RE: [cas-user] upgrading cas from 4.2.x to 5.0.x and getting Logging config file location '-Djava.util.logging.config.file' not found error

2016-11-15 Thread Misagh Moayyed
Guess: start using file: in front of the path and try to avoid using 
backslashes. They have cost humanity many lives.



--Misagh



From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of satnam
Sent: Tuesday, November 15, 2016 3:30 PM
To: CAS Community 
Subject: [cas-user] upgrading cas from 4.2.x to 5.0.x and getting Logging 
config file location '-Djava.util.logging.config.file' not found error



Hello,

We are trying to upgrade CAS from 4.2.x to 5.0.x and are getting an error that 
-Djava.util.logging.config.file=C:\Projects\PASS5\trunk\test\apache-tomcat\cat_base\conf\logging.properties 
file not found. The logging.properties file does exist at that location. Is 
there something we need to include?



2016-11-15 14:21:40,329 WARN [org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration] -

Caused by: java.lang.RuntimeException: java.io.FileNotFoundException: ServletContext resource [/-Djava.util.logging.config.file="C:/Projects/PASS5/trunk/test/apache-tomcat/cat_base/conf/logging.properties"] cannot be resolved to URL because it does not exist
at com.google.common.base.Throwables.propagate(Throwables.java:160)
at org.apereo.cas.web.report.LoggingConfigController.initialize(LoggingConfigController.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleElement.invoke(InitDestroyAnnotationBeanPostProcessor.java:365)
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(InitDestroyAnnotationBeanPostProcessor.java:310)
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:133)
... 45 more
Caused by: java.io.FileNotFoundException: ServletContext resource [/-Djava.util.logging.config.file="C:/Projects/PASS5/trunk/test/apache-tomcat/cat_base/conf/logging.properties"] cannot be resolved to URL because it does not exist
at org.springframework.web.context.support.ServletContextResource.getURL(ServletContextResource.java:156)
at org.springframework.core.io.AbstractResource.getURI(AbstractResource.java:99)
at org.apereo.cas.web.report.LoggingConfigController.initialize(LoggingConfigController.java:81)


Thanks for help

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: 
https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups 
"CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an 
email to cas-user+unsubscr...@apereo.org 
 .
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/630d656c-26ed-4398-8e24-fd4ca16ac653%40apereo.org


Re: [cas-user] Re: CAS and OAuth interoperability

2016-11-15 Thread Lewis Henderson
Probably the cleanest way of doing this is to create RunAsManagers. One to 
convert an OAuth2Authentication to a CasAuthenticationToken and one to do 
the opposite.

Does anyone think that this is the correct method? 

On Tuesday, 15 November 2016 16:11:02 UTC, Dmitriy Kopylenko wrote:
>
> That would probably be a question for Jérôme
>
> D.
>
>
> From: Lewis Henderson  
> Reply: cas-...@apereo.org   
> Date: November 15, 2016 at 10:04:13 AM
> To: CAS Community  
> Cc: lewis.h...@cobraflow.com   
> , dkopy...@unicon.net   
> 
> Subject:  Re: [cas-user] Re: CAS and OAuth interoperability 
>
> Hi Dmitriy,
>
> I'm not sure how that will help me.
>
> I'm in an application that has currently authenticated and the 
> SecurityContextHolder contains a CasAuthenticationToken.
>
> The application is also 'wired' for OAuth.
>
> I would like to forward the current request on to an OAuth2 resource 
> service. I assume that I need to remove the ticket parameter and add a 
> Bearer authorization header. It is the value of this header that I need to 
> retrieve.
>
> It would be nice if I could do it in a similar way to the 
> CasAuthenticationToken.getAssertion().getPrincipal().getProxyTicketFor("xxx") 
> does for cas proxy tickets...
>
>
> Cheers
>
> On Tuesday, 15 November 2016 14:23:50 UTC, Dmitriy Kopylenko wrote: 
>>
>> There’s this factory API you could try: 
>> https://github.com/apereo/cas/blob/master/support/cas-server-support-oauth/src/main/java/org/apereo/cas/ticket/accesstoken/AccessTokenFactory.java
>>
>> D.
>>
>>
>> From: Lewis Henderson 
>> Reply: cas-...@apereo.org 
>> Date: November 15, 2016 at 9:11:06 AM
>> To: CAS Community 
>> Subject:  [cas-user] Re: CAS and OAuth interoperability
>>
>> Ok, 
>>
>> So after trying with a new proxyTicket, it fails with 
>>
>> 2016-11-15T13:54:11.561707727Z java.lang.ClassCastException: Ticket 
>> [PT-74-1LaIaLLzAZaJBte9SXzU-f63a5c259f31 is of type class 
>> org.apereo.cas.ticket.ProxyTicketImpl when we were expecting interface 
>> org.apereo.cas.ticket.accesstoken.AccessToken
>>
>> understandably!
>>
>> So, now the question is, how do I swap a CAS ticket for an OAuth token?
>>
>>
>> Cheers
>>
>>
>>
>> On Tuesday, 15 November 2016 12:31:45 UTC, Lewis Henderson wrote: 
>>>
>>> Everything is Spring Cloud based.
>>>
>>> I have a CAS 5.0.0 service sitting behind a Zuul Gateway. 
>>>
>>> All the OAuth secured applications work properly!
>>>
>>>
>>> I have an external CAS client that needs to talk to an OAuth resource 
>>> server behind Zuul via a proxyTicket.
>>>
>>> The CAS client successfully authenticates against the Gateway and 
>>> receives its proxyTicket and needs to now get a Bearer token to talk to 
>>> the resource server.
>>>
>>> How do I go about this? Is the proxyTicket equivalent to the Bearer 
>>> token, can I just pass that on?
>>>
>>> I'm so close
>>>
>>>
>>>
>>> Cheers
>>>

Re: [cas-user] Re: CAS and OAuth interoperability

2016-11-15 Thread Dmitriy Kopylenko
That would probably be a question for Jérôme

D.


From: Lewis Henderson 
Reply: cas-user@apereo.org 
Date: November 15, 2016 at 10:04:13 AM
To: CAS Community 
Cc: lewis.hender...@cobraflow.com , 
dkopyle...@unicon.net 
Subject:  Re: [cas-user] Re: CAS and OAuth interoperability  

Hi Dmitriy,

I'm not sure how that will help me.

I'm in an application that has currently authenticated and the 
SecurityContextHolder contains a CasAuthenticationToken.

The application is also 'wired' for OAuth.

I would like to forward the current request on to an OAuth2 resource service. I 
assume that I need to remove the ticket parameter and add a Bearer 
authorization header. It is the value of this header that I need to retrieve.

It would be nice if I could do it in a similar way to the 
CasAuthenticationToken.getAssertion().getPrincipal().getProxyTicketFor("xxx")
 does for cas proxy tickets...


Cheers

On Tuesday, 15 November 2016 14:23:50 UTC, Dmitriy Kopylenko wrote:
There’s this factory API you could try: 
https://github.com/apereo/cas/blob/master/support/cas-server-support-oauth/src/main/java/org/apereo/cas/ticket/accesstoken/AccessTokenFactory.java

D.


From: Lewis Henderson 
Reply: cas-...@apereo.org 
Date: November 15, 2016 at 9:11:06 AM
To: CAS Community 
Subject:  [cas-user] Re: CAS and OAuth interoperability

Ok,

So after trying with a new proxyTicket, it fails with 

2016-11-15T13:54:11.561707727Z java.lang.ClassCastException: Ticket 
[PT-74-1LaIaLLzAZaJBte9SXzU-f63a5c259f31 is of type class 
org.apereo.cas.ticket.ProxyTicketImpl when we were expecting interface 
org.apereo.cas.ticket.accesstoken.AccessToken

understandably!

So, now the question is, how do I swap a CAS ticket for an OAuth token?


Cheers



On Tuesday, 15 November 2016 12:31:45 UTC, Lewis Henderson wrote:
Everything is Spring Cloud based.

I have a CAS 5.0.0 service sitting behind a Zuul Gateway.

All the OAuth secured applications work properly!


I have an external CAS client that needs to talk to an OAuth resource server 
behind Zuul via a proxyTicket.

The CAS client successfully authenticates against the Gateway and receives its 
proxyTicket and needs to now get a Bearer token to talk to the resource server.

How do I go about this? Is the proxyTicket equivalent to the Bearer token, can 
I just pass that on?

I'm so close



Cheers


RE: [cas-user] SAML IdP - encrypt assertions

2016-11-15 Thread Misagh Moayyed
This is probably the least tested bit of the saml2 feature. Do open up an 
issue, and provide your config and CAS logs so we can better diagnose this.



--Misagh



From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Robert 
Kornmesser
Sent: Tuesday, November 15, 2016 3:17 AM
To: CAS Community 
Subject: [cas-user] SAML IdP - encrypt assertions



Hi all,



I am successfully running a CAS 5.0.0 with SAML IdP. I can authenticate 
against shibbolized service providers as long as I am not encrypting 
assertions. When I activate "encryptAssertions" in my service I get this 
error:



A valid authentication statement was not found in the incoming message.


Using a shibboleth 3 IDP worked before.



Here are some Logs:



shibd.log

2016-11-15 11:12:41 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: signature 
validated with credential

2016-11-15 11:12:41 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: 
signature verified against message issuer

2016-11-15 11:12:41 DEBUG Shibboleth.SSO.SAML2 [1]: processing message 
against SAML 2.0 SSO profile

2016-11-15 11:12:41 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolved 0 
certificate(s)

2016-11-15 11:12:41 DEBUG XMLTooling.CredentialCriteria [1]: key algorithm 
didn't match ('AES' != 'RSA')

2016-11-15 11:12:41 WARN XMLTooling.Decrypter [1]: XMLSecurity exception 
while decrypting key: OpenSSL:RSA privateKeyDecrypt - Error removing 
OAEPadding

2016-11-15 11:12:41 WARN XMLTooling.Decrypter [1]: unable to decrypt key, 
generating random key for defensive purposes

2016-11-15 11:12:41 ERROR Shibboleth.SSO.SAML2 [1]: failed to decrypt 
assertion: XMLSecurity exception while decrypting: Errors occured during 
de-serialisation of decrypted element content


If you need more logs, please tell me.



Any one else having problems with encrypted assertions?



Re: [cas-user] Re: CAS and OAuth interoperability

2016-11-15 Thread Dmitriy Kopylenko
There’s this factory API you could try: 
https://github.com/apereo/cas/blob/master/support/cas-server-support-oauth/src/main/java/org/apereo/cas/ticket/accesstoken/AccessTokenFactory.java

D.


From: Lewis Henderson 
Reply: cas-user@apereo.org 
Date: November 15, 2016 at 9:11:06 AM
To: CAS Community 
Subject:  [cas-user] Re: CAS and OAuth interoperability  

Ok,

So after trying with a new proxyTicket, it fails with 

2016-11-15T13:54:11.561707727Z java.lang.ClassCastException: Ticket 
[PT-74-1LaIaLLzAZaJBte9SXzU-f63a5c259f31 is of type class 
org.apereo.cas.ticket.ProxyTicketImpl when we were expecting interface 
org.apereo.cas.ticket.accesstoken.AccessToken

understandably!

So, now the question is, how do I swap a CAS ticket for an OAuth token?


Cheers



On Tuesday, 15 November 2016 12:31:45 UTC, Lewis Henderson wrote:
Everything is Spring Cloud based.

I have a CAS 5.0.0 service sitting behind a Zuul Gateway.

All the OAuth secured applications work properly!


I have an external CAS client that needs to talk to an OAuth resource server 
behind Zuul via a proxyTicket.

The CAS client successfully authenticates against the Gateway and receives its 
proxyTicket and needs to now get a Bearer token to talk to the resource server.

How do I go about this? Is the proxyTicket equivalent to the Bearer token, can 
I just pass that on?

I'm so close



Cheers


Re: [cas-user] Custom Authentication Handler in version 5.0.0

2016-11-15 Thread Gokhan Mansuroglu
When I declare it as below, CAS still uses its UsernamePasswordCredential.



I could use MyUsernamePasswordCredential only if I change the var name in 
the login-webflow and loginform as below:





However, this leads me to other problems like:

java.lang.IllegalArgumentException: No authentication result builder can be located in the context
at org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver.resolveInternal(InitialAuthenticationAttemptWebflowEventResolver.java:71) ~[cas-server-core-webflow-5.0.0.RC1.jar:5.0.0.RC1]
at org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver.resolve(AbstractCasWebflowEventResolver.java:427) ~[cas-server-core-webflow-5.0.0.RC1.jar:5.0.0.RC1]



Do I have to change the var name? What do you suggest?

Thank you.

On Thursday, 10 November 2016 12:33:00 UTC+3, john c wrote:
>
> 1. declare MyUsernamePasswordCredential in  your webflow.xml
> 2. support MyUsernamePasswordCredential in  your authentication handler
> 3. you need a configer class to reg your handler into cas, load configer 
> info etc...
>
> take a look :
>
> https://github.com/apereo/cas/tree/v5.0.0/support/cas-server-support-yubikey
>
>
> On Tuesday, 20 September 2016 at 10:08:53 PM UTC+8, Gokhan Mansuroglu wrote:
>>
>> I have a problem with this configuration. I have a 
>> MyUsernamePasswordCredential that extends UsernamePasswordCredential, but 
>> unfortunately I can't bind this model in the flow. How is that possible?
>>
>> Thank you.
>>
>> On Friday, 9 September 2016 15:18:03 UTC+3, Gokhan Mansuroglu wrote:
>>>
>>> Hi Misagh,
>>>
>>> Thank you for your link, I am trying to figure it out. However there is 
>>> definitely a need for a step by step guide.
>>>
>>> On Thursday, 8 September 2016 12:17:03 UTC+3, Misagh Moayyed wrote:

 Example: 
 https://github.com/apereo/cas/blob/master/cas-server-support-digest-authentication/src/main/java/org/apereo/cas/digest/config/DigestAuthenticationConfiguration.java#L128

 -- 
 Misagh

 From: Gokhan Mansuroglu 
 Reply: Gokhan Mansuroglu 
 Date: September 8, 2016 at 1:17:32 PM
 To: CAS Community 
 Subject:  [cas-user] Custom Authentication Handler in version 5.0.0 

 Hi,

 Let's say I have a custom AbcAuthencticationHandler and AbcCredentials. 
 How can I configure this custom authentication handler? In previous 
 versions this can be handled in deployerConfigContext.xml, but how is it 
 done in version 5.0.0?

 Thanks.


[cas-user] CAS and OAuth interoperability

2016-11-15 Thread Lewis Henderson
Everything is Spring Cloud based.

I have a CAS 5.0.0 service sitting behind a Zuul Gateway.

All the OAuth secured applications work properly!


I have an external CAS client that needs to talk to an OAuth resource 
server behind Zuul via a proxyTicket.

The CAS client successfully authenticates against the Gateway and receives 
its proxyTicket and needs to now get a Bearer token to talk to the 
resource server.

How do I go about this? Is the proxyTicket equivalent to the Bearer token, 
can I just pass that on?

I'm so close



Cheers



[cas-user] CAS 3.5.2 -> 4.2.5 migration with ClearPass Proxy Authentication

2016-11-15 Thread Sam
Hi,

First off thanks to Dmitriy and Travis for your help with my Duo question; 
moving to version 5.0.0 would be what I would want to do but I think I have 
a legacy dependency problem that I need to sort out before I can.

Currently I'm working to migrate an old CAS 3.5.2 installation to something 
that is at least getting security updates. One feature of the 3.5.2 
installation is that it uses the original proxy style ClearPass described 
here: 
https://apereo.github.io/cas/4.2.x/integration/ClearPass-Proxy-Authentication.html.

I can see this is deprecated (and rightly so) and that there is an 
alternative that uses public key encryption, however thinking about our 
specific context I know there is a dependant service that uses ClearPass by 
proxy. I suspect that it'd be about as much work to change that to 
ClearPass by encryption as it would be to remove ClearPass entirely, and I 
think a change to encrypted ClearPass would mean we'd have to synchronise 
the changes to the authentication stack to coincide with the changes to the 
dependant service (removing ClearPass doesn't have this issue). I don't 
think changing the dependant service is going to be trivial but long term 
it obviously needs to happen. So I'm left with what I can do short term.

So after quite a lot of preamble/disclaimer here is the problem I've been 
working on:

I followed these instructions 
(https://apereo.github.io/cas/4.2.x/integration/ClearPass-Proxy-Authentication.html) 
and on starting Tomcat got an exception:

2016-11-07 12:00:08,802 ERROR [org.springframework.web.context.ContextLoader] - org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'singleSignOnSessionsReportController': Injection of autowired dependencies failed;
nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire field: private org.jasig.cas.authentication.AuthenticationSystemSupport org.jasig.cas.web.report.SingleSignOnSessionsReportController.authenticationSystemSupport;
nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'defaultAuthenticationSystemSupport': Injection of autowired dependencies failed;
nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire field: private org.jasig.cas.authentication.AuthenticationTransactionManager org.jasig.cas.authentication.DefaultAuthenticationSystemSupport.authenticationTransactionManager;
nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'defaultAuthenticationTransactionManager': Injection of autowired dependencies failed;
nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire field: private org.jasig.cas.authentication.AuthenticationManager org.jasig.cas.authentication.DefaultAuthenticationTransactionManager.authenticationManager;
nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationManager': Injection of resource dependencies failed;
nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationMetadataPopulators': Cannot create inner bean 'org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator#38b9242e' of type [org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator] while setting bean property 'sourceList' with key [2];
nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator#38b9242e' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Cannot resolve reference to bean 'encryptedMap' while setting constructor argument;
nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'encryptedMap' is defined

I've taken the liberty of trimming it to that point for brevity's sake; there 
wasn't a bean called encryptedMap so the initialisation of the ClearPass 
CacheCredentialsMetaDataPopulator failed and in turn the overall context 
failed to start.

After some time I managed to get past this point by defining a bean like the 
one below:


This seems to allow the beans to start, and the overall CAS webapp seems to 
run and allow logins. I still need to find a way to functionally test the 
ClearPass part however so I don't know if it actually works!

My question is twofold:
1) Is the use of HashMap suitable here?
2) Is this the right way to configure this style of ClearPass on this 
version of CAS (4.2.x)?

All the best,

Sam Jones


[cas-user] SAML IdP - encrypt assertions

2016-11-15 Thread Robert Kornmesser
Hi all,

I am successfully running a CAS 5.0.0 with SAML IdP. I can authenticate 
against shibbolized service providers as long as I am not encrypting 
assertions. When I activate "encryptAssertions" in my service I get this 
error:

A valid authentication statement was not found in the incoming message.

Using a shibboleth 3 IDP worked before.

Here are some Logs:

shibd.log
2016-11-15 11:12:41 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: signature 
validated with credential

2016-11-15 11:12:41 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]: 
signature verified against message issuer

2016-11-15 11:12:41 DEBUG Shibboleth.SSO.SAML2 [1]: processing message 
against SAML 2.0 SSO profile

2016-11-15 11:12:41 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolved 0 
certificate(s)

2016-11-15 11:12:41 DEBUG XMLTooling.CredentialCriteria [1]: key algorithm 
didn't match ('AES' != 'RSA')

2016-11-15 11:12:41 WARN XMLTooling.Decrypter [1]: XMLSecurity exception 
while decrypting key: OpenSSL:RSA privateKeyDecrypt - Error removing 
OAEPadding

2016-11-15 11:12:41 WARN XMLTooling.Decrypter [1]: unable to decrypt key, 
generating random key for defensive purposes

2016-11-15 11:12:41 ERROR Shibboleth.SSO.SAML2 [1]: failed to decrypt 
assertion: XMLSecurity exception while decrypting: Errors occured during 
de-serialisation of decrypted element content

If you need more logs, please tell me.

Any one else having problems with encrypted assertions?
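
The shibd.log lines in the post above form a chain: the signature checks pass, the RSA key decryption fails while removing OAEP padding, the SP substitutes a random key, and the assertion then fails to deserialise. The following Python script is an added example, not part of the original post and not CAS or Shibboleth code; it rejoins the mail-wrapped log records and reports that chain per request id. The stage names and the `parse_records` / `triage` functions are assumptions made for illustration.

```python
import re
from collections import defaultdict

# shibd.log lines copied from the post above, hard-wrapped the way the mail
# archive shows them (one record can spill onto the following lines).
SAMPLE_LOG = """\
2016-11-15 11:12:41 DEBUG XMLTooling.TrustEngine.ExplicitKey [1]: signature
validated with credential
2016-11-15 11:12:41 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [1]:
signature verified against message issuer
2016-11-15 11:12:41 DEBUG Shibboleth.SSO.SAML2 [1]: processing message
against SAML 2.0 SSO profile
2016-11-15 11:12:41 DEBUG XMLTooling.KeyInfoResolver.Inline [1]: resolved 0
certificate(s)
2016-11-15 11:12:41 DEBUG XMLTooling.CredentialCriteria [1]: key algorithm
didn't match ('AES' != 'RSA')
2016-11-15 11:12:41 WARN XMLTooling.Decrypter [1]: XMLSecurity exception
while decrypting key: OpenSSL:RSA privateKeyDecrypt - Error removing
OAEPadding
2016-11-15 11:12:41 WARN XMLTooling.Decrypter [1]: unable to decrypt key,
generating random key for defensive purposes
2016-11-15 11:12:41 ERROR Shibboleth.SSO.SAML2 [1]: failed to decrypt
assertion: XMLSecurity exception while decrypting: Errors occured during
de-serialisation of decrypted element content
"""

# One record: "<date> <time> <LEVEL> <category> [<request id>]: <message>"
RECORD_START = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]+) (?P<category>\S+) \[(?P<req>\d+)\]:\s*(?P<msg>.*)$"
)

# Stage names are labels chosen for this example, not Shibboleth terminology.
STAGES = [
    ("signature_ok", re.compile(
        r"signature (validated with credential|verified against message issuer)")),
    ("key_unwrap_failed", re.compile(
        r"exception while decrypting key: (?P<detail>.+)")),
    ("random_key_substituted", re.compile(
        r"generating random key for defensive purposes")),
    ("assertion_decrypt_failed", re.compile(r"failed to decrypt assertion")),
]
DOWNSTREAM = ("random_key_substituted", "assertion_decrypt_failed")


def parse_records(text):
    """Rejoin hard-wrapped lines into one dict per log record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = RECORD_START.match(line)
        if match:
            records.append(match.groupdict())
        elif records:
            # Continuation of the previous record's message.
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records


def triage(records):
    """Group records by request id and name the first failing stage."""
    by_request = defaultdict(lambda: {"events": [], "detail": None})
    for rec in records:
        for stage, pattern in STAGES:
            match = pattern.search(rec["msg"])
            if not match:
                continue
            entry = by_request[rec["req"]]
            if stage not in entry["events"]:
                entry["events"].append(stage)
            if stage == "key_unwrap_failed":
                entry["detail"] = match.group("detail")
            break

    report = {}
    for req, entry in by_request.items():
        events = entry["events"]
        if "key_unwrap_failed" in events:
            root = "key_unwrap_failed"
        elif "assertion_decrypt_failed" in events:
            root = "assertion_decrypt_failed"
        else:
            root = None
        report[req] = {
            "signature_ok": "signature_ok" in events,
            "root_cause": root,
            "detail": entry["detail"],
            # Events that follow from the root cause rather than being
            # independent faults (e.g. the error after a substituted key).
            "downstream": [e for e in events if e in DOWNSTREAM and e != root],
        }
    return report


if __name__ == "__main__":
    for req, finding in triage(parse_records(SAMPLE_LOG)).items():
        print(req, finding)
```

For the posted log this reports the key decryption as the first failure while the signature checks pass, so the final ERROR line is fallout from the substituted random key rather than a second fault.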
