[cas-user] Re: Access Denied with CAS Service Management WebApp

2017-08-09 Thread Brian Gibson
To follow up on my last email, I enabled DEBUG mode and noticed in the 
logs where it was denying my access. Here is the snippet. I think it is 
because the "roles" value is empty (in bold below)


2017-08-09 12:28:29,675 DEBUG 
[org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic] 
- {wID=/my_AD_loginID/, isFromNewLogin=true, 
authenticationDate=2017-08-09T12:28:29.175-04:00[America/New_York], 
affiliation=staff, authenticationMethod=LdapAuthenticationHandler, 
FullName=/my_Full_Name_From_AD/, 
successfulAuthenticationHandlers=LdapAuthenticationHandler, 
longTermAuthenticationRequestTokenUsed=false, sn=/my_Last_Name_From_AD/, 
cn=/my_AD_loginID/, EmailAddress=/my_AD_EmailAddress/} | *roles: []* | 
permissions: [] | isRemembered: false | clientName: CasClient | 
linkedId: null |]>


2017-08-09 12:28:29,675 DEBUG 
[org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic] 
- 


2017-08-09 12:28:29,691 DEBUG 
[org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic] 
- **


I thought the c:\etc\cas\config\users.properties file referenced from my 
management.properties file would list me as having the ROLE_ADMIN role?


If it helps, here is the .json file service entry used to allow the 
management app.



{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://cas5test.wheatonma.edu/cas-management/.*",
  "name" : "CASManagementService",
  "id" : 132457456798678,
  "description" : "Service entry to allow access to the CAS Management App",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "sn",
      "cn" : "cn",
      "mail" : "EmailAddress",
      "displayname" : "FullName",
      "sAMAccountName" : "wID",
      "employeeType" : "affiliation"
    }
  },
  "evaluationOrder" : 2
}


Thanks!!!









On 8/9/2017 10:44 AM, Brian Gibson wrote:

Hi All,

Be gentle, I'm a sys admin, not a Java expert ;-)

Running Tomcat 9 on Windows 2012 R2 Server.

Running CAS 5.1.2 using the War Overlay method and I have it 
authenticating against Active Directory and it recognizes services 
that I define in .json files.


I'm trying to get the CAS Services Management Webapp working so I can 
login with my Active Directory credentials. Here is where I am


1. I go to the /cas-management URL and if I am not already logged into 
CAS I get redirected to the CAS login page (good so far)


2. I log in with my Active Directory credentials and I am greeted with 
this error


/CAS Services Management   Access Denied   You are not authorized to 
access this resource. Contact your CAS Administrator for more info./


I put this entry in the c:\etc\cas\config\users.properties file (which 
is referenced below in my management.properties file)


/my_AD_loginID/=notused,ROLE_ADMIN,enabled

My management.properties file looks like this

cas.server.name=https://cas5test.wheatonma.edu
cas.server.prefix=https://cas5test.wheatonma.edu/cas
cas.mgmt.host=${cas.server.name}
cas.serviceRegistry.initFromJson=true
spring.thymeleaf.mode=HTML
logging.config=file:/etc/cas/config/log4j2-management.xml
server.port=443
cas.serviceRegistry.config.location:file:/etc/cas/services
server.contextPath=/cas-management
cas.mgmt.adminRoles=ROLE_ADMIN
cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties
cas.mgmt.serverName=https://cas5test.wheatonma.edu
cas.mgmt.defaultLocale=en
cas.mgmt.ldap.ldapAuthz.searchFilter=cn={user}
cas.mgmt.ldap.ldapAuthz.baseDn=OU=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.ldapUrl=ldaps://my_1st_ad_controller ldaps://my_2nd_ad_controller

cas.mgmt.ldap.baseDn=OU=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.bindDn=CN=hidden,CN=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.bindCredential=hidden
cas.mgmt.ldap.useSsl=true
cas.mgmt.ldap.useStartTls=false

Thanks for any advice you can offer :-)



--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/01747094-c76a-36a1-ffd1-8072e34ca39b%40wheatoncollege.edu.


Re: [cas-user] Service registry initialisation using JSON files. Help needed

2017-08-09 Thread David Curry
You also have to add

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-json-service-registry</artifactId>
    <version>${cas.version}</version>
</dependency>

to your pom.xml.

--Dave




--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Wed, Aug 9, 2017 at 11:53 AM, Rémi Cocula  wrote:

>
> Hi,
>
> Using CAS 5.1
>
> I want to populate the service registry using individual JSON files for
> each service declaration.
>
> I added this property in my configuration :
>
> cas.serviceRegistry.initFromJson=true
>
> Hence, any file myapp-123.json will be scanned to register a service but it
> only works if such a file resides in a services directory inside the java
> classpath.
>
> I would like to externalize these files to a desired local directory.
>
> I tried to set that in my configuration :
>
>
> cas.serviceRegistry.config.location=file://D:/entorno/ide/workspace/sso-cas/dist/etc/cas/services
>
> But the D:/entorno/ide/workspace/sso-cas/dist/etc/cas/services does not seem
> to be scanned.
>



[cas-user] Service registry initialisation using JSON files. Help needed

2017-08-09 Thread Rémi Cocula

Hi,

Using CAS 5.1

I want to populate the service registry using individual JSON files for 
each service declaration. 

I added this property in my configuration : 

cas.serviceRegistry.initFromJson=true

Hence, any file myapp-123.json will be scanned to register a service but it 
only works if such a file resides in a services directory inside the java 
classpath.

I would like to externalize these files to a desired local directory. 

I tried to set that in my configuration : 

cas.serviceRegistry.config.location=file://D:/entorno/ide/workspace/sso-cas/dist/etc/cas/services

But the D:/entorno/ide/workspace/sso-cas/dist/etc/cas/services does not seem 
to be scanned.





[cas-user] Access Denied with CAS Service Management WebApp

2017-08-09 Thread Brian Gibson

Hi All,

Be gentle, I'm a sys admin, not a Java expert ;-)

Running Tomcat 9 on Windows 2012 R2 Server.

Running CAS 5.1.2 using the War Overlay method and I have it 
authenticating against Active Directory and it recognizes services that 
I define in .json files.


I'm trying to get the CAS Services Management Webapp working so I can 
login with my Active Directory credentials. Here is where I am


1. I go to the /cas-management URL and if I am not already logged into 
CAS I get redirected to the CAS login page (good so far)


2. I log in with my Active Directory credentials and I am greeted with 
this error


/CAS Services Management   Access Denied   You are not authorized to 
access this resource. Contact your CAS Administrator for more info./


I put this entry in the c:\etc\cas\config\users.properties file (which 
is referenced below in my management.properties file)


/my_AD_loginID/=notused,ROLE_ADMIN,enabled

My c:\etc\cas\config\management.properties file looks like this

cas.server.name=https://cas5test.wheatonma.edu
cas.server.prefix=https://cas5test.wheatonma.edu/cas
cas.mgmt.host=${cas.server.name}
cas.serviceRegistry.initFromJson=true
spring.thymeleaf.mode=HTML
logging.config=file:/etc/cas/config/log4j2-management.xml
server.port=443
cas.serviceRegistry.config.location:file:/etc/cas/services
server.contextPath=/cas-management
cas.mgmt.adminRoles=ROLE_ADMIN
cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties
cas.mgmt.serverName=https://cas5test.wheatonma.edu
cas.mgmt.defaultLocale=en
cas.mgmt.ldap.ldapAuthz.searchFilter=cn={user}
cas.mgmt.ldap.ldapAuthz.baseDn=OU=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.ldapUrl=ldaps://my_1st_ad_controller ldaps://my_2nd_ad_controller

cas.mgmt.ldap.baseDn=OU=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.bindDn=CN=hidden,CN=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.bindCredential=hidden
cas.mgmt.ldap.useSsl=true
cas.mgmt.ldap.useStartTls=false

Thanks for any advice you can offer :-)

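As an added illustration (not CAS code, and not Brian's configuration), here is the role lookup that the "roles: []" DEBUG line in the follow-up reflects, modelled on the users.properties format and the cas.mgmt.adminRoles setting shown in this post. The sample file, the login id "bgibson" and the exact, case-sensitive key match are assumptions of this example.

```python
"""Added example, not CAS code: the role lookup behind the management app's
"roles: []" DEBUG line, modelled on the users.properties format shown on this
page:  user=password,ROLE_1[,ROLE_2...][,enabled|disabled]"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample file; "bgibson" stands in for the real AD login id.
USERS_PROPERTIES = """\
# users.properties (constructed sample)
bgibson=notused,ROLE_ADMIN,enabled
jdoe=notused,ROLE_USER,disabled
"""
ADMIN_ROLES = ["ROLE_ADMIN"]  # cas.mgmt.adminRoles from management.properties


@dataclass
class UserEntry:
    password: str
    roles: List[str] = field(default_factory=list)
    enabled: bool = True


def parse_users_properties(text: str) -> Dict[str, UserEntry]:
    """Parse 'user=password,ROLE...[,enabled|disabled]' lines into entries."""
    users: Dict[str, UserEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # comment or blank line
        name, sep, value = line.partition("=")
        if not sep:
            continue  # malformed line: no key/value separator
        fields = [f.strip() for f in value.split(",")]
        password, rest = fields[0], fields[1:]
        enabled = True
        if rest and rest[-1].lower() in ("enabled", "disabled"):
            enabled = rest.pop().lower() == "enabled"
        users[name.strip()] = UserEntry(password, [r for r in rest if r], enabled)
    return users


def roles_for(users: Dict[str, UserEntry], principal_id: str) -> List[str]:
    """Roles granted to the authenticated principal. Assumption of this example:
    the lookup is an exact, case-sensitive match on the file's key, so an id
    that differs from the key yields no roles, which is what 'roles: []' shows."""
    entry = users.get(principal_id)
    if entry is None or not entry.enabled:
        return []
    return list(entry.roles)


def is_admin(roles: List[str], admin_roles: List[str] = ADMIN_ROLES) -> bool:
    """Access is granted when any granted role is listed in cas.mgmt.adminRoles."""
    return any(role in admin_roles for role in roles)


def decide(users: Dict[str, UserEntry], principal_id: str) -> dict:
    """The access decision as it would be logged: principal, roles, granted."""
    roles = roles_for(users, principal_id)
    return {"principal": principal_id, "roles": roles, "granted": is_admin(roles)}


if __name__ == "__main__":
    users = parse_users_properties(USERS_PROPERTIES)
    for pid in ("bgibson", "BGibson", "jdoe", "nobody"):
        print(decide(users, pid))
```

Running it shows that a listed, enabled user is granted, while an id that does not match the file's key exactly, a disabled user, or an unknown user all come out with an empty role list and are denied.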


[cas-user] Re: Create a separate webflow in CAS4

2017-08-09 Thread yann
Hello,

I have the same problem.
Did you manage to solve it in the end?

Thank you,
Yann

On Monday, 22 February 2016 20:27:58 UTC+1, Yan Zhou wrote:
>
> Hi there, 
>
>  
>
> With CAS4 + Overlay, I want to create a separate webflow when user wants 
> to reset password (without going through login flow).  Such as  
> https:///cas/resetpassword.
>
>  
>
> I am having trouble mapping URL /resetpassword to this new flow.  This 
> could be a spring web flow issue, since I am new to it.
>
>  
>
> Registration is successful, but when I type the URL, it goes to /login 
> page.  There is not anything in the log indicating that it attempts to map 
> the request to my new flow.
>
>  
>
> Did I miss something?
>
> Yan
>
>  
>
> 2016-02-22 14:12:55,763 DEBUG 
> [org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] 
> - Registering flow definition 'ServletContext resource 
> [/WEB-INF/webflow/resetpassword/resetpassword-webflow.xml]' under id 
> 'resetpassword'
>
>  
>
> I created a cas-servlet-extension.xml and have content like this.  It is 
> loaded successfully but does not do anything.
>
> <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping"
>       p:flowRegistry-ref="resetPasswordFlowRegistry"
>       p:order="3">
>   <property name="interceptors">
>     <array value-type="org.springframework.web.servlet.HandlerInterceptor">
>       ...
>     </array>
>   </property>
> </bean>
>
> <webflow:flow-executor id="resetPasswordFlowExecutor"
>                        flow-registry="resetPasswordFlowRegistry">
>   ...
> </webflow:flow-executor>
>
> <webflow:flow-registry id="resetPasswordFlowRegistry"
>                        flow-builder-services="builder"
>                        base-path="/WEB-INF/webflow">
>   <webflow:flow-location-pattern value="/resetpassword/*-webflow.xml"/>
> </webflow:flow-registry>
>
> <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerAdapter"
>       p:flowExecutor-ref="resetPasswordFlowExecutor" />
>



RE: [cas-user] CAS 5.0 & Resource Owner Grant

2017-08-09 Thread Misagh Moayyed
Cool. I feel uneasy about the spec saying “For example” :) but that’s 
neither here nor there.



The mechanics of how one should proceed to patch this are fairly simple: 
find the spot that handles the GET request in the OAuth module, tune it to 
also accept POST and use that method/handler when dealing with the 
particular grant type. (This I think is the easiest approach; the 
possibly-better alternative to ensure that grant type can only respond to 
POST requires other [breaking] changes that would be outside the scope of 
5.1) Start with OAuth20AuthorizeEndpointController and work your way up. 
Post a pull request when ready, or better yet, when not ready as a WIP so 
others see what you’re working on and can provide early feedback.



More here: https://apereo.github.io/2017/07/05/cas-contribution-guide/



--Misagh



From: Tom Andersson [mailto:tjande...@gmail.com]
Sent: Wednesday, August 9, 2017 12:22 AM
To: CAS Community 
Cc: mmoay...@unicon.net
Subject: Re: [cas-user] CAS 5.0 & Resource Owner Grant



Hi Misagh!



Not sure about hard rule, but:



"The client makes a request to the token endpoint by adding the following 
parameters using the 'application/x-www-form-urlencoded' format per 
Appendix B with a character encoding of UTF-8 in the HTTP request entity-body"



and



"For example, the client makes the following HTTP request using 
transport-layer security (with extra line breaks for display purposes 
only):"

 POST /token HTTP/1.1
 Host: server.example.com
 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
 Content-Type: application/x-www-form-urlencoded

 grant_type=password&username=johndoe&password=A3ddj3w





Referencing https://tools.ietf.org/html/rfc6749#section-4.3.2.



Do you think it would be relatively simple to patch this feature, or how 
should one proceed with such a change request?



Cheers,

Tom






On Wednesday, 9 August 2017 09:33:27 UTC+3, Misagh Moayyed wrote:

I don’t remember if the spec makes a hard and fast rule on this, strictly 
speaking, but you’re certainly right that if it’s done via a GET it would be 
better for it to switch to POST.



--Misagh



From: cas-...@apereo.org [mailto:cas-...@apereo.org] On Behalf Of Tom Andersson
Sent: Tuesday, August 8, 2017 12:32 AM
To: CAS Community 
Subject: [cas-user] CAS 5.0 & Resource Owner Grant



Hello,



I have the need to provide an authentication mechanism using the oAuth2 
Resource Owner Grant type. However if I've understood correctly, the 
implementation expects the user to authenticate using GET and passing the 
credentials in the query parameters? To me this seems quite insecure as the 
credentials will then stick in access logs etc. I'm wondering why it's been 
implemented in this way instead of POSTing the credentials or if I have 
misunderstood something. Or would it be better to rely on the tickets REST 
api?



Thank you!

Tom









[cas-user] CAS 5.1.2 implementation

2017-08-09 Thread satheesh k
Hi,

We have been trying to implement CAS 5.1.2 in our project through the overlay 
approach (https://github.com/apereo/cas-overlay-template). On a successful 
build we deployed CAS.war in Tomcat v8. However, it failed due to the below 
mentioned error. Please assist us to resolve this issue. Thanks.


Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.web.flow.resolver.InitialAuthenticationAttemptWebflowEventResolver]: Constructor threw exception; nested exception is java.lang.NoSuchMethodError: org.apereo.cas.authentication.DefaultAuthenticationSystemSupport: method <init>()V not found
at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:154) ~[spring-beans-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:89) ~[spring-beans-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:1147) ~[spring-beans-4.3.8.RELEASE.jar:4.3.8.RELEASE]
... 44 more
Caused by: java.lang.NoSuchMethodError: org.apereo.cas.authentication.DefaultAuthenticationSystemSupport: method <init>()V not found
at org.apereo.cas.web.flow.resolver.AbstractCasWebflowEventResolver.<init>(AbstractCasWebflowEventResolver.java:81) ~[cas-server-core-webflow-5.0.0.M1.jar:5.1.2]
at org.apereo.cas.web.flow.resolver.InitialAuthenticationAttemptWebflowEventResolver.<init>(InitialAuthenticationAttemptWebflowEventResolver.java:38) ~[classes/:5.1.2]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:1.8.0_131]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:1.8.0_131]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:1.8.0_131]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]
at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:142) ~[spring-beans-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:89) ~[spring-beans-4.3.8.RELEASE.jar:4.3.8.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:1147) ~[spring-beans-4.3.8.RELEASE.jar:4.3.8.RELEASE]
... 44 more

Regards,
Satheesh.K




Re: [cas-user] CAS 5.0 & Resource Owner Grant

2017-08-09 Thread Tom Andersson
Hi Misagh!

Not sure about hard rule, but:

"The client makes a request to the token endpoint by adding the following 
parameters using the 'application/x-www-form-urlencoded' format per 
Appendix B with a character encoding of UTF-8 in the HTTP request entity-body"

and

"For example, the client makes the following HTTP request using 
transport-layer security (with extra line breaks for display purposes only):"

 POST /token HTTP/1.1
 Host: server.example.com
 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
 Content-Type: application/x-www-form-urlencoded

 grant_type=password&username=johndoe&password=A3ddj3w



Referencing https://tools.ietf.org/html/rfc6749#section-4.3.2.

Do you think it would be relatively simple to patch this feature, or how 
should one proceed with such a change request?

Cheers,
Tom



On Wednesday, 9 August 2017 09:33:27 UTC+3, Misagh Moayyed wrote:
>
> I don’t remember if the spec makes a hard and fast rule on this, strictly 
> speaking, but you’re certainly right that if it’s done via a GET it would 
> be better for it to switch to POST. 
>
>  
>
> --Misagh
>
>  
>
> *From:* cas-...@apereo.org [mailto:cas-...@apereo.org] *On Behalf Of* Tom Andersson
> *Sent:* Tuesday, August 8, 2017 12:32 AM
> *To:* CAS Community 
> *Subject:* [cas-user] CAS 5.0 & Resource Owner Grant
>
>  
>
> Hello,
>
>  
>
> I have the need to provide an authentication mechanism using the oAuth2 
> Resource Owner Grant type. However if I've understood correctly, the 
> implementation expects the user to authenticate using GET and passing the 
> credentials in the query parameters? To me this seems quite insecure as the 
> credentials will then stick in access logs etc. I'm wondering why it's been 
> implemented in this way instead of POSTing the credentials or if I have 
> misunderstood something. Or would it be better to rely on the tickets REST 
> api?
>
>  
>
> Thank you!
>
> Tom
>

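As an added example (not the CAS OAuth module's code) of the behaviour this thread asks for: a token-endpoint check that accepts the resource owner password grant only as a POST with a form-encoded body, as in the RFC 6749 section 4.3.2 request quoted above, plus a scan over access-log lines for credentials that landed in a query string, which is the exposure Tom describes. The /token path comes from the RFC example; the log lines are constructed.

```python
"""Added example, not CAS code: enforce the RFC 6749 4.3.2 transport rule for
the resource owner password grant (POST + form body, never query parameters)
and detect the exposure the thread worries about in web-server access logs."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

FORM = "application/x-www-form-urlencoded"
SENSITIVE = {"password", "client_secret"}  # fields that must never hit a URL

# Constructed access-log lines (common log format); /token is the RFC's
# example endpoint, not a CAS URL.
ACCESS_LOG = """\
10.0.0.5 - - [09/Aug/2017:12:22:01 -0400] "GET /token?grant_type=password&username=johndoe&password=A3ddj3w HTTP/1.1" 200 312
10.0.0.5 - - [09/Aug/2017:12:22:07 -0400] "POST /token HTTP/1.1" 200 312
10.0.0.9 - - [09/Aug/2017:12:23:40 -0400] "GET /cas/login?service=https%3A%2F%2Fapp.example%2F HTTP/1.1" 302 0
"""


def token_endpoint(method: str, target: str, headers: Dict[str, str],
                   body: str) -> Tuple[int, str]:
    """Decide whether a password-grant request is acceptable on transport
    grounds. Returns (HTTP status, reason); verifying the credentials
    themselves is out of scope for this example."""
    if method != "POST":
        # A GET would put username/password into the URL and thus into logs.
        return 405, "password grant must be sent as POST (RFC 6749 4.3.2)"
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != FORM:
        return 400, "request body must be " + FORM
    if SENSITIVE.intersection(parse_qs(urlsplit(target).query)):
        return 400, "credentials must not appear in the query string"
    form = parse_qs(body, keep_blank_values=True)
    if form.get("grant_type") != ["password"]:
        return 400, "unsupported_grant_type"
    if not form.get("username") or not form.get("password"):
        return 400, "invalid_request: username and password are required"
    return 200, "ok"


# Request-line capture for common/combined log format.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def leaked_credentials(access_log: str) -> List[Tuple[str, str, List[str]]]:
    """Return (method, path, leaked field names) for every log line whose
    request target carries a sensitive field in its query string."""
    hits = []
    for line in access_log.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        leaked = sorted(SENSITIVE.intersection(parse_qs(parts.query)))
        if leaked:
            hits.append((m.group("method"), parts.path, leaked))
    return hits


if __name__ == "__main__":
    rfc_body = "grant_type=password&username=johndoe&password=A3ddj3w"
    print(token_endpoint("POST", "/token", {"Content-Type": FORM}, rfc_body))
    print(token_endpoint("GET", "/token?" + rfc_body, {}, ""))
    print(leaked_credentials(ACCESS_LOG))
```

The log scan is the check to run against existing access logs: any hit means a credential was written to disk and the affected accounts need a password change, independent of fixing the endpoint.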


RE: [cas-user] CAS 5.0 & Resource Owner Grant

2017-08-09 Thread Misagh Moayyed
I don’t remember if the spec makes a hard and fast rule on this, strictly 
speaking, but you’re certainly right that if it’s done via a GET it would be 
better for it to switch to POST.



--Misagh



From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Tom 
Andersson
Sent: Tuesday, August 8, 2017 12:32 AM
To: CAS Community 
Subject: [cas-user] CAS 5.0 & Resource Owner Grant



Hello,



I have the need to provide an authentication mechanism using the oAuth2 
Resource Owner Grant type. However if I've understood correctly, the 
implementation expects the user to authenticate using GET and passing the 
credentials in the query parameters? To me this seems quite insecure as the 
credentials will then stick in access logs etc. I'm wondering why it's been 
implemented in this way instead of POSTing the credentials or if I have 
misunderstood something. Or would it be better to rely on the tickets REST 
api?



Thank you!

Tom

