s
ERROR: Service 'cas' failed to build : The command '/bin/sh -c cd 
cas-overlay && ./gradlew clean build --parallel --no-daemon;' returned 
a non-zero code: 1


On Tuesday, October 19, 2021 at 15:59:13 UTC+2, ro...@mun.ca wrote:

> You need the openjdk development packages.
>
> For instance on RHEL7:
>
> > yum install java-11-openjdk-devel
>
> From: cas-...@apereo.org On Behalf Of Marc Maurice
> Sent: Tuesday, October 19, 2021 11:25 AM
> To: CAS Community
> Subject: [EXTERNAL SENDER] [cas-user] Overlay template 6.4 build failed
>
> Hello,
>
> I'm trying to upgrade from cas 6.2 to 6.4.
>
> As explained in the doc I want to start with a clean 6.4 overlay then 
> reapply all my patches.
>
> I cloned a fresh 6.4 overlay branch from the github project.
>
> Openjdk 11 installed:
>
> [root@15871ceb6a09 myclone]# java -version
> openjdk version "11.0.12" 2021-07-20 LTS
> OpenJDK Runtime Environment 18.9 (build 11.0.12+7-LTS)
> OpenJDK 64-Bit Server VM 18.9 (build 11.0.12+7-LTS, mixed mode, sharing)
>
> I'm getting the following error. Tried to run gradle in debug mode, and 
> googling the error with no success.
>
> gradle is not giving me any clue why it doesn't like my java version...
>
> [root@15871ceb6a09 myclone]# ./gradlew clean build
> > Task :compileJava FAILED
>
> FAILURE: Build failed with an exception.
>
> * What went wrong:
> Execution failed for task ':compileJava'.
> > error: release version 11 not supported
>
> * Try:
> Run with --stacktrace option to get the stack trace. Run with --info or 
> --debug option to get more log output. Run with --scan to get full insights.
>
> * Get more help at 

[cas-user] Re: delegated auth not working after upgrade to CAS 6.4.2

2021-11-15 Thread William Jojo
Noelette,

Confirmed. I am doing non-autoforwarding SAML2 delegation to Azure. I have 
nginx proxy in front of embedded Tomcat app.war. Works in 6.3.7.1, borked 
in 6.4.2. Double-checked all of my cas.properties, nothing amiss.

In 6.3.7.1 (working):

2021-11-15 07:04:50,891 DEBUG 
[org.apereo.cas.web.DelegatedClientWebflowManager] - 
2021-11-15 07:04:50,907 DEBUG 
[org.apereo.cas.web.DelegatedClientWebflowManager] - 
2021-11-15 07:04:50,914 DEBUG 
[org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - 
2021-11-15 07:04:50,921 DEBUG 
[org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - 
2021-11-15 07:04:50,922 DEBUG 
[org.apereo.cas.AbstractCentralAuthenticationService] - 
2021-11-15 07:04:50,923 DEBUG 
[org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - 
2021-11-15 07:04:51,141 DEBUG 
[org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - 
2021-11-15 07:04:51,352 DEBUG 
[org.apereo.cas.web.BaseDelegatedAuthenticationController] - https://casdev.hvcc.edu/cas/login | urlResolver: 
org.pac4j.core.http.url.DefaultUrlResolver@3538d8d6 | callbackUrlResolver: 
org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@6785df10 | 
ajaxRequestResolver: 
org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@6e3705e6 | 
redirectionActionBuilder: 
org.pac4j.saml.redirect.SAML2RedirectionActionBuilder@140b4e00 | 
credentialsExtractor: 
org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@169e989c | 
authenticator: 
org.pac4j.saml.credentials.authenticator.SAML2Authenticator@65930cf1 | 
profileCreator: 
org.pac4j.core.profile.creator.AuthenticatorProfileCreator@10f5 | 
logoutActionBuilder: 
org.pac4j.saml.logout.SAML2LogoutActionBuilder@335d3d90 | 
authorizationGenerators: [] |] as [#HttpAction# | code: 302 |]>


In 6.4.2 (borked):

2021-11-15 06:56:22,281 DEBUG 
[org.apereo.cas.support.pac4j.authentication.DefaultDelegatedClientFactory] 
- https://casdev.hvcc.edu/cas/login | urlResolver: null | 
callbackUrlResolver: 
org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@672e8871 | 
ajaxRequestResolver: null | redirectionActionBuilder: null | 
credentialsExtractor: null | authenticator: null | profileCreator: 
org.pac4j.core.profile.creator.AuthenticatorProfileCreator@34e68840 | 
logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@510203de | 
authorizationGenerators: [] | checkAuthenticationAttempt: true |]>
2021-11-15 06:56:22,281 DEBUG 
[org.apereo.cas.support.pac4j.RefreshableDelegatedClients] - https://casdev.hvcc.edu/cas/login | urlResolver: null | 
callbackUrlResolver: 
org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@672e8871 | 
ajaxRequestResolver: null | redirectionActionBuilder: null | 
credentialsExtractor: null | authenticator: null | profileCreator: 
org.pac4j.core.profile.creator.AuthenticatorProfileCreator@34e68840 | 
logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@510203de | 
authorizationGenerators: [] | checkAuthenticationAttempt: true |]]>
2021-11-15 06:56:22,767 DEBUG 
[org.apereo.cas.web.DefaultDelegatedClientAuthenticationWebflowManager] - 

2021-11-15 06:56:22,788 DEBUG 
[org.apereo.cas.web.DefaultDelegatedClientAuthenticationWebflowManager] - 

2021-11-15 06:56:22,797 DEBUG 
[org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - 
2021-11-15 06:56:22,805 DEBUG 
[org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - 
2021-11-15 06:56:22,805 DEBUG 
[org.apereo.cas.AbstractCentralAuthenticationService] - 
2021-11-15 06:56:22,807 DEBUG 
[org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - 
2021-11-15 06:56:22,811 WARN 
[org.apereo.cas.web.DefaultDelegatedAuthenticationNavigationController] - 

java.lang.IllegalArgumentException: SAML request could not be determined 
from session store
at 
org.apereo.cas.support.saml.web.idp.delegation.SamlIdPDelegatedClientAuthenticationRequestCustomizer.lambda$customize$0(SamlIdPDelegatedClientAuthenticationRequestCustomizer.java:42)
 
~[cas-server-support-saml-idp-web-6.4.2.jar!/:6.4.2]

Looks like ticket mgmt is happening out of order from the debugs. But I am 
guessing...

Bill

On Monday, November 8, 2021 at 2:50:24 PM UTC-5 stou...@isu.edu wrote:

> I had delegated authentication working with CAS 6.3.7.1, but after I 
> upgraded to 6.4.2 I am getting the following error.
>
> 2021-11-08 12:36:40,578 DEBUG 
> [org.pac4j.core.context.session.JEESessionStore] -  retrieved session: null>
> 2021-11-08 12:36:40,578 DEBUG 
> [org.pac4j.core.context.session.JEESessionStore] -  key: SAMLRequest, no session available>
> 2021-11-08 12:36:40,594 WARN 
> [org.apereo.cas.web.DefaultDelegatedAuthenticationNavigationController] - 
> 
> java.lang.IllegalArgumentException: SAML request could not be determined 
> from session store
> at 
> org.apereo.cas.support.saml.web.idp.delegation.SamlIdPDelegatedClientAuthenticationRequestCustomizer.lambda$customize$0(SamlIdPDelegatedClientAuthenticationRequestCustomizer.java:42)
>  
> 

Re: [cas-user] 6.3 and 6.4 Deploy embedded Tomcat container behind proxy does not work.

2021-11-15 Thread William Jojo
Pascal,

I will take a look at these as well.

Bill


On Mon, Nov 15, 2021 at 2:48 AM Pascal Rigaux 
wrote:

> NB : an alternative to cas.server.tomcat.http-proxy.* is
> server.tomcat.remoteip.internal-proxies (on CAS 6.4), cf
> https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
> NB2 : it requires rev proxy to set some headers.
> - nginx : proxy_set_header X-Forwarded-Proto $scheme
> - apache2 httpd : RequestHeader set X-Forwarded-Proto
> expr=%{REQUEST_SCHEME}
>
>
> On 15/11/2021 00:07, William Jojo wrote:
> > Hello all,
> >
> > Whenever I try to use the Fawnoos doc on configuring the CAS (6.3 or
> > 6.4) embedded Tomcat behind a proxy, I always get:
> >
> > *The AJP Connector is configured with secretRequired="true" but the
> > secret attribute is either null or "". This combination is not valid.*
> >
> > Even with the following:
> >
> > server.port=8080
> > server.ssl.enabled=false
> > cas.server.tomcat.http.enabled=false
> > cas.server.tomcat.http-proxy.enabled=true
> > cas.server.tomcat.http-proxy.secure=true
> > cas.server.tomcat.http-proxy.scheme=https
> >
> > If I turn all that off and let it start on the default of 8443, then it
> > runs, but not the way it was intended.
> >
> > Any thoughts on this?
> >
> > Thank you!
> > Bill
> >
>
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/13b9ce6d-c47a-d57d-e02f-ed23e15cf206%40univ-paris1.fr
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOGev1iN4jMNOKCPxMDhANppyzyRYvEBsQWnaFZ2cfhjTY8d8g%40mail.gmail.com.


[cas-user] Re: 6.3 and 6.4 Deploy embedded Tomcat container behind proxy does not work.

2021-11-14 Thread William Jojo
Ugh, of course it makes a difference. It is not using AJP any more...
Clearly some rest is in order...

Bill

On Sun, Nov 14, 2021 at 7:14 PM William Jojo  wrote:

> Well, it seems adding the following:
>
> cas.server.tomcat.http-Proxy.protocol=HTTP/1.1
>
> Makes a difference. Not entirely sure why. Can anyone shed light on this?
>
> Thank you!
> Bill
>
> On Sunday, November 14, 2021 at 6:08:11 PM UTC-5 William Jojo wrote:
>
>> Hello all,
>>
>> Whenever I try to use the Fawnoos doc on configuring the CAS (6.3 or
>> 6.4) embedded Tomcat behind a proxy, I always get:
>>
>> *The AJP Connector is configured with secretRequired="true" but the
>> secret attribute is either null or "". This combination is not valid.*
>>
>> Even with the following:
>>
>> server.port=8080
>> server.ssl.enabled=false
>> cas.server.tomcat.http.enabled=false
>> cas.server.tomcat.http-proxy.enabled=true
>> cas.server.tomcat.http-proxy.secure=true
>> cas.server.tomcat.http-proxy.scheme=https
>>
>> If I turn all that off and let it start on the default of 8443, then it
>> runs, but not the way it was intended.
>>
>> Any thoughts on this?
>>
>> Thank you!
>> Bill
>>
>>
>>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOGev1h9PXG%2B5MfUw9HYiOGZudAg_18YUwxyJ%3Dn8adH2%2BFz7qA%40mail.gmail.com.


[cas-user] Re: 6.3 and 6.4 Deploy embedded Tomcat container behind proxy does not work.

2021-11-14 Thread William Jojo
Well, it seems adding the following:

cas.server.tomcat.http-Proxy.protocol=HTTP/1.1

Makes a difference. Not entirely sure why. Can anyone shed light on this?

Thank you!
Bill

On Sunday, November 14, 2021 at 6:08:11 PM UTC-5 William Jojo wrote:

> Hello all,
>
> Whenever I try to use the Fawnoos doc on configuring the CAS (6.3 or 6.4) 
> embedded Tomcat behind a proxy, I always get:
>
> *The AJP Connector is configured with secretRequired="true" but the secret 
> attribute is either null or "". This combination is not valid.*
>
> Even with the following:
>
> server.port=8080
> server.ssl.enabled=false
> cas.server.tomcat.http.enabled=false
> cas.server.tomcat.http-proxy.enabled=true
> cas.server.tomcat.http-proxy.secure=true
> cas.server.tomcat.http-proxy.scheme=https
>
> If I turn all that off and let it start on the default of 8443, then it 
> runs, but not the way it was intended.
>
> Any thoughts on this?
>
> Thank you! 
> Bill
>
>
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6ded6d12-2dfb-4618-9cac-345ad07ea82en%40apereo.org.


[cas-user] 6.3 and 6.4 Deploy embedded Tomcat container behind proxy does not work.

2021-11-14 Thread William Jojo
Hello all,

Whenever I try to use the Fawnoos doc on configuring the CAS (6.3 or 6.4)
embedded Tomcat behind a proxy, I always get:

*The AJP Connector is configured with secretRequired="true" but the secret
attribute is either null or "". This combination is not valid.*

Even with the following:

server.port=8080
server.ssl.enabled=false
cas.server.tomcat.http.enabled=false
cas.server.tomcat.http-proxy.enabled=true
cas.server.tomcat.http-proxy.secure=true
cas.server.tomcat.http-proxy.scheme=https

If I turn all that off and let it start on the default of 8443, then it
runs, but not the way it was intended.

Any thoughts on this?

Thank you!
Bill

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOGev1gM9avLEOVPLz%2BkhW-iAC8RipTLdhqFJV6TePyMBgHDOw%40mail.gmail.com.
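Putting the settings from this thread together, as an added example rather than anyone's configuration from the list: a cas.properties fragment for CAS behind a TLS-terminating reverse proxy. It uses the cas.server.tomcat.http-proxy.* keys from Bill's post plus the protocol=HTTP/1.1 line he later found made the difference, and the server.tomcat.remoteip.* alternative Pascal mentions for CAS 6.4 (Spring Boot's settings for Tomcat's RemoteIpValve). The proxy address 10.0.0.5 and the port numbers are assumptions.

```properties
# Added example (not taken from the thread). Assumes an nginx TLS terminator
# at 10.0.0.5 that forwards plain HTTP to CAS on port 8080.
server.port=8080
server.ssl.enabled=false
cas.server.tomcat.http.enabled=false

# Extra connector for proxied traffic. With protocol left at its default the
# connector is AJP, and Tomcat 9.0.31+ refuses an AJP connector without a
# shared secret (the secretRequired error in the thread). HTTP/1.1 avoids AJP
# entirely; secure/scheme tell CAS that the client-facing side is https.
cas.server.tomcat.http-proxy.enabled=true
cas.server.tomcat.http-proxy.protocol=HTTP/1.1
cas.server.tomcat.http-proxy.secure=true
cas.server.tomcat.http-proxy.scheme=https

# CAS 6.4 alternative: let Tomcat's RemoteIpValve take the scheme and the
# client address from X-Forwarded-* headers, but only on requests that arrive
# from the listed proxy. The default internal-proxies pattern trusts every
# private address range, so any host on those networks could supply the
# client IP that ends up in the CAS audit log. The value is a regex; the
# doubled backslashes survive properties-file unescaping as a single one.
server.tomcat.remoteip.internal-proxies=10\\.0\\.0\\.5
server.tomcat.remoteip.remote-ip-header=X-Forwarded-For
server.tomcat.remoteip.protocol-header=X-Forwarded-Proto
```

The proxy has to set those headers itself rather than pass through whatever the client sent; Pascal's nginx line `proxy_set_header X-Forwarded-Proto $scheme` does that for the scheme, and the same applies to X-Forwarded-For. Both halves of the fragment can coexist: the connector settings fix the scheme CAS builds its URLs with, and the valve makes the remote address recorded per request the real client's rather than the proxy's.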


Re: [cas-user] CAS 6.3.5-Azure AD Delegation-OIDC-JDBC-LDAP

2021-07-29 Thread William Jojo
Hmmm, well this gets more interesting as I cannot seem to get CAS to stop
doing this:

2021-07-29 17:41:09,855 DEBUG
[org.apereo.cas.integration.pac4j.authentication.handler.support.AbstractPac4jAuthenticationHandler]
- 
2021-07-29 17:41:09,856 DEBUG
[org.apereo.cas.integration.pac4j.authentication.handler.support.AbstractPac4jAuthenticationHandler]
- 
2021-07-29 17:41:09,863 DEBUG
[org.apereo.cas.authentication.principal.resolvers.PersonDirectoryPrincipalResolver]
- 


I have been going over the docs for how the principal resolver and person
directory works, but I am not getting any closer.

Any insight would be most helpful. I cannot be the only person using the
feature.

Bill



On Thu, Jul 29, 2021 at 1:55 PM William Jojo  wrote:

> To anyone who is familiar with the username (user) value being set by the
> claims of OIDC in Azure AD Delegation. CAS is setting the username to the
> subject (sub) claim. This totally trashes the ability to use JDBC attribute
> resolution like:
>
> 2021-07-29 13:47:18,371 DEBUG [org.springframework.jdbc.core.JdbcTemplate]
> - 
> 2021-07-29 13:47:18,372 DEBUG [org.springframework.jdbc.core.JdbcTemplate]
> -  BANNER_UDC_ID, s_id BANNER_SID, banner_id BANNER_OID, dob BANNER_DOB, last4
> BANNER_LAST4  FROM idmap WHERE *username = ?*]>
> 2021-07-29 13:47:18,377 DEBUG
> [org.springframework.jdbc.datasource.DataSourceUtils] -  Connection from DataSource>
> 2021-07-29 13:47:18,727 TRACE
> [org.springframework.jdbc.core.StatementCreatorUtils] -  statement parameter value: column index 1, parameter value [
> *oASsZI-izB_hpkO3eXRqxY6uh6BkvzYNkY*], value class
> [java.lang.String], SQL type unknown>
>
> This is not the username. The UPN and other values look perfect - except
> this. I cannot find anything in the CAS docs or with Azure AD that allows
> me to compensate for this. Since the JDBC argument injection is so
> primitive there is no way for me to adjust and substitute another value at
> the time this gets invoked for additional attributes.
>
> Can anyone shed light on this?
>
> Thank you!
>
> Bill
>
>
>
> On Wed, Jul 28, 2021 at 6:52 PM William Jojo  wrote:
>
>> Hello,
>>
>> I will try to keep this to the point.
>>
>> CAS is using the subject claim from AzureAD Delegation upon return from
>> auth and setting it as the username regardless of the setting of:
>>
>> cas.authn.pac4j.oidc[0].azure.principal-attribute-id=email
>>
>> I can use email, upn, does not matter, it is always the subject (sub)
>> claim from AzureAD. Even when I tried generic:
>>
>> cas.authn.pac4j.oidc[0].generic.principal-attribute-id=email
>>
>> I am getting all the way through the delegation, completing the
>> authentication, completing the MFA on the account and returning to the app
>> only to have the username be the subject (sub) claim.
>>
>> Even if I set the usernameAttributeProvider it does not change anything.
>>
>> Anyone have an idea of what is going on?
>>
>> Bill
>>
>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/41fec87d-5c75-40e1-8df6-6154201c5112n%40apereo.org.
>>
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOGev1j75Xe7Y2KJTz42KEyrgo6Mm--QjaAWdN5T5_WBb00_pA%40mail.gmail.com.


Re: [cas-user] CAS 6.3.5-Azure AD Delegation-OIDC-JDBC-LDAP

2021-07-29 Thread William Jojo
To anyone who is familiar with the username (user) value being set by the
claims of OIDC in Azure AD Delegation. CAS is setting the username to the
subject (sub) claim. This totally trashes the ability to use JDBC attribute
resolution like:

2021-07-29 13:47:18,371 DEBUG [org.springframework.jdbc.core.JdbcTemplate]
- 
2021-07-29 13:47:18,372 DEBUG [org.springframework.jdbc.core.JdbcTemplate]
- 
2021-07-29 13:47:18,377 DEBUG
[org.springframework.jdbc.datasource.DataSourceUtils] - 
2021-07-29 13:47:18,727 TRACE
[org.springframework.jdbc.core.StatementCreatorUtils] - 

This is not the username. The UPN and other values look perfect - except
this. I cannot find anything in the CAS docs or with Azure AD that allows
me to compensate for this. Since the JDBC argument injection is so
primitive there is no way for me to adjust and substitute another value at
the time this gets invoked for additional attributes.

Can anyone shed light on this?

Thank you!

Bill



On Wed, Jul 28, 2021 at 6:52 PM William Jojo  wrote:

> Hello,
>
> I will try to keep this to the point.
>
> CAS is using the subject claim from AzureAD Delegation upon return from
> auth and setting it as the username regardless of the setting of:
>
> cas.authn.pac4j.oidc[0].azure.principal-attribute-id=email
>
> I can use email, upn, does not matter, it is always the subject (sub)
> claim from AzureAD. Even when I tried generic:
>
> cas.authn.pac4j.oidc[0].generic.principal-attribute-id=email
>
> I am getting all the way through the delegation, completing the
> authentication, completing the MFA on the account and returning to the app
> only to have the username be the subject (sub) claim.
>
> Even if I set the usernameAttributeProvider it does not change anything.
>
> Anyone have an idea of what is going on?
>
> Bill
>
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/41fec87d-5c75-40e1-8df6-6154201c5112n%40apereo.org.
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOGev1jc1JW1eAU1AffJSmc%3D%3D4COWUJXzZvZP%3DHtyo%2B1uyah5g%40mail.gmail.com.


[cas-user] CAS 6.3.5-Azure AD Delegation-OIDC-JDBC-LDAP

2021-07-28 Thread William Jojo
Hello,

I will try to keep this to the point.

CAS is using the subject claim from AzureAD Delegation upon return from 
auth and setting it as the username regardless of the setting of:

cas.authn.pac4j.oidc[0].azure.principal-attribute-id=email

I can use email, upn, does not matter, it is always the subject (sub) claim 
from AzureAD. Even when I tried generic:

cas.authn.pac4j.oidc[0].generic.principal-attribute-id=email

I am getting all the way through the delegation, completing the 
authentication, completing the MFA on the account and returning to the app 
only to have the username be the subject (sub) claim. 

Even if I set the usernameAttributeProvider it does not change anything.

Anyone have an idea of what is going on?

Bill

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/41fec87d-5c75-40e1-8df6-6154201c5112n%40apereo.org.


[cas-user] Re: CAS 6.1.6 inotify instances skyrocketing with Groovy files in SAML service.

2021-03-08 Thread William Jojo
Morning Star,

The problem persists on 6.2.8 - which is the latest one I have available to
test at the moment. Seems to only be increasing the inotify list with each
use of the service that uses the external Groovy file (meaning not inline).
Maybe an improvement, but it has been some time since I dug into this issue.

Bill

On Thu, Mar 4, 2021 at 7:46 AM  wrote:

> Morning Star,
>
> Which CAS and OS versions are you using?
>
> The only solution for us was to in-line them. We lost logging, but since
> no one else spoke up about the issue and I had no time to further research
> it myself, I moved on since in-line worked.
>
> Let me try it on my test system and see if 6.2 or 6.3 still have the
> problem. It is possible that it is already fixed.
>
> Bill
>
> Sent from a device.
>
> On Mar 4, 2021, at 12:15 AM, Morning Star  wrote:
>
> Hi William,
>
> We are also facing the same issue like you.  Could you please help us?
>
> On Tuesday, June 2, 2020 at 8:37:03 PM UTC+5:30 William Jojo wrote:
>
>> Well, I was able to stop the hemorrhaging. Have been watching it for
>> about an hour and the inotify list remains constant.
>>
>> By using an inline Groovy script, CAS no longer needed to setup a watcher
>> service for the Groovy scripts. However, I lost the ability to log debug
>> info and compound statements seem to not be allowed in the inline model.
>> Fortunately my code was not so horribly complex that I was able to work it
>> out. For example:
>>
>> AD groups are horribly disfigured (read in DN form) from the LDAP query,
>> so we rewrite them like so:
>>
>>   memberOf:
>>   [
>> java.util.ArrayList
>> [
>>   groovy { def groups = attributes['memberOf']; def result = [];
>> for ( cn in groups )  result.add( ( cn =~ /CN=([^,]+),/)[0][1] ) ;  return
>> result; }
>> ]
>>   ]
>>
>> If anyone has an idea on where to begin looking for the cause of this
>> issue, I am quite happy to help determine why this flies out of control.
>>
>> Also, if anyone has info on the syntax limitations of inline Groovy
>> scripts and how to still do logging in the inline script that would be very
>> helpful for debugging.
>>
>> Thank you!
>>
>> Bill
>>
>>
>> On Monday, June 1, 2020 at 12:44:23 PM UTC-4, William Jojo wrote:
>>>
>>> Been running 6.1.6 for about 2 weeks. No issues - until I added SAML
>>> support. This morning I noticed CAS no longer working. Checked log and
>>> found:
>>>
>>> From log:
>>>
>>> 2020-06-01 09:05:32,086 INFO [org.apereo.cas.util.io.PathWatcherService]
>>> - <*Watching directory at [/etc/cas/saml]*>
>>> 2020-06-01 09:05:32,086 ERROR
>>> [org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] - <*User
>>> limit of inotify instances reached or too many open files*>
>>> java.io.IOException: *User limit of inotify instances reached or too
>>> many open files*
>>> at sun.nio.fs.LinuxWatchService.(LinuxWatchService.java:64) ~[?:?]
>>> at sun.nio.fs.LinuxFileSystem.newWatchService(LinuxFileSystem.java:47)
>>> ~[?:?]
>>> at 
>>> org.apereo.cas.util.io.PathWatcherService.(PathWatcherService.java:62)
>>> ~[cas-server-core-util-api-6.1.6.jar:6.1.6]
>>> at 
>>> org.apereo.cas.util.io.PathWatcherService.(PathWatcherService.java:40)
>>> ~[cas-server-core-util-api-6.1.6.jar:6.1.6]
>>> at 
>>> org.apereo.cas.util.io.FileWatcherService.(FileWatcherService.java:26)
>>> ~[cas-server-core-util-api-6.1.6.jar:6.1.6]
>>> at 
>>> org.apereo.cas.util.scripting.*WatchableGroovyScriptResource*.(WatchableGroovyScriptResource.java:31)
>>> ~[cas-server-core-util-api-6.1.6.jar:6.1.6]
>>>
>>>
>>> Thought this was odd since never had this problem with any other area of
>>> CAS watch areas. Did some digging and seems this is NOT an issue UNTIL I
>>> added the groovy files to a SAML service.
>>>
>>> The portion of the JSON is as follows:
>>>
>>>   memberOf:
>>>   [
>>> java.util.ArrayList
>>> [
>>> file:/etc/cas/saml/memberOf.groovy
>>> ]
>>>   ]
>>>   eduPersonPrimaryAffiliation:
>>>   [
>>> java.util.ArrayList
>>> [
>>> file:/etc/cas/saml/eduPersonPrimaryAffiliation.groovy
>>> ]
>>>   ]
>>>
>>> Now look at this output:
>>>
>>> root@casdev-master:~# while (

Re: [cas-user] cas-management application

2020-07-28 Thread William Jojo
Travis,

I am producing some documentation on a bunch of topics that have been 
popping up here of late (Apache-shib, mod-auth-cas, cas-management, locust, 
etc) which I plan to release shortly. I wanted to know if there was a 
branch that needs testing so I can update the cas-management docs 
accordingly.

Thank you!

Bill

On Thursday, July 23, 2020 at 3:49:08 PM UTC-4, Travis Schmidt wrote:
>
> Sorry for my absence and radio silence on this.  I had some high priority 
> projects come up that were eating up my time.  I am finally getting 
> around to looking into a 6.2 deployment.  I will be creating a 6.1.x branch 
> and cutting that release, then I will get master switched over to start 
> creating 6.2.x snapshots for those using the gradle overlays and hopefully 
> a 6.2 GA release soon.
>
> Travis
>
> On Thu, Jul 23, 2020 at 11:51 AM Rich Renomeron wrote:
>
>> Hi Bryan,
>>
>> You mentioned a version 6.2 of the cas-management application, but I have 
>> been unable to find that version in Github (the HEAD revision is 
>> 6.1.4-SNAPSHOT).  Since you're using a 6.1.6 CAS, was that a typo, or am 
>> I missing something?  (I'm working on a 6.2 deployment right now, so I'd 
>> love to find a 6.2 cas-management application.)
>>
>> Thanks,
>> Rich
>>
>> On Tue, Jul 7, 2020 at 5:38 AM Stef wrote:
>>
>>> Hi Bryan,
>>> If you want to completely disable version control you can do this in 
>>> build.gradle:
>>>
>>> bootWar {
>>> entryCompression = ZipEntryCompression.STORED
>>> overlays {
>>> // 
>>> https://docs.freefair.io/gradle-plugins/current/reference/#_io_freefair_war_overlay
>>> // Note: The "excludes" property is only for files in the war 
>>> dependency.
>>> // If a jar is excluded from the war, it could be brought back 
>>> into the final war as a dependency
>>> // of non-war dependencies. Those should be excluded via normal 
>>> gradle dependency exclusions.
>>> cas {
>>> from 
>>> "org.apereo.cas:cas-mgmt-webapp${project.appServer}:${casMgmtServerVersion}@war"
>>> provided = false
>>> excludes = ["**/cas-mgmt-config-version-control*.jar", 
>>> "**/cas-mgmt-config-delegated*.jar", "**/HikariCP-java7-2.4.13.jar"]
>>> }
>>> }
>>>
>>> }
>>>
>>>
>>> Then the only thing you need for services is 
>>>
>>> cas.serviceRegistry.json.location=file:/etc/cas/services
>>>
>>>
>>> Stéphane
>>>
>>> On Mon, Jul 6, 2020 at 22:47, Bryan Wooten wrote:
>>>
 Thank you Ray. This helps.

 I see you are very active/helpful on this list...

 Perhaps one day I will return the favor.

 -Bryan

 University of Utah.

 On Mon, Jul 6, 2020 at 1:04 PM Ray Bon wrote:

> Bryan,
>
> I am just looking into cas management after a bit of a break from my 
> first frustrating attempt. My impression is that cas management is trying 
> to leverage the cas packages. The version of cas management must be the 
> same as a source of cas packages (I am working with 6.1.4-SNAPSHOT), but 
> does not have to be the same as the deployed cas (it can be older for 
> sure). This also means that the properties will be the same as those for 
> cas.
> I have not tried turning off version control for the services. First 
> time I tried, it was problematic. For the extra step of confirming 
> changes 
> to a service, it is probably not worth the effort. Just create a writable 
> directory (or make the default writable) for the git repo and be done 
> with 
> it.
> We store our services in ldap (so no file sync), but I am not that far 
> along in my config, maybe later this week or next.
>
> Ray
>
> On Mon, 2020-07-06 at 11:52 -0600, Bryan Wooten wrote:
>
> I was wondering if any of you fine folks could help me. 
>
> I am trying to get cas-management application (6.2) with a Cas 6.1.6 
> server. (I can change the cas-management version if needed.)
>
> Anyway I am having trouble understanding the docs and 
> management.properties settings.
>
> I am simply trying to manage a 1000 json file /etc/cas.config/services 
> directory.
>
> We don't need/want version control at this time or any file sync.
>
> At startup we get errors like this:
>
> Origin: "mgmt.enableVersionControl" from property source 
> "bootstrapProperties"
> Reason: The elements 
> [mgmt.enabledelegatedmgmt,mgmt.enableversioncontrol,mgmt.servicesrepo,mgmt.syncscript,mgmt.userrep
> osdir] were left unbound.
>
> For example, what is mgmt.userrep?
>
> If someone could share the management properties file that would be 
> great.
>
> -Bryan
>
> University of Utah
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
> I 

[cas-user] Re: CAS 6.1.6 inotify instances skyrocketing with Groovy files in SAML service.

2020-06-02 Thread William Jojo
Well, I was able to stop the hemorrhaging. Have been watching it for about 
an hour and the inotify list remains constant.

By using an inline Groovy script, CAS no longer needed to set up a watcher 
service for the Groovy scripts. However, I lost the ability to log debug 
info and compound statements seem to not be allowed in the inline model. 
Fortunately my code was not so horribly complex that I was able to work it 
out. For example:

AD groups are horribly disfigured (read in DN form) from the LDAP query, so 
we rewrite them like so:

  memberOf:
  [
java.util.ArrayList
[
  groovy { def groups = attributes['memberOf']; def result = []; for ( cn in groups ) result.add( ( cn =~ /CN=([^,]+),/)[0][1] ); return result; }
]
  ]

If anyone has an idea on where to begin looking for the cause of this 
issue, I am quite happy to help determine why this flies out of control.

Also, if anyone has info on the syntax limitations of inline Groovy scripts 
and how to still do logging in the inline script that would be very helpful 
for debugging.

Thank you!

Bill


On Monday, June 1, 2020 at 12:44:23 PM UTC-4, William Jojo wrote:
>
> Been running 6.1.6 for about 2 weeks. No issues - until I added SAML 
> support. This morning I noticed CAS no longer working. Checked log and 
> found:
>
> From log:
>
> 2020-06-01 09:05:32,086 INFO [org.apereo.cas.util.io.PathWatcherService] - 
> <*Watching directory at [/etc/cas/saml]*>
> 2020-06-01 09:05:32,086 ERROR 
> [org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] - <*User 
> limit of inotify instances reached or too many open files*>
> java.io.IOException: *User limit of inotify instances reached or too many 
> open files*
> at sun.nio.fs.LinuxWatchService.(LinuxWatchService.java:64) ~[?:?]
> at sun.nio.fs.LinuxFileSystem.newWatchService(LinuxFileSystem.java:47) 
> ~[?:?]
> at 
> org.apereo.cas.util.io.PathWatcherService.(PathWatcherService.java:62) 
> ~[cas-server-core-util-api-6.1.6.jar:6.1.6]
> at 
> org.apereo.cas.util.io.PathWatcherService.(PathWatcherService.java:40) 
> ~[cas-server-core-util-api-6.1.6.jar:6.1.6]
> at 
> org.apereo.cas.util.io.FileWatcherService.(FileWatcherService.java:26) 
> ~[cas-server-core-util-api-6.1.6.jar:6.1.6]
> at 
> org.apereo.cas.util.scripting.*WatchableGroovyScriptResource*.(WatchableGroovyScriptResource.java:31)
>  
> ~[cas-server-core-util-api-6.1.6.jar:6.1.6]
>
>
> Thought this was odd since never had this problem with any other area of 
> CAS watch areas. Did some digging and seems this is NOT an issue UNTIL I 
> added the groovy files to a SAML service.
>
> The portion of the JSON is as follows:
>
>   memberOf:
>   [
> java.util.ArrayList
> [
> file:/etc/cas/saml/memberOf.groovy
> ]
>   ]
>   eduPersonPrimaryAffiliation:
>   [
> java.util.ArrayList
> [
> file:/etc/cas/saml/eduPersonPrimaryAffiliation.groovy
> ]
>   ]
>
> Now look at this output:
>
> root@casdev-master:~# while (( 1 == 1 )); do date; lsof | grep inotify | 
> grep 31744 | wc -l; sleep 120; done
>
> Mon Jun  1 11:28:05 EDT 2020
>
> 178
>
> Mon Jun  1 11:30:05 EDT 2020
>
> 178
>
> Mon Jun  1 11:32:06 EDT 2020
>
> 178
>
> Mon Jun  1 11:34:06 EDT 2020
>
> 178
>
> Mon Jun  1 11:36:07 EDT 2020
>
> 178
>
> Mon Jun  1 11:38:08 EDT 2020
>
> 178
>
> Mon Jun  1 11:40:08 EDT 2020
>
> 1872
>
> Mon Jun  1 11:42:09 EDT 2020
>
> 2500
>
> Mon Jun  1 11:44:10 EDT 2020
>
> 3192
>
> Mon Jun  1 11:46:11 EDT 2020
>
> 3948
>
> Mon Jun  1 11:48:12 EDT 2020
>
> 4768
>
> Mon Jun  1 11:50:13 EDT 2020
>
> 5652
>
> Mon Jun  1 11:52:14 EDT 2020
>
> 6600
>
> There are 178 inotify watches consistently UNTIL I edit the service file 
> and allow the Groovy files to be used. Then it just goes out of control. 
> There were this many entries for each:
>
> root@casdev-master:~# lsof | grep inotify | grep 31744 | grep edu | wc -l
> 1200
> root@casdev-master:~# lsof | grep inotify | grep 31744 | grep member | wc 
> -l
> 1104
>
> It seems to be increasing by hundreds of entries per TID in a very brief 
> period of time and it also seems to be affecting other inotify counts as a 
> result. Any thoughts on why this would suddenly go out of control when 
> adding Groovy files to the service?
>
> Thank you!
>
> Bill
>
>

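The inline rewrite above pulls the CN out of each memberOf DN with one regex, and the group names it produces feed authorization decisions at the relying party, so the parse has to be right for every DN shape AD can return (escaped commas in a CN, a DN with a single RDN). As an added, standalone Groovy example that is not code from the post or from CAS, the script below runs that one-liner on constructed sample DNs next to a version built on javax.naming.ldap.LdapName; the attribute map, the DNs and the name hardenedRewrite are assumptions.

```groovy
// Added example (not from the list post or CAS): the post's one-line memberOf rewrite
// beside a parser-based version, both run on constructed AD-style DNs.
import javax.naming.InvalidNameException
import javax.naming.ldap.LdapName

// Constructed stand-in for the `attributes` binding an inline CAS script receives.
def attributes = [
    memberOf: [
        'CN=cas-admins,OU=Groups,DC=example,DC=edu',
        'CN=Doe\\, John,OU=Groups,DC=example,DC=edu',  // RFC 2253 escaped comma inside the CN value
        'CN=orphan'                                    // a DN consisting of a single RDN
    ]
]

// The post's inline script, unchanged apart from whitespace. The regex stops at the
// first comma, escaped or not, and `[0]` throws when the DN has no trailing RDN.
def naiveRewrite = { groups ->
    def result = []
    for (cn in groups) result.add((cn =~ /CN=([^,]+),/)[0][1])
    return result
}

// Hypothetical replacement: parse each DN, take its leftmost RDN, keep it only when the
// type is CN, and unescape the value. Unparsable values are skipped instead of aborting
// the whole attribute release for the user.
def hardenedRewrite = { groups ->
    groups.findResults { dn ->
        try {
            def name = new LdapName(dn)
            def rdn = name.getRdn(name.size() - 1)   // LdapName indexes from the right; last index is the leftmost RDN
            rdn.type.equalsIgnoreCase('CN') ? rdn.value.toString() : null
        } catch (InvalidNameException ignored) {
            null
        }
    }
}

// Feed the DNs one at a time so a single bad value does not mask the others.
attributes.memberOf.each { dn ->
    String naive
    try {
        naive = naiveRewrite([dn])[0]
    } catch (IndexOutOfBoundsException e) {
        naive = "<${e.class.simpleName}>"
    }
    println "${dn}\n  naive    = ${naive}\n  hardened = ${hardenedRewrite([dn])}"
}
```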


[cas-user] CAS 6.1.6 inotify instances skyrocketing with Groovy files in SAML service.

2020-06-01 Thread William Jojo
Been running 6.1.6 for about 2 weeks. No issues - until I added SAML 
support. This morning I noticed CAS no longer working. Checked log and 
found:

From log:

2020-06-01 09:05:32,086 INFO [org.apereo.cas.util.io.PathWatcherService] - 
<*Watching directory at [/etc/cas/saml]*>
2020-06-01 09:05:32,086 ERROR 
[org.apereo.cas.services.ReturnMappedAttributeReleasePolicy] - <*User limit 
of inotify instances reached or too many open files*>
java.io.IOException: *User limit of inotify instances reached or too many 
open files*
at sun.nio.fs.LinuxWatchService.(LinuxWatchService.java:64) ~[?:?]
at sun.nio.fs.LinuxFileSystem.newWatchService(LinuxFileSystem.java:47) 
~[?:?]
at 
org.apereo.cas.util.io.PathWatcherService.(PathWatcherService.java:62) 
~[cas-server-core-util-api-6.1.6.jar:6.1.6]
at 
org.apereo.cas.util.io.PathWatcherService.(PathWatcherService.java:40) 
~[cas-server-core-util-api-6.1.6.jar:6.1.6]
at 
org.apereo.cas.util.io.FileWatcherService.(FileWatcherService.java:26) 
~[cas-server-core-util-api-6.1.6.jar:6.1.6]
at 
org.apereo.cas.util.scripting.*WatchableGroovyScriptResource*.(WatchableGroovyScriptResource.java:31)
 
~[cas-server-core-util-api-6.1.6.jar:6.1.6]


Thought this was odd since never had this problem with any other area of 
CAS watch areas. Did some digging and seems this is NOT an issue UNTIL I 
added the groovy files to a SAML service.

The portion of the JSON is as follows:

  memberOf:
  [
java.util.ArrayList
[
file:/etc/cas/saml/memberOf.groovy
]
  ]
  eduPersonPrimaryAffiliation:
  [
java.util.ArrayList
[
file:/etc/cas/saml/eduPersonPrimaryAffiliation.groovy
]
  ]

Now look at this output:

root@casdev-master:~# while (( 1 == 1 )); do date; lsof | grep inotify | 
grep 31744 | wc -l; sleep 120; done

Mon Jun  1 11:28:05 EDT 2020

178

Mon Jun  1 11:30:05 EDT 2020

178

Mon Jun  1 11:32:06 EDT 2020

178

Mon Jun  1 11:34:06 EDT 2020

178

Mon Jun  1 11:36:07 EDT 2020

178

Mon Jun  1 11:38:08 EDT 2020

178

Mon Jun  1 11:40:08 EDT 2020

1872

Mon Jun  1 11:42:09 EDT 2020

2500

Mon Jun  1 11:44:10 EDT 2020

3192

Mon Jun  1 11:46:11 EDT 2020

3948

Mon Jun  1 11:48:12 EDT 2020

4768

Mon Jun  1 11:50:13 EDT 2020

5652

Mon Jun  1 11:52:14 EDT 2020

6600

There are 178 inotify watches consistently UNTIL I edit the service file 
and allow the Groovy files to be used. Then it just goes out of control. 
There were this many entries for each:

root@casdev-master:~# lsof | grep inotify | grep 31744 | grep edu | wc -l
1200
root@casdev-master:~# lsof | grep inotify | grep 31744 | grep member | wc -l
1104

It seems to be increasing by hundreds of entries per TID in a very brief 
period of time and it also seems to be affecting other inotify counts as a 
result. Any thoughts on why this would suddenly go out of control when 
adding Groovy files to the service?

Thank you!

Bill



[cas-user] Re: CAS V5.3 with Zoom SSO???

2020-05-13 Thread William E.
We did with saml too, but with the Shibboleth "half" of our CAS+Shibboleth 
combined service.  If you are looking for guidance using CAS as saml IDP 
with it, sorry, can't help.

As for the integration, once you get it going, on the zoom side you can map 
attribute values to zoom roles.  And it auto-creates user account on first 
sso login to zoom.

-William

On Tuesday, May 12, 2020 at 4:37:03 PM UTC-5, Keith Alston (Staff) wrote:
>
> Anyone set up Zoom SSO with CAS?? Any pointers/tips??
>
>  
>
> -Keith Alston
>
> kei...@regent.edu 
>
> Regent University
>
> 757-619-3421
>
>  
>



[cas-user] Re: Chrome and samesite cookies

2020-02-27 Thread William E.
Not us.  Canvas is hosted with the vendor, our CAS is local, we're on 5.3.

-W


On Wednesday, February 26, 2020 at 12:13:47 PM UTC-6, ste...@rutgers.edu 
wrote:
>
> We received an email stating there are issues authenticating to our Canvas 
> instance due to the Chrome SameSite changes.  Has anyone else had issues?  
> Is there a fix for this?  We're running v3.6 at the moment, upgrading to 
> v5.3 within the next 6 months.
>
> thanks,
> ds
>
>



[cas-user] CAS 6.1.3 PM password reset link question.

2020-01-24 Thread William Jojo
Good morning!

When requesting a password reset from the main CAS login page (not via 
service) you receive a link like the following:

https://casdev.hvcc.edu/cas/login?pswdrst=TST-1-ATe9S6Bym5Vq8Prk6lMa9Pr86war7Ijf

However, if selected from a service's login page, you get the following:

https://casdev.hvcc.edu/cas/login?pswdrst=TST-1-ATe9S6Bym5Vq8Prk6lMa9Pr86war7Ijf=https%3A%2F%2Fsite.blackboard.com%2Fwebapps%2Fbb-auth-provider-cas-BB5ca8ab8e56369%2Fexecute%2FcasLogin%3Fcmd%3Dlogin%26authProviderId%3D_124_1%26redirectUrl%3Dhttps%253A%252F%252Fhvcc-site.blackboard.com%252Fwebapps%252Fportal%252Fexecute%252FdefaultTab%26globalLogoutEnabled%3Dtrue

Not sure the service needs to be on this link. As I understand it, the 
transient service ticket is a one shot directed at the password reset 
component, so I am uncertain why the service would be necessary as the link 
also works with the ?service portion removed.

Is this something that ought to be removed from the link?

Thank you! 

Bill



[cas-user] CAS Management 6.1.0-RC4 BUGS

2020-01-23 Thread William Jojo
Hope this is the right place to list CAS Management bugs, there are several
to report.

Please know that I love the tool and wanted to provide detailed feedback.


My management.properties looks like:

cas.server.name=https://casdev-master.hvcc.edu
cas.server.prefix=${cas.server.name}/cas

mgmt.serverName=${cas.server.name}
mgmt.adminRoles[0]=ROLE_ADMIN
mgmt.userPropertiesFile=file:/etc/cas/config/users.properties

mgmt.versionControl.servicesRepo=/etc/tomcat9/services-repo
mgmt.versionControl.enabled=false

cas.serviceRegistry.json.location=file:/etc/tomcat9/services-repo

logging.config=file:/etc/cas/config/log4j2-management.xml

cas.authn.attributeRepository.stub.attributes.UDC_IDENTIFIER: UDC_IDENTIFIER
cas.authn.attributeRepository.stub.attributes.cn: cn
cas.authn.attributeRepository.stub.attributes.displayName: displayName
cas.authn.attributeRepository.stub.attributes.givenName: givenName
cas.authn.attributeRepository.stub.attributes.mail: mail
cas.authn.attributeRepository.stub.attributes.sn: sn
cas.authn.attributeRepository.stub.attributes.sAMAccountName: sAMAccountName
cas.authn.attributeRepository.stub.attributes.uid: uid

--

Had to use users.properties with:

w.jojo=notused,ROLE_ADMIN

Since the users.json:

{
  "w.jojo" : {
"@class" : "org.apereo.cas.mgmt.authz.json.UserAuthorizationDefinition",
"roles" : [ "ROLE_ADMIN" ]
  }
}

Would not work. Received an authorization failure with a redirect error.

--

Many properties have changed having added versionControl to some property
names. For example:


*mgmt.versionControl.servicesRepo*=/etc/tomcat9/services-repo

*mgmt.versionControl.enabled*=false   # had to dig through the code for
this one.


The docs need some care and feeding.


The docs issue aside, if enabled is false, the tool still insists in
finding a git repository and refuses to load the JSON files. The only way
around this was to forcibly create an initialized repo (the directory is
not enough, it MUST be one with “git init” having been done - not mentioned
in the docs) whereby the JSON files are then read and visible in the
management interface list of services.


Some sort of indicator in the management interface regarding a failure to
assess the repo folder (Read only filesystem for jailed Tomcat apps) and
for uninitialized git repos would be really helpful here. Or maybe asking
if the user would like a "git init" done on their behalf indicating the
repo location.


Additionally, if version control is disabled, there would be no need to
validate the repo.


--


After all of that was fixed, I was able to create a new entry. Yay! But saw
a warning in the logs:


[casdev-casapp-1579718776438.json] does not match the recommended pattern
[(\w+)-(\d+)\.json]


Tried renaming a service resulting in


java.nio.file.NoSuchFileException:
/etc/tomcat9/services-repo/casdev-casapp-1579718776438*..*json


Note the extra dot. Looks like a filename handling bug. Had to remove the
file manually then save was successful.


Would it be advantageous to not allow extra hyphens in the service name?
Would it also be possible to notify the user that there was a file handling
error? It currently says there was a problem and you should try again later.


--


Cannot edit service and switch from *Return All* to *Return Allowed*. You
can select it, but the list remains and you have to either pick *Return All*
or *Deny All* to move through the interface. If you do pick *Deny All* and
save it, editing it again reveals that it is still *Return All*.


--


Delete service shows “deleting service” thumb-sucker long after (about
45-60 seconds) file has been deleted from repo. You can select other
actions, it just hangs around for awhile.



Thank you!


Bill



Re: [cas-user] Re: CAS 6.1.3 PM JDBC Bug

2020-01-23 Thread William Jojo
Andy,

Awesome! Thank you for the heads up!

Bill

On Thu, Jan 23, 2020 at 1:10 AM Andy Ng  wrote:

> Hi Bill,
>
> Seems like the CAS team will be fixing this in latest CAS version, see
> this commit:
>
> https://github.com/apereo/cas/commit/e214dba59c2273409c406cf4301e2dc875183295
>
> Looks to me they implemented a check this line here:
>
> https://github.com/apereo/cas/blob/master/support/cas-server-support-pm-jdbc/src/main/java/org/apereo/cas/pm/jdbc/JdbcPasswordManagementService.java#L91
>
> So presumably this bug shouldn't bother you (and others) for the latest
> version :)
>
> Cheers!
> - Andy
>
>



[cas-user] CAS 6.1.3 PM JDBC Bug

2020-01-16 Thread William Jojo
Hello all,

Running CAS 6.1.3, OpenJDK 11.0.4, CAS Oracle driver (ojdbc10-19.3.0.0.jar) 
on Ubuntu 18.04.

In 5.3.x we never needed to set a value for the 
*cas.authn.pm.jdbc.sqlFindPhone*. In fact, we do not use it.

It seems in 6.1.3 there must be a query set. Otherwise you get the 
following:

Error: Exception thrown executing 
org.apereo.cas.pm.web.flow.actions.SendPasswordResetInstructionsAction@6b941a59 
in state 'sendPasswordResetInstructions' of flow 'login' -- action execution 
attributes were 'map[[empty]]'

Further down in the stack trace:

Caused by: java.lang.IllegalArgumentException: *SQL must not be null*
at org.springframework.util.Assert.notNull(Assert.java:198)
at 
org.springframework.jdbc.core.JdbcTemplate$SimplePreparedStatementCreator.(JdbcTemplate.java:1550)
at 
org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:700)
at 
org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:712)
at 
org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:783)
at 
org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:809)
at 
*org.apereo.cas.pm.jdbc.JdbcPasswordManagementService.findPhone*(JdbcPasswordManagementService.java:72)

If I set the *cas.authn.pm.jdbc.sqlFindPhone* to be the same query as for 
email, it is successful. It is annoying, but I can live with it for the 
moment.

Just wanted others to know this seems to be a bug.

Bill



Re: [cas-user] Re: CAS 6.x Error while deploying cas.war in tomcat

2020-01-08 Thread William Jojo
Dmitriy,

Late to the party on this one. This solution worked for me on Ubuntu 18.04 
with distro packaged Tomcat 9.0.16. Thank you!

What are the ramifications of setting this value?

Bill

On Wednesday, November 13, 2019 at 8:58:43 AM UTC-5, Dmitriy Kopylenko 
wrote:
>
> For what it's worth - if anyone is deploying CAS 6.1 to external Tomcat 
> versions that do not have the newer API, and do not want to either upgrade 
> Tomcat or use CAS in the embedded mode, add this line to your 
> cas.properties -> 
> *spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.web.embedded.EmbeddedWebServerFactoryCustomizerAutoConfiguration*
>
> and you should be good to go.
>
> Cheers,
> D.
>
>
> From: Nicolas Teste  
> Reply: cas-...@apereo.org   
> Date: November 13, 2019 at 8:50:17 AM
> To: CAS Community  
> Subject:  [cas-user] Re: CAS 6.x Error while deploying cas.war in tomcat 
>
> I had the same issue a few days ago trying to upgrade from 6.0 to 6.1 on 
> Debian 9 and Tomcat 8.5.38 (from backport).
> It looks like the method is really missing.
>
> Online resources
>
> - https://github.com/apache/tomcat/blame/master/java/org/apache/catalina/valves/RemoteIpValve.java#L480
> - https://bz.apache.org/bugzilla/show_bug.cgi?id=57665#c24
>
> seem to indicate that the method is quite new and not available in our 
> distro-packaged Tomcat.
>
> Fixed in:
>> - master for 9.0.23 onwards
>> - 8.5.x for 8.5.44 onwards
>> - 7.0.x for 7.0.97 onwards
>>
>>
> On Friday, October 18, 2019 16:48:06 UTC+2, MW wrote: 
>>
>> I bet it would run with this command: java -jar /path/to/cas.war
>>
>> However, remove the line in your gradle.properties 
>>
>> tomcatVersion=9.0.16
>>
>> Then, replace -tomcat as your appServer value and recompile. 
>>
>>
>>
>>
>> On Thursday, October 17, 2019 at 9:26:55 AM UTC-6, moncada wrote:
>>
>>> Hello everyone,
>>>
>>> I am on Ubuntu Bionic with Tomcat 9.0.16 and CAS 6.1.0-SNAPSHOT
>>>
>>> I build the war with the command via overlay:
>>>
>>> build.sh package
>>>
>>> I copy cas.war in the webapps directory here is the log:
>>>
>>> 2019-10-17 17:19:27,064 INFO
>>>
>>> [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator]
>>> - >> [/etc/cas/config/cas.properties]]] under profile(s) [[standalone]]>
>>> 2019-10-17 17:19:27,246 INFO
>>> [org.apereo.cas.web.CasWebApplicationServletInitializer] - >> following profiles are active: standalone>
>>> 2019-10-17 17:19:46,297 DEBUG
>>> [org.apereo.cas.support.saml.OpenSamlConfigBean] - >> successfully.>
>>> 2019-10-17 17:19:46,613 WARN
>>>
>>> [org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext]
>>> - >> refresh attempt:
>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>> bean with name 'tomcatServletWebServerFactory' defined in class path
>>> resource
>>>
>>> [org/springframework/boot/autoconfigure/web/servlet/ServletWebServerFactoryConfiguration$EmbeddedTomcat.class]:
>>> Initialization of bean failed; nested exception is
>>> java.lang.NoSuchMethodError: 'void
>>>
>>> org.apache.catalina.valves.RemoteIpValve.setHostHeader(java.lang.String)'>
>>> 2019-10-17 17:19:46,659 WARN
>>>
>>> [org.springframework.boot.context.properties.migrator.PropertiesMigrationListener]
>>> - <
>>> The use of configuration keys that have been renamed was found in the
>>> environment:
>>>
>>> Property source 'bootstrapProperties':
>>> Key: cas.authn.throttle.appcode
>>> Replacement: cas.authn.throttle.app-code
>>>
>>>
>>> Each configuration key has been temporarily mapped to its replacement
>>> for your convenience. To silence this warning, please update your
>>> configuration to use the new keys.
>>> >
>>> 2019-10-17 17:19:46,703 ERROR
>>> [org.springframework.boot.diagnostics.LoggingFailureAnalysisReporter] - <
>>>
>>> ***
>>> APPLICATION FAILED TO START
>>> ***
>>>
>>> Description:
>>>
>>> An attempt was made to call a method that does not exist. The attempt
>>> was made from the following location:
>>>
>>>
>>>
>>> org.springframework.boot.autoconfigure.web.embedded.TomcatWebServerFactoryCustomizer.customizeRemoteIpValve(TomcatWebServerFactoryCustomizer.java:186)
>>>
>>> The following method did not exist:
>>>
>>> 'void
>>> org.apache.catalina.valves.RemoteIpValve.setHostHeader(java.lang.String)'
>>>
>>> The method's class, org.apache.catalina.valves.RemoteIpValve, is
>>> available from the following locations:
>>>
>>>
>>>
>>> jar:file:/usr/share/java/tomcat9-catalina-9.0.16.jar!/org/apache/catalina/valves/RemoteIpValve.class
>>>
>>>
>>> jar:file:/var/lib/tomcat9/webapps/cas/WEB-INF/lib/tomcat-catalina-9.0.27.jar!/org/apache/catalina/valves/RemoteIpValve.class
>>>
>>>
>>> jar:file:/var/lib/tomcat9/webapps/cas/WEB-INF/lib/tomcat-embed-core-9.0.27.jar!/org/apache/catalina/valves/RemoteIpValve.class
>>>
>>> It was loaded from the following location:
>>>
>>> 

[cas-user] Re: Inquiring CAS commercial support

2019-09-10 Thread William E.
We have been using Unicon <https://www.unicon.net/> for a few years now. 
Misagh, who I consider the main CAS developer, works for them.  We're happy 
with their support.

-William


On Monday, September 9, 2019 at 1:38:05 PM UTC-5, Yan Zhou wrote:
>
> Hi,
>
> We use CAS 4.1.9 and CAS 5.3. It has been running well in PROD. We are in 
> health-care industry and would like to look into commercial CAS support. 
>
> One of my biggest unknowns and fear is gaining visibility into CAS ticket 
> registry, hazelcast.  If some of PROD users cannot login, it seems that 
> usually this is because the ticket validation failed. It seems difficult 
> gaining visibility into troubleshooting that in PROD traffic.
>
> I am not sure whether I would better off getting Hazelcast commercial 
> support of CAS commercial support. 
>
> I looked up the CAS documentation, the membership fee is for academic 
> organizations, so we do not qualify. With the list of commercial 
> organizations providing CAS support, anyone has experience with any of them?
>
>
>
> Thx!
> Yan
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f24b9a4c-0345-4303-a42f-e584ba3846c2%40apereo.org.


[cas-user] Re: Signing is not enabled for [Token/JWT Tickets]. The cipher [RegisteredServiceJwtTicketCipherExecutor] will attempt to produce plain objects

2019-08-09 Thread William E.
We're on 5.3.11.  Struggled with this as well, could never find a third 
party tool or library that could validate the jwt generated by cas.  I even 
contacted the maintainer of one of the python libs and he claims the cas 
generated JWT was invalid.  I was able to write my own java to validate 
based on code provided by cas:  
https://apereo.github.io/cas/5.3.x/installation/Configure-ServiceTicket-JWT.html

cas.authn.token.crypto.enabled=true
cas.authn.token.crypto.encryptionEnabled=true
cas.authn.token.crypto.signing.key=
cas.authn.token.crypto.encryption.key=


Snippet from service configured to return jwt.  Note pre-5.3, somewhere, 
the property name was jwtAsServiceTicket vs. jwtAsResponse.


"properties" : {
  "@class" : "java.util.LinkedHashMap",
  "jwtAsResponse" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
    "values" : [ "java.util.HashSet", [ "true" ] ]
  }
}




On Thursday, August 8, 2019 at 4:15:35 PM UTC-5, Drew Liscomb wrote:
>
> Also, this was working in 5.1.3, but, of course, with the 'old style' 
> properties, before the New Order with *.crypto.* was implemented.
>
> Drew
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f7bb150e-e84d-4b7c-96ee-89d4e3136785%40apereo.org.


Re: [cas-user] Re: JWT without encryption key

2018-12-15 Thread William E.
I think you are seeing the discrepancy due to base64 vs. base64url 
decoding.  I think the jwt spec. wants base64 url vs. plain base64.

https://en.wikipedia.org/wiki/Base64#URL_applications


On Friday, December 14, 2018 at 9:37:45 AM UTC-6, Devendra Sisodia wrote:
>
> While decoding JWT there is error "Bad Base64 input character decimal 37 
> in array position 806" Which means 37(%) is not allowed in encoded base 64 
> string in JWT.
>
> My JWT looks like below and yellow highlighted is the 806th element that 
> cannot be base 64 decode. 
>
> eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJpdmVyYXNlINTg3In0%3D.
> UmNz8ikEOFYqPgHRmZb1SK6A1pRFu48fSfYTasMGYHKtg7V8JepAfwunXwFeHsx5JTi4yKBug1Tq9PqfdY93lA
>
> On Fri, Dec 14, 2018 at 2:11 PM Giuseppe Infurna wrote:
>
>>
>> i'm using io.jsonwebtoken.jjwt library
>>
>> Jwts.parser().setSigningKey().parseClaimsJws();
>>
>>
>>
>> Il giorno venerdì 14 dicembre 2018 14:02:14 UTC+1, Devendra Sisodia ha 
>> scritto:
>>>
>>> Hello,
>>>
>>> Big Thanks for sharing configuration and as a result JWT is not 
>>> encrypted and only signed. 
>>>
>>> But now I face strange issue. when I try to verify signature it fails. I 
>>> am using AES and single key to sign and JWT is generated. But the generate 
>>> JWT fails signature verification.
>>>
>>> JWT generated as below:
>>> 2018-12-14 12:33:00,684 DEBUG 
>>> [org.apereo.cas.token.JWTTokenTicketBuilder] - >> http://localhost:/api] in service registry>
>>> 2018-12-14 12:33:00,685 DEBUG 
>>> [org.apereo.cas.token.JWTTokenTicketBuilder] - >> signing and encryption keys for [http://localhost:/api] in service 
>>> registry>
>>> 2018-12-14 12:33:00,690 WARN 
>>> [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - >> enabled for [Token/JWT Tickets]. The cipher 
>>> [RegisteredServiceTokenTicketCipherExecutor] will only attempt to produce 
>>> signed objects>
>>> 2018-12-14 12:33:00,690 WARN 
>>> [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - >> enabled for [Token/JWT Tickets]. The cipher 
>>> [RegisteredServiceTokenTicketCipherExecutor] will attempt to produce plain 
>>> objects>
>>> 2018-12-14 12:33:00,690 DEBUG 
>>> [org.apereo.cas.token.JWTTokenTicketBuilder] - >> default global keys for [http://localhost:/api]>
>>> 2018-12-14 12:33:00,734 DEBUG 
>>> [org.apereo.cas.authentication.principal.DefaultResponse] - >> for redirect response is [http://localhost:/api]>
>>> 2018-12-14 12:33:00,736 DEBUG 
>>> [org.apereo.cas.authentication.principal.DefaultResponse] - >> response is [
>>> http://localhost:/api?redirect=true=eyJhbGciOiJSUzUxMiJ9
>>>
>>> Verfication code used is:
>>> final Key key = new AesKey(jwtSigning.getBytes(StandardCharsets.UTF_8));
>>>
>>> final JsonWebSignature jws = new JsonWebSignature();
>>> jws.setCompactSerialization(secureJwt);
>>> jws.setKey(key);
>>> if (!jws.verifySignature()) {
>>> throw new Exception("JWT verification failed");
>>> }
>>>
>>> On Thu, Dec 13, 2018 at 3:40 PM Giuseppe Infurna  
>>> wrote:
>>>

 yes


 ###Token/JWT Tickets ENCRYPTION
 cas.authn.token.crypto.enabled=true

 cas.authn.token.crypto.signing-enabled=true
 cas.authn.token.crypto.signing.key=
 Dkkpi7iUKqidOXXmeAbr4RyHirYmgQgqqUrIo6q_JPNks2iqX2l95jVVoZQDWLNiFnhQF43agCtdMxRnIXOO9g

 cas.authn.token.crypto.encryption-enabled=false
 cas.authn.token.crypto.encryption.key=

 and 

 {
   "@class" : "org.apereo.cas.services.RegexRegisteredService",
   "serviceId" : "^(http|https)://?localhost(:8081|:9060|:9000)?/.*",
   "name" : "myApplication",
   "theme" : "myApplication",
   "id" : 1003,
   "description" : "My Application",
   "evaluationOrder" : 1,
   "usernameAttributeProvider" : {
 "@class" : 
 "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
   },
   "attributeReleasePolicy" : {
 "@class" : 
 "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
   },
   "accessStrategy" : {
 "@class" : 
 "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
 "enabled" : true,
 "ssoEnabled" : true
   },
   "proxyPolicy" : {
 "@class" : 
 "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
 "pattern" : "^(http|https)?://.*"
   },
   "properties" : {
 "@class" : "java.util.HashMap",
 "jwtAsServiceTicket" : {
   "@class" : 
 "org.apereo.cas.services.DefaultRegisteredServiceProperty",
   "values" : [ "java.util.HashSet", [ "true" ] ]
 }
   }
 }



 Il giorno giovedì 13 dicembre 2018 14:55:49 UTC+1, Devendra Sisodia ha 
 scritto:
>
> Sorry, but this does not work.
> How's your service(one with definition of 'jwtAsServiceTicket', etc) 
> looks like ?
>
>
> On Thu, Dec 13, 2018 at 2:09 PM Giuseppe Infurna  
> wrote:
>
>> Hi all,
>>  I'm work fine with
>>
>> 

[cas-user] Decode nested JWT with Python

2018-12-05 Thread William E.
Has anyone tried to parse the nested JWT, JWS + JWE, produced by CAS 5.x?  
If so, would you mind posting a snippet please?  I've read that the 
python-jose library can check signatures but not decrypt the payload.  Been 
trying to use jwcrypto but can't seem to get the step put together in the 
correct order.  Admittedly, I am very new to python and may be just making 
newbie mistakes.

My understanding is the JWT from cas is header + encrypted payload with 
signature of these two combined, then all base64 encoded.  Using this 
<https://apereo.github.io/cas/development/installation/Configure-ServiceTicket-JWT.html#jwt-validation---aes>
 
doc showing java decode/decrypt as a guide: 

  
https://apereo.github.io/cas/development/installation/Configure-ServiceTicket-JWT.html#jwt-validation---aes


Our cas settings are as follows, keys omitted below.

cas.authn.token.crypto.signing.keySize=512
cas.authn.token.crypto.encryption.keySize=256
cas.authn.token.crypto.alg=AES
cas.authn.token.crypto.enabled=true
cas.authn.token.crypto.encryptionEnabled=true



My feeble attempts so far look something like this:


import base64
from jwcrypto import jwk, jwe, jws, jwt
from jwcrypto.common import json_encode, json_decode

token = 'eyJhbGciOiJIUzUxMiJ9.ZX'  # the base64 jwt (truncated in the post)

# key strings omitted in the post: the base64url values of
# cas.authn.token.crypto.signing.key and cas.authn.token.crypto.encryption.key
signkeyStr = ''
enckeyStr = ''

signKey = jwk.JWK(kty='oct', k=signkeyStr)
encKey = jwk.JWK(kty='oct', k=enckeyStr)

E = jwe.JWE()
# deserialize and decrypt
E.deserialize(token)
E.decrypt(encKey)
raw_payload = E.payload



Which results in:




  File "/usr/local/Cellar/python/3.7.1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/__init__.py", line 348, in loads
    return _default_decoder.decode(s)
  File "/usr/local/Cellar/python/3.7.1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/local/Cellar/python/3.7.1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

jwcrypto.jwe.InvalidJWEData: Unknown Data Verification Failure

jwcrypto.jwe.InvalidJWEData: Invalid format {InvalidJWEData('Unknown Data Verification Failure')}



Thanks,

William


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/760c3248-9a47-41d3-9612-7c5e34d4c961%40apereo.org.
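
The three JWT threads above (the 5.3.11 post about validating CAS-issued tokens, the base64 vs. base64url reply, and this nested-JWT question) all come down to the same check. What follows is an added example, not code from the posts or from CAS: an HS512 signature check written with only the Python standard library, so every byte that goes into the HMAC is visible. It assumes the signing key is used as the raw bytes of the configured string, exactly as the jose4j snippet quoted in the thread does; if an issuer derives the key differently, verification fails, which is the safe outcome. It covers only the signature layer; the encrypted outer layer this question asks about needs an AES implementation outside the standard library and is not shown. Keys, claims and tokens here are constructed. The decoder tolerates what the threads stumbled on (`%3D` padding from a redirect URL, missing padding, the `+/` alphabet), while the verifier pins the algorithm instead of trusting the token's own `alg` header.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import unquote


def b64url_decode(segment: str) -> bytes:
    """Decode one compact-serialization segment.

    Tolerant of padding that a redirect URL turned into "%3D", padding that is
    missing altogether, and the standard-base64 "+/" alphabet in place of the
    base64url "-_" alphabet.
    """
    text = unquote(segment).replace("-", "+").replace("_", "/").rstrip("=")
    return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)


def b64url_encode(data: bytes, pad: bool = False) -> str:
    """Base64url-encode; pad=True mimics an issuer that keeps the "=" padding."""
    text = base64.urlsafe_b64encode(data).decode("ascii")
    return text if pad else text.rstrip("=")


def sign_hs512(claims: dict, key: bytes, pad: bool = False) -> str:
    """Build an HS512 JWS in compact serialization (header.payload.signature)."""
    header = b64url_encode(json.dumps({"alg": "HS512", "typ": "JWT"}, separators=(",", ":")).encode(), pad)
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode(), pad)
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha512).digest()
    return f"{header}.{payload}.{b64url_encode(signature, pad)}"


def verify_hs512(token: str, key: bytes) -> Optional[dict]:
    """Return the claims when the HS512 signature verifies, otherwise None."""
    parts = unquote(token).split(".")          # undo percent-encoding from the redirect URL
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:                          # bad base64 or bad JSON
        return None
    # Pin the algorithm: a header saying "none" or a weaker HMAC is rejected outright.
    if not isinstance(header, dict) or header.get("alg") != "HS512":
        return None
    # The signing input is the two segments exactly as the issuer emitted them,
    # so any padding the issuer included stays in.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        return json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None


def demo() -> dict:
    """Exercise the verifier on constructed tokens; key and claims are made up."""
    key = b"constructed-demo-signing-key"      # constructed, not a real CAS key
    claims = {"sub": "alice", "iss": "https://sso.example.org"}
    token = sign_hs512(claims, key)
    header, payload, sig = token.split(".")
    forged = ".".join([header, b64url_encode(b'{"sub":"mallory"}'), sig])
    # An issuer that kept "=" padding, after a redirect URL percent-encoded it.
    url_encoded = sign_hs512(claims, key, pad=True).replace("=", "%3D")
    return {
        "valid": verify_hs512(token, key),
        "forged": verify_hs512(forged, key),
        "wrong_key": verify_hs512(token, b"some-other-key"),
        "url_encoded": verify_hs512(url_encoded, key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it as a script and the `forged` and `wrong_key` cases come back `None` while the padded, percent-encoded token still verifies, because the signing input is taken from the segments as received rather than re-encoded.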


[cas-user] Re: encryption and signing key generation

2018-09-13 Thread William E.
If you enable jwt in cas.properties by defining these two properties:

cas.authn.token.crypto.enabled=true
cas.authn.token.crypto.encryptionEnabled=true


But leave these commented out:

cas.authn.token.crypto.signing.key
cas.authn.token.crypto.encryption.key


Your catalina.out should log the generation of both keys, different each 
time you start the app of course.  I would just grab the values, then 
define in your cas.properties, then restart tomcat.

Log lines to look for:

WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - 

WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - 


WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - 

WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - 


-W

On Thursday, September 13, 2018 at 3:01:26 PM UTC-5, Curtis Ruck wrote:
>
> The problem is due to the chicken and egg issue.  I need to prepopulate 
> the cas.properties, so the service can start up and work (without human 
> intervention).  I'm trying my best to avoid having to start a service, 
> parse the logs, and modify config, then restart the service.  The 
> documentation seems very light on these keys.
>
> On Thursday, September 13, 2018 at 10:03:02 AM UTC-4, William E. wrote:
>>
>> +1
>>
>> I ended up grabbing values from the cas startup logs and setting in my 
>> cas.properties.  Seems to work.
>>
>>
>> On Wednesday, September 12, 2018 at 3:34:32 PM UTC-5, Curtis Ruck wrote:
>>>
>>> So i'm trying to automate the generation and persistence of the 
>>> cas.tgc.crypto and cas.webflow.crypto encryption and signing keys.
>>>
>>> I'm using the jwk-gen.jar, and when i store the key in cas.properties, 
>>> i end up with "Invalid AES key length: 43 bytes" when trying to access the 
>>> login page.
>>>
>>>
>>> If I let CAS generate a key, its the same exact string length (43 
>>> bytes). What is different between my key versus cas's generated keys? Then 
>>> i'm extracting the k value from the json, and inserting it into my 
>>> cas.properties.
>>>
>>> java -jar jwk-gen.jar -t oct 256 -o tgc-enc.jwks
>>> java -jar jwk-gen.jar -t oct 512 -o tgc-sig.jwks
>>> java -jar jwk-gen.jar -t oct 256 -o webflow-enc.jwks
>>> java -jar jwk-gen.jar -t oct 512 -o webflow-sig.jwks
>>>
>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2a9e1fc4-7305-4efe-8da8-7d7ccd465206%40apereo.org.
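
Curtis's "Invalid AES key length: 43 bytes" is the shape of a 256-bit key read the wrong way: 32 random bytes base64url-encode to 43 characters, and 43 is not a valid AES key size, so a consumer that uses the characters themselves as the key fails where one that decodes them first gets 32 bytes. The following is an added example, not code from the thread or from CAS, and it makes no claim about which reading CAS applies to which property; it reports both lengths for a bare key string or for a whole oct JWK as jwk-gen writes one, assuming the JWK is a JSON object with a base64url `k` member as RFC 7518 defines it. The sample keys are constructed.

```python
import base64
import json
from typing import Dict, Union

AES_KEY_SIZES = (16, 24, 32)        # bytes: AES-128, AES-192, AES-256


def b64url_decode(value: str) -> bytes:
    """Base64url decode, adding the padding that JWK 'k' values omit."""
    value = value.strip().rstrip("=")
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def inspect_key(value: str) -> Dict[str, Union[int, bool]]:
    """Report a configured key's length under both readings a consumer might use:
    the string's own bytes, or the bytes the string base64url-decodes to.
    Accepts either the bare value or a whole oct JWK ({"kty":"oct","k":"..."})."""
    if value.lstrip().startswith("{"):
        value = json.loads(value)["k"]          # the 'k' member is base64url per RFC 7518
    raw_len = len(value.encode("utf-8"))
    try:
        decoded_len = len(b64url_decode(value))
    except ValueError:
        decoded_len = -1                        # not base64url at all
    return {
        "raw_bytes": raw_len,
        "raw_is_aes_size": raw_len in AES_KEY_SIZES,
        "decoded_bytes": decoded_len,
        "decoded_bits": max(decoded_len, 0) * 8,
        "decoded_is_aes_size": decoded_len in AES_KEY_SIZES,
    }


# Constructed sample keys (deterministic bytes, not secrets): a 256-bit key as
# jwk-gen -t oct 256 would wrap it, and a 512-bit signing key as a bare value.
DEMO_K_256 = base64.urlsafe_b64encode(bytes(range(32))).rstrip(b"=").decode("ascii")
DEMO_JWK_256 = json.dumps({"kty": "oct", "k": DEMO_K_256})
DEMO_K_512 = base64.urlsafe_b64encode(bytes(range(64))).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    for label, key in (("256-bit JWK", DEMO_JWK_256), ("512-bit value", DEMO_K_512)):
        print(label, inspect_key(key))
```

For the 256-bit sample the report reads 43 raw bytes (not an AES size) against 32 decoded bytes (AES-256); the 512-bit one is 86 characters and 64 bytes, a size that fits an HMAC-SHA512 key and not an AES key, which is what you would expect of a signing key.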


[cas-user] Re: encryption and signing key generation

2018-09-13 Thread William E.
+1

I ended up grabbing values from the cas startup logs and setting in my 
cas.properties.  Seems to work.


On Wednesday, September 12, 2018 at 3:34:32 PM UTC-5, Curtis Ruck wrote:
>
> So i'm trying to automate the generation and persistence of the 
> cas.tgc.crypto and cas.webflow.crypto encryption and signing keys.
>
> I'm using the jwk-gen.jar, and when i store the key in cas.properties, i 
> end up with "Invalid AES key length: 43 bytes" when trying to access the 
> login page.
>
>
> If I let CAS generate a key, its the same exact string length (43 bytes). 
> What is different between my key versus cas's generated keys? Then i'm 
> extracting the k value from the json, and inserting it into my 
> cas.properties.
>
> java -jar jwk-gen.jar -t oct 256 -o tgc-enc.jwks
> java -jar jwk-gen.jar -t oct 512 -o tgc-sig.jwks
> java -jar jwk-gen.jar -t oct 256 -o webflow-enc.jwks
> java -jar jwk-gen.jar -t oct 512 -o webflow-sig.jwks
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/337c54a8-1b4c-4e08-826c-f4980b54d2a3%40apereo.org.


[cas-user] banner 8 via ssomanager and cas intermittent error

2018-08-03 Thread William E.
We upgraded cas from 5.2 to 5.3 last night.  Today almost everything is 
working fine except banner 8 sso logins via ellucian's ssomanager(circa 
2013 version).  We're sporadically seeing the below trace in the browser.  
I'm suspecting the 2013 ssomanager app from ellucian is running an outdated 
cas client jar and upgrading it will fix us.  Anyone else seen this issue?

Error 500--Internal Server Error

org.jasig.cas.client.validation.TicketValidationException: 
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 243; 
cvc-datatype-valid.1.2.1: '27b0904a-b383-4325-8b62-997b606893cd' is not a valid 
value for 'NCName'.
at 
org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:94)
at 
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:188)
at 
org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
at 
com.ellucian.sso.client.web.filter.SSOValidationFilter.doFilter(Unknown Source)
at 
weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
at 
org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:102)
at 
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at 
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at 
weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
at 
com.ellucian.sso.client.web.filter.QueryParamStorageFilter.doFilter(Unknown 
Source)
at 
weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
at 
weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at 
weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
at 
weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3748)
at 
weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3714)
at 
weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at 
weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at 
weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2283)
at 
weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2182)
at 
weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1499)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 243; 
cvc-datatype-valid.1.2.1: '27b0904a-b383-4325-8b62-997b606893cd' is not a valid 
value for 'NCName'.
at org.opensaml.SAMLObject.fromStream(Unknown Source)
at org.opensaml.SAMLResponse.(Unknown Source)
at 
org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:50)
... 21 more
Caused by: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 243; 
cvc-datatype-valid.1.2.1: '27b0904a-b383-4325-8b62-997b606893cd' is not a valid 
value for 'NCName'.
at 
com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:198)
at 
com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.error(ErrorHandlerWrapper.java:134)
at 
com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:437)
at 
com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:368)
at 
com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:325)
at 
com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(XMLSchemaValidator.java:458)
at 
com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.reportSchemaError(XMLSchemaValidator.java:3237)
at 
com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.processOneAttribute(XMLSchemaValidator.java:2832)
at 
com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.processAttributes(XMLSchemaValidator.java:2769)
at 
com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.handleStartElement(XMLSchemaValidator.java:2056)
at 
com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.startElement(XMLSchemaValidator.java:746)
at 
com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanStartElement(XMLNSDocumentScannerImpl.java:379)
at 
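
The cvc-datatype-valid.1.2.1 message means the schema validator inside the client's SAML 1.1 parser expected an NCName (the lexical space behind xsd:ID) where the response carries '27b0904a-b383-4325-8b62-997b606893cd'. An NCName has to begin with a letter or an underscore, and a UUID written as-is usually begins with a digit. The following is an added example, not from the thread and not CAS or client code: a small check you can run over a captured validation response to see which identifier attributes would fail that rule before upgrading a client. The response below is constructed in the shape of a SAML 1.1 response (the ResponseID is the value from the trace, the AssertionID is made up), and the regex is an ASCII-oriented approximation of the NCName production.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Approximation of the XML Namespaces NCName production: a letter or "_" first,
# then letters, digits, ".", "-" or "_"; no colon anywhere. Attributes typed
# xsd:ID must satisfy it, which is why a bare UUID is rejected when it starts
# with a digit.
NCNAME_RE = re.compile(r"^[^\W\d][\w.\-]*\Z")


def is_ncname(value: str) -> bool:
    return bool(NCNAME_RE.match(value))


def find_non_ncname_ids(saml_xml: str, suffixes=("ID",)) -> List[Tuple[str, str, str]]:
    """Walk a SAML response and list (element, attribute, value) for every
    attribute whose name ends in one of `suffixes` and is not an NCName.
    The suffix heuristic is ours: SAML 1.1 names its identifiers ResponseID
    and AssertionID."""
    findings = []
    root = ET.fromstring(saml_xml)
    for element in root.iter():
        tag = element.tag.split("}")[-1]            # drop the namespace URI
        for name, value in element.attrib.items():
            if name.endswith(suffixes) and not is_ncname(value):
                findings.append((tag, name, value))
    return findings


# Constructed sample in the shape of a SAML 1.1 validation response.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
              xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
              MajorVersion="1" MinorVersion="1"
              ResponseID="27b0904a-b383-4325-8b62-997b606893cd"
              IssueInstant="2018-08-03T12:00:00Z">
      <Status><StatusCode Value="samlp:Success"/></Status>
      <saml:Assertion AssertionID="_a1b2c3d4e5f6" MajorVersion="1" MinorVersion="1"
                      Issuer="localhost" IssueInstant="2018-08-03T12:00:00Z">
        <saml:AuthenticationStatement AuthenticationInstant="2018-08-03T12:00:00Z"
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
          <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
        </saml:AuthenticationStatement>
      </saml:Assertion>
    </Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""


if __name__ == "__main__":
    for element, attribute, value in find_non_ncname_ids(SAMPLE_RESPONSE):
        print(f"{element}/@{attribute} = {value!r} is not an NCName")
```

Feed it the XML body from a serviceValidate or samlValidate exchange captured on the client side; an empty list means the identifiers are not what the schema validator is complaining about.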

Re: [cas-user] Re: JSON Service Registry cas.serviceRegistry.config.location property setting ineffective after upgrading to CAS version 5.2

2018-04-22 Thread William E.
Your service provided in this thread:

"serviceId" : "^(https|imaps|http)://.*"

Will not match with a port specified.  Try instead:

"serviceId" : "^(https|imaps|http)://.*:8443/.*"

-W


On Saturday, April 21, 2018 at 8:44:17 PM UTC-5, IOTech Co., Ltd wrote:
>
> i have got error...please help me on this bug. Thanks
>
> Unauthorized Service Access. Service [https://cas01.example.org:8443/cas] 
> is not found in service registry.
>
> 2018-04-22 1:07 GMT+07:00 David Curry:
>
>> cas.serviceRegistry.json.location
>>
>>
>>
>> David A. Curry,  CISSP
>> Director of Information Security
>> The New School - Information Technology
>> 71 Fifth Ave., 9th Fl. ~ New York, NY 10003 
>> 
>> +1 212 229-5300 x4728 ~ david...@newschool.edu 
>> Sent from my phone; please excuse typos and inane auto-corrections.
>> 
>>
>> On Sat, Apr 21, 2018, 13:14 IOTech Co., Ltd wrote:
>>
>>> i has config as below...but it not work, please help me
>>>
>>>
>>> cas.serviceRegistry.location=file:/etc/cas/services
>>>
>>>
>>>
>>> 2018-04-21 20:59 GMT+07:00 David Curry:
>>>
 This was answered earlier in this thread. You have the wrong property 
 name. It changed between 5.1 and 5.2 to:

 cas.serviceRegistry.json.location: file:/etc/cas/services 

 If you're moving from one version to another, I strongly recommend 
 carefully reading the "ChangeLog" blog posts that Misagh writes for every 
 release candidate before you start. He's pretty good at documenting all 
 the 
 changes, especially the ones that might cause an older configuration to 
 break.

 Go here: https://github.com/apereo/cas/releases/tag/v5.2.0 and click 
 on "RC1," "RC2," "RC3," and "RC4" (the change above is documented in 
 "RC2").

 --Dave


 --

 DAVID A. CURRY, CISSP
 *DIRECTOR OF INFORMATION SECURITY*
 INFORMATION TECHNOLOGY

 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 
 
 +1 212 229-5300 x4728 • david.cu...@newschool.edu 

 [image: The New School]

 On Sat, Apr 21, 2018 at 9:26 AM, IOTech Co., Ltd  wrote:

> I updated my test server from CAS v5.1.4 to v5.2.0, and my 
> configuration is no longer reading my *.json files from my external file 
> location.
>
> Vào 20:24:46 UTC+7 Thứ Bảy, ngày 21 tháng 4 năm 2018, IOTech Co., Ltd 
> đã viết:
>
>> please help me :
>>
>> #
>> # Service Registry
>> #
>> cas.serviceRegistry.watcherEnabled=true
>> cas.serviceRegistry.repeatInterval=12
>> cas.serviceRegistry.startDelay=15000
>> cas.serviceRegistry.initFromJson=false
>> cas.serviceRegistry.config.location=file:/etc/cas/services
>>
>>
>> *serviceTicket ST-1-5b-doeKww5fM0PDeSvpMPGxk2ak-longtran
>> 200
>> 
>> 
>> admin
>> 
>> *
>>
>>
>>
>>
>> Vào 03:37:16 UTC+7 Thứ Ba, ngày 19 tháng 12 năm 2017, crdaudt đã viết:
>>>
>>> I updated my test server from CAS v5.1.4 to v5.2.0, and my 
>>> configuration is no longer reading my *.json files from my external file 
>>> location.  Here are my relevant property settings:
>>>
>>> #
>>> # Service Registry
>>> #
>>> cas.serviceRegistry.watcherEnabled=true
>>> cas.serviceRegistry.initFromJson=true
>>> cas.serviceRegistry.config.location=file:///etc/cas/services
>>>
>>> I have the following dependency set in pom.xml:
>>>
>>> <dependency>
>>>     <groupId>org.apereo.cas</groupId>
>>>     <artifactId>cas-server-support-json-service-registry</artifactId>
>>>     <version>${cas.version}</version>
>>> </dependency>
>>>
>>> The /etc/cas/services/ directory and json files within it are owned 
>>> by tomcat.
>>>
>>> Nevertheless, the only services loaded are the *.json files located 
>>> in classpath:/services.  On the other hand, if I redeploy the cas.war 
>>> file 
>>> for v5.1.4 and restart tomcat, my JSON files in /etc/cas/services are 
>>> loaded as I would expect.
>>>
>>> Any ideas?
>>>
>>> I have attached copies of my cas.log (with debug enabled), pom.xml, 
>>> and cas.properties.  Thanks in advance for any help with this.
>>>
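
A way to check which registered service a given URL resolves to, and to flag serviceId patterns that are broader than their author meant, as an added example that is not code from the thread or from CAS. The three service definitions are constructed (ids, names and evaluation orders are made up); the first two serviceId patterns are the ones quoted above. Matching is done find-style with `re.search`, which is an assumption about CAS's own matcher; with anchored patterns the result is the same under either reading.

```python
import re
from typing import Dict, List

# Constructed service definitions in the shape of CAS JSON service files.
SERVICES: List[Dict] = [
    {"@class": "org.apereo.cas.services.RegexRegisteredService", "id": 1,
     "name": "catch-all", "evaluationOrder": 100,
     "serviceId": "^(https|imaps|http)://.*"},
    {"@class": "org.apereo.cas.services.RegexRegisteredService", "id": 2,
     "name": "port-8443", "evaluationOrder": 10,
     "serviceId": "^(https|imaps|http)://.*:8443/.*"},
    {"@class": "org.apereo.cas.services.RegexRegisteredService", "id": 3,
     "name": "cas-mgmt", "evaluationOrder": 1,
     "serviceId": r"^https://cas01\.example\.org:8443/cas(/.*)?$"},
]


def matching_services(url: str, services: List[Dict] = SERVICES) -> List[str]:
    """Names of the services whose serviceId regex matches the URL, lowest
    evaluationOrder first (the order in which CAS consults them)."""
    ordered = sorted(services, key=lambda s: s.get("evaluationOrder", 0))
    return [s["name"] for s in ordered if re.search(s["serviceId"], url)]


def audit_pattern(pattern: str) -> List[str]:
    """Flag serviceId regexes that admit more services than intended."""
    findings = []
    if not pattern.startswith("^"):
        findings.append("unanchored start: the pattern can match inside a longer URL")
    after_scheme = pattern.split("://", 1)[1] if "://" in pattern else pattern
    host = after_scheme.split("/", 1)[0]
    if host.startswith(".*"):
        findings.append("any host accepted: a ticket would be released to whatever host "
                        "the service parameter names")
    # A '.' not preceded by a backslash and not a quantifier target is a wildcard.
    if re.search(r"(?<!\\)\.(?![*+?])", host):
        findings.append("unescaped '.' in host: it matches any character, so example.org "
                        "also admits exampleXorg")
    return findings


if __name__ == "__main__":
    print(matching_services("https://cas01.example.org:8443/cas"))
    for service in SERVICES:
        print(service["name"], audit_pattern(service["serviceId"]) or "ok")
```

The audit is a screening aid, not a proof: a pattern it passes can still be too broad for a given deployment, so the match listing, run against the exact service URLs your applications send, is the check that matters.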

[cas-user] Re: CAS JWT/JWK oddities

2018-04-19 Thread William E.
I feel ya...  :-)

My biggest concern at the moment, as others have posted about here as well, 
is the jwt is a url parameter when passed back to the client app.  I would 
much rather it be a header or cookie or post param or anything really 
because my concern is until the jwt expiration time anyone who has access 
to the apache logs, syslogs, etc. of the cas server or the server hosting 
the client app, or has access to the network logs, or sniff the traffic in 
some way, could grab that url parameter and masquerade as that user to the 
client app.

I'm looking at the cas source code in hopes that I can make this an 
option(and make a pull request) but being a non-spring java developer my 
head is currently exploding with all the spring/lombok/etc. "magic" I am 
having to learn.  Not to mention the large amount of highly modularized 
code.  It looks well written and well commented, it's just a lot to take 
in.  Importing it into eclipse created about a hundred or so source folders 
I am currently perusing.  Argh.



On Wednesday, April 18, 2018 at 7:21:43 AM UTC-5, Karl Banke wrote:
>
> Hello there,
>
> I am using CAS 5.2 and have spent a long time (which translates to a lot 
> of money) on getting JWT Service Tickets to work. 
>
> The CAS documentation states here 
>
>
> https://apereo.github.io/cas/5.2.x/installation/Configure-ServiceTicket-JWT.html
>  
> that this should be configured using the 
>
> jwtAsServiceTicket Property
>
> It also states here 
>
> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#jwt-tickets
>
> that the signing key is a JWK 
>
> My findings so far: 
>
> JWT service tickets do not work at all in CAS 5.2.0. They work in 5.2.4.
>
> But there are some weird "limitations" that I only figured out running CAS 
> inside my debugger. 
>
> (a) The property name is wrong. The property that actually leads to anything 
> happening is jwtAsResponse, as others have pointed out in this community.
>
> But even then I would like to sign my JWTs with a public RSA key in order 
> to allow Single Page Web Applications to validate the keys. 
>
> (b) When trying to read the private key, the code never looks for a JWK, 
> but - in PrivateKeyFactoryBean - tries to parse a PEM file.
> (c) Even if one is lucky enough to eventually have an RSA key inside the 
> privateKey by supplying a PEM file, you run into trouble because
> -- taataaa --
> the AbstractCipherExecutor calls a hardcoded method called 
> EncodingUtils.signJwsHMACSha512
> (d) If you chose not to encrypt the JWT payload, you may rest assured that 
> you get another problem, because someone chose to Base64 encode the payload 
> twice rather than once. 
>
>
> I have also considered using the OpenID Connect flow instead of the JWT 
> Service tokens, but since this is a much more complicated interface my 
> expectation is that its implementation is even more broken and its 
> documentation more inaccurate. 
>
> Sorry for the rant, but I am really about to lose patience with CAS that 
> used to be a very usable, well documented and extensible tool. 
>
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/fd5502dd-f0bc-46b4-bedb-942d162ab5ff%40apereo.org.
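
William's concern, that a JWT carried in a query string sits in every access log, proxy log and syslog until it expires, can be narrowed by scrubbing tokens before logs are stored or shipped. The following is an added example, not code from the thread or from CAS: it replaces anything shaped like a compact JWT or a CAS ticket in a log line with a short one-way fingerprint, so an incident can still be correlated across lines without keeping the credential itself. The log lines are constructed; the token in them is the base64url of `{"alg":"HS512"}`, `{"sub":"alice"}` and the word "signature", and the ticket id is the one quoted earlier in the thread.

```python
import hashlib
import re
from typing import List

# Shapes that should not reach a log in the clear: a JWS/JWE compact
# serialization (base64url segments joined by dots; the first segment of any
# JSON header starts with "eyJ"), and CAS ticket-granting, service and proxy
# tickets. "%" is allowed inside a segment because the token may be
# percent-encoded in a URL.
SECRET_SHAPES = [
    ("jwt", re.compile(r"eyJ[A-Za-z0-9_%\-]+(?:\.[A-Za-z0-9_%\-]+){1,4}")),
    ("ticket", re.compile(r"\b(?:TGT|ST|PT)-\d+-[A-Za-z0-9\-]+")),
]


def fingerprint(secret: str) -> str:
    """Short one-way handle: the same secret always maps to the same handle."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def redact_line(line: str) -> str:
    """Replace every secret-shaped substring with [label:fingerprint]."""
    for label, pattern in SECRET_SHAPES:
        line = pattern.sub(lambda m, label=label: f"[{label}:{fingerprint(m.group(0))}]", line)
    return line


def redact_lines(lines: List[str]) -> List[str]:
    return [redact_line(line) for line in lines]


# Constructed access-log lines in combined-log shape.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Apr/2018:10:15:01 -0500] "GET /app/?ticket='
    'eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl HTTP/1.1" 302 -',
    '10.0.0.5 - - [19/Apr/2018:10:15:02 -0500] "GET /cas/serviceValidate?ticket='
    'ST-1-5b-doeKww5fM0PDeSvpMPGxk2ak-longtran&service=https%3A%2F%2Fapp.example.org%2F HTTP/1.1" 200 1234',
    '10.0.0.5 - - [19/Apr/2018:10:15:03 -0500] "GET /app/?ticket='
    'eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl HTTP/1.1" 200 88',
]


if __name__ == "__main__":
    for line in redact_lines(SAMPLE_LOG):
        print(line)
```

Run this in the log pipeline (a Filebeat processor, a Logstash filter, or a syslog hook), not only at query time: once the raw line has been written to disk and replicated, the token is already wherever the logs are.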


[cas-user] Re: CAS 5.2 return JWT for service

2018-04-13 Thread William E.
Posting resolution in hopes it may help someone else out.

In cas 5.2 you are supposed to use the jwt property jwtAsServiceTicket but 
it looks like there may be a bug in cas where you need to use the 
(deprecated) jwtAsResponse instead.

"properties" : {
  "@class" : "java.util.HashMap",
  "jwtAsResponse" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
    "values" : [ "java.util.HashSet", [ "true" ] ]
  }
}



Additionally, my bad on this one from misunderstanding the cas documents: 
cas.authn.token.crypto.encryption.key and cas.authn.token.crypto.signing.key 
accept key values directly, not file paths to files containing the keys.  


Anyway, much thanks to Paul at Unicon for all his help.  Support money well 
spent.


-William


On Wednesday, April 11, 2018 at 5:40:16 PM UTC-5, William E. wrote:
>
> Hi all,
>
>
> I am trying to follow the CAS docs to configure a service to return jwt's 
> but not having much success. 
>
> Docs I am reading on this:
>
>  
> https://apereo.github.io/cas/5.2.x/installation/Configure-ServiceTicket-JWT.html
>  
>  https://apereo.github.io/2017/10/17/cas-jwt-authn-with-duo/ (JWT Service 
> Tickets portion)
>
>
> My cas.properties has:
>
> cas.authn.token.crypto.enabled=true
> cas.authn.token.crypto.encryptionEnabled=true
> cas.authn.token.crypto.signing.key=/etc/cas/config/token-signing.jwk
> cas.authn.token.crypto.signing.keySize=512
> cas.authn.token.crypto.encryption.key=/etc/cas/config/token-encryption.jwk
> cas.authn.token.crypto.encryption.keySize=256
> cas.authn.token.crypto.alg=AES
>
>
> jwk's generated per docs:
>
> wget https://raw.githubusercontent.com/apereo/cas/master/etc/jwk-gen.jar
> java -jar jwk-gen.jar -t oct -s 512 >/etc/cas/config/token-signing.jwk
> java -jar jwk-gen.jar -t oct -s 256 >/etc/cas/config/token-encryption.jwk
>
> $ file /etc/cas/config/token*
> /etc/cas/config/token-encryption.jwk: ASCII text
> /etc/cas/config/token-signing.jwk: ASCII text
>
>
> Using maven overlay, my pom.xml has the rest snippet:
>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-token-tickets</artifactId>
>     <version>${cas.version}</version>
> </dependency>
>
>
> My service has the jwt as ticket property:
>
> "properties" : {
>   "@class" : "java.util.LinkedHashMap",
>   "jwtAsServiceTicket" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>     "values" : [ "java.util.HashSet", [ "true" ] ]
>   }
> }
>
> In the CAS CLI I can generate a jwt that appears valid. But when I use my 
> service via web browser I see no header or cookie referencing a ticket with 
> JWT- prefix, nor a jwt formatted base64 string, I just see the normal ST- 
> ticket. I'm using a simple tomcat webapp wit cas client filters and 
> java-cas-client 3.5.0. 
>
> Anyone made JWT's work yet for cas 5.2.3?  Any idea what step I missed?
>
> Thanks,
> William
>
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d8e6b961-be8a-4018-8c1b-e5b8d28a0759%40apereo.org.


Re: [cas-user] Re: CAS 5.2 login with UPN removing domain

2018-04-12 Thread William E.
Try this:

cas.authn.ldap[0].principalAttributeList=uid,userprincipalname

Instead of this:

cas.authn.ldap[0].principalAttributeId=userprincipalname

-William



On Thursday, April 12, 2018 at 2:40:00 AM UTC-5, dag wrote:
>
> Thanks for your comment William.
>
>
> I've in cas.properties:
>
> cas.authn.ldap[0].userFilter=(|(uid={user})(userprincipalname={user}))
> cas.authn.ldap[0].principalAttributeId=userprincipalname
>
> It seems upn is not allowed in this version. Anyway, the filter it's not 
> working. I've to type user@domain to login yet :(
>
> Any other trick please?
>
>
> Regards.
>
>
> 2018-04-12 0:42 GMT+02:00 William E. <wre...@uah.edu>:
>
>> We use ldap and used an ldap filter on uid or'ed with upn.  Ldap search 
>> syntax.
>>
>> Like so:
>>
>> cas.authn.ldap[0].userFilter=(|(uid={user})(upn={user}))
>>
>>
>> -William
>>
>>
>>
>> On Wednesday, April 11, 2018 at 10:26:10 AM UTC-5, dag wrote:
>>>
>>> Hi all,
>>>
>>> I've configured Apereo CAS 5.2, and it's running fine using UPN.
>>> However is there any parameter to include in cas.properties config file 
>>> to allow authentication through UPN without typing the domain name?
>>>
>>> Thanks in advance.
>>>
>>>
>>> Regards.
>>>
>>
>
>



Re: [cas-user] CAS-Management - Bottle at the sea - Need advice or help

2018-04-12 Thread William E.
I see your pom.xml has the ldap module, but I do not see your ldap properties.  
Did I miss it?  Sorry if so.

The log makes me think cas is trying to do an ldap lookup and all of the 
properties it needs are not defined.  Do you have all of these in your 
cas.properties?

# Authentication
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://ldap.example.edu:636
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].baseDn=ou=People,dc=uah,dc=edu
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindDn=uid=cas,ou=people,dc=example,dc=edu
cas.authn.ldap[0].bindCredential=

# Attribute resolution
cas.authn.attributeRepository.ldap[0].order=0
cas.authn.attributeRepository.ldap[0].ldapUrl=ldaps://ldap.example.edu:636
cas.authn.attributeRepository.ldap[0].useSsl=true
cas.authn.attributeRepository.ldap[0].useStartTls=false
cas.authn.attributeRepository.ldap[0].baseDn=ou=People,dc=example,dc=edu
cas.authn.attributeRepository.ldap[0].bindDn=uid=cas,ou=People,dc=example,dc=edu
cas.authn.attributeRepository.ldap[0].bindCredential=
cas.authn.attributeRepository.ldap[0].userFilter=uid={user}
#
cas.authn.attributeRepository.ldap[0].attributes.uid=uid
cas.authn.attributeRepository.ldap[0].attributes.ou=ou
cas.authn.attributeRepository.ldap[0].attributes.o=o
cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
cas.authn.attributeRepository.ldap[0].attributes.cn=cn
cas.authn.attributeRepository.ldap[0].attributes.mail=mail
.


-W


On Thursday, April 12, 2018 at 3:32:55 AM UTC-5, Olivier Calzi wrote:
>
> Hi William,
>
> As I showed in my configuration in my first post, I have the same ldap 
> configuration in the management.properties and the cas.properties.
> What do you mean exactly?
>
> Thanks
>
> On Thursday, April 12, 2018 at 4:23:36 AM UTC+2, William E. wrote:
>>
>> This makes me think you have a bad ldap search filter in your .properties 
>> file, or maybe ldap support partially configured.
>>
>> Caused by: java.lang.NullPointerException
>> at 
>> org.apereo.cas.util.LdapUtils.lambda$newLdaptiveSearchFilter$2(LdapUtils.java:531)
>>  
>> ~[cas-server-support-ldap-core-5.2.2.jar:5.2.2]
>>
>>
>>
>> On Monday, April 9, 2018 at 2:05:47 AM UTC-5, Olivier Calzi wrote:
>>>
>>> Hi,
>>>
>>> No, as it's behind an haproxy I'm using 443.
>>>
>>> Here you will find more logs which may have the lost key to this problem.
>>>
>>>> 2018-04-09 08:54:00,851 ERROR 
>>>> [org.apereo.cas.mgmt.services.web.AbstractManagementController] - 
>>>> 
>>>> org.pac4j.core.exception.TechnicalException: 
>>>> java.lang.NullPointerException
>>>> at 
>>>> org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:168)
>>>>  
>>>> ~[pac4j-core-2.2.0.jar:?]
>>>> at 
>>>> org.pac4j.springframework.web.SecurityInterceptor.preHandle(SecurityInterceptor.java:65)
>>>>  
>>>> ~[spring-webmvc-pac4j-2.0.0.jar:?]
>>>> at 
>>>> org.springframework.web.servlet.HandlerExecutionChain.applyPreHandle(HandlerExecutionChain.java:133)
>>>>  
>>>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>> at 
>>>> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:962)
>>>>  
>>>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>> at 
>>>> org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>>>>  
>>>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>> at 
>>>> org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>>>  
>>>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>> at 
>>>> org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>>>  
>>>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:635) 
>>>> ~[servlet-api-3.1.jar:?]
>>>> at 
>>>> org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>>>  
>>>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) 
>>>> ~[servlet-api-3.1.jar:?]
>>>> at 
>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>>>  
>>>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]

Re: [cas-user] CAS-Management - Bottle at the sea - Need advice or help

2018-04-11 Thread William E.
This makes me think you have a bad ldap search filter in your .properties 
file, or maybe ldap support partially configured.

Caused by: java.lang.NullPointerException
at 
org.apereo.cas.util.LdapUtils.lambda$newLdaptiveSearchFilter$2(LdapUtils.java:531)
 
~[cas-server-support-ldap-core-5.2.2.jar:5.2.2]



On Monday, April 9, 2018 at 2:05:47 AM UTC-5, Olivier Calzi wrote:
>
> Hi,
>
> No, as it's behind an haproxy I'm using 443.
>
> Here you will find more logs which may have the lost key to this problem.
>
>> 2018-04-09 08:54:00,851 ERROR 
>> [org.apereo.cas.mgmt.services.web.AbstractManagementController] - 
>> 
>> org.pac4j.core.exception.TechnicalException: 
>> java.lang.NullPointerException
>> at 
>> org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:168)
>>  
>> ~[pac4j-core-2.2.0.jar:?]
>> at 
>> org.pac4j.springframework.web.SecurityInterceptor.preHandle(SecurityInterceptor.java:65)
>>  
>> ~[spring-webmvc-pac4j-2.0.0.jar:?]
>> at 
>> org.springframework.web.servlet.HandlerExecutionChain.applyPreHandle(HandlerExecutionChain.java:133)
>>  
>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at 
>> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:962)
>>  
>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at 
>> org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>>  
>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at 
>> org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>>  
>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at 
>> org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>>  
>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:635) 
>> ~[servlet-api-3.1.jar:?]
>> at 
>> org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>>  
>> ~[spring-webmvc-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) 
>> ~[servlet-api-3.1.jar:?]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) 
>> ~[tomcat8-websocket-8.5.14.jar:8.5.14]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.springframework.boot.web.filter.ApplicationContextHeaderFilter.doFilterInternal(ApplicationContextHeaderFilter.java:55)
>>  
>> ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
>> at 
>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>  
>> ~[spring-web-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:66)
>>  
>> ~[inspektr-common-1.8.0.GA.jar:1.8.0.GA]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:110)
>>  
>> ~[spring-boot-actuator-1.5.8.RELEASE.jar:1.5.8.RELEASE]
>> at 
>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>  
>> ~[spring-web-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>  
>> ~[tomcat8-catalina-8.5.14.jar:8.5.14]
>> at 
>> org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
>>  
>> ~[spring-web-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at 
>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>>  
>> 

[cas-user] Re: CAS 5.2 login with UPN removing domain

2018-04-11 Thread William E.
We use ldap and used an ldap filter on uid or'ed with upn.  Ldap search 
syntax.

Like so:

cas.authn.ldap[0].userFilter=(|(uid={user})(upn={user}))


-William



On Wednesday, April 11, 2018 at 10:26:10 AM UTC-5, dag wrote:
>
> Hi all,
>
> I've configured Apereo CAS 5.2, and it's running fine using UPN.
> However is there any parameter to include in cas.properties config file to 
> allow authentication through UPN without typing the domain name?
>
> Thanks in advance.
>
>
> Regards.
>



[cas-user] CAS 5.2 return JWT for service

2018-04-11 Thread William E.
Hi all,


I am trying to follow the CAS docs to configure a service to return jwt's 
but not having much success. 

Docs I am reading on this:

https://apereo.github.io/cas/5.2.x/installation/Configure-ServiceTicket-JWT.html
https://apereo.github.io/2017/10/17/cas-jwt-authn-with-duo/ (JWT Service 
Tickets portion)


My cas.properties has:

cas.authn.token.crypto.enabled=true
cas.authn.token.crypto.encryptionEnabled=true
cas.authn.token.crypto.signing.key=/etc/cas/config/token-signing.jwk
cas.authn.token.crypto.signing.keySize=512
cas.authn.token.crypto.encryption.key=/etc/cas/config/token-encryption.jwk
cas.authn.token.crypto.encryption.keySize=256
cas.authn.token.crypto.alg=AES


jwk's generated per docs:

wget https://raw.githubusercontent.com/apereo/cas/master/etc/jwk-gen.jar
java -jar jwk-gen.jar -t oct -s 512 >/etc/cas/config/token-signing.jwk
java -jar jwk-gen.jar -t oct -s 256 >/etc/cas/config/token-encryption.jwk

$ file /etc/cas/config/token*
/etc/cas/config/token-encryption.jwk: ASCII text
/etc/cas/config/token-signing.jwk: ASCII text


Using maven overlay, my pom.xml has the rest snippet:


<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-token-tickets</artifactId>
    <version>${cas.version}</version>
</dependency>


My service has the jwt as ticket property:

properties:
{
@class: java.util.LinkedHashMap
jwtAsServiceTicket:
{
@class: org.apereo.cas.services.DefaultRegisteredServiceProperty
values:
[
java.util.HashSet
[
"true"
]
]
}
}

In the CAS CLI I can generate a jwt that appears valid. But when I use my 
service via web browser I see no header or cookie referencing a ticket with 
JWT- prefix, nor a jwt formatted base64 string, I just see the normal ST- 
ticket. I'm using a simple tomcat webapp with cas client filters and 
java-cas-client 3.5.0. 

Anyone made JWT's work yet for cas 5.2.3?  Any idea what step I missed?

Thanks,
William


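An added example, not part of this thread and not code from the CAS project, showing what the octet JWKs generated above with `jwk-gen.jar -t oct -s 512` and `-s 256` look like and how a symmetric key of that kind is used: a random `{"kty":"oct","k":...}` key is produced, its length is checked against the `keySize` values from the `cas.authn.token.crypto.*` properties, and a token is HMAC-SHA512 signed and verified with it. The JWK file layout is assumed from RFC 7517 rather than taken from jwk-gen's source, and the JWS built here is a plain signed token, not CAS's own service-ticket format (which, per the properties above, also has encryption enabled). `load_jwk`, `check_jwk_size`, `sign_hs512` and `verify_hs512` are names chosen for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_oct_jwk(bits: int) -> dict:
    """Random symmetric key as an octet JWK (assumed shape of `jwk-gen.jar -t oct -s <bits>` output)."""
    if bits <= 0 or bits % 8:
        raise ValueError("key size must be a positive multiple of 8 bits")
    return {"kty": "oct", "k": b64url_encode(secrets.token_bytes(bits // 8))}


def load_jwk(path: str) -> dict:
    """Read a JWK JSON file such as /etc/cas/config/token-signing.jwk."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def jwk_key_bits(jwk: dict) -> int:
    if jwk.get("kty") != "oct":
        raise ValueError("expected an octet (symmetric) JWK")
    return len(b64url_decode(jwk["k"])) * 8


def check_jwk_size(jwk: dict, expected_bits: int) -> bool:
    """Pre-start sanity check: does the key file match the configured keySize?"""
    return jwk_key_bits(jwk) == expected_bits


def _json_b64(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs512(claims: dict, jwk: dict) -> str:
    """Compact JWS over the claims using HMAC-SHA512 with the octet key."""
    signing_input = _json_b64({"alg": "HS512", "typ": "JWT"}) + "." + _json_b64(claims)
    mac = hmac.new(b64url_decode(jwk["k"]), signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs512(token: str, jwk: dict) -> Optional[dict]:
    """Return the claims only if the header pins HS512 and the MAC verifies; None otherwise.

    The expected algorithm is fixed by the verifier, so a token claiming "alg": "none"
    or any other algorithm is rejected before any MAC comparison happens."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS512":
        return None
    expected = hmac.new(b64url_decode(jwk["k"]),
                        (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    signing = generate_oct_jwk(512)      # matches cas.authn.token.crypto.signing.keySize=512
    print("signing key is 512 bits:", check_jwk_size(signing, 512))
    tok = sign_hs512({"sub": "jdoe", "aud": "https://app.example.edu/"}, signing)
    print("verified claims:", verify_hs512(tok, signing))
```

Running `check_jwk_size` against both key files before starting CAS catches a file that does not match its `keySize` property. In `verify_hs512` the algorithm comes from the verifier, not from the token header, which is why a tampered payload, a foreign key and an `alg: none` header all yield `None`.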


Re: [cas-user] java 1.62 - JCE Unlimited Strength Jurisdiction Policy

2018-04-10 Thread William E.
I think I've resolved it and it appears to be unrelated to the JCE libs.  
Using jdk 1.8.162 as-is, with #crypto.policy=unlimited commented out as 
delivered.

I was using cas-management to add the jwt properties and added one too 
many.  When my service has the below, it works without jce error:

.
  properties:
  {
@class: java.util.LinkedHashMap
jwtAsServiceTicket:
{
  @class: org.apereo.cas.services.DefaultRegisteredServiceProperty
  values:
  [
java.util.HashSet
[
  "true"
]
  ]
}
  }


But when it has these two entries, it fails with jce error which was 
apparently a JCE red herring.

  properties:
  {
@class: java.util.LinkedHashMap
jwtAsServiceTicket:
{
  @class: org.apereo.cas.services.DefaultRegisteredServiceProperty
  values:
  [
java.util.HashSet
[
  "true"
]
  ]
}
jwtAsResponse:
{
  @class: org.apereo.cas.services.DefaultRegisteredServiceProperty
  values:
  [
java.util.HashSet
[
  "true"
]
  ]
}
  }



On Tuesday, April 10, 2018 at 10:05:14 AM UTC-5, William E. wrote:
>
> Hi Mike,
>
> Thanks for replying.  
>
> 1. Cas startup says "JCE Installed: Yes " but fails to find AES??
>
> 2. Isn't unlimited the default and verified by the jsunscript test?
>
> From the 1.8.162 java.security file you reference:
>
> # Cryptographic Jurisdiction Policy defaults
> #
> # Import and export control rules on cryptographic software vary from
> # country to country.  By default, the JDK provides two different sets of
> # cryptographic policy files:
> #
> # unlimited:  These policy files contain no restrictions on 
> cryptographic
> # strengths or algorithms.
> #
> # limited:These policy files contain more restricted cryptographic
> # strengths, and are still available if your country or
> # usage requires the traditional restrictive policy.
> #
> # The JDK JCE framework uses the unlimited policy files by default.
> # However the user may explicitly choose a set either by defining the
> # "crypto.policy" Security property or by installing valid JCE policy
> # jar files into the traditional JDK installation location.  To better
> # support older JDK Update releases, the "crypto.policy" property is not
> # defined by default.  See below for more information.
> #
> # The following logic determines which policy files are used:
> #
> #  refers to the directory where the JRE was
> # installed and may be determined using the "java.home"
> # System property.
> #
> # 1.  If the Security property "crypto.policy" has been defined,
> # then the following mechanism is used:
> #
> # The policy files are stored as jar files in subdirectories of
> # /lib/security/policy.  Each directory contains a complete
> # set of policy files.
> #
> # The "crypto.policy" Security property controls the directory
> # selection, and thus the effective cryptographic policy.
> #
> # The default set of directories is:
> #
> # limited | unlimited
> #
> # 2.  If the "crypto.policy" property is not set and the traditional
> # US_export_policy.jar and local_policy.jar files
> # (e.g. limited/unlimited) are found in the legacy
> # /lib/security directory, then the rules embedded within
> # those jar files will be used. This helps preserve compatibility
> # for users upgrading from an older installation.
> #
> # 3.  If the jar files are not present in the legacy location
> # and the "crypto.policy" Security property is not defined,
> # then the JDK will use the unlimited settings (equivalent to
> # crypto.policy=unlimited)
> #
> # Please see the JCA documentation for additional information on these
> # files and formats.
> #
> # YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
> # TO DETERMINE THE EXACT REQUIREMENTS.
> #
> # Please note that the JCE for Java SE, including the JCE framework,
> # cryptographic policy files, and standard JCE providers provided with
> # the Java SE, have been reviewed and approved for export as mass market
> # encryption item by the US Bureau of Industry and Security.
> #
> # Note: This property is currently used by the JDK Reference 
> implementation.
> # It is not guaranteed to be examined and used by other implementations.
> #
> #crypto.policy=unlimited
>
>
>
> # pwd; find .
> /usr/java/jdk1.8.0_162/jre/lib/security
> .
> ./cacerts
> ./javaws.policy
> ./trusted.libraries
> ./java.security
&

Re: [cas-user] java 1.62 - JCE Unlimited Strength Jurisdiction Policy

2018-04-10 Thread William E.
Hi Mike,

Thanks for replying.  

1. Cas startup says "JCE Installed: Yes " but fails to find AES??

2. Isn't unlimited the default and verified by the jsunscript test?

From the 1.8.162 java.security file you reference:

# Cryptographic Jurisdiction Policy defaults
#
# Import and export control rules on cryptographic software vary from
# country to country.  By default, the JDK provides two different sets of
# cryptographic policy files:
#
# unlimited:  These policy files contain no restrictions on 
cryptographic
# strengths or algorithms.
#
# limited:These policy files contain more restricted cryptographic
# strengths, and are still available if your country or
# usage requires the traditional restrictive policy.
#
# The JDK JCE framework uses the unlimited policy files by default.
# However the user may explicitly choose a set either by defining the
# "crypto.policy" Security property or by installing valid JCE policy
# jar files into the traditional JDK installation location.  To better
# support older JDK Update releases, the "crypto.policy" property is not
# defined by default.  See below for more information.
#
# The following logic determines which policy files are used:
#
#  refers to the directory where the JRE was
# installed and may be determined using the "java.home"
# System property.
#
# 1.  If the Security property "crypto.policy" has been defined,
# then the following mechanism is used:
#
# The policy files are stored as jar files in subdirectories of
# /lib/security/policy.  Each directory contains a complete
# set of policy files.
#
# The "crypto.policy" Security property controls the directory
# selection, and thus the effective cryptographic policy.
#
# The default set of directories is:
#
# limited | unlimited
#
# 2.  If the "crypto.policy" property is not set and the traditional
# US_export_policy.jar and local_policy.jar files
# (e.g. limited/unlimited) are found in the legacy
# /lib/security directory, then the rules embedded within
# those jar files will be used. This helps preserve compatibility
# for users upgrading from an older installation.
#
# 3.  If the jar files are not present in the legacy location
# and the "crypto.policy" Security property is not defined,
# then the JDK will use the unlimited settings (equivalent to
# crypto.policy=unlimited)
#
# Please see the JCA documentation for additional information on these
# files and formats.
#
# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
# TO DETERMINE THE EXACT REQUIREMENTS.
#
# Please note that the JCE for Java SE, including the JCE framework,
# cryptographic policy files, and standard JCE providers provided with
# the Java SE, have been reviewed and approved for export as mass market
# encryption item by the US Bureau of Industry and Security.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
#crypto.policy=unlimited



# pwd; find .
/usr/java/jdk1.8.0_162/jre/lib/security
.
./cacerts
./javaws.policy
./trusted.libraries
./java.security
./blacklisted.certs
./java.policy
./blacklist
./policy
./policy/limited
./policy/limited/US_export_policy.jar
./policy/limited/local_policy.jar
./policy/unlimited
./policy/unlimited/US_export_policy.jar
./policy/unlimited/local_policy.jar



-William


On Tuesday, April 10, 2018 at 9:45:41 AM UTC-5, Michael A Grady wrote:
>
> The easiest way to get the latest versions of Java to use unlimited 
> strength algorithms is to:
>
>  Modify the file (within the Java directory):
>
>   jre/lib/security/java.security 
>
>  change the commented out property, near the end of the file:
>
>   #crypto.policy=unlimited
>
> by simply removing the comment marker:
>
>   crypto.policy=unlimited
>
> On Apr 10, 2018, at 8:58 AM, William E. <wre...@uah.edu > 
> wrote:
>
> Has anyone run into a problem with the JCE files on newer JDK's?  It is my 
> understanding that jdk 1.8.161 and later includes the jce unlimited 
> cryptography libs by default, and command line testing seems to confirm 
> this, but CAS 5.2.3 fails with the following:
>
> Caused by: java.lang.RuntimeException: Is JCE Unlimited Strength 
> Jurisdiction Policy installed? AES is an unknown, unsupported or 
> unavailable enc algorithm (not one of [A128CBC-HS256, A192CBC-HS384, 
> A256CBC-HS512, A128GCM, A192GCM, A256GCM]).
>
> CAS startup shows the correct JDK is being used and JCE is present:
>
> CAS Version: 5.2.3 
> CAS Commit Id: 14850a4ef16ef32ce6390f62fda566fdb8fa3948 
> CAS Build Date/Time: 2018-03-07T20:08:12Z 
> Spring Boot Version: 1.5.8.RELEASE 
> -

[cas-user] Re: The CAS management webapp is unavailable. NPE ERROR [org.apereo.cas.mgmt.services.web.AbstractManagementController] - java.lang.NullPointerException

2018-04-10 Thread William E.
Just guessing here, but I think I would first try trimming down the 
principal list values from:

cas.authn.ldap[0].principalAttributeList=sn:familyName,cn:casId,givenName,mail,memberOf,xxxUID

To maybe:

cas.authn.ldap[0].principalAttributeList=cn,xxxUID

Things that always exist in every ldap record.  My theory is one or more is 
null and throwing the NPE.

If that's not it, I would simplify my properties line by line restarting 
cas-management app each time until the NPE goes away.  Painful, I know, but 
other than reading the source code or paying a vendor like Unicon for 
support, not sure what else to try.

Good luck.

-William




On Tuesday, October 31, 2017 at 5:18:12 AM UTC-5, Krzysztof Kluczynski 
wrote:
>
> Hi,
>
> I am getting an NPE  
> [org.apereo.cas.mgmt.services.web.AbstractManagementController] - 
> java.lang.NullPointerException after a successful login to the CAS 
> management webapp.
>
> Both CAS and the CAS management webapp are configured to use LDAP.
>
> I am using the following versions :
>
> cas-services-management-overlay 5.2.0-SNAPSHOT
> cas-server 5.2.0-RC4
>
> *Configuration files*
>
> *management.properties*
>
>
> #cas.server.prefix: https://jasigcas.herokuapp.com/cas
> cas.server.name:https://xxx.xxx.org
> cas.server.prefix:https://xxx.xxx.org/sso
>
> cas.mgmt.adminRoles=ROLE_ADMIN
> cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties
>
> # Update this URL to point at server running this management app
> cas.mgmt.serverName:https://xxx.xxx.org
>
> server.context-path=/cas-management
> server.port=8443
>
> spring.thymeleaf.mode=HTML
> logging.config=file:/etc/cas/config/log4j2-management.xml
>
>
> cas.authn.attributeRepository.defaultAttributesToRelease=sn,cn,givenName,mail,memberOf,xxxUID
> cas.personDirectory.principalAttribute=mail
> cas.personDirectory.returnNull=false
> cas.personDirectory.principalResolutionFailureFatal=false
>
>
> cas.mgmt.ldap.baseDn=ou=cas,ou=system,dc=xxx,dc=net
> cas.mgmt.ldap.ldapUrl=ldaps://xxx.xxx.org/
> cas.mgmt.ldap.connectionStrategy=ACTIVE_PASSIVE
> cas.mgmt.ldap.userFilter=mail={user}
> cas.mgmt.ldap.bindDn=cn=admin,dc=xxx,dc=net
> cas.mgmt.ldap.bindCredential=password
>
> cas.serviceRegistry.ldap.serviceDefinitionAttribute=casServiceDescription
> cas.serviceRegistry.ldap.idAttribute=cn
> cas.serviceRegistry.ldap.objectClass=casRegisteredService
> cas.serviceRegistry.ldap.ldapUrl=ldaps://xxx.xxx.org/
> cas.serviceRegistry.ldap.connectionStrategy=ACTIVE_PASSIVE
> cas.serviceRegistry.ldap.baseDn=ou=cas,ou=system,dc=xxx,dc=net
> cas.serviceRegistry.ldap.bindDn=cn=admin,dc=xxx,dc=net
> cas.serviceRegistry.ldap.bindCredential=password
>
> cas.properties
>
> #cas.server.name: https://cas.example.org:8443
> #cas.server.prefix: https://cas.example.org:8443/cas
>
> cas.server.name:https://xxx.xxx.org
> cas.server.prefix:https://xxx.xxx.org/sso
>
> cas.tgc.crypto.encryption.key=key
> cas.tgc.crypto.signing.key=signingkey
>
> cas.webflow.crypto.encryption.key=encrkey
> cas.webflow.crypto.signing.key=signingkey
>
> cas.logout.followServiceRedirects=true
> cas.logout.redirectParameter=service
>
> cas.adminPagesSecurity.ip=127\.0\.0\.1
> cas.monitor.endpoints.enabled=true
> cas.monitor.endpoints.sensitive=false
> cas.adminPagesSecurity.loginUrl=https://xxx.xxx.org/sso/login
> cas.adminPagesSecurity.service=https://xxx.xxx.org/sso/status/dashboard
> cas.adminPagesSecurity.users=file:/etc/cas/config/adminusers.properties
> cas.adminPagesSecurity.adminRoles[0]=ROLE_ADMIN
> cas.adminPagesSecurity.actuatorEndpointsEnabled=true
>
> logging.config: file:/etc/cas/config/log4j2.xml
>
> cas.authn.accept.users=
> cas.authn.ldap[0].type=AUTHENTICATED
>
> cas.authn.ldap[0].ldapUrl=ldaps://xxx.xxx.org/
> cas.authn.ldap[0].connectionStrategy=ACTIVE_PASSIVE
> cas.authn.ldap[0].baseDn=dc=xxx,dc=net
> cas.authn.ldap[0].userFilter=mail={user}
> cas.authn.ldap[0].bindDn=cn=admin,dc=xxx,dc=net
> cas.authn.ldap[0].bindCredential=credential
>
> cas.authn.ldap[0].dnFormat=cn=%s,ou=users,ou=people,dc=xxx,dc=net
> cas.authn.ldap[0].principalAttributeId=xxxUID
> cas.authn.attributeRepository.ldap[0].attributes.sn=sn
> cas.authn.attributeRepository.ldap[0].attributes.cn=cn
> cas.authn.attributeRepository.ldap[0].attributes.givenName=givenName
> cas.authn.attributeRepository.ldap[0].attributes.mail=mail
> cas.authn.attributeRepository.ldap[0].attributes.memberOf=memberOf
> cas.authn.attributeRepository.ldap[0].attributes.xxxUID=xxxUID
>
>
> cas.authn.ldap[0].principalAttributeList=sn:familyName,cn:casId,givenName,mail,memberOf,xxxUID
>
>
> cas.authn.attributeRepository.attributes.

Re: [cas-user] Help with LDAP auth

2018-03-14 Thread William E.
We grab the memberof attribute in the user record. Note it's multivalued.


On Tuesday, March 13, 2018 at 1:28:43 PM UTC-5, Марат Бралиев wrote:
>
> What is the best practice to check membership of a specific group? Check in the 
> LDAP search query, or use some CAS (or ldaptive) handler and check group 
> membership after a simple search? Does CAS support such a handler?

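An added example, not code from CAS, ldaptive or any poster, covering two things from the threads above: what the `userFilter` template `(|(uid={user})(userprincipalname={user}))` from the UPN thread does once `{user}` is filled in, and the multi-valued `memberOf` check William mentions in the reply just above. The login is substituted after RFC 4515 escaping, the resulting filter is evaluated against a constructed in-memory directory, and group membership is decided by exact DN comparison over all `memberof` values. The directory entries, the group DNs and the small filter evaluator (equality, `|` and `&` only, no wildcards or substring matching) are assumptions made for the demonstration; a real deployment hands the filter to the LDAP server, and the escaping step is there to show why the submitted login must be treated as data rather than as filter syntax.

```python
import re
from typing import Dict, List

# Constructed sample directory. Every attribute is a list because LDAP attributes
# are multi-valued; memberOf in particular usually carries several group DNs.
Entry = Dict[str, List[str]]
DIRECTORY: List[Entry] = [
    {"uid": ["jdoe"],
     "userprincipalname": ["jdoe@example.edu"],
     "memberof": ["cn=cas-admins,ou=groups,dc=example,dc=edu",
                  "cn=staff,ou=groups,dc=example,dc=edu"]},
    {"uid": ["asmith"],
     "userprincipalname": ["asmith@example.edu"],
     "memberof": ["cn=staff,ou=groups,dc=example,dc=edu"]},
]

# The userFilter template from the thread; {user} is replaced with the submitted login.
USER_FILTER = "(|(uid={user})(userprincipalname={user}))"


def escape_filter_value(value: str) -> str:
    """Escape a value per RFC 4515 so it cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def render_user_filter(template: str, login: str) -> str:
    """Substitute the escaped login for every {user} placeholder."""
    return template.replace("{user}", escape_filter_value(login))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int):
    """Recursive-descent parser for the subset (attr=value), (|...) and (&...)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "|&":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, children), i + 1
    j = s.index(")", i)  # escaped parens appear as \28 / \29, so a raw ')' ends the item
    attr, _, raw = s[i:j].partition("=")
    return ("=", attr.lower(), _unescape(raw)), j + 1


def parse_filter(s: str):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry; values compare case-insensitively, no wildcards."""
    if node[0] == "=":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    op, children = node
    if op == "&":
        return all(matches(c, entry) for c in children)
    return any(matches(c, entry) for c in children)


def find_users(directory: List[Entry], template: str, login: str) -> List[Entry]:
    """Entries the rendered filter would return for this login."""
    node = parse_filter(render_user_filter(template, login))
    return [e for e in directory if matches(node, e)]


def normalize_dn(dn: str) -> str:
    return ",".join(part.strip() for part in dn.split(",")).lower()


def is_member(entry: Entry, group_dn: str) -> bool:
    """Group check on the multi-valued memberOf attribute: exact DN match, never a substring test."""
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(v) == wanted for v in entry.get("memberof", []))


if __name__ == "__main__":
    for login in ("jdoe", "jdoe@example.edu", "*"):
        hits = find_users(DIRECTORY, USER_FILTER, login)
        print(login, "->", render_user_filter(USER_FILTER, login), "->", [e["uid"][0] for e in hits])
```

With the OR filter, both the bare `uid` and the full UPN resolve to the same entry, which is the behaviour the UPN thread was after. The `*` and `)(` cases show the value of escaping: the rendered filter still matches nothing unexpected. `is_member` compares whole DNs, so a group named `cas-admins-old` does not satisfy a check for `cas-admins`.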


Re: [cas-user] CAS PM JDBC 5.1.5 double query

2018-02-26 Thread William Jojo
Manfredo,

Hibernate is not posting to my logs. Turned on cas.jdbc.showSql and 
cas.jdbc.genDdl. Also added org.hibernate, org.hibernate.SQL and 
org.hibernate.type.descriptor.sql to the log4j2.xml for both debug and 
trace. Nothing.

This is built using Maven and our own Tomcat server.

Bill

On Saturday, February 24, 2018 at 3:28:23 PM UTC-5, Manfredo Hopp wrote:
>
> Send the same with hibernate debug
>
> El sábado, 24 de febrero de 2018, William Jojo <joj...@gmail.com 
> > escribió:
>
>> My question is very simple. Why on Earth are there two separate calls for 
>> validating PM questions? There is a query to get the question(s) followed 
>> by what seems like another query to get the answer(s). The format requires 
>> the query to be in the form of:
>>
>> select question, answer from table name where user=?
>>
>> Fine. But if you are trying to randomly select a question with say a view 
>> or procedure, the functionality is effectively broken because you cannot 
>> guarantee the question/answer pair will match. See below:
>>
>> 2018-02-24 12:26:56,529 DEBUG 
>> [org.springframework.jdbc.datasource.DataSourceUtils] - > Connection from DataSource>
>> 2018-02-24 12:26:56,546 TRACE 
>> [org.springframework.jdbc.core.StatementCreatorUtils] - > statement parameter value: column index 1, parameter value [THEUSER], value 
>> class [java.lang.String], SQL type unknown>
>> 2018-02-24 12:26:56,562 DEBUG 
>> [org.springframework.jdbc.datasource.DataSourceUtils] - > Connection to DataSource>
>> 2018-02-24 12:26:56,563 DEBUG 
>> [org.apereo.cas.pm.jdbc.JdbcPasswordManagementService] - > security questions for [THEUSER]>
>>
>> 2018-02-24 12:26:59,489 DEBUG 
>> [org.springframework.jdbc.core.JdbcTemplate] - > query>
>> 2018-02-24 12:26:59,490 DEBUG 
>> [org.springframework.jdbc.core.JdbcTemplate] - > statement [SELECT question,answer from GENERAL.vTestQA where userid=?]>
>> 2018-02-24 12:26:59,490 DEBUG 
>> [org.springframework.jdbc.datasource.DataSourceUtils] - > Connection from DataSource>
>> 2018-02-24 12:26:59,506 TRACE 
>> [org.springframework.jdbc.core.StatementCreatorUtils] - > statement parameter value: column index 1, parameter value [THEUSER], value 
>> class [java.lang.String], SQL type unknown>
>> 2018-02-24 12:26:59,523 DEBUG 
>> [org.springframework.jdbc.datasource.DataSourceUtils] - > Connection to DataSource>
>> 2018-02-24 12:26:59,523 DEBUG 
>> [org.apereo.cas.pm.jdbc.JdbcPasswordManagementService] - > security questions for [THEUSER]>
>>
>>
>> There is also the concern that the database is not required to return the 
>> values in the same order every time.
>>
>> Bill
>>
>>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/32e639e7-28d9-436e-a744-416287d15489%40apereo.org.


[cas-user] CAS PM JDBC 5.1.5 double query

2018-02-24 Thread William Jojo
My question is very simple. Why on Earth are there two separate calls for 
validating PM questions? There is a query to get the question(s) followed 
by what seems like another query to get the answer(s). The format requires 
the query to be in the form of:

select question, answer from table name where user=?

Fine. But if you are trying to randomly select a question with say a view 
or procedure, the functionality is effectively broken because you cannot 
guarantee the question/answer pair will match. See below:

2018-02-24 12:26:56,529 DEBUG [org.springframework.jdbc.datasource.DataSourceUtils] - <Fetching JDBC Connection from DataSource>
2018-02-24 12:26:56,546 TRACE [org.springframework.jdbc.core.StatementCreatorUtils] - <Setting SQL statement parameter value: column index 1, parameter value [THEUSER], value class [java.lang.String], SQL type unknown>
2018-02-24 12:26:56,562 DEBUG [org.springframework.jdbc.datasource.DataSourceUtils] - <Returning JDBC Connection to DataSource>
2018-02-24 12:26:56,563 DEBUG [org.apereo.cas.pm.jdbc.JdbcPasswordManagementService] - <... security questions for [THEUSER]>

2018-02-24 12:26:59,489 DEBUG [org.springframework.jdbc.core.JdbcTemplate] - <Executing prepared SQL query>
2018-02-24 12:26:59,490 DEBUG [org.springframework.jdbc.core.JdbcTemplate] - <Executing prepared SQL statement [SELECT question,answer from GENERAL.vTestQA where userid=?]>
2018-02-24 12:26:59,490 DEBUG [org.springframework.jdbc.datasource.DataSourceUtils] - <Fetching JDBC Connection from DataSource>
2018-02-24 12:26:59,506 TRACE [org.springframework.jdbc.core.StatementCreatorUtils] - <Setting SQL statement parameter value: column index 1, parameter value [THEUSER], value class [java.lang.String], SQL type unknown>
2018-02-24 12:26:59,523 DEBUG [org.springframework.jdbc.datasource.DataSourceUtils] - <Returning JDBC Connection to DataSource>
2018-02-24 12:26:59,523 DEBUG [org.apereo.cas.pm.jdbc.JdbcPasswordManagementService] - <... security questions for [THEUSER]>


There is also the concern that the database is not required to return the 
values in the same order every time.

Bill

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6a6e6fab-f5c3-4c98-8a92-72079c0cc412%40apereo.org.
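The mismatch Bill describes, as an added example that is not CAS code and not part of the original post: a Python/sqlite3 model of a source that hands back a random row on every call. two_query_flow() reproduces the two-call pattern (one query picks the question to display, a later independent query picks the answer that gets checked), while single_query_flow() fetches each question/answer pair once, in a deterministic order, and keeps the pair together for the verification step. The table, the user THEUSER, the sample questions and the PBKDF2 answer hashing are all constructed for the demo.

```python
import hashlib
import hmac
import random
import sqlite3

# Constructed sample data: one user with three enrolled question/answer pairs.
SAMPLE_ROWS = [
    ("THEUSER", "First pet's name?", "rex"),
    ("THEUSER", "City of birth?", "troy"),
    ("THEUSER", "Mother's maiden name?", "smith"),
]


def hash_answer(answer: str, salt: bytes = b"demo-salt") -> str:
    """Normalise case/whitespace and hash, so the table never holds answers in clear.
    PBKDF2 with a fixed demo salt is this example's assumption, not what CAS does."""
    norm = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 10_000).hex()


def open_store() -> sqlite3.Connection:
    """In-memory table shaped the way the CAS query expects: question and answer per user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE security_qa (userid TEXT, question TEXT, answer TEXT)")
    conn.executemany(
        "INSERT INTO security_qa VALUES (?, ?, ?)",
        [(u, q, hash_answer(a)) for u, q, a in SAMPLE_ROWS],
    )
    return conn


def random_row(conn, userid, rng):
    """Models a view or procedure that returns ONE randomly chosen row per call."""
    rows = conn.execute(
        "SELECT question, answer FROM security_qa WHERE userid = ?", (userid,)
    ).fetchall()
    return rng.choice(rows)


def two_query_flow(conn, userid, rng):
    """The two-call pattern: one query picks the question to display, and a later,
    independent query picks the answer that gets checked."""
    shown_question, _ = random_row(conn, userid, rng)
    _, answer_checked = random_row(conn, userid, rng)
    return shown_question, answer_checked


def single_query_flow(conn, userid, rng=None):
    """Fetch every (question, answer) pair once, in a deterministic order, choose one
    pair, and keep the pair together (e.g. in the session) for the verification step."""
    if rng is None:
        rng = random.SystemRandom()
    rows = conn.execute(
        "SELECT question, answer FROM security_qa WHERE userid = ? ORDER BY question",
        (userid,),
    ).fetchall()
    if not rows:
        return None
    question, answer_hash = rng.choice(rows)
    return {"question": question, "answer": answer_hash}


def verify(challenge, submitted_answer: str) -> bool:
    """Check the submitted answer against the hash that travelled with the question."""
    return hmac.compare_digest(challenge["answer"], hash_answer(submitted_answer))


def two_query_mismatches(trials: int = 100, seed: int = 1) -> int:
    """Rounds in which the question shown and the answer checked come from different rows."""
    conn, rng = open_store(), random.Random(seed)
    expected = {q: hash_answer(a) for _, q, a in SAMPLE_ROWS}
    bad = 0
    for _ in range(trials):
        shown, checked = two_query_flow(conn, "THEUSER", rng)
        if expected[shown] != checked:
            bad += 1
    return bad


def single_query_mismatches(trials: int = 100, seed: int = 1) -> int:
    """Same count for the keyed flow: the correct answer must verify every time."""
    conn, rng = open_store(), random.Random(seed)
    correct = {q: a for _, q, a in SAMPLE_ROWS}
    bad = 0
    for _ in range(trials):
        challenge = single_query_flow(conn, "THEUSER", rng)
        if not verify(challenge, correct[challenge["question"]]):
            bad += 1
    return bad


if __name__ == "__main__":
    print("two-query flow, mismatched pairs:", two_query_mismatches())
    print("single-query flow, mismatched pairs:", single_query_mismatches())
```

The keyed flow also covers the second concern in the post: because the pair is selected once and the later check is keyed by the question text rather than by row position, the database's row order no longer matters.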


[cas-user] Re: CAS 5.2 and Ellucian Banner 9 (XE)

2018-02-22 Thread William E.
We are on cas 5.2.2, banner 8 via ssomanager and banner 9 admin apps.  
Seems to work fine since we upgraded to cas 5.2.2 in late December.

We populate the udcid in ldap from banner, then map it in cas as:

cas.authn.attributeRepository.ldap[0].attributes.uahUDCID=UDC_IDENTIFIER

Please note, without full BEIS the udcid in banner is not automatically 
populated when new users are created.  Our IDM calls a delivered BEIS 
component to populate any blank udcid values in banner before ldap 
provisioning since we don't use BEIS.

IP_IDENTITY_DATA_EXPORT_UTIL.P_ASSIGN_UDCID();


-William

BEIS = Banner Enterprise Identity Services


On Wednesday, February 21, 2018 at 5:46:21 PM UTC-6, Matthew Uribe wrote:
>
> Hello Community,
>
> I am wondering whether anyone has had success with Banner 9 and CAS 5.2.x 
>
> We have been using the Luminis delivered CAS 3.5.2, but are interested in 
> the features available in 5, such as SAML2 IdP, and MFA using Duo. I have 
> deployed CAS 5.2.0, included cas-server-support-ldap and 
> cas-server-support-saml 
> dependencies, and setup a service for one of our Banner 9 apps, but haven't 
> been able to successfully access the application. I can access the CAS 
> Dashboard, as well as the CAS-Management webapp, but the Banner apps are 
> beyond me at this point. Right now, when I navigate to the Banner 9 app, I 
> am redirected to the CAS login page. After logging in successfully, the 
> browser gives me an error: "HTTP Status 403 - No assertions found".
>
> I figure the problem is either in my service registry, or that I maybe 
> need to import the CAS certificate into a keystore somewhere on the Banner 
> 9 server. Since I don't see anything related to a cert import in the Banner 
> 9 install guides, I'm focused on the first of these two possibilities, but 
> after 2 days of going in circles I've run out of ideas and would eagerly 
> accept the advice of this community.
>
> Thank you,
> Matt
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/524db851-6ae3-4c5a-8670-389faeda2356%40apereo.org.


[cas-user] Re: cas 5 management

2018-02-09 Thread William E.
Exactly.  cas-management-overlay/target/cas-management.war


Since we use json registry, and ldap, we add the below.


<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-json-service-registry</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>



On Friday, February 9, 2018 at 9:13:54 AM UTC-6, Chris Cheltenham wrote:
>
> Hello ,
>
>  
>
> I have embarked on building cas-management via the overlay.
>
> I am assuming you build a totally separate war file with the ldap 
> dependency if you use ldap.
>
>  
>
> Is that correct?
>
>  
>
>  
>
>  
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571 
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/df4774ec-7151-4769-a96d-ee447296bced%40apereo.org.


[cas-user] Re: CAS 5.2.x

2018-02-08 Thread William E.
For Dave's docs:

We too have been working on using cas 5.2's saml2 capabilities to replace a 
full shibboleth.  Not quite there yet, but still working on it.

FWIW - We use apache's mod_ajp to front tomcat and these lines are what we 
use in proxy_ajp.conf:

ProxyPass /cas ajp://localhost:8009/cas


# CAS for IDP
ProxyPass /idp/shibboleth ajp://localhost:8009/cas/idp/metadata
ProxyPass /idp ajp://localhost:8009/cas/idp


The first is just for regular cas redirects to the cas app on the local 
tomcat.  The latter is specific for the IDP.  We publish our IDP metadata 
to InCommon which in turn is published to all its subscribers in their 
metadata aggregate.  We could republish of course changing host/idp to 
host/cas/idp, but to make the switch seamless, and to not break 
non-incommon SP's that we have to manually exchange metadata with, we use 
proxy_ajp to send host/idp requests to localhost/cas/idp with this line:

ProxyPass /idp ajp://localhost:8009/cas/idp

We have also found that some SP's specifically check idp/shibboleth which 
is not an endpoint cas provides; cas publishes its IDP metadata as 
/cas/idp/metadata so we use this line to send /idp/shibboleth requests to 
/cas/idp/metadata.

ProxyPass /idp/shibboleth ajp://localhost:8009/cas/idp/metadata

Fortunately, the way ajp works is top to bottom order so the more specific 
/idp/shibboleth is used before the more generic /idp line.

You may need to do similar, perhaps with your load balancer.  We use a load 
balancer as well, in front of apache, but found the redirect easiest with 
apache's ajp.

-W


On Monday, February 5, 2018 at 12:14:53 PM UTC-6, Chris Cheltenham wrote:
>
> Hello,
>
> I am not understanding how to bundle the LDAP authentication handler into 
> the cas.war file.
>
> Any suggestions?
>  
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f4df5045-a965-4a24-9243-b611b2d304af%40apereo.org.


[cas-user] Re: Application Not Authorized to Use CAS The application you attempted to authenticate to is not authorized to use CAS.

2018-01-22 Thread William E.
What is in the service url parameter?  Add it as an allowed service regex.

For example, since I access cas-management via localhost, I have a service 
that allows ^http://localhost:8080/cas-management/.*


On Friday, January 19, 2018 at 1:41:38 PM UTC-6, Ramakrishna G wrote:
>
> Application Not Authorized to Use CAS The application you attempted to 
> authenticate to is not authorized to use CAS.
>
> I keep getting this error. CAS-MANAGEMENT i am not able to run. Have any 
> other solution to get rid of this error.
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/723a2a42-cbe5-4644-a43a-692dc8b8fe9c%40apereo.org.
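An added example (not CAS code, not part of the reply above) of why the allowed-service regex needs the leading ^: a small Python model of a regex-based service registry. The matcher uses re.search, i.e. unanchored find semantics; that is an assumption about how the registry matches, chosen so the effect of a missing anchor is visible. Only the first registry entry is the one from the reply; the other entries and the URLs are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegexService:
    """One entry of a regex-based service registry: the serviceId pattern and a label."""
    service_id: str
    name: str


def find_service(registry, service_url):
    """Return the first registered service whose pattern matches the URL, else None.
    re.search is unanchored (an assumption about the real matcher), so a pattern
    without ^ can match a string that merely CONTAINS the expected URL."""
    for svc in registry:
        if re.search(svc.service_id, service_url):
            return svc
    return None


def is_authorized(registry, service_url) -> bool:
    """What the 'Application Not Authorized to Use CAS' check boils down to."""
    return find_service(registry, service_url) is not None


def literal_prefix_pattern(prefix: str) -> str:
    """Build an anchored serviceId for a literal URL prefix, escaping the dots in the
    host so 'sso.example.edu' cannot also match 'ssoXexample.edu'."""
    return "^" + re.escape(prefix) + ".*"


# Registry entries: the one from the reply, plus two weaker variants for comparison.
ANCHORED = RegexService(r"^http://localhost:8080/cas-management/.*", "cas-management")
UNANCHORED = RegexService(r"http://localhost:8080/cas-management/.*", "cas-management, no ^")
CATCH_ALL = RegexService(r".*", "anything")

# Constructed URLs: the real callback, and one an attacker could pass as the
# ?service= parameter that merely embeds the real one.
LEGIT = "http://localhost:8080/cas-management/manage.html"
SPOOF = "https://evil.example/cb?next=http://localhost:8080/cas-management/"


if __name__ == "__main__":
    for label, reg in (("anchored", [ANCHORED]), ("unanchored", [UNANCHORED]), ("catch-all", [CATCH_ALL])):
        print(f"{label:10} legit={is_authorized(reg, LEGIT)} spoof={is_authorized(reg, SPOOF)}")
```

The point of literal_prefix_pattern() is that a serviceId is a regular expression, so an unescaped dot in the hostname is a wildcard; building the pattern from the literal prefix closes that gap as well as the missing-anchor one.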


Re: [cas-user] CAS attribute resolution with LDAP

2018-01-10 Thread William E.
In our cas.properties, we also have:

cas.personDirectory.principalAttribute=uid,mail
cas.personDirectory.returnNull=false
cas.personDirectory.principalResolutionFailureFatal=false

Hope this helps.


On Wednesday, January 10, 2018 at 10:30:38 AM UTC-6, rbon wrote:
>
> Sebastien,
>
> To see what is happening on CAS side, put this in your CAS log config:
>
> <Logger name="org.apereo.cas.DefaultCentralAuthenticationService" level="debug" />
> <Logger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>
>
>
> Have you configured LDAP to release those attributes?
>
> Ray
>
> On Wed, 2018-01-10 at 06:11 -0800, Sébastien Ragons wrote:
>
> Hello, 
>
> I am trying to get attribute from LDAP but with no success since days.
> So i tried a basic configuration but it doesnt work.
>
> My basic configuration:
> # Authentification LDAP
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldapUrl=ldap://frparantgaga:389/
> cas.authn.ldap[0].useSsl=false
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].connectTimeout=5000
> cas.authn.ldap[0].baseDn=o=antalis
> cas.authn.ldap[0].userFilter=(|(uid={user})(mail={user}))
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].usePasswordPolicy=true
>
> # Credential to connect to LDAP
> cas.authn.ldap[0].bindDn=cn=root,o=antalis
> cas.authn.ldap[0].bindCredential=passwd
>
> # authentication-attributes
> cas.authn.ldap[0].principalAttributeList=sn,cn,mail,description
> cas.authn.attributeRepository.attributes.sn=sn
> cas.authn.attributeRepository.attributes.cn=cn
> cas.authn.attributeRepository.attributes.mail=mail
> cas.authn.attributeRepository.attributes.description=description 
>
>
> I configured my service to get all attributes
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : ".*",
>   "name" : "Service 3 avec theme 2",
>   "theme" : "theme2",
>   "id" : 3,
>   "attributeReleasePolicy" : {
> "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   }
> }
>
>
> Client side the principal doesnt contain none of the configured attributes.
> CAS server's logs seem to indicate that there is no attribute to release:
>
> .AbstractRegisteredServiceAttributeReleasePolicy] -  attributes [{}] for [seba...@gmail.com ]> 
>
>
>
> I'm aware about the article on the blog about attributes: 
> https://apereo.github.io/2017/02/22/cas51-dbauthn-tutorial/
> I've consulted several questions about this topic on this group.
> I dont understand why it doesnt work.
>
> Could you help me ?
> Thank you 
>
> Sebastien
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2f817a19-2b89-4944-a3c7-794b773e7cad%40apereo.org.


[cas-user] SAML FriendlyName and Name using same value

2018-01-10 Thread William E.
Hi all,

I'm pretty sure this is not a current feature of CAS 5.2.x, but I just 
wanted to ask this community if they found any way to do so by some config 
trickery.  If not, would the awesome CAS developers be interested in 
putting this on the list of future feature enhancements please?

So we're trying to use the saml idp of cas 5.2 to replace our shibboleth 
service.  Seems most SP's work but a few don't and unfortunately getting 
logs from vendors or technical insight is sometimes challenging.  But one 
distinct difference between the attributes shibboleth returns and cas IDP 
returns is that with cas, while you can specify the "return attribute x as 
name y" part, it's used for both the name and friendlyname values.

For example, in our config shibboleth returns the givenName like so:


<saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42">
    <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xsd:string">Jane</saml2:AttributeValue>
</saml2:Attribute>



With Name="urn:oid:2.5.4.42" and FriendlyName="givenName".


In the cas service definition I can specify givenName should be returned as 
urn:oid:2.5.4.42, which is awesome, but the urn:oid... is used for both 
Name and FriendlyName values.


  attributeReleasePolicy:
  {
@class: org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
allowedAttributes:
{
  @class: java.util.TreeMap
  givenName: "urn:oid:2.5.4.42"
...



<saml2:Attribute FriendlyName="urn:oid:2.5.4.42" Name="urn:oid:2.5.4.42">
    <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xsd:string">Jane</saml2:AttributeValue>
</saml2:Attribute>



Anyone know of a way to specify a different value for FriendlyName than 
Name?


Thanks,
William

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a58be248-9a81-4d24-a3b4-701eaf90c9e9%40apereo.org.
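As an added example, not code from CAS or from the post above: a parser for the AttributeStatement shape shown in the post that reports, per attribute Name, the FriendlyName and the values, plus a check that flags attributes whose FriendlyName is absent or merely repeats Name, which is the CAS 5.2 behaviour described. The two sample statements are constructed from the post's fragments; the saml2 prefix and the enclosing AttributeStatement element are assumptions.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the attribute as the post says Shibboleth emits it
# (Name = OID, FriendlyName = givenName).
SHIB_STATEMENT = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2}">
  <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42">
    <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xsd:string">Jane</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

# Constructed sample: the same attribute as the post says the CAS 5.2 IdP emits it
# (the mapped name used for both Name and FriendlyName).
CAS_STATEMENT = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2}">
  <saml2:Attribute FriendlyName="urn:oid:2.5.4.42" Name="urn:oid:2.5.4.42">
    <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xsd:string">Jane</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def parse_attributes(statement_xml: str):
    """Map each saml2:Attribute's Name to its FriendlyName (or None) and its values."""
    root = ET.fromstring(statement_xml)
    out = {}
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        name = attr.get("Name")
        values = [v.text or "" for v in attr.iter(f"{{{SAML2}}}AttributeValue")]
        out[name] = {"friendly": attr.get("FriendlyName"), "values": values}
    return out


def friendly_name_issues(statement_xml: str):
    """Names of attributes whose FriendlyName is missing or identical to Name.
    An SP that looks attributes up by FriendlyName (e.g. expecting 'givenName')
    will not find these."""
    return sorted(
        name
        for name, a in parse_attributes(statement_xml).items()
        if not a["friendly"] or a["friendly"] == name
    )


if __name__ == "__main__":
    for label, xml in (("shibboleth", SHIB_STATEMENT), ("cas", CAS_STATEMENT)):
        print(label, parse_attributes(xml), "issues:", friendly_name_issues(xml))
```

Run it against a real response captured from an SP that misbehaves (paste the AttributeStatement in place of the constructed ones) to see quickly whether the Name/FriendlyName duplication is the difference the SP is tripping over.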


Re: [cas-user] Re: Management Webapp 5.2 issue with attributes release

2017-12-21 Thread William E.
Hi Travis,

I have had similar issues.  Love the new look BTW, but the return mapped UI 
seems to have a bug or two.

Also, the Access strategy tab, maybe it's intentional, but it seems to 
autopopulate with all my defined attributes when I just click on that tab.  
So what I've accidentally run into is editing a service, clicking on access 
strategy to view settings, make no changes, click save service, and now my 
service(json) is set to require all my attributes.

One other, duplicate service has no "Save" button I can find.

Thanks for all your hard work on this!

-William




On Thursday, December 21, 2017 at 10:48:09 AM UTC-6, Travis Schmidt wrote:
>
> Ludovic, 
>   
>Thanks for reporting the issue with the cas-management application.  It 
> seems that I incompletely refactored some code in the attribute-release 
> screens.  A fix for the issue has been submitted as a PR and can be viewed 
> here:
>
> https://github.com/apereo/cas/pull/3108
>
> Once this is merged into the 5.2.x branch you should be able to pull it in 
> using the latest 5.2.x snapshot release.
>
> Thanks again,
> Travis
>
>
>
> On Thu, Dec 21, 2017 at 2:09 AM Ludovic Senecaux <linu...@gmail.com 
> > wrote:
>
>> And I have a problem to release mapped attributes too.
>>
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/25f3e76e-da12-4e7b-8460-9f4fa728e9d8%40apereo.org
>>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5c329311-bb2c-47d0-b6ac-928e1f113446%40apereo.org.


[cas-user] Re: Recommendations for CATALINA_OPTS for cas 5.x with tomcat 8.5.x

2017-12-21 Thread William E.
Martin,

Thank you.  You might be on to something.  I was quoting from memory and I 
was wrong on swap.  Of the two nodes, both in my mind identical VM's, the 
secondary node has 8GB of swap and a tiny bit used, but the primary, the 
one that is crashing, has no swap configured.  I have requested our systems 
team add 8GB of swap to the primary.

Primary server:

              total        used        free      shared  buff/cache   available
Mem:        8010840     4872660      420488      107484     2717692     2679336
Swap:             0           0           0

Secondary server:

              total        used        free      shared  buff/cache   available
Mem:        8010972     1192296     1530500       23196     5288176     6449948
Swap:       8388604        4604     8384000


Not sure I understand why it would matter since in theory swap should not 
be needed on a server with 8GB of ram with jvm limit set to 6GB though.  
Any more insight on why, because I would really like to understand the 
reason.


Additionally, I've put the shibboleth IDP back into play, effectively 
rendering the saml services in cas "unused".  I am using proxy_ajp to front 
tomcat with apache so it was easy to copy the idp.war into tomcat and 
re-enable the shib-cas-authenticator. I guess my hope of moving from 
cas+shibb. to just cas will have to wait


Thanks, 
William

P.S. Jeff, thank you for posting your catalina opts!


On Wednesday, December 20, 2017 at 11:30:40 PM UTC-6, Martin Bohun wrote:
>
> I have seen the behavior you are describing when people ran cas (tomcat, 
> mysql, etc.) on a (what I would consider a misconfigured) Linux box with 0 
> swap.
> However you are saying you have 4gb of swap.
> I still do prefer to set my swap to 2 * $MY_RAM; can you try that? adjust 
> or add a swapfile to your swap (so you have 8gb RAM / 16gb swap), I am 
> curious if that would help / solve your problem?
> What error messages are you getting in the jvm and syslog/systemd journal 
> from the OS?
>
> regards,
>
> martin
>
> On Thursday, December 21, 2017 at 1:35:45 PM UTC+11, William E. wrote:
>>
>> RHEL 7, 8GB ram, swap is 4GB.  It's a VM in our vSphere cluster+SAN.  I 
>> actually have three, two PROD nodes behind a load balancer and one test 
>> node.  All have same specs and all show the issue.  Steadily chews up 
>> memory until eventual crash, 1-6 hours depending on load.
>>
>> The same servers were running cas 3.6 + shibboleth 3.3.x for quite a 
>> while without memory issues.  Upgraded and tried to consolidate to just cas 
>> 5, using its saml2 capabilities to replace the shibboleth component.  But, 
>> it's not going as well as I had hoped.
>>
>> Been working with Unicon Support on it, but it appears to be a memory 
>> leak in cas 5.2, based on heap analysis.  So I am kind of stuck.
>>
>> Thanks for your help!
>>
>>
>>
>> On Wednesday, December 20, 2017 at 6:49:39 PM UTC-6, Martin Bohun wrote:
>>>
>>> What is your:
>>> 1. operating system
>>> 2. how much RAM do you have
>>> 3. how much swap do you have
>>>
>>> if you are on  Linux you can do:
>>> 1.uname -a
>>> 2-3. free -m
>>>
>>> and post the output here
>>>
>>> regards,
>>>
>>> martin
>>>
>>> On Thursday, December 21, 2017 at 11:00:30 AM UTC+11, William E. wrote:
>>>>
>>>> Does anyone have any recommendations for CATALINA_OPTS for cas 5.x on 
>>>> tomcat 8?
>>>>
>>>> I am finding that our setup steadily eats up memory to the point that 
>>>> it eventually crashes from out of memory and has to be restarted.
>>>>
>>>> Current settings:
>>>>
>>>> CATALINA_OPTS="-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server 
>>>> -Xms1g -Xmx6g -XX:-UseGCOverheadLimit -XX:+UseConcMarkSweepGC 
>>>> -XX:-UseCompressedOops"
>>>>
>>>> JAVA_OPTS=$CATALINA_OPTS
>>>>
>>>>
>>>> Thanks,
>>>> William
>>>>
>>>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7e36f7d2-3bf7-49d2-bcd8-bbc0e22b901b%40apereo.org.


[cas-user] Re: Recommendations for CATALINA_OPTS for cas 5.x with tomcat 8.5.x

2017-12-20 Thread William E.
RHEL 7, 8GB ram, swap is 4GB.  It's a VM in our vSphere cluster+SAN.  I 
actually have three, two PROD nodes behind a load balancer and one test 
node.  All have same specs and all show the issue.  Steadily chews up 
memory until eventual crash, 1-6 hours depending on load.

The same servers were running cas 3.6 + shibboleth 3.3.x for quite a 
while without memory issues.  Upgraded and tried to consolidate to just cas 
5, using its saml2 capabilities to replace the shibboleth component.  But, 
it's not going as well as I had hoped.

Been working with Unicon Support on it, but it appears to be a memory leak 
in cas 5.2, based on heap analysis.  So I am kind of stuck.

Thanks for your help!



On Wednesday, December 20, 2017 at 6:49:39 PM UTC-6, Martin Bohun wrote:
>
> What is your:
> 1. operating system
> 2. how much RAM do you have
> 3. how much swap do you have
>
> if you are on  Linux you can do:
> 1.uname -a
> 2-3. free -m
>
> and post the output here
>
> regards,
>
> martin
>
> On Thursday, December 21, 2017 at 11:00:30 AM UTC+11, William E. wrote:
>>
>> Does anyone have any recommendations for CATALINA_OPTS for cas 5.x on 
>> tomcat 8?
>>
>> I am finding that our setup steadily eats up memory to the point that it 
>> eventually crashes from out of memory and has to be restarted.
>>
>> Current settings:
>>
>> CATALINA_OPTS="-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server 
>> -Xms1g -Xmx6g -XX:-UseGCOverheadLimit -XX:+UseConcMarkSweepGC 
>> -XX:-UseCompressedOops"
>>
>> JAVA_OPTS=$CATALINA_OPTS
>>
>>
>> Thanks,
>> William
>>
>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/bfe6c835-bf1e-4f24-b507-025d7c0e3172%40apereo.org.


[cas-user] Recommendations for CATALINA_OPTS for cas 5.x with tomcat 8.5.x

2017-12-20 Thread William E.
Does anyone have any recommendations for CATALINA_OPTS for cas 5.x on 
tomcat 8?

I am finding that our setup steadily eats up memory to the point that it 
eventually crashes from out of memory and has to be restarted.

Current settings:

CATALINA_OPTS="-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server 
-Xms1g -Xmx6g -XX:-UseGCOverheadLimit -XX:+UseConcMarkSweepGC 
-XX:-UseCompressedOops"

JAVA_OPTS=$CATALINA_OPTS


Thanks,
William

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/fe0ba2b3-4918-4e07-870a-3d4196207e87%40apereo.org.


[cas-user] Re: CAS 5.1.0 LDAP - How to get all groups that a user is a member of?

2017-12-01 Thread William E.
Perhaps try adding these to cas.properties?

cas.authn.attributeRepository.ldap[0].attributes.member=member
cas.authn.attributeRepository.ldap[0].attributes.memberof=memberof



On Thursday, November 23, 2017 at 4:41:33 AM UTC-6, Sanjaya Addula wrote:
>
> Hi,
>
> How can I configure cas to get the LDAP user groups details as a principal 
> attribute.
>
> cas.authn.ldap[0].type=DIRECT
> cas.authn.ldap[0].ldapUrl=ldapurl
> cas.authn.ldap[0].useSsl=false
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].connectTimeout=5000
> #cas.authn.ldap[0].baseDn=ou=groups,dc=ec2,dc=internal
> cas.authn.ldap[0].baseDn=ou=Users,dc=ec2,dc=internal
> #cas.authn.ldap[0].userFilter=uid=%s,ou=Users,dc=ec2,dc=internal
> cas.authn.ldap[0].userFilter=(&(uid={user})(objectclass=inetOrgPerson))
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].usePasswordPolicy=false
> cas.authn.ldap[0].bindDn=uid=user2,ou=Users,dc=ec2,dc=internal
> cas.authn.ldap[0].bindCredential=xyz
>
> cas.authn.ldap[0].dnFormat=uid=%s,ou=Users,dc=ec2,dc=internal
> cas.authn.ldap[0].principalAttributeId=uid
>
> cas.authn.ldap[0].principalAttributeList=sn,title,mail,telephoneNumber,mobile,manager
>
>
>
> 
>
>
>
>
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f8204b37-ad0f-456c-86ae-05042d0ee1f3%40apereo.org.


[cas-user] Re: CAS management - new service username attribute provider options

2017-11-22 Thread William E.
Nope.  In my cas 5.1 pom I only have:



<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp${app.server}</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-ldap</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-json-service-registry</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-saml-idp</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-token-webflow</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-saml-sp-integrations</artifactId>
        <version>${cas.version}</version>
    </dependency>
</dependencies>


In my cas-management 5.1 pom.xml:



<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-management-webapp</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-json-service-registry</artifactId>
        <version>${cas.version}</version>
    </dependency>
</dependencies>


On Wednesday, November 22, 2017 at 7:26:40 AM UTC-6, Justin Andrews wrote:
>
> Gotcha. Do you also have these defined in your pom.xml ?
>
> <dependency>
>     <groupId>org.apereo.service.persondir</groupId>
>     <artifactId>person-directory-api</artifactId>
>     <version>${person.directory.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.service.persondir</groupId>
>     <artifactId>person-directory-impl</artifactId>
>     <version>${person.directory.version}</version>
> </dependency>
>
>
> On Tuesday, November 21, 2017 at 10:24:47 PM UTC-5, William E. wrote:
>>
>> I had to add them to mine for the username drop down in cas management to 
>> get populated.
>>
>>
>> On Tuesday, November 21, 2017 at 2:01:09 PM UTC-6, Justin Andrews wrote:
>>>
>>> No, I do not have those in my cas.properties...
>>>
>>> On Tuesday, November 21, 2017 at 10:49:13 AM UTC-5, William E. wrote:
>>>>
>>>> Do you have entries like below in your cas.properties file?
>>>>
>>>> cas.authn.attributeRepository.ldap[0].attributes.uid=uid
>>>> cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
>>>> cas.authn.attributeRepository.ldap[0].attributes.cn=commonName
>>>>
>>>> cas.authn.attributeRepository.ldap[0].attributes.affiliation=eduPersonAffiliation
>>>> .
>>>>
>>>>
>>>>
>>>> On Monday, November 20, 2017 at 8:56:41 AM UTC-6, Justin Andrews wrote:
>>>>>
>>>>> Hi folks - What are the requirements to be able to adjust the username 
>>>>> attribute via the CAS management GUI? This is all I see.
>>>>>
>>>>>
>>>>> <https://lh3.googleusercontent.com/-CTPBkMm3cX0/WhLtHf_H7XI/Ahs/eKc-wpYGg80qUzBr54KA00FMkYHYqUPPwCLcBGAs/s1600/Screen%2BShot%2B2017-11-20%2Bat%2B9.54.31%2BAM.png>
>>>>>
>>>>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/edfcce91-7e7b-42c5-8653-1d59d6b5e144%40apereo.org.


[cas-user] Re: CAS management - new service username attribute provider options

2017-11-21 Thread William E.
I had to add them to mine for the username drop down in cas management to 
get populated.


On Tuesday, November 21, 2017 at 2:01:09 PM UTC-6, Justin Andrews wrote:
>
> No, I do not have those in my cas.properties...
>
> On Tuesday, November 21, 2017 at 10:49:13 AM UTC-5, William E. wrote:
>>
>> Do you have entries like below in your cas.properties file?
>>
>> cas.authn.attributeRepository.ldap[0].attributes.uid=uid
>> cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
>> cas.authn.attributeRepository.ldap[0].attributes.cn=commonName
>>
>> cas.authn.attributeRepository.ldap[0].attributes.affiliation=eduPersonAffiliation
>>
>>
>>
>> On Monday, November 20, 2017 at 8:56:41 AM UTC-6, Justin Andrews wrote:
>>>
>>> Hi folks - What are the requirements to be able to adjust the username 
>>> attribute via the CAS management GUI? This is all I see.
>>>
>>>
>>> <https://lh3.googleusercontent.com/-CTPBkMm3cX0/WhLtHf_H7XI/Ahs/eKc-wpYGg80qUzBr54KA00FMkYHYqUPPwCLcBGAs/s1600/Screen%2BShot%2B2017-11-20%2Bat%2B9.54.31%2BAM.png>
>>>
>>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ff7d81b5-5caf-46a4-a27a-5be615d04fb5%40apereo.org.


[cas-user] Re: CAS management - new service username attribute provider options

2017-11-21 Thread William E.
Do you have entries like below in your cas.properties file?

cas.authn.attributeRepository.ldap[0].attributes.uid=uid
cas.authn.attributeRepository.ldap[0].attributes.displayName=displayName
cas.authn.attributeRepository.ldap[0].attributes.cn=commonName
cas.authn.attributeRepository.ldap[0].attributes.affiliation=eduPersonAffiliation



On Monday, November 20, 2017 at 8:56:41 AM UTC-6, Justin Andrews wrote:
>
> Hi folks - What are the requirements to be able to adjust the username 
> attribute via the CAS management GUI? This is all I see.
>
>
> 
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8bea6203-c587-42cd-8ddc-baf76d9c768f%40apereo.org.


[cas-user] Password Reset "500 Internal Server Error" CAS 5.1.5

2017-11-01 Thread William Jojo
Is there a way to better handle a user not yet having an email in our 
database of questions for PW reset? Currently get 500 Internal Server Error:

We wish we could be more directly helpful to you.

Error: Exception thrown executing 
org.apereo.cas.pm.web.flow.SendPasswordResetInstructionsAction@6cc54845 in 
state 'sendInstructions' of flow 'login' -- action execution attributes were 
'map[[empty]]'

null


Seems the Null value is not being handled correctly.


Alternatively if I enter the user with no email, the page just resets with no 
information to the user, but asking them for their userid again.


Can a null response, or no available email allow us to configure a proper 
response with a link for assistance?



This is our last major hurdle before releasing to production.



Thank you!


Bill

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c062fff4-17b8-4998-889f-a0cb1dc701df%40apereo.org.


[cas-user] CAS 5.1.x Password reset link contains dot that breaks link on some devices/apps.

2017-09-25 Thread William Jojo
Is there a quick way to change the link sent from CAS PM? The link often 
contains multiple instances of a period which breaks the links in some 
readers/apps.

Changing the period to %2e always works, but can this be done within 
CAS? Should I file this as a bug?

Thank you!

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/cfdce48b-e19e-4339-8724-9644256eb3af%40apereo.org.
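One way to rewrite the link before it is mailed, as an added example that is not code from the thread or from CAS: every period in the path and in the query values is percent-encoded while the host name (which must stay resolvable) is left alone, and a second helper checks that a receiver applying ordinary percent-decoding gets exactly the original target back, so the rewrite is safe to apply to a signed or encrypted token. The reset URL and token are constructed for the example; `urllib.parse` emits uppercase `%2E`, which receivers must treat identically to the `%2e` form used above. `wrap_for_plaintext_mail` shows the other usual mitigation, the `<...>` delimiters RFC 3986 Appendix C recommends for URLs in running text, which this thread does not discuss.

```python
"""Added example (not from the thread or from CAS): rewrite a password-reset
link so that mail readers which break on periods keep it intact, and prove
the rewrite is lossless for the server that receives the click."""
from urllib.parse import parse_qsl, quote, unquote, urlsplit, urlunsplit

# Constructed sample: a CAS-style reset link whose token contains dots.
SAMPLE_LINK = (
    "https://cas.example.edu/cas/login"
    "?pm_reset=eyJhbGciOi.abc123.signature&service=https://portal.example.edu/"
)


def _encode_dots(value: str) -> str:
    """Percent-encode one path segment or query value, dots included."""
    # quote() leaves '.' alone because it is an unreserved character, so the
    # replacement is explicit. quote() emits uppercase hex (%2E); receivers
    # must treat that the same as the %2e form.
    return quote(value, safe="").replace(".", "%2E")


def percent_encode_dots(link: str) -> str:
    """Rewrite path segments and query values so that no literal '.' remains
    anywhere except the host name, which has to stay resolvable."""
    parts = urlsplit(link)
    # Decode each piece first so already-encoded input is not double-encoded.
    path = "/".join(_encode_dots(unquote(seg)) for seg in parts.path.split("/"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    query = "&".join(f"{quote(k, safe='')}={_encode_dots(v)}" for k, v in pairs)
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


def decoded_target(link: str):
    """What a receiver sees after ordinary percent-decoding:
    (host, path, [(query key, value), ...])."""
    parts = urlsplit(link)
    return (parts.netloc, unquote(parts.path),
            parse_qsl(parts.query, keep_blank_values=True))


def round_trips(link: str) -> bool:
    """True when the rewritten link decodes to exactly the original target."""
    return decoded_target(percent_encode_dots(link)) == decoded_target(link)


def wrap_for_plaintext_mail(link: str) -> str:
    """RFC 3986 Appendix C: delimit a URL with angle brackets in running text
    so trailing punctuation and line wrapping are not taken as part of it."""
    return f"<{link}>"
```

The round-trip check is the part worth keeping in a build or unit test: if a later change to the token format introduces characters that the rewrite and the decode do not agree on, `round_trips` fails before a broken link reaches a user.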


[cas-user] Re: CAS 5.1.x Custom template. Anyone get this working?

2017-09-25 Thread William Jojo
We did finally get this working. File placement was key!

Thank you!

On Tuesday, September 19, 2017 at 9:51:06 PM UTC-4, Andy Ng wrote:
>
> To my recall, there have been a lot of theme-related posts in this group. I 
> also tried to make themes work on my project when I was on 5.1.x, which 
> failed.
>
> However, when I updated my project to 5.2.0-RC3, I actually got the theme 
> working, and here is how the folders and files in my project are laid out; maybe 
> you will find this useful. (The method below is probably not going to work on 
> 5.1.x, but you can try it yourself.)
>
>
> Let's say our theme is called *jurassic*.
>
>
> What I have done is as such:
>
> [Project Layout] (note: [] = folder)
>
> - src/main/resource
>   - jurassic.properties (A)
>   - application.properties (B) (Optional)
>   - [services]
>     - JurassicLogin-101.json (C)
>   - [templates]
>     - casLoginView.html (D)
>     - [jurassic]
>       - casLoginView.html (E)
>   - [statics]
>     - [themes]
>       - [jurassic]
>         - [css]
>           - cas.css (F)
>         - [js]
>           - cas.js (G)
>
> [What is inside each file]
>
> * jurassic.properties (A)
>
> #Note: even if you do not need css and js, you just want to place the 
> whole page with yours, you still need this
>
> standard.custom.css.file=/themes/jurassic/css/cas.css
>
> cas.javascript.file=/themes/jurassic/js/cas.js
>
>  
>
> * application.properties (B)
>
> #Making a default theme is easy, just do this:
> cas.theme.defaultThemeName=jurassic
>
> #However, if you just want to change the default login layout, you can 
> just replace the normal login page casLoginView.html (D)
>
>  
>
> * JurassicLogin-101.json (C)
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^https://dino.example.com",
>   "name" : "Jurassic Login",
>   "id" : 101,
>   "description" : "Jurassic Login Page.",
>   "evaluationOrder" : ,
>   "theme" : "jurassic"
> }
>
>  
>
> * casLoginView.html (D) (Normal Login Page)
>
> 
> 
> Your normal login, you can skip making this if you want the look of 
> CAS in normal login
> 
>
>  
>
> * casLoginView.html (E) (Login Page For the Dino)
>
> 
>
> 
>
> 
>
> 
>
> You are at Jurassic Theme Park!!
>
>  
>
> 
>
> 
> In 5.2.0-RC3, these are the minimum necessary elements in the HTML (you 
> can check and see if this is the case)
>
> 
>
>  th:object="${credential}">
>
> 
>
>  th:value="${flowExecutionKey}" />
>
> 
>
> 
>
> 
>
>  type="submit"/>
>
> 
>
> 
>
> 
>
> 
>
> 
>
> * cas.css (F)
>
> You can even just leave css blank, you do what you need
>
> * cas.js (G)
>
> You can even just leave js blank, you do what you want
>
>
> If you access your cas site using this:
> https://cas.sso.com/cas/login?service=https://dino.example.com
> The Jurassic theme should be triggered.
>
> At last, if you really cannot make the theme work on your version of CAS 
> 5, you can also use Thymeleaf tricks (although not so elegant): in your 
> normal login page (D), just add the following at the beginning of your 
> casLoginView.html:
>
> https://dino.example.com ')}">
> 
>
> 
>
> See if this helps you!
> -Andy
>
> On Tuesday, 19 September 2017 22:14:00 UTC+8, William Jojo wrote:
>>
>> As the title suggests, we are unable to make this work. Cannot figure out 
>> what 
>> might be causing custom templates to be ignored. CSS/JS theming works fine, 
>> but custom templates are needed to make structural changes. The log shows 
>> the service recognizing the theme name, but our fragments are not being 
>> absorbed. 
>>
>> Can anyone shed light on this? Followed the following to the letter:
>>
>>
>> https://apereo.github.io/cas/5.1.x/installation/User-Interface-Customization-Themes.html
>>
>>
>> Thank you!
>>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/de7d87ba-12f5-4c68-a42f-2f344ebdb2f6%40apereo.org.
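How a service registry entry like JurassicLogin-101.json selects the theme, as an added example that is not code from the thread or from CAS: it loads two small constructed registries, one with the start-anchored `^https://dino.example.com` pattern from the JSON above and one with the pattern tightened (`\.` for the literal dots, `$` after an optional path), and resolves the theme for a few `service=` URLs. The matching rule is an assumption modelled on RegexRegisteredService: a regex search that can hit anywhere in the URL unless the pattern is anchored, with the lowest `evaluationOrder` winning. The look-alike hosts in the checks are the reason to deploy the tightened form: with the loose pattern any service whose URL merely starts with those characters inherits the registration, and with it the theme and whatever policy the registration carries.

```python
"""Added example (not code from the thread or from CAS): resolve which
registered service, and therefore which theme, a login request gets, and
show why the serviceId regex has to be anchored at both ends."""
import json
import re

# Constructed service registry modelled on JurassicLogin-101.json above.
# The first pattern is as written in the thread: anchored at the start only.
LOOSE_SERVICES = r"""[
  {"@class": "org.apereo.cas.services.RegexRegisteredService",
   "serviceId": "^https://dino.example.com",
   "name": "Jurassic Login", "id": 101, "evaluationOrder": 10,
   "theme": "jurassic"},
  {"@class": "org.apereo.cas.services.RegexRegisteredService",
   "serviceId": "^https://portal\\.example\\.edu(/.*)?$",
   "name": "Portal", "id": 102, "evaluationOrder": 20}
]"""

# Same registry with the dino pattern tightened: dots escaped, end anchored.
STRICT_SERVICES = LOOSE_SERVICES.replace(
    '"^https://dino.example.com"', r'"^https://dino\\.example\\.com(/.*)?$"')


def load_services(text: str) -> list:
    """Parse a JSON list of service definitions (constructed format)."""
    return json.loads(text)


def find_service(services: list, service_url: str):
    """Assumption: matching behaves like a Java regex find(), so the pattern
    may hit anywhere in the URL unless it is anchored. The lowest
    evaluationOrder wins, as in the CAS service registry."""
    for svc in sorted(services, key=lambda s: s["evaluationOrder"]):
        if re.search(svc["serviceId"], service_url):
            return svc
    return None


def theme_for(services: list, service_url: str,
              default: str = "cas-theme-default"):
    """Theme to render for the login request; None when no registered
    service matches (CAS does not issue tickets for unregistered services)."""
    svc = find_service(services, service_url)
    if svc is None:
        return None
    return svc.get("theme", default).strip()
```

The `.strip()` on the theme name is deliberate: a stray space such as the `" jurassic"` that appeared in the quoted JSON would otherwise point at a theme directory that does not exist.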


[cas-user] CAS 5.1.x Custom template. Anyone get this working?

2017-09-19 Thread William Jojo
As the title suggests, we are unable to make this work. Cannot figure out what 
might be causing custom templates to be ignored. CSS/JS theming works fine, 
but custom templates are needed to make structural changes. The log shows 
the service recognizing the theme name, but our fragments are not being 
absorbed. 

Can anyone shed light on this? Followed the following to the letter:

https://apereo.github.io/cas/5.1.x/installation/User-Interface-Customization-Themes.html


Thank you!

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/86e6c496-762b-4bf7-afe7-ee51d8b5f8ab%40apereo.org.


[cas-user] Re: 5.1.3 JDBC Password Management issues (two)

2017-09-01 Thread William Jojo
Ok, I fixed the update problem - it was the MySQL dialect I chose. 

However, the presentation of multiple questions and accepting multiple 
answers seems like a bug to me.

Bill

On Wednesday, August 30, 2017 at 9:33:45 AM UTC-4, William Jojo wrote:
>
> Good day to you all!
>
> As the subject says, I am having two issues with JDBC Password Management. 
> The first involves the questions.
>
> 2017-08-29 20:42:15,243 DEBUG 
> [org.apereo.cas.pm.jdbc.JdbcPasswordManagementService] -  security questions for [w.jojo]>
>
> All three questions are found in the DB and the form presents all of the 
> questions, accepts the answer through form submission, but says "Password 
> Reset Failed - We are unable to process your password reset request at this 
> time". *If I use only one question, however, it proceeds to the point of 
> entering the new password.*
>
> --- 
>
> The second problem is the JDBC pw update says it completed:
>
> =
>
> WHO: audit:unknown
>
> WHAT: true
>
> ACTION: CHANGE_PASSWORD_SUCCESS
>
> APPLICATION: CAS
>
> WHEN: Tue Aug 29 21:53:05 EDT 2017
>
> CLIENT IP ADDRESS: 151.103.188.47
>
> SERVER IP ADDRESS: 151.103.18.216
>
> =
>
>
> >
>
> 2017-08-29 21:53:05,864 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
>
> =
>
> WHO: audit:unknown
>
> WHAT: true
>
> ACTION: CHANGE_PASSWORD_SUCCESS
>
> APPLICATION: CAS
>
> WHEN: Tue Aug 29 21:53:05 EDT 2017
>
> CLIENT IP ADDRESS: 151.103.188.47
>
> SERVER IP ADDRESS: 151.103.18.216
>
> =
>
> But the record is not actually updated in the DB table. I have tried:
>
> update pm_table_accounts set password=? where user=?
>
> as well as
>
> insert into pm_table_accounts values (password=?, userid=?)
>
> Some cas.properties of relevance:
>
> # JDBC/MySQL
>
> cas.authn.pm.jdbc.sqlSecurityQuestions=SELECT question, answer FROM 
> pm_table_questions WHERE userid=?
>
> cas.authn.pm.jdbc.sqlFindEmail=SELECT email FROM pm_table_accounts WHERE 
> userid=?
>
> cas.authn.pm.jdbc.sqlChangePassword=update pm_table_accounts set 
> password=? where userid=?
>
> cas.authn.pm.jdbc.dialect=org.hibernate.dialect.MySQL5Dialect
>
> cas.authn.pm.jdbc.driverClass=com.mysql.jdbc.Driver
>
> cas.authn.pm.jdbc.passwordEncoder.type=NONE
>
>
> I feel like the latter problem is something rather silly that I am 
> missing... 
>
> Thank you!
>
> Bill
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6c444d34-53ff-4c95-a326-cdfefb41d2f1%40apereo.org.


[cas-user] 5.1.3 JDBC Password Management issues (two)

2017-08-30 Thread William Jojo
Good day to you all!

As the subject says, I am having two issues with JDBC Password Management. 
The first involves the questions.

2017-08-29 20:42:15,243 DEBUG 
[org.apereo.cas.pm.jdbc.JdbcPasswordManagementService] - 

All three questions are found in the DB and the form presents all of the 
questions, accepts the answer through form submission, but says "Password 
Reset Failed - We are unable to process your password reset request at this 
time". *If I use only one question, however, it proceeds to the point of 
entering the new password.*

--- 

The second problem is the JDBC pw update says it completed:

=

WHO: audit:unknown

WHAT: true

ACTION: CHANGE_PASSWORD_SUCCESS

APPLICATION: CAS

WHEN: Tue Aug 29 21:53:05 EDT 2017

CLIENT IP ADDRESS: 151.103.188.47

SERVER IP ADDRESS: 151.103.18.216

=


>

2017-08-29 21:53:05,864 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/14caed25-8b57-4f6d-98dc-c0b7e20b234c%40apereo.org.


Re: [cas-user] AD Password Policy in 5.1.x.

2017-08-29 Thread William Jojo
Perfect!

As always, thank you so much!

Bill


On Tuesday, August 29, 2017 at 10:21:29 AM UTC-4, Misagh Moayyed wrote:
>
> *password.expiration.warning=Your password expires in {0} day(s). Please 
> change your password now.*
>
>
> Which, of course, translates the href to a local CAS link to {1}. Is the 
> intention to have a configurable property or do we edit this as part of the 
> overlay?
>
> Edit as part of overlay.
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ca1ecd83-421e-4741-953f-9153351e25f5%40apereo.org.


[cas-user] AD Password Policy in 5.1.x.

2017-08-29 Thread William Jojo
Password policy with AD seems like dabbling in the dark arts. ;-)

In 4.2.7 you cannot use it:

*Attribute 'usePasswordPolicy' is not allowed to appear in element 
'ldaptive:ad-authenticator'.*

But you need ad-authenticator to make the return codes work and notify 
users of expired accounts and such.

In 5.1, there is no equivalent (that I have found) to "*password.policy.url*" 
(q.v. version 4.2.x). While I can get the notification to occur and let the 
user know their password will expire in 27 days, I cannot get the URL set. 
However, in *messages.properties* there is:

*password.expiration.warning=Your password expires in {0} day(s). Please change your password now.*

Which, of course, translates the href to a local CAS link to {1}. Is the 
intention to have a configurable property or do we edit this as part of the 
overlay?

Thank you!

Bill

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/fd708219-446c-4f31-81a8-863e357ac8d8%40apereo.org.


Re: [cas-user] Validating SAML 1.1 request integrated with CAS 4.1.2

2017-07-11 Thread William Brant
I have a similar issue; if you find the answer, could you please forward it
to me.

On Jul 11, 2017 1:41 AM, "satheesh k"  wrote:

> Hello,
>
>  We are using CAS V4.1.2 and implemented SAML V1.1. However, while trying
> to validate the SAML request we realized that we need to pass 'service'
> and 'ticket' details to validate it.
>  Could someone help us to know how we can get the server ticket id once
> the user is authenticated and pass it in the SAML request? We tried passing the
> server ticket id which we get from the HTTP header but we are getting
> invalid ticket.
> Can someone help me to resolve this problem?
>
> Regards,
> Satheesh. K
>
>

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CACfF8XvNgWBjxmTQ1igP%2BgaWfgVugjDDGyVSM9yD%2BnHZTqZZpg%40mail.gmail.com.


Re: [cas-user] Re: Password Management Assistance

2017-07-07 Thread William Jojo
Just confirming the driver issue remains in 5.1.2-SNAPSHOT:

2017-07-07 18:32:26,402 ERROR [org.apereo.cas.configuration.support.Beans] 
- 

2017-07-07 18:32:26,402 WARN 
[org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext]
 
- 

Thank you!

On Friday, July 7, 2017 at 6:26:59 PM UTC-4, William Jojo wrote:
>
> I see all three questions now! But I cannot get to the password entry page 
> unless I only use one question.
>
> Also, I read in another thread that the JDBC drivers have an issue at 
> 5.1.1 (which I, too, experienced) and the person suggested using 5.0.6 - 
> which works. Should this also be fixed in 5.1.2?
>
> On Friday, July 7, 2017 at 1:29:22 PM UTC-4, Misagh Moayyed wrote:
>>
>>  
>>
>> Line 68 is definitely the overridden getSecurityQuestions() with the Map, 
>> but question results are limited to 1? Cannot find this result size in the 
>> code.
>>
>>  
>>
>> Don't think I am missing a config option...
>>
>>  
>>
>>  
>>
>> You are not. That’s a bug, where the queryForMap() expects a single row 
>> as a result. This should be fixed in 5.1.2. Retry with the snapshot in 
>> about an hour.
>>
>
>  
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c5872b0f-f4c2-45cf-9be9-8f6bb0d094b0%40apereo.org.


Re: [cas-user] Re: Password Management Assistance

2017-07-07 Thread William Jojo
I see all three questions now! But I cannot get to the password entry page 
unless I only use one question.

Also, I read in another thread that the JDBC drivers have an issue at 5.1.1 
(which I, too, experienced) and the person suggested using 5.0.6 - which 
works. Should this also be fixed in 5.1.2?

On Friday, July 7, 2017 at 1:29:22 PM UTC-4, Misagh Moayyed wrote:
>
>  
>
> Line 68 is definitely the overridden getSecurityQuestions() with the Map, 
> but question results are limited to 1? Cannot find this result size in the 
> code.
>
>  
>
> Don't think I am missing a config option...
>
>  
>
>  
>
> You are not. That’s a bug, where the queryForMap() expects a single row as 
> a result. This should be fixed in 5.1.2. Retry with the snapshot in about 
> an hour.
>

 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/220ca968-26f0-4bfa-a168-296c82fff327%40apereo.org.


Re: [cas-user] Re: Password Management Assistance

2017-07-06 Thread William Jojo
Thank you! I will look at those links. Got basic functionality working 
without questions to gain understanding of the code. LDAP worked great for 
the password reset portion (again, no questions). When working through the 
details of the JDBC component, I have a modest MySQL database for testing:

create table questions (
    username tinytext not null,
    question tinytext not null,
    answer tinytext not null
);

create table pwreset (
    username tinytext not null,
    password tinytext not null
);

create table email (
    username tinytext not null,
    email tinytext not null
);

Related JDBC queries:

cas.authn.pm.jdbc.sqlSecurityQuestions=SELECT question, answer FROM 
questions WHERE username=?

cas.authn.pm.jdbc.sqlFindEmail=SELECT email FROM email WHERE username=?

cas.authn.pm.jdbc.sqlChangePassword=insert into pwreset (password, 
username) values (?, ?)

Populated the user with two emails - CAS does not like that, but I am planning on 
extending this. We have users with multiple personal emails as an option.

Working around that, I have three questions setup for user, and I know that 
Map is being used:

Caused by: org.springframework.dao.IncorrectResultSizeDataAccessException: 
Incorrect result size: expected 1, actual 3
at org.springframework.dao.support.DataAccessUtils.requiredSingleResult(DataAccessUtils.java:74) ~[spring-tx-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:795) ~[spring-jdbc-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.jdbc.core.JdbcTemplate.queryForMap(JdbcTemplate.java:828) ~[spring-jdbc-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.apereo.cas.pm.jdbc.JdbcPasswordManagementService.getSecurityQuestions(JdbcPasswordManagementService.java:68) ~[cas-server-support-pm-5.1.1.jar:5.1.1]

Line 68 is definitely the overridden getSecurityQuestions() with the Map, 
but question results are limited to 1? Cannot find this result size in the 
code.

Don't think I am missing a config option...


Bill


On Thursday, July 6, 2017 at 4:06:18 PM UTC-4, Misagh Moayyed wrote:
>
> Great.
>
> What you want to do is mostly controlled by this line:
>
>
> https://github.com/apereo/cas/blob/master/support/cas-server-support-pm/src/main/java/org/apereo/cas/pm/config/PasswordManagementConfiguration.java#L125
>
> Write something that extends/implements PasswordManagementService. Then 
> inject a “bean” instance of it into the runtime engine. CAS will pick up 
> yours instead of the defaults (note that Conditional tag).
>
> To learn how to inject config into CAS dynamically:
>
> https://apereo.github.io/cas/5.1.x/installation/Configuration-Management-Extensions.html
>
> More or less the same:
> https://apereo.github.io/2017/02/21/cas-autocfg-strategy/ 
>
> --Misagh
>
> On July 6, 2017 at 12:48:06 PM, William Jojo (joj...@gmail.com 
> ) wrote:
>
> Thank you, Misagh. I am looking at the code tree at 
> https://github.com/apereo/cas/blob/master/support/cas-server-support-pm/src/main/java/org/apereo/cas/pm/.
> Again, at the moment, I am attempting to trigger the basic PM 
> functionality, then I can determine the injection point. If my attempt is 
> worthy, I am happy to contribute it to CAS.
>
> Bill
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a500a35c-0ae0-4629-a048-06d0b3a652d6%40apereo.org.
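Both the "5.1.3 JDBC Password Management issues" thread above and this one run into the same two things: `getSecurityQuestions()` going through `queryForMap()`, which expects exactly one row, and a password change that is audited as `CHANGE_PASSWORD_SUCCESS` while the table stays unchanged. The following is an added example, not CAS code, that reproduces both against an in-memory SQLite copy of the tables (the schema, the user `w.jojo` and the three questions are constructed for the example) and shows the behaviour a fixed implementation should have: fetch all question rows, require every answer, compare in constant time, and treat an UPDATE that touched zero rows as a failure rather than a success. The password is stored as a salted PBKDF2 hash here rather than with `passwordEncoder.type=NONE`; that choice is the example's, not something the thread prescribes.

```python
"""Added example (not CAS code): the two JDBC password-management failure
modes from the thread, reproduced against an in-memory SQLite copy of the
tables, next to the behaviour a fixed implementation should have."""
import hashlib
import hmac
import os
import sqlite3

# Constructed schema and rows mirroring the tables described in the posts.
SCHEMA = """
CREATE TABLE pm_table_questions (userid TEXT NOT NULL, question TEXT NOT NULL, answer TEXT NOT NULL);
CREATE TABLE pm_table_accounts  (userid TEXT PRIMARY KEY, email TEXT, password TEXT NOT NULL);
"""
SAMPLE_QUESTIONS = [
    ("w.jojo", "First pet?", "Rex"),
    ("w.jojo", "Birth city?", "Troy"),
    ("w.jojo", "Favourite dinosaur?", "Stegosaurus"),
]


class IncorrectResultSize(Exception):
    """Stands in for Spring's IncorrectResultSizeDataAccessException."""


def open_sample_db() -> sqlite3.Connection:
    """Create the constructed tables and one account with three questions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO pm_table_questions VALUES (?, ?, ?)", SAMPLE_QUESTIONS)
    conn.execute("INSERT INTO pm_table_accounts VALUES (?, ?, ?)",
                 ("w.jojo", "w.jojo@example.edu", "old-hash"))
    conn.commit()
    return conn


def query_for_map(conn, sql, *params) -> dict:
    """Mimics JdbcTemplate.queryForMap(): exactly one row, otherwise an error.
    Fetching three security questions this way is what failed in 5.1.1."""
    cur = conn.execute(sql, params)
    rows = cur.fetchall()
    if len(rows) != 1:
        raise IncorrectResultSize(f"Incorrect result size: expected 1, actual {len(rows)}")
    return dict(zip([c[0] for c in cur.description], rows[0]))


def security_questions(conn, userid) -> dict:
    """Fixed behaviour: fetch every row (queryForList-style), question -> answer."""
    rows = conn.execute(
        "SELECT question, answer FROM pm_table_questions WHERE userid=?", (userid,)).fetchall()
    return dict(rows)


def answers_match(expected: dict, given: dict) -> bool:
    """Every stored question must be answered correctly. Each comparison is
    constant-time and none is skipped early, so a partial match is not
    distinguishable from a total miss by timing."""
    if set(expected) != set(given):
        return False
    ok = True
    for question, answer in expected.items():
        ok &= hmac.compare_digest(answer.strip().lower().encode(),
                                  given[question].strip().lower().encode())
    return ok


def change_password(conn, userid, new_password) -> bool:
    """UPDATE the stored hash and report whether a row actually changed.
    The audit record in the thread said CHANGE_PASSWORD_SUCCESS while the
    table stayed the same; checking rowcount makes that case visible."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    stored = salt.hex() + "$" + digest.hex()
    cur = conn.execute("UPDATE pm_table_accounts SET password=? WHERE userid=?",
                       (stored, userid))
    conn.commit()
    return cur.rowcount == 1
```

`query_for_map` is kept only to show the exception text from the stack trace above; `security_questions` is the shape a multi-question lookup needs. The `rowcount` check is the cheap guard against the second symptom: a misspelled column or a WHERE clause that matches nothing is reported as a failed change instead of a successful audit entry.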


Re: [cas-user] Re: Password Management Assistance

2017-07-06 Thread William Jojo
Thank you, Misagh. I am looking at the code tree at
https://github.com/apereo/cas/blob/master/support/cas-server-support-pm/src/main/java/org/apereo/cas/pm/.
Again, at the moment, I am attempting to trigger the basic PM
functionality, then I can determine the injection point. If my attempt is
worthy, I am happy to contribute it to CAS.

Bill

On Wed, Jul 5, 2017 at 4:52 PM, Misagh Moayyed 
wrote:

>
>>
>> My question is whether the user can reset their password in LDAP (as
>> Active Directory), but have the question answers come from Oracle (JDBC)?
>> My request is a sharing of a config that does basic Password Reset through
>> CAS.
>>
>
>
> No. Sources are assumed to be the same. You're welcome however to design
> your own component and inject it into CAS and that would know how to handle
> each operation per source type.
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOGev1gc%3DYifzGBe%2BFOPewHcpCEjUdZvxxAnnkE_TptjWMgEJQ%40mail.gmail.com.


[cas-user] Password Management Assistance

2017-07-04 Thread William Jojo
First, I thank all of those who contribute to CAS, to the user community
and to the online docs/how-to's which have enlightened my knowledge thus
far. CAS has been a wonderful SSO tool at our college.

Second, I have both a question and request from the community. Currently we
face having to use a product from a less than stellar vendor unless I can
get the Password Management feature of CAS working to our need.

My question is whether the user can reset their password in LDAP (as Active
Directory), but have the question answers come from Oracle (JDBC)? My
request is a sharing of a config that does basic Password Reset through CAS.

I am unable to get a basic model working. While I love and understand the
documentation provided, it seems to go in a circle of Password Management
to CAS properties back to Password Management. I would be deeply grateful
for any clues.

Our development install is 5.1.1 on Tomcat. Thank you all!

Bill

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOGev1hBj0E9ziB4td1EXE%3D-DXX5vbzpn1rubLBYUOUBwR7Brg%40mail.gmail.com.


[cas-user] Shib CAS and converting the ticket to a saml assertion

2017-05-12 Thread William Brant
I have the following environment:

1.  CAS server 3.51 
2.  Shibboleth 3.x server
3.  implemented shibcas to force authentication from the Shibboleth server 
to the CAS server.

I have been able to set up and install CAS 3.5.1, Shibboleth 3.x and 
implemented shibcas to use the existing 3.51 for username/password 
authentication (needed for a legacy app), and it all seems to work pretty 
well, but I am missing how to convert the CAS tickets to a SAML 2.0 
assertion.

Can someone help? Have I missed something obvious?

-Bill

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9e38ea20-f2e8-4845-9f92-34f42072be58%40apereo.org.


Re: [cas-user] Can application get TGT ticket?

2016-11-01 Thread William G. Thompson, Jr.
You should take a look at Proxy Granting Tickets, which allow an
application to securely call another app on behalf of a user.

http://stackoverflow.com/questions/6368358/restful-cas-client-and-proxy-granting-tickets
https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough

Best,
Bill


On Tue, Nov 1, 2016 at 3:22 PM, Yan Zhou  wrote:
> Hello,
>
> The CAS protocol does not let the apps (CAS clients) get the TGT ticket. We have a
> need for that.
>
> We have two web apps, both are CASified in CAS 4.1.X. One web app has an
> AngularJS (JavaScript) front end, and the other web app is UI-less, it just
> offers REST services.
>
> JavaScript code in App A wants to call a REST API in App B.  We ran into
> problems with CORS, etc. But even after CORS is enabled, we still run into
> trouble.
>
> So the thought is, if the JavaScript code can get hold of the TGT after the user logs in
> to app A, then the JS code can use the CAS REST API to authenticate against
> the 2nd app (the UI-less REST services).
>
> Is that a bad idea, and how is that possible?
>
> Yan
>

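The proxy flow Bill points to ends with the proxied service calling /proxyValidate and reading the XML response, which carries the user, the PGT IOU (the PGT itself is delivered to the pgtUrl callback) and the chain of proxies the ticket passed through. The following parser and allow-list check are an added example, not code from the thread or from the CAS project: the response documents are constructed, their shape follows the CAS protocol (namespace http://www.yale.edu/tp/cas), and the allow-list of proxy callback URLs is an assumed local policy of the kind a CAS client enforces before it trusts a proxy ticket.

```python
"""Parse a CAS serviceValidate/proxyValidate XML response and check the proxy chain.

Added example; not code from the thread or from the CAS project. The response
documents below are constructed; their shape follows the CAS protocol
(namespace http://www.yale.edu/tp/cas). The allow-list of proxy callback URLs
is an assumed local policy.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


@dataclass
class ValidationResult:
    ok: bool
    user: Optional[str] = None
    pgt_iou: Optional[str] = None          # only the IOU; the PGT itself arrives at the pgtUrl callback
    proxies: List[str] = field(default_factory=list)  # proxy chain, most recent proxy first
    error_code: Optional[str] = None
    error_msg: Optional[str] = None


def parse_cas_response(xml_text: str) -> ValidationResult:
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return ValidationResult(ok=False, error_code=failure.get("code"),
                                error_msg=(failure.text or "").strip())
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("response has neither authenticationSuccess nor authenticationFailure")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    if not user:
        raise ValueError("authenticationSuccess without cas:user")
    pgt_iou = success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS)
    proxies = [p.text.strip() for p in success.findall("cas:proxies/cas:proxy", CAS_NS) if p.text]
    return ValidationResult(ok=True, user=user.strip(), pgt_iou=pgt_iou, proxies=proxies)


def accept(result: ValidationResult, allowed_proxies) -> bool:
    """A ticket is accepted only if validation succeeded and every proxy in the
    chain is on the allow-list. An empty chain is a direct service ticket."""
    return result.ok and all(p in allowed_proxies for p in result.proxies)


# Constructed sample responses.
PROXY_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-example-1234</cas:proxyGrantingTicket>
    <cas:proxies>
      <cas:proxy>https://app-a.example.org/proxyUrl</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket PT-example-not-recognized not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    r = parse_cas_response(PROXY_SUCCESS)
    print(r.user, r.proxies, accept(r, {"https://app-a.example.org/proxyUrl"}))
    print(parse_cas_response(FAILURE).error_code)
```

The allow-list is the part that matters for Yan's scenario: App B should only honour proxy tickets whose chain consists of callback URLs it already trusts (App A's), so a third CAS-registered service cannot act on a user's behalf against B just because it obtained a PGT.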


Re: [cas-user] Logging in with LDAP but return attributes from Mysql

2016-09-14 Thread William G. Thompson, Jr.
All things are possible with CAS. :)

https://apereo.github.io/cas/4.2.x/integration/Attribute-Resolution.html



On Wed, Sep 14, 2016 at 9:17 AM, Toni McWild  wrote:
> Hi guys,
> I have deployed a 4.2 CAS server for my company but now we are facing a
> problem.
>
> Our principal handler is an LDAP, but the way our LDAP server is implemented
> doesn't allow storing every group that a specific user belongs to.
>
> I mean, for user "toni" I can log in, I can get the main group that "toni"
> belongs to, but our LDAP doesn't have a field similar to
> "GroupsAUserBelongsTo".
> Our LDAP works the other way around: for group "Management" there is a list
> of users that belong to this group.
>
> Anyway, I've got a MySQL DDBB that I can ask to get the groups a user
> belongs to.
>
> So my question is:
>
> Is there any way I can merge both systems? LDAP authentication but right
> after the authentication it goes to MySQL and asks for the groups that a user
> belongs to.
>
> Thanks a lot!
>

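The pattern Toni asks for, authenticate in one system and resolve attributes in another, is shown below as an added example; it is not CAS code and not the attribute-resolution mechanism the linked page documents. The LDAP bind is a constructed stub (a dict in place of the directory) and the MySQL side is an in-memory sqlite3 table with constructed rows, so the block runs offline. LDAP alone decides whether the credentials are valid, the SQL table only supplies the memberOf attribute, and the merged principal never carries the password.

```python
"""Authenticate against one source, then resolve group attributes from another.

Added example; not CAS code. FAKE_LDAP is a constructed stand-in for the
directory, and open_group_db() builds a constructed in-memory sqlite3 table in
place of the MySQL one.
"""
import hmac
import sqlite3

# Constructed stand-in for the directory: uid -> password and LDAP attributes.
FAKE_LDAP = {
    "toni": {"password": "s3cret", "mail": "toni@example.org", "primaryGroup": "IT"},
}


def ldap_bind(uid, password):
    """Return the LDAP attributes on a successful bind, None otherwise."""
    entry = FAKE_LDAP.get(uid)
    if entry is None or not hmac.compare_digest(entry["password"], password):
        return None
    return {k: v for k, v in entry.items() if k != "password"}


def open_group_db():
    """In-memory table standing in for the MySQL 'which groups is this user in' query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_groups (uid TEXT NOT NULL, grp TEXT NOT NULL)")
    conn.executemany("INSERT INTO user_groups VALUES (?, ?)",
                     [("toni", "Management"), ("toni", "IT"), ("ana", "HR")])  # constructed rows
    return conn


def resolve_groups(conn, uid):
    # Parameterised query: the uid comes from the login form, never format it into SQL.
    rows = conn.execute("SELECT grp FROM user_groups WHERE uid = ? ORDER BY grp", (uid,))
    return [r[0] for r in rows]


def authenticate_and_resolve(conn, uid, password):
    """LDAP authenticates; SQL only adds attributes to the resulting principal."""
    attrs = ldap_bind(uid, password)
    if attrs is None:
        return None
    attrs["memberOf"] = resolve_groups(conn, uid)
    return {"id": uid, "attributes": attrs}


if __name__ == "__main__":
    db = open_group_db()
    print(authenticate_and_resolve(db, "toni", "s3cret"))
```

Note that a user who exists only in the group table ("ana" above) is never authenticated: group membership is an attribute, not a credential, and the resolver must not be reachable before the bind succeeds.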


[cas-user] CAS Performance Test Scripts

2016-09-12 Thread William
Just FYI,

I committed a JMeter script (multi-level-proxy.jmx) that is the equivalent 
of the Multi-Level Proxy test defined here: 

1) https://wiki.jasig.org/display/CAS/CAS+Functional+Tests

2) 
https://github.com/cas-projects/cas-functional-tests/blob/master/src/test/groovy/org/jasig/cas/test/validation/MultiLevelProxySpec.groovy

The plan is to build an entire suite of performance test scripts for load 
testing.

I know the GA for CAS 5 is coming soon.  My plan is to run load tests 
against CAS 5 and post the results back.




Re: [cas-user] How to combine LDAP and static users from a file

2016-09-08 Thread William G. Thompson, Jr.
> 2016-09-08 16:25:21,599 ERROR
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
>  not open ServletContext resource [/etc/cas/local-users.properties])>

Read permissions on /etc/cas/local-users.properties?


On Thu, Sep 8, 2016 at 10:32 AM, Josep Manel Andrés <josep.and...@bsc.es> wrote:
> Hi Willian,
> Great! It kind of worked :)
> I have put this in the authenticationManager Bean:
>
>  class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
> 
> 
>  value-ref="proxyPrincipalResolver" />
>  />
> 
> 
> 
>
>
> And this before ldapAuthenticationHandler:
>
>  
> class="org.jasig.cas.adaptors.generic.FileAuthenticationHandler"
> p:fileName="/etc/cas/local-users.properties" />
>
>
>
>
> But now I am getting this error:
>
> 2016-09-08 16:25:21,599 INFO
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
> 
> 2016-09-08 16:25:21,599 ERROR
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
>  not open ServletContext resource [/etc/cas/local-users.properties])>
>
>
> Any hint?
>
> Cheers.
>
>
>
> On 08/09/16 13:58, William G. Thompson, Jr. wrote:
>>
>> Yes, with CAS all things are possible. :)
>>
>> AuthN handlers can be changed so you can have both.  Something like
>> this would work. You'll need to make sure your usernames don't
>> overlap.
>>
>>  >
>> class="org.jasig.cas.adaptors.generic.FileAuthenticationHandler"
>>  p:fileName="/path/to/local-users.properties" />
>>
>>  >
>> class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
>>  p:contextSource-ref="ldapAuthContext"
>>  />
>>
>> Also see
>> https://apereo.github.io/cas/4.1.x/installation/Whitelist-Authentication.html
>>
>> Best,
>> Bill
>>
>>
>>
>> On Thu, Sep 8, 2016 at 4:45 AM, Josep Manel Andrés <josep.and...@bsc.es>
>> wrote:
>>>
>>> Hi all,
>>> We've got a CAS server for our systems with an LDAP backend, which works
>>> great, but we have a special case in which an app needs to be able to
>>> login
>>> with root account, but this is not on the LDAP.
>>>
>>> So my question is how it's possible to combine both systems, LDAP login
>>> and
>>> a username and password for root account only. I would like to keep it
>>> simple.
>>>
>>> Best regards.
>>>
>>> --
>>> Josep Manel Andrés (josep.and...@bsc.es)
>>> Operations - Barcelona Supercomputing Center
>>> C/ Jordi Girona, 31  http://www.bsc.es
>>> 08034 Barcelona, Spain Tel: +34-93-405 42 14
>>> e-mail: syst...@bsc.es Fax: +34-93-413 77 21
>>> ---
>>>
>
>
> --
> Josep Manel Andrés (josep.and...@bsc.es)
> Operations - Barcelona Supercomputing Center
> C/ Jordi Girona, 31  http://www.bsc.es
> 08034 Barcelona, Spain Tel: +34-93-40

Re: [cas-user] How to combine LDAP and static users from a file

2016-09-08 Thread William G. Thompson, Jr.
Yes, with CAS all things are possible. :)

AuthN handlers can be changed so you can have both.  Something like
this would work. You'll need to make sure your usernames don't
overlap.





Also see 
https://apereo.github.io/cas/4.1.x/installation/Whitelist-Authentication.html

Best,
Bill



On Thu, Sep 8, 2016 at 4:45 AM, Josep Manel Andrés  wrote:
> Hi all,
> We've got a CAS server for our systems with an LDAP backend, which works
> great, but we have a special case in which an app needs to be able to login
> with root account, but this is not on the LDAP.
>
> So my question is how it's possible to combine both systems, LDAP login and
> a username and password for root account only. I would like to keep it
> simple.
>
> Best regards.
>
> --
> Josep Manel Andrés (josep.and...@bsc.es)
> Operations - Barcelona Supercomputing Center
> C/ Jordi Girona, 31  http://www.bsc.es
> 08034 Barcelona, Spain Tel: +34-93-405 42 14
> e-mail: syst...@bsc.es Fax: +34-93-413 77 21
> ---
>

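Bill's reply describes chaining a file-backed handler in front of the LDAP one, and the thread then runs into the two things that go wrong with that setup: the users file must be readable by the CAS process, and the usernames in the file must not overlap with the directory. The following model is an added example, not CAS code: the file format (one `username::password` line, `::` as separator) is the FileAuthenticationHandler default as I recall it and should be verified against your CAS version, the LDAP handler is a constructed stub, and the any-success policy mirrors what the thread describes, the first handler that accepts the credentials wins.

```python
"""Chaining a file-backed handler in front of LDAP, with the readability and
username-overlap checks this thread runs into.

Added example; not CAS code. The users-file format is assumed to be one
'username::password' per line; StubLdapHandler is a constructed stand-in for
the LDAP bind handler.
"""
import hmac
import os
import tempfile


class FileAuthenticationHandler:
    def __init__(self, path, separator="::"):
        self.path = path
        self.separator = separator

    def load(self):
        # The 'could not open ServletContext resource' error in the thread is the
        # unreadable-file case; fail loudly rather than silently knowing no users.
        if not os.access(self.path, os.R_OK):
            raise PermissionError(f"{self.path} is not readable by this process")
        users = {}
        with open(self.path, encoding="utf-8") as fh:
            for line in fh:
                line = line.strip()
                if not line or line.startswith("#"):
                    continue
                user, sep, password = line.partition(self.separator)
                if sep:
                    users[user] = password
        return users

    def authenticate(self, username, password):
        stored = self.load().get(username)
        return stored is not None and hmac.compare_digest(stored, password)


class StubLdapHandler:
    """Stand-in for BindLdapAuthenticationHandler: a dict instead of a directory."""
    def __init__(self, directory):
        self.directory = directory

    def authenticate(self, username, password):
        stored = self.directory.get(username)
        return stored is not None and hmac.compare_digest(stored, password)


def authenticate_any(handlers, username, password):
    """Any-success policy: name of the first handler that accepts the credentials, else None."""
    for handler in handlers:
        if handler.authenticate(username, password):
            return type(handler).__name__
    return None


def overlapping_usernames(file_handler, ldap_handler):
    """Usernames present in both sources. Under an any-success policy each of
    those accounts would have two valid passwords, so this must be empty."""
    return sorted(set(file_handler.load()) & set(ldap_handler.directory))


def write_users_file(lines):
    """Write a constructed users file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".properties")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600)  # the file holds credentials: owner-readable only
    return path


if __name__ == "__main__":
    users = write_users_file(["# local accounts", "root::toor"])
    chain = [FileAuthenticationHandler(users), StubLdapHandler({"alice": "wonderland"})]
    print(authenticate_any(chain, "root", "toor"), overlapping_usernames(chain[0], chain[1]))
```

The overlap check is the reason behind "make sure your usernames don't overlap": with a file entry for an account that also exists in LDAP, either password logs that account in, and the file copy is the one nobody rotates. Run the check at startup, or whenever the file changes, rather than trusting that it was true at deployment time.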


[cas-user] Using Proxy Granting Tickets With the Ignite and Hazelcast Ticket Registries

2016-08-29 Thread William
This thread is regarding CAS 4.2.x (and probably CAS 5.0 as well, but I did not 
verify).

I noticed with the ticket registry implementations that when a 
ProxyGrantingTicket is created with 
org.jasig.cas.ticket.ServiceTicketImpl's "grantProxyGrantingTicket(String, 
Authentication, ExpirationPolicy)", the PGT is added back into the 
TGT's Set of proxyGrantingTickets:


...

   getGrantingTicket().getProxyGrantingTickets().add(pgt);

...


For some reason, with the Hazelcast and Ignite ticket registries 
(org.jasig.cas.ticket.registry.HazelcastTicketRegistry and 
org.jasig.cas.ticket.registry.IgniteTicketRegistry), the Proxy Granting 
Tickets are not staying in the set of proxyGrantingTickets that is in 
org.jasig.cas.ticket.TicketGrantingTicketImpl when the Proxy Granting 
Ticket is generated.  This happens when the TGT is retrieved from the cache.


This does not happen with the EHCache, Infinispan, Memcached, 
and Distributed Ticket Registry implementations.


The reason this is an issue is that I am updating unit tests to push into 
the 4.2.5-SNAPSHOT build.


Test scenario:


1) Use either the org.jasig.cas.ticket.registry.IgniteTicketRegistryTests 
or org.jasig.cas.ticket.registry.HazelcastTicketRegistryTests.

2) Look at the verifyDeleteTicketWithPGT as a sample.

3) Create a TGT that never expires and add it to the registry.

4) Create a Service Ticket off the TGT that never expires and add it to the 
registry.

5) Create a PGT by calling the Service Ticket's grantProxyGrantingTicket

6) Delete the TGT.

7) Verify the Service Ticket is deleted (this passed in my case).

8) Verify the PGT is deleted (this fails in my case for the Hazelcast and 
Ignite ticket registries).

 

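The symptom in this post, a PGT that is in the TGT's set right after grantProxyGrantingTicket but missing once the TGT comes back from the cache, is what you get when the registry stores serialized copies: every get deserializes a fresh object, so mutating the TGT reached through the service ticket changes nothing in the cache unless the TGT is written back. The model below is an added example, not CAS code and not a claim about where the CAS 4.2.x fix belongs. It runs the test scenario above (steps 3 to 8) against an in-process registry and against a copy-on-read one, with and without the write-back; ticket ids are constructed.

```python
"""Why a PGT can drop out of its TGT when the registry stores serialized copies.

Added example; not CAS code. InMemoryRegistry hands back the stored object
itself; SerializingRegistry keeps pickled bytes and deserializes on every get,
the way distributed caches such as Hazelcast and Ignite behave.
"""
import pickle


class Ticket:
    def __init__(self, tid, kind, parent_id=None):
        self.id = tid
        self.kind = kind              # "TGT", "ST" or "PGT"
        self.parent_id = parent_id    # the granting ticket
        self.st_ids = set()           # children, only meaningful on a TGT
        self.pgt_ids = set()


class InMemoryRegistry:
    """Returns the very object that was stored: mutations are visible immediately."""
    def __init__(self):
        self._store = {}

    def add(self, ticket):
        self._store[ticket.id] = ticket

    def get(self, tid):
        return self._store.get(tid)

    def update(self, ticket):
        self.add(ticket)

    def delete(self, tid):
        self._store.pop(tid, None)


class SerializingRegistry(InMemoryRegistry):
    """Stores bytes and deserializes on get, like a distributed cache: every get
    is a fresh copy, so mutating it without update() changes nothing."""
    def add(self, ticket):
        self._store[ticket.id] = pickle.dumps(ticket)

    def get(self, tid):
        blob = self._store.get(tid)
        return None if blob is None else pickle.loads(blob)


def grant_pgt(registry, st_id, pgt_id, write_back):
    """Mirror of ServiceTicketImpl.grantProxyGrantingTicket: the PGT is added to
    the TGT object reached through the service ticket."""
    st = registry.get(st_id)
    tgt = registry.get(st.parent_id)
    tgt.pgt_ids.add(pgt_id)
    registry.add(Ticket(pgt_id, "PGT", tgt.id))
    if write_back:
        registry.update(tgt)      # the step a copy-on-read registry needs
    return tgt


def delete_tgt_cascade(registry, tgt_id):
    """Delete a TGT and every ticket it granted, following the TGT's own child sets."""
    tgt = registry.get(tgt_id)
    children = list(tgt.st_ids | tgt.pgt_ids)
    for child in children:
        registry.delete(child)
    registry.delete(tgt_id)
    return len(children) + 1


def scenario(registry, write_back):
    """Steps 3-8 of the thread's test; returns (st_deleted, pgt_deleted)."""
    tgt = Ticket("TGT-1", "TGT")
    registry.add(tgt)
    tgt.st_ids.add("ST-1")
    registry.update(tgt)
    registry.add(Ticket("ST-1", "ST", "TGT-1"))
    grant_pgt(registry, "ST-1", "PGT-1", write_back)
    delete_tgt_cascade(registry, "TGT-1")
    return registry.get("ST-1") is None, registry.get("PGT-1") is None


if __name__ == "__main__":
    print(scenario(InMemoryRegistry(), write_back=False))
    print(scenario(SerializingRegistry(), write_back=False))
    print(scenario(SerializingRegistry(), write_back=True))
```

The security consequence is the one the failing step 8 points at: a PGT that the TGT no longer knows about survives the user's logout or TGT expiry and keeps granting proxy tickets until its own expiration policy removes it.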


Re: [cas-user] Re: CAS-Server SSO - Proxying a valid scenario?

2016-08-24 Thread William G. Thompson, Jr.
Yes, CAS server supports gateway natively as part of the CAS Protocol
spec...no special config needed on the server.

On Wed, Aug 24, 2016 at 1:12 PM, Mark  wrote:
> Thanks again, I think I'm starting to get the picture :-)
>
> Am I correct if I say that the CAS-Server itself does not need any extra /
> special configuration for gateway-ing because all relevant stuff is done in
> the client?
>



Re: [cas-user] Updated CAS Functional Tests For CAS 4/5

2016-08-24 Thread William
Misagh and Dmitriy,

I know everyone is really busy, but when you get a chance let me know if 
there is anything you do not like about the functional tests.

The one item I wanted to address was trying to start an embedded container 
with cas-server-webapp, cas-management-webapp, and a small client web app 
(protected-web-app), but it does not appear there is an easy way to 
start multiple web apps within Spring Boot.  I have found some blog 
articles on it (
http://www.davidtanzer.net/running_multiple_spring_boot_apps_in_the_same_jvm), 
but there does not appear to be a straightforward way to accomplish this.

I like the way Gretty allows you to do that using farms.  I just wish 
Spring Boot had a way of doing that as well.

Thank you,

Bill Crowell



Re: [cas-user] Possible Bug With Proxy Tickets In CAS 5.0.0.RC1-SNAPSHOT

2016-08-23 Thread William
Misagh,

It could be an issue with the test, but it would seem that the same test 
would fail in CAS 4.2.x.

Here is the sequence of steps:

1) Post a user name and password to /cas/v1/tickets and get a Ticket 
Granting Ticket.

2) Post the Ticket Granting Ticket and registered service you want to 
access (in this case "/protected-web-app") to "/cas/v1/tickets/" where 
TGT is the Ticket Granting Ticket and obtain a Service Ticket.

3) Send a GET request to "/cas/serviceValidate" containing the service to 
access, the Service Ticket, and the proxy URL of the service (in this case 
"/protected-web-app/proxyUrl" which is the CAS client).  A Proxy Granting 
Ticket IOU will be issued.

4) Send a GET request to the proxy URL of the service (in this case 
"/protected-web-app/proxyUrl" which is the CAS client) and get a Proxy 
Granting Ticket.

5) Send a GET request to "/cas/proxy" containing the Proxy Granting Ticket 
and get a one-time use Proxy Ticket.

6) Send a GET request to "/cas/proxyValidate" containing the service to 
access (in this case "/protected-web-app"), the Proxy Ticket, and the proxy 
URL (in this case "/protected-web-app/proxyUrl" which is the CAS client). 
 You should get the corresponding Proxy Granting Ticket and proxy URL that 
was issued for this Proxy Ticket.

Step 6 is where it fails and says the Proxy Ticket was already used.  

I will look into this a bit more, but I am confused why this would work in 
CAS 4.2.x.

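Step 6 fails with "already used", which is the MultiTimeUseOrTimeoutExpirationPolicy decision the debug line in the original post comes from. The model below is an added example, not CAS code: a ticket is expired once it has been used its allowed number of times or has gone unused longer than its time-to-kill, and validation counts a use, so a proxy ticket validates exactly once. The last function reproduces the symptom in this thread, a ticket rejected on its first validation, which is what any extra use counted before validation produces; the thread does not establish what caused it in CAS 5, so that stray count is a constructed stand-in, not the actual defect. Ticket ids and clock values are constructed.

```python
"""One-time-use proxy and service tickets: a model of the
MultiTimeUseOrTimeoutExpirationPolicy behaviour behind 'already used'.

Added example; not CAS code. first_validation_after_spurious_use() is a
constructed illustration of the symptom, not the cause found in CAS 5.
"""
from dataclasses import dataclass


@dataclass
class MultiTimeUseOrTimeoutExpirationPolicy:
    number_of_uses: int
    time_to_kill_seconds: float

    def is_expired(self, ticket, now):
        return (ticket.times_used >= self.number_of_uses
                or now - ticket.last_time_used > self.time_to_kill_seconds)


class Ticket:
    def __init__(self, tid, policy, now):
        self.id = tid
        self.policy = policy
        self.times_used = 0
        self.last_time_used = now   # creation counts as the last activity

    def count_uses(self, now):
        self.times_used += 1
        self.last_time_used = now


# Service and proxy tickets: a single validation within a short window.
ONE_TIME_USE = MultiTimeUseOrTimeoutExpirationPolicy(number_of_uses=1, time_to_kill_seconds=10.0)


class Registry:
    def __init__(self):
        self._tickets = {}

    def add(self, ticket):
        self._tickets[ticket.id] = ticket

    def get(self, tid):
        return self._tickets.get(tid)

    def delete(self, tid):
        self._tickets.pop(tid, None)


def validate(registry, tid, now):
    """What /serviceValidate or /proxyValidate does with the ticket: reject
    unknown or expired tickets (removing the expired one), else count the use."""
    ticket = registry.get(tid)
    if ticket is None:
        return False, "INVALID_TICKET: not recognized"
    if ticket.policy.is_expired(ticket, now):
        registry.delete(tid)
        return False, "INVALID_TICKET: already used or expired"
    ticket.count_uses(now)
    return True, "OK"


def first_validation_after_spurious_use(now):
    """Constructed failure mode: something counted a use before validation."""
    reg = Registry()
    pt = Ticket("PT-2", ONE_TIME_USE, now)
    reg.add(pt)
    pt.count_uses(now)          # the stray use
    return validate(reg, "PT-2", now + 1)


if __name__ == "__main__":
    reg = Registry()
    reg.add(Ticket("PT-1", ONE_TIME_USE, 1000.0))
    print(validate(reg, "PT-1", 1001.0))   # first use succeeds
    print(validate(reg, "PT-1", 1002.0))   # second use is rejected
    print(first_validation_after_spurious_use(1000.0))
```

When debugging a report like this one, compare times_used on the ticket as it leaves /proxy with its value as it arrives at /proxyValidate: a ticket that is already at its use limit before the validating request reaches it tells you the extra count happened on the server side, not in the client.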


[cas-user] Possible Bug With Proxy Tickets In CAS 5.0.0.RC1-SNAPSHOT

2016-08-22 Thread William
I am running the following test on the latest CAS 5.0.0.RC1-SNAPSHOT build: 
https://github.com/wcrowell/cas-functional-tests/blob/5.0.x/src/test/groovy/org/apereo/cas/test/validation/MultiLevelProxySpec.groovy

I have run this test successfully against CAS 4.2.2, 4.2.4, 4.2.5-SNAPSHOT.

This test generates proxy tickets to access a really simple web app called 
protected-web-app which is a CAS client.

I noticed a behavior where I cannot use a ProxyTicket after submitting a 
ProxyGrantingTicket to the "/proxy" endpoint.  

For some reason CAS thinks it has already been used:

2016-08-22 16:06:44,947 DEBUG 
[org.apereo.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy] - 


and then it removes it:

2016-08-22 16:06:44,947 DEBUG 
[org.apereo.cas.ticket.registry.DefaultTicketRegistry] - 


I am not able to attach files in Google Groups for some reason.  Therefore, 
here is the link to the log: 
https://raw.githubusercontent.com/wcrowell/cas-functional-tests/5.0.x/logs/catalina.out

Did something change in CAS 5 with the ticket usage for Proxy Tickets or is 
this potentially a bug?

Thank you.



Re: [cas-user] [CAS_USER] [HELP SAML]

2016-08-21 Thread William G. Thompson, Jr.
Try https://addons.mozilla.org/en-US/firefox/addon/sso-tracer/


On Sun, Aug 21, 2016 at 12:07 AM, Bima Sakti Krisdianto
<12.7...@stis.ac.id> wrote:
> guys, I want to use the SAML protocol on my CAS. I'm already following the instructions.
> All dummy clients work as usual, but how do I know that the auth protocol used is
> SAML, not the CAS protocol?
>



Re: [cas-user] CAS-Server SSO - Proxying a valid scenario?

2016-08-21 Thread William G. Thompson, Jr.
Yes, proxy tickets are designed to allow a service to call another
service on behalf of a user, so that is not what you are looking for.

In order to achieve the SSO behavior from Website A to Website B you
can use gateway mode on the homepage of B. This will check to see if
there is a CAS SSO session, and if so issue a ST for B and log the
user in.  Another approach would be to have the URL in A go to a CAS
protected URL at B, which should also initiated login.

https://wiki.jasig.org/display/CAS/gateway

Best,
Bill


On Sun, Aug 21, 2016 at 3:14 AM, Mark  wrote:
> I'm currently trying to figure out whether or not the following scenario can
> be done with a CAS-Server setup:
>
>  - Suppose I've got 3 websites / apps (A, B, C)
>  - All three are set up (via plugins) so that their login systems use the
> CAS-Server (already working fine)
>
> To me this seems like rather basic CAS stuff. Now two more advanced
> "problems":
>
>  - After I've logged in to Website A and I open Website B I'm not already
> logged in but I have to click "Login" again. I guess that's because CAS
> issues the login and cookies based on the individual service that called it
> and there's no way one can be auto-logged in to all sites connected to the
> CAS login once you've logged in to the first site?
>  - Is ticket proxying a way to achieve this? As far as I understood,
> proxying tickets would mean that (in my example) A on login also asks CAS
> for a proxy ticket for B which A would present to B upon calling something
> like a web service at B. Which would rule out proxying for my scenario.
>

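Bill's two replies in this thread (here and in the "Re: CAS-Server SSO" follow-up above) say gateway mode is entirely client-side: B's homepage redirects to CAS with gateway=true, and CAS either sends the browser back with a service ticket (an SSO session exists) or back without one (no session), in which case the page is served anonymously. The decision logic below is an added example, not code from the thread or from any CAS client library: the "gatewayed" marker kept in the session is the loop guard a client needs so that the ticketless return does not trigger another redirect, and the CAS login URL and request URLs are constructed.

```python
"""Client-side decision logic for CAS gateway mode.

Added example; not code from the thread or from a CAS client library.
CAS_LOGIN_URL and the request URLs are constructed; the 'gatewayed' session
marker is the assumed loop guard.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit

CAS_LOGIN_URL = "https://cas.example.org/cas/login"  # constructed


def service_url(request_url):
    """The service parameter must be the page itself, without any ticket and fragment."""
    parts = urlsplit(request_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "ticket"]
    return parts._replace(query=urlencode(query), fragment="").geturl()


def build_login_url(service, gateway=False, renew=False):
    if gateway and renew:
        raise ValueError("gateway and renew are mutually exclusive in the CAS protocol")
    params = {"service": service}
    if gateway:
        params["gateway"] = "true"
    if renew:
        params["renew"] = "true"
    return f"{CAS_LOGIN_URL}?{urlencode(params)}"


def decide(request_url, session):
    """One request on a gateway-protected page. Returns one of
    ('validate', ticket), ('redirect', login_url) or ('anonymous', None)."""
    params = dict(parse_qsl(urlsplit(request_url).query))
    if "ticket" in params:
        session.pop("gatewayed", None)       # a ticket came back: an SSO session exists
        return "validate", params["ticket"]
    if session.get("gatewayed"):
        session.pop("gatewayed", None)       # CAS bounced us back ticketless: no session, don't loop
        return "anonymous", None
    session["gatewayed"] = True
    return "redirect", build_login_url(service_url(request_url), gateway=True)


if __name__ == "__main__":
    s = {}
    print(decide("https://b.example.org/home", s))                 # redirect with gateway=true
    print(decide("https://b.example.org/home", s))                 # came back ticketless: anonymous
    print(decide("https://b.example.org/home?ticket=ST-1", s))     # came back with a ticket
```

The 'validate' branch still has to call /serviceValidate with the same service value that was sent to /login; the ticket in the URL proves nothing by itself, and a page that shows logged-in content on the strength of the parameter alone is the classic gateway-mode mistake.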


Re: [cas-user] New to CAS, new to Apereo

2016-08-12 Thread William G. Thompson, Jr.
We have a similar deployment but are moving to nginx+ as the
front-end instead of apache+mod_jk. This should give us the ability to
bring backend Tomcat/CAS nodes in and out of production without a
service outage. We are also running with a JSON-backed service
registry, instead of pulling in JPA/RDBMS dependencies.

CAS3 has been rock solid for more than 10 years, but I'm looking
forward to moving to CAS5 with MFA support and simplifying our
deployment configuration even more thanks to Misagh.

Best,
Bill


On Fri, Aug 12, 2016 at 4:08 AM, Philippe MARASSE
 wrote:
> Hello,
>
> 1.
> Here we have about 1400 employees, our architecture is pretty simple : 2
> front servers sharing a virtual IP (active/passive, apache + mod_jk), 2 CAS
> applications servers (CAS v3.5, Clustered tomcat, EHCache ticket registry,
> JPA Service registry). It works like a charm since 2012.
>
> 2.
> Our servers run Debian 7/8. IMHO, OS doesn't matter as long as you use
> custom JVM for your CAS server.
>
> Regards.
>
>
> Le 11/08/2016 à 23:23, Hank Foss a écrit :
>
> Thanks, Misagh, much appreciated.
>
> It sounds like this will work quite well for us. Most of our web apps rely
> on LDAP authentication.
>
> Regarding architecture, hope you don't mind a couple of other questions:
>
>
> How many servers are in your CAS environment (presuming you recommend an HA
> environment) - e.g. 1 web server (Tomcat?) + 2 HA CAS ticketing servers
> Do you recommend RHEL for OS?
>
>
> Our user environment is about 12,000 (2,000 staff + 10,000 students) so I am
> trying to architect the CAS to support that.
>
>
> -Hank
>
> On Thursday, August 11, 2016 at 4:45:43 PM UTC-4, Misagh Moayyed wrote:
>>
>> If you mean CAS is going to provide you with an LDAP server, the answer is
>> no. AFAIK, that has never been the case. If you mean you wish to
>> authenticate via AD/LDAP and get access to your portal and other
>> CAS-protected apps, then it’s quite simple. Since the dawn of time, CAS has
>> supported LDAP/AD authentication. 90% of the deployments use that method of
>> authentication.
>>
>> --
>> Misagh
>> From: Hank Foss 
>> Reply: Hank Foss 
>> Date: August 11, 2016 at 1:38:35 PM
>> To: CAS Community 
>> Subject:  [cas-user] New to CAS, new to Apereo
>>
>>
>>
>> Hello,
>>
>> I'm brand new to CAS and Apereo, and am asking the best way to begin. We
>> are migrating our CAS from the cloud to on-premise as a cost savings
>> measure. This will likely save us $60+k annually, as the vendor is also
>> provides our portal.
>>
>> The externally hosted portal contains LDAP as well as CAS links. I
>> understand CAS 5 comes out this fall (October?) which offers LDAP support,
>> so I am on the fence a bit more. Since AD authentication drives many of our
>> authentication, I have been told that we will either need to use ADFS or
>> Shibboleth. The goal for this to be live is December of this year, so there
>> are learning curve, architecture, installation and customization components
>> of this project that all come into play.
>>
>> I built the Linux box, most current version of CentOS, but I believe being
>> an open source application that the support of at least the OS should
>> actually be a licensed RHEL instance.
>>
>> I'm technical, but this is uncharted territory  so suggestions, comments,
>> and criticism are all greatly welcome.
>>
>>
>> Thanks,
>> CAS-Newbie
>>
>
>
>
> --
> Philippe MARASSE
>
> Responsable pôle Infrastructures - DSIO
> Centre Hospitalier Henri Laborit
> CS 10587 - 370 avenue Jacques Cœur
> 86021 Poitiers Cedex
> Tel : 05.49.44.57.19
>

[cas-user] Re: [cas-announce] CAS Community Survey Results

2016-07-14 Thread William G. Thompson, Jr.
Misagh,

Excellent write-up! Thanks for organizing the survey and publishing the
results.  Very much looking forward to deploying CAS5 with MFA!

Best,
Bill


On Thu, Jul 14, 2016 at 3:01 PM, Misagh Moayyed  wrote:

> I have put together a blog post, reviewing the results of the recent CAS
> community survey:
>
> https://mmoayyed.github.io/2016/06/26/cas-survey-results/
>
> Thanks for participating.
>
> --
> Misagh
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Announcements" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-announce+unsubscr...@apereo.org.
> Visit this group at
> https://groups.google.com/a/apereo.org/group/cas-announce/.
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAPpkTuE3SrZKZ13BpOkU%2B1AkKvWXN3yr97YaAqWW9ke3j_o2yA%40mail.gmail.com.


Re: [cas-user] Minor Issue With CAS Functional Tests

2016-07-06 Thread William
Issue 1869 created for this issue:

*Destroying the TGT Does Not Remove the PGT #1869*
https://github.com/apereo/cas/issues/1869

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f881ae28-deaa-4c81-9c81-bf191de3b4f5%40apereo.org.


Re: [cas-user] Minor Issue With CAS Functional Tests

2016-07-05 Thread William
Good to hear!  Maybe I can take this a step further and track this down.  I
am getting more familiar with the code base every day.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/af9442b2-b861-4c48-a1fe-7aa74bed1f47%40apereo.org.

