[cas-user] Migrate From Cas 5.1.6 to Cas 5.2.0 and JWT Problem

2017-12-04 Thread hadi
Hi 

When I download the CAS 5.2.0 Maven overlay and add my recent dependencies, 
the cas-server-support-token jar file does not resolve for the 5.2.0 version. 
I added the dependencies below:



<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-webapp${app.server}</artifactId>
    <version>${cas.version}</version>
    <type>war</type>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-json-service-registry</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-hazelcast-ticket-registry</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-core-logout</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-token</artifactId>
    <version>${cas.version}</version>
</dependency>


I want to use the JWT service ticket and because of that I added 
cas-server-support-token as the CAS documentation says, but I think there is 
no specified version for it.
Does anybody know what happened?
Thanks
 

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9f513bd9-3e5e-478a-94b3-f86970a59906%40apereo.org.


[cas-user] Re: CAS 5.1.x MySql authentication problem !!

2017-12-04 Thread noumann.f
Solved ...
Removing the grave accent ` characters in the fieldPassword value solved 
the problem.
Best regards

On Monday, December 4, 2017 at 5:30:13 PM UTC+2, noumann.f wrote:
>
> Hi,
> I'm trying to deploy *CAS 5.1.x* using the *Maven overlay* from here: 
> https://github.com/apereo/cas-overlay-template/tree/5.1
>
> I want to activate database authentication from a *MySql database* 
> following the formal documentation.
>
> *It fails to authenticate me with the following WARN in the log:*
>
> *WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
> <Authentication has failed. Credentials may be incorrect or CAS cannot find 
> authentication handler that supports [user1] of type 
> [UsernamePasswordCredential], which suggests a configuration problem.>*
>
> Here are the modifications in the POM file:
> <dependency>
>     <groupId>org.jasig.cas</groupId>
>     <artifactId>cas-server-support-jdbc</artifactId>
>     <version>4.2.7</version>
>     <scope>runtime</scope>
>     <exclusions>
>         <exclusion>
>             <groupId>org.apache.logging.log4j</groupId>
>             <artifactId>log4j-slf4j-impl</artifactId>
>         </exclusion>
>         <exclusion>
>             <groupId>org.codehaus.groovy</groupId>
>             <artifactId>groovy-jsr223</artifactId>
>         </exclusion>
>     </exclusions>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-jdbc-drivers</artifactId>
>     <version>${cas.version}</version>
> </dependency>
>
>
>    1. It didn't work with the ${cas.version} for the 
>    *cas-server-support-jdbc* dependency! I used the latest version on 
>    the repository.
>    2. It didn't work without excluding the org.apache.logging.log4j and 
>    org.codehaus.groovy from the *cas-server-support-jdbc* dependency!
>
> Here is the cas.properties file:
> DEFAULT SETTINGS HERE
> .
> .
> .
>
> cas.tgc.crypto.enabled=true
> cas.tgc.crypto.encryption.key=W7t ... DHg
> cas.tgc.crypto.signing.key=fa6 ... jrQ
> cas.webflow.crypto.signing.key=Du_ ... sow
> cas.webflow.crypto.encryption.key=IQv ... 6Sw
>
>
> cas.authn.jdbc.query[0].sql=SELECT * FROM cas.credentials WHERE `username`=?
> cas.authn.jdbc.query[0].healthQuery=SELECT 1 FROM cas.credentials
> cas.authn.jdbc.query[0].url=jdbc:mysql://localhost:3306/cas
> cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQL5InnoDBDialect
> cas.authn.jdbc.query[0].user=root
> cas.authn.jdbc.query[0].password=
> cas.authn.jdbc.query[0].driverClass=com.mysql.cj.jdbc.Driver
> cas.authn.jdbc.query[0].fieldPassword=`password-plain`
>
> # cas.authn.jdbc.query[0].passwordEncoder.type=DEFAULT
> # cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=MD5
> # cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=UTF-8
>
>
> logging.level.org.apereo=DEBUG
> cas.authn.accept.users=
>
> In the log I still find these WARNs:
> 2017-12-04 17:10:43,352 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Secret key for signing is not defined. CAS will attempt to auto-generate the signing key>
> 2017-12-04 17:10:43,353 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Generated signing key [...] of size [512]. The generated key MUST be added to CAS settings.>
> 2017-12-04 17:10:43,353 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <No encryption key is defined. CAS will attempt to auto-generate keys>
> 2017-12-04 17:10:43,353 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Generated encryption key [...] of size [16]. The generated key MUST be added to CAS settings.>
>
>
>
> *Which keys in the cas.properties file should I assign these cipher 
> keys to?*
>
> Is there anyway to debug more what's happening after entering the username 
> and password in the form? I'd  >debug in the *log4j2.xml* file!!!
>
> any help is appreciated!!
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/73e05b5f-f142-412e-a6ae-89af2259923e%40apereo.org.


[cas-user] Re: How to specify landing page (url) in json file for a service when accessStrategy requiredAttributes results in "Service Access Denied"

2017-12-04 Thread crdaudt
 Thanks Andy and Jeremy.  I will upgrade to v5.2 and test the 
"unauthorizedRedirectUrl" property to see if it is working.

On Sunday, December 3, 2017 at 10:41:32 PM UTC-5, Jeremy Rosenberg wrote:
>
> This was broken, I think it’s fixed in 5.2.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/60334cd2-5bcc-43ec-b421-d67881e268de%40apereo.org.


Re: [cas-user] Service Registry

2017-12-04 Thread Jeffrey Ramsay
Well, I had that turned on but didn't notice that option so, I'll redeploy.

Thank you,
-Jeff

On Mon, Dec 4, 2017 at 2:51 PM, David Curry 
wrote:

>
> I don't have a specific MySQL-ish answer, but if you've configured the
> dashboard ("admin pages"), the "Registered Services" button will give you a
> JSON document that contains the entire registry.
>
>  It's just a REST endpoint (https://your.server.name/cas/status/services),
> so depending on how you've secured the admin pages, you could probably get
> the results with curl or whatever instead of a browser.
>
> --Dave
>
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>
> On Mon, Dec 4, 2017 at 1:03 PM, Jeffrey Ramsay 
> wrote:
>
>> Is there a way to export the service registry? MySQL CAS 5.x.
>>
>> -Jeff
>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2BTBYOTByJ6%2BnQzaQf6PdDavOHfB0L%3D8zkLAZgsc%3DdGX6vngQw%40mail.gmail.com.


Re: [cas-user] CAS 5.2.0

2017-12-04 Thread David Curry
Two dumb questions (but I've gotten caught by both):

   1. Did you pull down a new copy (or do a git pull) from the Github repo
   for cas-maven-overlay? It is not (or at least not always) sufficient to
   just update the ${cas.version}, because other information in pom.xml
   changes sometimes.
   2. Did you run "mvnw clean" before running "mvn package" after doing (1)?

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Mon, Dec 4, 2017 at 12:26 PM, David Rodriguez Gonzalez <
davidrg131...@gmail.com> wrote:

> Hi everyone,
>
> We are trying to migrate to CAS 5.2.0 from 5.1.6 but the app is not
> starting because it fails to start the eventPublisher.
>
> Anyone else with this issue?
>
> Thank you
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAMz4GzkAovbUAJuZ8_tH2UcT2bjRxGdh6nGXEy1xKyNuw%40mail.gmail.com.


[cas-user] Re: CAS 5.1.x MySql authentication problem !!

2017-12-04 Thread noumann.f
Thanks jm,
I did set this to none but still can't authenticate to the DB and a warning 
appears:
WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <
Authentication has failed. Credentials may be incorrect or CAS cannot find 
authentication handler that supports [user1] of type [
UsernamePasswordCredential], which suggests a configuration problem.>


Here is the cas.properties I'm using:
#Query Database Authentication
##
cas.authn.jdbc.query[0].sql=SELECT * FROM credentials WHERE `username`=?
cas.authn.jdbc.query[0].healthQuery=SELECT 1 FROM cas.credentials

cas.authn.jdbc.query[0].url=jdbc:mysql://localhost:3306/cas?serverTimezone=UTC
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQL5InnoDBDialect

cas.authn.jdbc.query[0].user=root
cas.authn.jdbc.query[0].password=*
cas.authn.jdbc.query[0].driverClass=com.mysql.cj.jdbc.Driver
cas.authn.jdbc.query[0].fieldPassword=`password-plain`
cas.authn.jdbc.query[0].passwordEncoder.type=NONE


On Monday, December 4, 2017 at 7:56:55 PM UTC+2, jm t wrote:
>
> Hi,
>
> You should make the value of this property explicit:
> cas.authn.jdbc.query[0].passwordEncoder.type=NONE|DEFAULT|STANDARD|BCRYPT|SCRYPT|PBKDF2|com.example.CustomPasswordEncoder
>
> In your case set it to NONE. That's a synonym of plain text.
>
> cas.authn.jdbc.query[0].passwordEncoder.type=NONE
>
> jm
>
>
>


Re: [cas-user] CAS 5.1.x MySql authentication problem !!

2017-12-04 Thread noumann.f
Thanks Ray,
- Bringing in a new, fresh version from the overlay template solved the JDBC 
issues,
- and setting the v5.1.x field names in the cas.properties file solved the 
encryption issues,
- BUT it is still not authenticating correctly against the DB! The following 
warning appears in the log:
WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <
Authentication has failed. Credentials may be incorrect or CAS cannot find 
authentication handler that supports [user1] of type [
UsernamePasswordCredential], which suggests a configuration problem.>


How can I debug it?

On Monday, December 4, 2017 at 7:46:31 PM UTC+2, rbon wrote:
>
> There are two questions here, MySql and encryption key warnings.
> For MySql, use cas version in the pom and report on the errors for that 
> config.
> For encryption key warnings, your field names for cas.tgc... and 
> cas.webflow... are different than what is in the docs, 
> https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#.
>  
> Perhaps you are using values from CAS 4.x?
>
> Ray
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
>


Re: [cas-user] Service Registry

2017-12-04 Thread David Curry
I don't have a specific MySQL-ish answer, but if you've configured the
dashboard ("admin pages"), the "Registered Services" button will give you a
JSON document that contains the entire registry.

 It's just a REST endpoint (https://your.server.name/cas/status/services),
so depending on how you've secured the admin pages, you could probably get
the results with curl or whatever instead of a browser.

--Dave



--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Mon, Dec 4, 2017 at 1:03 PM, Jeffrey Ramsay 
wrote:

> Is there a way to export the service registry? MySQL CAS 5.x.
>
> -Jeff
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XANie1bHW%2BA3Maq7_ezXKku%2B_eaATJExMMugXYti9%2Bd2gQ%40mail.gmail.com.


[cas-user] Twilio

2017-12-04 Thread Jeffrey Ramsay
Anyone using twilio with CAS for SMS; I have it configured but not sure how
we are supposed to use it.

-Jeff

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2BTBYOTRZoWHZRYk0-GCR9ev9nAYJoJm4dH4kS-bhi_Erm04zg%40mail.gmail.com.


[cas-user] Turn off passwordPolicy warning messages in CAS 5.1

2017-12-04 Thread Adam Causey
I would like to use the passwordPolicy in order to have more detailed error
messages displayed when a user logs in, such as to show that their account
has expired or they are locked out, etc.

However, I would not like to show the user the message that their password
is about to expire.  Is there a way to turn off this message but still use
the other password policy features?

I have tried setting these properties, but still get the warning message:

cas.authn.ldap[0].passwordPolicy.warnAll=false
cas.authn.ldap[0].passwordPolicy.displayWarningOnMatch=false

I would expect these to turn off the warning, but they don't work as
expected (or maybe I'm misinterpreting what they do).

I'm running CAS 5.1.14


thanks,
Adam

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAN6MV5P%3DXSxzM2wO%2BVjKuphEgh3Y%2BSaxLUbxihufVO4X24Pyww%40mail.gmail.com.


[cas-user] Re: CAS 5.1.x MySql authentication problem !!

2017-12-04 Thread jm t
Hi,

You should make the value of this property explicit:
cas.authn.jdbc.query[0].passwordEncoder.type=NONE|DEFAULT|STANDARD|BCRYPT|SCRYPT|PBKDF2|com.example.CustomPasswordEncoder

In your case set it to NONE. That's a synonym of plain text.

cas.authn.jdbc.query[0].passwordEncoder.type=NONE

jm



To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5bdc3276-c97e-4e37-a819-9ce788e39cac%40apereo.org.
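An added example, not CAS code and not anything posted in this thread: a simplified model of the lookup that jm t's answer and the "Solved" message in this thread are about, showing how cas.authn.jdbc.query[0].sql, fieldPassword and passwordEncoder.type are applied, why a fieldPassword value that still carries backticks never matches the bare column label password-plain, and how an explicit NONE encoder compares the value. The handler model, the sqlite3 stand-in for MySQL, the sample account and the hashed password-pbkdf2 column are all assumptions for illustration.

```python
"""Simplified model (an assumption, not CAS's own code) of how the
query-database handler applies cas.authn.jdbc.query[0].sql, .fieldPassword
and .passwordEncoder.type, using sqlite3 in place of MySQL."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample account; the password is a made-up value.
CONSTRUCTED_USERS = {"user1": "s3cret!"}

PBKDF2_ROUNDS = 100_000


def pbkdf2_encode(password, salt=None):
    """Store as 'hexsalt$hexhash'; a stand-in for a PBKDF2-style encoder,
    not the exact format CAS's PBKDF2 encoder produces."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def pbkdf2_matches(password, encoded):
    salt_hex, digest_hex = encoded.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db():
    """In-memory stand-in for the thread's credentials table. Backticks quote
    identifiers in both MySQL and SQLite, so the column's label is
    password-plain, not `password-plain`."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.execute("CREATE TABLE credentials (`username` TEXT PRIMARY KEY, "
                "`password-plain` TEXT, `password-pbkdf2` TEXT)")
    for user, pw in CONSTRUCTED_USERS.items():
        con.execute("INSERT INTO credentials VALUES (?, ?, ?)",
                    (user, pw, pbkdf2_encode(pw)))
    return con


# The failing setting from the thread: backticks inside the property value.
CFG_FROM_THREAD = {
    "sql": "SELECT * FROM credentials WHERE `username`=?",
    "fieldPassword": "`password-plain`",
    "passwordEncoder.type": "NONE",
}
# The fix reported in the thread: drop the backticks, keep the encoder explicit.
CFG_FIXED = {**CFG_FROM_THREAD, "fieldPassword": "password-plain"}
# Hardened variant (not from the thread): hashed column plus PBKDF2 encoder.
CFG_HASHED = {**CFG_FROM_THREAD, "fieldPassword": "password-pbkdf2",
              "passwordEncoder.type": "PBKDF2"}


def authenticate(con, cfg, username, password):
    """Run cfg['sql'] with the username as its single bound parameter, read the
    column named by cfg['fieldPassword'] from the row, and compare according to
    cfg['passwordEncoder.type']. Returns (ok, reason)."""
    row = con.execute(cfg["sql"], (username,)).fetchone()
    if row is None:
        return False, "no row for user"
    columns = row.keys()
    field = cfg["fieldPassword"]
    # The result-set column label is the bare name, so a fieldPassword that
    # carries backticks never matches and the login fails for every user.
    if field not in columns:
        return False, f"fieldPassword {field!r} not in result columns {columns}"
    stored = row[field]
    encoder = cfg.get("passwordEncoder.type", "NONE").upper()
    if encoder == "NONE":
        ok = hmac.compare_digest(stored.encode(), password.encode())
    elif encoder == "PBKDF2":
        ok = pbkdf2_matches(password, stored)
    else:
        return False, f"encoder {encoder!r} not modelled here"
    return ok, "password matches" if ok else "password mismatch"


if __name__ == "__main__":
    db = make_db()
    for name, cfg in [("thread", CFG_FROM_THREAD), ("fixed", CFG_FIXED),
                      ("hashed", CFG_HASHED)]:
        print(name, authenticate(db, cfg, "user1", "s3cret!"))
```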


Re: [cas-user] CAS 5.1.x MySql authentication problem !!

2017-12-04 Thread Ray Bon
There are two questions here, MySql and encryption key warnings.
For MySql, use cas version in the pom and report on the errors for that config.
For encryption key warnings, your field names for cas.tgc... and cas.webflow... 
are different than what is in the docs, 
https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#. 
Perhaps you are using values from CAS 4.x?

Ray


--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1512409584.1769.12.camel%40uvic.ca.


Re: [cas-user] Unknown encryption/secret key WARN message at startup

2017-12-04 Thread Ray Bon
Adam,

Check these parameters:
cas.webflow.signing.key
cas.webflow.encryption.key

Ray

On Mon, 2017-12-04 at 08:48 -0500, Adam Causey wrote:
I am receiving the WARN messages below during CAS 5.1 startup. I have set the 
tgc and clearPass encryptionKeys and secretKeys. This message does not specify a 
module for the encryption/secret key, so I'm not sure where to put the 
generated values.


2017-12-04 08:34:52,049 [main] WARN  org.apereo.cas.util.cipher.BaseBinaryCipherExecutor - Secret key for signing is not defined. CAS will attempt to auto-generate the signing key

2017-12-04 08:34:52,054 [main] WARN  org.apereo.cas.util.cipher.BaseBinaryCipherExecutor - Generated signing key [ABC] of size [512]. The generated key MUST be added to CAS settings.

2017-12-04 08:34:52,054 [main] WARN  org.apereo.cas.util.cipher.BaseBinaryCipherExecutor - No encryption key is defined. CAS will attempt to auto-generate keys

2017-12-04 08:34:52,054 [main] WARN  org.apereo.cas.util.cipher.BaseBinaryCipherExecutor - Generated encryption key [123] of size [16]. The generated key MUST be added to CAS settings.


Thanks!

-Adam


--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1512408687.1769.6.camel%40uvic.ca.


[cas-user] CAS 5.2.0

2017-12-04 Thread David Rodriguez Gonzalez
Hi everyone,

We are trying to migrate to CAS 5.2.0 from 5.1.6, but the app is not
starting because it fails to start the eventPublisher.

Anyone else with this issue?

Thank you

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFGxCivBB7soPFw6TN0NHWJN%2BtYEUdau0kTOWx6iO%2BvuCLmxsA%40mail.gmail.com.


Re: [cas-user] Single Logout & OAuth

2017-12-04 Thread Ray Bon
Tom,

In CAS 5.1 there are some additional logout features, 
https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#logout.
 Although it is not exactly what you are asking, it may provide some additional 
insight. See also, 
https://apereo.github.io/cas/5.1.x/installation/Logout-Single-Signout.html.

Ray

On Mon, 2017-12-04 at 01:21 -0800, Tom Andersson wrote:
Hello all,

We are struggling with some logout / session management related issues with our 
CAS OAuth clients. We are using CAS 5.0 and have use cases, where on CAS 
logout, the OAuth access tokens of a user would need to be removed, but only 
tokens granted for that specific SSO session. The current use case is related 
to a service which uses the implicit grant flow to authenticate users.
Technically, as far as I understand, we would need to link access tokens to SSO 
sessions (CAS doesn't seem to link the tokens in such a way), so that on SLO, 
the access tokens granted for the SSO session could be revoked.

I understood that the SLO functionality is really not supported for the OAuth 
protocol and I haven't found a way to handle this in CAS. Thus, we are thinking 
about creating some external service, which could keep track of SSO sessions 
and related access tokens, and then revoke the access tokens when receiving SLO 
notification from CAS. So I looked into the SLO notification functionality 
(back-channel), and it seems like, at least in the implicit grant case, the 
notification contains the Service Ticket ID that was granted as part of the 
authentication flow. The next problem is that, of course, our external service has 
not received such an identifier in the login process, and possibly the flow would 
need to be changed to transmit this ID to the client (possibly in the same 
redirect request with the access token?).

Hopefully you get the picture of what we're attempting. The goal would be to 
invalidate access tokens for a specific SSO session, but still keep access 
tokens for possible other sessions of the same user (otherwise we could just 
remove all tokens).

A few questions:
* Are we doing something completely wrong here? Maybe this is not the way to 
handle SSO sessions and OAuth access at all? Could there be some other ways of 
looking at the problem at hand?
* Is the approach of modifying the authentication flows (authorization code 
grant or implicit grant) in such a way that our external service would have 
some handle to the SSO session, meaningful at all? The service would then hold 
a list: "ST-123": ["AT-1", "AT-2", "AT-3"...]. Or is it actually the TGT that 
we should be able to transfer to the service on login, and also deliver the 
same TGT on SLO notification? Somehow this feels wrong.

There are also a few issues, which may be bugs, related to this:
* The logoutUrl setting of a service configuration doesn't seem to propagate, 
we always have logoutUrl pointing to the service URL of the callbackAuthorize 
service.
* All access tokens seem to have a service mapping to the callbackAuthorize 
service. Is this by design? So we cannot know which service an access token 
has actually been granted for (unless searching for it based on the client ID 
in the callbackAuthorize service URL).


Thanks for any ideas!
Tom

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1512408048.1769.4.camel%40uvic.ca.
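An added illustration of the bookkeeping Tom describes, not code from CAS or from this thread: an external service records which access tokens were issued under which CAS ticket and, when the back-channel logout notification for that ticket arrives, revokes only those tokens, leaving the same user's other SSO sessions intact. It assumes the notification is the SAML LogoutRequest CAS posts in the logoutRequest form field, with the ticket id in SessionIndex, and that the client learned the ticket id at login (how that id reaches the client is the open question in the post); the registry class, the sample tickets and tokens are constructed for the example.

```python
"""External registry that ties OAuth access tokens to the CAS SSO session they were
issued under, and revokes exactly those tokens on a back-channel SLO notification."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Set
from urllib.parse import parse_qs, quote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


class SessionTokenRegistry:
    """ticket id (the session handle the client learned at login) -> access tokens."""

    def __init__(self) -> None:
        self._by_ticket: Dict[str, Set[str]] = defaultdict(set)
        self._ticket_of: Dict[str, str] = {}
        self._revoked: Set[str] = set()

    def register(self, ticket_id: str, access_token: str) -> None:
        """Record that access_token was granted within the session ticket_id belongs to."""
        self._by_ticket[ticket_id].add(access_token)
        self._ticket_of[access_token] = ticket_id

    def is_active(self, access_token: str) -> bool:
        return access_token in self._ticket_of and access_token not in self._revoked

    def revoke_session(self, ticket_id: str) -> List[str]:
        """Revoke every token of one session and return them; other sessions of the
        same user are untouched because they are keyed by their own ticket id."""
        revoked = sorted(self._by_ticket.pop(ticket_id, set()))
        self._revoked.update(revoked)
        return revoked


def parse_logout_request(body: str) -> str:
    """Return the SessionIndex of the SAML LogoutRequest that CAS posts in the
    'logoutRequest' form field of a back-channel logout notification."""
    form = parse_qs(body, strict_parsing=True)
    root = ET.fromstring(form["logoutRequest"][0])
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    index = root.find(f"{{{SAMLP}}}SessionIndex")
    if index is None or not (index.text or "").strip():
        raise ValueError("LogoutRequest carries no SessionIndex")
    return index.text.strip()


def handle_slo_notification(registry: SessionTokenRegistry, body: str) -> List[str]:
    """Handle one notification. The caller must already have verified that the POST
    came from the CAS server (network restriction or client TLS); an unauthenticated
    notification endpoint would let anyone revoke other users' tokens."""
    return registry.revoke_session(parse_logout_request(body))


def build_slo_body(ticket_id: str) -> str:
    """Constructed notification body in the shape CAS posts (ID and IssueInstant are
    made-up sample values)."""
    xml_doc = (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        'ID="LR-sample" Version="2.0" IssueInstant="2017-12-04T09:00:00Z">'
        "<saml:NameID>@NOT_USED@</saml:NameID>"
        f"<samlp:SessionIndex>{ticket_id}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )
    return "logoutRequest=" + quote(xml_doc)


def demo() -> Dict[str, object]:
    """One user, two SSO sessions; logging out the first must not touch the second."""
    reg = SessionTokenRegistry()
    reg.register("ST-123", "AT-1")
    reg.register("ST-123", "AT-2")
    reg.register("ST-456", "AT-3")  # same user, different browser / SSO session
    revoked = handle_slo_notification(reg, build_slo_body("ST-123"))
    return {"revoked": revoked,
            "AT-3 active": reg.is_active("AT-3"),
            "AT-1 active": reg.is_active("AT-1")}
```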


[cas-user] CAS 5.1.x MySql authentication problem !!

2017-12-04 Thread noumann.f
Hi,
I'm trying to deploy CAS 5.1.x using the Maven overlay from 
here: https://github.com/apereo/cas-overlay-template/tree/5.1

I want to activate database authentication against a MySQL database, following 
the official documentation.

It fails to authenticate me with the following WARN in the log:

> WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
> authentication handler that supports [user1] of type 
> [UsernamePasswordCredential], which suggests a configuration problem.


Here are the modifications in the POM file:

<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-support-jdbc</artifactId>
    <version>4.2.7</version>
    <scope>runtime</scope>
    <exclusions>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-slf4j-impl</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.codehaus.groovy</groupId>
            <artifactId>groovy-jsr223</artifactId>
        </exclusion>
    </exclusions>
</dependency>

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-jdbc-drivers</artifactId>
    <version>${cas.version}</version>
</dependency>


   1. It didn't work with the ${cas.version} for the 
   cas-server-support-jdbc dependency! I used the latest version on the 
   repository.
   2. It didn't work without excluding the org.apache.logging.log4j and 
   org.codehaus.groovy from the cas-server-support-jdbc dependency!

Here is the cas.properties file:
DEFAULT SETTINGS HERE
.
.
.

cas.tgc.crypto.enabled=true
cas.tgc.crypto.encryption.key=W7t ... DHg
cas.tgc.crypto.signing.key=fa6 ... jrQ
cas.webflow.crypto.signing.key=Du_ ... sow
cas.webflow.crypto.encryption.key=IQv ... 6Sw


cas.authn.jdbc.query[0].sql=SELECT * FROM cas.credentials WHERE `username`=?
cas.authn.jdbc.query[0].healthQuery=SELECT 1 FROM cas.credentials
cas.authn.jdbc.query[0].url=jdbc:mysql://localhost:3306/cas
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQL5InnoDBDialect
cas.authn.jdbc.query[0].user=root
cas.authn.jdbc.query[0].password=
cas.authn.jdbc.query[0].driverClass=com.mysql.cj.jdbc.Driver
cas.authn.jdbc.query[0].fieldPassword=`password-plain`

# cas.authn.jdbc.query[0].passwordEncoder.type=DEFAULT
# cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=MD5
# cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=UTF-8


logging.level.org.apereo=DEBUG
cas.authn.accept.users=

In the log I still find these WARNs:
2017-12-04 17:10:43,352 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - 
2017-12-04 17:10:43,353 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - 
2017-12-04 17:10:43,353 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - 
2017-12-04 17:10:43,353 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - 



Which keys in the cas.properties file should I assign these cipher 
keys to?

Is there any way to debug more of what's happening after entering the username 
and password in the form? I'd debug in the log4j2.xml file!!!

Any help is appreciated!!

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/08bc61a3-0bf3-43c4-b0ee-5662c7258541%40apereo.org.
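An added check, not from this thread or from CAS, for the cas.authn.jdbc.query settings above: it flags the quoting that the thread found to be the cause (this example assumes CAS reads the password out of the query result row under the configured fieldPassword name as-is, so a value wrapped in backticks names a column the driver never returns), together with the root account with an empty password and the plaintext password column that the commented-out encoder settings leave in place. The passwordEncoder property names follow the 5.1 documentation; the sample result row and the property text in the test are constructed.

```python
"""Lint the cas.authn.jdbc.query[N].* settings of a cas.properties file."""
import re
from typing import Dict, List, Optional

QUERY_RE = re.compile(r"^cas\.authn\.jdbc\.query\[(\d+)\]\.(.+)$")
UNSALTED = ("MD5", "SHA-1", "SHA1")


def parse_properties(text: str) -> Dict[str, str]:
    """key=value lines; '#' comment lines ignored."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def group_jdbc_queries(props: Dict[str, str]) -> Dict[int, Dict[str, str]]:
    """Collect the settings of each cas.authn.jdbc.query[i] block by index."""
    queries: Dict[int, Dict[str, str]] = {}
    for key, value in props.items():
        m = QUERY_RE.match(key)
        if m:
            queries.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return queries


def strip_identifier_quotes(name: str) -> str:
    """Column label the driver reports for an identifier that may carry SQL quoting."""
    if len(name) >= 2 and name[0] == name[-1] and name[0] in "`\"":
        return name[1:-1]
    return name


def lookup_password(row: Dict[str, object], field_password: str) -> Optional[object]:
    """Mirror of the lookup CAS performs on the result row (assumption of this
    example): fieldPassword is used verbatim as the column key, so quoting in the
    property value becomes part of the name and matches nothing."""
    return row.get(field_password)


def lint_jdbc_query(index: int, q: Dict[str, str]) -> List[str]:
    prefix = f"cas.authn.jdbc.query[{index}]"
    findings = []
    field = q.get("fieldPassword", "")
    plain = strip_identifier_quotes(field)
    if not field:
        findings.append(f"{prefix}.fieldPassword is not set")
    elif plain != field:
        findings.append(f"{prefix}.fieldPassword is quoted: CAS looks for a column named "
                        f"{field!r}, which the driver never returns; use {plain}")
    if q.get("user") == "root":
        findings.append(f"{prefix}.user is root; use a dedicated account with SELECT only")
    if "user" in q and not q.get("password"):
        findings.append(f"{prefix}.password is empty")
    enc = q.get("passwordEncoder.type", "NONE").upper()
    algo = q.get("passwordEncoder.encodingAlgorithm", "")
    if enc == "NONE":
        findings.append(f"{prefix}.passwordEncoder.type is not set, so the "
                        f"{plain or 'password'} column is compared as plaintext")
    elif enc == "DEFAULT" and algo.upper() in UNSALTED:
        findings.append(f"{prefix}.passwordEncoder uses an unsalted {algo} digest")
    return findings


def lint_properties(text: str) -> List[str]:
    """All findings for every cas.authn.jdbc.query[i] block in the file, in index order."""
    findings: List[str] = []
    for index, q in sorted(group_jdbc_queries(parse_properties(text)).items()):
        findings.extend(lint_jdbc_query(index, q))
    return findings
```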


Re: [cas-user] Problem with 5.1.6 - LDAP derefAlias

2017-12-04 Thread Marc K.
Hi and thanks for your response. 
I searched for several hours but didn't find any way to file a feature 
request. Can you provide me with a link or something?

regards

Am Donnerstag, 30. November 2017 16:42:56 UTC+1 schrieb dfisher:
>
> Inspection of the code seems to indicate that this is not supported:
>
> https://github.com/apereo/cas/blob/v5.1.6/core/cas-server-core-configuration/src/main/java/org/apereo/cas/configuration/support/Beans.java#L1041
>
> I recommend you file a feature request, adding a new property shouldn't be 
> a big deal.
>
> --Daniel Fisher
>
> On Thu, Nov 30, 2017 at 12:40 AM, Marc K. wrote:
>
>> Hi,
>>
>> I recently updated our CAS 3.x with some modifications to the new Apereo 
>> CAS 5.1.6. After messing around with tons of properties I'm currently facing 
>> the problem of users not being able to log in due to aliased LDAP entries. Is it 
>> possible to set the ldaptive "derefAliases" via cas.properties? 
>>
>> thx and regards
>>
>> Marc
>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9f86e9d8-ffbf-4344-b38f-508feeb50316%40apereo.org.


Re: [cas-user] Re: Unsuccessful in configuring CAS 5.1.3 as a OAuth server ("/callbackAuthorize" redirects to "/" instead of client app)

2017-12-04 Thread Sandor Juhasz
We are on https. For a while it works and at some point, somehow related 
to an existing/expired session, it goes to location /.

On Monday, December 4, 2017 at 12:51:03 PM UTC+1, Fei Wang wrote:
>
> When I use HTTPS, the issue is gone. What's the trick here?
>
> On Mon, Dec 4, 2017 at 7:27 PM, Sandor Juhasz wrote:
>
>> Happening to us with 5.1.6, using openid connect webflow. Same symptoms, 
>> only thing making it 
>> interesting is that it does not happen every time.
>>
>> See threads:
>> https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/TDh7Zz7g5TY
>>  
>>
>> --
>> *Sándor Juhász*
>> System Administrator
>> *ChemAxon* *Ltd*.
>> Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
>> Cell: +36704258964
>>
>> On Mon, Dec 4, 2017 at 11:45 AM, Fei Wang wrote:
>>
>>> I met exactly the same problem. Have you resolved it? 
>>>
>>>
>>> On Wednesday, September 6, 2017 at 11:13:56 AM UTC+8, Zhang Yu wrote:

 env:
 Java 8, CAS 5.1.3, Tomcat 8.5 (standalone), IntelliJ, macOS Sierra.

 pom.xml:

 <properties>
     <cas.version>5.1.3</cas.version>
 </properties>

 <dependencies>
     <dependency>
         <groupId>org.apereo.cas</groupId>
         <artifactId>cas-server-webapp</artifactId>
         <version>${cas.version}</version>
         <type>war</type>
         <scope>runtime</scope>
     </dependency>
     <dependency>
         <groupId>org.apereo.cas</groupId>
         <artifactId>cas-server-support-jdbc</artifactId>
         <version>${cas.version}</version>
     </dependency>
     <dependency>
         <groupId>org.apereo.cas</groupId>
         <artifactId>cas-server-support-json-service-registry</artifactId>
         <version>${cas.version}</version>
     </dependency>
     <dependency>
         <groupId>org.apereo.cas</groupId>
         <artifactId>cas-server-webapp-config-security</artifactId>
         <version>${cas.version}</version>
     </dependency>
     <dependency>
         <groupId>org.apereo.cas</groupId>
         <artifactId>cas-server-support-oauth-webflow</artifactId>
         <version>${cas.version}</version>
     </dependency>

     <dependency>
         <groupId>com.oracle</groupId>
         <artifactId>ojdbc8</artifactId>
         <version>12.2.0.1</version>
     </dependency>
 </dependencies>


 CAS runs fine at http://127.0.0.1:8080.

 Registered a JSON service with CAS to act as a demo OAuth client:

 {
   "@class": 
 "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
   "serviceId": "http://(127.0.0.1|localhost):8081/login/oauth2/cas",
   "clientId": "clientid",
   "clientSecret": "clientSecret",
   "name": "OAuth20ClientDemo",
   "id": 1002,
   "description": "",
   "evaluationOrder": 0,
   "attributeReleasePolicy": {
 "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
   }
 }

 When CAS starts, it automatically generates another JSON service (which 
 seems a bit weird, however I cannot tell whether it is normal or not):

 {
   @class: org.apereo.cas.services.RegexRegisteredService
   serviceId: http://localhost:8080/oauth2.0/callbackAuthorize.*
   name: RegexRegisteredService
   id: 103356745490349536
   description: OAuth Authentication Callback Request URL
   proxyPolicy:
   {
 @class: org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy
   }
   evaluationOrder: 0
   usernameAttributeProvider:
   {
 @class: 
 org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider
 canonicalizationMode: NONE
 encryptUsername: false
   }
   attributeReleasePolicy:
   {
 @class: org.apereo.cas.services.DenyAllAttributeReleasePolicy
 principalAttributesRepository:
 {
   @class: 
 org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
   expiration: 2
   timeUnit: HOURS
 }
 authorizedToReleaseCredentialPassword: false
 authorizedToReleaseProxyGrantingTicket: false
 excludeDefaultAttributes: true
   }
   multifactorPolicy:
   {
 @class: 
 org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
 failureMode: CLOSED
 bypassEnabled: false
   }
   accessStrategy:
   {
 @class: 
 org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
 enabled: true
 ssoEnabled: true
 requireAllAttributes: true
 caseInsensitive: false
   }
 }

 The demo client runs as another standalone Tomcat app at 
 http://127.0.0.1:8081.

 Now comes the testing process.

 The first steps of the process look good:

 http://localhost:8081/login/oauth2/cas
 302 ->

 http://127.0.0.1:8080/oauth2.0/authorize?client_id=clientid_uri=http://localhost:8081/login/oauth2/cas_type=code=2YqY0c
 302 ->

 http://localhost:8080/login?service=http%3A%2F%2Flocalhost%3A8080%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3Dclientid%26redirect_uri%3Dhttp%3A%2F%2Flocalhost%3A8081%2Flogin%2Foauth2%2Fcas

 After inputting the correct username/password in the form and pressing LOGIN, a 
 POST is submitted to:

 

Re: [cas-user] Unknown encryption/secret key WARN message at startup

2017-12-04 Thread David Curry
Those are probably referring to missing signing/encryption keys for Spring
Webflow encryption, since you say you have the tgc properties configured.
(Although you should also check the properties you have set for tgc
encryption; all the signing/encryption key properties were "rationalized"
in one of the point releases, and if you're using the old names, it won't
work.)

You configure the Spring Webflow signing key pretty much the same way (it's
a JSON web key), but the encryption key is not a JWK, so it's a little
different.

See this:

https://dacurry-tns.github.io/deploying-apereo-cas/building_server_configure-server-properties.html#configure-spring-webflow-encryption
https://dacurry-tns.github.io/deploying-apereo-cas/building_server_configure-server-properties.html#configure-ticket-granting-cookie-encryption

--Dave




--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Mon, Dec 4, 2017 at 8:48 AM, Adam Causey wrote:

> I am receiving the WARN messages below during CAS 5.1 startup. I have set
> the tgc and clearPass encryptionKeys and secretKeys. This message does not
> specify a module for the encryption/secret key, so I'm not sure where to
> put the generated values.
>
>
> 2017-12-04 08:34:52,049 [main] WARN  org.apereo.cas.util.cipher.BaseBinaryCipherExecutor - Secret key for signing is not defined. CAS will attempt to auto-generate the signing key
>
> 2017-12-04 08:34:52,054 [main] WARN  org.apereo.cas.util.cipher.BaseBinaryCipherExecutor - Generated signing key [ABC] of size [512]. The generated key MUST be added to CAS settings.
>
> 2017-12-04 08:34:52,054 [main] WARN  org.apereo.cas.util.cipher.BaseBinaryCipherExecutor - No encryption key is defined. CAS will attempt to auto-generate keys
>
> 2017-12-04 08:34:52,054 [main] WARN  org.apereo.cas.util.cipher.BaseBinaryCipherExecutor - Generated encryption key [123] of size [16]. The generated key MUST be added to CAS settings.
>
>
> Thanks!
>
> -Adam
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAPHUSkckp71kFU_3g6pBLq88qORuHXtwqOnPfwTP558kw%40mail.gmail.com.
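An added example, not from CAS or from this thread, that generates keys of the sizes the warnings name (a 512-bit signing key and a 16-character encryption key for the webflow cipher), prints them as property lines, and audits an existing cas.properties so a missing key is caught before CAS auto-generates one at startup. It assumes the 5.1.x property names (cas.webflow.crypto.* and cas.tgc.crypto.*; the older cas.webflow.* names Ray lists are flagged as such), a base64url JWK octet value for the signing and TGC keys, and a plain 16-character string for the webflow encryption key, which is the "not a JWK" difference Dave points to; the TGC sizes (256-bit encryption, 512-bit signing) are from the CAS docs rather than this thread.

```python
"""Generate, and audit a cas.properties for, the CAS 5.1 crypto keys whose absence
produces the BaseBinaryCipherExecutor 'auto-generate' warnings at startup."""
import base64
import secrets
import string
from typing import Dict, List, Tuple

# (raw length, form). Webflow sizes come from the warnings quoted in the thread:
# signing key of size [512] bits, encryption key of size [16]. TGC sizes follow
# the CAS 5.1 docs (an assumption of this example, not something the thread states).
#   "jwk": n random bytes, base64url without padding (JSON Web Key octet value)
#   "raw": an n-character random string whose bytes are used directly as the AES key
KEY_SPECS: Dict[str, Tuple[int, str]] = {
    "cas.webflow.crypto.signing.key": (64, "jwk"),
    "cas.webflow.crypto.encryption.key": (16, "raw"),
    "cas.tgc.crypto.signing.key": (64, "jwk"),
    "cas.tgc.crypto.encryption.key": (32, "jwk"),
}
# Pre-5.1 property names; 5.1.x documents the .crypto. names above.
LEGACY_NAMES = {
    "cas.webflow.signing.key": "cas.webflow.crypto.signing.key",
    "cas.webflow.encryption.key": "cas.webflow.crypto.encryption.key",
}


def encode_jwk(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_jwk(value: str) -> bytes:
    """Strict base64url decode; raises ValueError (binascii.Error) on junk."""
    std = value.replace("-", "+").replace("_", "/")
    return base64.b64decode(std + "=" * (-len(std) % 4), validate=True)


def generate_keys() -> Dict[str, str]:
    """Fresh random values for every property in KEY_SPECS."""
    keys = {}
    for name, (n, form) in KEY_SPECS.items():
        if form == "jwk":
            keys[name] = encode_jwk(secrets.token_bytes(n))
        else:
            keys[name] = "".join(secrets.choice(string.ascii_letters) for _ in range(n))
    return keys


def render_properties(keys: Dict[str, str]) -> str:
    """Property lines ready to paste into cas.properties."""
    return "".join(f"{k}={v}\n" for k, v in keys.items())


def parse_properties(text: str) -> Dict[str, str]:
    """key=value lines; '#' comment lines ignored."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def audit_keys(text: str) -> List[str]:
    """One finding per key CAS would auto-generate. An auto-generated key changes on
    every restart (existing webflow state and TGC cookies stop validating) and differs
    between nodes of a cluster, so these must be fixed before deployment."""
    props = parse_properties(text)
    findings = []
    for old, new in LEGACY_NAMES.items():
        if old in props and new not in props:
            findings.append(f"{old} is the pre-5.1 name; set {new} instead")
    for name, (n, form) in KEY_SPECS.items():
        value = props.get(name, "")
        if not value:
            findings.append(f"{name} is not set: CAS will auto-generate it at startup")
        elif form == "raw" and len(value) != n:
            findings.append(f"{name} is {len(value)} characters long, expected {n}")
        elif form == "jwk":
            try:
                size = len(decode_jwk(value))
            except ValueError:
                findings.append(f"{name} is not valid base64url")
                continue
            if size != n:
                findings.append(f"{name} decodes to {size} bytes, expected {n}")
    return findings


if __name__ == "__main__":
    print(render_properties(generate_keys()), end="")
```

The keys CAS generates itself are written to the log, as the warnings above show, and change on every restart, so fixed values belong in cas.properties (outside source control) rather than being copied from the log.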


[cas-user] Unknown encryption/secret key WARN message at startup

2017-12-04 Thread Adam Causey
I am receiving the WARN messages below during CAS 5.1 startup. I have set
the tgc and clearPass encryptionKeys and secretKeys. This message does not
specify a module for the encryption/secret key, so I'm not sure where to
put the generated values.


2017-12-04 08:34:52,049 [main] WARN  org.apereo.cas.util.cipher.BaseBinaryCipherExecutor - Secret key for signing is not defined. CAS will attempt to auto-generate the signing key

2017-12-04 08:34:52,054 [main] WARN  org.apereo.cas.util.cipher.BaseBinaryCipherExecutor - Generated signing key [ABC] of size [512]. The generated key MUST be added to CAS settings.

2017-12-04 08:34:52,054 [main] WARN  org.apereo.cas.util.cipher.BaseBinaryCipherExecutor - No encryption key is defined. CAS will attempt to auto-generate keys

2017-12-04 08:34:52,054 [main] WARN  org.apereo.cas.util.cipher.BaseBinaryCipherExecutor - Generated encryption key [123] of size [16]. The generated key MUST be added to CAS settings.


Thanks!

-Adam

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAN6MV5MBNTfts9Et9_osuxpEffe-R0XGdcF6LBNhrD3pPj8WbA%40mail.gmail.com.


[cas-user] Temporary MFA bypass in CAS 5.1

2017-12-04 Thread Adam Causey
Is there a way to programmatically temporarily disable MFA in CAS 5.1?

We need to write a custom module that decides if the user should see the
MFA prompt.  We have tried adding a Groovy script to set a user attribute
of 'bypass=true' and then filtering, however since the user attributes are
cached we are running into roadblocks.

Is there a way to clear the attributes cache and/or some other way to
temporarily bypass the MFA webflow?

Thanks,
Adam

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAN6MV5NOpYHx_00-K%2BQfPxsPTdQJ_SP_y622qxqgMMq8qEJodw%40mail.gmail.com.


Re: [cas-user] Custom License Validator Implementaion

2017-12-04 Thread David Curry
I'm not completely sure I understand what you want to do, but could you use
the Acceptable Use Policy piece of the workflow, and just replace the text
of the AUP (which you have to put into it anyway) with whatever license you
need?

https://apereo.github.io/cas/5.1.x/installation/Webflow-Customization-AUP.html

The 5.2.x support for it seems to be a little more robust than what was in
5.1.x. (I haven't tried it out yet, although it's on my to-do list.)

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Mon, Dec 4, 2017 at 6:05 AM, Soumya Tripathy wrote:

> We are using CAS 5.1.0 in our application. A new requirement of License
> Validation is required, which will prevent users from logging in to CAS if the
> server license has expired.
> I tried to hack into the CAS webflow but no luck till now. Any insights will
> be helpful.
>
> Thanks,
> Soumya
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAMKFbAiuv4%3DiOOpssg3dtAHHgSHMv99%2BL2CUABiwkVz8A%40mail.gmail.com.


Re: [cas-user] Re: Unsuccessful in configuring CAS 5.1.3 as a OAuth server ("/callbackAuthorize" redirects to "/" instead of client app)

2017-12-04 Thread Tommy
When I use HTTPS, the issue is gone. What's the trick here?

On Mon, Dec 4, 2017 at 7:27 PM, Sandor Juhasz  wrote:

> Happening to us with 5.1.6, using openid connect webflow. Same symptoms,
> only thing making it
> interesting is that it does not happen every time.
>
> See threads:
> https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/TDh7Zz7g5TY
>
>
> --
> *Sándor Juhász*
> System Administrator
> *ChemAxon* *Ltd*.
> Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
> Cell: +36704258964
>
> On Mon, Dec 4, 2017 at 11:45 AM, Fei Wang  wrote:
>
>> I met exactly the same problem. Have you resolved it?
>>
>>
>> On Wednesday, September 6, 2017 at 11:13:56 AM UTC+8, Zhang Yu wrote:
>>>
>>> env:
>>> Java 8, CAS 5.1.3, Tomcat 8.5 (standalone), IntelliJ, macOS Sierra.
>>>
>>> pom.xml:
>>>
>>> <properties>
>>>     <cas.version>5.1.3</cas.version>
>>> </properties>
>>>
>>> <dependencies>
>>>     <dependency>
>>>         <groupId>org.apereo.cas</groupId>
>>>         <artifactId>cas-server-webapp</artifactId>
>>>         <version>${cas.version}</version>
>>>         <type>war</type>
>>>         <scope>runtime</scope>
>>>     </dependency>
>>>     <dependency>
>>>         <groupId>org.apereo.cas</groupId>
>>>         <artifactId>cas-server-support-jdbc</artifactId>
>>>         <version>${cas.version}</version>
>>>     </dependency>
>>>     <dependency>
>>>         <groupId>org.apereo.cas</groupId>
>>>         <artifactId>cas-server-support-json-service-registry</artifactId>
>>>         <version>${cas.version}</version>
>>>     </dependency>
>>>     <dependency>
>>>         <groupId>org.apereo.cas</groupId>
>>>         <artifactId>cas-server-webapp-config-security</artifactId>
>>>         <version>${cas.version}</version>
>>>     </dependency>
>>>     <dependency>
>>>         <groupId>org.apereo.cas</groupId>
>>>         <artifactId>cas-server-support-oauth-webflow</artifactId>
>>>         <version>${cas.version}</version>
>>>     </dependency>
>>>
>>>     <dependency>
>>>         <groupId>com.oracle</groupId>
>>>         <artifactId>ojdbc8</artifactId>
>>>         <version>12.2.0.1</version>
>>>     </dependency>
>>> </dependencies>
>>>
>>>
>>> CAS runs fine at http://127.0.0.1:8080.
>>>
>>> Registered a JSON service with CAS to act as a demo OAuth client:
>>>
>>> {
>>>   "@class": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
>>>   "serviceId": "http://(127.0.0.1|localhost):8081/login/oauth2/cas",
>>>   "clientId": "clientid",
>>>   "clientSecret": "clientSecret",
>>>   "name": "OAuth20ClientDemo",
>>>   "id": 1002,
>>>   "description": "",
>>>   "evaluationOrder": 0,
>>>   "attributeReleasePolicy": {
>>> "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>>   }
>>> }
>>>
>>> When CAS starts, it automatically generates another JSON service (which
>>> seems a bit weird, however I cannot tell whether it is normal or not):
>>>
>>> {
>>>   @class: org.apereo.cas.services.RegexRegisteredService
>>>   serviceId: http://localhost:8080/oauth2.0/callbackAuthorize.*
>>>   name: RegexRegisteredService
>>>   id: 103356745490349536
>>>   description: OAuth Authentication Callback Request URL
>>>   proxyPolicy:
>>>   {
>>> @class: org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy
>>>   }
>>>   evaluationOrder: 0
>>>   usernameAttributeProvider:
>>>   {
>>> @class: org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider
>>> canonicalizationMode: NONE
>>> encryptUsername: false
>>>   }
>>>   attributeReleasePolicy:
>>>   {
>>> @class: org.apereo.cas.services.DenyAllAttributeReleasePolicy
>>> principalAttributesRepository:
>>> {
>>>   @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
>>>   expiration: 2
>>>   timeUnit: HOURS
>>> }
>>> authorizedToReleaseCredentialPassword: false
>>> authorizedToReleaseProxyGrantingTicket: false
>>> excludeDefaultAttributes: true
>>>   }
>>>   multifactorPolicy:
>>>   {
>>> @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
>>> failureMode: CLOSED
>>> bypassEnabled: false
>>>   }
>>>   accessStrategy:
>>>   {
>>> @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
>>> enabled: true
>>> ssoEnabled: true
>>> requireAllAttributes: true
>>> caseInsensitive: false
>>>   }
>>> }
>>>
>>> The demo client runs as another standalone Tomcat app at
>>> http://127.0.0.1:8081.
>>>
>>> Now comes the testing process.
>>>
>>> The first steps of the process look good:
>>>
>>> http://localhost:8081/login/oauth2/cas
>>> 302 ->
>>> http://127.0.0.1:8080/oauth2.0/authorize?client_id=clientid;
>>> redirect_uri=http://localhost:8081/login/oauth2/cas
>>> _type=code=2YqY0c
>>> 302 ->
>>> http://localhost:8080/login?service=http%3A%2F%2Flocalhost%3
>>> A8080%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAut
>>> hClient%26client_id%3Dclientid%26redirect_uri%3Dhttp%3A%2F%
>>> 2Flocalhost%3A8081%2Flogin%2Foauth2%2Fcas
>>>
>>> After inputting the correct username/password in the form and pressing LOGIN, a
>>> POST is submitted to:
>>> http://localhost:8080/login?service=http%3A%2F%2Flocalhost%3
>>> A8080%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAut
>>> hClient%26client_id%3Dclientid%26redirect_uri%3Dhttp%3A%2F%
>>> 2Flocalhost%3A8081%2Flogin%2Foauth2%2Fcas
>>>
>>> The response is a 302 to the following url:
>>>
>>> http://localhost:8080/oauth2.0/callbackAuthorize?client_name
>>> 

Re: [cas-user] Re: Unsuccessful in configuring CAS 5.1.3 as a OAuth server ("/callbackAuthorize" redirects to "/" instead of client app)

2017-12-04 Thread Sandor Juhasz
Happening to us with 5.1.6, using openid connect webflow. Same symptoms,
only thing making it
interesting is that it does not happen every time.

See threads:
https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/TDh7Zz7g5TY


--
*Sándor Juhász*
System Administrator
*ChemAxon* *Ltd*.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964

On Mon, Dec 4, 2017 at 11:45 AM, Fei Wang  wrote:

> I met exactly the same problem. Have you resolved it?
>
>
> On Wednesday, September 6, 2017 at 11:13:56 AM UTC+8, Zhang Yu wrote:
>>
>> env:
>> Java 8, CAS 5.1.3, Tomcat 8.5 (standalone), IntelliJ, macOS Sierra.
>>
>> pom.xml:
>>
>> <properties>
>>     <cas.version>5.1.3</cas.version>
>> </properties>
>>
>> <dependencies>
>>     <dependency>
>>         <groupId>org.apereo.cas</groupId>
>>         <artifactId>cas-server-webapp</artifactId>
>>         <version>${cas.version}</version>
>>         <type>war</type>
>>         <scope>runtime</scope>
>>     </dependency>
>>     <dependency>
>>         <groupId>org.apereo.cas</groupId>
>>         <artifactId>cas-server-support-jdbc</artifactId>
>>         <version>${cas.version}</version>
>>     </dependency>
>>     <dependency>
>>         <groupId>org.apereo.cas</groupId>
>>         <artifactId>cas-server-support-json-service-registry</artifactId>
>>         <version>${cas.version}</version>
>>     </dependency>
>>     <dependency>
>>         <groupId>org.apereo.cas</groupId>
>>         <artifactId>cas-server-webapp-config-security</artifactId>
>>         <version>${cas.version}</version>
>>     </dependency>
>>     <dependency>
>>         <groupId>org.apereo.cas</groupId>
>>         <artifactId>cas-server-support-oauth-webflow</artifactId>
>>         <version>${cas.version}</version>
>>     </dependency>
>>
>>     <dependency>
>>         <groupId>com.oracle</groupId>
>>         <artifactId>ojdbc8</artifactId>
>>         <version>12.2.0.1</version>
>>     </dependency>
>> </dependencies>
>>
>>
>> CAS runs fine at http://127.0.0.1:8080.
>>
>> Registered a JSON service with CAS to act as a demo OAuth client:
>>
>> {
>>   "@class": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
>>   "serviceId": "http://(127.0.0.1|localhost):8081/login/oauth2/cas",
>>   "clientId": "clientid",
>>   "clientSecret": "clientSecret",
>>   "name": "OAuth20ClientDemo",
>>   "id": 1002,
>>   "description": "",
>>   "evaluationOrder": 0,
>>   "attributeReleasePolicy": {
>> "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>   }
>> }
>>
>> When CAS starts, it automatically generates another JSON service (which
>> seems a bit weird, however I cannot tell whether it is normal or not):
>>
>> {
>>   @class: org.apereo.cas.services.RegexRegisteredService
>>   serviceId: http://localhost:8080/oauth2.0/callbackAuthorize.*
>>   name: RegexRegisteredService
>>   id: 103356745490349536
>>   description: OAuth Authentication Callback Request URL
>>   proxyPolicy:
>>   {
>> @class: org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy
>>   }
>>   evaluationOrder: 0
>>   usernameAttributeProvider:
>>   {
>> @class: org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider
>> canonicalizationMode: NONE
>> encryptUsername: false
>>   }
>>   attributeReleasePolicy:
>>   {
>> @class: org.apereo.cas.services.DenyAllAttributeReleasePolicy
>> principalAttributesRepository:
>> {
>>   @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
>>   expiration: 2
>>   timeUnit: HOURS
>> }
>> authorizedToReleaseCredentialPassword: false
>> authorizedToReleaseProxyGrantingTicket: false
>> excludeDefaultAttributes: true
>>   }
>>   multifactorPolicy:
>>   {
>> @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
>> failureMode: CLOSED
>> bypassEnabled: false
>>   }
>>   accessStrategy:
>>   {
>> @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
>> enabled: true
>> ssoEnabled: true
>> requireAllAttributes: true
>> caseInsensitive: false
>>   }
>> }
>>
>> The demo client runs as another standalone Tomcat app at
>> http://127.0.0.1:8081.
>>
>> Now comes the testing process.
>>
>> The first steps of the process look good:
>>
>> http://localhost:8081/login/oauth2/cas
>> 302 ->
>> http://127.0.0.1:8080/oauth2.0/authorize?client_id=clientid&redirect_uri=http://localhost:8081/login/oauth2/cas&response_type=code&state=2YqY0c
>> 302 ->
>> http://localhost:8080/login?service=http%3A%2F%2Flocalhost%3A8080%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3Dclientid%26redirect_uri%3Dhttp%3A%2F%2Flocalhost%3A8081%2Flogin%2Foauth2%2Fcas
>>
>> After entering the correct username/password in the form and pressing LOGIN, a
>> POST is submitted to:
>> http://localhost:8080/login?service=http%3A%2F%2Flocalhost%3A8080%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3Dclientid%26redirect_uri%3Dhttp%3A%2F%2Flocalhost%3A8081%2Flogin%2Foauth2%2Fcas
>>
>> The response is a 302 to the following URL:
>>
>> http://localhost:8080/oauth2.0/callbackAuthorize?client_name=CasOAuthClient&client_id=clientid&redirect_uri=http://localhost:8081/login/oauth2/cas&ticket=ST-6-T71F2TDPjCsPF9d3Shby-localhost
>>
>> *Here comes the problem: The response of the above url
>> (/callbackAuthorize) is a 302 redirection to '/' (root path of CAS), which
>> then redirects to the login page (/login). *
>>
>> I think the expected behavior of /callbackAuthorize should be 

[cas-user] Custom License Validator Implementaion

2017-12-04 Thread Soumya Tripathy
We are using CAS 5.1.0 in our application. A new requirement for license
validation has come up, which should prevent users from logging in to CAS if the
server license has expired.
I tried to hack into the CAS webflow, but no luck till now. Any insights will
be helpful.

Thanks,
Soumya

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2dc82d15-904c-4fe5-98c6-50dc3d0183de%40apereo.org.


[cas-user] Re: Unsuccessful in configuring CAS 5.1.3 as a OAuth server ("/callbackAuthorize" redirects to "/" instead of client app)

2017-12-04 Thread Fei Wang
I met exactly the same problem. Have you resolved it?

On Wednesday, September 6, 2017 at 11:13:56 AM UTC+8, Zhang Yu wrote:
>
> env:
> Java 8, CAS 5.1.3, Tomcat 8.5 (standalone), IntelliJ, macOS Sierra.
>
> pom.xml:
>
> <properties>
>     <cas.version>5.1.3</cas.version>
> </properties>
>
> <dependencies>
>     <dependency>
>         <groupId>org.apereo.cas</groupId>
>         <artifactId>cas-server-webapp</artifactId>
>         <version>${cas.version}</version>
>         <type>war</type>
>         <scope>runtime</scope>
>     </dependency>
>     <dependency>
>         <groupId>org.apereo.cas</groupId>
>         <artifactId>cas-server-support-jdbc</artifactId>
>         <version>${cas.version}</version>
>     </dependency>
>     <dependency>
>         <groupId>org.apereo.cas</groupId>
>         <artifactId>cas-server-support-json-service-registry</artifactId>
>         <version>${cas.version}</version>
>     </dependency>
>     <dependency>
>         <groupId>org.apereo.cas</groupId>
>         <artifactId>cas-server-webapp-config-security</artifactId>
>         <version>${cas.version}</version>
>     </dependency>
>     <dependency>
>         <groupId>org.apereo.cas</groupId>
>         <artifactId>cas-server-support-oauth-webflow</artifactId>
>         <version>${cas.version}</version>
>     </dependency>
>
>     <dependency>
>         <groupId>com.oracle</groupId>
>         <artifactId>ojdbc8</artifactId>
>         <version>12.2.0.1</version>
>     </dependency>
> </dependencies>
>
>
> CAS runs fine at http://127.0.0.1:8080.
>
> Registered a JSON service with CAS to act as a demo OAuth client:
>
> {
>   "@class": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
>   "serviceId": "http://(127.0.0.1|localhost):8081/login/oauth2/cas",
>   "clientId": "clientid",
>   "clientSecret": "clientSecret",
>   "name": "OAuth20ClientDemo",
>   "id": 1002,
>   "description": "",
>   "evaluationOrder": 0,
>   "attributeReleasePolicy": {
> "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   }
> }
>
> When CAS starts, it automatically generates another JSON service (which 
> seems a bit weird, however I cannot tell whether it is normal or not):
>
> {
>   @class: org.apereo.cas.services.RegexRegisteredService
>   serviceId: http://localhost:8080/oauth2.0/callbackAuthorize.*
>   name: RegexRegisteredService
>   id: 103356745490349536
>   description: OAuth Authentication Callback Request URL
>   proxyPolicy:
>   {
> @class: org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy
>   }
>   evaluationOrder: 0
>   usernameAttributeProvider:
>   {
> @class: org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider
> canonicalizationMode: NONE
> encryptUsername: false
>   }
>   attributeReleasePolicy:
>   {
> @class: org.apereo.cas.services.DenyAllAttributeReleasePolicy
> principalAttributesRepository:
> {
>   @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
>   expiration: 2
>   timeUnit: HOURS
> }
> authorizedToReleaseCredentialPassword: false
> authorizedToReleaseProxyGrantingTicket: false
> excludeDefaultAttributes: true
>   }
>   multifactorPolicy:
>   {
> @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
> failureMode: CLOSED
> bypassEnabled: false
>   }
>   accessStrategy:
>   {
> @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
> enabled: true
> ssoEnabled: true
> requireAllAttributes: true
> caseInsensitive: false
>   }
> }
>
> The demo client runs as another standalone Tomcat app at 
> http://127.0.0.1:8081.
>
> Now comes the testing process.
>
> The first steps of the process look good:
>
> http://localhost:8081/login/oauth2/cas
> 302 ->
>
> http://127.0.0.1:8080/oauth2.0/authorize?client_id=clientid&redirect_uri=http://localhost:8081/login/oauth2/cas&response_type=code&state=2YqY0c
> 302 ->
>
> http://localhost:8080/login?service=http%3A%2F%2Flocalhost%3A8080%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3Dclientid%26redirect_uri%3Dhttp%3A%2F%2Flocalhost%3A8081%2Flogin%2Foauth2%2Fcas
>
> After entering the correct username/password in the form and pressing LOGIN, a 
> POST is submitted to:
>
> http://localhost:8080/login?service=http%3A%2F%2Flocalhost%3A8080%2Foauth2.0%2FcallbackAuthorize%3Fclient_name%3DCasOAuthClient%26client_id%3Dclientid%26redirect_uri%3Dhttp%3A%2F%2Flocalhost%3A8081%2Flogin%2Foauth2%2Fcas
>
> The response is a 302 to the following URL:
>
> http://localhost:8080/oauth2.0/callbackAuthorize?client_name=CasOAuthClient&client_id=clientid&redirect_uri=http://localhost:8081/login/oauth2/cas&ticket=ST-6-T71F2TDPjCsPF9d3Shby-localhost
>
> *Here comes the problem: The response of the above url 
> (/callbackAuthorize) is a 302 redirection to '/' (root path of CAS), which 
> then redirects to the login page (/login). *
>
> I think the expected behavior of /callbackAuthorize should be a 
> redirection back to the client app at 
> http://localhost:8081/login/oauth2/cas with the OAuth token issued.
>
> Did I get anything wrong or miss any configurations?
>
> Thanks.
>
>
>


[cas-user] Single Logout & OAuth

2017-12-04 Thread Tom Andersson
Hello all,

We are struggling with some logout / session management related issues with our CAS OAuth clients. We are using CAS 5.0 and have use cases where, on CAS logout, the OAuth access tokens of a user would need to be removed, but only the tokens granted for that specific SSO session. The current use case is related to a service which uses the implicit grant flow to authenticate users.
Technically, as far as I understand, we would need to link access tokens to SSO sessions (CAS doesn't seem to link the tokens in such a way), so that on SLO the access tokens granted for the SSO session could be revoked.

I understood that the SLO functionality is really not supported for the OAuth protocol, and I haven't found a way to handle this in CAS. Thus, we are thinking about creating some external service which could keep track of SSO sessions and related access tokens, and then revoke the access tokens when receiving the SLO notification from CAS. So I looked into the SLO notification functionality (back-channel), and it seems that, at least in the implicit grant case, the notification contains the Service Ticket ID that was granted as part of the authentication flow. The next problem is that, of course, our external service has not received such an identifier in the login process, and possibly the flow would need to be changed to transmit this ID to the client (possibly in the same redirect request as the access token?).

Hopefully you get the picture of what we're attempting. The goal would be 
to invalidate access tokens for a specific SSO session, but still keep 
access tokens for possible other sessions of the same user (otherwise we 
could just remove all tokens).

A few questions:
* Are we doing something completely wrong here? Maybe this is not the way 
to handle SSO sessions and OAuth access at all? Could there be some other 
ways of looking at the problem at hand?
* Is the approach of modifying the authentication flows (authorization code 
grant or implicit grant) in such a way that our external service would have 
some handle to the SSO session, meaningful at all? The service would then 
hold a list: "ST-123": ["AT-1", "AT-2", "AT-3"...]. Or is it actually the 
TGT that we should be able to transfer to the service on login, and also 
deliver the same TGT on SLO notification? Somehow this feels wrong.

There are also a few issues, which may be bugs, related to this:
* The logoutUrl setting of a service configuration doesn't seem to propagate; we always have logoutUrl pointing to the service URL of the callbackAuthorize service.
* All access tokens seem to have a service mapping to the callbackAuthorize service. Is this by design? So we cannot know which service an access token has actually been granted for (unless searching for it based on the client ID in the callbackAuthorize service URL).


Thanks for any ideas!
Tom

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ca8c5c5f-dfff-4f16-8086-e1f10c2d3f0e%40apereo.org.
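The per-session revocation Tom describes, as an added example that is not part of the original thread or of CAS itself: a small external registry in Python that records which access tokens were issued under which service ticket and, when a CAS back-channel SLO notification arrives, revokes only those, leaving the same user's other sessions untouched. The registry class, the `demo` function, the sample LogoutRequest and the `ST-`/`AT-` identifiers are constructed for illustration; the notification is assumed to arrive the way CAS posts it, as a SAML LogoutRequest in the `logoutRequest` form parameter with the service ticket in SessionIndex.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import parse_qs, quote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample of a CAS back-channel SLO notification; assumed to follow the
# SAML LogoutRequest shape CAS POSTs in the "logoutRequest" form parameter.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-example-1" Version="2.0" IssueInstant="2017-12-04T10:00:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-123</samlp:SessionIndex></samlp:LogoutRequest>'
)

class SessionTokenRegistry:
    """Maps each SSO session (keyed by the service ticket that the SLO notification
    later carries in SessionIndex) to the access tokens granted under it."""

    def __init__(self):
        self._tokens_by_st = defaultdict(set)
        self._revoked = set()

    def record(self, service_ticket, access_token):
        # Called at login time; presumes the client was handed the ST during the flow.
        self._tokens_by_st[service_ticket].add(access_token)

    def is_active(self, access_token):
        return access_token not in self._revoked

    def handle_slo_notification(self, post_body):
        # Revoke only the tokens of the session named in SessionIndex; return them.
        xml = parse_qs(post_body).get("logoutRequest", [""])[0]
        if not xml:
            return set()
        root = ET.fromstring(xml)  # untrusted network input: prefer defusedxml in production
        if root.tag != f"{{{SAMLP}}}LogoutRequest":
            return set()
        index = root.find(f"{{{SAMLP}}}SessionIndex")
        if index is None or not (index.text or "").strip():
            return set()
        revoked = self._tokens_by_st.pop(index.text.strip(), set())
        self._revoked |= revoked
        return revoked

def demo():
    reg = SessionTokenRegistry()
    for token in ("AT-1", "AT-2"):
        reg.record("ST-123", token)
    reg.record("ST-456", "AT-3")  # same user, another SSO session: must survive SLO
    revoked = reg.handle_slo_notification("logoutRequest=" + quote(SAMPLE_LOGOUT_REQUEST))
    return revoked, reg
```

Delivering the ST to the client at login remains the open question from the thread; without it `record` has nothing to key on.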