[cas-user] Re: CAS 6.4

2021-12-12 Thread Jeffrey Ramsay
Can anyone help me resolve this?

2021-12-12 09:11:49,787 ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] -

java.lang.NoClassDefFoundError: org/bouncycastle/asn1/DERObjectIdentifier
    at java.lang.Class.forName0(Native Method) ~[?:?]
    at java.lang.Class.forName(Class.java:315) ~[?:?]
    at net.jradius.client.RadiusClient.registerAuthenticator(RadiusClient.java:189) ~[jradius-core-1.1.5.jar:?]
    at net.jradius.client.RadiusClient.<init>(RadiusClient.java:82) ~[jradius-core-1.1.5.jar:?]
    at org.apereo.cas.adaptors.radius.RadiusClientFactory.newInstance(RadiusClientFactory.java:69) ~[cas-server-support-radius-core-6.4.4.jar:6.4.4]
    at org.apereo.cas.adaptors.radius.server.AbstractRadiusServer.authenticate(AbstractRadiusServer.java:111) ~[cas-server-support-radius-core-6.4.4.jar:6.4.4]
    at org.apereo.cas.adaptors.radius.RadiusServer.authenticate(RadiusServer.java:39) ~[cas-server-support-radius-core-6.4.4.jar:6.4.4]
    at org.apereo.cas.adaptors.radius.authentication.RadiusMultifactorAuthenticationProvider.canPing(RadiusMultifactorAuthenticationProvider.java:59) ~[cas-server-support-radius-core-mfa-6.4.4.jar:6.4.4]
    at org.apereo.cas.adaptors.radius.authentication.RadiusMultifactorAuthenticationProvider.isAvailable(RadiusMultifactorAuthenticationProvider.java:40) ~[cas-server-support-radius-core-mfa-6.4.4.jar:6.4.4]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282) ~[spring-core-5.3.9.jar:5.3.9]
    at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:485) ~[spring-cloud-context-3.0.3.jar:3.0.3]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.9.jar:5.3.9]
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:215) ~[spring-aop-5.3.9.jar:5.3.9]
    at com.sun.proxy.$Proxy357.isAvailable(Unknown Source) ~[?:?]
    at org.apereo.cas.web.flow.actions.MultifactorAuthenticationAvailableAction.doExecute(MultifactorAuthenticationAvailableAction.java:21) ~[cas-server-core-webflow-mfa-api-6.4.4.jar:6.4.4]
    at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]

Thanks,
-Jeff

On Sat, Dec 11, 2021 at 11:30 AM Jeffrey Ramsay wrote:

> I added some additional repositories and that solved the problem.
>
> maven {
>     url "https://maven.repository.redhat.com/ga/"
> }
> maven {
>     url "https://repo1.maven.org/maven2/"
> }
>
> -Jeff
>
> On Sat, Dec 11, 2021 at 10:54 AM Jeffrey Ramsay wrote:
>
>> Hello -
>>
>> I need some help to resolve the following in a new build. The problem is
>> only occurring when I try to add support for the "implementation
>> "org.apereo.cas:cas-server-support-radius-mfa"" module. What do I need to
>> do to add the missing library?
>>
>> Execution failed for task ':bootWarMainClassName'.
>> > Could not resolve all files for configuration ':runtimeClasspath'.
>>    > Could not find gnu-getopt:getopt:1.0.13.
>>      Required by:
>>          project : > org.apereo.cas:cas-server-support-radius-core:6.4.4 > net.jradius:jradius-apps:1.1.5
>>
>> ---
>>
>> My current setup ...
>>
>> build.gradle:
>> -
>> dependencies {
>>     /**
>>      * CAS dependencies and modules may be listed here.
>>      *
>>      * There is no need to specify the version number for each dependency
>>      * since versions are all resolved and controlled by the dependency management
>>      * plugin via the CAS bom.
>>      **/
>>
>>     implementation "org.apereo.cas:cas-server-core-api-configuration-model"
>>     implementation "org.apereo.cas:cas-server-webapp-init"
>>
>>     implementation "org.apereo.cas:cas-server-support-jdbc"
>>     implementation "org.apereo.cas:cas-server-support-jdbc-drivers"
>>     implementation "org.apereo.cas:cas-server-support-ldap"
>>     implementation "org.apereo.cas:cas-server-support-saml"
>>     implementation "org.apereo.cas:cas-server-support-saml-idp"
>>     implementation "org.apereo.cas:cas-server-support-jpa-service-registry"
>> 

Re: [cas-user] log4j2 vulnerability

2021-12-12 Thread Robert Oschwald
Thanks for clarification.

Sent while mobile

From: 'Richard Frovarp' via CAS Community
Sent: Sunday, December 12, 2021 6:10:15 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] log4j2 vulnerability

Newer versions of the JDK are still affected. The newer JDK versions stop JNDI 
from running remote code, they don't stop JNDI lookup. An attacker can still 
exfil data through the DNS lookup. Also, there are other paths to exploit with 
this attack. It was first found via JNDI LDAP to execute remote code. There is 
now a known path using classes present in Apache Tomcat. There will be more 
that are found. Update Log4j or put the environment variable in.

From: cas-user@apereo.org on behalf of Robert Oschwald

Sent: Saturday, December 11, 2021 09:24
To: cas-user@apereo.org 
Subject: Re: [cas-user] log4j2 vulnerability

Jdk 1.8 192 or newer or jdk11 11.0.2 or newer are not affected it seems, as 
JNDI lookups are disabled there by default.

https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228



Sent while mobile.

On 11.12.2021 at 13:44, Anders Collstrup wrote:


My fix was the following:

CAS 6.1 running on Debian 10. All except CAS installed from standard repos.

Created this file:
/usr/share/tomcat9/bin/setenv.sh

containing:
JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=True"

After restart of Tomcat I could see the following in the log:
10-Dec-2021 18:49:18.681 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dlog4j2.formatMsgNoLookups=True

On Fri, Dec 10, 2021 at 7:37 PM Manuel Cones <manuelco...@gmail.com> wrote:
Hello, due to the recently discovered log4j2 vulnerability, what's the way to 
mitigate it?


Should I add log4j2.formatMsgNoLookups=true to the cas.properties file?

Thanks in Advance,
Manuel.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ae1c7b48-1c3e-4c3c-b762-f5a8e5794df9n%40apereo.org.


Re: [cas-user] log4j2 vulnerability

2021-12-12 Thread 'Richard Frovarp' via CAS Community
Newer versions of the JDK are still affected. The newer JDK versions stop JNDI 
from running remote code, they don't stop JNDI lookup. An attacker can still 
exfil data through the DNS lookup. Also, there are other paths to exploit with 
this attack. It was first found via JNDI LDAP to execute remote code. There is 
now a known path using classes present in Apache Tomcat. There will be more 
that are found. Update Log4j or put the environment variable in.

From: cas-user@apereo.org on behalf of Robert Oschwald

Sent: Saturday, December 11, 2021 09:24
To: cas-user@apereo.org 
Subject: Re: [cas-user] log4j2 vulnerability

Jdk 1.8 192 or newer or jdk11 11.0.2 or newer are not affected it seems, as 
JNDI lookups are disabled there by default.

https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228



Sent while mobile.

On 11.12.2021 at 13:44, Anders Collstrup wrote:


My fix was the following:

CAS 6.1 running on Debian 10. All except CAS installed from standard repos.

Created this file:
/usr/share/tomcat9/bin/setenv.sh

containing:
JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=True"

After restart of Tomcat I could see the following in the log:
10-Dec-2021 18:49:18.681 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dlog4j2.formatMsgNoLookups=True

On Fri, Dec 10, 2021 at 7:37 PM Manuel Cones <manuelco...@gmail.com> wrote:
Hello, due to the recently discovered log4j2 vulnerability, what's the way to 
mitigate it?


Should I add log4j2.formatMsgNoLookups=true to the cas.properties file?

Thanks in Advance,
Manuel.

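
Added example, not written by anyone in the thread: a shell check for the setenv.sh mitigation described above. It confirms from the Tomcat log that the most recent startup actually carried -Dlog4j2.formatMsgNoLookups=true, and reports whether a setenv.sh assignment replaces JAVA_OPTS or extends it. The function names, the sample log and the startup-banner marker are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names are made up here, not taken from the thread.

# Report whether the LAST Tomcat startup in a catalina log had the flag.
# Assumption: each startup begins with VersionLoggerListener's
# "Server version" banner line, followed by one
# "Command line argument: <arg>" line per JVM argument.
last_startup_status() {
    awk '
        /VersionLoggerListener\.log Server version/ { seen = 0 }
        tolower($0) ~ /command line argument: *-dlog4j2\.formatmsgnolookups=true([^a-z]|$)/ { seen = 1 }
        END { print (seen ? "mitigated" : "unmitigated") }
    ' "$1"
}

# Audit a setenv.sh: "missing" if no JAVA_OPTS/CATALINA_OPTS assignment
# carries the flag, "overwrites" if the assignment discards options set
# earlier, "appends" if it keeps them.
audit_setenv() {
    audit_line=$(grep -Ei '^[[:space:]]*(export[[:space:]]+)?(JAVA|CATALINA)_OPTS=.*-Dlog4j2\.formatMsgNoLookups=true' "$1" | tail -n 1)
    [ -n "$audit_line" ] || { echo "missing"; return 0; }
    case $audit_line in
        *'$JAVA_OPTS'*|*'${JAVA_OPTS}'*|*'$CATALINA_OPTS'*|*'${CATALINA_OPTS}'*) echo "appends" ;;
        *) echo "overwrites" ;;
    esac
}

# Constructed sample data: two startups, the flag is lost on the second.
demo_dir=$(mktemp -d)
cat > "$demo_dir/catalina.log" <<'EOF'
10-Dec-2021 18:49:18.601 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat/9.0.x
10-Dec-2021 18:49:18.681 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dlog4j2.formatMsgNoLookups=True
12-Dec-2021 08:00:01.100 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat/9.0.x
12-Dec-2021 08:00:01.180 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.awt.headless=true
EOF
# The assignment as posted in the thread, and an appending variant.
printf 'JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=True"\n' > "$demo_dir/setenv_thread.sh"
printf 'JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"\n' > "$demo_dir/setenv_append.sh"

last_startup_status "$demo_dir/catalina.log"
audit_setenv "$demo_dir/setenv_thread.sh"
audit_setenv "$demo_dir/setenv_append.sh"
```

A setenv.sh assignment that does not reference the existing $JAVA_OPTS replaces whatever options were set before the file was sourced, which is why the audit distinguishes the two forms.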


[cas-user] cas interrupt question

2021-12-12 Thread Nathan Lewan
I have been using the cas interrupt REST feature for a while now, utilizing 
a nodejs api that was created to take in these interrupt requests and make 
decisions about what to do from there.

I have this interesting thing that happens where the interrupt always gets 
called twice, and without going too in depth in this first post, I was 
wondering if anyone has seen anything similar.

I DO have a round-robin load balanced CAS deployment, with two servers, 
using hazelcast for ticketing sync, and rsync to sync the json service 
definitions. I am on 6.1.4.

The nodejs api is running locally on each CAS server, and each CAS server 
sends its interrupts to the nodejs api located on its own CAS server via 
https://localhost:.

My initial thoughts were that it may have to do with the load balancing, 
but the interesting thing is, if CAS server1 gets hit, then nodejs 
localhost1 gets hit twice. If CAS server2 gets hit, nodejs localhost2 gets 
hit twice. Sometimes if one CAS server gets hit, the OTHER CAS server 
nodejs logs twice.

This could certainly be something on my end with the API. Just fishing to 
see if anyone has anything similar happening.

thanks for everything you all do in this community!


