Re: [cas-user] Attribute not received consistently on serviceValidate request

2018-02-28 Thread Man H
Don't do redirect, only gather your attributes.

On Tuesday, 27 February 2018, Sreekanth Mohan wrote:

> I have successfully integrated CAS for our different clients. But this
> time 'samlValidate' response is not consistently supplying the required
> attribute. Login is failing randomly because of the missing attribute in
> the ticket validation response. Sometimes when I clear browser history,
> it's receiving the attribute in the response.
>
>
> Expected response:
>
>
> 
>
> 
>
> x
>
> 
>
>   1234567
>
> 
>
> 
>
> 
>
>
> Response receiving randomly:
>
>
> 
>
> 
>
> xx
>
>
>
>
>
> 
>
> 
>
>
> Please note: We have created a custom code to integrate CAS with our
> Asp.Net webforms application.
>
>
> // Requires: using System.IO; using System.Net; using System.Web; using System.Xml;
> // isDebuggingMode and sbDebugString are fields of the surrounding page class.
>
> string userId = string.Empty;
>
> // Look for the "ticket=" after the "?" in the URL
> string tkt = HttpContext.Current.Request.QueryString["ticket"];
>
> // Service url is the url of the Researcher Portal
> string service = "www.xyz.com";
>
> // CAS base URL; the posted line was missing its closing quote and trailing slash
> string CASHOST = "https://cas.xyz.ca:8443/cas/";
>
> // First time through there is no ticket=, so redirect to CAS login.
> // Response.Redirect ends the response, so nothing below runs on this request.
> if (string.IsNullOrEmpty(tkt))
> {
>     string redir = CASHOST + "login?" +
>         "service=" + HttpUtility.UrlEncode(service);
>     HttpContext.Current.Response.Redirect(redir);
> }
>
> // Second time (back from CAS) there is a ticket= to validate.
> // The service parameter must be named ("&service=") and must match the one sent to login.
> string validateurl = CASHOST + "serviceValidate?" +
>     "ticket=" + HttpUtility.UrlEncode(tkt) +
>     "&service=" + HttpUtility.UrlEncode(service);
>
> string resp;
> using (StreamReader Reader = new StreamReader(new WebClient().OpenRead(validateurl)))
> {
>     resp = Reader.ReadToEnd();
> }
>
> if (isDebuggingMode)
>     sbDebugString.Append("Response  \n  " + resp);
>
> // Some boilerplate to set up the parse.
> NameTable nt = new NameTable();
> XmlNamespaceManager nsmgr = new XmlNamespaceManager(nt);
> XmlParserContext context = new XmlParserContext(null, nsmgr, null, XmlSpace.None);
> XmlTextReader reader = new XmlTextReader(resp, XmlNodeType.Element, context);
>
> string userNumber = null;
>
> // A very dumb use of XML. Just scan for the "userNumber" element.
> // If it isn't there, userNumber stays null and the caller must treat login as failed.
> while (reader.Read())
> {
>     if (reader.IsStartElement())
>     {
>         string tag = reader.LocalName;
>         if (isDebuggingMode)
>             sbDebugString.Append("tag : " + tag + "\n");
>         if (tag == "userNumber")
>         {
>             userNumber = reader.ReadString();
>             if (isDebuggingMode)
>                 sbDebugString.Append("userNumber : " + userNumber + "\n");
>         }
>     }
> }
>
>
> The "userNumber" attribute is not always received, so login fails
> randomly.
>
> Please share your thoughts to resolve this issue.
>
> Thank you in advance.
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/
> apereo.org/d/msgid/cas-user/e2605d0d-4f6e-4949-8df4-
> 54e24883e158%40apereo.org
> 
> .
>



Re: [cas-user] Re: CAS 5.1.x and 5.2.x failing when authenticating against MySQL DB

2018-02-28 Thread Man H
Use support-jdbc instead of jdbc-driver.

On Thursday, 1 March 2018, S wrote:

> Hi
>
> I am also getting the same error. Any solutions?
>
> Thanks
>
> On Saturday, September 16, 2017 at 1:55:45 AM UTC+5:30, Nona M wrote:
>>
>> Hi,
>>
>> Were you able to solve this? I am getting the same error.
>>
>> Thx
>>
>>
>> On Thursday, August 17, 2017 at 9:31:04 AM UTC-4, Szymon Stuglik wrote:
>>>
>>> Hello everybody,
>>>
>>> For 4 days I've been trying to configure CAS to work with a MySQL DB for
>>> authentication.
>>> I've added required dependencies (jdbc driver support) to the POM, but
>>> I'm getting errors below (version 5.0.7 works btw):
>>> Any hints?
>>>
>>> 2017-08-17 13:28:16,335 ERROR [org.springframework.boot.SpringApplication]
>>> - 
>>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
>>> creating bean with name 'authenticationTransactionManager' defined in
>>> class path resource [org/apereo/cas/config/CasCore
>>> AuthenticationConfiguration.class]: Unsatisfied dependency expressed
>>> through method 'authenticationTransactionManager' parameter 0; nested
>>> exception is org.springframework.beans.fact
>>> ory.UnsatisfiedDependencyException: Error creating bean with name
>>> 'casAuthenticationManager' defined in class path resource
>>> [org/apereo/cas/config/CasCoreAuthenticationConfiguration.class]:
>>> Unsatisfied dependency expressed through method 'casAuthenticationManager'
>>> parameter 2; nested exception is 
>>> org.springframework.beans.factory.BeanCreationException:
>>> Error creating bean with name 'authenticationEventExecutionPlan'
>>> defined in class path resource [org/apereo/cas/config/CasCore
>>> AuthenticationConfiguration.class]: Bean instantiation via factory
>>> method failed; nested exception is 
>>> org.springframework.beans.BeanInstantiationException:
>>> Failed to instantiate [org.apereo.cas.authentication
>>> .AuthenticationEventExecutionPlan]: Factory method
>>> 'authenticationEventExecutionPlan' threw exception; nested exception is
>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>> bean with name 'scopedTarget.jdbcAuthenticationHandlers' defined in
>>> class path resource [org/apereo/cas/adaptors/jdbc/
>>> config/CasJdbcAuthenticationConfiguration.class]: Bean instantiation
>>> via factory method failed; nested exception is
>>> org.springframework.beans.BeanInstantiationException: Failed to
>>> instantiate [java.util.Collection]: Factory method
>>> 'jdbcAuthenticationHandlers' threw exception; nested exception is
>>> java.lang.IllegalArgumentException: java.lang.RuntimeException: Failed
>>> to load class of driverClassName [com.mysql.jdbc.Driver] in either of
>>> HikariConfig class loader or Thread context classloader

[cas-user] CAS SSO for Asp.Net website, attributes not received on serviceValidate request

2018-02-28 Thread Sreekanth Mohan


I have successfully integrated CAS for our different clients. But this time 
'samlValidate' response is not consistently supplying the required 
attribute. Login is failing randomly because of the missing attribute in 
the ticket validation response. Sometimes when I clear browser history, 
it's receiving the attribute in the response.

Expected response:



x

  1234567 



Response receiving randomly:



xx




I have posted the same question on Stack Overflow
(https://stackoverflow.com/questions/48994848/cas-sso-for-asp-net-website-attributes-not-receiving-on-servicevalidate-request)
as well, but got no response. Please help.



[cas-user] Attribute not received consistently on serviceValidate request

2018-02-28 Thread Sreekanth Mohan


I have successfully integrated CAS for our different clients. But this time 
'samlValidate' response is not consistently supplying the required 
attribute. Login is failing randomly because of the missing attribute in 
the ticket validation response. Sometimes when I clear browser history, 
it's receiving the attribute in the response.


Expected response:






x



  1234567 








Response receiving randomly:






xx










Please note: We have created a custom code to integrate CAS with our 
Asp.Net webforms application.


// Requires: using System.IO; using System.Net; using System.Web; using System.Xml;
// isDebuggingMode and sbDebugString are fields of the surrounding page class.

string userId = string.Empty;

// Look for the "ticket=" after the "?" in the URL
string tkt = HttpContext.Current.Request.QueryString["ticket"];

// Service url is the url of the Researcher Portal
string service = "www.xyz.com";

// CAS base URL; the posted line was missing its closing quote and trailing slash
string CASHOST = "https://cas.xyz.ca:8443/cas/";

// First time through there is no ticket=, so redirect to CAS login.
// Response.Redirect ends the response, so nothing below runs on this request.
if (string.IsNullOrEmpty(tkt))
{
    string redir = CASHOST + "login?" +
        "service=" + HttpUtility.UrlEncode(service);
    HttpContext.Current.Response.Redirect(redir);
}

// Second time (back from CAS) there is a ticket= to validate.
// The service parameter must be named ("&service=") and must match the one sent to login.
string validateurl = CASHOST + "serviceValidate?" +
    "ticket=" + HttpUtility.UrlEncode(tkt) +
    "&service=" + HttpUtility.UrlEncode(service);

string resp;
using (StreamReader Reader = new StreamReader(new WebClient().OpenRead(validateurl)))
{
    resp = Reader.ReadToEnd();
}

if (isDebuggingMode)
    sbDebugString.Append("Response  \n  " + resp);

// Some boilerplate to set up the parse.
NameTable nt = new NameTable();
XmlNamespaceManager nsmgr = new XmlNamespaceManager(nt);
XmlParserContext context = new XmlParserContext(null, nsmgr, null, XmlSpace.None);
XmlTextReader reader = new XmlTextReader(resp, XmlNodeType.Element, context);

string userNumber = null;

// A very dumb use of XML. Just scan for the "userNumber" element.
// If it isn't there, userNumber stays null and the caller must treat login as failed.
while (reader.Read())
{
    if (reader.IsStartElement())
    {
        string tag = reader.LocalName;
        if (isDebuggingMode)
            sbDebugString.Append("tag : " + tag + "\n");
        if (tag == "userNumber")
        {
            userNumber = reader.ReadString();
            if (isDebuggingMode)
                sbDebugString.Append("userNumber : " + userNumber + "\n");
        }
    }
}


The "userNumber" attribute is not always received, so login fails
randomly.

Please share your thoughts to resolve this issue.

Thank you in advance.

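A stricter way for the ASP.NET side to consume the serviceValidate response than scanning for a tag name. This is an added example, not code from the post or from CAS; the class and method names (CasValidation, Parse, RequireAttribute) are mine, and the three response bodies are constructed to match the shapes quoted above (user x with userNumber 1234567, user xx without it) plus a rejected ticket. It parses with the CAS namespace, separates a rejected ticket from a success that simply lacks the attribute, and refuses the login in both cases with a message that says which happened:

```csharp
using System;
using System.Collections.Generic;
using System.Xml.Linq;

// Added example, not the original post's code: strict, namespace-aware handling
// of a CAS serviceValidate response. Class and method names are assumptions.
public static class CasValidation
{
    // Namespace the CAS protocol uses for serviceValidate responses.
    static readonly XNamespace Cas = "http://www.yale.edu/tp/cas";

    public sealed class Result
    {
        public bool Success;
        public string User;
        public string FailureCode;
        public Dictionary<string, string> Attributes = new Dictionary<string, string>();
    }

    // Parse the body using the declared namespace instead of matching a bare local name.
    public static Result Parse(string xml)
    {
        XElement root = XDocument.Parse(xml).Root;
        if (root == null || root.Name != Cas + "serviceResponse")
            throw new FormatException("body is not a cas:serviceResponse");

        var r = new Result();
        XElement failure = root.Element(Cas + "authenticationFailure");
        if (failure != null)
        {
            // e.g. INVALID_TICKET or INVALID_SERVICE: the ticket was rejected, there is no user.
            r.Success = false;
            r.FailureCode = (string)failure.Attribute("code") ?? "UNKNOWN";
            return r;
        }

        XElement success = root.Element(Cas + "authenticationSuccess");
        if (success == null)
            throw new FormatException("neither authenticationSuccess nor authenticationFailure present");

        r.Success = true;
        r.User = (string)success.Element(Cas + "user");
        XElement attrs = success.Element(Cas + "attributes");
        if (attrs != null)
        {
            // Released attributes are child elements of cas:attributes; a repeated
            // element is a multi-valued attribute, and here the last value wins.
            foreach (XElement a in attrs.Elements())
                r.Attributes[a.Name.LocalName] = a.Value;
        }
        return r;
    }

    // A success response without the required attribute is a failed login, reported
    // distinctly from a rejected ticket so the two causes are not confused in the logs.
    public static string RequireAttribute(Result r, string name)
    {
        if (!r.Success)
            throw new InvalidOperationException("CAS rejected the ticket: " + r.FailureCode);
        string value;
        if (!r.Attributes.TryGetValue(name, out value) || string.IsNullOrEmpty(value))
            throw new InvalidOperationException(
                "CAS authenticated '" + r.User + "' but released no '" + name +
                "' attribute; check the service's attribute release policy before trusting this session");
        return value;
    }

    public static void Main()
    {
        // Constructed sample bodies shaped like the two responses quoted in the post.
        const string withAttribute =
            @"<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
                <cas:authenticationSuccess>
                  <cas:user>x</cas:user>
                  <cas:attributes><cas:userNumber>1234567</cas:userNumber></cas:attributes>
                </cas:authenticationSuccess>
              </cas:serviceResponse>";
        const string withoutAttribute =
            @"<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
                <cas:authenticationSuccess><cas:user>xx</cas:user></cas:authenticationSuccess>
              </cas:serviceResponse>";
        // Constructed failure body; ST-placeholder is not a real ticket id.
        const string rejected =
            @"<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
                <cas:authenticationFailure code='INVALID_TICKET'>ST-placeholder not recognized</cas:authenticationFailure>
              </cas:serviceResponse>";

        Console.WriteLine("userNumber = " + RequireAttribute(Parse(withAttribute), "userNumber"));
        foreach (string body in new[] { withoutAttribute, rejected })
        {
            try { RequireAttribute(Parse(body), "userNumber"); }
            catch (InvalidOperationException e) { Console.WriteLine("login refused: " + e.Message); }
        }
    }
}
```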


[cas-user] Re: CAS 5.1.x and 5.2.x failing when authenticating against MySQL DB

2018-02-28 Thread S
Hi

I am also getting the same error. Any solutions?

Thanks

On Saturday, September 16, 2017 at 1:55:45 AM UTC+5:30, Nona M wrote:
>
> Hi,
>
> Were you able to solve this? I am getting the same error.
>
> Thx
>
>
> On Thursday, August 17, 2017 at 9:31:04 AM UTC-4, Szymon Stuglik wrote:
>>
>> Hello everybody,
>>
>> For 4 days I've been trying to configure CAS to work with a MySQL DB for
>> authentication.
>> I've added required dependencies (jdbc driver support) to the POM, but 
>> I'm getting errors below (version 5.0.7 works btw):
>> Any hints?
>>
>> 2017-08-17 13:28:16,335 ERROR 
>> [org.springframework.boot.SpringApplication] - 
>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
>> creating bean with name 'authenticationTransactionManager' defined in class 
>> path resource 
>> [org/apereo/cas/config/CasCoreAuthenticationConfiguration.class]: 
>> Unsatisfied dependency expressed through method 
>> 'authenticationTransactionManager' parameter 0; nested exception is 
>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
>> creating bean with name 'casAuthenticationManager' defined in class path 
>> resource [org/apereo/cas/config/CasCoreAuthenticationConfiguration.class]: 
>> Unsatisfied dependency expressed through method 'casAuthenticationManager' 
>> parameter 2; nested exception is 
>> org.springframework.beans.factory.BeanCreationException: Error creating 
>> bean with name 'authenticationEventExecutionPlan' defined in class path 
>> resource [org/apereo/cas/config/CasCoreAuthenticationConfiguration.class]: 
>> Bean instantiation via factory method failed; nested exception is 
>> org.springframework.beans.BeanInstantiationException: Failed to instantiate 
>> [org.apereo.cas.authentication.AuthenticationEventExecutionPlan]: Factory 
>> method 'authenticationEventExecutionPlan' threw exception; nested exception 
>> is org.springframework.beans.factory.BeanCreationException: Error creating 
>> bean with name 'scopedTarget.jdbcAuthenticationHandlers' defined in class 
>> path resource 
>> [org/apereo/cas/adaptors/jdbc/config/CasJdbcAuthenticationConfiguration.class]:
>>  
>> Bean instantiation via factory method failed; nested exception is 
>> org.springframework.beans.BeanInstantiationException: Failed to instantiate 
>> [java.util.Collection]: Factory method 'jdbcAuthenticationHandlers' threw 
>> exception; nested exception is java.lang.IllegalArgumentException: 
>> java.lang.RuntimeException: Failed to load class of driverClassName 
>> [com.mysql.jdbc.Driver] in either of HikariConfig class loader or Thread 
>> context classloader

Re: [cas-user] Re: CAS 5.2 Password Variable

2018-02-28 Thread Man H
Let's see what the security people say!

2018-02-28 19:06 GMT-03:00 Ray Bon :

> There is https://github.com/apereo/cas-configserver-overlay which we have
> deployed. It reads our config from a local git repo. In the repo the
> credentials are encrypted. The config server decrypts them before sending
> to CAS.
> But there is still a password for access to the config server.
>
> Ray
>
> On Wed, 2018-02-28 at 16:46 -0500, David Curry wrote:
>
> Note that Jasypt is just a wrapper around Java's symmetric encryption
> algorithms.
>
> Yeah, you've encrypted the passwords in the cas.properties file, but the
> Jasypt key to decrypt them has to exist in plaintext in the startup script
> (systemd service file, /etc/init.d script, etc.) for the server (unless you
> want to enter it by hand whenever the system reboots)... so all you've
> really accomplished is moving the plaintext from one file to another.
>
> Plus Jasypt seems to be kind of dead (it hasn't been updated since 2014
> and doesn't work with some of Java's newer crypto algorithms).
>
> If you're really concerned about it, you probably want to look at storing
> your configuration info in a heavily-fortified Spring Cloud Configuration
> server somewhere. But unless you're already drinking the Spring Cloud
> Kool-Aid in your organization and have such a framework rolled out, that's
> a WHOLE LOT of work for very little gain.
>
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> 
> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>
>
> On Wed, Feb 28, 2018 at 4:35 PM, Man H  wrote:
>
> How do you get to the password?
>
> 2018-02-28 18:34 GMT-03:00 Kevin Liu :
>
> I guess the easiest would be physical access. There are other various
> intrusion methods too.
>
> On Wednesday, February 28, 2018 at 3:29:40 PM UTC-6, Manfredo Hopp wrote:
>
> How should the server be compromised?
>
> 2018-02-28 18:12 GMT-03:00 Kevin Liu :
>
> Should the server be compromised, attackers can grab AD credentials and
> then verify all accounts with compromised credentials.
>
> My solution to this is to not have clear text (seems genius right? ;) ).
> According to one of CAS's blogs, https://apereo.github.i
> o/2017/03/24/cas51-ldapauthnjasypt-tutorial/, jasypt is the method to use.
>
> On Wednesday, February 28, 2018 at 3:02:15 PM UTC-6, Manfredo Hopp wrote:
>
> What would be the problem with having it in cleartext on the server?
>
> 2018-02-28 17:02 GMT-03:00 Kevin Liu :
>
> I'd like to do this because this way, I won't have bindCredentials in
> cleartext.
>
> On Tuesday, February 27, 2018 at 11:29:22 AM UTC-6, Kevin Liu wrote:
>
> Does anyone know how to reference the login page password in
> cas.properties? I know for username, you use %s but what about the password?
>
>
>
>
>
>
>

Re: [cas-user] Re: CAS 5.2 Password Variable

2018-02-28 Thread Ray Bon
There is https://github.com/apereo/cas-configserver-overlay which we have 
deployed. It reads our config from a local git repo. In the repo the 
credentials are encrypted. The config server decrypts them before sending to 
CAS.
But there is still a password for access to the config server.

Ray

On Wed, 2018-02-28 at 16:46 -0500, David Curry wrote:
Note that Jasypt is just a wrapper around Java's symmetric encryption 
algorithms.

Yeah, you've encrypted the passwords in the cas.properties file, but the Jasypt 
key to decrypt them has to exist in plaintext in the startup script (systemd 
service file, /etc/init.d script, etc.) for the server (unless you want to 
enter it by hand whenever the system reboots)... so all you've really 
accomplished is moving the plaintext from one file to another.

Plus Jasypt seems to be kind of dead (it hasn't been updated since 2014 and 
doesn't work with some of Java's newer crypto algorithms).

If you're really concerned about it, you probably want to look at storing your 
configuration info in a heavily-fortified Spring Cloud Configuration server 
somewhere. But unless you're already drinking the Spring Cloud Kool-Aid in your 
organization and have such a framework rolled out, that's a WHOLE LOT of work 
for very little gain.




--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • 
david.cu...@newschool.edu


On Wed, Feb 28, 2018 at 4:35 PM, Man H 
> wrote:
How do you get to the password?

2018-02-28 18:34 GMT-03:00 Kevin Liu 
>:
I guess the easiest would be physical access. There are other various intrusion 
methods too.

On Wednesday, February 28, 2018 at 3:29:40 PM UTC-6, Manfredo Hopp wrote:
How should the server be compromised?

2018-02-28 18:12 GMT-03:00 Kevin Liu :
Should the server be compromised, attackers can grab AD credentials and then 
verify all accounts with compromised credentials.

My solution to this is to not have clear text (seems genius right? ;) ). 
According to one of CAS's blogs, 
https://apereo.github.io/2017/03/24/cas51-ldapauthnjasypt-tutorial/, jasypt is 
the method to use.

On Wednesday, February 28, 2018 at 3:02:15 PM UTC-6, Manfredo Hopp wrote:
What would be the problem with having it in cleartext on the server?

2018-02-28 17:02 GMT-03:00 Kevin Liu :
I'd like to do this because this way, I won't have bindCredentials in 
cleartext.

On Tuesday, February 27, 2018 at 11:29:22 AM UTC-6, Kevin Liu wrote:
Does anyone know how to reference the login page password in cas.properties? I 
know for username, you use %s but what about the password?














Re: [cas-user] cas 5.1.x setting cas:user value

2018-02-28 Thread Toby Archer
Thank you. Classic problem of knowing what I want but not sure how to 
google for it. Got it working. Cheers.

On Tuesday, February 27, 2018 at 9:13:37 PM UTC-6, Manfredo Hopp wrote:
>
> See
>
>
> https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-PrincipalId.html
>
> On Tuesday, 27 February 2018, Toby Archer wrote:
>
>> I had previously asked a near identical question here: 
>> https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/3xOdHIgj9x8
>>
>> That ended with an unknown and I left it with the belief that if it is 
>> possible to do what I want in CAS 3.5.2, it would probably be more trouble 
>> than it's worth since we will hopefully be moving to CAS 5.1 some time this 
>> year. But now I come back to the same question with CAS 5. Right now I'm 
>> receiving this from CAS:
>>
>> 
>> 
>> *toben.archer*
>> 
>> toben.archer
>> toben@usd.edu 
>> 
>> 
>> 
>>
>> I would like to receive this:
>>
>> 
>> 
>> *toben@usd.edu *
>> 
>> toben.archer
>> toben@usd.edu 
>> 
>> 
>> 
>>
>> For clarity, I want the cas:user element of the response to be my mail 
>> attribute that it received from LDAP (who is managing the authentication). 
>> One of our applications needs this, so I also need to be able to do it in a 
>> way that works for one application but leaves the others unaffected. Is 
>> this possible? If so how would I go about it?
>>
>>
>



Re: [cas-user] Re: CAS 5.2 Password Variable

2018-02-28 Thread Kevin Liu
Password of what? The server or the AD credentials? I'm assuming you're
referring to the server, which, if you have physical access, you can boot
using GRUB and mount the filesystem, bypassing any password. Then it's just
a matter of looking up AD/LDAP credentials.

David, thank you for pointing that out. I was wondering about that because
the password has to exist somewhere on the server. I'll have to check with
my security team to see what would make them happy then. I know in previous
iterations, they used a jbvault to store credentials. I'd rather not go
down that route though.

On Wed, Feb 28, 2018 at 3:35 PM, Man H  wrote:

> How do you get to the password?
>
> 2018-02-28 18:34 GMT-03:00 Kevin Liu :
>
>> I guess the easiest would be physical access. There are other various
>> intrusion methods too.
>>
>> On Wednesday, February 28, 2018 at 3:29:40 PM UTC-6, Manfredo Hopp wrote:
>>>
>>> How should the server be compromised?
>>>
>>> 2018-02-28 18:12 GMT-03:00 Kevin Liu :
>>>
 Should the server be compromised, attackers can grab AD credentials and
 then verify all accounts with compromised credentials.

 My solution to this is to not have clear text (seems genius right? ;)
 ). According to one of CAS's blogs, https://apereo.github.i
 o/2017/03/24/cas51-ldapauthnjasypt-tutorial/, jasypt is the method to
 use.

 On Wednesday, February 28, 2018 at 3:02:15 PM UTC-6, Manfredo Hopp
 wrote:
>
> What would be the problem with having it in cleartext on the server?
>
> 2018-02-28 17:02 GMT-03:00 Kevin Liu :
>
>> I'd like to do this because this way, I won't have bindCredentials
>> in cleartext.
>>
>> On Tuesday, February 27, 2018 at 11:29:22 AM UTC-6, Kevin Liu wrote:
>>>
>>> Does anyone know how to reference the login page password in
>>> cas.properties? I know for username, you use %s but what about the 
>>> password?
>>>
>>

Re: [cas-user] Re: CAS 5.2 Password Variable

2018-02-28 Thread David Curry
Note that Jasypt is just a wrapper around Java's symmetric encryption
algorithms.

Yeah, you've encrypted the passwords in the cas.properties file, but the
Jasypt key to decrypt them has to exist in plaintext in the startup script
(systemd service file, /etc/init.d script, etc.) for the server (unless you
want to enter it by hand whenever the system reboots)... so all you've
really accomplished is moving the plaintext from one file to another.

Plus Jasypt seems to be kind of dead (it hasn't been updated since 2014 and
doesn't work with some of Java's newer crypto algorithms).

If you're really concerned about it, you probably want to look at storing
your configuration info in a heavily-fortified Spring Cloud Configuration
server somewhere. But unless you're already drinking the Spring Cloud
Kool-Aid in your organization and have such a framework rolled out, that's
a WHOLE LOT of work for very little gain.



--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Wed, Feb 28, 2018 at 4:35 PM, Man H  wrote:

> How do you get to the password?
>
> 2018-02-28 18:34 GMT-03:00 Kevin Liu :
>
>> I guess the easiest would be physical access. There are other various
>> intrusion methods too.
>>
>> On Wednesday, February 28, 2018 at 3:29:40 PM UTC-6, Manfredo Hopp wrote:
>>>
>>> How should the server be compromised?
>>>
>>> 2018-02-28 18:12 GMT-03:00 Kevin Liu :
>>>
 Should the server be compromised, attackers can grab AD credentials and
 then verify all accounts with compromised credentials.

 My solution to this is to not have clear text (seems genius right? ;)
 ). According to one of CAS's blogs,
 https://apereo.github.io/2017/03/24/cas51-ldapauthnjasypt-tutorial/, jasypt
 is the method to use.

 On Wednesday, February 28, 2018 at 3:02:15 PM UTC-6, Manfredo Hopp
 wrote:
>
> What would be the problem with having it in cleartext on the server?
>
> 2018-02-28 17:02 GMT-03:00 Kevin Liu :
>
>> I'd like to do this because this way, I won't have bindCredentials
>> in cleartext.
>>
>> On Tuesday, February 27, 2018 at 11:29:22 AM UTC-6, Kevin Liu wrote:
>>>
>>> Does anyone know how to reference the login page password in
>>> cas.properties? I know for username, you use %s but what about the 
>>> password?
>>>
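
A small audit that makes David's point concrete, added here as an example (it is not code from the thread or from CAS): it reads a constructed cas.properties and a constructed systemd unit, flags credential-like keys whose values are still plaintext, and shows that the Jasypt master password the unit hands to the JVM is itself readable by anyone who can read the host's files. The {cipher} value prefix and the cas.standalone.config.security.psw property name are assumptions about how CAS's Jasypt support is wired; check them against your version's documentation.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample cas.properties; the {cipher} value is random base64, not real ciphertext.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real deployment
cas.server.name=https://cas.example.edu:8443
cas.authn.ldap[0].ldapUrl=ldaps://ad.example.edu
cas.authn.ldap[0].bindDn=CN=cas-bind,OU=Service,DC=example,DC=edu
cas.authn.ldap[0].bindCredential=S3cretBindPassw0rd
cas.authn.ldap[1].bindCredential={cipher}dGhpcyBpcyBub3QgcmVhbGx5IGNpcGhlcnRleHQ=
server.ssl.keyStorePassword=changeit
cas.ticket.tgt.maxTimeToLiveInSeconds=28800
"""

# Constructed systemd unit that hands the Jasypt master password to the JVM.
SAMPLE_UNIT = """\
[Service]
User=cas
Environment=JAVA_OPTS=-Xmx2g -Dcas.standalone.config.security.psw=Jasypt-Master-Key
ExecStart=/usr/bin/java $JAVA_OPTS -jar /opt/cas/cas.war
"""

CIPHER_PREFIX = "{cipher}"  # assumed marker for Jasypt-encrypted values
# Keys whose values are credentials: bindCredential, *Password, *secret, the Jasypt psw itself.
SECRET_KEY = re.compile(r"credential|password|passwd|secret|\bpsw\b|privatekey", re.I)
# Assumption: the Jasypt master password reaches CAS as this system property.
MASTER_KEY_PROPERTY = "cas.standalone.config.security.psw"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key=value' or 'key: value', '#'/'!' comments.
    Line continuations and unicode escapes are not handled; cas.properties rarely uses them."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def classify_secrets(props: Dict[str, str]) -> List[Tuple[str, str]]:
    """Label every credential-like key as 'plaintext', 'encrypted' or 'empty'."""
    findings = []
    for key, value in props.items():
        if not SECRET_KEY.search(key):
            continue
        if value.startswith(CIPHER_PREFIX):
            findings.append((key, "encrypted"))
        elif value == "":
            findings.append((key, "empty"))
        else:
            findings.append((key, "plaintext"))
    return findings


def find_master_key(unit_text: str) -> List[str]:
    """Return the plaintext Jasypt master password(s) found in a systemd unit or init script."""
    pattern = re.compile(r"-D" + re.escape(MASTER_KEY_PROPERTY) + r"=(\S+)")
    return [m.group(1) for line in unit_text.splitlines() for m in pattern.finditer(line)]


def audit(props_text: str, unit_text: str) -> dict:
    """Where do the secrets actually live? Encrypted values only help if the
    master key is not itself recoverable from the same host."""
    findings = classify_secrets(parse_properties(props_text))
    master_keys = find_master_key(unit_text)
    plaintext = sorted(k for k, state in findings if state == "plaintext")
    encrypted = sorted(k for k, state in findings if state == "encrypted")
    return {
        "plaintext": plaintext,
        "encrypted": encrypted,
        "master_key_on_disk": bool(master_keys),
        # Everything readable by whoever can read the host's files.
        "recoverable_on_host": plaintext + (encrypted if master_keys else []),
    }


if __name__ == "__main__":
    for key, state in sorted(classify_secrets(parse_properties(SAMPLE_PROPERTIES))):
        print(f"{state:10} {key}")
    report = audit(SAMPLE_PROPERTIES, SAMPLE_UNIT)
    print("master key in unit file:", report["master_key_on_disk"])
    print("recoverable on host:", ", ".join(report["recoverable_on_host"]))
```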

Re: [cas-user] Re: CAS 5.2 Password Variable

2018-02-28 Thread Man H
How do you get to the password?

2018-02-28 18:34 GMT-03:00 Kevin Liu :

> I guess the easiest would be physical access. There are other various
> intrusion methods too.
>
> On Wednesday, February 28, 2018 at 3:29:40 PM UTC-6, Manfredo Hopp wrote:
>>
>> How should the server be compromised?
>>
>> 2018-02-28 18:12 GMT-03:00 Kevin Liu :
>>
>>> Should the server be compromised, attackers can grab AD credentials and
>>> then verify all accounts with compromised credentials.
>>>
>>> My solution to this is to not have clear text (seems genius right? ;) ).
>>> According to one of CAS's blogs,
>>> https://apereo.github.io/2017/03/24/cas51-ldapauthnjasypt-tutorial/,
>>> jasypt is the method to use.
>>>
>>> On Wednesday, February 28, 2018 at 3:02:15 PM UTC-6, Manfredo Hopp wrote:

 What would be the problem with having it in cleartext on the server?

 2018-02-28 17:02 GMT-03:00 Kevin Liu :

> I'd like to do this because this way, I won't have bindCredentials in
> cleartext.
>
> On Tuesday, February 27, 2018 at 11:29:22 AM UTC-6, Kevin Liu wrote:
>>
>> Does anyone know how to reference the login page password in
>> cas.properties? I know for username, you use %s but what about the 
>> password?
>>


Re: [cas-user] Re: CAS 5.2 Password Variable

2018-02-28 Thread Kevin Liu
I guess the easiest would be physical access. There are other various 
intrusion methods too.

On Wednesday, February 28, 2018 at 3:29:40 PM UTC-6, Manfredo Hopp wrote:
>
> How should the server be compromised?
>
> 2018-02-28 18:12 GMT-03:00 Kevin Liu :
>
>> Should the server be compromised, attackers can grab AD credentials and 
>> then verify all accounts with compromised credentials.
>>
>> My solution to this is to not have clear text (seems genius right? ;) ). 
>> According to one of CAS's blogs, 
>> https://apereo.github.io/2017/03/24/cas51-ldapauthnjasypt-tutorial/, 
>> jasypt is the method to use.
>>
>> On Wednesday, February 28, 2018 at 3:02:15 PM UTC-6, Manfredo Hopp wrote:
>>>
>>> What would be the problem with having it in cleartext on the server?
>>>
>>> 2018-02-28 17:02 GMT-03:00 Kevin Liu :
>>>
 I'd like to do this because this way, I won't have bindCredentials in
 cleartext.

 On Tuesday, February 27, 2018 at 11:29:22 AM UTC-6, Kevin Liu wrote:
>
> Does anyone know how to reference the login page password in 
> cas.properties? I know for username, you use %s but what about the 
> password?
>


Re: [cas-user] Re: CAS 5.2 Password Variable

2018-02-28 Thread Man H
How should the server be compromised?

2018-02-28 18:12 GMT-03:00 Kevin Liu :

> Should the server be compromised, attackers can grab AD credentials and
> then verify all accounts with compromised credentials.
>
> My solution to this is to not have clear text (seems genius right? ;) ).
> According to one of CAS's blogs,
> https://apereo.github.io/2017/03/24/cas51-ldapauthnjasypt-tutorial/,
> jasypt is the method to use.
>
> On Wednesday, February 28, 2018 at 3:02:15 PM UTC-6, Manfredo Hopp wrote:
>>
>> What would be the problem with having it in cleartext on the server?
>>
>> 2018-02-28 17:02 GMT-03:00 Kevin Liu :
>>
>>> I'd like to do this because this way, I won't have bindCredentials in
>>> cleartext.
>>>
>>> On Tuesday, February 27, 2018 at 11:29:22 AM UTC-6, Kevin Liu wrote:

 Does anyone know how to reference the login page password in
 cas.properties? I know for username, you use %s but what about the 
 password?



Re: [cas-user] Re: CAS 5.2 Password Variable

2018-02-28 Thread Kevin Liu
Should the server be compromised, attackers can grab AD credentials and 
then verify all accounts with compromised credentials.

My solution to this is to not have clear text (seems genius right? ;) ). 
According to one of CAS's 
blogs, https://apereo.github.io/2017/03/24/cas51-ldapauthnjasypt-tutorial/, 
jasypt is the method to use.

On Wednesday, February 28, 2018 at 3:02:15 PM UTC-6, Manfredo Hopp wrote:
>
> What would be the problem with having it in cleartext on the server?
>
> 2018-02-28 17:02 GMT-03:00 Kevin Liu :
>
>> I'd like to do this because this way, I won't have bindCredentials in
>> cleartext.
>>
>> On Tuesday, February 27, 2018 at 11:29:22 AM UTC-6, Kevin Liu wrote:
>>>
>>> Does anyone know how to reference the login page password in 
>>> cas.properties? I know for username, you use %s but what about the password?
>>>


Re: [cas-user] Re: CAS 5.2 Password Variable

2018-02-28 Thread Man H
What would be the problem with having it in cleartext on the server?

2018-02-28 17:02 GMT-03:00 Kevin Liu :

> I'd like to do this because this way, I won't have bindCredentials in
> cleartext.
>
> On Tuesday, February 27, 2018 at 11:29:22 AM UTC-6, Kevin Liu wrote:
>>
>> Does anyone know how to reference the login page password in
>> cas.properties? I know for username, you use %s but what about the password?
>>


Re: [cas-user] SAML and Jenzabar JICS

2018-02-28 Thread Man H
Read point 2 of the previously attached flow.

2018-02-28 14:06 GMT-03:00 Tim Tyler :

> Should both the IdP and SP need each other’s SAML metadata content?  I ask
> because I am suspicious that the Jenzabar JICS side has no configuration
> pointing to the CAS metadata.xml content.  They point to the CAS login, but
> I don’t think they have a configuration pointing to the CAS metadata.  I am
> also very concerned about the content in idp-metadata.xml, but that might be
> a moot point at the moment if the content is not being accessed by the SP.
>
>
>
> Tim
>
>
>
> *From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *Man
> H
> *Sent:* Wednesday, February 28, 2018 10:24 AM
> *To:* cas-user@apereo.org
> *Subject:* Re: [cas-user] SAML and Jenzabar JICS
>
>
>
>
>
> I suggest:
>
> - look into cas metadata idp-metadata.xml
>
> - enable saml debug
>
> 
>
> 
>
> 
>
> 
>
>
>
> Assuming cas is your idp and Jenzabar your SP.
>
> The processing is as follows:
>
> 1.  The user attempts to access a resource on sp.example.com. The
> user does not have a valid logon session (i.e. security context) on this
> site. The SP saves the requested resource URL in local state information
> that can be saved across the web SSO exchange.
>
> 2.  The SP sends an HTML form back to the browser in the HTTP
> response (HTTP status 200). The HTML FORM contains a SAML 
> message encoded as the value of a hidden form control named SAMLRequest.
>
> https://idp.example.org/SAML2/SSO/POST" ...>
>
> 
>
> 
>
> ...
>
> 
>
> 
>
> The RelayState token is an opaque reference to state information
> maintained at the service provider. (The RelayState mechanism can leak
> details of the user's activities at the SP to the IdP and so the SP should
> take care in its implementation to protect the user's privacy.) The value
> of the SAMLRequest parameter is the base64 encoding of the following
>  element:
>
> 
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>
> ID="identifier_1"
>
> Version="2.0"
>
> IssueInstant="2004-12-05T09:21:59Z"
>
> AssertionConsumerServiceIndex="1">
>
> https://sp.example.com/SAML2
>
> 
> AllowCreate="true"
>
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
>
> 
>
> 3.  For ease-of-use purposes, the HTML FORM typically will be
> accompanied by script code that will automatically post the form to the
> destination site (which is the IdP in this case). The browser, due either
> to a user action or execution of an “auto-submit” script, issues an HTTP
> POST request to send the form to the identity provider's Single Sign-On
> Service.
>
> POST /SAML2/SSO/POST HTTP/1.1
>
> Host: idp.example.org
>
> Content-Type: application/x-www-form-urlencoded
>
> Content-Length: nnn
>
> SAMLRequest=request&RelayState=token
>
> 4.  The Single Sign-On Service determines whether the user has an
> existing logon security context at the identity provider that meets the
> default or requested authentication policy requirements. If not, the IdP
> interacts with the browser to challenge the user to provide valid
> credentials.
>
> 5.  The user provides valid credentials and a local logon security
> context is created for the user at the IdP.
>
> 6.  The IdP Single Sign-On Service issues a SAML assertion
> representing the user's logon security context and places the assertion
> within a SAML  message. Since the HTTP Artifact binding will be
> used to deliver the SAML Response message, it is not mandated that the
> assertion be digitally signed. The IdP creates an artifact containing the
> source ID for the idp.example.org site and a reference to the  message
> (the MessageHandle). The HTTP Artifact binding allows the choice of
> either HTTP redirection or an HTML form POST as the mechanism to deliver
> the artifact to the partner. The figure shows the use of redirection.
>
> 7.  The SP's Assertion Consumer Service now sends a SAML
>  message containing the artifact to the IdP's Artifact
> Resolution Service endpoint. This exchange is performed using a
> synchronous SOAP message exchange.
>
> 
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>
> ID="identifier_2"
>
> Version="2.0"
>
> IssueInstant="2004-12-05T09:22:04Z"
>
> Destination="https://idp.example.org/SAML2/ArtifactResolution">
>
> https://sp.example.com/SAML2
>
> 
>
> 
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...
>
> artifact
>
> 
>
> 8.  The IdP's Artifact Resolution Service extracts the MessageHandle
> from the artifact and locates the original SAML  message
> associated with it. This message is then placed inside a SAML
>  message, which is returned to the SP over the SOAP
> channel.
>
> 
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
> ID="identifier_3"
>
> InResponseTo="identifier_2"
>
> Version="2.0"
>
> IssueInstant="2004-12-05T09:22:05Z">
>
> 
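
The SP POST request and the artifact resolution exchange of the flow above, as an added example that is not part of the thread: a toy SP and IdP in Python build and check the AuthnRequest that travels in the SAMLRequest form control, then the ArtifactResolve the SP sends and the lookup the IdP's Artifact Resolution Service performs, using the entity IDs, message IDs and timestamps the flow quotes. The IdP entityID https://idp.example.org/SAML2, the in-memory handle store and the stand-in Response are constructed here, and the signature on ArtifactResolve is omitted.

```python
import base64
import hashlib
import os
import struct
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SP_ENTITY = "https://sp.example.com/SAML2"    # Issuer used throughout the flow
IDP_ENTITY = "https://idp.example.org/SAML2"  # assumed entityID for idp.example.org
ARTIFACT_TYPE = 0x0004                        # SAML 2.0 type-4 artifact

def build_authn_request(request_id, issue_instant):
    """SP side: the AuthnRequest of the flow, base64-encoded for the hidden
    SAMLRequest form control."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        'AssertionConsumerServiceIndex="1">'
        f"<saml:Issuer>{SP_ENTITY}</saml:Issuer>"
        '<samlp:NameIDPolicy AllowCreate="true" '
        'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>'
        "</samlp:AuthnRequest>"
    )
    return base64.b64encode(xml.encode()).decode()

def parse_authn_request(saml_request, registered_sps):
    """IdP Single Sign-On Service: decode the posted value and refuse an Issuer
    the IdP holds no metadata for (the registration Tim asks about)."""
    root = ET.fromstring(base64.b64decode(saml_request))
    if root.tag != f"{{{SAMLP}}}AuthnRequest" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if issuer not in registered_sps:
        raise ValueError(f"unknown SP issuer: {issuer}")
    return {"id": root.get("ID"), "issuer": issuer,
            "acs_index": int(root.get("AssertionConsumerServiceIndex", "0"))}

def source_id(entity_id):
    """SourceID of a type-4 artifact: SHA-1 of the issuing entityID (20 bytes)."""
    return hashlib.sha1(entity_id.encode()).digest()

def parse_artifact(artifact):
    """Split a base64 type-4 artifact into (endpoint index, SourceID, MessageHandle)."""
    raw = base64.b64decode(artifact)
    if len(raw) != 44:
        raise ValueError("type-4 artifact must be 44 bytes")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != ARTIFACT_TYPE:
        raise ValueError(f"unsupported artifact type {type_code:#06x}")
    return endpoint_index, raw[4:24], raw[24:44]

class IdentityProvider:
    """Holds the Response messages that outstanding artifacts refer to."""

    def __init__(self):
        self.pending = {}  # MessageHandle -> Response XML

    def issue_artifact(self, response_xml, endpoint_index=0):
        """Store the Response and hand out an artifact that points at it."""
        handle = os.urandom(20)
        self.pending[handle] = response_xml
        raw = struct.pack(">HH", ARTIFACT_TYPE, endpoint_index) + source_id(IDP_ENTITY) + handle
        return base64.b64encode(raw).decode()

    def resolve(self, artifact_resolve_xml):
        """Artifact Resolution Service: look up the MessageHandle named in the
        ArtifactResolve. A handle is single-use, so a replay gets nothing back."""
        root = ET.fromstring(artifact_resolve_xml)
        _, _, handle = parse_artifact(root.findtext(f"{{{SAMLP}}}Artifact"))
        return self.pending.pop(handle, None)

def build_artifact_resolve(artifact, expected_idp, request_id, issue_instant):
    """SP Assertion Consumer Service: check the SourceID names the configured IdP
    before sending the artifact anywhere. The ds:Signature of the flow is omitted."""
    _, sid, _ = parse_artifact(artifact)
    if sid != source_id(expected_idp):
        raise ValueError("artifact SourceID does not match the configured IdP")
    return (
        f'<samlp:ArtifactResolve xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        'Destination="https://idp.example.org/SAML2/ArtifactResolution">'
        f"<saml:Issuer>{SP_ENTITY}</saml:Issuer>"
        f"<samlp:Artifact>{artifact}</samlp:Artifact></samlp:ArtifactResolve>"
    )

def run_exchange():
    """The whole exchange; returns (resolved Response, result of a replayed resolve)."""
    idp = IdentityProvider()
    req = parse_authn_request(
        build_authn_request("identifier_1", "2004-12-05T09:21:59Z"), {SP_ENTITY})
    rid = req["id"]
    # Constructed stand-in for the Response the IdP builds after authentication.
    response_xml = f'<samlp:Response xmlns:samlp="{SAMLP}" InResponseTo="{rid}"/>'
    artifact = idp.issue_artifact(response_xml, endpoint_index=req["acs_index"])
    resolve_msg = build_artifact_resolve(
        artifact, IDP_ENTITY, "identifier_2", "2004-12-05T09:22:04Z")
    return idp.resolve(resolve_msg), idp.resolve(resolve_msg)
```

run_exchange() returns the resolved Response first and None for the replayed ArtifactResolve.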

Re: [cas-user] Inspektr

2018-02-28 Thread Man H
yes

2018-02-28 17:02 GMT-03:00 Cheltenham, Chris :

> Does anyone use inspektr ?
>
>
>
> I simply changed error to info in this entry in log4j2
>
>
>
>  includeLocation="true">
>
> 
>
> 
>
> 
>
>
>
> From what I read this is supposed to log into cas_audit.log.
>
>
>
> Is that all that I am to do?
>
>
>
>
>
>
>
> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>


[cas-user] Re: CAS 5.2 Password Variable

2018-02-28 Thread Kevin Liu
I'd like to do this because this way, I won't have bindCredentials in
cleartext.

On Tuesday, February 27, 2018 at 11:29:22 AM UTC-6, Kevin Liu wrote:
>
> Does anyone know how to reference the login page password in 
> cas.properties? I know for username, you use %s but what about the password?
>



[cas-user] Inspektr

2018-02-28 Thread Cheltenham, Chris


Does anyone use inspektr ?

 

I simply changed error to info in this entry in log4j2

 









 

From what I read this is supposed to log into cas_audit.log.

 

Is that all that I am to do?

 

 

 

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 



Re: [cas-user] Verifying data in Hazelcast

2018-02-28 Thread Ray Bon
Jono,

Try this log4j2 item,




Ray

On Wed, 2018-02-28 at 09:44 -0800, Jono wrote:
I have done that. The log shows when I authenticate. And it shows stuff about
hazelcast's heartbeat. But it does not say anything about how the key is stored
or where I can find it.
Should I see something particular?

On Wed, Feb 28, 2018 at 9:15 AM, Ray Bon wrote:
Jono,

Try setting hazelcast to debug in log4j2.xml.

Ray

On Tue, 2018-02-27 at 14:44 -0800, Jono Jono wrote:

I'm using CAS 4.2 with Hazelcast, but I'm unable to verify that CAS is writing
to Hazelcast. Can you point me to how I would determine the data that CAS is
writing to the cache?

Here is the hazelcast part of my properties file:

hz.mapname=tickets
hz.cluster.logging.type=slf4j
hz.cluster.members=cas1,hazelcastmaster


I am able to authenticate to CAS, but I can't see where this data is stored. I
have tried using the hazelcast management center as well as the console app
(see below), but all the datasets look empty.


$ cd webapps/cas/WEB-INF/lib && java -cp hazelcast-3.7.1.jar com.hazelcast.console.ConsoleApp
Feb 27, 2018 7:27:54 PM com.hazelcast.config.FileSystemXmlConfig
INFO: Configuring Hazelcast from 
'/usr/local/tomcat/webapps/cas/WEB-INF/lib/hazelcast.xml'.
Feb 27, 2018 7:27:54 PM com.hazelcast.instance.DefaultAddressPicker
INFO: [LOCAL] [dev] [3.7.1] Prefer IPv4 stack is true.
Feb 27, 2018 7:27:54 PM com.hazelcast.instance.DefaultAddressPicker
INFO: [LOCAL] [dev] [3.7.1] Picked [172.20.0.6]:5702, using socket 
ServerSocket[addr=/0.0.0.0,localport=5702], bind any local is true
Feb 27, 2018 7:27:54 PM com.hazelcast.system
INFO: [172.20.0.6]:5702 [dev] [3.7.1] Hazelcast 3.7.1 (20160905 - 1f47990) 
starting at [172.20.0.6]:5702
Feb 27, 2018 7:27:54 PM com.hazelcast.system
INFO: [172.20.0.6]:5702 [dev] [3.7.1] Copyright (c) 2008-2016, Hazelcast, Inc. 
All Rights Reserved.
Feb 27, 2018 7:27:54 PM com.hazelcast.system
INFO: [172.20.0.6]:5702 [dev] [3.7.1] Configured Hazelcast Serialization 
version : 1
Feb 27, 2018 7:27:54 PM 
com.hazelcast.spi.impl.operationservice.impl.BackpressureRegulator
INFO: [172.20.0.6]:5702 [dev] [3.7.1] Backpressure is disabled
Feb 27, 2018 7:27:54 PM com.hazelcast.instance.Node
INFO: [172.20.0.6]:5702 [dev] [3.7.1] Creating MulticastJoiner
Feb 27, 2018 7:27:54 PM com.hazelcast.core.LifecycleService
INFO: [172.20.0.6]:5702 [dev] [3.7.1] [172.20.0.6]:5702 is STARTING
Feb 27, 2018 7:27:54 PM 
com.hazelcast.spi.impl.operationexecutor.impl.OperationExecutorImpl
INFO: [172.20.0.6]:5702 [dev] [3.7.1] Starting 8 partition threads
Feb 27, 2018 7:27:54 PM 
com.hazelcast.spi.impl.operationexecutor.impl.OperationExecutorImpl
INFO: [172.20.0.6]:5702 [dev] [3.7.1] Starting 5 generic threads (1 dedicated 
for priority tasks)
Feb 27, 2018 7:27:54 PM 
com.hazelcast.nio.tcp.nonblocking.NonBlockingIOThreadingModel
INFO: [172.20.0.6]:5702 [dev] [3.7.1] TcpIpConnectionManager configured with 
Non Blocking IO-threading model: 3 input threads and 3 output threads
Feb 27, 2018 7:27:57 PM com.hazelcast.internal.cluster.impl.MulticastJoiner
INFO: [172.20.0.6]:5702 [dev] [3.7.1]


Members [1] {
Member [172.20.0.6]:5702 - c6927086-98ef-4ac5-b53a-9f465e346318 this
}

Feb 27, 2018 7:27:57 PM com.hazelcast.instance.Node
WARNING: [172.20.0.6]:5702 [dev] [3.7.1] Config seed port is 5701 and cluster 
size is 1. Some of the ports seem occupied!
Feb 27, 2018 7:27:57 PM com.hazelcast.core.LifecycleService
INFO: [172.20.0.6]:5702 [dev] [3.7.1] [172.20.0.6]:5702 is STARTED
Feb 27, 2018 7:27:58 PM 
com.hazelcast.internal.partition.impl.PartitionStateManager
INFO: [172.20.0.6]:5702 [dev] [3.7.1] Initializing cluster partition table 
arrangement...
hazelcast[default] > m.size
Size = 0
hazelcast[default] > ns tickets
namespace: tickets
hazelcast[tickets] > m.size
Size = 0




--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca





Re: [cas-user] Customizing webflows

2018-02-28 Thread Ray Bon
Yashwanth,

This log line will show details about the webflow configuration on server start:



Ray

On Wed, 2018-02-28 at 02:18 -0800, yashwanth chowdary wrote:
I want to use pswdreset-webflow in my cas5 overlay. I have added the 
dependencies and I have customized the login-webflow so that on click of the 
changepassword button it shows us the view that is configured in pswdreset 
webflow. I have added the class 
"org.apereo.cas.pm.config.PasswordManagementWebflowConfiguration" in the 
spring.factories file. I am facing the below 
issue: "NoSuchFlowFoundException"


Please refer to the attached files for the dependencies, customized login flow 
and html files.
Error log:


org.springframework.webflow.execution.FlowExecutionException: Exception thrown 
in state 'forceChangePassword' of flow 'login'
at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573)
at 
org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263)
at 
org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at 
org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:216)
at 
org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:470)
at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at 
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
at com.sun.proxy.$Proxy125.resumeExecution(Unknown Source)
at 
org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:253)
at 
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
at 
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
at 
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
at 
org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
at 
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at 
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at 
org.apereo.cas.web.support.AuthenticationCredentialsLocalBinderClearingFilter.doFilter(AuthenticationCredentialsLocalBinderClearingFilter.java:30)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at 
org.apereo.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:261)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at 
org.apereo.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:237)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at 
org.apereo.cas.security.AddResponseHeadersFilter.doFilter(AddResponseHeadersFilter.java:94)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at 
org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:110)
at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at 

[cas-user] HA Diagram

2018-02-28 Thread Jono Jono
I'm having trouble understanding caching ticket registries. This chart in 
particular:
https://apereo.github.io/cas/5.2.x/planning/High-Availability-Guide.html#recommended-architecture

Shouldn't cas-2 be pointing at a cache? Is the diagram incorrect?



Re: [cas-user] Verifying data in Hazelcast

2018-02-28 Thread Jono
I have done that. The log shows when I authenticate, and it shows stuff
about hazelcast's heartbeat. But it does not say anything about how the key
is stored or where I can find it.
Should I see something particular?

On Wed, Feb 28, 2018 at 9:15 AM, Ray Bon  wrote:

> Jono,
>
> Try setting hazelcast to debug in log4j2.xml.
>
> Ray
>
> On Tue, 2018-02-27 at 14:44 -0800, Jono Jono wrote:
>
>
> I'm using CAS 4.2 with Hazelcast, but I'm unable to verify that CAS is
> writing to Hazelcast. Can you point me to how I would determine the data
> that CAS is writing to the cache?
>
> Here is the hazelcast part of my properties file:
>
> hz.mapname=tickets
> hz.cluster.logging.type=slf4j
> hz.cluster.members=cas1,hazelcastmaster
>
>
> I am able to authenticate to CAS, but I can't see where this data is
> stored. I have tried using the hazelcast management center as well as the
> console app (see below), but all the datasets look empty.
>
>
> $ cd webapps/cas/WEB-INF/lib && java -cp hazelcast-3.7.1.jar com.hazelcast
> .console.ConsoleApp
> Feb 27, 2018 7:27:54 PM com.hazelcast.config.FileSystemXmlConfig
> INFO: Configuring Hazelcast from '/usr/local/tomcat/webapps/
> cas/WEB-INF/lib/hazelcast.xml'.
> Feb 27, 2018 7:27:54 PM com.hazelcast.instance.DefaultAddressPicker
> INFO: [LOCAL] [dev] [3.7.1] Prefer IPv4 stack is true.
> Feb 27, 2018 7:27:54 PM com.hazelcast.instance.DefaultAddressPicker
> INFO: [LOCAL] [dev] [3.7.1] Picked [172.20.0.6]:5702, using socket
> ServerSocket[addr=/0.0.0.0,localport=5702], bind any local is true
> Feb 27, 2018 7:27:54 PM com.hazelcast.system
> INFO: [172.20.0.6]:5702 [dev] [3.7.1] Hazelcast 3.7.1 (20160905 - 1f47990)
> starting at [172.20.0.6]:5702
> Feb 27, 2018 7:27:54 PM com.hazelcast.system
> INFO: [172.20.0.6]:5702 [dev] [3.7.1] Copyright (c) 2008-2016, Hazelcast,
> Inc. All Rights Reserved.
> Feb 27, 2018 7:27:54 PM com.hazelcast.system
> INFO: [172.20.0.6]:5702 [dev] [3.7.1] Configured Hazelcast Serialization
> version : 1
> Feb 27, 2018 7:27:54 PM com.hazelcast.spi.impl.operationservice.impl.
> BackpressureRegulator
> INFO: [172.20.0.6]:5702 [dev] [3.7.1] Backpressure is disabled
> Feb 27, 2018 7:27:54 PM com.hazelcast.instance.Node
> INFO: [172.20.0.6]:5702 [dev] [3.7.1] Creating MulticastJoiner
> Feb 27, 2018 7:27:54 PM com.hazelcast.core.LifecycleService
> INFO: [172.20.0.6]:5702 [dev] [3.7.1] [172.20.0.6]:5702 is STARTING
> Feb 27, 2018 7:27:54 PM com.hazelcast.spi.impl.operationexecutor.impl.
> OperationExecutorImpl
> INFO: [172.20.0.6]:5702 [dev] [3.7.1] Starting 8 partition threads
> Feb 27, 2018 7:27:54 PM com.hazelcast.spi.impl.operationexecutor.impl.
> OperationExecutorImpl
> INFO: [172.20.0.6]:5702 [dev] [3.7.1] Starting 5 generic threads (1
> dedicated for priority tasks)
> Feb 27, 2018 7:27:54 PM com.hazelcast.nio.tcp.nonblocking.
> NonBlockingIOThreadingModel
> INFO: [172.20.0.6]:5702 [dev] [3.7.1] TcpIpConnectionManager configured
> with Non Blocking IO-threading model: 3 input threads and 3 output threads
> Feb 27, 2018 7:27:57 PM com.hazelcast.internal.cluster.impl.
> MulticastJoiner
> INFO: [172.20.0.6]:5702 [dev] [3.7.1]
>
>
> Members [1] {
> Member [172.20.0.6]:5702 - c6927086-98ef-4ac5-b53a-9f465e346318 this
> }
>
> Feb 27, 2018 7:27:57 PM com.hazelcast.instance.Node
> WARNING: [172.20.0.6]:5702 [dev] [3.7.1] Config seed port is 5701 and
> cluster size is 1. Some of the ports seem occupied!
> Feb 27, 2018 7:27:57 PM com.hazelcast.core.LifecycleService
> INFO: [172.20.0.6]:5702 [dev] [3.7.1] [172.20.0.6]:5702 is STARTED
> Feb 27, 2018 7:27:58 PM com.hazelcast.internal.partition.impl.
> PartitionStateManager
> INFO: [172.20.0.6]:5702 [dev] [3.7.1] Initializing cluster partition
> table arrangement...
> hazelcast[default] > m.size
> Size = 0
> hazelcast[default] > ns tickets
> namespace: tickets
> hazelcast[tickets] > m.size
> Size = 0
>
>
>
> --
> Ray Bon
> Programmer analyst
> Development Services, University Systems2507218831 <(250)%20721-8831> | CLE 
> 019 | r...@uvic.ca
>

Re: [cas-user] Dashboard Issue with Waterfox

2018-02-28 Thread Ray Bon
Chris,

Does this problem exist if you open a private window?

Ray

On Wed, 2018-02-28 at 11:23 -0500, Cheltenham, Chris wrote:

Hello Everyone.

Has anyone seen this problem?

I was finally able to set up the dashboard with some help.

However I found a strange anomaly.

Using Waterfox, the 64 bit Firefox, I get a 500 internal error.

With ANY OTHER browser I used it works just fine.

Yes, I dumped the cache and cleared history several times.

Also, it gives you a java stack trace in the CAS logs saying

2018-02-28 10:22:12,567 DEBUG 
[org.apereo.cas.web.FlowExecutionExceptionResolver] - 
org.pac4j.core.exception.TechnicalException: cannot validate CAS ticket: 
ST-8-NW9hG5iesq69gE4h8cNehuDlKh0-devcas5

Caused by: org.jasig.cas.client.validation.TicketValidationException: Ticket 
'ST-8-NW9hG5iesq69gE4h8cNehuDlKh0-devcas5' not recognized

Always the same ticket # also.


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

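What Chris's log records (the same ST rejected every time as "not recognized") is the normal fate of a service ticket that has already been consumed or has expired: CAS validates a service ticket once and then drops it from the ticket registry, so a browser that replays an old `?ticket=ST-...` URL from cache, history or an autofilled address bar is refused on every attempt with exactly that message, which is why Ray's private-window test is a good first check. The Python below is an added model written for this page, not CAS code: the in-memory registry, the ticket id format and the one-use / 10-second policy are simplified assumptions shaped like the CAS service-ticket defaults, and the log sample is constructed from Chris's line.

```python
import re
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumptions of this model: one use per service ticket and a 10 second time-to-kill,
# the shape of the CAS defaults (cas.ticket.st.numberOfUses / timeToKillInSeconds).
ST_TIME_TO_KILL = 10
ST_USES = 1
HOST_SUFFIX = "devcas5"   # CAS ends ticket ids with a host suffix, as in Chris's log


@dataclass
class ServiceTicket:
    ticket_id: str
    service: str        # the service URL the ticket was granted for
    created: float
    uses_left: int = ST_USES


class TicketRegistry:
    """In-memory stand-in for the ticket registry (Hazelcast, JPA, ... in real CAS)."""

    def __init__(self, clock=time.time):
        self._tickets: Dict[str, ServiceTicket] = {}
        self._seq = 0
        self._clock = clock

    def issue_service_ticket(self, service: str) -> str:
        self._seq += 1
        ticket_id = f"ST-{self._seq}-{secrets.token_urlsafe(20)}-{HOST_SUFFIX}"
        self._tickets[ticket_id] = ServiceTicket(ticket_id, service, self._clock())
        return ticket_id

    def validate(self, ticket_id: str, service: str) -> Tuple[bool, str]:
        """serviceValidate semantics: unknown, expired and already consumed tickets
        all answer 'not recognized'; a wrong service is reported separately."""
        st = self._tickets.get(ticket_id)
        if st is None:
            return False, f"Ticket '{ticket_id}' not recognized"
        if self._clock() - st.created >= ST_TIME_TO_KILL or st.uses_left <= 0:
            del self._tickets[ticket_id]
            return False, f"Ticket '{ticket_id}' not recognized"
        st.uses_left -= 1
        if st.uses_left == 0:
            del self._tickets[ticket_id]   # consumed: any later validation must fail
        if st.service != service:
            return False, f"Ticket '{ticket_id}' does not match supplied service"
        return True, "ok"


def ticket_from_url(url: str) -> Optional[str]:
    """Client side: the ticket= parameter the browser carried back to the service."""
    return parse_qs(urlsplit(url).query).get("ticket", [None])[0]


TICKET_RE = re.compile(r"cannot validate CAS ticket: (ST-[A-Za-z0-9_-]+)")

# Constructed log sample: Chris's line, repeated as a replayed URL would produce it,
# plus one unrelated rejection with a made-up ticket id.
SAMPLE_LOG = [
    "2018-02-28 10:22:12,567 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - "
    "org.pac4j.core.exception.TechnicalException: cannot validate CAS ticket: "
    "ST-8-NW9hG5iesq69gE4h8cNehuDlKh0-devcas5",
    "2018-02-28 10:25:40,102 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - "
    "org.pac4j.core.exception.TechnicalException: cannot validate CAS ticket: "
    "ST-8-NW9hG5iesq69gE4h8cNehuDlKh0-devcas5",
    "2018-02-28 10:31:03,998 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - "
    "org.pac4j.core.exception.TechnicalException: cannot validate CAS ticket: "
    "ST-8-NW9hG5iesq69gE4h8cNehuDlKh0-devcas5",
    "2018-02-28 10:32:15,004 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - "
    "org.pac4j.core.exception.TechnicalException: cannot validate CAS ticket: "
    "ST-9-constructedTicketIdForTheExample-devcas5",
]


def repeated_rejections(log_lines: List[str]) -> Dict[str, int]:
    """Detection helper: ticket ids rejected more than once. A fresh login never
    validates the same ST twice, so repeats mean a client is replaying an old URL."""
    counts: Dict[str, int] = {}
    for line in log_lines:
        m = TICKET_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return {ticket: n for ticket, n in counts.items() if n > 1}
```

`repeated_rejections` is the check to run over the CAS log before suspecting the server: one ticket id failing again and again, minutes apart, is a client re-sending a stale URL, whereas a broken registry would reject fresh ids too.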


Re: [cas-user] What configuration for ticket 5.2 ?

2018-02-28 Thread Ray Bon
Romain,

You still need cas.tgc.maxAge=-1. Not sure what the default is (maybe a couple of 
weeks) but setting a cookie maxAge to less than 0 will cause the cookie to be 
discarded by the browser when it closes. It will stay active in the browser as 
long as the browser is open; the lifetime of the CAS session can be managed 
with cas.ticket.tgt properties.

Ray

On Wed, 2018-02-28 at 00:27 -0800, vallee.romain wrote:
Thank you all for your response.
I'm surprised the TGC stays after the browser closes.

For me, if we didn't check "Remember Me", we had authentication per session and 
not a cookie.


cas.tgc.name=TGC
#cas.tgc.secure=false
#cas.tgc.rememberMeMaxAge=135
cas.tgc.encryptionKey=kGF9P2ZuU0ovlaCWxhiHix1bxH2pGfqlG5qGzqdxjY4
cas.tgc.signingKey=K5yrl7ThQ5wwX8pbtEgdHF4aDuwUwFkHmhARzSRdNvNpXF1FFk_sYIgRHZZVJWdlMlGecQ-bePNlf0pexIzj2A
cas.tgc.cipherEnabled=true

# #remember me 31 days in seconds
# # Set to a negative value to never expire tickets
cas.ticket.tgt.maxTimeToLiveInSeconds=25200
#cas.ticket.tgt.timeToKillInSeconds=7200
cas.ticket.tgt.rememberMe.enabled=true
cas.ticket.tgt.rememberMe.timeToKillInSeconds=135
#cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=135


This is my new configuration, but the TGC cookie still remains after the web 
browser closes. In version 4.2 of jasig, if we closed the browser, the session 
was no longer maintained.



On Tuesday, February 27, 2018 at 17:23:57 UTC+1, rbon wrote:
Romain,

I guess cas.tgc.rememberMeMaxAge overrides cas.tgc.maxAge.
If you want your session to end when the browser is closed, leave out 
cas.tgc.rememberMeMaxAge.

Ray

On Tue, 2018-02-27 at 00:09 -0800, vallee.romain wrote:
Hello,

I try to set up jasig TGC for this use case:

When I check rememberMe: 1 month without needing to enter login/password

When I don't check rememberMe: 7 hours unless I close the browser. If I close 
the browser, I would like to have a login/password prompt at next login.


I think rememberMe is ok.

But when I try to close/open the browser, the session is already up.

# cas.tgc.path=
cas.tgc.maxAge=-1
# cas.tgc.domain=
cas.tgc.name=TGC
cas.tgc.secure=false
cas.tgc.rememberMeMaxAge=135
cas.tgc.encryptionKey=xxx
cas.tgc.signingKey=x
cas.tgc.cipherEnabled=true

# #remember me 31 days in seconds
# # Set to a negative value to never expire tickets
cas.ticket.tgt.maxTimeToLiveInSeconds=135
cas.ticket.tgt.timeToKillInSeconds=7200
cas.ticket.tgt.rememberMe.enabled=true
cas.ticket.tgt.rememberMe.timeToKillInSeconds=135
cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=135
##
#Throttled Timeout
##
cas.ticket.tgt.throttledTimeout.timeToKillInSeconds=28800
cas.ticket.tgt.throttledTimeout.timeInBetweenUsesInSeconds=5
cas.ticket.tgt.hardTimeout.timeToKillInSeconds=28800



Have you got an idea ?

Best regards

Romain

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca


--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

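Ray's answer separates two lifetimes that Romain's properties mix together: the browser-side cookie lifetime (cas.tgc.maxAge, or cas.tgc.rememberMeMaxAge for a remember-me login) and the server-side TGT lifetime (cas.ticket.tgt.*). The Python below is an added model written for this page, not CAS source: `parse_properties`, `TgcSettings`, the Set-Cookie builder and `tgt_expired` are simplified assumptions that follow the servlet cookie rule Ray describes (a negative max age is emitted without Max-Age, so the browser drops the cookie when it closes), the `/cas` path, the HttpOnly flag and the -1 fallback for an unset cas.tgc.maxAge are assumptions too, and the sample text is Romain's second configuration with his two key values left out.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Romain's second configuration from this thread, used as constructed sample input
# (the two key values he posted are left out on purpose).
SAMPLE_PROPERTIES = """
cas.tgc.name=TGC
#cas.tgc.secure=false
#cas.tgc.rememberMeMaxAge=135
cas.tgc.cipherEnabled=true
cas.ticket.tgt.maxTimeToLiveInSeconds=25200
#cas.ticket.tgt.timeToKillInSeconds=7200
cas.ticket.tgt.rememberMe.enabled=true
cas.ticket.tgt.rememberMe.timeToKillInSeconds=135
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value reader. A line starting with '#' is a comment, so a
    commented-out property is simply absent, exactly as CAS would see it."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


@dataclass(frozen=True)
class TgcSettings:
    name: str
    max_age: int                         # cas.tgc.maxAge
    remember_me_max_age: Optional[int]   # cas.tgc.rememberMeMaxAge, None when unset
    secure: bool
    path: str = "/cas"                   # assumption: CAS deployed under /cas


def settings_from_properties(props: Dict[str, str], default_max_age: int = -1) -> TgcSettings:
    """default_max_age is an assumption for an unset cas.tgc.maxAge; Ray's advice is
    to set the property explicitly instead of relying on the server default."""
    remember = props.get("cas.tgc.rememberMeMaxAge")
    return TgcSettings(
        name=props.get("cas.tgc.name", "TGC"),
        max_age=int(props.get("cas.tgc.maxAge", default_max_age)),
        remember_me_max_age=int(remember) if remember is not None else None,
        secure=props.get("cas.tgc.secure", "true").lower() == "true",
    )


def effective_max_age(s: TgcSettings, remember_me: bool) -> int:
    """A remember-me login uses rememberMeMaxAge when it is set, else maxAge."""
    if remember_me and s.remember_me_max_age is not None:
        return s.remember_me_max_age
    return s.max_age


def set_cookie_header(s: TgcSettings, value: str, remember_me: bool) -> str:
    """Servlet cookie rule: a negative max age emits no Max-Age, so the browser keeps
    the cookie only for the session; 0 deletes it; a positive value persists it."""
    parts = [f"{s.name}={value}", f"Path={s.path}", "HttpOnly"]  # HttpOnly assumed on
    age = effective_max_age(s, remember_me)
    if age >= 0:
        parts.append(f"Max-Age={age}")
    if s.secure:
        parts.append("Secure")
    return "; ".join(parts)


def survives_browser_close(s: TgcSettings, remember_me: bool) -> bool:
    return effective_max_age(s, remember_me) > 0


def tgt_expired(now: int, created: int, last_used: int, max_ttl: int, idle_ttl: int) -> bool:
    """Server side, independent of the cookie: the TGT is gone once it is older than
    maxTimeToLiveInSeconds or has been idle longer than timeToKillInSeconds."""
    return (now - created) >= max_ttl or (now - last_used) >= idle_ttl


if __name__ == "__main__":
    s = settings_from_properties(parse_properties(SAMPLE_PROPERTIES))
    for remember_me in (False, True):
        print(remember_me, set_cookie_header(s, "TGC-1-example", remember_me))
```

Run against Romain's first configuration (cas.tgc.maxAge=-1 with cas.tgc.rememberMeMaxAge=135) the model gives a session cookie for a plain login and a 135-second persistent cookie for a remember-me login; against his second one, with rememberMeMaxAge commented out, both logins get a session cookie as long as maxAge is -1. Whether the browser still holds the cookie says nothing about whether CAS still honours it: that is `tgt_expired`, driven only by the cas.ticket.tgt values.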


RE: [cas-user] SAML and Jenzabar JICS

2018-02-28 Thread Tim Tyler
Should both the IdP and SP need each other's SAML metadata content?  I ask
because I am suspicious that the Jenzabar JICS side has no configuration
pointing to the CAS metadata.xml content.  They point to the CAS login, but
I don't think they have a configuration pointing to the CAS metadata.  I am
also very concerned about the content in idp-metadata.xml, but that might be
a moot point at the moment if the content is not being accessed by the SP.



Tim



*From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *Man
H
*Sent:* Wednesday, February 28, 2018 10:24 AM
*To:* cas-user@apereo.org
*Subject:* Re: [cas-user] SAML and Jenzabar JICS





I suggest:

- look into the cas metadata idp-metadata.xml

- enable saml debug











Assuming cas is your idp and Jenzabar your SP.

The processing is as follows:

1.  The user attempts to access a resource on sp.example.com. The user
does not have a valid logon session (i.e. security context) on this site.
The SP saves the requested resource URL in local state information that can
be saved across the web SSO exchange.

2.  The SP sends an HTML form back to the browser in the HTTP response
(HTTP status 200). The HTML FORM contains a SAML  message
encoded as the value of a hidden form control named SAMLRequest.

https://idp.example.org/SAML2/SSO/POST; ...>





...





The RelayState token is an opaque reference to state information maintained
at the service provider. (The RelayState mechanism can leak details of the
user's activities at the SP to the IdP and so the SP should take care in
its implementation to protect the user's privacy.) The value of the
SAMLRequest parameter is the base64 encoding of the following
 element:



https://sp.example.com/SAML2





3.  For ease-of-use purposes, the HTML FORM typically will be
accompanied by script code that will automatically post the form to the
destination site (which is the IdP in this case). The browser, due either
to a user action or execution of an "auto-submit" script, issues an HTTP
POST request to send the form to the identity provider's Single Sign-On
Service.

POST /SAML2/SSO/POST HTTP/1.1

Host: idp.example.org

Content-Type: application/x-www-form-urlencoded

Content-Length: nnn

SAMLRequest=request&RelayState=token

4.  The Single Sign-On Service determines whether the user has an
existing logon security context at the identity provider that meets the
default or requested authentication policy requirements. If not, the IdP
interacts with the browser to challenge the user to provide valid
credentials.

5.  The user provides valid credentials and a local logon security
context is created for the user at the IdP.

6.  The IdP Single Sign-On Service issues a SAML assertion representing
the user's logon security context and places the assertion within a SAML
 message. Since the HTTP Artifact binding will be used to deliver
the SAML Response message, it is not mandated that the assertion be
digitally signed. The IdP creates an artifact containing the source ID for
the idp.example.org site and a reference to the  message (the
MessageHandle). The HTTP Artifact binding allows the choice of either HTTP
redirection or an HTML form POST as the mechanism to deliver the artifact
to the partner. The figure shows the use of redirection.

7.  The SP's Assertion Consumer Service now sends a SAML
 message containing the artifact to the IdP's Artifact
Resolution Service endpoint. This exchange is performed using a synchronous
SOAP message exchange.

https://idp.example.org/SAML2/ArtifactResolution;>

https://sp.example.com/SAML2



http://www.w3.org/2000/09/xmldsig#
">...

artifact



8.  The IdP's Artifact Resolution Service extracts the MessageHandle
from the artifact and locates the original SAML  message
associated with it. This message is then placed inside a SAML
 message, which is returned to the SP over the SOAP
channel.





http://www.w3.org/2000/09/xmldsig#
">...







https://sp.example.com/SAML2/SSO/Artifact;>

https://idp.example.org/SAML2

http://www.w3.org/2000/09/xmldsig#
">...









https://idp.example.org/SAML2







u...@mail.example.org





https://sp.example.com/SAML2/SSO/Artifact;

NotOnOrAfter="2004-12-05T09:27:05Z"/>









https://sp.example.com/SAML2









estriction>

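The SP-initiated exchange Man H pasted (an AuthnRequest carried in a SAMLRequest form field with a RelayState, answered by a Response whose assertion carries InResponseTo, Recipient, NotOnOrAfter and an Audience) can be walked through end to end in a few dozen lines, and the IdP half also shows the metadata dependency Tim is asking about: a request whose AssertionConsumerServiceURL is not in the SP's metadata is refused before any assertion is built. The Python below is an added example written for this page, not code from CAS, Jenzabar or the SAML toolkits: the entity IDs and endpoints are the sp.example.com / idp.example.org names from the steps above, `IDP_REGISTERED_SPS` stands in for the SP metadata an IdP has loaded, and XML signatures and encryption are left out, which a real IdP and SP would verify before any of these checks.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Constructed parties, named after the example flow above (not a real deployment).
SP_ENTITY_ID = "https://sp.example.com/SAML2"
SP_ACS_URL = "https://sp.example.com/SAML2/SSO/POST"
IDP_ENTITY_ID = "https://idp.example.org/SAML2"
IDP_SSO_URL = "https://idp.example.org/SAML2/SSO/POST"
# Stand-in for the SP metadata the IdP has loaded: issuer -> ACS URLs it may use.
IDP_REGISTERED_SPS = {SP_ENTITY_ID: {SP_ACS_URL}}

def utc_now(): return datetime.now(timezone.utc).replace(microsecond=0)
def minutes_from_now(minutes): return utc_now() + timedelta(minutes=minutes)
def fmt(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def parse_ts(ts): return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sp_build_authn_request(relay_state, acs_url=SP_ACS_URL):
    """Step 2: the SP builds the AuthnRequest and the two hidden form fields.
    acs_url is a parameter only so that a mis-configured SP can be exercised."""
    req_id = "_" + secrets.token_hex(16)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": fmt(utc_now()),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    form = {"SAMLRequest": base64.b64encode(ET.tostring(req)).decode("ascii"),
            "RelayState": relay_state}   # opaque SP state, echoed back unchanged
    return req_id, form

def idp_handle_form(form, name_id):
    """Steps 3-6: the IdP decodes the posted request, checks it against the SP's
    metadata and, once the user is authenticated as name_id, issues the Response."""
    req = ET.fromstring(base64.b64decode(form["SAMLRequest"]))
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    acs = req.get("AssertionConsumerServiceURL")
    if issuer not in IDP_REGISTERED_SPS:
        raise ValueError(f"unknown SP issuer {issuer!r}")
    if acs not in IDP_REGISTERED_SPS[issuer]:
        raise ValueError(f"ACS URL {acs!r} is not in the metadata of {issuer}")
    now = utc_now()
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": fmt(now),
        "Destination": acs, "InResponseTo": req.get("ID")})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": fmt(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = name_id
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation",
                         {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", {
        "InResponseTo": req.get("ID"), "Recipient": acs,
        "NotOnOrAfter": fmt(now + timedelta(minutes=5))})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": fmt(now - timedelta(minutes=1)),
        "NotOnOrAfter": fmt(now + timedelta(minutes=5))})
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = issuer
    return {"SAMLResponse": base64.b64encode(ET.tostring(resp)).decode("ascii"),
            "RelayState": form["RelayState"]}

def sp_validate_response(form, pending_ids, now=None):
    """Step 7: the SP's Assertion Consumer Service. Returns (NameID, []) when every
    check passes, otherwise (None, [failed checks]); a request ID is honoured once."""
    now = now or utc_now()
    resp = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    assertion = resp.find("saml:Assertion", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = assertion.find("saml:Conditions", NS)
    status = resp.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    checks = [
        (resp.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY_ID, "issuer is not our IdP"),
        (status == "urn:oasis:names:tc:SAML:2.0:status:Success", "status is not Success"),
        (resp.get("Destination") == SP_ACS_URL, "Destination is not our ACS"),
        (resp.get("InResponseTo") in pending_ids, "InResponseTo unknown (unsolicited or replayed)"),
        (scd.get("Recipient") == SP_ACS_URL, "Recipient is not our ACS"),
        (now < parse_ts(scd.get("NotOnOrAfter")), "bearer confirmation expired"),
        (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")),
         "outside Conditions window"),
        (cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) == SP_ENTITY_ID,
         "Audience is not us"),
    ]
    failed = [msg for ok, msg in checks if not ok]
    if failed:
        return None, failed
    pending_ids.discard(resp.get("InResponseTo"))
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), []
```

The SP keeps the set of request IDs it has issued and removes an ID the first time a response for it is accepted, so the same posted response is rejected on a second delivery, and an assertion presented after its NotOnOrAfter fails both the bearer-confirmation and the Conditions check. Because the IdP copies the ACS URL it validated against metadata into Destination and Recipient, an SP whose registered metadata does not match what it actually sends gets refused at the IdP rather than silently accepted.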

[cas-user] Dashboard Issue with Waterfox

2018-02-28 Thread Cheltenham, Chris


Hello Everyone.

Has anyone seen this problem?

I was finally able to set up the dashboard with some help.

However I found a strange anomaly.

Using Waterfox, the 64 bit Firefox, I get a 500 internal error.

With ANY OTHER browser I used it works just fine.

Yes, I dumped the cache and cleared history several times.

Also, it gives you a java stack trace in the CAS logs saying

2018-02-28 10:22:12,567 DEBUG
[org.apereo.cas.web.FlowExecutionExceptionResolver] - 
org.pac4j.core.exception.TechnicalException: cannot validate CAS ticket:
ST-8-NW9hG5iesq69gE4h8cNehuDlKh0-devcas5

Caused by: org.jasig.cas.client.validation.TicketValidationException:
Ticket 'ST-8-NW9hG5iesq69gE4h8cNehuDlKh0-devcas5' not recognized

Always the same ticket # also.

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571



[cas-user] SAML and Jenzabar JICS

2018-02-28 Thread Tim Tyler
CAS Experts,

Looking for any hints I can get.

We are running CAS 5.2 on Redhat 7. I am trying to get SAML to work
with our Jenzabar JICS portal. Trying to configure CAS as the Identity
Manager and Jenzabar as the Identity Provider.

When one goes to our Jenzabar url to login, they simply need to click the
login icon.  It redirects the user back to our CAS server.  After
authenticating into CAS successfully, it never takes the user back to
Jenzabar.  I am not sure what side to blame and I have never configured
SAML before.

When configuring SAML 2.0 in the CAS-management, we do have the meta path
entered from Jenzabar and it does provide the following:

https://bcportaldev.beloit.edu/ics/StaticPages/SAML/ServiceProvider/ACS.aspx;>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecifiedhttps://bcportaldev.beloit.edu/ics/StaticPages/SAML/ServiceProvider/ACS.aspx"/>https://bcportaldev.beloit.edu/ics/StaticPages/SAML/ServiceProvider/ACS.aspx
"/>



I have the following in cas.properties:

# CAS SAML2.0 IDP
cas.authn.samlIdp.entityId=https://cas.beloit.edu:8443/idp
cas.authn.samlIdp.scope=cas.beloit.edu
cas.authn.samlIdp.metadata.cacheExpirationMinutes=30
cas.authn.samlIdp.metadata.failFast=false
cas.authn.samlIdp.metadata.location=file:/etc/cas/saml/
cas.authn.samlIdp.metadata.privateKeyAlgName=RSA
cas.authn.samlIdp.metadata.requireValidMetadata=true
cas.authn.samlIdp.logout.forceSignedLogoutRequests=true
cas.authn.samlIdp.logout.singleLogoutCallbacksDisabled=false
cas.authn.samlIdp.response.skewAllowance=0
cas.authn.samlIdp.response.signError=false
cas.authn.samlIdp.response.useAttributeFriendlyName=true



I do see the following in /etc/cas/saml self created by CAS.

drwxr-xr-x 2 root root  128 Feb 20 10:40 id
-rw-r--r-- 1 root root 1135 Feb 27 15:45 idp-encryption.crt
-rw-r--r-- 1 root root 1679 Feb 27 15:45 idp-encryption.key
-rw-r--r-- 1 root root 6938 Feb 27 15:49 idp-metadata.xml
-rw-r--r-- 1 root root 1135 Feb 27 15:45 idp-signing.crt





The following relates to our SAML json service for Jenzabar:



[root@cas services]# more Jenzabar-1519156718058.json
{
  @class: org.apereo.cas.support.saml.services.SamlRegisteredService
  serviceId: https://bcportaldev.beloit.edu.*
  name: Jenzabar
  id: 1519156718058
  expirationPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy
    deleteWhenExpired: false
    notifyWhenDeleted: false
  }
  proxyPolicy:
  {
    @class: org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy
  }
  evaluationOrder: -1
  usernameAttributeProvider:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider
    canonicalizationMode: NONE
    encryptUsername: false
  }
  logoutType: BACK_CHANNEL
  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
    principalAttributesRepository:
    {
      @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
      expiration: 2
      timeUnit: HOURS
    }
    consentPolicy:
    {
      @class: org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy
      enabled: true
    }
    authorizedToReleaseCredentialPassword: false
    authorizedToReleaseProxyGrantingTicket: false
    excludeDefaultAttributes: false
    authorizedToReleaseAuthenticationAttributes: true
  }
  multifactorPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    failureMode: NOT_SET
    bypassEnabled: false
  }
  accessStrategy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
    order: 0
    enabled: true
    ssoEnabled: true
    requireAllAttributes: true
    caseInsensitive: false
  }
  metadataLocation: https://bcportaldev.beloit.edu/ICS/StaticPages/SAML/ServiceProvider/Metadata.ashx
  metadataMaxValidity: 0
  metadataExpirationDuration: PT60M
  signAssertions: true
  skipGeneratingAssertionNameId: false
  skipGeneratingSubjectConfirmationInResponseTo: false
  skipGeneratingSubjectConfirmationNotOnOrAfter: false
  skipGeneratingSubjectConfirmationRecipient: false
  skipGeneratingSubjectConfirmationNotBefore: true
  signResponses: true
  encryptAssertions: true
  metadataCriteriaRoles: SPSSODescriptor
  metadataCriteriaRemoveEmptyEntitiesDescriptors: true
  metadataCriteriaRemoveRolelessEntityDescriptors: true
  signingCredentialType: BASIC
}



So what reason(s) might I look for that might explain why CAS doesn't send
the user back to the Jenzabar portal?   Could this be a problem with the
metadata?  Missing something on CAS?







Tim Tyler

Network Engineer

Beloit College


Re: [cas-user] What configuration for ticket 5.2 ?

2018-02-28 Thread Man H
[image: embedded image 1]

It expires

2018-02-28 11:05 GMT-03:00 vallee.romain :

> i don't find maxage into the cookie
>
> On Wednesday, February 28, 2018 at 14:56:24 UTC+1, Manfredo Hopp wrote:
>>
>> Cookies have maxage inside; what does yours say?
>>
>> On Wednesday, February 28, 2018, vallee.romain
>> wrote:
>>
>>> Without check rememberme.
>>>
>>> the tgc cookie is present .
>>>
>>>
>>> 
>>>
>>>
>>>
>>> And for cas.ticket.tgt.rememberMe.timeToKillInSeconds=135
>>>
>>>
>>> I don't find documentation on tgt , tgc ... :(
>>>
>>>
>>>
>>> On Wednesday, February 28, 2018 at 13:47:00 UTC+1, Manfredo Hopp wrote:


 Check maxage within cookie

 On Wednesday, February 28, 2018, vallee.romain
 wrote:

> Thank you all for your response.
> I'm surprised the TGC stays after the browser closes.
>
> For me, if we didn't check "Remember Me", we had authentication per
> session and not a cookie.
>
>
> cas.tgc.name=TGC
> #cas.tgc.secure=false
> #cas.tgc.rememberMeMaxAge=135
> cas.tgc.encryptionKey=kGF9P2ZuU0ovlaCWxhiHix1bxH2pGfqlG5qGzqdxjY4
> cas.tgc.signingKey=K5yrl7ThQ5wwX8pbtEgdHF4aDuwUwFkHmhARzSRdN
> vNpXF1FFk_sYIgRHZZVJWdlMlGecQ-bePNlf0pexIzj2A
> cas.tgc.cipherEnabled=true
>
> # #remember me 31 days in seconds
> # # Set to a negative value to never expire tickets
> cas.ticket.tgt.maxTimeToLiveInSeconds=25200
> #cas.ticket.tgt.timeToKillInSeconds=7200
> cas.ticket.tgt.rememberMe.enabled=true
> cas.ticket.tgt.rememberMe.timeToKillInSeconds=135
> #cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=135
>
>
> This is my new configuration.
> but the TGC cookie still remains after the closing of the web browser.
> In version 4.2 of jasig, if we closed the browser, the session was no
> longer maintained.
>
>
>
> On Tuesday, February 27, 2018 at 17:23:57 UTC+1, rbon wrote:
>>
>> Romain,
>>
>> I guess cas.tgc.remeberMeMaxAge overrides cas.tgc.maxAge.
>> If you want your session to end when browser is closed, leave out
>> cas.tgc.rememberMeMaxAge.
>>
>> Ray
>>
>> On Tue, 2018-02-27 at 00:09 -0800, vallee.romain wrote:
>>
>> Hello,
>>
>> I try to set up jasig TGC for this use case:
>>
>> When I check rememberMe: 1 month without needing to enter
>> login/password
>>
>> When I don't check rememberMe: 7 hours unless I close the browser.
>> If I close the browser, I would like to have a login/password prompt at
>> next
>> login.
>>
>>
>> I think rememberMe is ok.
>>
>> But when I try to close/open the browser, the session is already up.
>>
>> # cas.tgc.path=
>> cas.tgc.maxAge=-1
>> # cas.tgc.domain=
>> cas.tgc.name=TGC
>> cas.tgc.secure=false
>> cas.tgc.rememberMeMaxAge=135
>> cas.tgc.encryptionKey=xxx
>> cas.tgc.signingKey=x
>> cas.tgc.cipherEnabled=true
>>
>> # #remember me 31 days in seconds
>> # # Set to a negative value to never expire tickets
>> cas.ticket.tgt.maxTimeToLiveInSeconds=135
>> cas.ticket.tgt.timeToKillInSeconds=7200
>> cas.ticket.tgt.rememberMe.enabled=true
>> cas.ticket.tgt.rememberMe.timeToKillInSeconds=135
>> cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=135
>> ##
>> #Throttled Timeout
>> ##
>> cas.ticket.tgt.throttledTimeout.timeToKillInSeconds=28800
>> cas.ticket.tgt.throttledTimeout.timeInBetweenUsesInSeconds=5
>> cas.ticket.tgt.hardTimeout.timeToKillInSeconds=28800
>>
>>
>>
>> Have you got an idea ?
>>
>> Best regards
>>
>> Romain
>>
>> --
>> Ray Bon
>> Programmer analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | rb...@uvic.ca
>>

[cas-user] Re: CAS 5.2 LDAP Quert and Output

2018-02-28 Thread Kevin Liu
Thanks Ray! 

Unfortunately, I realized searching by OU for a user won't work. This is 
because of a couple of things. 
I originally thought OUs were groups and have since discovered they are not.
I want to authenticate using sAMAccountName and when you search by groups, 
none of the members have sAMAccountNames as a field. It only displays 
members as their DN, which doesn't contain the sAMAccountName. 
Now, I'm thinking of approaching it by pulling a user's entry and checking 
what they're a member of, as users do display their group membership.

Marc, or anyone else, how would I be able to restrict it down further? I 
see a cas.authn.ldap[0].searchEntryHandlers[0] but I'm not sure if this is 
what I want.


On Tuesday, February 27, 2018 at 3:24:33 PM UTC-6, Marc Dufour wrote:
>
> You can restrict the users able to authenticate with CAS if you have to,
> I'm just saying that it may not be the only way. Your reality is different than
> mine.
>
> As for the attributes: they are passed to the application, or in CAS 
> terminology, the service. principalAttributeList contains the attributes 
> available to CAS to pass to the service. When you create a service, you 
> configure the AttributeReleasePolicy that tells CAS what attributes the 
> application has access to (or released to it, in CAS language). See this 
> https://apereo.github.io/cas/5.2.x/installation/Service-Management.html 
> and this 
> https://apereo.github.io/cas/5.2.x/integration/Attribute-Release.html.
>



Re: [cas-user] What configuration for ticket 5.2 ?

2018-02-28 Thread vallee.romain
I don't find maxage in the cookie.

On Wednesday, 28 February 2018 14:56:24 UTC+1, Manfredo Hopp wrote:
>
> Cookies have maxage inside; what does yours say?
>
> On Wednesday, 28 February 2018, vallee.romain wrote:
>
>> Without checking rememberme,
>>
>> the TGC cookie is present.
>>
>>
>> 
>>
>>
>>
>> And for cas.ticket.tgt.rememberMe.timeToKillInSeconds=135
>>
>>
>> I don't find documentation on tgt, tgc... :(
>>
>>
>>
>> On Wednesday, 28 February 2018 13:47:00 UTC+1, Manfredo Hopp wrote:
>>>
>>>
>>> Check maxage within cookie
>>>
>>> On Wednesday, 28 February 2018, vallee.romain wrote:
>>>
 Thank you all for your response.
 I'm surprised the TGC stays after the browser closes.

 For me, if we didn't check "Remember Me", we had authentication per 
 session and not a cookie.


 cas.tgc.name=TGC
 #cas.tgc.secure=false
 #cas.tgc.rememberMeMaxAge=135
 cas.tgc.encryptionKey=kGF9P2ZuU0ovlaCWxhiHix1bxH2pGfqlG5qGzqdxjY4

 cas.tgc.signingKey=K5yrl7ThQ5wwX8pbtEgdHF4aDuwUwFkHmhARzSRdNvNpXF1FFk_sYIgRHZZVJWdlMlGecQ-bePNlf0pexIzj2A
 cas.tgc.cipherEnabled=true

 # #remember me 31 days in seconds
 # # Set to a negative value to never expire tickets
 cas.ticket.tgt.maxTimeToLiveInSeconds=25200
 #cas.ticket.tgt.timeToKillInSeconds=7200
 cas.ticket.tgt.rememberMe.enabled=true
 cas.ticket.tgt.rememberMe.timeToKillInSeconds=135
 #cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=135


 This is my new configuration,
 but the TGC cookie still remains after closing the web browser.
 In version 4.2 of Jasig CAS, if we closed the browser, the session was no
 longer maintained.



 On Tuesday, 27 February 2018 17:23:57 UTC+1, rbon wrote:
>
> Romain,
>
> I guess cas.tgc.rememberMeMaxAge overrides cas.tgc.maxAge.
> If you want your session to end when the browser is closed, leave out
> cas.tgc.rememberMeMaxAge.
>
> Ray
>
> On Tue, 2018-02-27 at 00:09 -0800, vallee.romain wrote:
>
> Hello,
>
> I try to set up the Jasig TGC for this use case:
>
> When I check rememberMe: 1 month without needing to enter login/password.
>
> When I don't check rememberMe: 7 hours unless I close the browser.
> If I close the browser, I would like to have a login/password prompt at the
> next login.
>
>
> I think rememberMe is OK.
>
> But when I close/open the browser, the session is already up.
>
> # cas.tgc.path=
> cas.tgc.maxAge=-1
> # cas.tgc.domain=
> cas.tgc.name=TGC
> cas.tgc.secure=false
> cas.tgc.rememberMeMaxAge=135
> cas.tgc.encryptionKey=xxx
> cas.tgc.signingKey=x
> cas.tgc.cipherEnabled=true
>
> # #remember me 31 days in seconds
> # # Set to a negative value to never expire tickets
> cas.ticket.tgt.maxTimeToLiveInSeconds=135
> cas.ticket.tgt.timeToKillInSeconds=7200
> cas.ticket.tgt.rememberMe.enabled=true
> cas.ticket.tgt.rememberMe.timeToKillInSeconds=135
> cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=135
> ##
> #Throttled Timeout
> ##
> cas.ticket.tgt.throttledTimeout.timeToKillInSeconds=28800
> cas.ticket.tgt.throttledTimeout.timeInBetweenUsesInSeconds=5
> cas.ticket.tgt.hardTimeout.timeToKillInSeconds=28800
>
>
>
> Have you got an idea?
>
> Best regards
>
> Romain
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca
>
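Manfredo's advice above is to look at the cookie itself: a browser keeps a cookie across restarts only when its Set-Cookie header carries Max-Age or Expires, which is exactly the "TGC still present after reopening the browser" symptom Romain describes. The Python helper below is an added example, not code from the thread or from CAS; it classifies a captured TGC Set-Cookie header and lists the attributes a reviewer would want changed. The sample headers are constructed and the ticket values are placeholders.

```python
"""Added example, not code from the thread or from CAS: classify a CAS
ticket-granting cookie (TGC) from its Set-Cookie header.

A cookie with neither Max-Age nor Expires is a session cookie and is
discarded when the browser closes; a cookie carrying either attribute
survives a browser restart. In the Servlet API a negative max age (as in
cas.tgc.maxAge=-1) yields a session cookie, i.e. no Max-Age is sent.
"""
from http.cookies import SimpleCookie

# Constructed sample headers; the TGT values are placeholders, not real tickets.
SESSION_TGC = "TGC=TGT-1-placeholder; Path=/cas; Secure; HttpOnly"
REMEMBER_ME_TGC = "TGC=TGT-2-placeholder; Path=/cas; Max-Age=2678400; Secure; HttpOnly"
WEAK_TGC = "TGC=TGT-3-placeholder; Path=/cas; Max-Age=135"


def classify_tgc(set_cookie_header: str, name: str = "TGC") -> dict:
    """Describe the named cookie in one Set-Cookie header.

    Returns a dict with
      persistent: True if Max-Age or Expires is present (survives browser close)
      max_age:    Max-Age as an int, or None when absent
      findings:   human-readable list of things a reviewer would want changed
    Raises KeyError if the header does not set a cookie with that name.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar[name]  # KeyError when the cookie name is absent

    max_age = morsel["max-age"]  # "" when the attribute is absent
    expires = morsel["expires"]
    persistent = bool(max_age) or bool(expires)

    findings = []
    if persistent:
        findings.append("persistent: cookie survives browser close "
                        "(expected only for Remember Me logins)")
    if not morsel["secure"]:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if not morsel["httponly"]:
        findings.append("missing HttpOnly: cookie readable by page scripts")

    return {
        "persistent": persistent,
        "max_age": int(max_age) if max_age else None,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, header in [("no Remember Me", SESSION_TGC),
                          ("Remember Me", REMEMBER_ME_TGC),
                          ("weak", WEAK_TGC)]:
        print(label, classify_tgc(header))
```

Paste the TGC Set-Cookie line from the browser's developer tools into classify_tgc to see which case your deployment is in.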

Re: [cas-user] What configuration for ticket 5.2 ?

2018-02-28 Thread Man H
Cookies have maxage inside; what does yours say?

On Wednesday, 28 February 2018, vallee.romain wrote:

> Without checking rememberme,
>
> the TGC cookie is present.
>
>
> 
>
>
>
> And for cas.ticket.tgt.rememberMe.timeToKillInSeconds=135
>
>
> I don't find documentation on tgt, tgc... :(
>
>
>
> On Wednesday, 28 February 2018 13:47:00 UTC+1, Manfredo Hopp wrote:
>>
>>
>> Check maxage within cookie
>>

Re: [cas-user] What configuration for ticket 5.2 ?

2018-02-28 Thread vallee.romain
Without checking rememberme,

the TGC cookie is present.





And for cas.ticket.tgt.rememberMe.timeToKillInSeconds=135


I don't find documentation on tgt, tgc... :(



On Wednesday, 28 February 2018 13:47:00 UTC+1, Manfredo Hopp wrote:
>
>
> Check maxage within cookie
>


Re: [cas-user] Customizing webflows

2018-02-28 Thread Jérôme LELEU
Hi,

You don't need to explicitly add the configuration class in your
spring.factories file. Adding the dependency is enough (there is already a
spring.factories file inside it).
Thanks.
Best regards,
Jérôme


On Wed, Feb 28, 2018 at 11:18 AM, yashwanth chowdary <
ryashwanthkumarchowd...@gmail.com> wrote:

> I want to use pswdreset-webflow in my cas5 overlay. I have added the
> dependencies and I have customized the login-webflow so that on click of the
> changepassword button it shows the view that is configured in the pswdreset
> webflow. I have added the class
> "org.apereo.cas.pm.config.PasswordManagementWebflowConfiguration" in the
> spring.factories file. I am facing the issue below: "NoSuchFlowFoundException".
>
>
> Please refer to the attached files for the dependencies, customized login
> flow and html files.
> Error log:
>
> org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'forceChangePassword' of flow 'login'
>   at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573)
>   at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263)
>   at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:483)
>   at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:216)
>   at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:470)
>   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
>   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
>   at com.sun.proxy.$Proxy125.resumeExecution(Unknown Source)
>   at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:253)
>   at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
>   at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>   at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>   at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
>   at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
>   at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
>   at org.apereo.cas.web.support.AuthenticationCredentialsLocalBinderClearingFilter.doFilter(AuthenticationCredentialsLocalBinderClearingFilter.java:30)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
>   at org.apereo.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:261)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
>   at org.apereo.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:237)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
>   at org.apereo.cas.security.AddResponseHeadersFilter.doFilter(AddResponseHeadersFilter.java:94)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
>   at org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:110)
>   at 
> 

Re: [cas-user] only delegated (pac4j SAML) authentication and no button click

2018-02-28 Thread Jérôme LELEU
Hi,

You need to use the following property:

# cas.authn.pac4j.autoRedirect=false

Thanks.
Best regards,
Jérôme


On Tue, Feb 27, 2018 at 8:35 PM, Scott Koranda  wrote:

> Hello,
>
> I am running CAS 5.2.2.
>
> I have successfully configured CAS to use pac4j for delegated
> authentication. Specifically CAS/pac4j is configured as a SAML SP.
>
> When I browse to a CAS client I am redirected to the CAS server login
> page. I can then click a button to kick off the SAML flow and am redirected
> to the SAML IdP for authentication. After returning to the CAS/pac4j SAML
> SP I am then redirected to the CAS client with a ticket, which is later
> validated and I successfully access the resource.
>
> I would like the delegated SAML authentication flow to be the only CAS
> authentication mechanism and I would like it so that I do not have to click
> a button to kick off the SAML flow. Ideally the user would never "see" the
> CAS server at all.
>
> I thought this configuration would make that happen:
>
> cas.authn.policy.requiredHandlerAuthenticationPolicyEnabled=true
> cas.authn.policy.req.handlerName=Pac4j
> cas.authn.policy.req.tryAll=false
> cas.authn.policy.req.enabled=true
> cas.authn.accept.users=
>
> With this configuration I still see the login page and have to click a
> button to cause the SAML flow.
>
> Is it possible to have the SAML flow start immediately without having to
> click the button?
>
> If so what configuration do I need?
>
> Thanks,
>
> Scott K
>


Re: [cas-user] [CAS 5.2.x] [OAuth] [Theme] How to make custom theme for OAuth sp

2018-02-28 Thread Man H
Try with


https://mysite.example.com:443/cas/oauth2.0/callbackAuthorize
?
client_name=XXX&
client_id=OAuthApp&
redirect_uri=http://www.example.com/sp&
response_type=code


as serviceId


On Wednesday, 28 February 2018, Andy Ng wrote:

> Hi Manfredo,
>
> I have the custom theme loaded no problem without oauth, is just that when
> I do it with oauth, setting the theme seems like a difficult task.
>
> -Andy
>
> On Wednesday, 28 February 2018 11:55:23 UTC+8, Manfredo Hopp wrote:
>>
>> Open the browser developer tool to see if the theme gets loaded.
>>
>> On Wednesday, 28 February 2018, Man H wrote:
>>
>>> Can't you just build a simple webapp with index.html?
>>>
>>> On Wednesday, 28 February 2018, Andy Ng wrote:
>>>
 Thanks Manfredo,

 Do you mean that I should:
 - Redirect user to login using Non Oauth Service first (with theme)
 - Then redirect user to login using Oauth Service for actual Oauth login

 Am I correct?

 I would prefer not to do the above, since that means the service
 provider needs to change their code, but if needed I think the above is
 still feasible, thanks Manfredo.

 I would like to see if there is a solution that does not use the non-OAuth
 login first. Thanks.

 -Andy

 On Wednesday, 28 February 2018 11:26:24 UTC+8, Manfredo Hopp wrote:
>
> Try to load that theme on a regular service, that is, a non-OAuth one.
>
> On Wednesday, 28 February 2018, Andy Ng wrote:
>
>> Hi all,
>>
>> I am using CAS 5.2.x, and using OAuth for one service provider. The
>> provider now would like to have a custom theme.
>>
>> I thought I can just do this:
>>
>> {
>>   "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
>>   "clientId": "OAuthApp",
>>   "clientSecret": "xx",
>>   "serviceId" : "^http://www.example.com/sp.*",
>>   "name" : "OAuthApp",
>>   "id" : 1000,
>>   "evaluationOrder" : 1000,
>>   "supportedResponseTypes" : [ "java.util.HashSet", [ "code" ] ],
>>   "supportedGrantTypes" : [ "java.util.HashSet", [ "authorization_code", "refresh_token" ] ],
>>   "theme" : "awesome_theme"
>> }
>>
>>
>>
>> However, it seems that the returned service is the one below:
>>
>> https://mysite.example.com:443/cas/oauth2.0/callbackAuthorize?
>> client_name=XXX&
>> client_id=OAuthApp&
>> redirect_uri=http://www.example.com/sp&
>> response_type=code
>>
>>
>> So the *theme* will not load. So my question is, is it possible for
>> me to make a custom theme for my OAuth SP provider?
>>
>> Thanks in advance!
>>
>> - Andy
>>
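Man H's suggestion rests on how CAS picks the registered service at login time: for an OAuth client the service URL CAS sees is its own callbackAuthorize URL (the one Andy pasted), not the application's redirect_uri, so a serviceId written against the application never matches and the theme on that entry is never used. The Python below is an added example, not code from the thread or from CAS; it assumes find-anywhere regex matching with the pattern's own ^ anchor, and uses constructed service entries modelled on the JSON in the thread, the second of which carries a serviceId aimed at the callbackAuthorize URL as Man H proposes.

```python
"""Added example, not the thread's or CAS's code: resolve which registered
service (and therefore which theme) matches a given service URL.

Mirrors the lookup CAS performs with regex serviceId patterns: services are
tried in ascending evaluationOrder and the first whose serviceId matches
wins. Find-anywhere matching with the pattern's own ^ anchor is assumed.
"""
import re

# Constructed service entries modelled on the thread's JSON. The first is the
# definition whose theme failed to load; the second is a serviceId written
# against the OAuth callbackAuthorize URL, which is what CAS actually sees.
# The second pattern pins client_id so it cannot match other OAuth clients.
SERVICES = [
    {
        "name": "OAuthApp",
        "id": 1000,
        "evaluationOrder": 1000,
        "serviceId": r"^http://www\.example\.com/sp.*",
        "theme": "awesome_theme",
    },
    {
        "name": "OAuthApp-callback",
        "id": 1001,
        "evaluationOrder": 999,
        "serviceId": (r"^https://mysite\.example\.com:443/cas/oauth2\.0/"
                      r"callbackAuthorize\?.*client_id=OAuthApp&.*"),
        "theme": "awesome_theme",
    },
]

# The service URL CAS sees during the OAuth login, as quoted in the thread.
CALLBACK_URL = (
    "https://mysite.example.com:443/cas/oauth2.0/callbackAuthorize"
    "?client_name=XXX&client_id=OAuthApp"
    "&redirect_uri=http://www.example.com/sp&response_type=code"
)


def find_service(service_url, services):
    """Return the first service (by evaluationOrder) whose serviceId matches."""
    for svc in sorted(services, key=lambda s: s["evaluationOrder"]):
        if re.search(svc["serviceId"], service_url):
            return svc
    return None


def theme_for(service_url, services):
    """Theme CAS would render for service_url, or None if no service matches."""
    svc = find_service(service_url, services)
    return svc.get("theme") if svc else None


if __name__ == "__main__":
    # Only the application-pattern service: the OAuth callback URL is unmatched
    print(theme_for(CALLBACK_URL, SERVICES[:1]))   # None
    # With the callbackAuthorize-based serviceId the theme resolves
    print(theme_for(CALLBACK_URL, SERVICES))        # awesome_theme
```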

Re: [cas-user] CAS 5.2 OpenLDAP not working: authentication failure and success

2018-02-28 Thread Man H
Log says

 - 
wrote:

> I configured CAS 5.2 to authenticate user login via OpenLDAP, but it is not working.
> My cas.properties:
> cas.authn.accept.users=
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldapUrl=ldap://localhost:389
> cas.authn.ldap[0].useSsl=false
> cas.authn.ldap[0].baseDn=ou=Users,dc=xx-cas,dc=com
> cas.authn.ldap[0].userFilter=uid={user}
> cas.authn.ldap[0].bindDn=cn=Manager,dc=xx-cas,dc=com
> cas.authn.ldap[0].bindCredential=
>
> Log:
> 2018-02-28 13:43:09,886 DEBUG [org.apereo.cas.authentication.adaptive.DefaultAdaptiveAuthenticationPolicy] -  has authorized client [xxx.xxx.xxx.xxx] to proceed.>
> 2018-02-28 13:43:09,887 DEBUG [org.apereo.cas.web.support.WebUtils] -
> 2018-02-28 13:43:09,887 DEBUG [org.apereo.cas.web.support.WebUtils] -
> 2018-02-28 13:43:09,889 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] -  authentication handlers are required for this transaction>
> 2018-02-28 13:43:09,890 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] -  handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler]>
> 2018-02-28 13:43:09,891 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -  Credentials may be incorrect or CAS cannot find authentication handler that supports [test] of type [UsernamePasswordCredential].>
>
> 2018-02-28 13:43:09,893 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  WHO: test
> WHAT: Supplied credentials: [test]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Wed Feb 28 13:43:09 GMT+07:00 2018
> CLIENT IP ADDRESS: xxx.xxx.xxx
>
> SERVER IP ADDRESS: xxx.xxx.xxx
> >
> 2018-02-28 13:43:09,945 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] -  plain properties nor XML>
> 2018-02-28 13:43:09,947 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] -  properties nor XML>
> 2018-02-28 13:43:09,949 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] -  properties nor XML>
> 2018-02-28 13:43:09,950 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] -  been modified>
>
> Any pointers on this will be highly appreciated. Thanks.
>
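The log quoted above already carries the diagnosis: the only handler CAS selected for the transaction is HttpBasedServiceCredentialsAuthenticationHandler, so nothing supports a UsernamePasswordCredential, and yet an AUTHENTICATION_SUCCESS audit record follows the ERROR for the same principal. The Python below is an added example, not code from the thread or from CAS; it scans constructed log lines modelled on the quoted ones, extracts the handler list and flags both symptoms. The expected handler name LdapAuthenticationHandler is assumed to be the default name the LDAP handler reports.

```python
"""Added example, not the thread's or CAS's code: detect two symptoms in a
CAS login log excerpt. (1) the resolver selected no handler that supports a
UsernamePasswordCredential (expected LDAP handler absent), and (2) an ERROR
for the attempt is followed by an AUTHENTICATION_SUCCESS audit record for
the same principal.
"""
import re

# Constructed log lines modelled on the thread's. The <...> message bodies
# that the list archive stripped are filled in with plausible text, and the
# IP addresses are documentation placeholders.
SAMPLE_LOG = """\
2018-02-28 13:43:09,890 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [HttpBasedServiceCredentialsAuthenticationHandler]>
2018-02-28 13:43:09,891 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [test] of type [UsernamePasswordCredential].>
2018-02-28 13:43:09,893 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
WHO: test
WHAT: Supplied credentials: [test]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Wed Feb 28 13:43:09 GMT+07:00 2018
CLIENT IP ADDRESS: 203.0.113.10
SERVER IP ADDRESS: 203.0.113.20
>
"""

HANDLERS_RE = re.compile(r"handlers used for this transaction are \[([^\]]*)\]")
NO_HANDLER_RE = re.compile(
    r"cannot find authentication handler that supports \[(?P<who>[^\]]+)\] "
    r"of type \[(?P<cred>[^\]]+)\]")
WHO_RE = re.compile(r"^WHO: (\S+)$", re.M)
ACTION_RE = re.compile(r"^ACTION: (\S+)$", re.M)


def handlers_used(log_text):
    """Handler names the resolver selected, taken from the last matching line."""
    names = HANDLERS_RE.findall(log_text)
    if not names:
        return []
    return [n.strip() for n in names[-1].split(",") if n.strip()]


def diagnose(log_text, expected_handler="LdapAuthenticationHandler"):
    """Return a list of findings for one login transaction's log excerpt."""
    findings = []
    used = handlers_used(log_text)
    if used and expected_handler not in used:
        findings.append(
            f"{expected_handler} not among handlers used {used}; "
            "check that the LDAP support module is active in the overlay")
    # Principals for which CAS reported that no handler supports the credential
    failed = {m.group("who") for m in NO_HANDLER_RE.finditer(log_text)}
    # Audit records are WHO/ACTION pairs in order; pair them up positionally
    for who, action in zip(WHO_RE.findall(log_text), ACTION_RE.findall(log_text)):
        if action == "AUTHENTICATION_SUCCESS" and who in failed:
            findings.append(
                f"principal {who!r}: 'cannot find authentication handler' ERROR "
                "followed by AUTHENTICATION_SUCCESS audit; verify which handler "
                "actually accepted the credentials")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print("-", finding)
```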


Re: [cas-user] What configuration for ticket 5.2 ?

2018-02-28 Thread Man H
Check maxage within cookie

On Wednesday, 28 February 2018, vallee.romain wrote:

> Thank you all for your response.
> I'm surprised the TGC stays after the browser closes.
>
> For me, if we didn't check "Remember Me", we had authentication per
> session and not a cookie.
>
>
> cas.tgc.name=TGC
> #cas.tgc.secure=false
> #cas.tgc.rememberMeMaxAge=135
> cas.tgc.encryptionKey=kGF9P2ZuU0ovlaCWxhiHix1bxH2pGfqlG5qGzqdxjY4
> cas.tgc.signingKey=K5yrl7ThQ5wwX8pbtEgdHF4aDuwUwFkHmhARzSRdNvNpXF1FFk_sYIgRHZZVJWdlMlGecQ-bePNlf0pexIzj2A
> cas.tgc.cipherEnabled=true
>
> # #remember me 31 days in seconds
> # # Set to a negative value to never expire tickets
> cas.ticket.tgt.maxTimeToLiveInSeconds=25200
> #cas.ticket.tgt.timeToKillInSeconds=7200
> cas.ticket.tgt.rememberMe.enabled=true
> cas.ticket.tgt.rememberMe.timeToKillInSeconds=135
> #cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=135
>
>
> This is my new configuration,
> but the TGC cookie still remains after closing the web browser.
> In version 4.2 of Jasig CAS, if we closed the browser, the session was no
> longer maintained.
>
>
>
> Le mardi 27 février 2018 17:23:57 UTC+1, rbon a écrit :
>>
>> Romain,
>>
>> I guess cas.tgc.remeberMeMaxAge overrides cas.tgc.maxAge.
>> If you want your session to end when browser is closed, leave out
>> cas.tgc.rememberMeMaxAge.
>>
>> Ray
>>
>> On Tue, 2018-02-27 at 00:09 -0800, vallee.romain wrote:
>>
>> Hello,
>>
>> I am trying to set up the Jasig TGC for this use case:
>>
>> When I check rememberMe: 1 month without needing to enter login/password.
>>
>> When I don't check rememberMe: 7 hours unless I close the browser. If I
>> close the browser, I would like to have a login/password prompt at the next
>> login.
>>
>>
>> I think rememberMe is OK.
>>
>> But when I try to close/open the browser, the session is already up.
>>
>> # cas.tgc.path=
>> cas.tgc.maxAge=-1
>> # cas.tgc.domain=
>> cas.tgc.name=TGC
>> cas.tgc.secure=false
>> cas.tgc.rememberMeMaxAge=135
>> cas.tgc.encryptionKey=xxx
>> cas.tgc.signingKey=x
>> cas.tgc.cipherEnabled=true
>>
>> # #remember me 31 days in seconds
>> # # Set to a negative value to never expire tickets
>> cas.ticket.tgt.maxTimeToLiveInSeconds=135
>> cas.ticket.tgt.timeToKillInSeconds=7200
>> cas.ticket.tgt.rememberMe.enabled=true
>> cas.ticket.tgt.rememberMe.timeToKillInSeconds=135
>> cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=135
>> ##
>> #Throttled Timeout
>> ##
>> cas.ticket.tgt.throttledTimeout.timeToKillInSeconds=28800
>> cas.ticket.tgt.throttledTimeout.timeInBetweenUsesInSeconds=5
>> cas.ticket.tgt.hardTimeout.timeToKillInSeconds=28800
>>
>>
>>
>> Have you got an idea?
>>
>> Best regards
>>
>> Romain
>>
>> --
>> Ray Bon
>> Programmer analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | rb...@uvic.ca
>>
>> --
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6c3297a3-0c5e-478e-ba81-0a4857dc6f5c%40apereo.org.
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMY5mifHoV6BFVAhmYn1rxQepy4YGbqDxf2UG4X1AhEgOo3n4w%40mail.gmail.com.


Re: [cas-user] CAS 5.2.2 logs showing authentication failure and sucess

2018-02-28 Thread Man H
See

https://groups.google.com/a/apereo.org/d/msgid/cas-user/56A68D83-B246-4917-9274-A1BE860FC5AA%40gmail.com?utm_medium=email_source=footer


On Wednesday, 28 February 2018, Michael MacEachran <mmaceach...@gmail.com> wrote:

> I am trying to add my own custom authentication handler that accesses the
> database and I have this in my main configuration class:
>
> @Bean
> public DatabaseAuthenticationProvider getAuthenticationProvider() {
>     return new DatabaseAuthenticationProvider("databaseAuthenticationProvider",
>             servicesManager, principalFactory, 1);
> }
>
> (the servicesManager and principalFactory are Autowired in)
>
> and I am getting this in my logs:
>
> 18-02-27 23:49:42.233 ERROR 28733 --- [nio-8443-exec-6] o.a.c.a.PolicyBasedAuthenticationManager : Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [mmaceachran] of type [UsernamePasswordCredential].
> 2018-02-27 23:49:42.235  INFO 28733 --- [nio-8443-exec-6] o.a.i.a.s.Slf4jLoggingAuditTrailManager : Audit trail record BEGIN
> =
> WHO: mmaceachran
> WHAT: Supplied credentials: [mmaceachran]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Tue Feb 27 23:49:42 EST 2018
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
> =
>
> So I have 2 questions:
>
> 1.  How do I tell CAS to use my authentication manager?
> 2.  Why does the log say that I have AUTHENTICATION_SUCCESS?
>
> Thank You!
>
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d3d51000-5f44-4800-93ba-6341b762b023%40apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMY5micu4%2B_prp%2Baent%3DAu%3DXudRasg6njc1TLppU2bAgWoEEDw%40mail.gmail.com.


[cas-user] Customizing webflows

2018-02-28 Thread yashwanth chowdary
I want to use pswdreset-webflow in my CAS 5 overlay. I have added the
dependencies and customized the login-webflow so that on click of the
change-password button it shows the view that is configured in the pswdreset
webflow. I have added the class
"org.apereo.cas.pm.config.PasswordManagementWebflowConfiguration" to the
spring.factories file. I am facing the issue below: "NoSuchFlowFoundException".


Please refer to the attached files for the dependencies, customized login
flow and HTML files.
Error log:

org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'forceChangePassword' of flow 'login'
at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573)
at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263)
at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:216)
at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:470)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
at com.sun.proxy.$Proxy125.resumeExecution(Unknown Source)
at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:253)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apereo.cas.web.support.AuthenticationCredentialsLocalBinderClearingFilter.doFilter(AuthenticationCredentialsLocalBinderClearingFilter.java:30)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apereo.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:261)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apereo.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:237)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apereo.cas.security.AddResponseHeadersFilter.doFilter(AddResponseHeadersFilter.java:94)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:110)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
at

Re: [cas-user] What configuration for ticket 5.2 ?

2018-02-28 Thread vallee.romain
Thank you all for your response.
I'm surprised the TGC stays after the browser closes.

For me, if we didn't check "Remember Me", we had authentication per session 
and not a cookie.


cas.tgc.name=TGC
#cas.tgc.secure=false
#cas.tgc.rememberMeMaxAge=135
cas.tgc.encryptionKey=kGF9P2ZuU0ovlaCWxhiHix1bxH2pGfqlG5qGzqdxjY4
cas.tgc.signingKey=K5yrl7ThQ5wwX8pbtEgdHF4aDuwUwFkHmhARzSRdNvNpXF1FFk_sYIgRHZZVJWdlMlGecQ-bePNlf0pexIzj2A
cas.tgc.cipherEnabled=true

# #remember me 31 days in seconds
# # Set to a negative value to never expire tickets
cas.ticket.tgt.maxTimeToLiveInSeconds=25200
#cas.ticket.tgt.timeToKillInSeconds=7200
cas.ticket.tgt.rememberMe.enabled=true
cas.ticket.tgt.rememberMe.timeToKillInSeconds=135
#cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=135


This is my new configuration,
but the TGC cookie still remains after the web browser is closed.
In version 4.2 of Jasig CAS, if we closed the browser, the session was no
longer maintained.



On Tuesday, 27 February 2018 at 17:23:57 UTC+1, rbon wrote:
>
> Romain,
>
> I guess cas.tgc.rememberMeMaxAge overrides cas.tgc.maxAge.
> If you want your session to end when browser is closed, leave out 
> cas.tgc.rememberMeMaxAge.
>
> Ray
>
> On Tue, 2018-02-27 at 00:09 -0800, vallee.romain wrote:
>
> Hello, 
>
> I am trying to set up the Jasig TGC for this use case:
>
> When I check rememberMe: 1 month without needing to enter login/password.
>
> When I don't check rememberMe: 7 hours unless I close the browser. If I
> close the browser, I would like to have a login/password prompt at the next
> login.
>
>
> I think rememberMe is OK.
>
> But when I try to close/open the browser, the session is already up.
>
> # cas.tgc.path=
> cas.tgc.maxAge=-1
> # cas.tgc.domain=
> cas.tgc.name=TGC
> cas.tgc.secure=false
> cas.tgc.rememberMeMaxAge=135
> cas.tgc.encryptionKey=xxx
> cas.tgc.signingKey=x
> cas.tgc.cipherEnabled=true
>
> # #remember me 31 days in seconds
> # # Set to a negative value to never expire tickets
> cas.ticket.tgt.maxTimeToLiveInSeconds=135
> cas.ticket.tgt.timeToKillInSeconds=7200
> cas.ticket.tgt.rememberMe.enabled=true
> cas.ticket.tgt.rememberMe.timeToKillInSeconds=135
> cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=135
> ##
> #Throttled Timeout
> ##
> cas.ticket.tgt.throttledTimeout.timeToKillInSeconds=28800
> cas.ticket.tgt.throttledTimeout.timeInBetweenUsesInSeconds=5
> cas.ticket.tgt.hardTimeout.timeToKillInSeconds=28800
>
>
>
> Have you got an idea?
>
> Best regards
>
> Romain
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6c3297a3-0c5e-478e-ba81-0a4857dc6f5c%40apereo.org.
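Romain's question and Man H's reply in this thread ("Check maxage within cookie") come down to one observable fact: whether the Set-Cookie header that CAS sends for the TGC carries a Max-Age or Expires attribute. A cookie without either is a session cookie that the browser drops on exit; a cookie with either is written to disk and is still presented after a restart, so SSO resumes silently as long as the TGT on the server side is still valid. The following is an added example, not code from the thread or from CAS, that parses a captured Set-Cookie header and reports that distinction together with the Secure and HttpOnly flags. The three header values are constructed samples with a placeholder cookie value.

```python
"""Inspect a Set-Cookie header and report whether the cookie is session-scoped.

A cookie with neither Max-Age nor Expires is a session cookie: the browser
discards it on exit.  A cookie with either attribute is written to disk and
is still presented after a browser restart.  For a CAS ticket-granting cookie
(TGC) that is the difference between "log in again after closing the browser"
and silent SSO on the next visit.
"""
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Constructed sample headers (the cookie value is a placeholder, not a real TGC).
SESSION_TGC = "TGC=<placeholder-tgc-value>; Path=/cas; Secure; HttpOnly"
PERSISTENT_TGC = ("TGC=<placeholder-tgc-value>; Max-Age=2678400; "
                  "Expires=Sat, 31 Mar 2018 00:00:00 GMT; Path=/cas; Secure; HttpOnly")
WEAK_TGC = "TGC=<placeholder-tgc-value>; Path=/cas; Max-Age=135"


@dataclass
class CookieReport:
    name: str
    session_cookie: bool        # True when neither Max-Age nor Expires is present
    max_age: Optional[int]      # seconds, exactly as the server sent it
    expires: Optional[datetime]
    secure: bool
    http_only: bool
    same_site: Optional[str]


def inspect_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value into a CookieReport.

    Attribute names are matched case-insensitively, as browsers do; an
    unparseable Max-Age or Expires is ignored rather than treated as fatal.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    max_age: Optional[int] = None
    expires: Optional[datetime] = None
    secure = http_only = False
    same_site: Optional[str] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            try:
                max_age = int(val)
            except ValueError:
                pass
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                pass
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
        elif key == "samesite":
            same_site = val
    return CookieReport(
        name=name.strip(),
        session_cookie=(max_age is None and expires is None),
        max_age=max_age,
        expires=expires,
        secure=secure,
        http_only=http_only,
        same_site=same_site,
    )


def findings(header: str) -> List[str]:
    """Review notes for one Set-Cookie header, lifetime first."""
    r = inspect_set_cookie(header)
    notes = []
    if r.session_cookie:
        notes.append("session cookie: no Max-Age/Expires, dropped when the browser exits")
    else:
        # Max-Age wins over Expires when both are present (RFC 6265, section 5.3).
        lifetime = (f"Max-Age={r.max_age}s" if r.max_age is not None
                    else f"Expires={r.expires.isoformat()}")
        notes.append(f"persistent cookie ({lifetime}): survives a browser restart")
    if not r.secure:
        notes.append("missing Secure: cookie may be sent over plain HTTP")
    if not r.http_only:
        notes.append("missing HttpOnly: cookie readable from page scripts")
    return notes


if __name__ == "__main__":
    for label, hdr in (("no Remember Me", SESSION_TGC),
                       ("Remember Me", PERSISTENT_TGC),
                       ("weak", WEAK_TGC)):
        print(label)
        for note in findings(hdr):
            print("  -", note)
```

Run it against the Set-Cookie header shown in the browser's network tab after a login without Remember Me: if the TGC comes back with a Max-Age or Expires, the browser will keep it across restarts whatever the TGT timeouts on the server are, and the fix is on the cookie side of the configuration, not the ticket side.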


[cas-user] Cas 5.2 OpenLDap notworking: authentication failure and sucess

2018-02-28 Thread s 1
I configured CAS 5.2 to authenticate user logins against OpenLDAP, but it is not working.
My cas.properties:
cas.authn.accept.users=
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://localhost:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=Users,dc=xx-cas,dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindDn=cn=Manager,dc=xx-cas,dc=com
cas.authn.ldap[0].bindCredential=

Log:
2018-02-28 13:43:09,886 DEBUG [org.apereo.cas.authentication.adaptive.DefaultAdaptiveAuthenticationPolicy] -
2018-02-28 13:43:09,887 DEBUG [org.apereo.cas.web.support.WebUtils] -
2018-02-28 13:43:09,887 DEBUG [org.apereo.cas.web.support.WebUtils] -
2018-02-28 13:43:09,889 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] -
2018-02-28 13:43:09,890 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] -
2018-02-28 13:43:09,891 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
2018-02-28 13:43:09,893 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
2018-02-28 13:43:09,945 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] -
2018-02-28 13:43:09,947 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] -
2018-02-28 13:43:09,949 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] -
2018-02-28 13:43:09,950 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] -

Any pointers on this will be highly appreciated. Thanks.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6b17b820-db5e-44c3-9538-19014843ab2b%40apereo.org.
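Before digging into why the handler above rejects the login, a reviewer would run a few static checks over a cas.properties block of this shape: whether the static accept-users list is really cleared, whether the LDAP URL is plaintext ldap:// with neither LDAPS nor StartTLS (so the manager bind password and every user's password cross the network unencrypted), and whether an AUTHENTICATED handler has a bindDn but an empty bindCredential. The following is an added example, not code from the post or from CAS, that parses such a block and reports those findings; it does not diagnose the failure in the log. The two property blocks are constructed (the hardened one uses a placeholder host and password), and cas.authn.ldap[0].useStartTls is a CAS LDAP property that the post does not show.

```python
"""Review a CAS 5.x LDAP authentication properties block before debugging it.

Checks applied: a non-empty cas.authn.accept.users next to LDAP, a plaintext
ldap:// URL without LDAPS or StartTLS, and an AUTHENTICATED handler whose
bindDn has no bindCredential.  Findings are review notes, not a diagnosis.
"""
import re
from typing import Dict, List

# Constructed sample modelled on the post (the bindCredential is empty there too).
POSTED_PROPERTIES = """
cas.authn.accept.users=
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://localhost:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=Users,dc=xx-cas,dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindDn=cn=Manager,dc=xx-cas,dc=com
cas.authn.ldap[0].bindCredential=
"""

# Constructed hardened variant: LDAPS and a bind password (placeholder values).
HARDENED_PROPERTIES = """
cas.authn.accept.users=
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://ldap.example.test:636
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].baseDn=ou=Users,dc=xx-cas,dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindDn=cn=Manager,dc=xx-cas,dc=com
cas.authn.ldap[0].bindCredential=<manager-password-placeholder>
"""

_LDAP_KEY = re.compile(r"^cas\.authn\.ldap\[(\d+)\]\.")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties-style parser: key=value, '#'/'!' comments.

    Only the first '=' separates key from value, so DNs and filters that
    themselves contain '=' survive intact.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def ldap_handler_indexes(props: Dict[str, str]) -> List[int]:
    """Indexes i for which some cas.authn.ldap[i].* key is defined."""
    found = set()
    for key in props:
        m = _LDAP_KEY.match(key)
        if m:
            found.add(int(m.group(1)))
    return sorted(found)


def _is_true(props: Dict[str, str], key: str) -> bool:
    return props.get(key, "false").strip().lower() == "true"


def lint(props: Dict[str, str]) -> List[str]:
    """Return review notes for the LDAP authentication settings in props."""
    notes: List[str] = []
    if props.get("cas.authn.accept.users"):
        notes.append("cas.authn.accept.users is non-empty: the static test account "
                     "stays valid alongside LDAP; clear it outside of development")
    for i in ldap_handler_indexes(props):
        p = f"cas.authn.ldap[{i}]."
        url = props.get(p + "ldapUrl", "")
        if (url.startswith("ldap://") and not _is_true(props, p + "useSsl")
                and not _is_true(props, p + "useStartTls")):
            notes.append(f"ldap[{i}]: plaintext ldap:// without LDAPS or StartTLS; "
                         "bind and user passwords cross the network unencrypted")
        if (props.get(p + "type", "").upper() == "AUTHENTICATED"
                and props.get(p + "bindDn") and not props.get(p + "bindCredential")):
            notes.append(f"ldap[{i}]: bindDn is set but bindCredential is empty; the "
                         "search bind has no password (check whether the secret was "
                         "only stripped from the snippet)")
    return notes


if __name__ == "__main__":
    for label, text in (("posted", POSTED_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(label, lint(parse_properties(text)) or ["no findings"])
```

The parser splits on the first '=' only, which matters here: baseDn and bindDn values contain further '=' characters, and a naive split would truncate them.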