[cas-user] One-to-many User mapping question in Delegated AuthN
Hi there,

CAS 6.6.x, delegated authN to an IdP, such as CAS delegating to an external IdP, when the user mapping is one-to-many. For historical reasons, one person may have multiple usernames across apps protected by the same CAS instance; these usernames map to the same username on the external IdP, thus one-to-many.

For instance, App A and B are protected by CAS, same person but two different usernames: jsmith on A, smithj on B. CAS provides authentication today. Tomorrow, CAS delegates authN to an external IdP, and this person already has username johnsmith on that external IdP. During login, he enters johnsmith and credential; after authentication and the response back to CAS as johnsmith, CAS needs to figure out whether the username is jsmith or smithj.

The ask is to present a UI and let the person select, as he would know best. It feels like a bad idea (as we are letting the user say who he is, but this is a migration and the user is already authenticated, and we fully trust that external IdP; it is the best user experience for backward compatibility). I cannot explain why this may be an insecure practice. Any thoughts?

thanks!
Yan

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0d9a90bc-720b-442a-b481-53611c4ce52en%40apereo.org.
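The security property behind the question above is where the candidate list comes from. If the two usernames are offered from a server-side link table keyed by the subject the trusted IdP just asserted, and the submitted choice is checked against that same table again, the user can only pick between accounts that are already linked to them; the exposure would come from letting the user type, or pick, any username at all. The Java class below is an added illustration of that shape; it is not CAS code and not CAS's delegated-authentication API, and the link table, the IdP subjects and the local usernames are constructed sample data.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Added example (not CAS code): after the external IdP has authenticated the
// user, only local usernames already linked to that IdP subject are offered,
// and the user's choice is re-validated server-side against the same table.
public final class LinkedAccountSelector {

    // Constructed sample data: IdP subject -> local usernames linked to it.
    static final Map<String, Set<String>> LINKS = Map.of(
        "johnsmith", Set.of("jsmith", "smithj"),
        "adoe", Set.of("adoe"));

    /** Candidates for the selection UI: only those linked server-side. */
    static List<String> candidatesFor(String idpSubject) {
        return List.copyOf(LINKS.getOrDefault(idpSubject, Set.of()));
    }

    /**
     * Resolves the local principal. idpSubject must come from the authenticated
     * delegated response held in the server-side session, never from the form;
     * chosen is the form value and is honoured only if it is in the candidate set.
     */
    static Optional<String> resolve(String idpSubject, String chosen) {
        Set<String> linked = LINKS.getOrDefault(idpSubject, Set.of());
        if (linked.isEmpty()) {
            return Optional.empty();                      // unknown subject: no local account
        }
        if (linked.size() == 1) {
            return Optional.of(linked.iterator().next()); // nothing to choose, skip the UI
        }
        if (chosen != null && linked.contains(chosen)) {
            return Optional.of(chosen);                   // a choice among the user's own accounts
        }
        return Optional.empty();                          // missing or tampered selection
    }

    public static void main(String[] args) {
        System.out.println("candidates for johnsmith: " + candidatesFor("johnsmith"));
        System.out.println("johnsmith picks smithj  : " + resolve("johnsmith", "smithj"));
        System.out.println("johnsmith picks admin   : " + resolve("johnsmith", "admin"));
        System.out.println("adoe, no selection      : " + resolve("adoe", null));
        System.out.println("unknown subject         : " + resolve("stranger", "jsmith"));
    }
}
```

The design point is that the selection form carries no authority of its own: the subject comes from the session established by the IdP response, the candidate set is derived from it on the server, and a value outside that set is rejected rather than trusted because the user is already authenticated.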
Re: [cas-user] Re: CAS7 bean creation override question
Here is what I found; is this a bug in the CAS source code? Reading this code, I declared my bean to override "jdbcPasswordChangeService", and that did Not work.

    class JdbcPasswordManagementConfiguration {
        static class JdbcPasswordManagementServiceConfiguration {
            @ConditionalOnMissingBean(name = "jdbcPasswordChangeService")
            public PasswordManagementService passwordChangeService(

because the framework is looking for a different name. Once I named my bean "passwordChangeService", it worked well. But I had to go through a lot of scratching-my-head and debugging in order to figure this out. I noted that such a naming inconsistency does not exist in the password-pm-rest and password-pm-ldap modules. I am hoping to create a unit test to demonstrate this as a bug to be fixed in the CAS 7.1.0 RC.

    public interface PasswordManagementService {
        String DEFAULT_BEAN_NAME = "passwordChangeService";

On Tuesday, May 7, 2024 at 6:53:14 PM UTC-4 Ray Bon wrote:
> Yan,
>
> Configuration classes are driven by spring. Perhaps this class runs before the debugger can connect to the [starting] app.
>
> For your Configuration class to be called, it needs to be added to
> src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports
>
> Ray
>
> On Mon, 2024-05-06 at 10:04 -0700, Yan Zhou wrote:
>
> My thought is that this bean (jdbcPasswordChangeService) is already created somehow, see below logs, but I do not know how to find out who created it. I set a breakpoint in the only occurrence of this bean definition, JdbcPasswordManagementConfiguration; the method does not appear invoked in the debugger.
>
> 2024-05-06 12:23:41,783 DEBUG [restartedMain] [org.springframework.beans.factory.support.DefaultListableBeanFactory] -
> <== i have my class re-defined this and breakpoint is invoked successfully
>
> 2024-05-06 12:23:41,804 DEBUG [restartedMain] [org.springframework.beans.factory.support.DefaultListableBeanFactory] -
> <== do Not know who created it.
>
> 2024-05-06 12:23:41,836 DEBUG [restartedMain] [org.springframework.beans.factory.support.DefaultListableBeanFactory] -
>
> any idea to find out who created this instance?
>
> On Monday, May 6, 2024 at 11:53:07 AM UTC-4 Yan Zhou wrote:
>
> Hi,
>
> CAS 7.1.0 overlay, I need to override the password change implementation, using my own PasswordManagementService.
>
> I basically want to provide my own impl. of JdbcPasswordManagementConfiguration. See below QuestCasConfiguration,
>
> also defined in META-INF/spring/...AutoImports
> org.apereo.cas.config.CasOverlayOverrideConfiguration
> org.apereo.cas.config.QuestCasConfiguration
>
> @EnableTransactionManagement(proxyTargetClass = false)
> @EnableConfigurationProperties(CasConfigurationProperties.class)
> @Configuration(value = "QuestCasConfiguration", proxyBeanMethods = false)
> public class QuestCasConfiguration {
>
>     @Bean(name = "jdbcPasswordChangeService")
>     public PasswordManagementService passwordChangeService(
>         ...
>         final PasswordHistoryService passwordHistoryService) {
>         return new QuestJdbcPasswordManagementService(passwordManagementCipherExecutor,
>             casProperties.getServer().getPrefix(), casProperties.getAuthn().getPm(),
>             jdbcPasswordManagementDataSource,
>             jdbcPasswordManagementTransactionTemplate, passwordHistoryService, encoder);
>         <=== this is Not called
>     }
>
>     @Bean(name = "jdbcPasswordManagementDataSource")
>     public DataSource jdbcPasswordManagementDataSource(final CasConfigurationProperties casProperties) {
>         return JpaBeans.newDataSource(casProperties.getAuthn().getJdbc().getQuery().get(0)); <=== this is called
>     }
> }
>
> the problem is that of the two bean methods, one (jdbcPasswordManagementDataSource) is called but the other (passwordChangeService) is not, not sure why. I set a breakpoint in my class to see how the code is invoked.
>
> This means passwordChangeService is already created somewhere else, but I cannot figure that out, either.
>
> I set a breakpoint in the CAS source code: JdbcPasswordManagementConfiguration; I do not see any method stopped during debug when CAS starts up.
>
> what did I miss? here are related logs
>
> 2024-05-06 10:49:55,104 DEBUG [restartedMain] [org.springframework.beans.factory.support.DefaultListableBeanFactory] - definition: replacing
[cas-user] Re: CAS7 bean creation override question
Finally figured this out. The bean seems incorrectly named in the CAS source code. I will see if I can submit a fix.

Yan

On Monday, May 6, 2024 at 9:49:45 PM UTC-4 Yan Zhou wrote:
> My thought is that this bean (jdbcPasswordChangeService) is already created somehow, see below logs, but I do not know how to find out who created it. I set a breakpoint in the only occurrence of this bean definition, JdbcPasswordManagementConfiguration; the method does not appear invoked in the debugger.
>
> 2024-05-06 12:23:41,783 DEBUG [restartedMain] [org.springframework.beans.factory.support.DefaultListableBeanFactory] -
> <== i have my class re-defined this and breakpoint is invoked successfully
>
> 2024-05-06 12:23:41,804 DEBUG [restartedMain] [org.springframework.beans.factory.support.DefaultListableBeanFactory] -
> <== do Not know who created it.
>
> 2024-05-06 12:23:41,836 DEBUG [restartedMain] [org.springframework.beans.factory.support.DefaultListableBeanFactory] -
>
> any idea to find out who created this instance?
>
> On Monday, May 6, 2024 at 11:53:07 AM UTC-4 Yan Zhou wrote:
>
>> Hi,
>>
>> CAS 7.1.0 overlay, I need to override the password change implementation, using my own PasswordManagementService.
>>
>> I basically want to provide my own impl. of JdbcPasswordManagementConfiguration. See below QuestCasConfiguration,
>>
>> also defined in META-INF/spring/...AutoImports
>> org.apereo.cas.config.CasOverlayOverrideConfiguration
>> org.apereo.cas.config.QuestCasConfiguration
>>
>> @EnableTransactionManagement(proxyTargetClass = false)
>> @EnableConfigurationProperties(CasConfigurationProperties.class)
>> @Configuration(value = "QuestCasConfiguration", proxyBeanMethods = false)
>> public class QuestCasConfiguration {
>>
>>     @Bean(name = "jdbcPasswordChangeService")
>>     public PasswordManagementService passwordChangeService(
>>         ...
>>         final PasswordHistoryService passwordHistoryService) {
>>         return new QuestJdbcPasswordManagementService(passwordManagementCipherExecutor,
>>             casProperties.getServer().getPrefix(), casProperties.getAuthn().getPm(),
>>             jdbcPasswordManagementDataSource,
>>             jdbcPasswordManagementTransactionTemplate, passwordHistoryService, encoder);
>>         <=== this is Not called
>>     }
>>
>>     @Bean(name = "jdbcPasswordManagementDataSource")
>>     public DataSource jdbcPasswordManagementDataSource(final CasConfigurationProperties casProperties) {
>>         return JpaBeans.newDataSource(casProperties.getAuthn().getJdbc().getQuery().get(0)); <=== this is called
>>     }
>> }
>>
>> the problem is that of the two bean methods, one (jdbcPasswordManagementDataSource) is called but the other (passwordChangeService) is not, not sure why. I set a breakpoint in my class to see how the code is invoked.
>>
>> This means passwordChangeService is already created somewhere else, but I cannot figure that out, either.
>>
>> I set a breakpoint in the CAS source code: JdbcPasswordManagementConfiguration; I do not see any method stopped during debug when CAS starts up.
>>
>> what did I miss? here are related logs
>>
>> 2024-05-06 10:49:55,104 DEBUG [restartedMain] [org.springframework.beans.factory.support.DefaultListableBeanFactory] -
>> definition: replacing [Root bean: class [null]; scope=; abstract=false; lazyInit=null; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration$EnableWebMvcConfiguration; factoryMethodName=localeResolver; initMethodNames=null; destroyMethodNames=[(inferred)]; defined in class path resource [org/springframework/boot/autoconfigure/web/servlet/WebMvcAutoConfiguration$EnableWebMvcConfiguration.class]]
>> with [Root bean: class [null]; scope=refresh; abstract=false; lazyInit=null; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=CasWebAppConfiguration; factoryMethodName=localeResolver; initMethodNames=null; destroyMethodNames=[(inferred)]; defined in class path resource [org/apereo/cas/config/CasWebAppConfiguration.class]]>
>>
>> 2024-05-06 10:49:55,107 DEBUG [restartedMain] [org.springframework.beans.factory.support.DefaultListableBeanFactory] -
>> with a different definition: replacing [Root bean: class [null]; scope=refresh; ab
[cas-user] Re: CAS7 bean creation override question
My thought is that this bean (jdbcPasswordChangeService) is already created somehow, see below logs, but I do not know how to find out who created it. I set a breakpoint in the only occurrence of this bean definition, JdbcPasswordManagementConfiguration; the method does not appear invoked in the debugger.

2024-05-06 12:23:41,783 DEBUG [restartedMain] [org.springframework.beans.factory.support.DefaultListableBeanFactory] -
<== i have my class re-defined this and breakpoint is invoked successfully

2024-05-06 12:23:41,804 DEBUG [restartedMain] [org.springframework.beans.factory.support.DefaultListableBeanFactory] -
<== do Not know who created it.

2024-05-06 12:23:41,836 DEBUG [restartedMain] [org.springframework.beans.factory.support.DefaultListableBeanFactory] -

any idea to find out who created this instance?

On Monday, May 6, 2024 at 11:53:07 AM UTC-4 Yan Zhou wrote:
> Hi,
>
> CAS 7.1.0 overlay, I need to override the password change implementation, using my own PasswordManagementService.
>
> I basically want to provide my own impl. of JdbcPasswordManagementConfiguration. See below QuestCasConfiguration,
>
> also defined in META-INF/spring/...AutoImports
> org.apereo.cas.config.CasOverlayOverrideConfiguration
> org.apereo.cas.config.QuestCasConfiguration
>
> @EnableTransactionManagement(proxyTargetClass = false)
> @EnableConfigurationProperties(CasConfigurationProperties.class)
> @Configuration(value = "QuestCasConfiguration", proxyBeanMethods = false)
> public class QuestCasConfiguration {
>
>     @Bean(name = "jdbcPasswordChangeService")
>     public PasswordManagementService passwordChangeService(
>         ...
>         final PasswordHistoryService passwordHistoryService) {
>         return new QuestJdbcPasswordManagementService(passwordManagementCipherExecutor,
>             casProperties.getServer().getPrefix(), casProperties.getAuthn().getPm(),
>             jdbcPasswordManagementDataSource,
>             jdbcPasswordManagementTransactionTemplate, passwordHistoryService, encoder);
>         <=== this is Not called
>     }
>
>     @Bean(name = "jdbcPasswordManagementDataSource")
>     public DataSource jdbcPasswordManagementDataSource(final CasConfigurationProperties casProperties) {
>         return JpaBeans.newDataSource(casProperties.getAuthn().getJdbc().getQuery().get(0)); <=== this is called
>     }
> }
>
> the problem is that of the two bean methods, one (jdbcPasswordManagementDataSource) is called but the other (passwordChangeService) is not, not sure why. I set a breakpoint in my class to see how the code is invoked.
>
> This means passwordChangeService is already created somewhere else, but I cannot figure that out, either.
>
> I set a breakpoint in the CAS source code: JdbcPasswordManagementConfiguration; I do not see any method stopped during debug when CAS starts up.
>
> what did I miss? here are related logs
>
> 2024-05-06 10:49:55,104 DEBUG [restartedMain] [org.springframework.beans.factory.support.DefaultListableBeanFactory] -
> definition: replacing [Root bean: class [null]; scope=; abstract=false; lazyInit=null; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration$EnableWebMvcConfiguration; factoryMethodName=localeResolver; initMethodNames=null; destroyMethodNames=[(inferred)]; defined in class path resource [org/springframework/boot/autoconfigure/web/servlet/WebMvcAutoConfiguration$EnableWebMvcConfiguration.class]]
> with [Root bean: class [null]; scope=refresh; abstract=false; lazyInit=null; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=CasWebAppConfiguration; factoryMethodName=localeResolver; initMethodNames=null; destroyMethodNames=[(inferred)]; defined in class path resource [org/apereo/cas/config/CasWebAppConfiguration.class]]>
>
> 2024-05-06 10:49:55,107 DEBUG [restartedMain] [org.springframework.beans.factory.support.DefaultListableBeanFactory] -
> with a different definition: replacing [Root bean: class [null]; scope=refresh; abstract=false; lazyInit=null; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=JdbcPasswordManagementDataConfiguration; factoryMethodName=jdbcPasswordManagementDataSource; initMethodNames=null; destroyMethodNames=[(inferred)]; defined in class path resource [org/apereo/cas/config/JdbcPasswordManagementConfiguration$JdbcPasswordManagementDataConfiguration.class]]
> with [Root bean: class [null]; scope=; abstract=false; lazyInit=null; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=fa
[cas-user] CAS7 bean creation override question
Hi,

CAS 7.1.0 overlay, I need to override the password change implementation, using my own PasswordManagementService.

I basically want to provide my own impl. of JdbcPasswordManagementConfiguration. See below QuestCasConfiguration,

also defined in META-INF/spring/...AutoImports
org.apereo.cas.config.CasOverlayOverrideConfiguration
org.apereo.cas.config.QuestCasConfiguration

    @EnableTransactionManagement(proxyTargetClass = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    @Configuration(value = "QuestCasConfiguration", proxyBeanMethods = false)
    public class QuestCasConfiguration {

        @Bean(name = "jdbcPasswordChangeService")
        public PasswordManagementService passwordChangeService(
            ...
            final PasswordHistoryService passwordHistoryService) {
            return new QuestJdbcPasswordManagementService(passwordManagementCipherExecutor,
                casProperties.getServer().getPrefix(), casProperties.getAuthn().getPm(),
                jdbcPasswordManagementDataSource,
                jdbcPasswordManagementTransactionTemplate, passwordHistoryService, encoder);
            <=== this is Not called
        }

        @Bean(name = "jdbcPasswordManagementDataSource")
        public DataSource jdbcPasswordManagementDataSource(final CasConfigurationProperties casProperties) {
            return JpaBeans.newDataSource(casProperties.getAuthn().getJdbc().getQuery().get(0)); <=== this is called
        }
    }

the problem is that of the two bean methods, one (jdbcPasswordManagementDataSource) is called but the other (passwordChangeService) is not, not sure why. I set a breakpoint in my class to see how the code is invoked.

This means passwordChangeService is already created somewhere else, but I cannot figure that out, either.

I set a breakpoint in the CAS source code: JdbcPasswordManagementConfiguration; I do not see any method stopped during debug when CAS starts up.

what did I miss? here are related logs

2024-05-06 10:49:55,104 DEBUG [restartedMain] [org.springframework.beans.factory.support.DefaultListableBeanFactory] -
2024-05-06 10:49:55,107 DEBUG [restartedMain] [org.springframework.beans.factory.support.DefaultListableBeanFactory] -
2024-05-06 10:49:55,257 DEBUG [restartedMain] [org.springframework.beans.factory.support.DefaultListableBeanFactory] -

JdbcPasswordHistoryManagementConfiguration matched:
  - Requested features [PasswordManagementHistory] are enabled (CasFeatureEnabledCondition)

JdbcPasswordManagementConfiguration matched:
  - Requested features [PasswordManagement] are enabled (CasFeatureEnabledCondition)

JdbcPasswordManagementConfiguration.JdbcPasswordManagementDataConfiguration#jdbcPasswordManagementDataSource matched:
  - @ConditionalOnMissingBean (names: jdbcPasswordManagementDataSource; SearchStrategy: all) did not find any beans (OnBeanCondition)

JdbcPasswordManagementConfiguration.JdbcPasswordManagementServiceConfiguration#passwordChangeService matched:
  - @ConditionalOnMissingBean (names: jdbcPasswordChangeService; SearchStrategy: all) did not find any beans (OnBeanCondition)

JdbcPasswordManagementConfiguration.JdbcPasswordManagementTransactionConfiguration#jdbcPasswordManagementTransactionTemplate matched:
  - @ConditionalOnMissingBean (names: jdbcPasswordManagementTransactionTemplate; SearchStrategy: all) did not find any beans (OnBeanCondition)

thanks!
Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d9523583-4942-4c50-a755-fafb8434b2aan%40apereo.org.
[cas-user] CAS6 MFA trusted device question, why client IP in addition to cookie value
hello,

CAS 6.6 MFA trusted device implementation. The doc says the Device Fingerprint's default is:

- Randomly generated cookie plus the client IP (default)

But cas.properties has this as the default:

cas.authn.mfa.trusted.device-fingerprint.client-ip.enabled=false

1. What is the default device fingerprint component: Cookie only, or Cookie and client IP?

2. Why would we need the client IP in addition to the cookie? Is the cookie not unique to the browser instance that is navigating to CAS? When we add the client IP, the same browser on the same device is not always recognized as a registered device (as the device may get a different IP, but the device itself is the same one), and that may add customer confusion (why did CAS not remember me?).

In our production we have this, and it seems to work well for us.

cas.authn.mfa.simple.trustedDeviceEnabled=true
cas.authn.mfa.trusted.device-fingerprint.client-ip.enabled=false
cas.authn.mfa.trusted.device-fingerprint.cookie.enabled=true
cas.authn.mfa.trusted.device-fingerprint.user-agent.enabled=false

I did not want to unknowingly introduce a weakness in the device fingerprint. Did I miss anything?

Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/77df9f26-68f3-4ae2-9a3f-ecb0736996b6n%40apereo.org.
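Binding the trusted-device cookie to the client IP is a trade-off rather than a free hardening: the cookie is a bearer value, and from the server's point of view the same device arriving from a new network and the same cookie value presented from an address it was never issued to look identical unless the IP is part of the fingerprint. The Java class below (Java 17+) is an added illustration of that trade-off; it is not CAS's own fingerprint code, it does not answer what CAS's default is, and the HMAC key, cookie value, addresses and user agent are constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example (not CAS code): a trusted-device fingerprint assembled from
// whichever components are enabled, keyed so that the stored value reveals
// neither the cookie nor the address it was bound to.
public final class DeviceFingerprint {

    // Constructed demo key; a deployment would keep this in its key store.
    private static final byte[] KEY =
        "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);

    static String compute(boolean useCookie, boolean useClientIp, boolean useUserAgent,
                          String cookie, String clientIp, String userAgent) {
        StringBuilder material = new StringBuilder();
        if (useCookie) material.append("cookie=").append(cookie).append('\n');
        if (useClientIp) material.append("ip=").append(clientIp).append('\n');
        if (useUserAgent) material.append("ua=").append(userAgent).append('\n');
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
            byte[] tag = mac.doFinal(material.toString().getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Constant-time comparison of the registered fingerprint with the presented one. */
    static boolean matches(String registered, String presented) {
        return MessageDigest.isEqual(registered.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String cookie = "c0ffee-constructed-random-cookie";
        String ua = "Mozilla/5.0 (constructed)";
        String enrolledFrom = "203.0.113.10";   // address at enrolment (documentation range)
        String laterFrom = "198.51.100.7";      // address on a later visit

        // Registered once, with and without the IP component.
        String cookieOnly = compute(true, false, false, cookie, enrolledFrom, ua);
        String cookiePlusIp = compute(true, true, false, cookie, enrolledFrom, ua);

        // Same cookie, different address: cookie-only still matches, cookie+IP does not.
        // The server cannot tell a roaming device from a cookie replayed elsewhere;
        // that ambiguity is what the IP component removes, at the cost of re-prompting
        // legitimate users whose address changed.
        System.out.println("cookie only, new IP : "
            + matches(cookieOnly, compute(true, false, false, cookie, laterFrom, ua)));
        System.out.println("cookie + IP, new IP : "
            + matches(cookiePlusIp, compute(true, true, false, cookie, laterFrom, ua)));
    }
}
```

Two details carry over regardless of which components a deployment enables: the cookie value must be generated from a cryptographically secure random source so the fingerprint's strength rests on it when the IP is disabled, and the comparison must be constant-time so the stored fingerprint cannot be probed byte by byte.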
Re: [cas-user] cas7, how do I load thymeleaf files in Intellij?
that is good to know!

What we have been asked to do is to use a different look & feel; basically, we will keep the HTML elements, but CSS, layout and look/feel will be different. I suppose we might as well get the entire cas-server-support-thymeleaf directory, as we will be modifying every HTML file there, plus adding some more since we have a customized flow added.

anyway, I tried this approach. It is fairly slow, took over 3 minutes to get casLoginView.html, and it failed. The file is correctly copied over in the build directory; it is not clear why it failed. Illegal char <:> at index 49. Any idea?

Yan

> Task :unzipWAR
Unzipped WAR into C:\gitworkspace\cas7-suite\cas-overlay-template\build/app

> Task :unzip
Exploded WAR resources into C:\gitworkspace\cas7-suite\cas-overlay-template\build/cas-resources

> Task :getResource FAILED

FAILURE: Build failed with an exception.

* Where:
Script 'C:\gitworkspace\cas7-suite\cas-overlay-template\gradle\tasks.gradle' line: 313

* What went wrong:
Execution failed for task ':getResource'.
> Illegal char <:> at index 49: C:\gitworkspace\cas7-suite\cas-overlay-template\C:\gitworkspace\cas7-suite\cas-overlay-template\build\cas-resources\templates\login\casLoginView.html

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

> Get more help at https://help.gradle.org.

BUILD FAILED in 3m 9s
10 actionable tasks: 9 executed, 1 up-to-date

On Saturday, April 13, 2024 at 12:18:06 AM UTC-4 Ray Bon wrote:
> Yan,
>
> The overlay project is a shell that makes deployment simple because it _does not_ include all of the files from cas.
> When you build the overlay, it pulls in the cas war file, replacing any files you may want to override with ones from your overlay src folder.
>
> If you want to make changes to the thymeleaf files, you can bring them into the overlay, see
> https://fawnoos.com/2023/12/15/cas70x-gettingstarted-overlay/#user-interface-customizations
>
> Ray
>
> On Fri, 2024-04-12 at 11:08 -0700, Yan Zhou wrote:
>
> Hello,
>
> I am new to Intellij, and am using the CAS7 overlay project. I imported it into Intellij. I was unable to load classes and html files in cas-server-support-thymeleaf.
>
> See screen shot: in my project, thymeleaf is correctly listed on compileClassPath on the right, but not listed in External libraries on the left; that may be why I cannot locate the files in Intellij.
>
> If I add this in build.gradle, then thymeleaf shows up in external libraries and I also can load the HTML and class files in thymeleaf packages
>
> implementation "org.apereo.cas:cas-server-support-thymeleaf"
>
> i should not have to do that, what am I missing?
>
> Thx,
> Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2eeb343c-a22d-4039-abcc-4a4d024e0ae1n%40apereo.org.
[cas-user] cas7, how do I load thymeleaf files in Intellij?
Hello,

I am new to Intellij, and am using the CAS7 overlay project. I imported it into Intellij. I was unable to load classes and html files in cas-server-support-thymeleaf.

See screen shot: in my project, thymeleaf is correctly listed on compileClassPath on the right, but not listed in External libraries on the left; that may be why I cannot locate the files in Intellij.

If I add this in build.gradle, then thymeleaf shows up in external libraries and I also can load the HTML and class files in thymeleaf packages

implementation "org.apereo.cas:cas-server-support-thymeleaf"

i should not have to do that, what am I missing?

Thx,
Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/483eb651-ddcb-4cc9-a7f5-13600dacad07n%40apereo.org.
Re: [cas-user] how to handle idle timeout in App?
Thanks, i think my understanding of SLO is correct.

The apps are looking to CAS to handle synchronized idle timeout. For instance, i am in both A and B, i switch from A to B and stay in B for one hour. A will idle timeout, but what they want is, if A and B are both up, as long as the user is active in one app, the user should be active in both. This requires some kind of session manager, which is beyond CAS.

On Tue, Mar 26, 2024 at 12:17 AM Ray Bon wrote:
> Yan,
>
> Single logout is messy business.
>
> Cas has a session that is independent from an application session. Cas session may be longer or shorter than an application, it may have different settings and conditions for how its length is determined.
> Application participation in single log out can be set in the service definition (or disabled globally).
> Cas, by default, will send a logout request to each application under a ticket granting ticket. So if user logs out of an application and it sends the user to the cas logout page, cas will try to log user out of other applications. Whether those applications honour the logout request is up to the individual application.
> So if application B idles out and sends a logout to cas, then cas sends a logout request to A; If A honours that request, then user could lose unsaved work.
>
> When you refer to 'idle timeout', are you referring to cas session or application session?
>
> When Cas session times out (idle timeout or otherwise), the TGT is removed, no single logout takes place (nor can it take place if requested by an application).
>
> Ray
>
> Single Log Out is not what you think it is; and it will never do what you want.
>
> On Mon, 2024-03-25 at 12:35 -0700, Yan Zhou wrote:
>
> Hi,
>
> Two webapps, both protected by CAS. The user is in both apps via SSO.
>
> When the user idle timeout kicks in, he is also logged out of CAS; i believe this is the correct behavior. Otherwise, after idle timeout, simply accessing B will get the user in right away, which is a security problem. Say the user walks away, the app's idle timeout kicks in, but the SSO session is still valid; now someone else comes and accesses the app, and that person would be right in B without being prompted for credentials.
>
> This brings up another usability problem. Say the user is busy in one app A and idle in the other app B. B's idle timeout kicks in and he is also logged out of CAS. The user remains in A, but when he accesses B, he is prompted for credentials (no SSO since the CAS SSO session was already terminated).
>
> Is my understanding correct?
>
> Thanks,
> Yan
>
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/3c7d3fa7c1e5dff6f251addaf8246a66b67067cd.camel%40uvic.ca

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFSoZem8b22yGOZuaS9YP35sZ5OyK7iNqqSDTsQn8oPbVOQg4Q%40mail.gmail.com.
[cas-user] how to handle idle timeout in App?
Hi,

Two webapps, both protected by CAS. The user is in both apps via SSO.

When the user idle timeout kicks in, he is also logged out of CAS; i believe this is the correct behavior. Otherwise, after idle timeout, simply accessing B will get the user in right away, which is a security problem. Say the user walks away, the app's idle timeout kicks in, but the SSO session is still valid; now someone else comes and accesses the app, and that person would be right in B without being prompted for credentials.

This brings up another usability problem. Say the user is busy in one app A and idle in the other app B. B's idle timeout kicks in and he is also logged out of CAS. The user remains in A, but when he accesses B, he is prompted for credentials (no SSO since the CAS SSO session was already terminated).

Is my understanding correct?

Thanks,
Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8e74f8f8-1533-456e-9c6a-15e7ec943a58n%40apereo.org.
[cas-user] Re: Redis ticket registry 7.0.0-RC8 - Azure cache for Redis support
Hi Mike,

How is it going now? Did you ever make it work? Mine is 6.6.x; it should be functionally equivalent to CAS7 as far as this code is concerned. I am getting an "Unable to connect to " message. I verified that I am using the Redis Standalone config, which is suitable for Azure Cloud for Redis.

Yan

On Monday, October 16, 2023 at 1:13:06 AM UTC-4 Mike Rokitka wrote:
> Hi,
>
> We are currently testing CAS v7 via the latest RC8, but have run into a blocker with the configuration of the Redis based ticket registry. There does not appear to be a way to configure the Redis registry/client to connect without a username (Azure cache for Redis does not use usernames). If we set the username to an empty string via configuration properties (or null programmatically), then it fails due to username assertions in lettuce.
> Eg.
>
> Caused by: java.lang.IllegalArgumentException: User name must not be null
>     at io.lettuce.core.internal.LettuceAssert.notNull(LettuceAssert.java:71)
>     at io.lettuce.core.RedisURI$Builder.withAuthentication(RedisURI.java:1563)
>     at org.apereo.cas.redis.core.RedisObjectFactory.newRedisModulesCommands(RedisObjectFactory.java:132)
>
> This can be traced to RedisObjectFactory.newRedisModulesCommands() in cas-server-support-redis-core, as it assumes a username is present if a password is present (via uriBuilder.withAuthentication call). This should check for a null/empty username first and use uriBuilder.withPassword instead in that case.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e2b0f23a-e3a9-4b6a-b0c9-ead235fb34f2n%40apereo.org.
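The username handling Mike describes, as an added example that is not CAS's own RedisObjectFactory code: the first builder reproduces the assumption (a password implies a username), the second checks the username first and falls back to withPassword, which is the shape of the fix proposed above. The host, port and access key are constructed placeholders, and the builder calls are the Lettuce 6 RedisURI.Builder API.

```java
import io.lettuce.core.RedisURI;

/**
 * Added example (not CAS's own RedisObjectFactory): building a Lettuce RedisURI
 * for a server that authenticates with a password/access key but no username,
 * as Azure Cache for Redis does. Host, port and credentials are constructed
 * placeholders.
 */
public final class RedisUriExample {

    /** Shape of the assumption in the thread: any password is passed together with the username as-is. */
    static RedisURI buildAssumingUsername(String host, int port, String username, String password) {
        RedisURI.Builder builder = RedisURI.builder().withHost(host).withPort(port);
        if (password != null && !password.isEmpty()) {
            // Lettuce asserts the username is non-null here: "User name must not be null".
            builder.withAuthentication(username, password);
        }
        return builder.build();
    }

    /** Proposed shape: decide on the username first, then fall back to password-only authentication. */
    static RedisURI buildTolerant(String host, int port, String username, String password, boolean useSsl) {
        RedisURI.Builder builder = RedisURI.builder().withHost(host).withPort(port).withSsl(useSsl);
        boolean hasPassword = password != null && !password.isEmpty();
        boolean hasUsername = username != null && !username.isBlank(); // empty string counts as absent
        if (hasPassword && hasUsername) {
            builder.withAuthentication(username, password);   // Redis 6+ ACL user and password
        } else if (hasPassword) {
            builder.withPassword(password.toCharArray());      // legacy AUTH <password>, no username
        }
        // No password at all: the URI stays unauthenticated and the server rejects commands if it requires AUTH.
        return builder.build();
    }

    public static void main(String[] args) {
        String host = "example.redis.cache.windows.net"; // constructed placeholder
        String accessKey = "PLACEHOLDER_ACCESS_KEY";      // constructed placeholder, never a real key

        try {
            buildAssumingUsername(host, 6380, null, accessKey);
        } catch (IllegalArgumentException e) {
            System.out.println("assumption-based builder failed: " + e.getMessage());
        }

        RedisURI uri = buildTolerant(host, 6380, null, accessKey, true);
        System.out.println("username present: " + (uri.getUsername() != null));
        System.out.println("password present: " + (uri.getPassword() != null));
        System.out.println("ssl: " + uri.isSsl());
    }
}
```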
[cas-user] Take user back to Login page after MFA login error
Hi,

CAS 6.6.x with MFA. After I correctly enter user credentials, I will be asked for a code; if that fails, CAS shows casMfaDeniedView. The following CAS code (if the user enters an incorrect code) simply takes the user back to the MFA login page, so that the user can retry. I would not want users to have unlimited retries, so I want to extend the flow, adding a button that takes the user back to the login page, clearing credentials already established during the initial login flow. But the MFA flow and the Login flow are two different flows, and I have trouble implementing this correctly. How do you do this?

Thanks,
Yan

val realSubmitState = createActionState(flow, CasWebflowConstants.STATE_ID_REAL_SUBMIT, createEvaluateAction(CasWebflowConstants.ACTION_ID_OTP_AUTHENTICATION_ACTION));
createTransitionForState(realSubmitState, CasWebflowConstants.TRANSITION_ID_SUCCESS, CasWebflowConstants.STATE_ID_SUCCESS);
createTransitionForState(realSubmitState, CasWebflowConstants.TRANSITION_ID_ERROR, CasWebflowConstants.STATE_ID_VIEW_LOGIN_FORM);

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/30c1374d-2230-47d4-ac91-8d7f0b20677fn%40apereo.org.
[cas-user] CAS 6.6.12 LDAP error messages
Hi there,

CAS 6.6.12 on ActiveDirectory authN, seeing this error intermittently. I can log in successfully and authN works correctly, but I am seeing errors fairly often and am not sure what they mean. It seems AD is closing the connection unexpectedly, but why? Thanks!

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].searchFilter=(&(objectCategory=Person)(sAMAccountName={user}))
cas.authn.ldap[0].baseDn=.
cas.authn.ldap[0].bindCredential=.
cas.authn.ldap[0].bindDn=.
cas.authn.ldap[0].ldapUrl=ldaps://ldaps..com:636
cas.authn.ldap[0].keystore=file:///C:/./ldapkeystore
cas.authn.ldap[0].keystorePassword=c.t
# I am using the default value BIND for poolPassivator. I do not think that is related.

2024-02-15 11:09:07,213 WARN [ldaptive-ConnectionFactoryTransport-io-1-3] [org.ldaptive.transport.netty.NettyConnection] - java.io.IOException: An existing connection was forcibly closed by the remote host
    at sun.nio.ch.SocketDispatcher.read0(Native Method) ~[?:?]
    at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:43) ~[?:?]
    at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:276) ~[?:?]
    at sun.nio.ch.IOUtil.read(IOUtil.java:233) ~[?:?]
    at sun.nio.ch.IOUtil.read(IOUtil.java:223) ~[?:?]
    at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:358) ~[?:?]
    at io.netty.buffer.PooledByteBuf.setBytes(PooledByteBuf.java:258) ~[netty-buffer-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.buffer.AbstractByteBuf.writeBytes(AbstractByteBuf.java:1132) ~[netty-buffer-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.channel.socket.nio.NioSocketChannel.doReadBytes(NioSocketChannel.java:357) ~[netty-transport-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:151) ~[netty-transport-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788) ~[netty-transport-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724) ~[netty-transport-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650) ~[netty-transport-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) ~[netty-transport-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) ~[netty-common-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[netty-common-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[netty-common-4.1.80.Final.jar:4.1.80.Final]
    at java.lang.Thread.run(Thread.java:834) ~[?:?]
2024-02-15 11:09:07,930 WARN [ldaptive-ConnectionFactoryTransport-io-3-2] [org.ldaptive.transport.netty.NettyConnection] - java.io.IOException: An existing connection was forcibly closed by the remote host
    at sun.nio.ch.SocketDispatcher.read0(Native Method) ~[?:?]
    at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:43) ~[?:?]
    at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:276) ~[?:?]
    at sun.nio.ch.IOUtil.read(IOUtil.java:233) ~[?:?]
    at sun.nio.ch.IOUtil.read(IOUtil.java:223) ~[?:?]
    at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:358) ~[?:?]
    at io.netty.buffer.PooledByteBuf.setBytes(PooledByteBuf.java:258) ~[netty-buffer-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.buffer.AbstractByteBuf.writeBytes(AbstractByteBuf.java:1132) ~[netty-buffer-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.channel.socket.nio.NioSocketChannel.doReadBytes(NioSocketChannel.java:357) ~[netty-transport-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:151) ~[netty-transport-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788) ~[netty-transport-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724) ~[netty-transport-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650) ~[netty-transport-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) ~[netty-transport-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) ~[netty-common-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[netty-common-4.1.80.Final.jar:4.1.80.Final]
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[netty-common-4.1.80.Final.jar:4.1.80.Final]
    at java.lang.Thread.run(Thread.java:834) ~[?:?]

I actually do not understand what this CAS comment is referring to; is it saying the default value BIND is designed to
Re: [cas-user] how do I add dependency without being tied to version?
That did help, thanks a lot to you both!

Yan

On Tuesday, February 6, 2024 at 9:51:39 PM UTC-5 Petr Bodnár wrote:
> Hi,
>
> AFAIK, just specifying the library without the version *should* be sufficient:
>
> implementation "org.apache.shiro:shiro-core"
>
> Because like for the other libraries from your example, the version of the dependency is already specified in the imported CAS BOM (e.g. cas-server-support-bom-6.6.15.pom <https://repo1.maven.org/maven2/org/apereo/cas/cas-server-support-bom/6.6.15/cas-server-support-bom-6.6.15.pom>).
>
> The BOM is imported by the following line in the CAS overlay's build.gradle <https://github.com/apereo/cas-overlay-template/blob/6.6/build.gradle#L256C38-L256C75>:
>
> implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
>
> You can see e.g. https://docs.gradle.org/current/userguide/platforms.html#sub:bom_import for how this works.
>
> (Ad lombokVersion: As this special, compile-only, library is not specified in the BOM, I'm doing the same, i.e. I copy the version manually to my project.)
>
> I hope this helps
> Petr
>
> On Tuesday 6 February 2024 at 05:36:17 UTC+1 Ray Bon wrote:
>
>> Yan,
>>
>> You can put the version into gradle.properties (I put this at the bottom of my file):
>>
>> lombokVersion=1.18.30
>> ...
>>
>> In build.gradle:
>>
>> compileOnly "org.projectlombok:lombok:${lombokVersion}"
>> testCompileOnly("org.projectlombok:lombok:${lombokVersion}")
>>
>> If the library is included in cas, then you do not need to use implementation.
>>
>> Ray
>>
>> On Mon, 2024-02-05 at 08:22 -0800, Yan Zhou wrote:
>>
>> Hi there,
>>
>> With CAS 6.6.x overlay, I need to create my own authentication handler, which uses Apache Shiro's hash service, etc. It comes with CAS, but I have to explicitly list them in my project dependencies so my code can compile.
>>
>> It looks like the following. Note that I first find out CAS is using shiro-core 1.9.1 and then explicitly include it in build.gradle. Is there a better way to manage this (such that I do not have to explicitly include the shiro dependency by a specific version#? This makes it difficult for upgrade.)
>>
>> implementation "org.apereo.cas:cas-server-support-jdbc"
>> implementation "org.apereo.cas:cas-server-support-jdbc-authentication"
>> implementation "org.apache.shiro:shiro-core:1.9.1"
>> implementation "org.apereo.cas:cas-server-support-ldap"
>>
>> Thanks,
>> Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a31c7d46-e3f6-476d-a245-5d76218e3a75n%40apereo.org.
[cas-user] CAS 6.6.x overlay, Oracle jdbc driver class Not Found, but exists
Hello,

cas.log complains that it cannot find the jdbc driver class, but it exists in cas.war and is also declared in the gradle dependencies. Can anyone suggest what to do? Thanks!

I have a CAS 6.6.12 overlay; in build.gradle, I have the following:

implementation "org.apereo.cas:cas-server-support-jdbc"
implementation "org.apereo.cas:cas-server-support-jdbc-authentication"
implementation "org.apereo.cas:cas-server-support-jdbc-drivers"
implementation "org.apereo.cas:cas-server-support-jpa-hibernate"

In cas.properties:

cas.authn.jdbc.query[0].name=MyCustomDatabaseAuthenticationHandler
cas.authn.jdbc.query[0].driver-class=oracle.jdbc.driver.OracleDriver
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.Oracle12cDialect
cas.authn.jdbc.query[0].url=jdbc:oracle:thin:@(description=(ADDRESS=(PROTOCOL=TCP)(..)

When I build cas.war, I can see ojdbc10-19.3.0.0.jar in WEB-INF/lib, but when I start CAS, cas.log still has the following error. It does work fine with authN via database, but I am not sure why it cannot find the driver.

driverClassName=oracle.jdbc.driver.OracleDriver was not found.

2024-02-07 10:12:55,769 WARN [https-jsse-nio-8543-exec-5] [com.zaxxer.hikari.HikariConfig] - <3ad14adb-01bc-4a19-92e8-4187ab797f10 - idleTimeout is close to or more than maxLifetime, disabling it.>
2024-02-07 10:12:55,769 INFO [https-jsse-nio-8543-exec-5] [com.zaxxer.hikari.HikariDataSource] - <3ad14adb-01bc-4a19-92e8-4187ab797f10 - Starting...>
2024-02-07 10:12:55,806 WARN [https-jsse-nio-8543-exec-5] [com.zaxxer.hikari.util.DriverDataSource] -
2024-02-07 10:12:56,766 INFO [https-jsse-nio-8543-exec-5] [com.zaxxer.hikari.pool.HikariPool] - <3ad14adb-01bc-4a19-92e8-4187ab797f10 - Added connection oracle.jdbc.driver.T4CConnection@6d4f10b1>
2024-02-07 10:12:56,768 INFO [https-jsse-nio-8543-exec-5] [com.zaxxer.hikari.HikariDataSource] - <3ad14adb-01bc-4a19-92e8-4187ab797f10 - Start completed.>
== END ==

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/66f4c84b-191d-4e7a-9da2-76e7f92fa0dan%40apereo.org.
[cas-user] how do I add dependency without being tied to version?
Hi there,

With CAS 6.6.x overlay, I need to create my own authentication handler, which uses Apache Shiro's hash service, etc. It comes with CAS, but I have to explicitly list them in my project dependencies so my code can compile.

It looks like the following. Note that I first find out CAS is using shiro-core 1.9.1 and then explicitly include it in build.gradle. Is there a better way to manage this (such that I do not have to explicitly include the shiro dependency by a specific version#? This makes it difficult for upgrade.)

implementation "org.apereo.cas:cas-server-support-jdbc"
implementation "org.apereo.cas:cas-server-support-jdbc-authentication"
implementation "org.apache.shiro:shiro-core:1.9.1"
implementation "org.apereo.cas:cas-server-support-ldap"

Thanks,
Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c59e43c5-32c2-42cc-b499-eb2de79ad9fcn%40apereo.org.
Re: [cas-user] how do i enable jdbc feature in CAS 6.6.12?
Hi All,

I figured out my problem! That is interesting. This is my customized configuration:

public Collection jdbcAuthenticationHandlers() {
    jdbc.getEncode().forEach(b -> handlers.add(queryAndEncodeDatabaseAuthenticationHandler(b)));
    ..

This is my cas.properties:

cas.authn.jdbc.search[0]..

The code does not match the properties (the code expects getEncode(), but the property only has jdbc.search). I could not figure this out because there was not any error in the logs. Very interesting. Now it is working as expected.

Yan

On Monday, January 29, 2024 at 1:49:01 PM UTC-5 Mohamed Amdouni wrote:
> Hello,
>
> For debugging, I just download the whole cas repository (the corresponding tag version), then I import this project to IntelliJ and connect to the overlay remote jvm.
> It doesn't matter if the project compiles or not if you would like to just debug.
>
> On Mon, 29 Jan 2024 at 17:45, Ray Bon wrote:
>
>> Yan,
>>
>> I have found that intellij will report errors/missing references but code compiles just fine.
>> The build process with cas-overlay places files (compiled code and resources) from src onto the prebuilt cas.war.
>> I have not tried to replace jar files, so I am not sure how you would get those into the build (unless you added them manually after deployment - but that seems ineffective).
>>
>> If you are trying to debug your custom authenticator, you should not need the external jars (you could use log lines). If you are trying to fix an error in those external jars, you would have to work with the main cas project.
>>
>> You can increase spring logging to see how it treats your configuration class.
>> This logger may also help
>>
>> Did you create your authenticator from scratch (as described in https://fawnoos.com/2017/02/02/cas51-authn-handlers/) or did you copy from an existing authenticator?
>>
>> Ray
>>
>> On Mon, 2024-01-29 at 07:02 -0800, Yan Zhou wrote:
>>
>> Hello,
>>
>> Thank you both! But neither helped.
>>
>> I have been on CAS for quite some time, making customizations, but it is always Maven/Eclipse that I am working with; I wonder if that is because of my lack of knowledge of the Overlay's gradle build set-up.
>>
>> In my cas-overlay build.gradle, I placed all dependencies there. CAS loads correctly; it is reading the Service Registry from JSON, as I placed the dependency there. It is also generating SAML-related artifacts.
>>
>> But, when I added ...-support-jdbc... and -support-jdbc-authentication.... jars into intellij, so that I can debug the CAS source code (I add these as External Dependencies with Jar and Source Code), Intellij says they are not used. Hmm, I wonder if maybe that is the problem: even though it is listed, somehow they are not loaded. But I am new to Gradle and to Intellij.
>>
>> Yan
>>
>> dependencies {
>>     /**
>>      * Do NOT modify the lines below or else you will risk breaking dependency management.
>>      */
>>     implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
>>     implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
>>
>>     /**
>>      * Do NOT modify the lines below or else you will risk breaking the build.
>>      */
>>     implementation "org.apereo.cas:cas-server-core-api-configuration-model"
>>     implementation "org.apereo.cas:cas-server-webapp-init"
>>
>>     developmentOnly "org.springframework.boot:spring-boot-devtools:${project.springBootVersion}"
>>
>>     /**
>>      * CAS dependencies and modules may be listed here.
>>      *
>>      * There is no need to specify the version number for each dependency
>>      * since versions are all resolved and controlled by the dependency management
>>      * plugin via the CAS bom.
>>      **/
>>     implementation "org.apereo.cas:cas-server-support-rest"
>>     implementation "org.apereo.cas:cas-server-support-saml-idp"
>>     implementation "org.apereo.cas:cas-server-support-pac4j-webflow"
>>     implementation "org.apereo.cas:cas-server-support-json-service-registry"
>>     implementation "org.aper
Re: [cas-user] how do i enable jdbc feature in CAS 6.6.12?
Hello,

Thank you both! But neither helped.

I have been on CAS for quite some time, making customizations, but it is always Maven/Eclipse that I am working with; I wonder if that is because of my lack of knowledge of the Overlay's gradle build set-up.

In my cas-overlay build.gradle, I placed all dependencies there. CAS loads correctly; it is reading the Service Registry from JSON, as I placed the dependency there. It is also generating SAML-related artifacts.

But, when I added ...-support-jdbc... and -support-jdbc-authentication jars into intellij, so that I can debug the CAS source code (I add these as External Dependencies with Jar and Source Code), Intellij says they are not used. Hmm, I wonder if maybe that is the problem: even though it is listed, somehow they are not loaded. But I am new to Gradle and to Intellij.

Yan

dependencies {
    /**
     * Do NOT modify the lines below or else you will risk breaking dependency management.
     */
    implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
    implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)

    /**
     * Do NOT modify the lines below or else you will risk breaking the build.
     */
    implementation "org.apereo.cas:cas-server-core-api-configuration-model"
    implementation "org.apereo.cas:cas-server-webapp-init"

    developmentOnly "org.springframework.boot:spring-boot-devtools:${project.springBootVersion}"

    /**
     * CAS dependencies and modules may be listed here.
     *
     * There is no need to specify the version number for each dependency
     * since versions are all resolved and controlled by the dependency management
     * plugin via the CAS bom.
     **/
    implementation "org.apereo.cas:cas-server-support-rest"
    implementation "org.apereo.cas:cas-server-support-saml-idp"
    implementation "org.apereo.cas:cas-server-support-pac4j-webflow"
    implementation "org.apereo.cas:cas-server-support-json-service-registry"
    implementation "org.apereo.cas:cas-server-core-webflow-api"
    implementation "org.apereo.cas:cas-server-core-api-webflow"
    implementation "org.apereo.cas:cas-server-core-web-api"
    implementation "org.apereo.cas:cas-server-support-jdbc"
    implementation "org.apereo.cas:cas-server-support-jdbc-authentication"
    implementation "org.apereo.cas:cas-server-core-api-authentication"
    implementation "org.apereo.cas:cas-server-core-authentication-api"
    implementation "org.apereo.cas:cas-server-support-jpa-util"
    implementation "org.apereo.cas:cas-server-support-oidc"

    if (project.hasProperty("casModules")) {
        def dependencies = project.getProperty("casModules").split(",")
        dependencies.each {
            def projectsToAdd = rootProject.subprojects.findAll {project ->
                project.name == "cas-server-core-${it}" || project.name == "cas-server-support-${it}"
            }
            projectsToAdd.each {implementation it}
        }
    }

On Friday, January 26, 2024 at 1:44:58 PM UTC-5 Mohamed Amdouni wrote:
> Hi,
>
> Did you try to add the driver dependency?
>
> cas-server-support-jdbc-drivers
>
> On Fri, 26 Jan 2024 at 18:42, Yan Zhou wrote:
>
>> Hi there,
>>
>> I may be missing something obvious.
>>
>> I created my own JDBC-based authenticator. I noticed that the JDBC authentication is not registered, so login does not load the jdbc-authenticator at all.
>>
>> I set a breakpoint in CasJdbcAuthenticationConfiguration; it is not called during CAS start-up.
>>
>> How is this configuration being loaded, see the code below?
>>
>> @ConditionalOnFeatureEnabled(feature = CasFeatureModule.FeatureCatalog.Authentication, module = "jdbc")
>>
>> Is this driven by the presence of cas.auth.jdbc and jdbc jars in dependencies?
>>
>> Yan
>>
>> Project dependencies:
>>
>> implementation "org.apereo.cas:cas-server-support-jdbc"
>> implementation "org.apereo.cas:cas-server-support-jdbc-authentication"
>>
>> I added configuration in META-INF/spring.factories like this; I created my own class, so as to load my custom jdbc Authenticator.
>>
>> org.apereo.cas.adaptors.jdbc.config.MyCasJdbcAuthenticationConfiguration
>>
>> Then in cas.properties, I have all the properties filled.
>>
>> cas.authn.jdbc.search[0]..
>>
>> thanks,
[cas-user] how do i enable jdbc feature in CAS 6.6.12?
Hi there,

I may be missing something obvious.

I created my own JDBC-based authenticator. I noticed that the JDBC authentication is not registered, so login does not load the jdbc-authenticator at all.

I set a breakpoint in CasJdbcAuthenticationConfiguration; it is not called during CAS start-up.

How is this configuration being loaded, see the code below?

@ConditionalOnFeatureEnabled(feature = CasFeatureModule.FeatureCatalog.Authentication, module = "jdbc")

Is this driven by the presence of cas.auth.jdbc and jdbc jars in dependencies?

Yan

Project dependencies:

implementation "org.apereo.cas:cas-server-support-jdbc"
implementation "org.apereo.cas:cas-server-support-jdbc-authentication"

I added configuration in META-INF/spring.factories like this; I created my own class, so as to load my custom jdbc Authenticator.

org.apereo.cas.adaptors.jdbc.config.MyCasJdbcAuthenticationConfiguration

Then in cas.properties, I have all the properties filled.

cas.authn.jdbc.search[0]..

thanks,

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7991cac7-97e9-4487-bb6e-99e7065c0daen%40apereo.org.
[cas-user] CAS as SP using SAML?
Hi there,

I have CAS delegated authN via SAML working. But I have trouble getting a much simpler flow to work.

I would like CAS to act as a SAML2 ServiceProvider: it accepts an HTTP POST with a SAML Response (the user is already authenticated by another IdP such as Okta, which POSTs the SAML response to CAS); after validation, it gets the URL defined in RelayState or ACS, and redirects the browser to that URL. Much like the IdP-initiated SSO flow, in this case the initiating IdP is some other app such as Okta: the user is already in the Okta portal, he sets up a SAML 2.0 integration in Okta, with the SSO Url pointing to a CAS endpoint, and RelayState or ACS has the URL to be launched (e.g., pointing to another app protected by CAS).

I have trouble getting this to work. With the CAS SSO profiles, they all assume CAS is the IdP, and therefore accept only an AuthnRequest. This sounds a lot simpler than delegated AuthN, but I cannot get it to work.

Here is what I am thinking: CAS is a Spring Boot app, which can act as a SAML2 SP; that requires the Spring dependency spring-security-saml2-service-provider, which is not included in CAS by default. Is this something I need to do to get what I want to work? In other words, CAS is always intended to be the IdP; to be an SP like an app, we need to do something different.

An alternative is to have Okta point the SSO Url to the App, but that is not what I am looking for in this flow. The App does not understand SAML; it uses CAS for authN. I want CAS to be the SP, and then some mechanism to redirect to the App after the CAS session is created.

Thanks,
Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/97663e4f-1af9-414e-90b9-cf327933ea81n%40apereo.org.
Re: [cas-user] CAS 6.6.12 compiler error, though jars are in classpath
gradlew --debug clean build. I am using Gradle 7.6, JDK11, on Windows. Basically, everything comes with the Overlay project, other than that I am adding my own classes.

On Monday, December 11, 2023 at 12:31:50 PM UTC-5 Ray Bon wrote:
> Yan,
>
> What is your build command / process?
>
> Ray
>
> On Mon, 2023-12-11 at 07:01 -0800, Yan Zhou wrote:
>
> Hi,
>
> I am using CAS 6.6.12 overlay, new to Gradle, so I may be missing something obvious.
>
> I need to create my own authentication handler class, so, in my build.gradle, I added:
>
> implementation "org.apereo.cas:cas-server-core-authentication-api"
> implementation "org.apereo.cas:cas-server-core-api-authentication"
>
> I keep getting a compiler error, although the classes are there in my classpath.
>
> This is the portion of my build.gradle file. The dependencies are listed there.
>
> dependencies {
>     /**
>      * Do NOT modify the lines below or else you will risk breaking dependency management.
>      */
>     implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
>     implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
>
>     /**
>      * Do NOT modify the lines below or else you will risk breaking the build.
>      */
>     implementation "org.apereo.cas:cas-server-core-api-configuration-model"
>     implementation "org.apereo.cas:cas-server-webapp-init"
>
>     developmentOnly "org.springframework.boot:spring-boot-devtools:${project.springBootVersion}"
>
>     /**
>      * CAS dependencies and modules may be listed here.
>      *
>      * There is no need to specify the version number for each dependency
>      * since versions are all resolved and controlled by the dependency management
>      * plugin via the CAS bom.
>      **/
>     implementation "org.apereo.cas:cas-server-support-rest"
>     implementation "org.apereo.cas:cas-server-support-saml-idp"
>     implementation "org.apereo.cas:cas-server-support-pac4j-webflow"
>     implementation "org.apereo.cas:cas-server-support-json-service-registry"
>     implementation "org.apereo.cas:cas-server-core-authentication-api"
>     implementation "org.apereo.cas:cas-server-core-api-authentication"
>     implementation "org.apereo.cas:cas-server-core-webflow-api"
>     implementation "org.apereo.cas:cas-server-core-api-webflow"
>     implementation "org.apereo.cas:cas-server-core-web-api"
>
>     if (project.hasProperty("casModules")) {
>         ...
>     }
>
>     testImplementation "org.springframework.boot:spring-boot-starter-test"
> }
>
> This is the output of gradle build. I verified that the classes are right there in the two jars; not sure why the build cannot find the two symbols: AuthenticationHandler and AbstractAuthenticationHandler.
>
> 2023-12-11T09:40:59.478-0500 [INFO] [org.gradle.jvm.toolchain.internal.DefaultToolchainJavaCompiler] Compiling with toolchain 'C:\Program Files\Java\jdk-11.0.12'.
> 2023-12-11T09:40:59.484-0500 [DEBUG] [org.gradle.api.internal.tasks.compile.NormalizingJavaCompiler] Compiler arguments: --release 11 -d C:\apereocas66x\cas-overlay-template\build\classes\java\main -encoding UTF-8 -h C:\apereocas66x\cas-overlay-template\build\generated\sources\headers\java\main -g -sourcepath "" -processorpath C:\Users\yaou\.gradle\caches\modules-2\files-2.1\org.projectlombok\lombok\1.18.28\a2ff5da8bcd8b1b26f36b806ced63213362c6dcc\lombok-1.18.28.jar -s C:\apereocas66x\cas-overlay-template\build\generated\sources\annotationProcessor\java\main -XDuseUnsharedTable=true -classpath C:\Users\yaou\.gradle\caches\modules-2\files-2.1\org.apereo.cas\cas-server-core-authentication-api\6.6.12\93b4e0a396cb935b7f967a813a70181976934f0e\cas-server-core-authentication-api-6.6.12.jar; . C:\Users\yaou\.gradle\caches\modules-2\files-2.1\org.apereo.cas\cas-server-core-api-authentication\6.6.12\38150afad77cd42a83879eb4027e272c85b6047c\cas-server-core-api-authentication-6.6.12.jar;..C:\Users\yaou\.m3\repository\com\github\scribejava\scribejava-java8\8.3.1\scribejava-java8-8.3.1.jar -parameters -Xlint:-processing C:\apereocas66x\cas-overlay-template\src\main\java\com\quest\cas\trusted\QdxTrustedSamlAuthenticationEventExecutionPlanConfiguration.java C:\apereocas66x\cas-overlay-template\src\main\java\com\quest\cas\trusted\QdxTrustedSamlAuthenticationHandler.java C:\aper
[cas-user] CAS 6.6.12 compiler error, though jars are in classpath
Hi, I am using the CAS 6.6.12 overlay, new to Gradle, so I may be missing something obvious. I need to create my own authentication handler class, so in my build.gradle I added:

    implementation "org.apereo.cas:cas-server-core-authentication-api"
    implementation "org.apereo.cas:cas-server-core-api-authentication"

I keep getting a compiler error, although the classes are there in my classpath. This is the portion of my build.gradle file; the dependencies are listed there.

    dependencies {
        /**
         * Do NOT modify the lines below or else you will risk breaking dependency management.
         */
        implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
        implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)

        /**
         * Do NOT modify the lines below or else you will risk breaking the build.
         */
        implementation "org.apereo.cas:cas-server-core-api-configuration-model"
        implementation "org.apereo.cas:cas-server-webapp-init"
        developmentOnly "org.springframework.boot:spring-boot-devtools:${project.springBootVersion}"

        /**
         * CAS dependencies and modules may be listed here.
         *
         * There is no need to specify the version number for each dependency
         * since versions are all resolved and controlled by the dependency management
         * plugin via the CAS bom.
         **/
        implementation "org.apereo.cas:cas-server-support-rest"
        implementation "org.apereo.cas:cas-server-support-saml-idp"
        implementation "org.apereo.cas:cas-server-support-pac4j-webflow"
        implementation "org.apereo.cas:cas-server-support-json-service-registry"
        implementation "org.apereo.cas:cas-server-core-authentication-api"
        implementation "org.apereo.cas:cas-server-core-api-authentication"
        implementation "org.apereo.cas:cas-server-core-webflow-api"
        implementation "org.apereo.cas:cas-server-core-api-webflow"
        implementation "org.apereo.cas:cas-server-core-web-api"

        if (project.hasProperty("casModules")) {
            ...
        }

        testImplementation "org.springframework.boot:spring-boot-starter-test"
    }

This is the output of gradle build. I verified that the classes are right there in the two jars, not sure why the build cannot find the two symbols: AuthenticationHandler and AbstractAuthenticationHandler.

    2023-12-11T09:40:59.478-0500 [INFO] [org.gradle.jvm.toolchain.internal.DefaultToolchainJavaCompiler] Compiling with toolchain 'C:\Program Files\Java\jdk-11.0.12'.
    2023-12-11T09:40:59.484-0500 [DEBUG] [org.gradle.api.internal.tasks.compile.NormalizingJavaCompiler] Compiler arguments: --release 11 -d C:\apereocas66x\cas-overlay-template\build\classes\java\main -encoding UTF-8 -h C:\apereocas66x\cas-overlay-template\build\generated\sources\headers\java\main -g -sourcepath "" -processorpath C:\Users\yaou\.gradle\caches\modules-2\files-2.1\org.projectlombok\lombok\1.18.28\a2ff5da8bcd8b1b26f36b806ced63213362c6dcc\lombok-1.18.28.jar -s C:\apereocas66x\cas-overlay-template\build\generated\sources\annotationProcessor\java\main -XDuseUnsharedTable=true -classpath C:\Users\yaou\.gradle\caches\modules-2\files-2.1\org.apereo.cas\cas-server-core-authentication-api\6.6.12\93b4e0a396cb935b7f967a813a70181976934f0e\cas-server-core-authentication-api-6.6.12.jar;...C:\Users\yaou\.gradle\caches\modules-2\files-2.1\org.apereo.cas\cas-server-core-api-authentication\6.6.12\38150afad77cd42a83879eb4027e272c85b6047c\cas-server-core-api-authentication-6.6.12.jar;...C:\Users\yaou\.m3\repository\com\github\scribejava\scribejava-java8\8.3.1\scribejava-java8-8.3.1.jar -parameters -Xlint:-processing C:\apereocas66x\cas-overlay-template\src\main\java\com\quest\cas\trusted\QdxTrustedSamlAuthenticationEventExecutionPlanConfiguration.java C:\apereocas66x\cas-overlay-template\src\main\java\com\quest\cas\trusted\QdxTrustedSamlAuthenticationHandler.java C:\apereocas66x\cas-overlay-template\src\main\java\org\apereo\cas\config\CasOverlayOverrideConfiguration.java
    2023-12-11T09:40:59.485-0500 [INFO] [org.gradle.api.internal.tasks.compile.JdkJavaCompiler] Compiling with JDK Java compiler API.
    2023-12-11T09:41:01.136-0500 [ERROR] [system.err] C:\apereocas66x\cas-overlay-template\src\main\java\com\quest\cas\trusted\QdxTrustedSamlAuthenticationEventExecutionPlanConfiguration.java:20: error: cannot find symbol
    2023-12-11T09:41:01.137-0500 [ERROR] [system.err]     public AuthenticationHandler qdxTrustedSamlAuthenticationHandler() {
    2023-12-11T09:41:01.137-0500 [ERROR] [system.err]            ^
    2023-12-11T09:41:01.137-0500 [ERROR] [system.err]   symbol:   class AuthenticationHandler
    2023-12-11T09:41:01.137-0500 [ERROR] [system.err]   location: class QdxTrustedSamlAuthenticationEventExecutionPlanConfiguration
    2023-12-11T09:41:01.137-0500 [ERROR] [system.err] C:\apereocas66x\cas-overlay-template\src\main\java\com\quest\cas\trusted\QdxTrustedSamlAuthenticationHandler.java:9: error: cannot find symbol
    2023-12-11T09:41:01.138-0500 [ERROR] [system.err] public class QdxTrustedSamlAuthenticationHandler extends
[cas-user] Re: CAS 6.4.x, windows only Bind exception on cas.properties
Well, figured out after careful reading of the console logs. I accidentally deleted the temp folder under tomcat, so the initial start-up failed.

Yan

On Wednesday, December 6, 2023 at 11:02:45 AM UTC-5 Yan Zhou wrote:
> Hi there,
>
> this is very odd, but I cannot figure this out. I am setting up SAML and Delegated AuthN on CAS.
>
> I am on CAS 6.4.6.6, it works on Linux servers, but on my Windows laptop, CAS starts up with this error.
>
> I confirmed that it is loading the right cas.properties on Windows, as long as I remove the following values, it starts up just fine, but once I put them back, I get this error. My cas WEB-INF/lib does have: cas-server-core-api-configuration-model-6.4.6.6.jar, which contains: Pac4jSamlClientProperties, it looks correct to me the way I define cas properties below.
>
> how can I debug this? for instance, how do I set ignoreInvalidFields to false so that I can still more? right now, it says: 'CasConfigurationProperties' : prefix=cas, ignoreInvalidFields=false, ignoreUnknownFields=true. I cannot find anywhere that is defined.
>
> here is the relevant portion of cas.properties, I do Not see anything wrong, it works well on Linux.
>
> thanks in advance!
> Yan
>
> cas.authn.saml-idp.core.entity-id=https://localhost:8443/idp
> cas.authn.saml-idp.metadata.fileSystem.location=file:///C:/apereocas66x/config/idpmetadata
> #
> ###cas.authn.pac4j.core.discovery-selection.selection-type=DYNAMIC
>
> cas.authn.pac4j.saml[0].keystorePath=file:///C:/apereocas66x/config/casas-samlsp/samlkeystore
> cas.authn.pac4j.saml[0].keystorePassword=changeit
> cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
> cas.authn.pac4j.saml[0].privateKeyPassword=changeit
> cas.authn.pac4j.saml[0].serviceProviderEntityId=https://localhost:8443/cas/samlsp
> cas.authn.pac4j.saml[0].clientName=Okta
> cas.authn.pac4j.saml[0].forceAuth=false
> cas.authn.pac4j.saml[0].passive=false
> cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=3600
> cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:///C:/apereocas66x/config/casas-samlsp/sp-metadata.xml
> cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-1xx8.okta.com/app/ex7/sso/saml/metadata
> cas.authn.pac4j.saml[0].useNameQualifier=false
> #cas.authn.pac4j.saml[0].autoRedirectType=CLIENT
> cas.authn.pac4j.saml[0].signAuthnRequest=true
> cas.authn.pac4j.saml[0].signServiceProviderLogoutRequest=true
>
> ***
> APPLICATION FAILED TO START
> ***
>
> Description:
>
> Failed to bind properties under 'cas.authn.pac4j.saml[0]' to org.apereo.cas.configuration.model.support.pac4j.saml.Pac4jSamlClientProperties:
>
> Property: cas.authn.pac4j.saml[0].force-auth
> Value: false
> Origin: "cas.authn.pac4j.saml[0].force-auth" from property source "bootstrapProperties-applicationProfilesCompositeProperties"
> Reason: java.io.IOException: The system cannot find the path specified
>
> Action:
>
> Update your application's configuration
Re: [cas-user] app not authorized error with IdP initiated SAML SSO
Here is what I am trying to do. AppB is authenticated by CAS. AppB does Not speak SAML, it uses the CAS protocol to authenticate against CAS.

With the SP-initiated flow, I go to AppB, it redirects to CAS (CAS protocol, NO SAML), CAS then delegates authN to Okta using SAML and validates the SAML response, the CAS SSO session is created, and the user is in AppB. This is working. There is No SAML between AppB and CAS; there is SAML between CAS and Okta.

In the IdP-initiated flow, I want Okta to post the SAMLResponse to the CAS SSO endpoint: /idp/profile/SAML2/Unsolicited/SSO, then something on the URL (such as the ProviderId parameter) will redirect to the AppB URL after the SAML response is validated and the CAS session created. Next, the user is directed to B, B uses the CAS protocol for authN, the CAS session is created, so the user is in B.

When I tried, it does not work that way. I got an error on /idp/profile/SAML2/Unsolicited/SSO: this does Not accept HTTP POST, it expects GET. But the IdP-initiated flow always does POST since the SAML response is included.

I hope that makes sense.

Yan

On Monday, December 4, 2023 at 2:46:08 PM UTC-5 Ray Bon wrote:
> Yan,
>
> Could you configure IdP initiated login to redirect to appB rather than cas?
>
> fails due to the following, Is something missing after this?
>
> Ray
>
> On Mon, 2023-11-27 at 11:36 -0800, Yan Zhou wrote:
>> Hi,
>>
>> I am on CAS 6.4.x. Two apps, appA, authenticated by Okta, and appB, authenticated by CAS; cas delegates authN to Okta for appB.
>>
>> This is working correctly: I login to appA via Okta, when I go to the appB URL, SSO happens. If I go straight to appB without logging in to Okta first, delegated authN takes me to the Okta login page, etc. That works, partly because I have set up an Application inside the Okta Admin portal, for Okta to post the SAML response to the CAS SSO endpoint: https:///cas/login?client_name=Okta
>>
>> But, this is Not working. I login to my Okta portal, I click on the SAML2 application icon in the Okta portal, i.e., IdP initiated flow, I expect that I will be in appB via SSO, but I am getting "application not authorized error" on CAS.
>>
>> Using SAML tracer, I found the SAML payload is almost identical in both cases, but the IdP-initiated flow fails due to the following. Is that because there is Not CAS delegating to Okta, since it is an Okta-initiated request, so the call fails?
>>
>> What do I need to do to make the IdP initiated flow (i.e., initiated by Okta, which CAS delegates authN to) work?
>>
>> Thanks!
>>
>> protected TransientSessionTicket retrieveSessionTicketViaClientId(final WebContext webContext, final String clientId) {
>>     try {
>>         val ticket = configContext.getCentralAuthenticationService().getTicket(clientId, TransientSessionTicket.class);
>>         LOGGER.debug("Located delegated authentication client identifier as [{}]", ticket.getId());
>>         return ticket;
>>     } catch (final Exception e) {
>>         LOGGER.error("Delegated client identifier cannot be located in the authentication request [{}]", webContext.getFullRequestURL());
>>         throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, StringUtils.EMPTY);
>>     }
>> }
[cas-user] CAS 6.4.x, windows only Bind exception on cas.properties
Hi there,

this is very odd, but I cannot figure this out. I am setting up SAML and Delegated AuthN on CAS.

I am on CAS 6.4.6.6, it works on Linux servers, but on my Windows laptop, CAS starts up with this error.

I confirmed that it is loading the right cas.properties on Windows, as long as I remove the following values, it starts up just fine, but once I put them back, I get this error. My cas WEB-INF/lib does have: cas-server-core-api-configuration-model-6.4.6.6.jar, which contains: Pac4jSamlClientProperties, it looks correct to me the way I define cas properties below.

how can I debug this? for instance, how do I set ignoreInvalidFields to false so that I can still more? right now, it says: 'CasConfigurationProperties' : prefix=cas, ignoreInvalidFields=false, ignoreUnknownFields=true. I cannot find anywhere that is defined.

here is the relevant portion of cas.properties, I do Not see anything wrong, it works well on Linux.

thanks in advance!
Yan

cas.authn.saml-idp.core.entity-id=https://localhost:8443/idp
cas.authn.saml-idp.metadata.fileSystem.location=file:///C:/apereocas66x/config/idpmetadata
#
###cas.authn.pac4j.core.discovery-selection.selection-type=DYNAMIC

cas.authn.pac4j.saml[0].keystorePath=file:///C:/apereocas66x/config/casas-samlsp/samlkeystore
cas.authn.pac4j.saml[0].keystorePassword=changeit
cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
cas.authn.pac4j.saml[0].privateKeyPassword=changeit
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://localhost:8443/cas/samlsp
cas.authn.pac4j.saml[0].clientName=Okta
cas.authn.pac4j.saml[0].forceAuth=false
cas.authn.pac4j.saml[0].passive=false
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=3600
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:///C:/apereocas66x/config/casas-samlsp/sp-metadata.xml
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-1xx8.okta.com/app/ex7/sso/saml/metadata
cas.authn.pac4j.saml[0].useNameQualifier=false
#cas.authn.pac4j.saml[0].autoRedirectType=CLIENT
cas.authn.pac4j.saml[0].signAuthnRequest=true
cas.authn.pac4j.saml[0].signServiceProviderLogoutRequest=true

***
APPLICATION FAILED TO START
***

Description:

Failed to bind properties under 'cas.authn.pac4j.saml[0]' to org.apereo.cas.configuration.model.support.pac4j.saml.Pac4jSamlClientProperties:

Property: cas.authn.pac4j.saml[0].force-auth
Value: false
Origin: "cas.authn.pac4j.saml[0].force-auth" from property source "bootstrapProperties-applicationProfilesCompositeProperties"
Reason: java.io.IOException: The system cannot find the path specified

Action:

Update your application's configuration
[cas-user] app not authorized error with IdP initiated SAML SSO
Hi,

I am on CAS 6.4.x. Two apps, appA, authenticated by Okta, and appB, authenticated by CAS; cas delegates authN to Okta for appB.

This is working correctly: I login to appA via Okta, when I go to the appB URL, SSO happens. If I go straight to appB without logging in to Okta first, delegated authN takes me to the Okta login page, etc. That works, partly because I have set up an Application inside the Okta Admin portal, for Okta to post the SAML response to the CAS SSO endpoint: https:///cas/login?client_name=Okta

But, this is Not working. I login to my Okta portal, I click on the SAML2 application icon in the Okta portal, i.e., IdP initiated flow, I expect that I will be in appB via SSO, but I am getting "application not authorized error" on CAS.

Using SAML tracer, I found the SAML payload is almost identical in both cases, but the IdP-initiated flow fails due to the following. Is that because there is Not CAS delegating to Okta, since it is an Okta-initiated request, so the call fails?

What do I need to do to make the IdP initiated flow (i.e., initiated by Okta, which CAS delegates authN to) work?

Thanks!

protected TransientSessionTicket retrieveSessionTicketViaClientId(final WebContext webContext, final String clientId) {
    try {
        val ticket = configContext.getCentralAuthenticationService().getTicket(clientId, TransientSessionTicket.class);
        LOGGER.debug("Located delegated authentication client identifier as [{}]", ticket.getId());
        return ticket;
    } catch (final Exception e) {
        LOGGER.error("Delegated client identifier cannot be located in the authentication request [{}]", webContext.getFullRequestURL());
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, StringUtils.EMPTY);
    }
}
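The CAS method quoted in this thread looks up a TransientSessionTicket by the client identifier carried in the incoming request and throws UnauthorizedServiceException when none can be found. The following is an added example, not CAS project code, that models that binding in plain Java so the difference between the two flows is visible: a ticket is minted only when the server itself starts the delegation, so a response that arrives with no ticket (the IdP-initiated case) or with an already-consumed ticket is refused. The class and method names (DelegationTicketRegistry, TransientTicket, beginDelegation, completeDelegation) are hypothetical, and the client name and service URL in main() are constructed sample values.

```java
// Added example, not CAS project code: models the binding between a delegated
// login that the server started and the IdP response that comes back for it.
// Class and method names are hypothetical; the client name and service URL in
// main() are constructed sample values.
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

public class DelegationTicketRegistry {

    /** One-time, short-lived record minted when the server itself starts a delegated login. */
    public static final class TransientTicket {
        final String id;
        final String clientName;
        final String originalService;
        final Instant expiresAt;

        TransientTicket(String id, String clientName, String originalService, Instant expiresAt) {
            this.id = id;
            this.clientName = clientName;
            this.originalService = originalService;
            this.expiresAt = expiresAt;
        }

        public String originalService() { return originalService; }
    }

    private final Map<String, TransientTicket> tickets = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration ttl;

    public DelegationTicketRegistry(Duration ttl) {
        this.ttl = ttl;
    }

    /**
     * SP-initiated leg: called before redirecting the browser to the IdP. The
     * returned id is what the server expects to see again on the callback; it is
     * unguessable (192 bits from SecureRandom) and expires after the configured TTL.
     */
    public String beginDelegation(String clientName, String originalService) {
        byte[] raw = new byte[24];
        random.nextBytes(raw);
        String id = "TST-" + Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tickets.put(id, new TransientTicket(id, clientName, originalService, Instant.now().plus(ttl)));
        return id;
    }

    /**
     * Callback leg: accept the IdP response only if it references a ticket this
     * server issued for that client, and consume the ticket so it cannot be replayed.
     * An IdP-initiated response carries no ticket id and is therefore rejected.
     */
    public Optional<TransientTicket> completeDelegation(String clientName, String ticketId) {
        if (ticketId == null) {
            return Optional.empty();                 // unsolicited: nothing was issued for this response
        }
        TransientTicket ticket = tickets.remove(ticketId);   // remove first: strictly one-time use
        if (ticket == null) {
            return Optional.empty();                 // unknown, or already consumed
        }
        if (Instant.now().isAfter(ticket.expiresAt) || !ticket.clientName.equals(clientName)) {
            return Optional.empty();                 // stale, or issued for a different delegated client
        }
        return Optional.of(ticket);
    }

    public static void main(String[] args) {
        DelegationTicketRegistry registry = new DelegationTicketRegistry(Duration.ofMinutes(5));

        // SP-initiated: the server mints a ticket, redirects to the IdP, and the IdP echoes it back.
        String id = registry.beginDelegation("Okta", "https://appb.example/login");
        Optional<TransientTicket> first = registry.completeDelegation("Okta", id);
        System.out.println("SP-initiated response accepted : " + first.isPresent()
                + (first.isPresent() ? ", continue to " + first.get().originalService() : ""));

        // Replaying the same response: the ticket was consumed, so it is refused.
        System.out.println("Replayed response accepted     : " + registry.completeDelegation("Okta", id).isPresent());

        // IdP-initiated: the IdP posts a response the server never asked for; there is no ticket to find.
        System.out.println("IdP-initiated response accepted: " + registry.completeDelegation("Okta", null).isPresent());
    }
}
```

Run it with `java DelegationTicketRegistry.java` (Java 11 or later). The three lines print true, false and false: the only response the server honours is one it solicited, which is the same property the quoted CAS code enforces when it fails to locate a ticket for an unsolicited response. Consuming the ticket on first use is what turns a logged-in user's intercepted callback into a single-use artefact rather than a durable one.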
[cas-user] Re: CAS6.4.x, common-codec error with SAML delegated AuthN
Never mind, we had the same class brought in by another 3rd party dependency.

Yan

On Thursday, November 2, 2023 at 1:46:23 PM UTC-4 Yan Zhou wrote:
>
> I looked at the code. It seems that either 1.15 or 1.16.0, both should work. Not sure why we get the NoSuchMethod error.
>
> /** Encoder used to produce chunked output. */
> @Nonnull private static final Base64 CHUNKED_ENCODER = new Base64(76, new byte[] { '\n' }, false, CodecPolicy.STRICT);
>
> * @since 1.15
> */
> public Base64(final int lineLength, final byte[] lineSeparator, final boolean urlSafe, final CodecPolicy decodingPolicy) {
>
> On Thursday, November 2, 2023 at 1:40:43 PM UTC-4 Yan Zhou wrote:
>
>> Hi there,
>>
>> CAS 6.4.6.6 overlay, using CAS for SAML delegated authN, getting this error when going to the /cas/login page, while it is generating the CAS sp-metadata.xml
>>
>> CAS comes with commons-codec-1.15.jar; on some RHEL, I had success with replacing it with commons-codec-1.16.0.jar, but it still fails on other RHEL. I suppose it is more than just the commons-codec version?
>>
>> Thanks,
>>
>> cas.authn.pac4j.saml[0].keystorePath=/opt/jboss/ssoconf/samlsp/samlkeystore
>> cas.authn.pac4j.saml[0].keystorePassword=changeit
>> cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
>> cas.authn.pac4j.saml[0].privateKeyPassword=changeit
>> cas.authn.pac4j.saml[0].serviceProviderEntityId=https://../cas/samlsp
>> cas.authn.pac4j.saml[0].clientName=Okta
>>
>> 2023-11-02 17:19:38,864 ERROR [https-jsse-nio-8543-exec-14] [org.springframework.boot.web.servlet.support.ErrorPageFilter] - [org.apache.commons.codec.binary.Base64.<init>(I[BZLorg/apache/commons/codec/CodecPolicy;)V]>
>> java.lang.NoSuchMethodError: org.apache.commons.codec.binary.Base64.<init>(I[BZLorg/apache/commons/codec/CodecPolicy;)V
>>     at net.shibboleth.utilities.java.support.codec.Base64Support.<clinit>(Base64Support.java:46) ~[java-support-8.2.1.jar:?]
>>     at org.opensaml.xmlsec.keyinfo.KeyInfoSupport.buildX509Certificate(KeyInfoSupport.java:380) ~[opensaml-xmlsec-api-4.1.1.jar:?]
>>     at org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory$X509KeyInfoGenerator.processEntityCertificate(X509KeyInfoGeneratorFactory.java:475) ~[opensaml-xmlsec-impl-4.1.1.jar:?]
>>     at org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory$X509KeyInfoGenerator.generate(X509KeyInfoGeneratorFactory.java:437) ~[opensaml-xmlsec-impl-4.1.1.jar:?]
>>     at org.pac4j.saml.crypto.KeyStoreCredentialProvider.generateKeyInfoForCredential(KeyStoreCredentialProvider.java:128) ~[pac4j-saml-5.3.1.jar:?]
>>     at org.pac4j.saml.crypto.KeyStoreCredentialProvider.getKeyInfo(KeyStoreCredentialProvider.java:94) ~[pac4j-saml-5.3.1.jar:?]
>>     at org.pac4j.saml.metadata.BaseSAML2MetadataGenerator.buildSPSSODescriptor(BaseSAML2MetadataGenerator.java:240) ~[pac4j-saml-5.3.1.jar:?]
>>     at org.pac4j.saml.metadata.BaseSAML2MetadataGenerator.buildEntityDescriptor(BaseSAML2MetadataGenerator.java:157) ~[pac4j-saml-5.3.1.jar:?]
>>     at org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver.prepareServiceProviderMetadata(SAML2ServiceProviderMetadataResolver.java:42) ~[pac4j-saml-5.3.1.jar:?]
>>     at org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver.<init>(SAML2ServiceProviderMetadataResolver.java:27) ~[pac4j-saml-5.3.1.jar:?]
>>     at org.pac4j.saml.client.SAML2Client.initServiceProviderMetadataResolver(SAML2Client.java:201) ~[pac4j-saml-5.3.1.jar:?]
>>     at org.pac4j.saml.client.SAML2Client.internalInit(SAML2Client.java:113) ~[pac4j-saml-5.3.1.jar:?]
>>     at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:56) ~[pac4j-core-5.3.1.jar:?]
>>     at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:33) ~[pac4j-core-5.3.1.jar:?]
>>     at org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer.produce(DefaultDelegatedClientIdentityProviderConfigurationProducer.java:101) ~[cas-server-support-pac4j-webflow-6.4.6.6.jar:6.4.6.6]
>>     at org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer.lambda$produce$3(DefaultDelegatedClientI
Re: [cas-user] Strange delegated SAML Error on RHEL (CAS6.4.6.6)
Well, we finally figured it out. It is not CAS, we have some network security that is blocking the request. I was just using wget to get the login page from one of the servers, it worked fine, that made me think: why did it not work when I access from the laptop.

Thx!

On Tuesday, October 24, 2023 at 9:47:36 PM UTC-4 Ray Bon wrote:
> Yan,
>
> Does samlkeystore exist and is writable (same for path to sp metadata)? But there should be no metadata file when cas starts if you want it to be generated.
>
> You can also create metadata manually, see https://www.samltool.com/sp_metadata.php
>
> Ray
>
> On Tue, 2023-10-24 at 13:15 -0700, Yan Zhou wrote:
>
> Hi there,
>
> I am using CAS 6.4.6.6 for delegated authN using SAML, CAS delegates authN to Okta. I run into a strange error: on Windows, this works fine (i.e., once I point to /cas/login, it generates SP metadata and keystore), but on Linux, CAS does not generate SP metadata and SP keystore. I am not sure why. I did not see any error in logs.
>
> This is the portion of relevant cas.properties.
>
> cas.authn.saml-idp.core.entity-id=https://qa...com/idp
> cas.authn.saml-idp.metadata.fileSystem.location=file:///opt/jboss/ssoconf/idpmetadata
> cas.authn.pac4j.saml[0].keystorePath=/opt/jboss/ssoconf/samlsp/samlkeystore
> cas.authn.pac4j.saml[0].keystorePassword=changeit
> cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
> cas.authn.pac4j.saml[0].privateKeyPassword=changeit
> cas.authn.pac4j.saml[0].serviceProviderEntityId=https://qa...com/cas/samlsp
> cas.authn.pac4j.saml[0].clientName=Okta
> cas.authn.pac4j.saml[0].forceAuth=false
> cas.authn.pac4j.saml[0].passive=false
> cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=3600
> cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/opt/jboss/ssoconf/samlsp/sp-metadata.xml
> cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-1..8.okta.com/app/e...b5d7/sso/saml/metadata
> cas.authn.pac4j.saml[0].useNameQualifier=false
> cas.authn.pac4j.saml[0].signAuthnRequest=true
> cas.authn.pac4j.saml[0].signServiceProviderLogoutRequest=true
>
> On windows (it says: Initializing: SAML2Client), then it generates keystore and SP metadata.
>
> ==
>
> 2023-10-24 16:05:23,317 DEBUG [https-openssl-nio-8443-exec-7] [org.apereo.cas.support.pac4j.RefreshableDelegatedClients] - clients are built: [[#SAML2Client# | name: Okta | callbackUrl: https://localhost:8443/cas/login | urlResolver: null | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@59d1889c | ajaxRequestResolver: null | redirectionActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@4ddff72c | logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@1d8000ee | authorizationGenerators: [] | checkAuthenticationAttempt: true |]]>
> 2023-10-24 16:05:23,317 DEBUG [https-openssl-nio-8443-exec-7] [org.apereo.cas.validation.DelegatedAuthenticationAccessStrategyHelper] -
> 2023-10-24 16:05:23,318 DEBUG [https-openssl-nio-8443-exec-7] [org.pac4j.core.util.InitializableObject] - 0, last: null)>
> 2023-10-24 16:05:23,321 INFO [https-openssl-nio-8443-exec-7] [org.pac4j.saml.config.SAML2Configuration] - IDhttps://localhost:8443/cas/samlsp>
> 2023-10-24 16:05:23,321 DEBUG [https-openssl-nio-8443-exec-7] [org.pac4j.core.util.InitializableObject] - SAML2Configuration (nb: 0, last: null)>
> 2023-10-24 16:05:23,326 WARN [https-openssl-nio-8443-exec-7] [org.pac4j.saml.config.SAML2Configuration] - for/via: file [C:\apereocas66x\config\casas-samlsp\samlkeystore]>
> 2023-10-24 16:05:23,326 WARN [https-openssl-nio-8443-exec-7] [org.pac4j.saml.metadata.keystore.BaseSAML2KeystoreGenerator] - keystore type pkcs12>
> 2023-10-24 16:05:23,435 INFO [https-openssl-nio-8443-exec-7] [org.pac4j.saml.metadata.keystore.BaseSAML2KeystoreGenerator] - keystore file [C:\apereocas66x\config\casas-samlsp\samlkeystore] with key alias cas-samlsp>
>
> On linux, notice it says: Initializing: RefreshableDelegatedClients. Not sure why it does not recognize it is a SAML2Client. Any idea?
>
> Thanks,
>
> ==
>
> 2023-10-24 15:59:35,488 DEBUG [main] [org.apereo.cas.supp
[cas-user] Re: CAS6.4.x, common-codec error with SAML delegated AuthN
I looked at the code. It seems that either 1.15 or 1.16.0, both should work. Not sure why we get the NoSuchMethod error.

/** Encoder used to produce chunked output. */
@Nonnull private static final Base64 CHUNKED_ENCODER = new Base64(76, new byte[] { '\n' }, false, CodecPolicy.STRICT);

 * @since 1.15
 */
public Base64(final int lineLength, final byte[] lineSeparator, final boolean urlSafe, final CodecPolicy decodingPolicy) {

On Thursday, November 2, 2023 at 1:40:43 PM UTC-4 Yan Zhou wrote:
> Hi there,
>
> CAS 6.4.6.6 overlay, using CAS for SAML delegated authN, getting this error when going to the /cas/login page, while it is generating the CAS sp-metadata.xml
>
> CAS comes with commons-codec-1.15.jar; on some RHEL, I had success with replacing it with commons-codec-1.16.0.jar, but it still fails on other RHEL. I suppose it is more than just the commons-codec version?
>
> Thanks,
>
> cas.authn.pac4j.saml[0].keystorePath=/opt/jboss/ssoconf/samlsp/samlkeystore
> cas.authn.pac4j.saml[0].keystorePassword=changeit
> cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
> cas.authn.pac4j.saml[0].privateKeyPassword=changeit
> cas.authn.pac4j.saml[0].serviceProviderEntityId=https://../cas/samlsp
> cas.authn.pac4j.saml[0].clientName=Okta
>
> 2023-11-02 17:19:38,864 ERROR [https-jsse-nio-8543-exec-14] [org.springframework.boot.web.servlet.support.ErrorPageFilter] - [org.apache.commons.codec.binary.Base64.<init>(I[BZLorg/apache/commons/codec/CodecPolicy;)V]>
> java.lang.NoSuchMethodError: org.apache.commons.codec.binary.Base64.<init>(I[BZLorg/apache/commons/codec/CodecPolicy;)V
>     at net.shibboleth.utilities.java.support.codec.Base64Support.<clinit>(Base64Support.java:46) ~[java-support-8.2.1.jar:?]
>     at org.opensaml.xmlsec.keyinfo.KeyInfoSupport.buildX509Certificate(KeyInfoSupport.java:380) ~[opensaml-xmlsec-api-4.1.1.jar:?]
>     at org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory$X509KeyInfoGenerator.processEntityCertificate(X509KeyInfoGeneratorFactory.java:475) ~[opensaml-xmlsec-impl-4.1.1.jar:?]
>     at org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory$X509KeyInfoGenerator.generate(X509KeyInfoGeneratorFactory.java:437) ~[opensaml-xmlsec-impl-4.1.1.jar:?]
>     at org.pac4j.saml.crypto.KeyStoreCredentialProvider.generateKeyInfoForCredential(KeyStoreCredentialProvider.java:128) ~[pac4j-saml-5.3.1.jar:?]
>     at org.pac4j.saml.crypto.KeyStoreCredentialProvider.getKeyInfo(KeyStoreCredentialProvider.java:94) ~[pac4j-saml-5.3.1.jar:?]
>     at org.pac4j.saml.metadata.BaseSAML2MetadataGenerator.buildSPSSODescriptor(BaseSAML2MetadataGenerator.java:240) ~[pac4j-saml-5.3.1.jar:?]
>     at org.pac4j.saml.metadata.BaseSAML2MetadataGenerator.buildEntityDescriptor(BaseSAML2MetadataGenerator.java:157) ~[pac4j-saml-5.3.1.jar:?]
>     at org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver.prepareServiceProviderMetadata(SAML2ServiceProviderMetadataResolver.java:42) ~[pac4j-saml-5.3.1.jar:?]
>     at org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver.<init>(SAML2ServiceProviderMetadataResolver.java:27) ~[pac4j-saml-5.3.1.jar:?]
>     at org.pac4j.saml.client.SAML2Client.initServiceProviderMetadataResolver(SAML2Client.java:201) ~[pac4j-saml-5.3.1.jar:?]
>     at org.pac4j.saml.client.SAML2Client.internalInit(SAML2Client.java:113) ~[pac4j-saml-5.3.1.jar:?]
>     at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:56) ~[pac4j-core-5.3.1.jar:?]
>     at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:33) ~[pac4j-core-5.3.1.jar:?]
>     at org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer.produce(DefaultDelegatedClientIdentityProviderConfigurationProducer.java:101) ~[cas-server-support-pac4j-webflow-6.4.6.6.jar:6.4.6.6]
>     at org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer.lambda$produce$3(DefaultDelegatedClientIdentityProviderConfigurationProducer.java:70) ~[cas-server-support-pac4j-webflow-6.4.6.6.jar:6.4.6.6]
[cas-user] CAS6.4.x, common-codec error with SAML delegated AuthN
Hi there,

CAS 6.4.6.6 overlay, using CAS for SAML delegated authN, getting this error when going to the /cas/login page, while it is generating the CAS sp-metadata.xml

CAS comes with commons-codec-1.15.jar; on some RHEL, I had success with replacing it with commons-codec-1.16.0.jar, but it still fails on other RHEL. I suppose it is more than just the commons-codec version?

Thanks,

cas.authn.pac4j.saml[0].keystorePath=/opt/jboss/ssoconf/samlsp/samlkeystore
cas.authn.pac4j.saml[0].keystorePassword=changeit
cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
cas.authn.pac4j.saml[0].privateKeyPassword=changeit
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://../cas/samlsp
cas.authn.pac4j.saml[0].clientName=Okta

2023-11-02 17:19:38,864 ERROR [https-jsse-nio-8543-exec-14] [org.springframework.boot.web.servlet.support.ErrorPageFilter] - [org.apache.commons.codec.binary.Base64.<init>(I[BZLorg/apache/commons/codec/CodecPolicy;)V]>
java.lang.NoSuchMethodError: org.apache.commons.codec.binary.Base64.<init>(I[BZLorg/apache/commons/codec/CodecPolicy;)V
    at net.shibboleth.utilities.java.support.codec.Base64Support.<clinit>(Base64Support.java:46) ~[java-support-8.2.1.jar:?]
    at org.opensaml.xmlsec.keyinfo.KeyInfoSupport.buildX509Certificate(KeyInfoSupport.java:380) ~[opensaml-xmlsec-api-4.1.1.jar:?]
    at org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory$X509KeyInfoGenerator.processEntityCertificate(X509KeyInfoGeneratorFactory.java:475) ~[opensaml-xmlsec-impl-4.1.1.jar:?]
    at org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory$X509KeyInfoGenerator.generate(X509KeyInfoGeneratorFactory.java:437) ~[opensaml-xmlsec-impl-4.1.1.jar:?]
    at org.pac4j.saml.crypto.KeyStoreCredentialProvider.generateKeyInfoForCredential(KeyStoreCredentialProvider.java:128) ~[pac4j-saml-5.3.1.jar:?]
    at org.pac4j.saml.crypto.KeyStoreCredentialProvider.getKeyInfo(KeyStoreCredentialProvider.java:94) ~[pac4j-saml-5.3.1.jar:?]
    at org.pac4j.saml.metadata.BaseSAML2MetadataGenerator.buildSPSSODescriptor(BaseSAML2MetadataGenerator.java:240) ~[pac4j-saml-5.3.1.jar:?]
    at org.pac4j.saml.metadata.BaseSAML2MetadataGenerator.buildEntityDescriptor(BaseSAML2MetadataGenerator.java:157) ~[pac4j-saml-5.3.1.jar:?]
    at org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver.prepareServiceProviderMetadata(SAML2ServiceProviderMetadataResolver.java:42) ~[pac4j-saml-5.3.1.jar:?]
    at org.pac4j.saml.metadata.SAML2ServiceProviderMetadataResolver.<init>(SAML2ServiceProviderMetadataResolver.java:27) ~[pac4j-saml-5.3.1.jar:?]
    at org.pac4j.saml.client.SAML2Client.initServiceProviderMetadataResolver(SAML2Client.java:201) ~[pac4j-saml-5.3.1.jar:?]
    at org.pac4j.saml.client.SAML2Client.internalInit(SAML2Client.java:113) ~[pac4j-saml-5.3.1.jar:?]
    at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:56) ~[pac4j-core-5.3.1.jar:?]
    at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:33) ~[pac4j-core-5.3.1.jar:?]
    at org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer.produce(DefaultDelegatedClientIdentityProviderConfigurationProducer.java:101) ~[cas-server-support-pac4j-webflow-6.4.6.6.jar:6.4.6.6]
    at org.apereo.cas.web.flow.DefaultDelegatedClientIdentityProviderConfigurationProducer.lambda$produce$3(DefaultDelegatedClientIdentityProviderConfigurationProducer.java:70) ~[cas-server-support-pac4j-webflow-6.4.6.6.jar:6.4.6.6]
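The NoSuchMethodError in this thread names the four-argument Base64 constructor (int, byte[], boolean, CodecPolicy) that the quoted source marks @since 1.15, and the eventual finding was a second copy of the class brought in by another dependency. As an added example, not part of the thread and not CAS or commons-codec code, the single-file Java program below lists every class-path location that provides a given class, reports which copy the JVM actually resolved, and checks whether that copy exposes the expected constructor. The class name ClassOriginCheck and its method names are assumptions; the default class name it checks is the one from the stack trace.

```java
// Added example, not from the thread: find every class-path location that
// provides a class, report which copy the JVM resolved, and check that the
// resolved copy has the constructor a caller expects. Class and method names
// here are hypothetical.
//
// Run against a deployed webapp's libraries, e.g.:
//   java -cp 'WEB-INF/lib/*' ClassOriginCheck.java org.apache.commons.codec.binary.Base64
import java.io.IOException;
import java.net.URL;
import java.security.CodeSource;
import java.util.Collections;
import java.util.List;

public class ClassOriginCheck {

    /** Every class-path location that contains the .class resource for this name (duplicates included). */
    public static List<URL> locations(String className) throws IOException {
        String resource = className.replace('.', '/') + ".class";
        ClassLoader cl = ClassOriginCheck.class.getClassLoader();
        if (cl == null) {
            cl = ClassLoader.getSystemClassLoader();
        }
        return Collections.list(cl.getResources(resource));
    }

    /** Jar or directory of the copy the JVM actually resolved, i.e. the one every caller will get. */
    public static String resolvedFrom(String className) {
        try {
            CodeSource cs = Class.forName(className).getProtectionDomain().getCodeSource();
            return cs == null ? "(bootstrap or unknown)" : cs.getLocation().toString();
        } catch (ClassNotFoundException e) {
            return "(not on class path)";
        }
    }

    /** True if the resolved copy declares a public constructor with exactly these parameter types. */
    public static boolean hasConstructor(String className, Class<?>... params) {
        try {
            Class.forName(className).getConstructor(params);
            return true;
        } catch (ClassNotFoundException | NoSuchMethodException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String name = args.length > 0 ? args[0] : "org.apache.commons.codec.binary.Base64";

        System.out.println("JVM resolved " + name + " from: " + resolvedFrom(name));

        List<URL> all = locations(name);
        System.out.println(all.size() + " provider(s) on the class path:");
        for (URL u : all) {
            System.out.println("  " + u);
        }
        if (all.size() > 1) {
            System.out.println("More than one provider: the copy listed first shadows the others,"
                    + " and the winner depends on class-path order.");
        }

        // The constructor the stack trace in this thread expects: (int, byte[], boolean, CodecPolicy).
        // CodecPolicy is resolved by name so this file compiles without commons-codec present.
        try {
            Class<?> policy = Class.forName("org.apache.commons.codec.CodecPolicy");
            boolean ok = hasConstructor(name, int.class, byte[].class, boolean.class, policy);
            System.out.println("Base64(int, byte[], boolean, CodecPolicy) present: " + ok);
        } catch (ClassNotFoundException e) {
            System.out.println("org.apache.commons.codec.CodecPolicy not found: the resolved copy predates commons-codec 1.15.");
        }
    }
}
```

Two providers with different versions is exactly the case where a NoSuchMethodError appears although the newer jar is present: the caller was compiled against the newer constructor, but the older copy won the lookup. Because a servlet container does not promise a particular order when it scans WEB-INF/lib, the winner can differ from host to host, which is consistent with the symptom in this thread of one RHEL server working and another failing with the same jars. The fix is to remove or exclude the extra copy at the dependency level rather than to swap jar versions by hand.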
[cas-user] Strange delegated SAML Error on RHEL (CAS6.4.6.6)
Hi there, I am using CAS 6.4.6.6 for delegated authN using SAML; CAS delegates authN to Okta. I ran into a strange error: on Windows this works fine (i.e., once I point to /cas/login, it generates the SP metadata and keystore), but on Linux CAS does not generate the SP metadata and SP keystore. I am not sure why. I did not see any error in the logs. This is the relevant portion of cas.properties:

cas.authn.saml-idp.core.entity-id=https://qa...com/idp
cas.authn.saml-idp.metadata.fileSystem.location=file:///opt/jboss/ssoconf/idpmetadata
cas.authn.pac4j.saml[0].keystorePath=/opt/jboss/ssoconf/samlsp/samlkeystore
cas.authn.pac4j.saml[0].keystorePassword=changeit
cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
cas.authn.pac4j.saml[0].privateKeyPassword=changeit
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://qa...com/cas/samlsp
cas.authn.pac4j.saml[0].clientName=Okta
cas.authn.pac4j.saml[0].forceAuth=false
cas.authn.pac4j.saml[0].passive=false
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=3600
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/opt/jboss/ssoconf/samlsp/sp-metadata.xml
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-1..8.okta.com/app/e...b5d7/sso/saml/metadata
cas.authn.pac4j.saml[0].useNameQualifier=false
cas.authn.pac4j.saml[0].signAuthnRequest=true
cas.authn.pac4j.saml[0].signServiceProviderLogoutRequest=true

On Windows (it says: Initializing: SAML2Client), then it generates the keystore and SP metadata.

==
2023-10-24 16:05:23,317 DEBUG [https-openssl-nio-8443-exec-7] [org.apereo.cas.support.pac4j.RefreshableDelegatedClients] - https://localhost:8443/cas/login | urlResolver: null | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@59d1889c | ajaxRequestResolver: null | redirectionActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@4ddff72c | logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@1d8000ee | authorizationGenerators: [] | checkAuthenticationAttempt: true |]]>
2023-10-24 16:05:23,317 DEBUG [https-openssl-nio-8443-exec-7] [org.apereo.cas.validation.DelegatedAuthenticationAccessStrategyHelper] -
2023-10-24 16:05:23,318 DEBUG [https-openssl-nio-8443-exec-7] [org.pac4j.core.util.InitializableObject] -
2023-10-24 16:05:23,321 INFO [https-openssl-nio-8443-exec-7] [org.pac4j.saml.config.SAML2Configuration] - https://localhost:8443/cas/samlsp>
2023-10-24 16:05:23,321 DEBUG [https-openssl-nio-8443-exec-7] [org.pac4j.core.util.InitializableObject] -
2023-10-24 16:05:23,326 WARN [https-openssl-nio-8443-exec-7] [org.pac4j.saml.config.SAML2Configuration] -
2023-10-24 16:05:23,326 WARN [https-openssl-nio-8443-exec-7] [org.pac4j.saml.metadata.keystore.BaseSAML2KeystoreGenerator] -
2023-10-24 16:05:23,435 INFO [https-openssl-nio-8443-exec-7] [org.pac4j.saml.metadata.keystore.BaseSAML2KeystoreGenerator] -

On Linux, notice it says: Initializing: RefreshableDelegatedClients. Not sure why it does not recognize that it is a SAML2Client. Any idea?

Thanks,

==
2023-10-24 15:59:35,488 DEBUG [main] [org.apereo.cas.support.pac4j.authentication.DefaultDelegatedClientFactory] - https://qacom/cas/login | urlResolver: null | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@76eec7bb | ajaxRequestResolver: null | redirectionActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@6c83322b | logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@241532d3 | authorizationGenerators: [] | checkAuthenticationAttempt: true |]>
2023-10-24 15:59:35,489 DEBUG [main] [org.apereo.cas.support.pac4j.RefreshableDelegatedClients] - https://qacom/cas/login | urlResolver: null | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@76eec7bb | ajaxRequestResolver: null | redirectionActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@6c83322b | logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@241532d3 | authorizationGenerators: [] | checkAuthenticationAttempt: true |]]>
2023-10-24 15:59:35,489 DEBUG [main] [org.pac4j.core.util.InitializableObject] -
2023-10-24 15:59:35,489 INFO [main] [org.apereo.cas.config.Pac4jAuthenticationEventExecutionPlanConfiguration] -
2023-10-24 15:59:35,744 DEBUG [main] [org.apereo.cas.config.CasPersonDirectoryConfiguration] -
2023-10-24 15:59:36,180 INFO [main] [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] -
[cas-user] CAS 6, AbstractNonInteractiveCredentialsAction on Trusted AuthN with incoming SAML Assertion
Hello, for historical reasons our CAS set-up needs to support accepting an incoming SAML Assertion (validate it, etc.) from an HTTP request parameter and performing authentication as the user principal in the incoming SAML assertion; basically, we trust the SAML authN done by our vendor earlier and create the CAS session so that the user can SSO into our apps. We have overridden AbstractNonInteractiveCredentialsAction to constructCredentialsFromRequest(), i.e., we create a user-defined Credential object and then authenticate and create SSO by overriding AbstractAuthenticationHandler. That has worked well, but I do not see any documentation on this in the CAS 6.6.x documentation; the class is still there in 6.6.x. Is there now a better and easier way to implement Trusted Authentication based on SAML (XML) input from an HTTP request parameter? Thx!
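Added example for the set-up described above (not code from the thread, from CAS or from pac4j). When the assertion arrives in a plain request parameter, the custom action is the last line of defence before a CAS SSO session is minted, so whatever replaces the SAML library's profile handler must at least check the issuer, the audience, the validity window (with clock skew) and replay of the assertion ID. XML-Signature verification is mandatory as well but is left to a DSig-capable library (OpenSAML, which pac4j uses inside CAS); this stdlib-only snippet shows the remaining checks. ReplayCache, check_assertion, the issuer and audience URLs and the SAMPLE_ASSERTION are all constructed for the example.

```python
"""Non-signature checks to run on a SAML assertion before trusting its
Subject/NameID as the CAS principal. Signature verification is assumed to
happen separately and is NOT covered here."""
from datetime import datetime, timedelta
from typing import Dict, List
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample; issuer, audience and ID are placeholders for the demo.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" IssueInstant="2023-09-08T20:09:28.830Z" Version="2.0">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID>jsmith</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2023-09-08T20:09:00Z" NotOnOrAfter="2023-09-08T20:14:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://localhost:8443/cas/samlsp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC in xs:dateTime form, e.g. 2023-09-08T20:09:28.830Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class ReplayCache:
    """Remembers consumed assertion IDs until they expire. A real deployment
    would back this with the shared ticket registry so every CAS node sees it."""

    def __init__(self) -> None:
        self._seen: Dict[str, datetime] = {}

    def remember(self, assertion_id: str, expires: datetime, now: datetime) -> bool:
        """Record the ID; return False if it was already recorded (replay)."""
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires
        return True


def check_assertion(xml: str, expected_issuer: str, expected_audience: str,
                    now: datetime, cache: ReplayCache,
                    skew: timedelta = timedelta(seconds=60)) -> List[str]:
    """Return reasons to reject the assertion; an empty list means the
    non-signature checks passed and Subject/NameID may become the principal."""
    problems: List[str] = []
    root = ET.fromstring(xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["root element is not saml:Assertion"]
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"unexpected issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["missing Conditions"]
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is None or noa is None:
        problems.append("Conditions lack NotBefore/NotOnOrAfter")
    else:
        if now + skew < parse_saml_time(nb):
            problems.append("assertion not yet valid")
        if now - skew >= parse_saml_time(noa):
            problems.append("assertion expired")
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not include this SP")
    if root.find("saml:Subject/saml:NameID", NS) is None:
        problems.append("no Subject/NameID to use as principal")
    assertion_id = root.get("ID", "")
    if not assertion_id:
        problems.append("assertion has no ID")
    elif not problems and noa is not None and \
            not cache.remember(assertion_id, parse_saml_time(noa) + skew, now):
        problems.append(f"assertion {assertion_id} already consumed (replay)")
    return problems
```

The replay entry is only recorded once every other check has passed, so a rejected assertion cannot poison the cache, and it is kept until NotOnOrAfter plus skew, after which the time check rejects it anyway.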
Re: [cas-user] SAML delegated authN in CAS 6.6.x, SLO has no signature element to external IDP?
Figured out!

cas.authn.pac4j.saml[0].signServiceProviderLogoutRequest=true

I was looking for a signature element in the XML SAML Response. Actually, with delegated authN to Okta, the signature is not in the XML; it is a parameter in the GET request, along with the SAMLRequest parameter. What got me there is that I thought about how CAS delegated authN to Okta has been working and how that carried a signature, and I also saw the property. Thx!

On Monday, September 11, 2023 at 1:44:33 PM UTC-4 Yan Zhou wrote:
> HI,
>
> Looks like CAS already performed logout (TGC cookie is already removed) before it redirects to Okta to do the logout, but it does not have a signature element in the Logout request sent to Okta.
>
> Would that be a problem? Even if Okta recognizes it and logs the user out, it will redirect back to CAS; now that the SSO session is already destroyed, CAS would not know how to handle the Okta response. I did see this message in the log, but it is not marked as an error: Can not evaluate delegated authentication policy without a service
>
> Yan
>
> 2023-09-11 13:12:17,154 DEBUG [https-jsse-nio-8443-exec-7] [org.apereo.cas.web.flow.actions.DelegatedAuthenticationClientFinishLogoutAction] - callbackUrl: https://localhost:8443/cas/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@47cf3a3b | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@c83ed77 | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@69099dc8 | redirectionActionBuilder: org.pac4j.saml.redirect.SAML2RedirectionActionBuilder@23a7d2b8 | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@40492ade | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@7ee9de0e | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@d271a54 | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@5b2bfbc6 | authorizationGenerators: [] | checkAuthenticationAttempt: true |]>
> 2023-09-11 13:12:17,154 DEBUG [https-jsse-nio-8443-exec-7] [org.apereo.cas.web.flow.actions.DelegatedAuthenticationClientFinishLogoutAction] - http://localhost:8081/saml/logout?SAMLResponse=pZI%2Fb8IwEMX3forI...bELxwQ%3D%3D ]>
> 2023-09-11 13:12:18,950 INFO [scheduling-1] [org.apereo.cas.services.AbstractServicesManager] - from [JsonServiceRegistry].>
> 2023-09-11 13:12:19,887 INFO [https-jsse-nio-8443-exec-3] [Spring Security Debugger] - < Request received for POST '/login?client_name=bootsp2=true': ..
> 2023-09-11 13:12:19,888 DEBUG [https-jsse-nio-8443-exec-3] [org.apereo.cas.web.flow.CasFlowHandlerMapping] - [FlowHandlerMapping.DefaultFlowHandler@1f480c09]>
> 2023-09-11 13:12:19,890 DEBUG [https-jsse-nio-8443-exec-3] [org.apereo.cas.support.pac4j.authentication.clients.RefreshableDelegatedClients] - callbackUrl: https://localhost:8443/cas/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@47cf3a3b | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@c83ed77 | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@69099dc8 | redirectionActionBuilder: org.pac4j.saml.redirect.SAML2RedirectionActionBuilder@23a7d2b8 | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@40492ade | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@7ee9de0e | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@d271a54 | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@5b2bfbc6 | authorizationGenerators: [] | checkAuthenticationAttempt: true |]]>
> 2023-09-11 13:12:19,890 DEBUG [https-jsse-nio-8443-exec-3] [org.pac4j.core.client.Clients] - bootsp2 | callbackUrl: https://localhost:8443/cas/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@47cf3a3b | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@c83ed77 | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@69099dc8 | redirectionActionBuilder: org.pac4j.saml.redirect.SAML2RedirectionActionBuilder@23a7d2b8 | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@40492ade | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@7ee9de0e | profileCreator: org.pac4j.core.profile.c
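Added example illustrating the point in the post above (not code from the thread, from CAS or from pac4j). With the HTTP-Redirect binding the LogoutRequest XML carries no ds:Signature at all: the sender signs the query string "SAMLRequest=...&RelayState=...&SigAlg=..." (RelayState omitted when absent, values exactly as percent-encoded on the wire) and appends the result as a Signature parameter, which is why looking for a signature element inside the decoded XML finds nothing even when the request is signed. The functions, the logout URL built in the test and the RSA-SHA256 algorithm URI used in verify_signature are this example's own; verifying a real request needs the sender's certificate from its metadata and the third-party cryptography package.

```python
"""Decode a SAML HTTP-Redirect LogoutRequest and show what the Signature
parameter actually covers (SAML 2.0 Bindings, section 3.4.4.1)."""
import base64
import zlib
from typing import Dict
from urllib.parse import urlsplit, quote, unquote

XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def _raw_params(url: str) -> Dict[str, str]:
    """Query parameters with their values left percent-encoded, first wins."""
    params: Dict[str, str] = {}
    for part in urlsplit(url).query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params.setdefault(key, value)
    return params


def signed_data(url: str) -> str:
    """Rebuild the exact octet string the sender signed. It must be assembled
    from the raw encoded values: re-encoding them yourself may change the
    bytes and the signature will not verify."""
    raw = _raw_params(url)
    key = "SAMLRequest" if "SAMLRequest" in raw else "SAMLResponse"
    parts = [f"{key}={raw[key]}"]
    if "RelayState" in raw:
        parts.append(f"RelayState={raw['RelayState']}")
    parts.append(f"SigAlg={raw['SigAlg']}")
    return "&".join(parts)


def decode_message(encoded: str) -> str:
    """SAMLRequest value -> XML: percent-decode, base64-decode, raw-inflate."""
    data = base64.b64decode(unquote(encoded))
    return zlib.decompress(data, -15).decode("utf-8")


def encode_message(xml: str) -> str:
    """Inverse of decode_message (what an SP does before redirecting)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE, no zlib header
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(data).decode("ascii"), safe="")


def describe_logout_request(url: str) -> Dict[str, object]:
    """Summarise where (if anywhere) the request is signed."""
    raw = _raw_params(url)
    xml = decode_message(raw["SAMLRequest"])
    return {
        "xml": xml,
        "xml_has_signature_element": XMLDSIG_NS in xml,
        "signed_in_query": "Signature" in raw and "SigAlg" in raw,
        "sig_alg": unquote(raw.get("SigAlg", "")),
        "signed_data": signed_data(url) if "SigAlg" in raw else None,
    }


def verify_signature(url: str, cert_pem: bytes) -> bool:
    """RSA-SHA256 check of the Signature parameter against the sender's
    certificate. Requires the 'cryptography' package (not stdlib)."""
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    raw = _raw_params(url)
    if unquote(raw.get("SigAlg", "")) != RSA_SHA256:
        return False
    sig = base64.b64decode(unquote(raw["Signature"]))
    pub = x509.load_pem_x509_certificate(cert_pem).public_key()
    try:
        pub.verify(sig, signed_data(url).encode("ascii"),
                   padding.PKCS1v15(), hashes.SHA256())
        return True
    except Exception:
        return False
```

Paste the redirect URL CAS sends to Okta into describe_logout_request: signed_in_query tells you whether signServiceProviderLogoutRequest took effect, and xml_has_signature_element stays False for a correctly signed Redirect-binding request.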
Re: [cas-user] SAML delegated authN in CAS 6.6.x, SLO has no signature element to external IDP?
HI,

Looks like CAS already performed logout (TGC cookie is already removed) before it redirects to Okta to do the logout, but it does not have a signature element in the Logout request sent to Okta.

Would that be a problem? Even if Okta recognizes it and logs the user out, it will redirect back to CAS; now that the SSO session is already destroyed, CAS would not know how to handle the Okta response. I did see this message in the log, but it is not marked as an error: Can not evaluate delegated authentication policy without a service

Yan

2023-09-11 13:12:17,154 DEBUG [https-jsse-nio-8443-exec-7] [org.apereo.cas.web.flow.actions.DelegatedAuthenticationClientFinishLogoutAction] - https://localhost:8443/cas/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@47cf3a3b | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@c83ed77 | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@69099dc8 | redirectionActionBuilder: org.pac4j.saml.redirect.SAML2RedirectionActionBuilder@23a7d2b8 | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@40492ade | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@7ee9de0e | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@d271a54 | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@5b2bfbc6 | authorizationGenerators: [] | checkAuthenticationAttempt: true |]>
2023-09-11 13:12:17,154 DEBUG [https-jsse-nio-8443-exec-7] [org.apereo.cas.web.flow.actions.DelegatedAuthenticationClientFinishLogoutAction] - http://localhost:8081/saml/logout?SAMLResponse=pZI%2Fb8IwEMX3forI...bELxwQ%3D%3D]>
2023-09-11 13:12:18,950 INFO [scheduling-1] [org.apereo.cas.services.AbstractServicesManager] -
2023-09-11 13:12:19,887 INFO [https-jsse-nio-8443-exec-3] [Spring Security Debugger] - < Request received for POST '/login?client_name=bootsp2=true': ..
2023-09-11 13:12:19,888 DEBUG [https-jsse-nio-8443-exec-3] [org.apereo.cas.web.flow.CasFlowHandlerMapping] -
2023-09-11 13:12:19,890 DEBUG [https-jsse-nio-8443-exec-3] [org.apereo.cas.support.pac4j.authentication.clients.RefreshableDelegatedClients] - https://localhost:8443/cas/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@47cf3a3b | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@c83ed77 | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@69099dc8 | redirectionActionBuilder: org.pac4j.saml.redirect.SAML2RedirectionActionBuilder@23a7d2b8 | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@40492ade | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@7ee9de0e | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@d271a54 | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@5b2bfbc6 | authorizationGenerators: [] | checkAuthenticationAttempt: true |]]>
2023-09-11 13:12:19,890 DEBUG [https-jsse-nio-8443-exec-3] [org.pac4j.core.client.Clients] - https://localhost:8443/cas/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@47cf3a3b | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@c83ed77 | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@69099dc8 | redirectionActionBuilder: org.pac4j.saml.redirect.SAML2RedirectionActionBuilder@23a7d2b8 | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@40492ade | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@7ee9de0e | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@d271a54 | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@5b2bfbc6 | authorizationGenerators: [] | checkAuthenticationAttempt: true | for name: bootsp2>
2023-09-11 13:12:19,890 DEBUG [https-jsse-nio-8443-exec-3] [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - https://localhost:8443/cas/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@47cf3a3b | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@c83ed77 | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@69099dc8 | redirectionActionBuilder: org.pac4j.saml.redirect.SAML2RedirectionActionBuilder@23a7d2b8 | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@40492ade | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@7ee9de0e | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@d271a54 | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActi
Re: [cas-user] what is the CAS 6.6.x SSO endpoint as SP in delegated SAML AuthN?
Thanks Ray! Good direction. I finally made some progress after doing what you suggested, except for the SLO scenario; I posted a new message, as that seems to be separate from this. Yan

On Monday, August 28, 2023 at 1:09:58 PM UTC-4 Ray Bon wrote:
> Yan,
>
> It still sounds like you are mixing the client with the delegated authn (okta).
>
> If your client app is communicating with SAML, then cas should be configured as the IdP for client app. The client app will have cas IdP metadata (with cas url in it) and cas will have client app SP metadata and the service will be registered as SamlRegisteredService. Hopefully you can test this setup with the default cas user (casuser:Mellon). (You will have to modify the client app json file to turn off redirect.)
>
> Once the cas <-> client app is working correctly, then you can configure cas and okta.
>
> Cas will get okta IdP metadata and okta will get cas SP metadata (_not_ client app). (Remember to turn on redirect in client app json file.)
>
> Sorry about the oidc endpoint stuff. Cas SAML endpoints are here, https://apereo.github.io/cas/6.6.x/authentication/Configuring-SAML2-Authentication.html#saml-endpoints
> You will most likely use the /idp/profile/SAML2/Redirect/SSO or /idp/profile/SAML2/POST/SSO endpoints set in your client app.
>
> This post might be useful https://fawnoos.com/2022/03/25/cas66-saml-authn-refeds/
>
> Ray
>
> On Fri, 2023-08-25 at 17:05 -0400, Yan wrote:
>
> Hi there,
>
> I made a mistake, changed dependencies without rebuilding the project. Now I have made progress; auto-redirect is working now.
>
> Client App goes to IDP directly (because the IDP metadata generated by CAS has the Okta URL in it). But after I login through Okta, it redirects to CAS, and this is where I still have a problem.
>
> URL is: https://localhost:8443/cas/login?client_name=bootsp2
>
> Error:
>
> 2023-08-25 17:02:54,604 DEBUG [https-jsse-nio-8443-exec-5] [org.pac4j.core.client.Clients] - bootsp2 | callbackUrl:https://localhost:8443/cas/login | urlResolver: null | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@2a2798a2 | ajaxRequestResolver: null | redirectionActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@2b9ecd05 | logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@31f1b268 | authorizationGenerators: [] | checkAuthenticationAttempt: true | for name: bootsp2>
> 2023-08-25 17:02:54,604 DEBUG [https-jsse-nio-8443-exec-5] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - relay-state for the SAML2 client>
> 2023-08-25 17:02:54,605 DEBUG [https-jsse-nio-8443-exec-5] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] -
> 2023-08-25 17:02:54,605 ERROR [https-jsse-nio-8443-exec-5] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - request [https://localhost:8443/cas/login?client_name=bootsp2]>
> 2023-08-25 17:02:54,607 ERROR [https-jsse-nio-8443-exec-5] [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <>
> org.apereo.cas.services.UnauthorizedServiceException:
>     at org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.retrieveSessionTicketViaClientId(DefaultDelegatedClientAuthenticationWebflowManager.java:236) ~[cas-server-support-pac4j-core-6.6.9.jar!/:6.6.9]
>     at org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.retrieve(DefaultDelegatedClientAuthenticationWebflowManager.java:84) ~[cas-server-support-pac4j-core-6.6.9.jar!/:6.6.9]
>     at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.restoreAuthenticationRequestInContext(DelegatedClientAuthenticationAction.java:285) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
>     at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.populateContextWithService(DelegatedClientAuthenticationAction.java:205) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
>     at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.lambda$doExecute$0(DelegatedClientAuthenticationAction.java:123) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
>     at java.util.Optional.orElseGet(Optional.java:369) ~[?:?]
>     at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.doExecute(DelegatedClientAuthentication
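Added example for Ray's explanation above, and for the later question on this page about which metadata document to hand to the client app (not code from the thread or from CAS). In a delegated set-up CAS publishes two different SAML metadata documents: one with an SPSSODescriptor, which describes CAS as the service provider and goes to Okta, and one with an IDPSSODescriptor, which describes CAS as the identity provider and goes to the client apps that authenticate against it. Reading the role element out of the document is enough to tell which is which. The two samples below are constructed stand-ins for what CAS generates; the entity IDs, endpoint URLs and certificate value are placeholders, with the /idp/profile/SAML2/POST/SSO and /idp/profile/SAML2/Redirect/SSO endpoints taken from Ray's reply.

```python
"""Tell which SAML role a metadata document describes and summarise its
endpoints, so the SP document ends up at the upstream IdP and the IdP
document ends up at the client apps."""
import xml.etree.ElementTree as ET
from typing import Dict, List

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of the SP metadata CAS generates for its pac4j client.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://localhost:8443/cas/samlsp">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB-constructed-placeholder</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://localhost:8443/cas/logout"/>
    <md:AssertionConsumerService Binding="{POST}" index="0"
        Location="https://localhost:8443/cas/login?client_name=Okta"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of the IdP metadata CAS publishes for client apps.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://localhost:8443/cas/idp">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{POST}" Location="https://localhost:8443/cas/idp/profile/SAML2/POST/SLO"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://localhost:8443/cas/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://localhost:8443/cas/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _endpoints(desc: ET.Element, name: str) -> List[Dict[str, str]]:
    return [{"binding": e.get("Binding", ""), "location": e.get("Location", "")}
            for e in desc.findall(f"md:{name}", NS)]


def _has_signing_cert(desc: ET.Element) -> bool:
    # A KeyDescriptor without a "use" attribute is valid for both signing and encryption.
    return any(k.get("use") in (None, "signing") and
               k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
               for k in desc.findall("md:KeyDescriptor", NS))


def describe_metadata(xml: str) -> Dict[str, object]:
    root = ET.fromstring(xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not an md:EntityDescriptor")
    info: Dict[str, object] = {"entity_id": root.get("entityID", ""), "roles": []}
    roles: List[str] = info["roles"]  # type: ignore[assignment]
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is not None:
        roles.append("SP")
        info["acs"] = _endpoints(sp, "AssertionConsumerService")
        info["sp_slo"] = _endpoints(sp, "SingleLogoutService")
        info["authn_requests_signed"] = sp.get("AuthnRequestsSigned", "false") == "true"
        info["sp_signing_cert"] = _has_signing_cert(sp)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is not None:
        roles.append("IdP")
        info["sso"] = _endpoints(idp, "SingleSignOnService")
        info["idp_slo"] = _endpoints(idp, "SingleLogoutService")
        info["want_authn_requests_signed"] = idp.get("WantAuthnRequestsSigned", "false") == "true"
    return info


def which_side(xml: str) -> str:
    """Operator-facing verdict: where this document belongs in a delegated set-up."""
    roles = describe_metadata(xml)["roles"]
    if roles == ["SP"]:
        return "give to the upstream IdP (Okta): this describes CAS as a service provider"
    if roles == ["IdP"]:
        return "give to client apps: this describes CAS as their identity provider"
    return "describes both roles; check which entityID the peer expects"
```

A client app handed the SP document will try to send its AuthnRequest to an AssertionConsumerService, which is exactly the "not found in the registry" confusion seen later on this page; sp_signing_cert tells you whether the SP document even carries the certificate Okta needs to validate signed logout requests.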
[cas-user] SAML delegated authN in CAS 6.6.x, SLO has no signature element to external IDP?
Hi, I have almost completed SAML delegated authN with CAS and Okta (CAS delegates to Okta), except for SLO. When the client app initiates SLO, it goes to CAS, CAS redirects to Okta, but Okta says "invalid signature": the SAML Logout request from CAS has no signature element. See below. I verified the Okta setting; nowhere does it say it requires a signature in the Logout Request. Regardless, I cannot figure out how to get CAS to sign the SLO request when in delegated authN. This setting made no difference even when set:

cas.authn.pac4j.saml[0].signServiceProviderLogoutRequest=true

This is the SLO from CAS to Okta, with no signature element; I suppose that is why Okta says "Invalid Signature", but I do not know how to get Okta to turn off checking. In Okta, "Validate SAML requests with signature certificates" is OFF. Ideas? Thanks in advance,

Yan

https://dev-...okta.com/app/dev-11p_1/ex..7/slo/saml; ID="_2701..ca870e07705" IssueInstant="2023-09-08T20:09:28.830Z" Version="2.0" > https://localhost:8443/cas/samlsp yan...com _4ba2..3a4b0
Re: [cas-user] what is the CAS 6.6.x SSO endpoint as SP in delegated SAML AuthN?
Hi, mine is SAML2. Based on the principle that the client app should not be aware of whether CAS is the IDP or CAS is delegating, I thought the SSO URL remains the same: https://localhost:8443/cas/idp/profile/SAML2/POST/SSO

But when the client app redirects to the above SSO endpoint, CAS is looking in the service registry for "org.apereo.cas.support.saml.services.SamlRegisteredService", while my client app is of "org.apereo.cas.services.CasRegisteredService" in JSON, since it delegates to the external IDP. Now I get this error in the CAS log; my app runs on localhost:8081 and CAS cannot find it in the registry. I do not know why it is looking for SamlRegisteredServices; I do not want CAS to be the IDP.

[org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <[http://localhost:8081/saml/metadata] is not found in the registry or service access is denied.>
2023-08-25 16:13:41,975 WARN [https-jsse-nio-8443-exec-5] [org.apereo.cas.util.function.FunctionUtils] -
org.apereo.cas.services.UnauthorizedServiceException: screen.service.error.message
    at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.verifySamlRegisteredService(AbstractSamlIdPProfileHandlerController.java:172) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
    at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.verifySamlAuthenticationRequest(AbstractSamlIdPProfileHandlerController.java:490) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
    at

Yan

On Friday, August 25, 2023 at 3:34:08 PM UTC-4 Ray Bon wrote:
> Yan,
>
> My local OIDC goes to cas/oidc/oidcAuthorize where cas redirects to /cas/login. In your case, cas should redirect to the remote IdP.
> The cas endpoints are described here, https://apereo.github.io/cas/6.6.x/authentication/OIDC-Authentication.html (though I note that the protocol differs from what my client is doing above and says cas/oidc/authorize).
>
> Your client app should know nothing about how or where the login takes place. It should only know about cas. That way you can change the upstream IdP in cas and not have to make changes to your client.
>
> Ray
>
> On Fri, 2023-08-25 at 11:49 -0700, Yan Zhou wrote:
>
> Hi,
>
> This is my environment:
>
> CAS 6.6.x, SAML2 delegated authN, Spring Boot app -> CAS -> Okta (CAS delegates to Okta, CAS is an SP to Okta, Okta is the IDP).
>
> One trouble I have is on the client app side: it needs to specify the IDP, which should be CAS, but I do not know what the CAS SSO endpoint below should be (since CAS is also an SP to Okta). I tried /cas/login; as I go to the client app, it redirects to the CAS login page and I see the external identity provider on the login page. However, autoRedirect is not working, which tells me something is not set up correctly.
>
> Did I have the SSO endpoint correct in the following: /cas/login, /cas/logout?
>
> Yan
>
> IDP metadata file placed on the Spring Boot client app side
>
> entityID="http://www.okta.com/exkas4vj25jdUfJEx5d7;>
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
> ..
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/cas/logout"/>
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/cas/logout"/>
> urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
> urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/cas/login"/>
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/cas/login"/>
>
> cas.properties, runs on localhost:8443/cas
> =
> cas.authn.pac4j.saml[0].keystorePath=file:///C:/apereocas66x/config/casas-samlsp/samlkeystore
> cas.authn.pac4j.saml[0].keystorePassword=changeit
> cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
> cas.authn.pac4j.saml[0].privateKeyPassword=changeit
> cas.authn.pac4j.saml[0].serviceProviderEntityId=https://localhost:8443/cas/samlsp
> cas.authn.pac4j.saml[0].clientName=bootsp2
> cas.authn.pac4j.saml[0].forceAuth=false
> cas.authn.pac4j.saml[0].passive=false
> cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=3600
> cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:///C:/ap
Re: [cas-user] what is the CAS 6.6.x SSO endpoint as SP in delegated SAML AuthN?
Hi there, I made a mistake, changed dependencies without rebuilding the project. Now I have made progress; auto-redirect is working now.

Client App goes to IDP directly (because the IDP metadata generated by CAS has the Okta URL in it). But after I login through Okta, it redirects to CAS, and this is where I still have a problem.

URL is: https://localhost:8443/cas/login?client_name=bootsp2

Error:

2023-08-25 17:02:54,604 DEBUG [https-jsse-nio-8443-exec-5] [org.pac4j.core.client.Clients] - https://localhost:8443/cas/login | urlResolver: null | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@2a2798a2 | ajaxRequestResolver: null | redirectionActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@2b9ecd05 | logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@31f1b268 | authorizationGenerators: [] | checkAuthenticationAttempt: true | for name: bootsp2>
2023-08-25 17:02:54,604 DEBUG [https-jsse-nio-8443-exec-5] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] -
2023-08-25 17:02:54,605 DEBUG [https-jsse-nio-8443-exec-5] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] -
2023-08-25 17:02:54,605 ERROR [https-jsse-nio-8443-exec-5] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - https://localhost:8443/cas/login?client_name=bootsp2]>
2023-08-25 17:02:54,607 ERROR [https-jsse-nio-8443-exec-5] [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <>
org.apereo.cas.services.UnauthorizedServiceException:
    at org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.retrieveSessionTicketViaClientId(DefaultDelegatedClientAuthenticationWebflowManager.java:236) ~[cas-server-support-pac4j-core-6.6.9.jar!/:6.6.9]
    at org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.retrieve(DefaultDelegatedClientAuthenticationWebflowManager.java:84) ~[cas-server-support-pac4j-core-6.6.9.jar!/:6.6.9]
    at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.restoreAuthenticationRequestInContext(DelegatedClientAuthenticationAction.java:285) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
    at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.populateContextWithService(DelegatedClientAuthenticationAction.java:205) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
    at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.lambda$doExecute$0(DelegatedClientAuthenticationAction.java:123) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
    at java.util.Optional.orElseGet(Optional.java:369) ~[?:?]
    at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.doExecute(DelegatedClientAuthenticationAction.java:123) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
    at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
    at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]

On Fri, Aug 25, 2023 at 3:34 PM Ray Bon wrote:
> Yan,
>
> My local OIDC goes to cas/oidc/oidcAuthorize where cas redirects to /cas/login. In your case, cas should redirect to the remote IdP.
> The cas endpoints are described here, https://apereo.github.io/cas/6.6.x/authentication/OIDC-Authentication.html (though I note that the protocol differs from what my client is doing above and says cas/oidc/authorize).
>
> Your client app should know nothing about how or where the login takes place. It should only know about cas. That way you can change the upstream IdP in cas and not have to make changes to your client.
>
> Ray
>
> On Fri, 2023-08-25 at 11:49 -0700, Yan Zhou wrote:
>
> Hi,
>
> This is my environment:
>
> CAS 6.6.x, SAML2 delegated authN, Spring Boot app -> CAS -> Okta (CAS delegates to Okta, CAS is an SP to Okta, Okta is the IDP).
>
> One trouble I have is on the client app side: it needs to specify the IDP, which should be CAS, but I do not know what the CAS SSO endpoint below should be (since CAS is also an SP to Okta). I tried /cas/login; as I go to the client app, it redirects to the CAS login page and I see the external identity provider on the login page. However, autoRedirect is not working, which tells me something is not set up correctly.
>
> Did I have the SSO endpoint correct in the following: /cas/login, /cas/logout?
>
> Yan
>
> IDP meta d
[cas-user] what is the CAS 6.6.x SSO endpoint as SP in delegated SAML AuthN?
Hi,

This is my environment:

CAS 6.6.x, SAML2 delegated authN, Spring Boot app -> CAS -> Okta (CAS delegates to Okta, CAS is an SP to Okta, Okta is the IDP).

One trouble I have is on the client app side: it needs to specify the IDP, which should be CAS, but I do not know what the CAS SSO endpoint below should be (since CAS is also an SP to Okta). I tried /cas/login; as I go to the client app, it redirects to the CAS login page and I see the external identity provider on the login page. However, autoRedirect is not working, which tells me something is not set up correctly.

Did I have the SSO endpoint correct in the following: /cas/login, /cas/logout?

Yan

IDP metadata file placed on the Spring Boot client app side

http://www.okta.com/exkas4vj25jdUfJEx5d7;>
..
https://localhost:8443/cas/logout"/>
https://localhost:8443/cas/logout"/>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
https://localhost:8443/cas/login"/>
https://localhost:8443/cas/login"/>

cas.properties, runs on localhost:8443/cas
=
cas.authn.pac4j.saml[0].keystorePath=file:///C:/apereocas66x/config/casas-samlsp/samlkeystore
cas.authn.pac4j.saml[0].keystorePassword=changeit
cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
cas.authn.pac4j.saml[0].privateKeyPassword=changeit
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://localhost:8443/cas/samlsp
cas.authn.pac4j.saml[0].clientName=bootsp2
cas.authn.pac4j.saml[0].forceAuth=false
cas.authn.pac4j.saml[0].passive=false
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=3600
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:///C:/apereocas66x/config/casas-samlsp/sp-metadata.xml
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://okta.com/app/.../sso/saml/metadata
cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
cas.authn.pac4j.saml[0].userNameQualifier=false
cas.authn.pac4j.saml[0].autoRedirect=true

==
client app service registry, Spring Boot app runs on localhost:8081

{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^http://localhost:8081(/.*)?",
  "name" : "myclientapp",
  "id" : 1005,
  "description" : "sample",
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "delegatedAuthenticationPolicy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders" : [ "java.util.ArrayList", [ "bootsp2" ] ]
    }
  }
}
[cas-user] SAML delegation CAS 6.6.x, which XML to use on ClientApp side, IDP or SP metadata?
Hi there,

I am a bit confused with a couple of configurations. Say a client app (bootsp2) wants to authN against CAS 6.6.x via SAML2, which delegates to the Okta IDP using SAML2. CAS starts up fine and generates metadata for the SP as well.

1. My CAS login page, under External Provider, shows "bootsp2", not "Okta". This does not sound right. Is that because of this line in cas.properties? I see nowhere else to indicate the name of the external provider.

    cas.authn.pac4j.saml[0].clientName=bootsp2

2. On my client app (bootsp2), it needs the IDP XML. Which one should I use?

    https://cinwl912vj2j.us.qdx.com:8443/cas/sp/metadata, OR,
    https://cinwl912vj2j.us.qdx.com:8443/cas/sp/idp/metadata

It feels like I need to take sp/metadata and place it as the IDP on the client side, since the flow is client -> CAS -> Okta?

thanks,
yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3a7cc26c-1332-4dda-84f3-8a8f470b3284n%40apereo.org.
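One way to settle which document to hand the client app, for this question and for the post earlier on this page asking which CAS SSO endpoint to put in the client's IdP metadata, is to inspect the metadata by role descriptor rather than by URL. The following Python is an added example written for this thread; it is not CAS, pac4j or Okta code. A client app that treats CAS as its identity provider needs metadata whose IDPSSODescriptor carries SingleSignOnService endpoints and a signing certificate (that certificate is what lets the client verify the responses it receives); an SPSSODescriptor with an AssertionConsumerService describes the other side of the exchange. Both metadata documents in the block are constructed samples: the entity id idp.example.test and the certificate text are placeholders, while the localhost endpoints and NameID formats mirror the values quoted in this thread.

```python
"""Classify a SAML 2.0 metadata document by role and list the endpoints a
peer needs. Added example for this thread; not CAS, pac4j or Okta code."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Namespaces from the OASIS SAML 2.0 metadata and XML-DSig specifications.
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}


@dataclass
class MetadataSummary:
    entity_id: str
    roles: list = field(default_factory=list)      # "IDP" and/or "SP"
    sso: list = field(default_factory=list)        # (Binding, Location) of SingleSignOnService
    acs: list = field(default_factory=list)        # (Binding, Location) of AssertionConsumerService
    slo: list = field(default_factory=list)        # (Binding, Location) of SingleLogoutService
    nameid_formats: list = field(default_factory=list)
    has_signing_cert: bool = False
    warnings: list = field(default_factory=list)


def _endpoints(role, tag):
    return [(e.get("Binding"), e.get("Location")) for e in role.findall(f"md:{tag}", NS)]


def _has_signing_cert(role):
    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    return any(kd.get("use") in (None, "signing") and kd.findall(".//ds:X509Certificate", NS)
               for kd in role.findall("md:KeyDescriptor", NS))


def summarize_metadata(xml_text: str) -> MetadataSummary:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"expected md:EntityDescriptor, got {root.tag}")
    s = MetadataSummary(entity_id=root.get("entityID", ""))
    for idp in root.findall("md:IDPSSODescriptor", NS):
        s.roles.append("IDP")
        s.sso += _endpoints(idp, "SingleSignOnService")
        s.slo += _endpoints(idp, "SingleLogoutService")
        s.nameid_formats += [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text]
        if _has_signing_cert(idp):
            s.has_signing_cert = True
        else:
            s.warnings.append("IDPSSODescriptor carries no signing certificate; "
                              "an SP cannot verify responses from this IdP")
    for sp in root.findall("md:SPSSODescriptor", NS):
        s.roles.append("SP")
        s.acs += _endpoints(sp, "AssertionConsumerService")
        s.slo += _endpoints(sp, "SingleLogoutService")
        s.has_signing_cert = s.has_signing_cert or _has_signing_cert(sp)
    for _, loc in s.sso + s.acs + s.slo:
        if loc and not loc.lower().startswith("https://"):
            s.warnings.append(f"endpoint not served over TLS: {loc}")
    if not s.roles:
        s.warnings.append("no IDPSSODescriptor or SPSSODescriptor found")
    return s


def can_serve_as_idp(s: MetadataSummary) -> bool:
    """True if a client app could configure this entity as its identity provider."""
    return "IDP" in s.roles and bool(s.sso)


# Constructed samples: idp.example.test and the certificate text are placeholders;
# the localhost endpoints and NameID formats mirror the values quoted in the thread.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-NOT-A-REAL-CERTIFICATE</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:8443/cas/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:8443/cas/login"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:8443/cas/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://localhost:8081/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8081/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for label, doc in (("IdP", SAMPLE_IDP_METADATA), ("SP", SAMPLE_SP_METADATA)):
        s = summarize_metadata(doc)
        print(f"{label}: entityID={s.entity_id} roles={s.roles} usable-as-IdP={can_serve_as_idp(s)}")
        for binding, loc in s.sso or s.acs:
            print("   ", binding.rsplit(":", 1)[-1], loc)
        for w in s.warnings:
            print("    WARNING:", w)
```

Run it against the two files CAS serves and whichever one reports an IDP role with SingleSignOnService entries is the one the client app can consume as IdP metadata; a document that only reports an SP role describes CAS's side toward Okta and belongs in Okta's application configuration, not in the client. The warnings flag the two things most worth fixing before going beyond localhost: a plain-http endpoint and an IdP descriptor with no signing certificate.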
Re: [cas-user] CAS 6.6.x SAML delegated authN to Okta not working
It is finally working after debugging the source code. I am so grateful for open source; here is the key. Thanks Ray!

On the CAS side, the generated sp-metadata.xml says:

    https://localhost:8443/cas/login?client_name=bootsp2"/>

But on my client, where I specify the IDP XML, it needs to use CAS_CLIENT_ID as opposed to client_name. Does anyone know why?

    https://localhost:8443/cas/login?CAS_CLIENT_ID=bootsp2"/>
    https://localhost:8443/cas/login?CAS_CLIENT_ID=bootsp2"/>

Here is the CAS client definition JSON:

    {
      "@class" : "org.apereo.cas.services.CasRegisteredService",
      "serviceId" : "^(https?|imaps)://.*",
      "name" : "bootsp2",
      "id" : 1005,
      "description" : "sample",
      "attributeReleasePolicy" : {
        "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
        "allowedAttributes" : [ "java.util.ArrayList", [ "name", "first_name", "middle_name" ] ]
      }
    }

SSO URL: if I use https://localhost:8443/cas/login?client_name=bootsp2, I get this error (it cannot find the match; I have to use CAS_CLIENT_ID as the parameter name, then it works):

    2023-08-15 11:25:01,951 DEBUG [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] -
    2023-08-15 11:25:01,951 DEBUG [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] -
    2023-08-15 11:25:01,952 ERROR [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - https://localhost:8443/cas/login?client_name=bootsp2]>
    2023-08-15 11:25:01,955 ERROR [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <>
    org.apereo.cas.services.UnauthorizedServiceException:
        at org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.retrieveSessionTicketViaClientId(DefaultDelegatedClientAuthenticationWebflowManager.java:236) ~[cas-server-support-pac4j-core-6.6.9.jar!/:6.6.9]
        at org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager.retrieve(DefaultDelegatedClientAuthenticationWebflowManager.java:84) ~[cas-server-support-pac4j-core-6.6.9.jar!/:6.6.9]
        at

DefaultDelegatedClientAuthenticationWebflowManager: it is looking for CAS_CLIENT_ID_SESSION_KEY in the request parameters.

    protected String getDelegatedClientId(final WebContext webContext, final Client client) {
        // 1. explicit client id request parameter
        var clientId = webContext.getRequestParameter(PARAMETER_CLIENT_ID)
            .map(String::valueOf).orElse(StringUtils.EMPTY);
        if (StringUtils.isBlank(clientId)) {
            // 2. for SAML2 clients, fall back to the RelayState parameter
            if (client instanceof SAML2Client) {
                LOGGER.debug("Client identifier could not found in request parameters. Looking at relay-state for the SAML2 client");
                clientId = webContext.getRequestParameter(SamlProtocolConstants.PARAMETER_SAML_RELAY_STATE)
                    .map(String::valueOf).orElse(StringUtils.EMPTY);
            }
        }
        // 3. per-protocol session store fallbacks, keyed by client type
        clientId = getDelegatedClientIdFromSessionStore(webContext, client, clientId, OAuth20Client.class, OAUTH20_CLIENT_ID_SESSION_KEY);
        clientId = getDelegatedClientIdFromSessionStore(webContext, client, clientId, OidcClient.class, OIDC_CLIENT_ID_SESSION_KEY);
        clientId = getDelegatedClientIdFromSessionStore(webContext, client, clientId, OAuth10Client.class, OAUTH10_CLIENT_ID_SESSION_KEY);
        clientId = getDelegatedClientIdFromSessionStore(webContext, client, clientId, CasClient.class, CAS_CLIENT_ID_SESSION_KEY);
        LOGGER.debug("Located delegated client identifier [{}]", clientId);
        return clientId;
    }

If you know whether I missed anything, I would love to know. I still do not understand why I cannot just use client_name as the SSO URL parameter on the client side.

thanks,
Yan

On Tuesday, August 15, 2023 at 10:53:50 AM UTC-4 Yan Zhou wrote:
> On my client side where it loads the IDP XML, what should the SSO URL be when CAS delegates SAML authN to Okta?
>
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/cas/idp/profile/SAML2/POST/SSO"/>
> - This results in an error on CAS: it tries to load a matching SAML service from the service registry, which is not the case in delegated authN.
>
> OR
>
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/cas/login?client_name=bootsp2"/>
> - This results in an error on CAS:
>
> 2023-08-15 10:30:16,666 ERROR [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - request [https://localhost:8443/cas/login?client_name=bootsp2]>
> 2023-08-15 10:30:16,667 ERROR [https-jsse-nio-8443-exec-4] [org.apereo.cas
Re: [cas-user] CAS 6.6.x SAML delegated authN to Okta not working
On my client side where it loads the IDP XML, what should the SSO URL be when CAS delegates SAML authN to Okta?

    https://localhost:8443/cas/idp/profile/SAML2/POST/SSO"/>

- This results in an error on CAS: it tries to load a matching SAML service from the service registry, which is not the case in delegated authN.

OR

    https://localhost:8443/cas/login?client_name=bootsp2"/>

- This results in an error on CAS:

    2023-08-15 10:30:16,666 ERROR [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager] - https://localhost:8443/cas/login?client_name=bootsp2]>
    2023-08-15 10:30:16,667 ERROR [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <
    DefaultDelegatedClientAuthenticationWebflowManager.java:retrieveSessionTicketViaClientId:236
    DefaultDelegatedClientAuthenticationWebflowManager.java:retrieve:84
    DelegatedClientAuthenticationAction.java:restoreAuthenticationRequestInContext:285
    >
    2023-08-15 10:30:16,667 WARN [https-jsse-nio-8443-exec-4] [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <>
    org.apereo.cas.services.UnauthorizedServiceException:
        at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.restoreAuthenticationRequestInContext(DelegatedClientAuthenticationAction.java:292) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
        at org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction.populateContextWithService(DelegatedClientAuthenticationAction.java:205) ~[cas-server-support-pac4j-webflow-6.6.9.jar!/:6.6.9]
        at

On Tuesday, August 15, 2023 at 9:39:52 AM UTC-4 Yan Zhou wrote:
> Thanks Ray, making some progress; I now see the SP metadata and keystore being generated.
>
> For delegated AuthN, here is the SAML request from my client app. It goes to CAS, and the authN request seems correct.
>
> AssertionConsumerServiceURL="http://localhost:8081/saml/SSO" Destination="https://localhost:8443/cas/idp/profile/SAML2/POST/SSO"
> ...
> "urn:oasis:names:tc:SAML:2.0:assertion">
> http://localhost:8081/saml/metadata
>
> But then I run into an error in CAS: it is still loading IDP functionality and tries to find the client in the service registry. This is where I do not understand how SAML delegated authN works differently from CAS as the IDP itself.
>
> This is my service definition, as the CAS documentation says.
> {
>   "@class" : "org.apereo.cas.services.CasRegisteredService",
>   "serviceId" : "bootsp2",
>   "name" : "bootsp2",
>   "id" : 1005,
>   "description" : "sample",
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "allowedAttributes" : [ "java.util.ArrayList", [ "name", "first_name", "middle_name" ] ]
>   }
> }
>
> 2023-08-15 09:30:23,875 WARN [https-jsse-nio-8443-exec-9] [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <[http://localhost:8081/saml/metadata] is not found in the registry or service access is denied.>
> 2023-08-15 09:30:23,875 WARN [https-jsse-nio-8443-exec-9] [org.apereo.cas.util.function.FunctionUtils] -
> org.apereo.cas.services.UnauthorizedServiceException: screen.service.error.message
>     at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.verifySamlRegisteredService(AbstractSamlIdPProfileHandlerController.java:172) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
>     at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.verifySamlAuthenticationRequest(AbstractSamlIdPProfileHandlerController.java:490) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
>     at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.initiateAuthenticationRequest(AbstractSamlIdPProfileHandlerController.java:315) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
>     at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.lambda$handleSsoPostProfileRequest$4(AbstractSamlIdPProfileHandlerController.java:652) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
>     at org.apereo.cas.util.function.FunctionUtils.lambda$doAndHandle$9(FunctionUtils.java:330) ~[cas-server-core-util-api-6.6.9.jar!/:6.6.9]
>     at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.handleSsoPostProfileRequest(AbstractSa
Re: [cas-user] CAS 6.6.x SAML delegated authN to Okta not working
Thanks Ray, making some progress; I now see the SP metadata and keystore being generated.

For delegated AuthN, here is the SAML request from my client app. It goes to CAS, and the authN request seems correct.

    AssertionConsumerServiceURL="http://localhost:8081/saml/SSO" Destination="https://localhost:8443/cas/idp/profile/SAML2/POST/SSO"
    ...
    "urn:oasis:names:tc:SAML:2.0:assertion"> http://localhost:8081/saml/metadata

But then I run into an error in CAS: it is still loading IDP functionality and tries to find the client in the service registry. This is where I do not understand how SAML delegated authN works differently from CAS as the IDP itself.

This is my service definition, as the CAS documentation says.

    {
      "@class" : "org.apereo.cas.services.CasRegisteredService",
      "serviceId" : "bootsp2",
      "name" : "bootsp2",
      "id" : 1005,
      "description" : "sample",
      "attributeReleasePolicy" : {
        "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
        "allowedAttributes" : [ "java.util.ArrayList", [ "name", "first_name", "middle_name" ] ]
      }
    }

    2023-08-15 09:30:23,875 WARN [https-jsse-nio-8443-exec-9] [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <[http://localhost:8081/saml/metadata] is not found in the registry or service access is denied.>
    2023-08-15 09:30:23,875 WARN [https-jsse-nio-8443-exec-9] [org.apereo.cas.util.function.FunctionUtils] -
    org.apereo.cas.services.UnauthorizedServiceException: screen.service.error.message
        at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.verifySamlRegisteredService(AbstractSamlIdPProfileHandlerController.java:172) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
        at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.verifySamlAuthenticationRequest(AbstractSamlIdPProfileHandlerController.java:490) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
        at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.initiateAuthenticationRequest(AbstractSamlIdPProfileHandlerController.java:315) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
        at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.lambda$handleSsoPostProfileRequest$4(AbstractSamlIdPProfileHandlerController.java:652) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
        at org.apereo.cas.util.function.FunctionUtils.lambda$doAndHandle$9(FunctionUtils.java:330) ~[cas-server-core-util-api-6.6.9.jar!/:6.6.9]
        at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.handleSsoPostProfileRequest(AbstractSamlIdPProfileHandlerController.java:653) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
        at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPPostProfileHandlerController.handleSaml2ProfileSsoPostRequest(SSOSamlIdPPostProfileHandlerController.java:74) ~[cas-server-support-saml-idp-web-6.6.9.jar!/:6.6.9]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]

On Monday, August 14, 2023 at 5:05:26 PM UTC-4 Ray Bon wrote:
> Yan,
>
> I was browsing the docs and
> cas.authn.pac4j.saml[0].serviceProviderMetadataPath
> cas.authn.pac4j.saml[0].serviceProviderEntityId
> are for cas as a service provider metadata, not the destination application.
>
> https://apereo.github.io/cas/6.6.x/integration/Delegate-Authentication-SAML.html
>
> Ray
>
> On Mon, 2023-08-14 at 12:25 -0700, Yan Zhou wrote:
> > I think I am missing something fundamentally, but I do not know what it is.
> >
> > I first excluded the dependency on cas-server-support-saml-idp because CAS is delegating authN to Okta; I realized the login page does not even come up, and nothing shows in SAML Tracer. Then I added this dependency, see below.
> >
> > implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
> > implementation "org.apereo.cas:cas-server-support-pac4j-webflow:${project.'cas.version'}"
> >
> > Now the login page comes up, and I can see the authN request coming to CAS, but I do not see how CAS delegates authN. It seems that something is missing, so that CAS is -not- generating SP metadata, which it should. Not sure what I am missing.
> >
> > I based cas.properties on the following documentation, but it is not working, i.e., nothing is
Re: [cas-user] CAS 6.6.x SAML delegated authN to Okta not working
I think I am missing something fundamentally, but I do not know what it is.

I first excluded the dependency on cas-server-support-saml-idp because CAS is delegating authN to Okta; I realized the login page does not even come up, and nothing shows in SAML Tracer. Then I added this dependency, see below.

    implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
    implementation "org.apereo.cas:cas-server-support-pac4j-webflow:${project.'cas.version'}"

Now the login page comes up, and I can see the authN request coming to CAS, but I do not see how CAS delegates authN. It seems that something is missing, so that CAS is -not- generating SP metadata, which it should. Not sure what I am missing.

I based cas.properties on the following documentation, but it is not working, i.e., nothing is being generated by CAS, and no error either. In delegated AuthN, when the client comes to CAS, which then delegates to Okta, should /cas/idp/profile/SAML2/POST/SSO be called at all?

    # Settings required for CAS SP metadata generation process
    # The keystore will be automatically generated by CAS with
    # keys required for the metadata generation and/or exchange.
    #
    # cas.authn.pac4j.saml[0].keystorePassword=
    # cas.authn.pac4j.saml[0].privateKeyPassword=
    # cas.authn.pac4j.saml[0].keystorePath=
    # The entityID assigned to CAS acting as the SP
    # cas.authn.pac4j.saml[0].serviceProviderEntityId=
    # Path to the auto-generated CAS SP metadata
    # cas.authn.pac4j.saml[0].serviceProviderMetadataPath=
    # cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=
    # Path/URL to delegated IdP metadata
    # cas.authn.pac4j.saml[0].identityProviderMetadataPath=

On Monday, August 14, 2023 at 1:53:24 PM UTC-4 Ray Bon wrote:
> Yan,
>
> Is it possible that the okta-cas config is incorrect and okta is returning an error response which cas does not understand?
> Are you using SAML Tracer to see the exchanges between SPs and IdPs?
> If the keystore is not created, you can create it yourself. Or, turn off SAML encryption between SPs and IdPs.
>
> Ray
>
> On Fri, 2023-08-11 at 13:42 -0700, Yan Zhou wrote:
> > Hi there,
> >
> > When CAS is the SAML2 IDP, I am able to run a client app authenticating successfully. But I have trouble when CAS delegates authN to Okta (CAS is set up as an SP in Okta).
> >
> > The client app runs on localhost:8081, CAS 6.6.x runs on localhost:8443 and delegates to the Okta SAML2 IDP.
> >
> > Here is my problem; I likely misunderstood how delegated authN should work, but do not know how.
> >
> > When I go to the client, localhost:8081, it redirects to: http://localhost:8081/saml/login?idp=https%3A%2F%2Flocalhost%3A8443%2Fidp
> >
> > Redirects to: https://localhost:8443/cas/idp/profile/SAML2/POST/SSO
> >
> > I would expect the Okta login page to come up, but I am getting a CAS error page that says "page Not found". I did not see any error in the cas log.
> >
> > In Okta, I configured my local CAS as a SAML 2.0 application
> > ==
> > SSO URL: https://localhost:8443/cas/login
> > Audience URI: https://localhost:8443/cas/idp
> >
> > cas.properties
> > ==
> > cas.authn.pac4j.saml[0].keystorePath=file:///C:/apereocas66x/config/casas-samlsp/samlkeystore
> >     <== I do not see the keystore being created; why is this not created?
> > cas.authn.pac4j.saml[0].keystorePassword=changeit
> > cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
> > cas.authn.pac4j.saml[0].privateKeyPassword=changeit
> > cas.authn.pac4j.saml[0].serviceProviderEntityId=http://localhost:8081/saml/metadata
> >     <== same SP entity ID as when CAS was the IDP itself, without delegated authN
> > cas.authn.pac4j.saml[0].clientName=bootsp2
> > cas.authn.pac4j.saml[0].forceAuth=false
> > cas.authn.pac4j.saml[0].passive=false
> > cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=1209600
> > cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:///C:/apereocas66x/config/spmetadata/1005-metadata.xml
> >     <== same SP metadata as when CAS was the IDP itself, without delegated authN
> > cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-11792448.okta.com/app/exkas4vj25jdUfJEx5d7/sso/saml/metadata
> > cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
> > cas.authn.pac4j.saml[0].userNameQualifier=false
> >
> > JSON file in service registry
> > ==
> > {
> > "@class
[cas-user] CAS 6.6.x SAML delegated authN to Okta not working
Hi there,

When CAS is the SAML2 IDP, I am able to run a client app authenticating successfully. But I have trouble when CAS delegates authN to Okta (CAS is set up as an SP in Okta).

The client app runs on localhost:8081, CAS 6.6.x runs on localhost:8443 and delegates to the Okta SAML2 IDP.

Here is my problem; I likely misunderstood how delegated authN should work, but do not know how.

When I go to the client, localhost:8081, it redirects to: http://localhost:8081/saml/login?idp=https%3A%2F%2Flocalhost%3A8443%2Fidp

Redirects to: https://localhost:8443/cas/idp/profile/SAML2/POST/SSO

I would expect the Okta login page to come up, but I am getting a CAS error page that says "page Not found". I did not see any error in the cas log.

In Okta, I configured my local CAS as a SAML 2.0 application
==
SSO URL: https://localhost:8443/cas/login
Audience URI: https://localhost:8443/cas/idp

cas.properties
==

    cas.authn.pac4j.saml[0].keystorePath=file:///C:/apereocas66x/config/casas-samlsp/samlkeystore
        <== I do not see the keystore being created; why is this not created?
    cas.authn.pac4j.saml[0].keystorePassword=changeit
    cas.authn.pac4j.saml[0].keystoreAlias=cas-samlsp
    cas.authn.pac4j.saml[0].privateKeyPassword=changeit
    cas.authn.pac4j.saml[0].serviceProviderEntityId=http://localhost:8081/saml/metadata
        <== same SP entity ID as when CAS was the IDP itself, without delegated authN
    cas.authn.pac4j.saml[0].clientName=bootsp2
    cas.authn.pac4j.saml[0].forceAuth=false
    cas.authn.pac4j.saml[0].passive=false
    cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=1209600
    cas.authn.pac4j.saml[0].serviceProviderMetadataPath=file:///C:/apereocas66x/config/spmetadata/1005-metadata.xml
        <== same SP metadata as when CAS was the IDP itself, without delegated authN
    cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-11792448.okta.com/app/exkas4vj25jdUfJEx5d7/sso/saml/metadata
    cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    cas.authn.pac4j.saml[0].userNameQualifier=false

JSON file in service registry
==

    {
      "@class" : "org.apereo.cas.services.CasRegisteredService",
      "serviceId" : "bootsp2",
      "name" : "bootsp2",
      "id" : 1005,
      "description" : "sample",
      "attributeReleasePolicy" : {
        "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
        "allowedAttributes" : [ "java.util.ArrayList", [ "name", "first_name", "middle_name" ] ]
      }
    }

thanks,
Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f98e1a51-d49f-4f44-9de4-ec5ebb727239n%40apereo.org.
[cas-user] who are using CAS, where can I find this?
Hi there,

My organization is asking: who is using CAS out there? That is one of the key factors for commercial companies to consider for adoption. Several years ago we had a survey on this; is there a recent survey? The survey I mentioned listed industries such as university, healthcare, etc., but did not have any specific names. I understand that companies may not want others to know they are using CAS for various reasons, but do we have a sample of companies/organizations using CAS in production from different industries/sectors?

thanks,
yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f247cf63-0a55-45b0-9e34-00b82f1d5df8n%40apereo.org.
Re: [cas-user] embedded tomcat startup error cas6.6.x
I did run it to get submodules. Same error. I am not that familiar with Gradle, so I cannot figure out why. But if anyone knows why, this may be quite simple. I would appreciate the help!

Yan

    C:\apereocas66x\cas-server\support\cas-server-support-thymeleaf>"../../gradlew" build
    Configuration on demand is an incubating feature.

    > Task :support:cas-server-support-thymeleaf:compileJava FAILED

    FAILURE: Build failed with an exception.

    * What went wrong:
    Execution failed for task ':support:cas-server-support-thymeleaf:compileJava'.
    > Could not resolve all files for configuration ':support:cas-server-support-thymeleaf:compileClasspath'.
       > Could not find nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:3.1.0.
         Searched in the following locations:
           - file:/C:/Users/yan.x.zhou/.m3/repository/nz/net/ultraq/thymeleaf/thymeleaf-layout-dialect/3.1.0/thymeleaf-layout-dialect-3.1.0.pom
           - https://repo.maven.apache.org/maven2/nz/net/ultraq/thymeleaf/thymeleaf-layout-dialect/3.1.0/thymeleaf-layout-dialect-3.1.0.pom
           - https://oss.sonatype.org/content/repositories/releases/nz/net/ultraq/thymeleaf/thymeleaf-layout-dialect/3.1.0/thymeleaf-layout-dialect-3.1.0.pom
           - https://repo.spring.io/milestone/nz/net/ultraq/thymeleaf/thymeleaf-layout-dialect/3.1.0/thymeleaf-layout-dialect-3.1.0.pom
         Required by:
             project :support:cas-server-support-thymeleaf

    * Try:
    > Run with --stacktrace option to get the stack trace.
    > Run with --info or --debug option to get more log output.
    > Run with --scan to get full insights.

    * Get more help at https://help.gradle.org

    BUILD FAILED in 1m 10s
    168 actionable tasks: 2 executed, 166 up-to-date
    C:\apereocas66x\cas-server\support\cas-server-support-thymeleaf>

On Tue, Jul 18, 2023 at 3:50 PM Ray Bon wrote:
> Yan,
>
> There is this https://apereo.github.io/cas/developer/Contributor-Guidelines.html#how-do-i-do-this and this https://apereo.github.io/cas/development/developer/Build-Process.html for developing cas.
>
> There is a step for getting submodules; Was that missed?
>
> Ray
>
> On Tue, 2023-07-18 at 12:21 -0700, Yan Zhou wrote:
> > Hi Ray,
> >
> > Overlay did work, thanks a lot! Still, I should be able to run CAS as any CAS developer would; not sure why I run into this.
> >
> > This is what I did on my Windows machine. The overlay works fine with additional command line arguments, so I attempted the same on the CAS project:
> >
> > C:\apereocas66x\cas-server\webapp\cas-server-webapp-tomcat>"../../gradlew" build bootRun --parallel --offline --configure-on-demand --build-cache --stacktrace --args=--spring.profiles.active=standalone,--cas.standalone.configuration-directory=C:\apereocas66x\config
> > Configuration on demand is an incubating feature.
> >
> > > Task :api:cas-server-core-api-configuration-model:compileJava
> > Note: Some input files use or override a deprecated API.
> > Note: Recompile with -Xlint:deprecation for details.
> > Note: C:\apereocas66x\cas-server\api\cas-server-core-api-configuration-model\src\main\java\org\apereo\cas\configuration\metadata\ConfigurationMetadataGenerator.java uses unchecked or unsafe operations.
> > Note: Recompile with -Xlint:unchecked for details.
> >
> > > Task :support:cas-server-support-thymeleaf:compileJava FAILED
> > <==---> 82% EXECUTING [1m 46s]
> > > :api:cas-server-core-api-configuration-model:generateConfigurationMetadata
> >
> > In my IntelliJ IDE, it reports this error. I am sure the CAS project itself has no problem, but I cannot figure out why it is missing the Thymeleaf layout dialect jar, and where is this supposed to be specified?
> >
> > :support:cas-server-support-openid-webflow:test: Could not find nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:3.1.0.
> > Required by:
> >     project :support:cas-server-support-openid-webflow > project :support:cas-server-support-thymeleaf
> > Possible solution:
> >  - Declare repository providing the artifact, see the documentation at https://docs.gradle.org/current/userguide/declaring_repositories.html
> >
> > Thanks,
> > Yan
> >
> > On Tuesday, July 18, 2023 at 12:29:49 PM UTC-4 Ray Bon wrote:
> > > Yan,
> > >
> > > It looks like you are using cas instead of cas-overlay-template. The main project is for developers. This is for deployers https://github.com/apereo/cas-overlay-template
> > >
> > > Ray
> > >
> > > On Mon, 2023-07-17 at 12:15 -0700, Yan Zhou wrote:
> > > > Hi
> > > >
> > > > I followed the doc to this step, b
Re: [cas-user] embedded tomcat startup error cas6.6.x
Hi Ray,

Overlay did work, thanks a lot! Still, I should be able to run CAS as any CAS developer would; not sure why I run into this.

This is what I did on my Windows machine. The overlay works fine with additional command line arguments, so I attempted the same on the CAS project:

    C:\apereocas66x\cas-server\webapp\cas-server-webapp-tomcat>"../../gradlew" build bootRun --parallel --offline --configure-on-demand --build-cache --stacktrace --args=--spring.profiles.active=standalone,--cas.standalone.configuration-directory=C:\apereocas66x\config
    Configuration on demand is an incubating feature.

    > Task :api:cas-server-core-api-configuration-model:compileJava
    Note: Some input files use or override a deprecated API.
    Note: Recompile with -Xlint:deprecation for details.
    Note: C:\apereocas66x\cas-server\api\cas-server-core-api-configuration-model\src\main\java\org\apereo\cas\configuration\metadata\ConfigurationMetadataGenerator.java uses unchecked or unsafe operations.
    Note: Recompile with -Xlint:unchecked for details.

    > Task :support:cas-server-support-thymeleaf:compileJava FAILED
    <==---> 82% EXECUTING [1m 46s]
    > :api:cas-server-core-api-configuration-model:generateConfigurationMetadata

In my IntelliJ IDE, it reports this error. I am sure the CAS project itself has no problem, but I cannot figure out why it is missing the Thymeleaf layout dialect jar, and where is this supposed to be specified?

    :support:cas-server-support-openid-webflow:test: Could not find nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:3.1.0.
    Required by:
        project :support:cas-server-support-openid-webflow > project :support:cas-server-support-thymeleaf
    Possible solution:
     - Declare repository providing the artifact, see the documentation at https://docs.gradle.org/current/userguide/declaring_repositories.html

Thanks,
Yan

On Tuesday, July 18, 2023 at 12:29:49 PM UTC-4 Ray Bon wrote:
> Yan,
>
> It looks like you are using cas instead of cas-overlay-template. The main project is for developers. This is for deployers https://github.com/apereo/cas-overlay-template
>
> Ray
>
> On Mon, 2023-07-17 at 12:15 -0700, Yan Zhou wrote:
> > Hi
> >
> > I followed the doc to this step, but I am not sure why it failed. I am on Windows and using CAS 6.6.9. It built fine, but when running in embedded Tomcat, I run into an error.
> >
> > I am not sure what it tries to do in /etc/cas/templates. I am on Windows, so I am hoping to find where it is specified and change it to a Windows path.
> >
> > thanks in advance!
> >
> > Yan
> >
> > C:\apereocas66x\cas-server\webapp\cas-server-webapp-tomcat>"../../gradlew" build bootRun --parallel --offline --configure-on-demand --build-cache --stacktrace
> > Configuration on demand is an incubating feature.
> > <-> 0% CONFIGURING [1m 24s]
> > > Task :webapp:cas-server-webapp-tomcat:processBootRunResources FAILED
> >
> > FAILURE: Build failed with an exception.
> >
> > * What went wrong:
> > Execution failed for task ':webapp:cas-server-webapp-tomcat:processBootRunResources'.
> > > Cannot fingerprint input file property 'rootSpec$1': Could not stat file \\etc\cas\templates

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/cd1fb480-238b-400b-b02a-ec5f1ef2e49dn%40apereo.org.
[cas-user] embedded tomcat startup error cas6.6.x
Hi,

I followed the doc to this step, but not sure why it failed. I am on Windows and using CAS 6.6.9. It built fine, but when running in embedded Tomcat, I run into an error.

Not sure what it tries to do in /etc/cas/templates. I am on Windows, so I am hoping to find where it is specified and change it to a Windows path.

Thanks in advance!

Yan

C:\apereocas66x\cas-server\webapp\cas-server-webapp-tomcat>"../../gradlew" build bootRun --parallel --offline --configure-on-demand --build-cache --stacktrace
Configuration on demand is an incubating feature.
<-> 0% CONFIGURING [1m 24s]
> Task :webapp:cas-server-webapp-tomcat:processBootRunResources FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':webapp:cas-server-webapp-tomcat:processBootRunResources'.
> Cannot fingerprint input file property 'rootSpec$1': Could not stat file \\etc\cas\templates
[cas-user] start up error CAS 6.6.x embedded tomcat
Hi there,

I am following the CAS doc to set up IntelliJ to start up CAS via the embedded Tomcat container, but I keep getting this error. I do not understand why it keeps saying the bean is already registered. Thanks in advance!

Yan

Here is the output console:

"C:\Program Files\Java\jdk-11.0.12\bin\java.exe" -agentlib:jdwp=transport=dt_socket,address=127.0.0.1:54125,suspend=y,server=n -Duser.timezone=UTC -Dspring.profiles.active=standalone -Dcas.standalone.configuration-directory=C:\apereocas66x\config -javaagent:C:\Users\y..\AppData\Local\JetBrains\IdeaIC2023.1\groovyHotSwap\gragent.jar -javaagent:C:\Users\y..\AppData\Local\JetBrains\IdeaIC2023.1\captureAgent\debugger-agent.jar=file:/C:/Users/y../AppData/Local/Temp/capture1.props -Dfile.encoding=UTF-8 @C:\Users\y..\AppData\Local\Temp\idea_arg_file593654062 org.apereo.cas.web.CasWebApplication
Connected to the target VM, address: '127.0.0.1:54125', transport: 'socket'
2023-07-17 15:10:36.066 INFO 18084 --- [ restartedMain] .c.c.CasConfigurationPropertiesValidator : Validated CAS property sources and configuration successfully.
2023-07-17 15:10:39.022 INFO 18084 --- [ restartedMain] .e.DevToolsPropertyDefaultsPostProcessor : Devtools property defaults active! Set 'spring.devtools.add-properties' to 'false' to disable

(CAS ASCII-art banner omitted)

CAS Version: Not Available
CAS Branch: master
CAS Commit Id: Not Available
CAS Build Date/Time: 2023-07-14T19:43:48.113Z
Spring Boot Version: 2.7.3
Spring Version: 5.3.22
Java Home: C:\Program Files\Java\jdk-11.0.12
Java Vendor: Oracle Corporation
Java Version: 11.0.12
JVM Free Memory: 195 MB
JVM Maximum Memory: 7 GB
JVM Total Memory: 610 MB
OS Architecture: amd64
OS Name: Windows 10
OS Version: 10.0
OS Date/Time: 2023-07-17T15:10:47.610637600
OS Temp Directory: C:\Users\Y...\AppData\Local\Temp\
Apache Tomcat Version: Apache Tomcat/9.0.76

2023-07-17 15:10:47.861 INFO 18084 --- [ restartedMain] c.c.c.ConfigServicePropertySourceLocator : Fetching config from server at : http://localhost:
2023-07-17 15:10:50.339 INFO 18084 --- [ restartedMain] c.c.c.ConfigServicePropertySourceLocator : Connect Timeout Exception on Url - http://localhost:. Will be trying the next url if available
2023-07-17 15:10:50.339 WARN 18084 --- [ restartedMain] c.c.c.ConfigServicePropertySourceLocator : Could not locate PropertySource: I/O error on GET request for "http://localhost:/application/standalone": Connection refused: connect; nested exception is java.net.ConnectException: Connection refused: connect
2023-07-17 15:10:50.456 INFO 18084 --- [ restartedMain] tCasConfigurationPropertiesSourceLocator : Configuration files found at [C:\apereocas66x\config] are [[file [C:\apereocas66x\config\application-standalone.properties], file [C:\apereocas66x\config\application-standalone.properties]]] under profile(s) [[standalone]]
2023-07-17 15:10:50.521 INFO 18084 --- [ restartedMain] b.c.PropertySourceBootstrapConfiguration : Located property source: [BootstrapPropertySource {name='bootstrapProperties-casCompositePropertySource'}]
2023-07-17 15:10:51,019 INFO [restartedMain] [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] -
2023-07-17 15:10:51,019 INFO [restartedMain] [org.apereo.cas.web.CasWebApplication] -
2023-07-17 15:10:59,279 WARN [restartedMain] [org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext] -
2023-07-17 15:10:59,306 INFO [restartedMain] [org.springframework.boot.autoconfigure.logging.ConditionEvaluationReportLoggingListener] - <Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.>
2023-07-17 15:11:24,641 ERROR [restartedMain] [org.springframework.boot.diagnostics.LoggingFailureAnalysisReporter] - <

*** APPLICATION FAILED TO START ***

Description:

Error creating bean named messageSource, with resource description class path resource [org/apereo/cas/config/CasCoreWebConfiguration$CasCoreWebMessageSourceConfiguration.class], due to: Invalid bean definition with name 'messageSource' defined in class path resource [org/apereo/cas/config/CasCoreWebConfiguration$CasCoreWebMessageSourceConfiguration.class]: Cannot register bean definition [Root bean: class [null]; scope=refresh; abstract=false; lazyInit=null; autowireMode=3; dependencyCheck=0; autowireCandidate=true;
Re: [cas-user] CAS 6.4 OIDC JWKS missing key fields?
Does your JWKS have the "alg" field? It does not seem to have that option. This is what a JWKS looks like in general; they do have the "alg" field. I do not know how to get the CAS JWKS to include it.

Yan

On Tuesday, March 7, 2023 at 10:29:12 AM UTC-5 waldbiec wrote:
> I noticed my JWKS was missing a kid and causing weird results in one of the OIDC libraries I use for testing.
> I just added the kid to my key in the "keystore.jwks" manually. I just generated a uuid4, but you can use any ID unique to your keystore from what I understand.
> The kid then appears on the endpoint.
>
> Thanks,
> Carl Waldbieser
> ITS
> Lafayette College
>
> On Tue, Mar 7, 2023 at 12:13 AM Yan Zhou wrote:
>
>> Hi,
>>
>> The CAS 6.4 OIDC JWKS endpoint looks like this. Our vendor has a problem with its missing fields such as alg, kid, and use.
>>
>> Does anyone know how to show these fields in the JWKS? They showed us what the Okta and Google OIDC providers present; yes, they do have these fields.
>>
>> This probably affects OIDC JWT access token header attributes as well.
>>
>> Thanks,
>> Yan
>>
>> {
>>   "keys": [
>>     {
>>       "kty":"RSA",
>>       "n":"pwNNGZn0..RW18eq6Asiw",
>>       "e":"AQAB"
>>     }
>>   ]
>> }
Re: [cas-user] Preventing removal of OAuth tokens upon TGT expiration for one service
Hi,

We are using CAS 6.4.6.6, and I still find this is the case: the RT is removed (we would like it to expire in 7 days), but it was removed after 8 hours because the underlying TGT expired, which defaults to 8 hours.

I did not understand why logout behavior would affect RT retention when the TGT is removed. I did not log out. I tried to set the TGT expiration policy under this particular service to a much bigger value in the JSON service registry, but ran into a NullPointerException in CAS in the code below, part of DefaultSingleSignOnParticipationStrategy:

val tgtPolicy = registeredService.getTicketGrantingTicketExpirationPolicy();
if (tgtPolicy != null) {
    val ticketState = getTicketState(ssoRequest); // <== ticketState is null
    return tgtPolicy.toExpirationPolicy()
        .map(policy -> !policy.isExpired(ticketState.get())).orElse(Boolean.TRUE);
}

Is this fixed in CAS 6.4.6.6?

Thanks,
Yan

On Thursday, March 15, 2018 at 3:48:01 PM UTC-4 Jon wrote:
> Hi,
>
> We just found this: https://github.com/apereo/cas/pull/3221
>
> It looks like it is a known issue and it will (hopefully) get solved in the next release :)
>
> Jon
>
> On Thursday, March 15, 2018 at 8:00:02 PM UTC+1, Jon wrote:
>>
>> Hi,
>>
>> We are running into the same issue you had. This is how we set our expiration properties:
>>
>> cas.ticket.tgt.timeToKillInSeconds=7200
>> cas.ticket.tgt.maxTimeToLiveInSeconds=28800
>>
>> cas.authn.oauth.refreshToken.timeToKillInSeconds=604800
>>
>> cas.authn.oauth.accessToken.timeToKillInSeconds=86400
>> cas.authn.oauth.accessToken.maxTimeToLiveInSeconds=86400
>>
>> We tried setting the "cas.logout.removeDescendantTickets" property to false but this only prevents the TGT ticket from being deleted. However, if the TGT ticket has expired (because of the TGT max life setting), both the access token and refresh token are invalid. If we try to use the refresh token to generate a new access token, we get an "invalid_request" error.
>>
>> Did you figure out how to solve it?
>>
>> Thanks in advance,
>>
>> Jon
>>
>> On Tuesday, September 26, 2017 at 1:25:04 AM UTC+2, Caleb D wrote:
>>>
>>> Hey Ray, thanks for responding.
>>>
>>> Yes, the application frequently uses the OAuth access token and refresh token given to it after the user authenticates. During each application invocation, the application uses the access token it was given as authentication in some web service calls. If the access token is expired, it uses the refresh token to obtain a new access token (this is typical behavior in OAuth 2). However, if the refresh token is invalid (e.g. due to an expired TGT), the application interaction is halted. The UX for this scenario is poor and this behavior is outside our control. This is for some hands-free voice integration work, so even if we could somehow reprompt for authentication the user wouldn't be in a good position to provide credentials (or might not be able to because the hardware was configured by someone else).
>>>
>>> That leads us to a solution of keeping refresh tokens alive for a long time, but we don't want to increase the TGT max life because that would affect other services as well and feels too broad with unknown implications.
>>>
>>> We've set logoutType to NONE on the service definition for this application, but this only disables CAS' behavior of POSTing to a logout endpoint for the application. It doesn't change the behavior of expiring OAuth refresh tokens when the parent TGT expires. It looks like the way to change that behavior is to override the logoutExecutionPlan bean or to define our own LogoutManager and I was hoping to find or hear of an example of doing such.
>>>
>>> The problematic code we want to work around can be seen in the CAS source, the method CasCoreLogoutConfiguration::configureLogoutExecutionPlan <https://github.com/apereo/cas/blob/5.1.x/core/cas-server-core-logout/src/main/java/org/apereo/cas/logout/config/CasCoreLogoutConfiguration.java#L108>.
>>>
>>> When a TGT is expired, all descendant tickets are also deleted. The default logoutExecutionPlan bean configures the behavior, so hence my questions regarding overriding it.
>>>
>>> Thanks,
>>> Caleb
[cas-user] CAS 6.4 OIDC JWKS missing key fields?
Hi,

The CAS 6.4 OIDC JWKS endpoint looks like this. Our vendor has a problem with its missing fields such as alg, kid, and use.

Does anyone know how to show these fields in the JWKS? They showed us what the Okta and Google OIDC providers present; yes, they do have these fields.

This probably affects OIDC JWT access token header attributes as well.

Thanks,
Yan

{
  "keys": [
    {
      "kty":"RSA",
      "n":"pwNNGZn0..RW18eq6Asiw",
      "e":"AQAB"
    }
  ]
}
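An added example, not CAS code and not from anyone in this thread, showing what the missing fields are for: it derives a deterministic "kid" as the RFC 7638 JWK thumbprint, adds "use" and "alg", and shows the relying-party key selection that becomes ambiguous or unsafe without them. The RSA modulus in the sample JWKS is a constructed value, not a real key.

```python
"""Fill in the JWKS fields (kid, use, alg) that a relying party needs, then
show the key lookup a verifying client performs against them.
Added example, not CAS code; the modulus is a constructed sample."""
import base64
import hashlib
import json

# Constructed sample in the shape of the JWKS shown in the post (kty/n/e only).
CAS_JWKS = {
    "keys": [
        {"kty": "RSA", "n": "pwNNGZn0RW18eq6Asiw", "e": "AQAB"},
    ]
}

# RFC 7638 section 3.2: the members that feed the thumbprint, per key type.
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only (lexicographic order, no whitespace). Extra members
    such as kid/use/alg do not change it, so it is a stable kid for a key."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def complete_jwk(jwk: dict, alg: str = "RS256", use: str = "sig") -> dict:
    """Return a copy with kid/use/alg filled in; existing values are kept."""
    out = dict(jwk)
    out.setdefault("kid", jwk_thumbprint(jwk))
    out.setdefault("use", use)
    out.setdefault("alg", alg)
    return out


def complete_jwks(jwks: dict) -> dict:
    return {"keys": [complete_jwk(k) for k in jwks["keys"]]}


def select_key(jwks: dict, jose_header: dict) -> dict:
    """What an OIDC client library does before verifying a token signature:
    find the one signing key matching the JOSE header, or refuse to guess."""
    sig_keys = [k for k in jwks["keys"] if k.get("use", "sig") == "sig"]
    kid = jose_header.get("kid")
    if kid is None:
        # Without a kid a client can only proceed if exactly one key exists;
        # with rotation (two keys) this is where libraries misbehave.
        if len(sig_keys) != 1:
            raise ValueError("no kid in header and %d candidate keys" % len(sig_keys))
        candidates = sig_keys
    else:
        candidates = [k for k in sig_keys if k.get("kid") == kid]
        if not candidates:
            raise KeyError("no key with kid %r" % kid)
    key = candidates[0]
    # Pin the algorithm: a key published for RS256 must not verify a token
    # whose header claims a different alg.
    if "alg" in key and key["alg"] != jose_header.get("alg"):
        raise ValueError("header alg %r does not match key alg %r"
                         % (jose_header.get("alg"), key["alg"]))
    return key


if __name__ == "__main__":
    print(json.dumps(complete_jwks(CAS_JWKS), indent=2))
```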
Re: [cas-user] how to customize a filter used in CAS?
That is what I have been doing; this means a duplication of the entire class with only a change to one line. When we upgrade to the next CAS release, we would have to find such customizations and duplicate them again. I thought there may be a better way. OK!

Yan

On Monday, October 17, 2022 at 11:53:40 AM UTC-4 Ray Bon wrote:
> Yan,
>
> Copy RegisteredServiceResponseHeadersEnforcementFilter into your project and modify it. The build will replace the cas version with yours.
> You may need to add some compile dependencies to build.gradle.
>
> Ray
>
> On Mon, 2022-10-17 at 07:19 -0700, Yan Zhou wrote:
>
> Hi there,
>
> I am using CAS 6.4.x.
>
> CasFiltersConfiguration defines filters; I wish to provide my own RegisteredServiceResponseHeadersEnforcementFilter (using a different name).
>
> How would I do that without copying the entire CasFiltersConfiguration or RegisteredServiceResponseHeadersEnforcementFilter and just changing a couple of lines?
>
> I understand this is a Spring Boot question, but I think some may have a quick answer for me. Thanks a lot!
>
> Yan
>
> @ConditionalOnProperty(prefix = "cas.http-web-request.header", name = "enabled", havingValue = "true", matchIfMissing = true)
> @RefreshScope
> @Bean
> public FilterRegistrationBean responseHeadersSecurityFilter() {
>     val header = casProperties.getHttpWebRequest().getHeader();
>     val initParams = new HashMap();
>
>     ...
>
>     val bean = new FilterRegistrationBean();
>     bean.setFilter(new RegisteredServiceResponseHeadersEnforcementFilter(servicesManager.getObject(),
>         argumentExtractor.getObject(),
>         authenticationRequestServiceSelectionStrategies.getObject(),
>         registeredServiceAccessStrategyEnforcer.getObject()));
>
>     ...
>
>     return bean;
> }
[cas-user] Could this be a performance issue in CAS6?
Hi there,

The following validation is new in the CAS 6.x OIDC endpoint cas/oidc/token (requesting an access token using an authCode): OAuth20AuthorizationCodeGrantTypeTokenRequestValidator.

The log says it all: if the authCode is expired, it will attempt to revoke all access tokens issued to the authCode (new to CAS6). However, it does so by querying the entire registry: getTicketRegistry().getTickets()

@Override
protected boolean validateInternal(final WebContext context, final String grantType,
                                   final ProfileManager manager, final UserProfile uProfile) {
    ...
    if (valid) {
        val token = getConfigurationContext().getTicketRegistry().getTicket(code.get(), OAuth20Code.class);
        if (token == null || token.isExpired()) {
            LOGGER.debug("Code [{}] is invalid or expired. Attempting to revoke access tokens issued to the code", code.get());
            val accessTokensByCode = getConfigurationContext().getTicketRegistry().getTickets(ticket ->
                ticket instanceof OAuth20AccessToken
                && StringUtils.equalsIgnoreCase(((OAuth20AccessToken) ticket).getToken(), code.get()));
            accessTokensByCode.forEach(ticket -> {
                LOGGER.debug("Removing access token [{}] issued via expired/unknown code [{}]", ticket.getId(), code.get());
                getConfigurationContext().getTicketRegistry().deleteTicket(ticket);
            });
            LOGGER.warn("Request OAuth code [{}] is not found or has expired", code.get());
            return false;
        }
    ...

This is the CAS HazelcastTicketRegistry code. Note: this.ticketCatalog.findAll()

@Override
public Collection getTickets() {
    return this.ticketCatalog.findAll()
        .stream()
        .map(metadata -> getTicketMapInstanceByMetadata(metadata).values())
        .flatMap(tickets -> {
            if (pageSize > 0) {
                return tickets.stream().limit(pageSize).collect(Collectors.toList()).stream();
            }
            return new ArrayList<>(tickets).stream();
        })
        .map(this::decodeTicket)
        .collect(Collectors.toSet());
}

Would not that be a performance issue?

Yan
[cas-user] Re: Trouble CAS 6.3.x autowire JPA Repository Beans
Hi,

I remember spending a lot of time on this when we moved from CAS5 to CAS6 to get Spring Data Repository working; the reason was Spring 5 feature changes. All I had to do is add this to the startup script:

-Dspring.index.ignore=true

Spring 5 has this new feature that CAS builds on: it won't load JPA repository beans unless one of its modules has it included in META-INF/spring.components. You do NOT need to manually specify JPA and Repo classes in the spring.components file, but you will have to use this flag, which alters the default Spring 5 behavior. I am sure it is there for a good reason; I do not mind adding entity and repo classes manually, because I prefer simply sticking to the default behavior of Spring and CAS.

Yan

On Fri, Apr 1, 2022 at 4:53 PM Pablo Vidaurri wrote:
> Thanks for the input Yan.
>
> I would hate to do that for every class, but I'll try it for one or two entities/repos to see if it gets past my problem.
>
> In my current project that works for 6.3 ...
> 1) META-INF/spring.factories:
>
> org.springframework.boot.autoconfigure.EnableAutoConfiguration=com.xxx.cas.config.MyDbConfiguration
>
> Note, I have repos, entities, services for JPA related classes in a different repo than the cas classes I overlay.
>
> 2) in MyDbConfiguration.java class:
>
> @Configuration
> @EnableConfigurationProperties(CustomConfigurationProperties.class)
> @EnableJpaRepositories(
>     entityManagerFactoryRef = "myEntityManagerFactory",
>     basePackages = {"com.xxx.cas.repository"}   <--- repository interfaces
> )
>
> @Bean(name = "=myEntityManagerFactory")
> public EntityManagerFactory myEntityManagerFactory() {
>     .
>     .
>     .
>     // entity packages
>     factory.setPackagesToScan("com.xxx.cas.entity");   <-- entity classes
>     .
>     .
>     .
> }
>
> Error on startup:
> 022-04-01 15:46:49,438 WARN [org.apereo.cas.web.CasWebApplicationContext] - attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'scopedTarget.UserViewService': Unsatisfied dependency expressed through field 'userViewRepository'; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'com.xxx.cas.repository.UserViewRepository' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {@org.springframework.beans.factory.annotation.Autowired(required=true)}>
>
> -psv
>
> On Thursday, March 31, 2022 at 11:56:18 AM UTC-5 Yan Zhou wrote:
>
>> Hi,
>>
>> If JPA worked for you in 6.3 but not in 6.4, you may have a different problem than I had.
>>
>> JPA Repository does work for me in 6.4.4. This is what I did: under the project's resources/META-INF/spring.components, I explicitly spelled out all Repo and Entity classes.
>>
>> == these are my classes ==
>>
>> com...model.CasUserPwdresEventRepository=org.springframework.data.repository.Repository
>> com...model.CasUser=javax.persistence.Entity=javax.persistence.Entity
>> ...
>>
>> ==
>>
>> Like I said, this would be the same for 6.3 and 6.4.
>>
>> Yan
>>
>> On Thu, Mar 31, 2022 at 10:42 AM Pablo Vidaurri wrote:
>>
>>> I'm still having trouble with this.
>>>
>>> Has anyone upgraded to 6.4.x or above with jpa repository classes?
>>>
>>> It's as if @EnableJpaRepositories is being ignored.
>>>
>>> On Tuesday, March 1, 2022 at 10:05:41 AM UTC-6 Pablo Vidaurri wrote:
>>>
>>>> Hi Yan, have you tried this with CAS 6.4.5 which uses SpringBoot 2.5.4? I am seeing issues finding my repository beans, I have not been able to get it working. All continues to work with 6.3.7.4.
>>>>
>>>> On Monday, August 30, 2021 at 12:16:38 PM UTC-5 Yan Zhou wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> CAS6 and CAS5 are different, but they both disable DataSourceAutoConfiguration, so we need to configure the database ourselves.
>>>>>
>>>>> This is what I do, under the org.apereo.cas.config package. And then, under spring.factories, include it in auto-configuration:
>>>>>
>>>>> org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
>>>>> MyConfiguration
>>>>>
>>>>> Hope that works.
[cas-user] Re: Trouble CAS 6.3.x autowire JPA Repository Beans
Hi,

If JPA worked for you in 6.3 but not in 6.4, you may have a different problem than I had.

JPA Repository does work for me in 6.4.4. This is what I did: under the project's resources/META-INF/spring.components, I explicitly spelled out all Repo and Entity classes.

== these are my classes ==

com...model.CasUserPwdresEventRepository=org.springframework.data.repository.Repository
com...model.CasUser=javax.persistence.Entity=javax.persistence.Entity
...

==

Like I said, this would be the same for 6.3 and 6.4.

Yan

On Thu, Mar 31, 2022 at 10:42 AM Pablo Vidaurri wrote:
> I'm still having trouble with this.
>
> Has anyone upgraded to 6.4.x or above with jpa repository classes?
>
> It's as if @EnableJpaRepositories is being ignored.
>
> On Tuesday, March 1, 2022 at 10:05:41 AM UTC-6 Pablo Vidaurri wrote:
>
>> Hi Yan, have you tried this with CAS 6.4.5 which uses SpringBoot 2.5.4? I am seeing issues finding my repository beans, I have not been able to get it working. All continues to work with 6.3.7.4.
>>
>> On Monday, August 30, 2021 at 12:16:38 PM UTC-5 Yan Zhou wrote:
>>
>>> Hello,
>>>
>>> CAS6 and CAS5 are different, but they both disable DataSourceAutoConfiguration, so we need to configure the database ourselves.
>>>
>>> This is what I do, under the org.apereo.cas.config package. And then, under spring.factories, include it in auto-configuration:
>>>
>>> org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
>>> MyConfiguration
>>>
>>> Hope that works.
>>>
>>> Yan
>>>
>>> @Configuration("MyDatabaseConfiguration")
>>> @EnableJpaRepositories(
>>>     entityManagerFactoryRef = "entityManagerFactory",
>>>     basePackages = { "."} // packages where repositories live
>>> )
>>> public class MyDatabaseConfiguration {
>>>     private static final Logger logger = LoggerFactory.getLogger(QuestDatabaseConfiguration.class);
>>>
>>>     @Bean(name = "casDataSource")
>>>     protected DataSource casDS() {
>>>         try {
>>>             JndiObjectFactoryBean bean = new JndiObjectFactoryBean();
>>>             bean.setJndiName("java:comp/.");
>>>             bean.setProxyInterface(DataSource.class);
>>>             bean.setLookupOnStartup(false);
>>>             bean.afterPropertiesSet();
>>>             return (DataSource) bean.getObject();
>>>         } catch (Exception ex) {
>>>             logger.error("Cannot find datasource.", ex);
>>>             return null;
>>>         }
>>>     }
>>>
>>>     @Bean(name = "entityManagerFactory")
>>>     public EntityManagerFactory entityManagerFactory() {
>>>         HibernateJpaVendorAdapter vendorAdapter = new HibernateJpaVendorAdapter();
>>>
>>>         LocalContainerEntityManagerFactoryBean factory = new LocalContainerEntityManagerFactoryBean();
>>>         factory.setJpaVendorAdapter(vendorAdapter);
>>>         factory.setJpaProperties(additionalProperties());
>>>
>>>         // packages where entities live
>>>         factory.setPackagesToScan(new String[] {"..."});
>>>
>>>         factory.setDataSource(casDS());
>>>         factory.afterPropertiesSet();
>>>
>>>         return factory.getObject();
>>>     }
>>>
>>>     Properties additionalProperties() {
>>>         Properties properties = new Properties();
>>>         properties.setProperty("hibernate.dialect", "org.hibernate.dialect.Oracle10gDialect");
>>>         return properties;
>>>     }
>>>
>>>     @Bean
>>>     public PlatformTransactionManager transactionManager(@Qualifier("entityManagerFactory") EntityManagerFactory emf) {
>>>         JpaTransactionManager txManager = new JpaTransactionManager();
>>>         txManager.setEntityManagerFactory(emf);
>>>         return txManager;
>>>     }
>>> }
>>>
>>> On Mon, Aug 30, 2021 at 4:12 AM Ivan Green wrote:
>>>
>>>> Hello!
>>>>
>>>> I would be very grateful for your help.
>>>>
>>>> Faced the same problem on CAS 5.2.3.
>>>>
>>>> I am using spring data jpa.
>>>>
>>>> In the application.properties file, I described the connection to the database through the standard:
Re: [cas-user] Re: Hazelcast integration, TGT, ST, OIDC tokens serialization jars?
This is the CAS HazelcastTicketRegistry code. It is writing to the HZ IMap object with the TGT object. I do not see any special code; it seems to write the TGTTicketImpl object into the IMap.

public void addTicketInternal(final Ticket ticket) {
    val metadata = this.ticketCatalog.find(ticket);
    val ticketMap = getTicketMapInstanceByMetadata(metadata);
    if (ticketMap != null) {
        ticketMap.set(encTicket.getId(), encTicket, ttl, TimeUnit.SECONDS);
    }
}

On Mon, Feb 28, 2022 at 12:26 PM Ray Bon wrote:
> Yan Zhou,
>
> I would think that cas prepares the tickets prior to sending them to hazelcast. Hazelcast should not need to know about the specifics of the data being stored.
>
> Ray
>
> On Mon, 2022-02-28 at 08:45 -0800, Yan Zhou wrote:
>
> Hi,
>
> I realize what may be happening: the CAS documentation assumes embedded HZ; HZ and CAS live in the same JVM and therefore have access to all CAS jars.
>
> But our HZ is external to CAS; multiple CAS apps point to the same HZ cluster running on separate VMs. How do I know which jars to package and place under HZ's lib directory to resolve all these errors?
>
> And further, we have CAS5 and CAS6; can I place the mix of cas5 and cas6 jars under the same HZ lib without conflict?
>
> 2022-02-25 17:40:55 ERROR QueryPartitionOperation - [devcas705.mdc.qdx.com]:5701 [hz-nist-dev] [4.2] java.lang.ClassNotFoundException: org.apereo.cas.ticket.refreshtoken.OAuth20DefaultRefreshToken
> com.hazelcast.nio.serialization.HazelcastSerializationException: java.lang.ClassNotFoundException: org.apereo.cas.ticket.refreshtoken.OAuth20DefaultRefreshToken
>     at com.hazelcast.internal.serialization.impl.defaultserializers.JavaDefaultSerializers$JavaSerializer.read(JavaDefaultSerializers.java:90)
>     at com.hazelcast.internal.serialization.impl.defaultserializers.JavaDefaultSerializers$JavaSerializer.read(JavaDefaultSerializers.java:79)
>     at com.hazelcast.internal.serialization.impl.StreamSerializerAdapter.read(StreamSerializerAdapter.java:44)
>     at com.hazelcast.internal.serialization.impl.AbstractSerializationService.toObject(AbstractSerializationService.java:208)
>     at com.hazelcast.map.impl.record.Records.tryStoreIntoCache(Records.java:203)
>     at com.hazelcast.map.impl.record.Records.getValueOrCachedValue(Records.java:170)
>     at com.hazelcast.map.impl.query.PartitionScanRunner$1.accept(PartitionScanRunner.java:94)
>     at com.hazelcast.map.impl.query.PartitionScanRunner$1.accept(PartitionScanRunner.java:89)
>     at com.hazelcast.map.impl.recordstore.DefaultRecordStore.forEach(DefaultRecordStore.java:278)
>     at com.hazelcast.map.impl.recordstore.DefaultRecordStore.forEach(DefaultRecordStore.java:261)
>
> On Monday, February 28, 2022 at 11:11:44 AM UTC-5 Yan Zhou wrote:
>
> Hi there,
>
> Anyone having to deal with token/ticket storage that requires serializing CAS objects, like Hazelcast?
>
> For instance, TGT, ST, OIDC RT/AT all go to the Hazelcast ticket registry, which requires serializing any objects put on the IMap.
>
> Would I have to package all jars containing these classes and place them in the hazelcast lib folder?
>
> These classes are non-trivial and always have a tree of other objects; how do you deal with that?
>
> Below is an example of the TGT in CAS5, let alone the other objects in CAS5/CAS6, etc.
>
> Thanks,
> Yan
>
> public class TicketGrantingTicketImpl extends AbstractTicket implements TicketGrantingTicket {
>
>     /**
>      * Unique Id for serialization.
>      */
>     private static final long serialVersionUID = -8608149809180911599L;
>
>     /**
>      * The authenticated object for which this ticket was generated for.
>      */
>     @Lob
>     @Column(name = "AUTHENTICATION", nullable = false, length = Integer.MAX_VALUE)
>     private Authentication authentication;
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.
[cas-user] Re: Hazelcast integration, TGT, ST, OIDC tokens serialization jars?
Hi,

I realize what may be happening: the CAS documentation assumes embedded HZ; HZ and CAS live in the same JVM and therefore have access to all CAS jars.

But our HZ is external to CAS; multiple CAS apps point to the same HZ cluster running on separate VMs. How do I know which jars to package and place under HZ's lib directory to resolve all these errors?

And further, we have CAS5 and CAS6; can I place the mix of cas5 and cas6 jars under the same HZ lib without conflict?

2022-02-25 17:40:55 ERROR QueryPartitionOperation - [devcas705.mdc.qdx.com]:5701 [hz-nist-dev] [4.2] java.lang.ClassNotFoundException: org.apereo.cas.ticket.refreshtoken.OAuth20DefaultRefreshToken
com.hazelcast.nio.serialization.HazelcastSerializationException: java.lang.ClassNotFoundException: org.apereo.cas.ticket.refreshtoken.OAuth20DefaultRefreshToken
    at com.hazelcast.internal.serialization.impl.defaultserializers.JavaDefaultSerializers$JavaSerializer.read(JavaDefaultSerializers.java:90)
    at com.hazelcast.internal.serialization.impl.defaultserializers.JavaDefaultSerializers$JavaSerializer.read(JavaDefaultSerializers.java:79)
    at com.hazelcast.internal.serialization.impl.StreamSerializerAdapter.read(StreamSerializerAdapter.java:44)
    at com.hazelcast.internal.serialization.impl.AbstractSerializationService.toObject(AbstractSerializationService.java:208)
    at com.hazelcast.map.impl.record.Records.tryStoreIntoCache(Records.java:203)
    at com.hazelcast.map.impl.record.Records.getValueOrCachedValue(Records.java:170)
    at com.hazelcast.map.impl.query.PartitionScanRunner$1.accept(PartitionScanRunner.java:94)
    at com.hazelcast.map.impl.query.PartitionScanRunner$1.accept(PartitionScanRunner.java:89)
    at com.hazelcast.map.impl.recordstore.DefaultRecordStore.forEach(DefaultRecordStore.java:278)
    at com.hazelcast.map.impl.recordstore.DefaultRecordStore.forEach(DefaultRecordStore.java:261)

On Monday, February 28, 2022 at 11:11:44 AM UTC-5 Yan Zhou wrote:
> Hi there,
>
> Anyone having to deal with token/ticket storage that requires serializing CAS objects, like Hazelcast?
>
> For instance, TGT, ST, OIDC RT/AT all go to the Hazelcast ticket registry, which requires serializing any objects put on the IMap.
>
> Would I have to package all jars containing these classes and place them in the hazelcast lib folder?
>
> These classes are non-trivial and always have a tree of other objects; how do you deal with that?
>
> Below is an example of the TGT in CAS5, let alone the other objects in CAS5/CAS6, etc.
>
> Thanks,
> Yan
>
> public class TicketGrantingTicketImpl extends AbstractTicket implements TicketGrantingTicket {
>
>     /**
>      * Unique Id for serialization.
>      */
>     private static final long serialVersionUID = -8608149809180911599L;
>
>     /**
>      * The authenticated object for which this ticket was generated for.
>      */
>     @Lob
>     @Column(name = "AUTHENTICATION", nullable = false, length = Integer.MAX_VALUE)
>     private Authentication authentication;
[cas-user] Hazelcast integration, TGT, ST, OIDC tokens serialization jars?
Hi there,

Anyone having to deal with token/ticket storage that requires serializing CAS objects, like Hazelcast?

For instance, TGT, ST, OIDC RT/AT all go to the Hazelcast ticket registry, which requires serializing any objects put on an IMap.

Would I have to package all jars containing these classes and place them in the hazelcast lib folder?

These classes are non-trivial and always have a tree of other objects; how do you deal with that?

Below is an example of TGT in CAS5, let alone the other objects in CAS5/CAS6, etc.

Thanks,
Yan

public class TicketGrantingTicketImpl extends AbstractTicket implements TicketGrantingTicket {

    /**
     * Unique Id for serialization.
     */
    private static final long serialVersionUID = -8608149809180911599L;

    /**
     * The authenticated object for which this ticket was generated for.
     */
    @Lob
    @Column(name = "AUTHENTICATION", nullable = false, length = Integer.MAX_VALUE)
    private Authentication authentication;

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e1ac61e9-8383-4192-b994-aa57f984a574n%40apereo.org.
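The stack trace in the follow-up message above shows where the class is needed: while scanning a partition for a map query (QueryPartitionOperation, PartitionScanRunner) the member calls toObject on stored values through Hazelcast's built-in Java serializer, so every class in the stored object graph, not only the ticket class, must be loadable on the member. The following is an added example, not CAS or Hazelcast code, of a JDK-only tool that lists that graph: it serializes an object, reads it back through an ObjectInputStream whose resolveClass hook records each class descriptor, and reports the jar (or directory) each class was loaded from. SampleTicket and SampleAuthentication are constructed stand-ins for the real ticket tree; on a CAS overlay the same RecordingObjectInputStream would be run against a real ticket with WEB-INF/lib on the classpath, and the reported jars are the ones the external member needs. Because a classloader resolves one class per name, the tool also reports one location per name; jars from two CAS versions sharing one lib directory would leave only one of any duplicated class visible to Hazelcast, which is the conflict to check for.

```java
// Added example (not CAS or Hazelcast code): list every class a Java-serialized
// object graph needs at deserialization time, and the jar each one resolves from.
// Run it on a JVM that has the producing application's jars on the classpath
// (for a CAS overlay, WEB-INF/lib); the reported jars are what the member needs.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

public class SerializedClassGraphLister {

    /** ObjectInputStream that records each class descriptor it is asked to resolve. */
    static final class RecordingObjectInputStream extends ObjectInputStream {
        final Map<String, String> classToLocation = new TreeMap<>();

        RecordingObjectInputStream(byte[] bytes) throws IOException {
            super(new ByteArrayInputStream(bytes));
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            // This is the point at which a member lacking the jar fails with
            // ClassNotFoundException; here the classes exist, so we just record them.
            Class<?> cls = super.resolveClass(desc);
            classToLocation.put(desc.getName(), locationOf(cls));
            return cls;
        }
    }

    /** Jar (or directory) a class was loaded from; "JDK" for bootstrap and primitive types. */
    static String locationOf(Class<?> cls) {
        while (cls.isArray()) {
            cls = cls.getComponentType();
        }
        if (cls.isPrimitive()) {
            return "JDK";
        }
        CodeSource src = cls.getProtectionDomain().getCodeSource();
        return (src == null || src.getLocation() == null) ? "JDK" : src.getLocation().toString();
    }

    /** Serializes the object, reads it back, and returns class name -> location for the whole graph. */
    public static Map<String, String> classesNeededBy(Serializable obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(obj);
        }
        try (RecordingObjectInputStream in = new RecordingObjectInputStream(buf.toByteArray())) {
            in.readObject();
            return in.classToLocation;
        }
    }

    // Constructed stand-ins for a ticket and the objects hanging off it (not CAS classes).
    static final class SampleAuthentication implements Serializable {
        private static final long serialVersionUID = 1L;
        final String principalId;
        final Map<String, List<String>> attributes;

        SampleAuthentication(String principalId, Map<String, List<String>> attributes) {
            this.principalId = principalId;
            this.attributes = attributes;
        }
    }

    static final class SampleTicket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final SampleAuthentication authentication;

        SampleTicket(String id, SampleAuthentication authentication) {
            this.id = id;
            this.authentication = authentication;
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, List<String>> attrs = new TreeMap<>();
        attrs.put("mail", new ArrayList<>(List.of("jsmith@example.org")));
        SampleTicket ticket = new SampleTicket("TGT-1-example", new SampleAuthentication("jsmith", attrs));

        // One line per class the receiving JVM must be able to load, plus where it lives here.
        for (Map.Entry<String, String> e : classesNeededBy(ticket).entrySet()) {
            System.out.println(e.getKey() + " <- " + e.getValue());
        }
    }
}
```

Strings and primitives never appear in the listing because Java serialization writes them without a class descriptor; everything else in the tree, including superclasses such as AbstractTicket and the collection classes holding attributes, does, which is why the member-side list is longer than the ticket class alone.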
[cas-user] cas6, scope exists even if attribute not released?
Hi there,

I am using CAS 6.4.4, OIDC flow with custom scopes and attributes. This is what I expected to see: if the authHandler puts in the attributes (mapped to claims) required by the scope, access token introspection will show the token has that scope; otherwise, it will not show the scope.

For instance, a client requests the readOrders and writeOrders scopes, and the app does support both. But the authHandler may determine that the login user can only have readOrders permission but not writeOrders permission, and therefore does not set the attributes required for writeOrders. Such an access token obtained as a result of OIDC should have the readOrders but not the writeOrders scope.

But in reality, my token always shows both readOrders AND writeOrders scopes, even if the attribute release for the writeOrders scope is null (and thus not released).

Did I misunderstand scope/claim/attributes in some way?

Thanks,
Yan

cas.authn.oidc.discovery.scopes=openid,email,profile,readOrders,writeOrders
cas.authn.oidc.core.userDefinedScopes.readOrders=readOrders
cas.authn.oidc.core.userDefinedScopes.writeOrders=writeOrders
cas.authn.oidc.discovery.claims=sub,name,preferred_username,family_name, \
  given_name,middle_name,profile, \
  picture,nickname,website,zoneinfo,locale,updated_at,birthdate, \
  email,email_verified,phone_number,phone_number_verified,address, \
  readOrders,writeOrders
cas.authn.oidc.core.claimsMap.readOrders=readOrders
cas.authn.oidc.core.claimsMap.writeOrders=writeOrders

And the authHandler sets attributes:

public class MyAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {
    // ... inside authenticateUsernamePasswordInternal(...); the elided parts are not in the original post
        if (doesNotHaveWritePermission(...)) {
            attributes.put("readOrders", List.of("true"));
        } else {
            attributes.put("readOrders", List.of("true"));
            attributes.put("writeOrders", List.of("true"));
        }
        principal = this.principalFactory.createPrincipal(user.getLoginName(), attributes);
        return createHandlerResult(credential, principal);
== END ==

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2a632b6f-3c49-4acc-a634-974ab103f32en%40apereo.org.
[cas-user] CAS 6.4, Skip MFA for NonInteractiveCredentialsAction
Hi there,

CAS 6.4.x. We have global MFA turned on for all requests, but we want our SSO traffic to skip MFA. I run into a problem with CAS looking for simple-mfa during our SSO login flow. I followed the CAS source on token authentication, but have not found a solution. The following is some info. Thanks in advance!

cas.properties:

cas.authn.mfa.triggers.global.global-provider-id=mfa-simple
cas.authn.mfa.simple.name=mfa-simple
cas.authn.mfa.simple.order=1

service json:

"multifactorPolicy" : {
  "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
  "bypassPrincipalAttributeName": "questSkipMFA"
}

We have a separate SSO authenticationHandler that will set the principal attribute, so that the MFA module will know to skip MFA.

This is my SSO webflow; once SSO passes, we issue a TGT, and authN completes.

public class SsoLoginWebflowConfigurer extends AbstractCasWebflowConfigurer {

    @Override
    protected void doInitialize() {
        val flow = getLoginFlow();
        if (flow != null) {
            val state = getState(flow, CasWebflowConstants.STATE_ID_INIT_LOGIN_FORM, ActionState.class);
            createTransitionForState(state, TRANSITION_ID_SSO_AUTHENTICATION_CHECK, STATE_ID_SSO_AUTHENTICATION_CHECK);

            val actionState = createActionState(flow, STATE_ID_SSO_AUTHENTICATION_CHECK,
                createEvaluateAction("oktaSamlNonInteractiveCredentialsAction"));
            createTransitionForState(actionState, CasWebflowConstants.TRANSITION_ID_ERROR, "lsmSAMLFailed");

            val lsmSamlFailed = createViewState(flow, "lsmSAMLFailed", "error/casLsmTokenErrorView");
            createStateDefaultTransition(lsmSamlFailed, "viewLoginForm");

            createTransitionForState(actionState, CasWebflowConstants.TRANSITION_ID_SUCCESS,
                CasWebflowConstants.STATE_ID_CREATE_TICKET_GRANTING_TICKET);
            // ... (remainder elided in the original post)
        }
    }
}

Here is the error I get. It looks like CAS is looking for the mfa-simple state (probably because I have globally turned on MFA). How can I append the mfa-simple flow into this flow definition? And when I do so, I assume it will note the attribute and skip the actual mfa flow?

2021-12-17 00:42:17,828 DEBUG [org.apereo.cas.authentication.mfa.trigger.GlobalMultifactorAuthenticationTrigger] -
2021-12-17 00:42:17,832 DEBUG [org.apereo.cas.authentication.mfa.trigger.GlobalMultifactorAuthenticationTrigger] -
2021-12-17 00:42:17,832 TRACE [org.apereo.cas.authentication.MultifactorAuthenticationUtils] -
2021-12-17 00:42:17,833 TRACE [org.apereo.cas.authentication.MultifactorAuthenticationUtils] -
2021-12-17 00:42:17,834 ERROR [org.apereo.cas.authentication.MultifactorAuthenticationUtils] -
2021-12-17 00:42:17,836 DEBUG [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] -
== end ==

Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/df95fadd-0fbc-4944-8668-51f6443f4fd9n%40apereo.org.
[cas-user] Re: Trouble CAS 6.3.x autowire JPA Repository Beans
Hello,

CAS6 and CAS5 are different, but they both disable DataSourceAutoConfiguration, so we need to configure the database ourselves. This is what I do, under the org.apereo.cas.config package. And then, under spring.factories, include it in auto-configuration:

org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
MyConfiguration

Hope that works.

Yan

import java.util.Properties;

import javax.persistence.EntityManagerFactory;
import javax.sql.DataSource;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.jpa.repository.config.EnableJpaRepositories;
import org.springframework.jndi.JndiObjectFactoryBean;
import org.springframework.orm.jpa.JpaTransactionManager;
import org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean;
import org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter;
import org.springframework.transaction.PlatformTransactionManager;

@Configuration("MyDatabaseConfiguration")
@EnableJpaRepositories(
    entityManagerFactoryRef = "entityManagerFactory",
    basePackages = { "." }  // packages where repositories live
)
public class MyDatabaseConfiguration {

    private static final Logger logger = LoggerFactory.getLogger(MyDatabaseConfiguration.class);

    // Container-managed DataSource, looked up from JNDI lazily on first use.
    @Bean(name = "casDataSource")
    protected DataSource casDS() {
        try {
            JndiObjectFactoryBean bean = new JndiObjectFactoryBean();
            bean.setJndiName("java:comp/.");
            bean.setProxyInterface(DataSource.class);
            bean.setLookupOnStartup(false);
            bean.afterPropertiesSet();
            return (DataSource) bean.getObject();
        } catch (Exception ex) {
            logger.error("Cannot find datasource.", ex);
            return null;
        }
    }

    @Bean(name = "entityManagerFactory")
    public EntityManagerFactory entityManagerFactory() {
        HibernateJpaVendorAdapter vendorAdapter = new HibernateJpaVendorAdapter();
        LocalContainerEntityManagerFactoryBean factory = new LocalContainerEntityManagerFactoryBean();
        factory.setJpaVendorAdapter(vendorAdapter);
        factory.setJpaProperties(additionalProperties());
        // packages where entities live
        factory.setPackagesToScan(new String[] { "..." });
        factory.setDataSource(casDS());
        factory.afterPropertiesSet();
        return factory.getObject();
    }

    Properties additionalProperties() {
        Properties properties = new Properties();
        properties.setProperty("hibernate.dialect", "org.hibernate.dialect.Oracle10gDialect");
        return properties;
    }

    @Bean
    public PlatformTransactionManager transactionManager(@Qualifier("entityManagerFactory") EntityManagerFactory emf) {
        JpaTransactionManager txManager = new JpaTransactionManager();
        txManager.setEntityManagerFactory(emf);
        return txManager;
    }
}

On Mon, Aug 30, 2021 at 4:12 AM Ivan Green wrote:
> Hello!
>
> I would be very grateful for your help.
>
> Faced the same problem on CAS 5.2.3.
>
> I am using spring data jpa.
>
> In the application.properties file, I described the connection to the database through the standard:
>
> spring.datasource.url =
> spring.datasource.username =
> spring.datasource.password =
> spring.jpa.show-sql =
> spring.jpa.hibernate.ddl-auto =
> spring.jpa.properties.hibernate.dialect =
>
> Next, I created entities and a repository extending CrudRepository.
>
> When trying to @Autowired my repos in services, I get a NoSuchBeanDefinition error.
>
> The configuration goes through the spring.factories file:
>
> org.springframework.boot.autoconfigure.EnableAutoConfiguration = ru.test.security.core.cas.config.CasMainPropertiesConfig
>
> CasMainPropertiesConfig, which contains:
>
> @Configuration("ConfigurationName")
> @EnableConfigurationProperties(CasConfigurationProperties.class)
> @ComponentScan("ru.test.security.core")
> @PropertySource("file:C/.../cas.standalone.properties")
> public class CasMainPropertiesConfig {
>
> }
>
> When trying to insert @EnableJpaRepository or @EntityScan here, the application simply does not start, with an error:
>
> [org.apereo.cas.web.CasWebApplicationContext] - during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanDefinitionStoreException: Failed to process import candidates for configuration class [org.apereo.cas.web.CasWebApplication]; nested exception is java.lang.NoClassDefFoundError: org/springframework/data/repository/config/BootstrapMode
>
> What's going wrong? Tried adding -Dspring.index.ignore=true to the run and nothing changes.
>
> I hope very much for your help.
>
> Saturday, May 15, 2021 at 00:10:12 UTC+3, Yan Zhou:
>
>> I figured it out before I was about to give up. All I had to do is add this to the startup script: -Dspring.index.ignore=true
>>
>> Spring 5 has this new feature that CAS builds on; it won't load JPA repository beans unless one of its modules has it included in META-INF/spring.components
>>
>> Once I understood that, I can follow the CAS framework to get it done without using that flag.
>>
>> On Thursday, May 13, 2021 at 9:55:00 PM UTC-4 Pablo Vidaurri wrote:
>>
>>> I assume you are also using
>>> org.springframework.bo
[cas-user] how to specify log4j2.xml not to use /tmp/logs in CAS6.4 overlay?
Hello,

I am using the CAS 6.4 overlay. I package the war and deploy it to tomcat. cas-server-webapp-tomcat-6.4.0-RC6.jar has a log4j2.xml that points to /tmp/logs.

I have already set this in my cas.properties:

# mine is Windows
logging.config=c://apache-tomcat-cas6/lib/cas6/log4j2.xml

The log4j2.xml is observed; however, I still see /tmp/logs being created. How can I disable the use of the log4j2.xml inside cas-server-webapp-tomcat-6.4.0-RC6.jar?

Thx!
Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8317d9db-6b91-4480-bbeb-2f0093ac8401n%40apereo.org.
Re: [cas-user] CAS 6.2.8 In-memory ticket registry still starting when using Hazelcast ticket registry
Hello,

I see this in 6.4 RC4. I use Hazelcast; I see connections made, but tickets do not go into HZ. Is that because they are still in memory?

Yan

On Monday, July 19, 2021 at 12:38:11 PM UTC-4 Ray Bon wrote:
> Jeremy,
>
> I see this in cas 6.3.4 as well.
>
> Ray
>
> On Mon, 2021-07-19 at 15:19 +, Wickham, Jeremy wrote:
>
> Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
>
> I am looking to go to production with v6.2.8 very soon and I am seeing the following log file when I am starting up.
>
> WARN [com.hazelcast.cp.CPSubsystem] - <[130.18.50.51]:5701 [dev] [4.0.1] CP Subsystem is not enabled. CP data structures will operate in UNSAFE mode! Please note that UNSAFE mode will not provide strong consistency guarantees.>
>
> DEBUG [org.apereo.cas.config.HazelcastTicketRegistryConfiguration] - [DefaultTicketDefinitionProperties(cascadeRemovals=false, storageName=serviceTicketsCache, storageTimeout=10, storagePassword=null, excludeFromCascade=false)]>
>
> …
>
> DEBUG [org.apereo.cas.config.HazelcastTicketRegistryConfiguration] -
>
> DEBUG [org.apereo.cas.util.CoreTicketUtils] - encryption/signing is enabled for [hazelcast]>
>
> Then later in the logs I see the following
>
> WARN [org.apereo.cas.config.CasCoreTicketsConfiguration] - is used as the persistence storage for retrieving and managing tickets. Tickets that are issued during runtime will be LOST when the web server is restarted. This MAY impact SSO functionality.>
>
> INFO [org.apereo.cas.util.CoreTicketUtils] - encryption/signing is turned off. This MAY NOT be safe in a clustered production environment. Consider using other choices to handle encryption, signing and verification of ticket registry tickets, and verify the chosen ticket registry does support this behavior.>
>
> I am reviving this old thread, as it seemed to not have any response that I can find. I am not able to find a solution for this issue just yet. Was wondering if this has been resolved in a newer version? Or is there a workaround to ensure that the in-memory ticket registry is not being used? Also, is there any insight into the CP Subsystem not enabled warning?
>
> Thanks,
> -Jeremy
>
> *From:* cas-...@apereo.org *On Behalf Of *Christian Schmidt
> *Sent:* Friday, September 20, 2019 10:16 AM
> *To:* CAS Community
> *Cc:* mmoa...@unicon.net
> *Subject:* Re: [cas-user] CAS 5.1.0-RC4 In-memory ticket registry still starting when using Hazelcast ticket registry
>
> Hi,
>
> I just went through the logs of a new installation of 6.1 RC6 and found the same logging entry as Matt with Version 5.1.
>
> 2019-09-20 16:38:26,277 DEBUG [org.apereo.cas.config.HazelcastTicketRegistryConfiguration] - Hazelcast map configuration for [DefaultTicketDefinitionProperties(cascade=false, storageName=serviceTicketsCache, storageTimeout=10, storagePassword=null)]>
>
> ...
>
> 2019-09-20 16:38:33,655 INFO [org.apereo.cas.util.CoreTicketUtils] - a clustered production environment. Consider using other choices to handle encryption, signing and verification of ticket registry tickets, and verify the chosen ticket registry does support this behavior.>
>
> According to the logs HZ is starting, and according to netstat it is also running as expected.
>
> I had a quick look at the sources and there is no way around that the function ticketRegistry() in the CasCoreTicketsConfiguration class is getting called after the HZ ticket registry is created.
>
> --> where can I, as mentioned by Misagh, report this as a Bug?
[cas-user] CAS double submit issue?
Hi,

I noticed this in CAS4.x and CAS5.x. CAS is built on Spring Webflow, which should automatically prevent double submission, but on my CAS overlay it does not.

After a form submits (such as Login, Password Reset), if the action takes longer to complete and the user clicks again before the POST is completed, I see the 2nd call coming in while the first is still being executed.

What am I missing? How would CAS (or Spring Webflow) prevent double-submit out of the box?

P.S., this is not about the browser refresh, which happens when the form is submitted for the 2nd time _AFTER_ the 1st POST completes. Mine is about clicking the submit button very fast: you generate multiple executions of the same action, when there should only be one.

Thx!
Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7957f34e-a7bf-4f84-83e7-e6c4cd9c02c1n%40apereo.org.
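One way to make a fast second click fail instead of running the action twice, shown here as an added illustration that is not CAS's or Spring Webflow's own mechanism: the rendered form carries a single-use token in a hidden field, and the POST handler consumes the token with an atomic remove before doing any work, so of several simultaneous submissions carrying the same token exactly one proceeds and the rest are rejected while the first is still executing. OneShotSubmitGuard and its method names are hypothetical; the in-memory map stands in for whatever per-session or shared store the deployment uses, and the token should additionally be bound to the user's session so that a token issued to one browser cannot be consumed from another.

```java
// Added example (not CAS or Spring Webflow code): a single-use form token whose
// consumption is atomic, so concurrent duplicate submissions cannot both succeed.
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

public class OneShotSubmitGuard {
    private static final SecureRandom RANDOM = new SecureRandom();

    /** token -> time issued (ms). Hypothetical in-memory store; bind to the session in a real deployment. */
    private final Map<String, Long> outstanding = new ConcurrentHashMap<>();
    private final long ttlMillis;

    public OneShotSubmitGuard(long ttlMillis) {
        this.ttlMillis = ttlMillis;
    }

    /** Called when the form is rendered: the returned token goes into a hidden field. */
    public String issue() {
        byte[] raw = new byte[24];
        RANDOM.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        outstanding.put(token, System.currentTimeMillis());
        return token;
    }

    /**
     * Called at the top of the POST handler, before the slow action runs.
     * ConcurrentHashMap.remove is atomic, so of N simultaneous posts carrying the
     * same token exactly one sees a non-null value; the others get false.
     */
    public boolean consume(String token) {
        if (token == null) {
            return false;
        }
        Long issued = outstanding.remove(token);
        return issued != null && System.currentTimeMillis() - issued <= ttlMillis;
    }

    /** Drops expired tokens so abandoned forms cannot grow the store forever; returns how many were dropped. */
    public int purgeExpired() {
        long cutoff = System.currentTimeMillis() - ttlMillis;
        int before = outstanding.size();
        outstanding.values().removeIf(issued -> issued < cutoff);
        return before - outstanding.size();
    }

    /** Simulates a fast double (or N-fold) click: `clicks` threads post the same token at the same instant. */
    public static int acceptedSubmissions(int clicks) throws InterruptedException {
        OneShotSubmitGuard guard = new OneShotSubmitGuard(60_000);
        String token = guard.issue();
        AtomicInteger accepted = new AtomicInteger();
        CountDownLatch start = new CountDownLatch(1);
        CountDownLatch done = new CountDownLatch(clicks);
        for (int i = 0; i < clicks; i++) {
            new Thread(() -> {
                try {
                    start.await();
                    if (guard.consume(token)) {
                        accepted.incrementAndGet();
                    }
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                } finally {
                    done.countDown();
                }
            }).start();
        }
        start.countDown();  // release all threads together
        done.await();
        return accepted.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("accepted out of 5 simultaneous posts: " + acceptedSubmissions(5));
    }
}
```

acceptedSubmissions returns 1 for any number of clicks, because only the thread whose remove call wins gets a non-null timestamp; a token that is reused after a successful post, or presented after its TTL, is rejected the same way. The action itself still has to be idempotent or transactional for the case where the first request fails midway, since this guard only stops the duplicate from starting.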
[cas-user] Re: Trouble CAS 6.3.x autowire JPA Repository Beans
I figured it out before I was about to give up. All I had to do is add this to the startup script: -Dspring.index.ignore=true

Spring 5 has this new feature that CAS builds on; it won't load JPA repository beans unless one of its modules has it included in META-INF/spring.components

Once I understood that, I can follow the CAS framework to get it done without using that flag.

On Thursday, May 13, 2021 at 9:55:00 PM UTC-4 Pablo Vidaurri wrote:
> I assume you are also using org.springframework.boot:spring-boot-starter-data-jpa
>
> or is there a special CAS dependency to use instead?
>
> On Thursday, May 13, 2021 at 5:42:23 PM UTC-5 Yan Zhou wrote:
>
>> Hello,
>>
>> I am about to give up and stay with jdbcTemplate. I am unable to get Spring JPA Data Repository to work with the CAS 6.4 snapshot.
>>
>> This is my CasWebApplication; everything about the data repository is enabled. But there is no indication in the logs that data-jpa autoConfiguration is taking place.
>>
>> @SpringBootApplication(
>>     scanBasePackages = {"org.apereo.cas", "com.quest.cas"},
>>     exclude = {
>>         GroovyTemplateAutoConfiguration.class
>>     },
>>     proxyBeanMethods = false)
>> @EnableJpaRepositories(basePackages = {"com.quest.cas.prs.model"})
>> @EntityScan(basePackages = {"com.quest.cas.prs.model"})
>> @EnableConfigurationProperties(CasConfigurationProperties.class)
>> @EnableAsync
>> @EnableAspectJAutoProxy(proxyTargetClass = true)
>> @EnableTransactionManagement(proxyTargetClass = true)
>> @EnableScheduling
>> @NoArgsConstructor
>> @Slf4j
>> public class CasWebApplication {
>>
>> There must be something preventing the Data repository from running; see below for some conditions from Spring. I think my runtime environment should allow it to run, but it does not.
>>
>> @Configuration(proxyBeanMethods = false)
>> @ConditionalOnBean(DataSource.class)
>> @ConditionalOnClass(JpaRepository.class)
>> @ConditionalOnMissingBean({ JpaRepositoryFactoryBean.class, JpaRepositoryConfigExtension.class })
>> @ConditionalOnProperty(prefix = "spring.data.jpa.repositories", name = "enabled", havingValue = "true", matchIfMissing = true)
>> @Import(JpaRepositoriesRegistrar.class)
>> @AutoConfigureAfter({ HibernateJpaAutoConfiguration.class, TaskExecutionAutoConfiguration.class })
>> public class JpaRepositoriesAutoConfiguration {
>>
>> Yan
>>
>> On Wednesday, May 12, 2021 at 2:33:07 PM UTC-4 Pablo Vidaurri wrote:
>>
>>> Having the same problem with the autowire of the repository annotated class. Any help would be appreciated.
>>>
>>> -psv
>>>
>>> On Tuesday, May 11, 2021 at 8:43:05 AM UTC-5 Yan Zhou wrote:
>>>
>>>> Hello,
>>>>
>>>> CAS uses Spring JdbcTemplate; it does not use Spring JPA Data Repository. I was able to easily add that in CAS 5.3, but ran into difficulty with CAS 6.3.
>>>>
>>>> The Spring JPA Data Repository allows me to define interfaces, and Spring provides beans that implement them and takes care of all the injection.
>>>>
>>>> In CAS 6.3, I keep getting the error NoSuchBeanDefinition; in other words, Spring did not instantiate beans for the repository interfaces as it should.
>>>>
>>>> I believe all my Spring Data Repository configuration is correct, and that is why it is working in CAS 5.3, such as the spring-data-jpa dependencies, specifying packages for @EnableJpaRepository, @EntityScan in a @Configuration class.
>>>>
>>>> Here is CAS 5.3. I can see Spring is instantiating beans for repository interfaces, but this is not happening in CAS 6.3.
>>>>
>>>> Did the wiring and bean instantiation change in CAS 6.3?
>>>>
>>>> Thanks,
>>>> Yan
>>>>
>>>> 2021-05-11 02:00:29,041 DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] - org.springframework.beans.factory.support.DefaultListableBeanFactory@66345a4f: defining beans . (some of them are the JPA Data Repository beans)

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/de63b4c5-e238-4489-a9b8-20075418eff1n%40apereo.org.
[cas-user] Re: Trouble CAS 6.3.x autowire JPA Repository Beans
Hello,

I am about to give up and stay with jdbcTemplate. I am unable to get Spring JPA Data Repository to work with the CAS 6.4 snapshot.

This is my CasWebApplication; everything about the data repository is enabled. But there is no indication in the logs that data-jpa autoConfiguration is taking place.

@SpringBootApplication(
    scanBasePackages = {"org.apereo.cas", "com.quest.cas"},
    exclude = {
        GroovyTemplateAutoConfiguration.class
    },
    proxyBeanMethods = false)
@EnableJpaRepositories(basePackages = {"com.quest.cas.prs.model"})
@EntityScan(basePackages = {"com.quest.cas.prs.model"})
@EnableConfigurationProperties(CasConfigurationProperties.class)
@EnableAsync
@EnableAspectJAutoProxy(proxyTargetClass = true)
@EnableTransactionManagement(proxyTargetClass = true)
@EnableScheduling
@NoArgsConstructor
@Slf4j
public class CasWebApplication {

There must be something preventing the Data repository from running; see below for some conditions from Spring. I think my runtime environment should allow it to run, but it does not.

@Configuration(proxyBeanMethods = false)
@ConditionalOnBean(DataSource.class)
@ConditionalOnClass(JpaRepository.class)
@ConditionalOnMissingBean({ JpaRepositoryFactoryBean.class, JpaRepositoryConfigExtension.class })
@ConditionalOnProperty(prefix = "spring.data.jpa.repositories", name = "enabled", havingValue = "true", matchIfMissing = true)
@Import(JpaRepositoriesRegistrar.class)
@AutoConfigureAfter({ HibernateJpaAutoConfiguration.class, TaskExecutionAutoConfiguration.class })
public class JpaRepositoriesAutoConfiguration {

Yan

On Wednesday, May 12, 2021 at 2:33:07 PM UTC-4 Pablo Vidaurri wrote:
> Having the same problem with the autowire of the repository annotated class. Any help would be appreciated.
>
> -psv
>
> On Tuesday, May 11, 2021 at 8:43:05 AM UTC-5 Yan Zhou wrote:
>
>> Hello,
>>
>> CAS uses Spring JdbcTemplate; it does not use Spring JPA Data Repository. I was able to easily add that in CAS 5.3, but ran into difficulty with CAS 6.3.
>>
>> The Spring JPA Data Repository allows me to define interfaces, and Spring provides beans that implement them and takes care of all the injection. In CAS 6.3, I keep getting the error NoSuchBeanDefinition; in other words, Spring did not instantiate beans for the repository interfaces as it should.
>>
>> I believe all my Spring Data Repository configuration is correct, and that is why it is working in CAS 5.3, such as the spring-data-jpa dependencies, specifying packages for @EnableJpaRepository, @EntityScan in a @Configuration class.
>>
>> Here is CAS 5.3. I can see Spring is instantiating beans for repository interfaces, but this is not happening in CAS 6.3.
>>
>> Did the wiring and bean instantiation change in CAS 6.3?
>>
>> Thanks,
>> Yan
>>
>> 2021-05-11 02:00:29,041 DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] - org.springframework.beans.factory.support.DefaultListableBeanFactory@66345a4f: defining beans . (some of them are the JPA Data Repository beans)

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c8d25643-164d-4117-8105-35d3df8f438fn%40apereo.org.
[cas-user] Trouble CAS 6.3.x autowire JPA Repository Beans
Hello,

CAS uses Spring JdbcTemplate; it does not use Spring JPA Data Repository. I was able to easily add that in CAS 5.3, but ran into difficulty with CAS 6.3.

The Spring JPA Data Repository allows me to define interfaces, and Spring provides beans that implement them and takes care of all the injection. In CAS 6.3, I keep getting the error NoSuchBeanDefinition; in other words, Spring did not instantiate beans for the repository interfaces as it should.

I believe all my Spring Data Repository configuration is correct, and that is why it is working in CAS 5.3, such as the spring-data-jpa dependencies, specifying packages for @EnableJpaRepository, @EntityScan in a @Configuration class.

Here is CAS 5.3. I can see Spring is instantiating beans for repository interfaces, but this is not happening in CAS 6.3.

Did the wiring and bean instantiation change in CAS 6.3?

Thanks,
Yan

2021-05-11 02:00:29,041 DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] -

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7af5bd78-11aa-4480-93e2-d9e38aa7a5b2n%40apereo.org.
[cas-user] Mobile OIDC without browser view
Hello,

Does CAS5.x or CAS6.x support OIDC for native mobile apps that do not use a Web View, instead using a REST API, etc.? I thought CAS would always require a webview since it needs to present the login page?

Thanks,
Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8d95507e-5dcc-4c39-af9f-7e48ade71b59n%40apereo.org.
[cas-user] CAS5 OIDC support hybrid flow?
Hi there,

CAS 5.3.x, oidc flow. It works well with the authorization code flow. Does it support the "hybrid flow", i.e., the response type is "code token" or "code id_token"? I am getting an "application not authorized to use CAS" error. Is this by design?

2021-03-07 04:40:24,173 WARN [org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController] - https://localhost:8543/cas5/oidc/authorize?client_id=demoOIDC_uri=https%3A%2F%2Foidcdebugger.com%2Fdebug=openid_type=code%20token_mode=form_post=bq50c2y1iy] no OAuth20 validator could declare support for its syntax>
2021-03-07 04:40:24,174 ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController] -

Thanks!

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0278898f-3389-46be-ae22-30be246c1484n%40apereo.org.
[cas-user] CAS 5.3.x WebUI to support login history, remote logout, etc.?
Hi there,

I am aware of the CAS dashboard UI. I am looking for a user-oriented UI that provides common security mitigations: remote logout, login history. For instance, when a user no longer has access to a device (mobile phone), he can initiate logout from another device. And he, or an admin user, can see his login history.

Is there a Web UI, either one that comes with CAS 5.3 or another project, that provides visibility into CAS and provides the following?

Thx!
Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ffbebee7-60e7-407a-a7ca-f45075d882c8n%40apereo.org.
[cas-user] CAS 5.3, OIDC redirect back to root when using bookmarks
Hello,

We noticed an issue on CAS 5.3 with OIDC. I finally realized what may be going on, but do not have a solution.

The app uses CAS for authentication via OIDC; the app redirects to the CAS login page. When people bookmark the app, the first opportunity they have is the CAS login page, whose URL usually reads like this: https://../cas/login?service=https://app.com

Next time, they use the bookmark and go straight to this URL, as opposed to letting the app redirect to CAS. This is where the problem comes with OIDC. Here is the flow when the user types the app endpoint in the browser and lets the app redirect:

GET /cas/oidc/authorize/.. (this is due to the OIDC client on the app side, the crucial first step)
GET /cas/login?service=.cas/oauth2.0/callbackAuthorize/
login page shows up, user bookmarks it, and enters credentials
POST /cas/login?service=.cas/oauth2.0/callbackAuthorize/
GET /cas5/p3/serviceValidate?ticket=
GET /cas5/oauth2.0/callbackAuthorize?client_id=
GET /cas5/oidc/authorize?client_id=

After the user logs out, closes the browser, restarts the browser and uses the saved bookmark, the flow now shows the CAS login page immediately, without going through the first endpoint, /oidc/authorize (see above). When the user logs in, they are redirected to root /, as opposed to proceeding to the /oidc/authorize endpoint. This is due to how pac4j works: it is almost like a stack pushing/popping, and we did not do anything to pop, so we default to root. The root is usually the wrong page, such as the Tomcat welcome page or the domain root. This is fairly consistently seen on IE.

Does that make sense? I think this could be happening with any bookmarked CAS login page with a service parameter, and it will be seen in OIDC client apps. Any idea to work around or fix this?

Thanks,
Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20f5f19a-c440-4e00-8af2-18a3413a6d35n%40apereo.org.
[cas-user] CAS5.3.x, OIDC, Redirect back to context root problem after login
Hello,

We are running CAS 5.3.x on Tomcat 9. One of our clients uses OIDC. Intermittently, after login, instead of getting to the app's landing page, they get redirected to the root context, which is the Tomcat page. What I noticed is at the end:

2021-01-20 23:31:49,158 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] -

If redirectUrl says /, they get redirected to the Tomcat page, which is incorrect. I turned off browser prefetch; that made no difference.

Since this is intermittent, I compared it with a good login. With a successful login, what happens after OAuth20CasCallbackUrlResolver is ProfileHelper, but with the ones being redirected to Tomcat, what happens after OAuth20CasCallbackUrlResolver is OAuth20AuthenticationServiceSelectionStrategy. Unfortunately, I do not know why the difference. Suggestions?

The following are the logs of the good login vs. the incorrect login flow. I masked the username as "username", as well as hostnames.

Thanks!
Yan

== Good Login flow, seeing App landing page after login ===
2021-01-20 23:25:35,682 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - <=== CALLBACK ===>
2021-01-20 23:25:35,683 DEBUG [org.pac4j.core.client.finder.DefaultCallbackClientFinder] -
2021-01-20 23:25:35,683 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - https://hostname.com/cas5/oauth2.0/callbackAuthorize | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@48371f3c | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@7426f632 | redirectActionBuilder: org.apereo.cas.config.CasOAuthConfiguration$$Lambda$216/1668099728@40ee12f1 | credentialsExtractor: org.pac4j.cas.credentials.extractor.TicketAndLogoutRequestExtractor@3fcefb48 | authenticator: org.pac4j.cas.credentials.authenticator.CasAuthenticator@27009c04 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@1cf616c6 | logoutActionBuilder: #CasLogoutActionBuilder# | serverLogoutUrl: nulllogout | postLogoutUrlParameter: service | | authorizationGenerators: [org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@57bea927] | configuration: #CasConfiguration# | loginUrl: https://hostname.com/cas5/login | prefixUrl: https://hostname.com/cas5/ | restUrl: https://hostname.com/cas5/v1/tickets | protocol: CAS30 | renew: false | gateway: false | encoding: UTF-8 | logoutHandler: null | acceptAnyProxy: false | allowedProxyChains: [] | proxyReceptor: null | timeTolerance: 1000 | postLogoutUrlParameter: service | defaultTicketValidator: null | urlResolver: org.apereo.cas.support.oauth.web.OAuth20CasCallbackUrlResolver@25ffc2ca | | urlResolver: org.apereo.cas.support.oauth.web.OAuth20CasCallbackUrlResolver@25ffc2ca |>
2021-01-20 23:25:35,692 DEBUG [org.pac4j.core.logout.handler.DefaultLogoutHandler] - trackableSession: org.apache.catalina.session.StandardSessionFacade@146a5284>
2021-01-20 23:25:35,693 DEBUG [org.pac4j.core.logout.handler.DefaultLogoutHandler] -
2021-01-20 23:25:35,767 DEBUG [org.apereo.cas.support.oauth.web.OAuth20CasCallbackUrlResolver] - https://hostname.com/cas5/oauth2.0/callbackAuthorize?client_id=qaw-oauth2client&redirect_uri=https%3A%2F%2Fclientapp.com%2FQawSSO%2Flogin&response_type=code]>
2021-01-20 23:25:35,868 INFO [org.pac4j.core.profile.ProfileHelper] -
2021-01-20 23:25:35,871 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] -
2021-01-20 23:25:35,871 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] -
2021-01-20 23:25:35,871 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - https://hostname.com/cas5/oidc/authorize?client_id=qaw-oauth2client&redirect_uri=https://clientapp.com/QawSSO/login&response_type=code&scope=openid%20profile%20email=eG9lVx>

== Bad Login flow, seeing Tomcat page after login ===
2021-01-20 23:31:49,079 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - <=== CALLBACK ===>
2021-01-20 23:31:49,080 DEBUG [org.pac4j.core.client.finder.DefaultCallbackClientFinder] -
2021-01-20 23:31:49,080 DEBUG [org.pac4j.core.engine.DefaultCallbackLogic] - https://hostname.com/cas5/oauth2.0/callbackAuthorize | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@48371f3c | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@7426f632 | redirectActionBuilder: org.apereo.cas.config.CasOAuthConfiguration$$Lambda$216/1668099728@40ee12f1 | credentialsExtractor: org.pac4j.cas.credentials.extractor.TicketAndLogoutRequestExtractor@3fcefb48 | authenticator: org.pac4j.cas.credentials.authenticator.CasAuthenticator@27009c04 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@1cf616c6 | logoutActionBuilder: #CasLogoutActionBuilder# | serverLogoutUrl: nulllogout | postLogoutUrlParameter: service | | authorizationGenerators: [org.pac4j.cas.authorization.DefaultCasAuthorizationGenerator@57bea927] | configuration: #CasConfiguration# | loginUrl: https://hostname.com/cas5/login | pr
Re: [cas-user] Getting 403 when POST to /cas endpoint
Hi,

Trying to implement this: people are logged into their app (which does not use CAS); they click a link in their webapp, which triggers a POST to the CAS /login endpoint with a SAML Assertion in the POST body. My CAS implementation will detect the payload and then follow a different route of validating the SAML, etc. (the CAS login page does not show up; instead, we are validating the SAML Assertion). I thought the non-interactive type of login also comes in through the /login endpoint. Because we still want it to go through service validation, TGT/ST generation, etc., it has to go through the CAS login flow.

But we noticed that such a POST made by another webapp to the /cas endpoint fails in FF and Chrome; it works in IE. CAS 5.3.x runs on Tomcat; the access logs show 403, but I do not see anything in the CAS or Tomcat logs (after turning on DEBUG). My guess is there is some kind of CSRF type of protection in CAS preventing such a POST? I placed "executionKey" in the form post; it made no difference, still 403.

How would such a non-interactive flow work? If CAS indeed has something preventing such a POST, why does IE work, and what is that?

Thanks,
Yan

On Thursday, January 21, 2021 at 7:09:35 PM UTC-5 richard.frovarp wrote:
> Why are you trying to POST to the login URL? It looks like this isn't
> the POST from the login page? What do the CAS logs say?
>
> On Thu, 2021-01-21 at 15:27 -0800, Yan Zhou wrote:
> > Hello,
> >
> > I am using CAS 5.3.X, but I think the same would apply to CAS4 or
> > CAS5.
> >
> > action="https://.MyCASEndPoint,,>/cas/login">
> >
> > In browser, when I submit this form, I get 403,
> >
> > But, when I use PostMan, it returns CAS login page.
> >
> > I do not understand why in browser (FF and Chrome), I am getting 403,
> > is that because of CSRF? I tried to put in "execution" as hidden
> > value, but that did not help).
> >
> > Why does Postman return a different result than Chrome/FF?
> >
> > Thanks,
> > Yan
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a1704227-b04a-48c0-9fbb-ce9fe7ca1ccdn%40apereo.org.
[cas-user] Getting 403 when POST to /cas endpoint
Hello,

I am using CAS 5.3.X, but I think the same would apply to CAS4 or CAS5.

https://.MyCASEndPoint,,>/cas/login">

In the browser, when I submit this form, I get 403. But when I use Postman, it returns the CAS login page.

I do not understand why in the browser (FF and Chrome) I am getting 403; is that because of CSRF? (I tried to put in "execution" as a hidden value, but that did not help.)

Why does Postman return a different result than Chrome/FF?

Thanks,
Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ed75ec30-3910-4120-b237-bc347e467147n%40apereo.org.
Re: [cas-user] CAS4/CAS5, What is in TGT and ST?
Thanks a lot for the reply.

We have customized the CAS flow and added additional flows, so upgrading means moving all this over; we are actually upgrading to CAS5 already. CAS5 does support encryption. I do not see that we need to move to CAS6 to satisfy the security requirements. CAS4 does not support encryption, so we have to use a secure channel to protect communication (since we cannot encrypt the data). Please correct me if I missed anything.

Thanks,
Yan

On Friday, November 20, 2020 at 3:47:14 PM UTC-5 Ray Bon wrote:
> Yan,
>
> That sounds right. It has been a while since I used those versions of cas.
> I know that with cas 6 there are properties for ticket encryption, and
> they have to be set.
>
> What is preventing you from upgrading?
> Is cas 5 still supported? What about the java versions and host OS, are
> they supported?
>
> This older software is the type of place where unauthorized users can gain
> access.
>
> If your management insists that data be encrypted, they should provide you
> with the resources to keep this software current.
> Upgrade and you will be able to meet the security policy requirements.
>
> Remember, cas is THE point of security to all your apps.
>
> Ray
>
> On Fri, 2020-11-20 at 12:24 -0800, Yan Zhou wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
> Hi Ray,
>
> Thanks for the info. We use both CAS4/CAS5 in production.
>
> Due to our security policy, we need to encrypt anything having user info
> (even in the backend); this means we need to encrypt the TGT in the ticket
> storage. Otherwise, someone on our network can intercept the traffic
> between CAS and the hazelcast registry and misuse the TGT coming across the
> wire. As I understand, CAS4 does NOT support encrypting the TGT; that
> capability is new in CAS5.
>
> For both CAS4/CAS5, what has been encrypted and secured is the TGC (the
> thing that is sent to the browser). But our security policy requires even the
> backend be encrypted, as long as it has user info.
>
> With CAS5, we can do that, but with CAS4, that is not possible (the only
> alternative is to use a secure channel to store/read the TGT).
>
> Sounds right?
> Yan
>
> On Thursday, November 19, 2020 at 5:22:04 PM UTC-5 Ray Bon wrote:
>
> Yan,
>
> The TGT stays on the cas server and the ticket storage system. It stores
> the user session details. The TGC is sent to the browser. It is just an
> identifier for cas to find a TGT.
> The ST is just an identifier and stores no info.
>
> See
> https://apereo.github.io/cas/6.2.x/planning/Security-Guide.html#protocol-ticket-encryption,
> for encryption options.
>
> Ray
>
> On Thu, 2020-11-19 at 14:07 -0800, Yan Zhou wrote:
>
> Hello,
>
> is there any user info being stored in the TGT and ST? I would think so; I
> see Authentication being part of the TGT.
>
> Due to some security policy, we are asked whether we need to encrypt the TGT
> and ST, because there is user auth info; it sounds like we should encrypt
> it.
>
> Does that sound right? Thanks,
> Yan
>
> --
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 <(250)%20721-8831> | CLE 019 | rb...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/77880734-9252-4c0f-8870-8a83016a031an%40apereo.org.
Re: [cas-user] CAS4/CAS5, What is in TGT and ST?
Hi Ray,

Thanks for the info. We use both CAS4/CAS5 in production.

Due to our security policy, we need to encrypt anything having user info (even in the backend); this means we need to encrypt the TGT in the ticket storage. Otherwise, someone on our network can intercept the traffic between CAS and the hazelcast registry and misuse the TGT coming across the wire. As I understand, CAS4 does NOT support encrypting the TGT; that capability is new in CAS5.

For both CAS4/CAS5, what has been encrypted and secured is the TGC (the thing that is sent to the browser). But our security policy requires even the backend be encrypted, as long as it has user info.

With CAS5, we can do that, but with CAS4, that is not possible (the only alternative is to use a secure channel to store/read the TGT).

Sounds right?
Yan

On Thursday, November 19, 2020 at 5:22:04 PM UTC-5 Ray Bon wrote:
> Yan,
>
> The TGT stays on the cas server and the ticket storage system. It stores
> the user session details. The TGC is sent to the browser. It is just an
> identifier for cas to find a TGT.
> The ST is just an identifier and stores no info.
>
> See
> https://apereo.github.io/cas/6.2.x/planning/Security-Guide.html#protocol-ticket-encryption,
> for encryption options.
>
> Ray
>
> On Thu, 2020-11-19 at 14:07 -0800, Yan Zhou wrote:
>
> Hello,
>
> is there any user info being stored in the TGT and ST? I would think so; I
> see Authentication being part of the TGT.
>
> Due to some security policy, we are asked whether we need to encrypt the TGT
> and ST, because there is user auth info; it sounds like we should encrypt
> it.
>
> Does that sound right?
> Thanks,
> Yan
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1dc2a595-f0e9-4b74-88e2-f37792d8319fn%40apereo.org.
[cas-user] CAS4/CAS5, What is in TGT and ST?
Hello,

Is there any user info being stored in the TGT and ST? I would think so; I see Authentication being part of the TGT.

Due to some security policy, we are asked whether we need to encrypt the TGT and ST. Because there is user auth info, it sounds like we should encrypt it.

Does that sound right?

Thanks,
Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f798f4f3-bdb6-4c4c-a67a-203de58c2329n%40apereo.org.
[cas-user] CAS5.3 OIDC, scopes?
Hi there,

I am having trouble understanding CAS 5.3 claim/scope mapping. My JS app uses OIDC to authenticate against CAS5; customers log in with their credentials (using the implicit grant type).

Let us say I have two custom-defined scopes: questCAS and questExtra. Anyone logged in successfully gets the claims from scope questCAS, but only selected users get claims for scope questExtra.

My understanding is this: the service definition in CAS will have both scopes (see below), and the client app will request both scopes. For user A, let us say he should get scope questExtra, so CAS will set the attribute "hashedPwd", which gets mapped to scope questExtra. For user B, let us say he should not get scope questExtra, so CAS will NOT set attribute "hashedPwd". There is no mapping, and "questExtra" as a scope is not returned. In other words, the presence or absence of attributes set by the CAS Authenticator determines whether a scope is included.

Does this sound right?

Thanks,
Yan

This is the definition in the service:
===
attributeReleasePolicy: {
  @class: org.apereo.cas.services.ReturnAllAttributeReleasePolicy   (I am returning ALL attributes)
  principalAttributesRepository: {
    .
scopes: [ java.util.HashSet [ openid profile email questCAS questExtra ] ]

This is the related section in cas.properties:
cas.authn.oidc.scopes=openid,email,profile,questCAS,questExtra
cas.authn.oidc.userDefinedScopes.questCAS=loginFromTheme,userRoles
cas.authn.oidc.userDefinedScopes.questExtra=hashedPwd
cas.authn.oidc.claims=sub,name,preferred_username,family_name, \
  given_name,middle_name,profile, \
  picture,nickname,website,zoneinfo,locale,updated_at,birthdate, \
  email,email_verified,phone_number,phone_number_verified,address, \
  loginFromTheme,userRoles,hashedPwd
cas.authn.oidc.claimsMap.loginFromTheme=loginFromTheme
cas.authn.oidc.claimsMap.userRoles=userRoles
cas.authn.oidc.claimsMap.hashedPwd=hashedPwd

This is my AuthenticationHandler code:
=
attributes.put("name", user.getFirstName() + " " + user.getLastName());
attributes.put("given_name", user.getFirstName());
attributes.put("last_name", user.getLastName());
attributes.put("sub", user.getLoginName());
attributes.put("preferred_username", user.getLoginName());
attributes.put("loginFromTheme", theme);
boolean privilegedUser = ...;
if (privilegedUser) {
    // I assume this is how I selectively populate an attribute; attributes are part of the principal.
    attributes.put("hashedPwd", user.getHashPassword());
}
return new DefaultAuthenticationHandlerExecutionResult(this,
        new BasicCredentialMetaData(credential),
        this.principalFactory.createPrincipal(user.getLoginName(), attributes));
=== END ===

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7765a727-e610-474b-96b5-257a50a6151co%40apereo.org.
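The scope/claim/attribute model the post describes, as an added illustration that is not CAS's implementation: a scope names the claims it carries, a claimsMap ties each claim to a principal attribute, and a claim is only produced when that attribute is present on the principal. The scope and claim names are copied from the post's cas.properties as constructed data; resolve_claims and lint_oidc_config are assumed names, and the choice to keep a scope granted while its claim is absent is a design choice of this illustration, not a statement about CAS.

```python
"""Scope -> claim -> attribute resolution (added example, not CAS code)."""
from __future__ import annotations

# Constructed from the post's properties; the standard scopes get a subset of
# their standard claims, which is enough for the illustration.
SCOPE_CLAIMS = {
    "openid": ["sub"],
    "profile": ["name", "given_name", "family_name", "preferred_username"],
    "email": ["email", "email_verified"],
    "questCAS": ["loginFromTheme", "userRoles"],
    "questExtra": ["hashedPwd"],
}
DECLARED_CLAIMS = {"sub", "name", "preferred_username", "family_name", "given_name",
                   "email", "email_verified", "loginFromTheme", "userRoles", "hashedPwd"}
# claim -> principal attribute, as in cas.authn.oidc.claimsMap.* (identity here).
CLAIMS_MAP = {"loginFromTheme": "loginFromTheme", "userRoles": "userRoles",
              "hashedPwd": "hashedPwd"}


def resolve_claims(service_scopes, requested_scopes, attributes,
                   scope_claims=SCOPE_CLAIMS, claims_map=CLAIMS_MAP):
    """Return (granted_scopes, claims) for one principal.

    A requested scope is granted only if the service definition allows it; a
    claim is emitted only if its mapped attribute exists on the principal.
    A claim without a claimsMap entry is looked up under its own name.
    """
    granted = [s for s in requested_scopes if s in service_scopes]
    claims = {}
    for scope in granted:
        for claim in scope_claims.get(scope, []):
            attribute = claims_map.get(claim, claim)
            if attribute in attributes:
                claims[claim] = attributes[attribute]
    return granted, claims


def lint_oidc_config(scope_claims, declared_claims, claims_map):
    """Report scope or claimsMap entries that name a claim not in the claims list.

    A claimsMap key that matches no declared claim maps nothing, so a
    misspelling there is silent; this check makes it visible.
    """
    problems = []
    for scope, claims in scope_claims.items():
        for claim in claims:
            if claim not in declared_claims:
                problems.append(f"scope {scope} references undeclared claim {claim}")
    for claim in claims_map:
        if claim not in declared_claims:
            problems.append(f"claimsMap key {claim} is not a declared claim")
    return problems


if __name__ == "__main__":
    service = {"openid", "profile", "email", "questCAS", "questExtra"}
    requested = ["openid", "questCAS", "questExtra"]
    # Constructed principals: only user A carries the questExtra attribute.
    user_a = {"sub": "usera", "loginFromTheme": "blue", "userRoles": "admin", "hashedPwd": "<hash>"}
    user_b = {"sub": "userb", "loginFromTheme": "blue", "userRoles": "user"}
    for user in (user_a, user_b):
        print(user["sub"], resolve_claims(service, requested, user))
    print(lint_oidc_config(SCOPE_CLAIMS, DECLARED_CLAIMS, {"hasedPwd": "hashedPwd"}))
```

Whatever is mapped into a claim ends up in the ID token or userinfo response that the JS client (and anything able to read it in the browser) sees, so the set of attributes released through scopes is worth reviewing with that audience in mind.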
[cas-user] Re: CAS5.3 support oidc/logout with post_logout_redirect_uri?
cas/logout does work, but it does not redirect back to the app URL. The OIDC standard uses this:

/cas/logout?id_token_hint=xx&post_logout_redirect_uri=yyy

CAS does not understand the query parameter "post_logout_redirect_uri"; it only knows "service".

Yan

On Tuesday, July 28, 2020 at 1:47:56 PM UTC-4, Yan Zhou wrote:
>
> Hi there,
>
> oidc/logout with post_logout_redirect_uri
> is part of the OIDC spec, but I do not see CAS 5.3 support that endpoint. It
> is not mentioned in the CAS OIDC documentation, either.
>
> Am I missing something?
>
> Thx!
> Yan
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f44a655d-878e-41c3-bcc0-761f9f6d1e97o%40apereo.org.
[cas-user] CAS5.3 support oidc/logout with post_logout_redirect_uri?
Hi there,

oidc/logout with post_logout_redirect_uri is part of the OIDC spec, but I do not see CAS 5.3 support that endpoint. It is not mentioned in the CAS OIDC documentation, either.

Am I missing something?

Thx!
Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c280bb59-84ff-43a5-9a6c-ca9310e6525eo%40apereo.org.
[cas-user] CAS5.3.x, oidc, how do I get additional scopes other than openid?
Hello,

I have CAS 5.3.x and OIDC working. I am setting up a client with scopes like "readUser" and "writeUser". With a valid access token, at the /introspect endpoint, I expect to see the scopes defined in the service registry, but all I see is "openid"; I am missing all the other scopes included in the service registry. What am I missing?

Thanks,
Yan

My service registry has this:
...
scopes: [ java.util.HashSet [ openid profile email writeUser readUser ] ]

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/da275145-cc8b-4563-b4cc-d3d3b69965e5o%40apereo.org.
[cas-user] CAS5.3 oidc/introspect return incorrect exp value??
Hello,

CAS 5.3.9. oidc/introspect is returning an incorrect value in the "exp" attribute. The Spring framework (and others), after calling the introspect endpoint, may consider the token invalid, because "exp" is before "iat". It seems that "exp" is the time the token expires; it should always be after "iat", not how long the token is valid for? How can I work around this? This is going to be a problem integrating with Spring.

Thanks,
Yan

OidcIntrospectionEndpointController
..
private ResponseEntity createIntrospectionResponse(final OAuthRegisteredService service, final AccessToken ticket) {
    ...
    // this is a bug: it should be set to the time the token expires, not how long the token is still valid
    introspect.setExp(ticket.getExpirationPolicy().getTimeToLive());
    introspect.setIat(ticket.getCreationTime().toInstant().getEpochSecond());

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/cbe9e2f7-ea99-45ea-8915-1f7236fe8fe6o%40apereo.org.
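The defect described above and the kind of check that trips over it, as an added example that is not CAS code: an RFC 7662 introspection response whose "exp" carries the token's time-to-live in seconds instead of the absolute expiry instant, beside the corrected form (exp = iat + TTL), and a client-side validator that rejects any response where exp is not after iat. The rebasing workaround at the end is an assumption of this illustration, not a CAS or Spring feature; function names are assumed, and the sample epoch and TTL are constructed.

```python
"""Introspection "exp" vs "iat" check (added example, not CAS code)."""
from __future__ import annotations


def build_introspection(created_epoch: int, ttl_seconds: int, *, buggy: bool = False) -> dict:
    """Return the timing-related part of an RFC 7662 introspection response.

    buggy=True reproduces the behaviour reported for CAS 5.3.9 (exp = TTL);
    buggy=False puts the absolute expiry instant, iat + TTL, in exp.
    """
    exp = ttl_seconds if buggy else created_epoch + ttl_seconds
    return {"active": True, "iat": created_epoch, "exp": exp}


def validate_introspection(resp: dict, now_epoch: int) -> tuple[bool, str]:
    """Sanity-check an introspection response before trusting the token.

    Rejects inactive tokens, an exp that is not strictly after iat (the
    symptom in the post: a TTL such as 28800 is "before" any real iat),
    and tokens already expired at now_epoch. Returns (accepted, reason).
    """
    if not resp.get("active"):
        return False, "token reported inactive"
    iat, exp = resp.get("iat"), resp.get("exp")
    if iat is None or exp is None:
        return False, "iat/exp missing"
    if exp <= iat:
        return False, f"exp ({exp}) is not after iat ({iat}): malformed response"
    if now_epoch >= exp:
        return False, "token expired"
    return True, "ok"


def rebase_ttl_exp(resp: dict) -> dict:
    """Client-side workaround (an assumption of this example, not a CAS feature).

    If exp is not after iat, treat exp as a TTL in seconds and rebase it
    onto iat; otherwise return the response unchanged. Returns a new dict.
    """
    fixed = dict(resp)
    if fixed["exp"] <= fixed["iat"]:
        fixed["exp"] = fixed["iat"] + fixed["exp"]
    return fixed


if __name__ == "__main__":
    # Constructed sample: token created at a fixed epoch, 8-hour TTL, checked 60 s later.
    created, ttl = 1_600_000_000, 8 * 3600
    now = created + 60
    bad = build_introspection(created, ttl, buggy=True)
    good = build_introspection(created, ttl)
    print("as reported:", bad, validate_introspection(bad, now))
    print("rebased    :", rebase_ttl_exp(bad), validate_introspection(rebase_ttl_exp(bad), now))
    print("correct    :", good, validate_introspection(good, now))
```

The rebasing heuristic only helps while the server keeps emitting a TTL; once the endpoint returns a real instant the condition exp <= iat never holds and the response passes through unchanged.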
[cas-user] CAS5.3.x CORS support not working?
Hi,

I want to have an Angular app authenticate against CAS 5.3.x. I set the following properties in cas.properties. When launching the app from my localhost:4200, I see this error when my Angular app tries to redirect the browser to the CAS5 login page:

Access to XMLHttpRequest at 'https:///cas5/oidc/.well-known/openid-configuration' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Am I missing something? I ended up removing these from cas.properties and configuring CORS in Tomcat 8 (my CAS5 runs in Tomcat); that works.

Yan

cas.httpWebRequest.cors.enabled=true
cas.httpWebRequest.cors.allowCredentials=true
cas.httpWebRequest.cors.allowOrigins[0]=http://localhost:4200
cas.httpWebRequest.cors.allowMethods[0]=GET,POST,HEAD,OPTIONS,PUT
cas.httpWebRequest.cors.allowHeaders[0]=Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization
cas.httpWebRequest.cors.maxAge=3600
cas.httpWebRequest.cors.exposedHeaders[0]=Access-Control-Allow-Origin,Access-Control-Allow-Credentials

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d6de43bf-be82-466f-9bbe-e373b3141f38o%40apereo.org.
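The decision behind the browser error above, as an added example that is neither CAS's nor Tomcat's CORS code: a filter compares the request's Origin header with the configured allow-list and emits Access-Control-Allow-Origin only on an exact match, so a scheme or port difference (https vs http, 4200 vs 4201) yields no header at all, which is precisely what the error message reports. The config dict is constructed from the cas.properties values in the post; cors_headers is an assumed name, and the refusal to combine a wildcard origin with credentials is a design choice of this illustration.

```python
"""CORS origin allow-list evaluation (added example, not CAS or Tomcat code)."""
from __future__ import annotations

# Constructed from the post's cas.properties values.
CORS_CONFIG = {
    "enabled": True,
    "allowCredentials": True,
    "allowOrigins": ["http://localhost:4200"],
    "allowMethods": ["GET", "POST", "HEAD", "OPTIONS", "PUT"],
    "allowHeaders": ["Content-Type", "X-Requested-With", "accept", "Origin",
                     "Access-Control-Request-Method",
                     "Access-Control-Request-Headers", "Authorization"],
    "maxAge": 3600,
    "exposedHeaders": ["Access-Control-Allow-Origin",
                       "Access-Control-Allow-Credentials"],
}


def cors_headers(config: dict, origin: str | None, request_method: str,
                 preflight: bool = False) -> dict[str, str]:
    """Return the CORS response headers for one request, or {} if none apply.

    An empty result is exactly what the post's browser error reports.
    Origins are compared as exact scheme://host[:port] strings. For a
    preflight, request_method is the value of Access-Control-Request-Method.
    """
    if not config.get("enabled") or origin is None:
        return {}
    allowed = config.get("allowOrigins", [])
    wildcard = "*" in allowed
    if wildcard and config.get("allowCredentials"):
        # Browsers refuse "*" combined with credentials. Echoing the request
        # origin instead would quietly allow any site to send cookies, so
        # this illustration treats the combination as a misconfiguration.
        return {}
    if not wildcard and origin not in allowed:
        return {}
    headers = {"Access-Control-Allow-Origin": "*" if wildcard else origin,
               "Vary": "Origin"}
    if config.get("allowCredentials"):
        headers["Access-Control-Allow-Credentials"] = "true"
    if preflight:
        methods = config.get("allowMethods", [])
        if request_method.upper() not in {m.upper() for m in methods}:
            return {}
        headers["Access-Control-Allow-Methods"] = ", ".join(methods)
        headers["Access-Control-Allow-Headers"] = ", ".join(config.get("allowHeaders", []))
        headers["Access-Control-Max-Age"] = str(config.get("maxAge", 0))
    elif config.get("exposedHeaders"):
        headers["Access-Control-Expose-Headers"] = ", ".join(config["exposedHeaders"])
    return headers


if __name__ == "__main__":
    # The discovery document fetch from the post, tried from three origins.
    for origin in ("http://localhost:4200", "https://localhost:4200", "http://localhost:4201"):
        print(origin, "->", cors_headers(CORS_CONFIG, origin, "GET") or "NO CORS HEADERS")
```

Running it shows that only the origin spelled exactly as configured receives the header; when the Angular app is served over a different scheme or port than the one in allowOrigins, the response carries no Access-Control-Allow-Origin and the browser blocks the XMLHttpRequest just as in the post.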
[cas-user] cas5 rebuild and restart for every change??
Hi there,

CAS 5.3.x overlay. It looks like we have to build it into a WAR file first, then either run it as an executable WAR or deploy it to an external container. There is also a way to run CAS as an executable WAR via Spring Boot's Maven plugin, but that requires NO change to CAS dependencies, which is not my use case (I have made a lot of changes to CAS dependencies).

Is there some way that I can do a hot swap, e.g., see a static HTML/CSS change with a refresh of the browser? Even in standalone mode, it takes several minutes for CAS 5.3 to start up.

Thanks,
Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9bb54a7c-ff43-4f95-9eba-58ec7edcfbe2%40apereo.org.
[cas-user] CAS5 Redis Labs (clustering) support
Hi there,

CAS5 supports Redis Sentinel. When seeing Redis in this group, I am assuming it is all about Redis Sentinel. Has anyone integrated CAS5 with Redis Labs (the commercial offering of Redis clustering)?

Thx!
Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/224317fd-894c-4c53-a2e4-1e77ea5c1564%40apereo.org.
[cas-user] cas5 start up time much longer, development productivity?
Hello,

I have done both CAS4 and CAS5 overlay development. CAS5 start-up seems much longer (I already set it to use embedded mode, i.e., not look for configuration from a remote server; everything is local), close to 3 minutes.

In addition, since I had to add additional dependencies in the CAS POM, I cannot simply run CAS5 at the command line without first packaging it in a WAR. This presents a problem for development, where we frequently change code and see how it works. I have to first build the WAR, then launch it from the command line; all this takes quite a few minutes.

How does this work for everyone else? When you extend CAS5 in an overlay, do you find yourself having to build the WAR, then wait for it to fully start?

Thx!
Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c4ae02be-ad45-4e97-931f-f9eb187f5fd2%40apereo.org.
[cas-user] CAS5 hazelcast registry, how to support management center monitoring?
Hello, CAS5's hazelcast module does not seem to support Hazelcast Management Center. The properties do not include a URL for mancenter, etc. How do I extend CAS hazelcast support so that I can set additional properties under the hazelcast Config class?

Thx!
Yan
[cas-user] CAS4 and CAS5 webflow encryption key size, 12 or 16 bytes?
Hello, Documentation in CAS4/CAS5 both say it requires size 16 for the webflow encryption key. However, for CAS4, it is 16 after base64 encoding, which means the key itself is 12 bytes, correct? This seems to be corrected in CAS5, which uses size 16 before base64 encoding, which is 24 afterwards. See below for a generated key from CAS4.

Cas4:

    Generated encryption key jLDwMdhnKGlETWoy of size 16.

Is this correct?

Thx!
Yan
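To make the size arithmetic concrete, here is an added Java check (not CAS code) that decodes the key string quoted from the CAS4 log line above, reports how many raw bytes it carries, and generates a key that does hold 16 raw bytes; it shows that 16 base64 characters yield only 12 bytes (96 bits), while 16 raw bytes encode to 24 characters. The 16-byte expectation is the AES-128 key length and is assumed here as the intended size.

```java
import java.security.SecureRandom;
import java.util.Base64;

/** Checks how much raw key material a base64-encoded webflow key really carries. */
public final class WebflowKeyCheck {

    /** Raw bytes expected for a 128-bit AES webflow encryption key (assumed target size). */
    static final int EXPECTED_RAW_BYTES = 16;

    /** Number of base64 characters (with padding) produced by rawBytes bytes. */
    static int base64Length(int rawBytes) {
        return 4 * ((rawBytes + 2) / 3);
    }

    /** Decodes a configured key string and returns its raw length in bytes. */
    static int rawKeyBytes(String configuredKey) {
        // Accept both the standard and the URL-safe alphabet so either form of
        // configured key can be checked; the alphabet is picked from the content.
        boolean urlSafe = configuredKey.indexOf('-') >= 0 || configuredKey.indexOf('_') >= 0;
        Base64.Decoder decoder = urlSafe ? Base64.getUrlDecoder() : Base64.getDecoder();
        return decoder.decode(configuredKey).length;
    }

    /** True when the configured key holds the full 16 bytes after decoding. */
    static boolean hasFullKeyMaterial(String configuredKey) {
        return rawKeyBytes(configuredKey) == EXPECTED_RAW_BYTES;
    }

    /** Generates rawBytes of random key material and returns it base64-encoded. */
    static String generateKey(int rawBytes) {
        byte[] key = new byte[rawBytes];
        new SecureRandom().nextBytes(key);
        return Base64.getEncoder().encodeToString(key);
    }

    public static void main(String[] args) {
        // Key string quoted from the CAS4 log line in the post above.
        String cas4Key = "jLDwMdhnKGlETWoy";
        System.out.printf("%s: %d base64 chars, %d raw bytes, full material: %b%n",
                cas4Key, cas4Key.length(), rawKeyBytes(cas4Key), hasFullKeyMaterial(cas4Key));

        // How long a 16-raw-byte key becomes once base64-encoded.
        System.out.printf("%d raw bytes encode to %d base64 chars%n",
                EXPECTED_RAW_BYTES, base64Length(EXPECTED_RAW_BYTES));

        // A freshly generated key of the expected raw size, for comparison.
        String fresh = generateKey(EXPECTED_RAW_BYTES);
        System.out.printf("%s: %d base64 chars, %d raw bytes, full material: %b%n",
                fresh, fresh.length(), rawKeyBytes(fresh), hasFullKeyMaterial(fresh));
    }
}
```

Run the same check against the key actually present in cas.properties to see whether it carries 12 or 16 bytes of material, regardless of what the generator logged as its "size".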
[cas-user] CAS4, how to modify hazelcast-integration jar with XML change?
Hi, CAS 4.1.9, I need to modify hazelcast-ticket-registry.xml under the cas-server-integration-hazelcast jar, to add the following section. How would I do that?

    http://localhost:8080/hazelcast-mancenter}"/>

Thx!
Yan
[cas-user] Inquiring CAS commercial support
Hi, We use CAS 4.1.9 and CAS 5.3. It has been running well in PROD. We are in the health-care industry and would like to look into commercial CAS support.

One of my biggest unknowns and fears is gaining visibility into the CAS ticket registry, hazelcast. If some PROD users cannot log in, it seems that usually this is because the ticket validation failed. It seems difficult gaining visibility into troubleshooting that in PROD traffic. I am not sure whether I would be better off getting Hazelcast commercial support or CAS commercial support.

I looked up the CAS documentation; the membership fee is for academic organizations, so we do not qualify. With the list of commercial organizations providing CAS support, does anyone have experience with any of them?

Thx!
Yan
[cas-user] CAS4, how to use ServiceValidateController.onSuccessfulValidation()
Hello, CAS 4.1.x, I wish to implement onSuccessfulValidation() when /serviceValidate is successful. How do I do this? See the documentation below.

    /**
     * Triggered on successful validation events. Extensions are to
     * use this as hook to plug in behavior.
     *
     * @param serviceTicketId the service ticket id
     * @param assertion the assertion
     */
    protected void onSuccessfulValidation(final String serviceTicketId, final Assertion assertion) {
        // template method with nothing to do.
    }

Thx!
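One way to use that hook, as an added example rather than CAS's own code: subclass the controller in the overlay and fill in the template method, here to write an audit line for every successful validation. The package name is hypothetical, and the `getPrimaryAuthentication()`, `getPrincipal()` and `getService()` accessors are assumed from the 4.1.x validation API.

```java
package org.example.cas.web; // hypothetical overlay package

import org.jasig.cas.validation.Assertion;
import org.jasig.cas.web.ServiceValidateController;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Subclass of the stock controller that fills in the empty template
 * method quoted above, emitting one audit line per successful
 * /serviceValidate. It replaces ServiceValidateController in the
 * controller bean definition; no other behaviour changes.
 */
public class AuditingServiceValidateController extends ServiceValidateController {

    private static final Logger LOGGER =
            LoggerFactory.getLogger(AuditingServiceValidateController.class);

    @Override
    protected void onSuccessfulValidation(final String serviceTicketId, final Assertion assertion) {
        // Assertion.getPrimaryAuthentication() and getService() are assumed
        // from the 4.1.x validation API; adjust if your version differs.
        final String principal = assertion.getPrimaryAuthentication().getPrincipal().getId();
        final String service = assertion.getService().getId();

        // Log only a prefix of the ticket id: enough to correlate with the
        // line that granted the ticket without copying the whole identifier.
        final String ticketPrefix =
                serviceTicketId.substring(0, Math.min(8, serviceTicketId.length()));

        LOGGER.info("Validated service ticket [{}...] for principal [{}] to service [{}]",
                ticketPrefix, principal, service);
    }
}
```

In the overlay, redefine the service-validate controller bean in cas-servlet.xml (bean id `serviceValidateController` in the stock 4.1.x layout, assumed here) with this class while keeping its existing property wiring.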
[cas-user] Re: CAS return password in encrypted format so that App can still work when CAS is unavailable?
Thanks for the reply. What we might consider is a stripped-down version of a very simple authentication API for when CAS is down; the app will call it, just so customers can still get some work done. We will not support SSO with that stripped-down version. There is no write operation on this API, either, just validating credentials, so that some users can get the most basic work done in the application, even when CAS is down.

One option is to build a separate service that validates user credentials (like the CAS REST API does, but does not use CAS infrastructure at all), and let each application call it when CAS is unavailable. Having said that, there is additional work on the app side to do this, very little CAS work. Well, if the app wants to do it, I cannot force them not to.

Question: what is the danger of returning the encrypted password as an attribute in the /serviceValidate call to the app?

Yan

On Wednesday, August 21, 2019 at 2:39:54 AM UTC-4, jm wrote:
> In this case, I suggest you use another authentication method rather than still rely on the CAS protocol. I was asked to design a plan B for this incident the other day, but the plan is still not ready until now.
>
> It is hard to make a balance between user experience and security. In my opinion, plan B should be some kind of challenge authentication. When CAS is down, and you happen to find it was down when you try to authenticate the user, you just show a challenge authentication page to the user (or just a username/password form).
>
> It is easy to do so in a normal website, but in my case most of our clients are SPAs. In a classic web application, we can provide a single SDK (i.e. a filter for Java Spring applications) to make it easier for website developers to make use of both CAS and challenge authentication. But in the SPA scenario, we have to care about both front-end and backend, which is difficult.
>
> Or you just build another service, which mocks the CAS protocol APIs, and when the CAS server is down, just turn to the mock server, but I doubt whether it can ensure security or not.
>
> On Wednesday, August 21, 2019 at 4:51:40 AM UTC+8, Yan Zhou wrote:
>> Hello,
>>
>> Our organization wants to make sure customers can still use their apps, in the event that CAS is down or unavailable (even though we have HA, etc.).
>>
>> The idea is to have CAS return the password in encrypted format to some apps that are critical. When CAS is down, the app can authenticate using the encrypted password themselves. SSO does not need to work during that time.
>>
>> That smells bad, but I know technically this can be easily done and that is what we have been asked to do.
>>
>> What do you suggest?
>>
>> Yan
[cas-user] CAS return password in encrypted format so that App can still work when CAS is unavailable?
Hello, Our organization wants to make sure customers can still use their apps, in the event that CAS is down or unavailable (even though we have HA, etc.).

The idea is to have CAS return the password in encrypted format to some apps that are critical. When CAS is down, the app can authenticate using the encrypted password themselves. SSO does not need to work during that time.

That smells bad, but I know technically this can be easily done and that is what we have been asked to do.

What do you suggest?

Yan
[cas-user] CAS 4.1.x, how to override class in cas-server-core?
Hello, CAS 4.1.x, I want to override org.jasig.cas.authentication.UsernamePasswordCredential so that I can customize the validation logic. This class is part of the cas-server-core jar. If I simply recreate this class in my overlay, I end up with two classes, one in WEB-INF/classes and the other in WEB-INF/lib/cas-server-core.jar. On Tomcat 8, it is the one in cas-server-core.jar that is loaded, so that does not work for me.

If I create a derived class extending org.jasig.cas.authentication.UsernamePasswordCredential, it is a bit odd, because the data fields username and password are private members. Any idea?

Thx!
Yan
[cas-user] CAS5, openid connect logout?
Hello, CAS 5.3.x, one client uses the CAS protocol and the other uses OpenID Connect. Both clients are SSO. The OpenID Connect client does not want to call /cas/logout, because they prefer an OpenID Connect approach. Does CAS provide logout for OpenID Connect clients? I do not see it; implementing the spec for that seems non-trivial on my end.

Thx!
Yan
Re: [cas-user] CAS5, Hazelcast clustering question?
Hi, I am saying, in order for a Hazelcast instance to auto-join the cluster, it seems that the property file must specify the same port#. So, the first instance running takes 5701, and the 2nd instance tries to bind 5701; it cannot, so it goes to 5702. This process tells the two instances that they are two members of the same cluster.

If I specify two different ports 5701 and 5702 for the two instances to begin with, the two instances are still binding to 5701 and 5702 respectively, but they are not in the same cluster; there would be two Hazelcast clusters (each with only one member in it). I see that in the "Members" log output. Do I have that right?

That seems to be our problem, because we have a ticket from one instance that cannot be validated in the other instance. My correction is Not to specify different port# in cas.properties.

Thx!

On Thursday, July 11, 2019 at 11:45:02 AM UTC-4, rbon wrote:
> Yan,
>
> Do you mean they both try to come up with 5701 or the second one complains the port is already taken?
>
> Perhaps hazelcast tries to grab a selection of ports. Maybe set one to 4701.
>
> Ray
>
> On Thu, 2019-07-11 at 07:26 -0700, Yan Zhou wrote:
> Hello,
>
> CAS 5.3.x, using Hazelcast for ticket registry. Two CAS instances on the same server A.
>
> I was trying to avoid port conflict in cas.properties, so, one instance's cas.properties looks like this:
>
> cas.ticket.registry.hazelcast.cluster.members=A
> cas.ticket.registry.hazelcast.cluster.instanceName=A
> cas.ticket.registry.hazelcast.cluster.port=5701
>
> the other one looks like this (note the port# difference):
>
> cas.ticket.registry.hazelcast.cluster.members=A
> cas.ticket.registry.hazelcast.cluster.instanceName=A
> cas.ticket.registry.hazelcast.cluster.port=5703
>
> Would these two hazelcast instances form a cluster? My experiment says they do not, as shown in the "Members" output seen in the log.
>
> Obviously, both hazelcast instances cannot bind on port 5701 at the same time; is the right way to specify cluster members to use the SAME port and let the Hazelcast auto-increment feature take place? In other words, cas.properties on both instances should read like this:
>
> cas.ticket.registry.hazelcast.cluster.members=A
> cas.ticket.registry.hazelcast.cluster.instanceName=A
> #
> ## or simply comment this line out
> #
> cas.ticket.registry.hazelcast.cluster.port=5701
>
> Thx!
> Yan
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
[cas-user] CAS5, Hazelcast clustering question?
Hello, CAS 5.3.x, using Hazelcast for ticket registry. Two CAS instances on the same server A.

I was trying to avoid port conflict in cas.properties, so, one instance's cas.properties looks like this:

    cas.ticket.registry.hazelcast.cluster.members=A
    cas.ticket.registry.hazelcast.cluster.instanceName=A
    cas.ticket.registry.hazelcast.cluster.port=5701

the other one looks like this (note the port# difference):

    cas.ticket.registry.hazelcast.cluster.members=A
    cas.ticket.registry.hazelcast.cluster.instanceName=A
    cas.ticket.registry.hazelcast.cluster.port=5703

Would these two hazelcast instances form a cluster? My experiment says they do not, as shown in the "Members" output seen in the log.

Obviously, both hazelcast instances cannot bind on port 5701 at the same time; is the right way to specify cluster members to use the SAME port and let the Hazelcast auto-increment feature take place? In other words, cas.properties on both instances should read like this:

    cas.ticket.registry.hazelcast.cluster.members=A
    cas.ticket.registry.hazelcast.cluster.instanceName=A
    #
    ## or simply comment this line out
    #
    cas.ticket.registry.hazelcast.cluster.port=5701

Thx!
Yan
Re: [cas-user] CAS5 Protocol diagram with OpenID Connect and CAS protocol mixed clients
Yes, I know TGC, and it is in the cookie. How do two clients (native mobile apps) using OpenID Connect talk to CAS, and achieve SSO? Where is the TGC stored? There is no cookie in native apps. In other words, when the user is authenticated in CAS via the first client, and he goes to the 2nd client app, what does the protocol look like such that SSO is achieved?

Yan

On Thursday, May 2, 2019 at 6:54:48 PM UTC-4, rbon wrote:
> Yan,
>
> CAS creates a TGC (ticket granting cookie) that it uses to look up the SSO session. It is (typically) not available to the client application.
>
> Ray
>
> On Thu, 2019-05-02 at 15:38 -0700, Yan Zhou wrote:
> Hello,
>
> CAS has a nice diagram that explains the CAS protocol, how it achieves SSO, by using a cookie.
>
> With CAS5, I can achieve SSO with two clients, one speaking the CAS protocol, the other speaking OpenID Connect.
>
> How did CAS do that, is that by the use of a cookie as well? I do not think OpenID Connect itself uses a cookie. Any idea?
>
> Similarly, if two clients both speak OpenID Connect, is cookie support still required for CAS to support SSO between them?
>
> Thx!
> Yan
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca