[cas-user] Re: CAS 5.3.x Introduces Breaking Change for RequestID in cas-server-support-saml

2018-09-02 Thread Josh G
It's worth mentioning this issue is related to the following from July:

https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/RequestId|sort:date/cas-user/tm8aQrzKDbc/e4I2dkgVCQAJ
https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/RequestId|sort:date/cas-user/iQSoUno6Bms/zrQf5Ex-CAAJ

I'd like to reiterate that patching the client is not a fix here, the core 
of 5.3 needs to be patched to gracefully accept a null RequestID as all 
previous versions of CAS have.

On Monday, August 27, 2018 at 3:25:32 PM UTC-4, Josh G wrote:
>
>
> CAS 5.3.x introduces a breaking change to how RequestIDs are handled when 
> validating SAML Services.
>
> *In 5.2.x (and all previous versions of CAS), if the RequestID is not 
> present, it will gracefully fail by returning a null value:*
>
> https://github.com/apereo/cas/blob/5.2.x/support/cas-server-support-saml/src/main/java/org/apereo/cas/support/saml/authentication/principal/SamlServiceFactory.java
>
>     requestId = extractRequestId(requestBody);
>
>     /**
>      * Extract request id from the body.
>      *
>      * @param requestBody the request body
>      * @return the string
>      */
>     private static String extractRequestId(final String requestBody) {
>         if (!requestBody.contains("RequestID")) {
>             LOGGER.debug("Request body does not contain a request id");
>             return null;
>         }
>
>         try {
>             final int position = requestBody.indexOf("RequestID=\"")
>                 + CONST_REQUEST_ID_LENGTH;
>             final int nextPosition = requestBody.indexOf('"', position);
>
>             return requestBody.substring(position, nextPosition);
>         } catch (final Exception e) {
>             LOGGER.debug("Exception parsing RequestID from request.", e);
>             return null;
>         }
>     }
>
>
>
> *In 5.3.x, if the RequestID is not present it will throw a 
> NullPointerException:*
>
> https://github.com/apereo/cas/blob/5.3.x/support/cas-server-support-saml/src/main/java/org/apereo/cas/support/saml/authentication/principal/SamlServiceFactory.java#L63
>
>     @NonNull
>     final Attribute requestIdAttribute = requestChild.getAttribute("RequestID");
>     requestId = requestIdAttribute.getValue();
>
> *This change will break all versions of apereo/mod_auth_cas (See: 
> https://github.com/apereo/mod_auth_cas/issues/148) along with any other 
> client that does not properly implement support for the RequestID 
> parameter.*
>
> This change should be reverted (this is as simple as removing the 
> @NonNull Lombok annotation so the request will fall back to a null 
> response). Breaking every install of mod_auth_cas along with other legacy 
> clients cannot be considered acceptable.
>
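An added example (not code from the thread or from CAS) that models the two behaviours Josh describes on a constructed samlValidate SOAP body: a lenient extractor that returns None when RequestID is absent, beside a strict one that fails the way the @NonNull version does. Element names follow the SAML 1.1 protocol; the ticket value and RequestID are constructed.

```python
"""Tolerant vs strict RequestID extraction for a CAS /samlValidate body."""
import xml.etree.ElementTree as ET
from typing import Optional

SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"

# Constructed sample body (shape follows the CAS SAML 1.1 validation protocol).
BODY_WITH_ID = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
        MajorVersion="1" MinorVersion="1" RequestID="_abc123"
        IssueInstant="2018-08-27T19:25:32Z">
      <samlp:AssertionArtifact>ST-1-example</samlp:AssertionArtifact>
    </samlp:Request>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""
# The same request as a legacy client such as mod_auth_cas sends it: no RequestID.
BODY_WITHOUT_ID = BODY_WITH_ID.replace(' RequestID="_abc123"', "")


def _request_element(body: str) -> ET.Element:
    """Locate the samlp:Request element inside the SOAP envelope."""
    root = ET.fromstring(body)
    req = root.find(f".//{{{SAMLP_NS}}}Request")
    if req is None:
        raise ValueError("no samlp:Request element in body")
    return req


def extract_request_id_strict(body: str) -> str:
    """5.3.x-style behaviour: the attribute is assumed non-null, so its
    absence becomes an exception (the NullPointerException in the report)."""
    value = _request_element(body).get("RequestID")
    if value is None:
        raise ValueError("RequestID is treated as @NonNull but is absent")
    return value


def extract_request_id_lenient(body: str) -> Optional[str]:
    """5.2.x-style behaviour: a missing RequestID yields None, validation goes on."""
    return _request_element(body).get("RequestID")


def extract_artifact(body: str) -> Optional[str]:
    """The AssertionArtifact (the service ticket) is what is actually validated."""
    node = _request_element(body).find(f"{{{SAMLP_NS}}}AssertionArtifact")
    return node.text.strip() if node is not None and node.text else None
```

The lenient path still validates the ticket for a client that omits RequestID, which is the behaviour the report asks to be restored.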

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ad134531-d91c-4b13-a216-b3df6070b348%40apereo.org.


Re: [cas-user] Service Registry -- Getting the 1st Application Entered

2018-09-02 Thread 党田力
But 5.1.9 works.
Why?

On Friday, August 31, 2018 at 9:46:17 PM UTC+8, Francois Campbell wrote:
>
> Hi.
>
> I believe only one of the two should be in the pom.xml file at a time.
> 
> Regards
> *Francois Campbell*
> Teaching and Learning Product Lead
>
>
>
>
>
>
> On Fri, 31 Aug 2018 at 13:05, 党田力 wrote:
>
>> I tested on the 5.2.6 and 5.2.7 versions.
>> If I only append `cas-server-support-json-service-registry` to pom.xml, 
>> 'cas.serviceRegistry.initFromJson=true' works.
>> If I only append `cas-server-support-jpa-service-registry` to pom.xml, the 
>> database works.
>> But when I append both of them, the services defined in JSON are not loaded.
>>
>> On version 5.1.9 it works.
>>
>>
>> On Tuesday, May 15, 2018 at 8:15:55 PM UTC+8, David Curry wrote:
>>>
>>> Lionel and Jann,
>>>
>>> Did you ever have the JSON service registry working? If not, I recommend 
>>> that you take all the JPA stuff out of pom.xml and cas.properties and get 
>>> that working correctly first, so that you're only trying to debug one thing 
>>> at a time. Once you have the JSON service registry working correctly, for 
>>> both the main server and the management webapp, then it's time to move 
>>> things to JPA.
>>>
>>> The basic steps for moving to JPA *should* be this:
>>>
>>> 1. REMOVE the "cas-server-support-json-service-registry" dependency from 
>>> pom.xml (server and management webapp)
>>>
>>> 2. Add the "cas-server-support-jpa-service-registry" dependency and 
>>> whatever other dependencies go with it to pom.xml (server and management 
>>> webapp)
>>>
>>> 3. Rebuild the server and management webapp
>>>
>>> 4. In the server's cas.properties file, include BOTH of these lines:
>>>
>>> cas.serviceRegistry.json.location: file:/etc/cas/services
>>> cas.serviceRegistry.initFromJson:  true
>>>
>>>
>>> The first line should already be there (since before you start these 
>>> steps you're using the JSON service registry), but you must add the second 
>>> line.
>>>
>>> 5. Add all the lines you need to configure the JPA service registry to 
>>> the server's cas.properties file.
>>>
>>> 6. Start the CAS server (do not start the management webapp). You should 
>>> see it load the services from the JSON files (again, this should already be 
>>> working before you start) and then it will magically save them into the JPA 
>>> registry.
>>>
>>> 7. Shut the server down.
>>>
>>> 8. Check the database to see that the services actually got loaded 
>>> there. If not, this is where you need to start debugging. And the first 
>>> step of that would be setting the log level to "debug" in log4j2.xml, and 
>>> adding whatever Logger configuration you need to make the Oracle JDBC 
>>> library log for you as well.
>>>
>>> Once you've got the services loaded into the database
>>>
>>> 9. Remove the "cas.serviceRegistry.json.location" and 
>>> "cas.serviceRegistry.initFromJson" properties from the server's 
>>> cas.properties file.
>>>
>>> 10. Remove the "cas.serviceRegistry.json.location" property from, and 
>>> add all the JPA properties to, the management webapp's 
>>> management.properties file.
>>>
>>> At least, that's the procedure I followed to get the MongoDB service 
>>> registry working (see 
>>> https://dacurry-tns.github.io/deploying-apereo-cas/high-avail_service-registry_overview.html).
>>>  
>>> I've not used the JPA stuff at all, so no guarantees, but I don't see why 
>>> it should be any different.
>>>
>>> --Dave
>>>
>>>
>>> --
>>>
>>> DAVID A. CURRY, CISSP
>>> *DIRECTOR OF INFORMATION SECURITY*
>>> INFORMATION TECHNOLOGY
>>>
>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>>
>>>
>>> On Tue, May 15, 2018 at 12:14 AM, Lionel Samuel  
>>> wrote:
>>>
 Changing in "cas.properties"  
 'cas.serviceRegistry.json.location:file:/etc/cas/services' to 
 'cas.serviceRegistry.json.location:foobar:/etc/cas/services'

 The above does not generate an error message --- is that a sign it's 
 not loaded?


 On Monday, May 14, 2018 at 8:25:37 PM UTC-7, Lionel Samuel wrote:
>
> I'm working with Jann -- attached is our pom file (we call the jar 
> my-cas -- which is reflected in the URLs).
>
> It does not look like the JSON file is loaded -- I don't think it's 
> pom related --- but at the moment we are both stumped so anything goes.
>
> 2018-05-14 20:23:17,715 WARN 
> [org.apereo.cas.services.web.ServiceThemeResolver] -  service 
> is found to match 
> [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@330c1ecf[id=
> http://localhost:8080/cas-management/manage.html,originalUrl=http://localhost:8080/cas-management/manage.html,artifactId=,principal=,loggedOutAlready=false,format=XML]]
>  
> or service access is disallowed. Using default theme [cas-theme-default]>
>
> On Monday, May 14, 2018 at 5:42:35 PM UTC-7, Jann Malenkoff wrote:
>>
>>
>> Attached is my 'cas.properties' file
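An added check (not code from the thread or from CAS) for the setup 党田力 describes: it parses an overlay pom.xml and flags when more than one CAS service-registry module is declared at the same time, which is what Francois advises against and what David's step 1 removes. The pom fragment is constructed.

```python
"""Flag a CAS overlay pom.xml that declares more than one service-registry backend."""
import xml.etree.ElementTree as ET
from typing import List

POM_NS = "http://maven.apache.org/POM/4.0.0"
CAS_GROUP = "org.apereo.cas"
REGISTRY_PREFIX = "cas-server-support-"
REGISTRY_SUFFIX = "-service-registry"

# Constructed pom.xml fragment reproducing the reported setup: both modules present.
POM_BOTH = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apereo.cas</groupId>
      <artifactId>cas-server-support-json-service-registry</artifactId>
      <version>${cas.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apereo.cas</groupId>
      <artifactId>cas-server-support-jpa-service-registry</artifactId>
      <version>${cas.version}</version>
    </dependency>
  </dependencies>
</project>"""


def service_registry_modules(pom_xml: str) -> List[str]:
    """Return the artifactIds of every CAS service-registry module declared."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iter(f"{{{POM_NS}}}dependency"):
        group = dep.findtext(f"{{{POM_NS}}}groupId", default="")
        artifact = dep.findtext(f"{{{POM_NS}}}artifactId", default="")
        # Match cas-server-support-<backend>-service-registry from the CAS group only.
        if (group == CAS_GROUP and artifact.startswith(REGISTRY_PREFIX)
                and artifact.endswith(REGISTRY_SUFFIX)):
            found.append(artifact)
    return found


def registry_conflict(pom_xml: str) -> bool:
    """True when more than one registry backend is declared at once."""
    return len(service_registry_modules(pom_xml)) > 1


if __name__ == "__main__":
    print("registry modules:", service_registry_modules(POM_BOTH))
    print("conflict:", registry_conflict(POM_BOTH))
```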