Re: [cas-user] log4j vulnerability remediation

2021-12-14 Thread Robert Oschwald
We had the same problem and we did the following:

1. Overwrite BOM defined version in gradle.properties

    # BOM overwritten versions
    # CVE-2021-44228 critical fix in 2.15.0.
    # 2.16.0 further secures.
    # See https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4
    log4j2.version=2.16.0

2.

Re: [cas-user] log4j2 vulnerability

2021-12-12 Thread Robert Oschwald
in Apache Tomcat. There will be more that are found. Update Log4j or put the environment variable in.

From: cas-user@apereo.org on behalf of Robert Oschwald
Sent: Saturday, December 11, 2021 09:24
To: cas-user@apereo.org
Subject: Re: [cas-user] log4j2 vulnerability

Re: [cas-user] log4j2 vulnerability

2021-12-11 Thread Robert Oschwald
Jdk 1.8 192 or newer or jdk11 11.0.2 or newer are not affected it seems, as JNDI lookups are disabled there by default.

https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228

Sent while mobile.

> Am 11.12.2021 um 13:44 schrieb

Re: [cas-user] Sample Java Web Application to test the login

2019-11-05 Thread Robert Oschwald
https://www.baeldung.com/spring-security-cas-sso

Sent while mobile.

> On 06.11.2019 at 08:37, Steve Cheung wrote:
>
> Hi all,
>
> I have set up and run an overlay cas war 6.2.0 in my local environment with
> simple configuration.
>
> The next step I would like to set up a sample web

Re: [cas-user] CAS 5.3, where is LOGGER defined with @Slf4j?

2018-10-08 Thread Robert Oschwald
https://github.com/apereo/cas/blob/5.3.x/lombok.config

> On 08.10.2018 at 16:53, Robert Oschwald wrote:
>
> https://projectlombok.org/features/log

Re: [cas-user] CAS 5.3, where is LOGGER defined with @Slf4j?

2018-10-08 Thread Robert Oschwald
https://projectlombok.org/features/log
See lombok.config file
You need this file in your overlay project.

> On 08.10.2018 at 16:32, Yan Zhou wrote:
>
> Hello,
>
> Looking at CAS 5.3 source code, I need to customize action class, so I
> create a

Re: [cas-user] Creating custom JDBC authentication handler!

2017-12-21 Thread Robert Oschwald
You can introduce your own config keys in cas.properties and define your own Config bean. Access the properties with the @Value annotation in the config bean like so:

    @Configuration("myCustomApplicationConfiguration")
    @EnableConfigurationProperties(CasConfigurationProperties.class)

Re: [cas-user] CAS 5.2.0 How to configure cas in that way so that it listen to HTTP?

2017-12-13 Thread Robert Oschwald
I strongly recommend not using the approach you are trying to configure. The connection between the LB and CAS Servers should be encrypted as well.

> On 14.12.2017 at 08:13, casuser wrote:
>
> Thank you Cristina,
>
> Actually what I meant was let's say https://example.com

Re: [cas-user] Re: Creating custom JDBC authentication handler!

2017-12-11 Thread Robert Oschwald
By default, CAS scans only the org.apereo.cas.config package, so your config bean is not picked up. You can either move the config bean to the org.apereo.cas.config package, or register your Config bean. See https://apereo.github.io/2017/02/21/cas-autocfg-strategy/

Re: [cas-user] How ticket cleanup works in clustered CAS environment

2017-07-26 Thread Robert Oschwald
Of course you can add tickets while the cleaner is running, assuming you properly configured the cas.ticket.registry.jpa.dialect property (e.g. using org.hibernate.dialect.MySQL5InnoDBDialect).

> On 26.07.2017 at 13:52, shruti halgekar wrote:
>
> Thank you for your

Re: [cas-user] CAS 5.0.5 how to release attributes with Protocol V 2.0

2017-05-15 Thread Robert Oschwald
You do not need to customize CasServiceValidationSuccess.html, if you just want to release attributes the same way as p3. For 5.0.5, you currently need to do the following things:

1. Overwrite the serviceValidateController bean definition, and wire in the cas3ServiceSuccessView, like so:

    @Bean

Re: [cas-user] Redirect to arbitrary URL after logout

2016-06-30 Thread Robert Oschwald
https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

How to prevent that:
- Register the redirect URL as a service
- Check the redirect URL if the domain name is contained in any registered service (that's a custom extension you have to build on your own)
- Separate

[cas-user] Re: 4.1.2: JpaTicketRegistry: No transactional EntityManager available

2015-12-01 Thread Robert Oschwald
As I use the JPA Ticket Registry and the JPA Service Registry in my CAS 4.1.2 Server, I assume I need to use the same transactionManager for TicketRegistry and ServiceRegistry. Therefore I set in the CAS-Server deployerConfigContext: and in the CAS-Server ticketRegistry.xml I added the

Re: [cas-user] 4.1.2: JpaTicketRegistry: No transactional EntityManager available

2015-12-01 Thread Robert Oschwald
schrieb Misagh Moayyed <mmoay...@unicon.net>:
>
> No you should not have to use the same transaction manager.
>
> - Misagh
>
>> On Dec 1, 2015, at 8:00 AM, Robert Oschwald <robertoschw...@gmail.com> wrote:
>>
>> As I use the JPA Ticket Registry