Re: [cas-user] oAuth authentification and tomcat preventing encoded slashes

2017-02-26 Thread Jérôme LELEU
Hi,

When the cas-server-support-oauth jar is added to the classpath, the
/oauth2.0 URL mapping is automatically added to the CAS servlet regardless
of the HTTP method. So the /authorize call should be caught for GET or POST
requests.

Which version of Tomcat do you use? I remember doing several successful
tests with Tomcat 7/8 with slashes in the redirection URL. Here is the
demo I used: https://github.com/leleuj/cas-pac4j-oauth-demo/tree/4.2.x

Thanks.
Best regards,
Jérôme


2017-02-26 10:09 GMT+01:00 Emmanuel Cervetti:

> After further debugging it seems to me that oAuth server support in
> cas4.2 cannot handle URL GET data.
> All is done to catch the POST parameters in the authorize route.
> But the documentation (both cas and oAuth) says to use GET parameters for
> authorization.
>
>
> 2017-02-25 22:19 GMT+01:00 Emmanuel Cervetti:
>
>> Hello
>> Tomcat prevents using encoded slashes in URLs. I got a blank page when trying
>> to use the oAuth server:
>>
>> https://globalsso.orupaca.fr:8443/oauth2.0/authorize?response_type=code&client_id=leclient&redirect_uri=http%3A%2F%2F10.211.55.3
>> => blank page
>>
>> So I set tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true, the
>> only answer I could find for such a problem.
>>
>> Then the issue is different.
>> https://globalsso.orupaca.fr:8443/oauth2.0/authorize?response_type=code&client_id=leclient&redirect_uri=http%3A%2F%2F10.211.55.3
>> => Redirection to the cas login page (without the oAuth context
>> parameters)
>>
>> I've set a breakpoint in OAuth20WrapperController to see if it was a CAS
>> installation problem, and I have the following behaviour:
>>
>> https://globalsso.orupaca.fr:8443/oauth2.0/authorize?response_type=code&client_id=leclient&redirect_uri=http%3A%2F%2F10.211.55.3
>> => no breakpoint stops, it goes straight to the cas home page
>>
>> https://globalsso.orupaca.fr:8443/oauth2.0/authorize?response_type=code&client_id=leclient&redirect_uri=*hereAUnselessString*
>> => breakpoint stops in OAuth20WrapperController, so it seems ok
>>
>> What could I do so that the oAuth client request is handled by the cas server?
>>
>> My tomcat is 8.5.11
>> Thank you very much for your answer
>>
>> --
>> - CAS gitter chatroom: https://gitter.im/apereo/cas
>> - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
>> - CAS documentation website: https://apereo.github.io/cas
>> - CAS project website: https://github.com/apereo/cas
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/93143320-debe-4892-bbe4-e3b9cc0f69fa%40apereo.org.
>>
>
>

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAP279LzVRQfkmFQWucj4S3bvKjzcHT68qshJ71u_CMdhS2X7WA%40mail.gmail.com.


Re: [cas-user] oAuth authentification and tomcat preventing encoded slashes

2017-02-26 Thread Emmanuel Cervetti
After further debugging it seems to me that oAuth server support in cas4.2
cannot handle URL GET data.
All is done to catch the POST parameters in the authorize route.
But the documentation (both cas and oAuth) says to use GET parameters for
authorization.


2017-02-25 22:19 GMT+01:00 Emmanuel Cervetti:

> Hello
> Tomcat prevents using encoded slashes in URLs. I got a blank page when trying
> to use the oAuth server:
>
> https://globalsso.orupaca.fr:8443/oauth2.0/authorize?response_type=code&client_id=leclient&redirect_uri=http%3A%2F%2F10.211.55.3
> => blank page
>
> So I set tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true, the only
> answer I could find for such a problem.
>
> Then the issue is different.
> https://globalsso.orupaca.fr:8443/oauth2.0/authorize?response_type=code&client_id=leclient&redirect_uri=http%3A%2F%2F10.211.55.3
> => Redirection to the cas login page (without the oAuth context parameters)
>
> I've set a breakpoint in OAuth20WrapperController to see if it was a CAS
> installation problem, and I have the following behaviour:
>
> https://globalsso.orupaca.fr:8443/oauth2.0/authorize?response_type=code&client_id=leclient&redirect_uri=http%3A%2F%2F10.211.55.3
> => no breakpoint stops, it goes straight to the cas home page
>
> https://globalsso.orupaca.fr:8443/oauth2.0/authorize?response_type=code&client_id=leclient&redirect_uri=*hereAUnselessString*
> => breakpoint stops in OAuth20WrapperController, so it seems ok
>
> What could I do so that the oAuth client request is handled by the cas server?
>
> My tomcat is 8.5.11
> Thank you very much for your answer
>
>

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2BnfJqOM8QR7LhP67KHSioLwGPSVADNbh-8CcGwf04QFbUNy_Q%40mail.gmail.com.
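As an added example for the two messages above (it is not CAS, pac4j or Tomcat code, and not from either poster), here is a minimal parser and validator for an OAuth 2.0 authorization request that reads the parameters from either the GET query string or a POST form body, and checks `redirect_uri` by exact match against a client registry. The client id `leclient` and the redirect URI `http://10.211.55.3` are the values from the thread; the host name, the registry and all function names are assumptions. The block also shows why a `%2F` inside `redirect_uri` is not affected by Tomcat's encoded-slash rule: that rule applies to the request path, while the parameter lives in the query string (or body), where it is decoded by `parse_qs`.

```python
"""Parse and validate an OAuth 2.0 authorization request (GET or POST).

Added example for the thread above; it is not CAS or pac4j code.
The registry, host name and function names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

AUTHORIZE_PATH = "/oauth2.0/authorize"

# Constructed client registry: client_id -> exactly registered redirect URIs.
# "leclient" and its redirect URI are the values used in the thread.
REGISTERED_CLIENTS: Dict[str, List[str]] = {
    "leclient": ["http://10.211.55.3"],
}


class AuthorizeError(Exception):
    """Raised for a malformed or unauthorised authorization request."""


@dataclass
class AuthorizeRequest:
    response_type: str
    client_id: str
    redirect_uri: str
    state: Optional[str] = None


def _single(params: Dict[str, List[str]], name: str) -> str:
    """Require exactly one value: a duplicated parameter can make a validator
    check one copy while the redirect later uses the other."""
    values = params.get(name, [])
    if len(values) != 1:
        raise AuthorizeError(f"parameter '{name}' must appear exactly once")
    return values[0]


def parse_authorize_request(method: str, url: str, body: str = "") -> AuthorizeRequest:
    """Read the parameters from the query string (GET) or the form body (POST).

    redirect_uri is percent-encoded inside the query string or body, so its
    %2F sequences are decoded here by parse_qs. Tomcat's ALLOW_ENCODED_SLASH
    restriction concerns the request *path*, which is checked separately.
    """
    parts = urlsplit(url)
    if "%2f" in parts.path.lower() or "%5c" in parts.path.lower():
        raise AuthorizeError("encoded slash in request path; parameters belong in the query string or body")
    if parts.path != AUTHORIZE_PATH:
        raise AuthorizeError(f"unexpected path {parts.path!r}")
    if method == "GET":
        raw = parts.query
    elif method == "POST":
        raw = body
    else:
        raise AuthorizeError(f"unsupported method {method}")
    params = parse_qs(raw, keep_blank_values=True)
    return AuthorizeRequest(
        response_type=_single(params, "response_type"),
        client_id=_single(params, "client_id"),
        redirect_uri=_single(params, "redirect_uri"),
        state=params.get("state", [None])[0],
    )


def validate(req: AuthorizeRequest, registry=REGISTERED_CLIENTS) -> AuthorizeRequest:
    """Accept only a registered client with an exactly registered redirect_uri."""
    if req.response_type != "code":
        raise AuthorizeError("unsupported response_type")
    allowed = registry.get(req.client_id)
    if allowed is None:
        raise AuthorizeError("unknown client_id")
    # Exact string match: no prefix or substring matching and no normalisation,
    # so an authorization code can only be sent where the client registered it.
    if req.redirect_uri not in allowed:
        raise AuthorizeError("redirect_uri is not registered for this client")
    return req


def outcome(method: str, url: str, body: str = "") -> str:
    """Return 'ok' or the rejection reason (handy at a breakpoint or in tests)."""
    try:
        validate(parse_authorize_request(method, url, body))
        return "ok"
    except AuthorizeError as exc:
        return str(exc)


if __name__ == "__main__":
    base = "https://sso.example.org:8443" + AUTHORIZE_PATH  # constructed host
    query = "response_type=code&client_id=leclient&redirect_uri=http%3A%2F%2F10.211.55.3"
    print("GET :", outcome("GET", base + "?" + query))
    print("POST:", outcome("POST", base, query))
    print("bad :", outcome("GET", base + "?response_type=code&client_id=leclient&redirect_uri=hereAUselessString"))
```

The unregistered-string case mirrors the poster's last experiment: the request reaches the controller, but a real authorization server must refuse it at the `redirect_uri` check rather than treat "the breakpoint fired" as success.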


Re: [cas-user] Re: Cas 5 and problem with jdbc authentication integration

2017-02-26 Thread Jihad Talic
No problem, Mohamad! Glad I could help.

On Saturday, February 25, 2017 at 1:31:15 AM UTC+8, Mohamad Anbari wrote:
>
> Thanks Jihad , I added your extra configuration in application.properties 
> and it works well.
>
> Thanks a lot for your help
>
> On Fri, Feb 24, 2017 at 8:55 AM, Jihad Talic wrote:
>
> Thanks, Mohamad. I think you just need to add some required properties in 
> your application.properties file. I am no expert with all these properties 
> but I think it should fix the issue. You can check the default properties 
> in the application.properties of the CAS overlay file at 
> target/cas/WEB-INF/classes inside your CAS overlay directory, if you didn't 
> include the application.properties file in src/main. You can copy them 
> to your current application.properties file. Or you could just copy this:
>
> ##
> # CAS Server Context Configuration
> #
> server.context-path=/cas
> server.port=8443
>
> server.ssl.key-store=file:/etc/cas/thekeystore
> server.ssl.key-store-password=changeit
> server.ssl.key-password=changeit
> server.max-http-header-size=2097152
> server.max-http-post-size=2097152
> server.use-forward-headers=true
>
> # server.ssl.ciphers=
> # server.ssl.client-auth=
> # server.ssl.enabled=
> # server.ssl.key-alias=
> # server.ssl.key-store-provider=
> # server.ssl.key-store-type=
> # server.ssl.protocol=
> # server.ssl.trust-store=
> # server.ssl.trust-store-password=
> # server.ssl.trust-store-provider=
> # server.ssl.trust-store-type=
> 
> server.tomcat.basedir=build/tomcat
> server.tomcat.accesslog.enabled=true
> server.tomcat.accesslog.pattern=%t %a "%r" %s (%D ms)
> server.tomcat.accesslog.suffix=.log
> server.tomcat.max-threads=5
> server.tomcat.port-header=X-Forwarded-Port
> server.tomcat.protocol-header=X-Forwarded-Proto
> server.tomcat.protocol-header-https-value=https
> server.tomcat.remote-ip-header=X-FORWARDED-FOR
> server.tomcat.uri-encoding=UTF-8
> server.error.include-stacktrace=ALWAYS
> 
> spring.http.encoding.charset=UTF-8
> spring.http.encoding.enabled=true
> spring.http.encoding.force=true
>
> ##
> # CAS Cloud Bus Configuration
> #
> spring.cloud.bus.enabled=false
> # spring.cloud.bus.refresh.enabled=true
> # spring.cloud.bus.env.enabled=true
> # spring.cloud.bus.destination=CasCloudBus
> # spring.cloud.bus.ack.enabled=true
>
> endpoints.enabled=true
> endpoints.sensitive=true
> management.context-path=/status
> endpoints.restart.enabled=false
> endpoints.shutdown.enabled=false
>
>
> ##
> # CAS Web Application Session Configuration
> #
> server.session.timeout=300
> server.session.cookie.http-only=true
> server.session.tracking-modes=COOKIE
>
> ##
> # CAS Thymeleaf View Configuration
> #
> spring.thymeleaf.encoding=UTF-8
> spring.thymeleaf.cache=false
> spring.thymeleaf.mode=HTML
> ##
> # CAS Log4j Configuration
> #
> # logging.config=file:/etc/cas/log4j2.xml
> server.context-parameters.isLog4jAutoInitializationDisabled=true
>
> ##
> # CAS AspectJ Configuration
> #
> spring.aop.auto=true
> spring.aop.proxy-target-class=true
>
> ##
> # CAS Authentication Credentials
> #
> cas.authn.accept.users=casuser::Mellon
>
> That is the default content of the application.properties. Also, don't 
> forget to leave the "cas.authn.accept.users=" blank. Hope this helps!
>
> Cheers,
> Jihad
>
>
> On Friday, February 24, 2017 at 12:14:46 AM UTC+8, Mohamad Anbari wrote:
>
> Hi
> I have created application.properties in src/main/resources of the cas maven 
> overlay template project (I am using cas 5). This is my 
> application.properties:
>
> cas.server.name: https://localhost:8443
> cas.server.prefix: https://localhost:8443/cas
>
> cas.adminPagesSecurity.ip=127\.0\.0\.1
>
> # cas.serviceRegistry.config.location: classpath:/services
>
>
> #database connection credentials
>  
> cas.authn.jdbc.query[0].sql=SELECT password FROM MOB_LOGIN WHERE username=?
> cas.authn.jdbc.query[0].healthQuery=SELECT 1 FROM dev.MOB_LOGIN
> cas.authn.jdbc.query[0].isolateInternalQueries=false
> cas.authn.jdbc.query[0].url=jdbc:oracle:thin:@localhost:1521:orcl
> cas.authn.jdbc.query[0].failFast=true
> cas.authn.jdbc.query[0].isolationLevelName=ISOLATION_READ_COMMITTED
> cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.OracleDialect
> cas.authn.jdbc.query[0].leakThreshold=10
> cas.authn.jdbc.query[0].propagationBehaviorName=PROPAGATION_REQUIRED
> cas.authn.jdbc.query[0].batchSize=1
> cas.authn.jdbc.query[0].user=dev
> #cas.authn.jdbc.query[0].ddlAuto=create-drop
> cas.authn.jdbc.query[0].maxAgeDays=180
> cas.authn.jdbc.query[0].password=dev
> cas.authn.jdbc.query[0].autocommit=false
> cas.authn.jdbc.query[0].driverClass=oracle.jdbc.OracleDriver
> cas.authn.jdbc.query[0].idleTimeout=5000
> cas.authn.jdbc.query[0].credentialCriteria=
>
> cas.authn.jdbc.query[0].passwordEncoder.type=DEFAULT
> cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=UTF-8
> cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=MD5
>
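As an added example (not CAS or Spring Boot code, and not from any poster in this thread), here is a small linter for the kind of `application.properties` file exchanged above. It parses the Java properties format the file uses (both the `=` and `:` separators seen in the two dumps, `#` comments, backslash line continuations and backslash escapes such as `127\.0\.0\.1`, which `java.util.Properties` reads as `127.0.0.1` because the backslash before an ordinary character is dropped), then flags the settings a reviewer would question in those dumps: a non-empty `cas.authn.accept.users` (the static credential Jihad says to leave blank), the JDK default keystore password `changeit`, `server.error.include-stacktrace=ALWAYS`, an MD5 `passwordEncoder.encodingAlgorithm`, and a JDBC password kept in plaintext. The sample file, the rule set and the function names are constructed for the example; `\uXXXX` escapes are not handled.

```python
"""Lint a CAS application.properties file for weak settings.

Added example; not CAS or Spring Boot code. The sample text below is
constructed from the settings discussed in the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample mirroring the dumps above (keystore password, stack
# traces, static users, MD5 encoder, plaintext JDBC password, escaped IP).
SAMPLE_PROPERTIES = """
##
# CAS Server Context Configuration
#
server.context-path=/cas
server.port=8443
server.ssl.key-store=file:/etc/cas/thekeystore
server.ssl.key-store-password=changeit
server.ssl.key-password=changeit
server.error.include-stacktrace=ALWAYS
server.tomcat.accesslog.pattern=%t %a "%r" %s (%D ms)
cas.server.name: https://localhost:8443
cas.adminPagesSecurity.ip=127\\.0\\.0\\.1
cas.authn.accept.users=casuser::Mellon
cas.authn.jdbc.query[0].sql=SELECT password FROM MOB_LOGIN WHERE username=?
cas.authn.jdbc.query[0].user=dev
cas.authn.jdbc.query[0].password=dev
cas.authn.jdbc.query[0].passwordEncoder.type=DEFAULT
cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=MD5
"""

_ENTRY = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def _unescape(value: str) -> str:
    """java.util.Properties escaping: \\n, \\t, \\r, \\f become control
    characters; a backslash before any other character is simply dropped."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"n": "\n", "t": "\t", "r": "\r", "f": "\f"}.get(nxt, nxt))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_properties(text: str) -> Dict[str, str]:
    """Parse the Java properties subset used by CAS configuration files."""
    props: Dict[str, str] = {}
    pending: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # continuation: join with the next line
            pending.append(line[:-1])
            continue
        pending.append(line)
        entry = "".join(pending)
        pending = []
        match = _ENTRY.match(entry)
        if match:
            props[match.group(1)] = _unescape(match.group(2))
    return props


WEAK_HASHES = {"MD5", "SHA1", "SHA-1"}
_JDBC_PASSWORD = re.compile(r"cas\.authn\.jdbc\.query\[\d+\]\.password")


def lint_properties(props: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key, finding) pairs for settings worth questioning in review."""
    findings: List[Tuple[str, str]] = []
    for key, value in props.items():
        if key == "cas.authn.accept.users" and value:
            findings.append((key, "static in-memory credentials are enabled; leave blank once a real authentication source is configured"))
        elif key.endswith(("key-store-password", "key-password")) and value == "changeit":
            findings.append((key, "JDK default keystore password"))
        elif key == "server.error.include-stacktrace" and value.upper() == "ALWAYS":
            findings.append((key, "stack traces are returned to clients"))
        elif key.endswith("passwordEncoder.encodingAlgorithm") and value.upper() in WEAK_HASHES:
            findings.append((key, f"{value} is not a suitable password hash"))
        elif _JDBC_PASSWORD.fullmatch(key):
            findings.append((key, "database credential stored in plaintext; restrict file permissions or externalise the secret"))
    return findings


if __name__ == "__main__":
    for key, finding in lint_properties(parse_properties(SAMPLE_PROPERTIES)):
        print(f"{key}: {finding}")
```

Run against a real overlay's `src/main/resources/application.properties` by replacing the constructed sample with the file's contents; the parser deliberately reports nothing for commented-out keys, so an `# server.ssl.trust-store-password=` line from the default template is ignored.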