Re: [cas-user] Service Registry - Store in MySQL database

2020-01-28 Thread Ray Bon
Bob,

We are using the 5.1.5 version of cas management. You only need to upgrade it 
if you want newer features, etc.
I also have grumblings about the 6.x version. I put off upgrading cas 
management until it settles.

Ray

On Tue, 2020-01-28 at 12:34 -0800, Bob wrote:
Hi Ray,

No, I'm currently just using the cas overlay (6.1.x).
I did try to get cas management working but had some issue with a pre-defined 
service registry in some kind of git repo.
Whenever I tried to enter a service via cas management, there was no option to 
save it to my database. All it ever did was show this 1 entry from a git repo.
Since I did get it working (reading my json file and storing it in a MySQL 
database) without cas management for version 5.3.9, I assumed it would work for 
version 6 as well.
Do you think cas management is the only way to get it stored in the database? I 
might have another look at it then.
Thanks,

Bob


On Tuesday, January 28, 2020 at 8:31:44 PM UTC+1, rbon wrote:
Bob,

Are you using the cas management server, 
https://github.com/apereo/cas-management-overlay?
If you are, what do the logs say when you try to save?

Ray

On Tue, 2020-01-28 at 03:50 -0800, Bob wrote:
Hello,

We are upgrading to CAS 6.1.x.
Most things seem to work fine (LDAP and reading Service Registry from json 
file) but we cannot get it to save the Service Registry in a MySQL casdb.
Is there a way to manually enter a Service Registry into a MySQL database?

Running CAS has created 3 tables in our MySQL database:

regex_registered_service
regex_registered_service_regex_registered_service_property
regex_registered_service_registered_service_impl_contact

Table regex_registered_service has the following columns:

+--+
| COLUMN_NAME  |
+--+
| access_strategy  |
| attribute_release|
| description  |
| environments |
| evaluation_order |
| expiration_policy|
| expression_type  |
| id   |
| information_Url  |
| logo |
| logout_type  |
| logout_url   |
| mfa_policy   |
| name |
| privacy_Url  |
| proxy_policy |
| proxy_ticket_expiration_policy   |
| public_key   |
| required_handlers|
| response_Type|
| service_Id   |
| service_ticket_expiration_policy |
| sso_participation_policy |
| theme|
| username_attr|
+--+
25 rows in set (0.00 sec)

How would I get the following json into this table?

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://localhost:9000/dashboard",
  "name" : "My App",
  "id" : 10001000,
  "description" : "My Dashboard App",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "memberOf" : "authorities"
    }
  },
  "evaluationOrder" : 100,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  }
}

Thanks in advance!

Bob

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.



Re: [cas-user] Service Registry - Store in MySQL database

2020-01-28 Thread Bob
Hi Ray,

No, I'm currently just using the cas overlay (6.1.x).
I did try to get cas management working but had some issue with a 
pre-defined service registry in some kind of git repo.
Whenever I tried to enter a service via cas management, there was no option 
to save it to my database. All it ever did was show this 1 entry from a git 
repo.
Since I did get it working (reading my json file and storing it in a MySQL 
database) without cas management for version 5.3.9, I assumed it would work 
for version 6 as well.
Do you think cas management is the only way to get it stored in the 
database? I might have another look at it then.
Thanks,

Bob


On Tuesday, January 28, 2020 at 8:31:44 PM UTC+1, rbon wrote:
>
> Bob,
>
> Are you using the cas management server, 
> https://github.com/apereo/cas-management-overlay?
> If you are, what do the logs say when you try to save?
>
> Ray
>
> On Tue, 2020-01-28 at 03:50 -0800, Bob wrote:
>
> Hello,
>
> We are upgrading to CAS 6.1.x.
> Most things seem to work fine (LDAP and reading Service Registry from json 
> file) but we cannot get it to save the Service Registry in a MySQL casdb.
> Is there a way to manually enter a Service Registry into a MySQL database?
>
> Running CAS has created 3 tables in our MySQL database:
>
> regex_registered_service
> regex_registered_service_regex_registered_service_property
> regex_registered_service_registered_service_impl_contact
>
>
> Table regex_registered_service has the following columns:
>
> +--+
> | COLUMN_NAME  |
> +--+
> | access_strategy  |
> | attribute_release|
> | description  |
> | environments |
> | evaluation_order |
> | expiration_policy|
> | expression_type  |
> | id   |
> | information_Url  |
> | logo |
> | logout_type  |
> | logout_url   |
> | mfa_policy   |
> | name |
> | privacy_Url  |
> | proxy_policy |
> | proxy_ticket_expiration_policy   |
> | public_key   |
> | required_handlers|
> | response_Type|
> | service_Id   |
> | service_ticket_expiration_policy |
> | sso_participation_policy |
> | theme|
> | username_attr|
> +--+
> 25 rows in set (0.00 sec)
>
> How would I get the following json into this table?
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "https://localhost:9000/dashboard",
>   "name" : "My App",
>   "id" : 10001000,
>   "description" : "My Dashboard App",
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>     "allowedAttributes" : {
>       "@class" : "java.util.TreeMap",
>       "memberOf" : "authorities"
>     }
>   },
>   "evaluationOrder" : 100,
>   "accessStrategy" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "enabled" : true,
>     "ssoEnabled" : true
>   }
> }
>
> Thanks in advance!
>
> Bob
>

Re: [cas-user] How do I cut some of the information that is logged with SERVICE_ACCESS_ENFORCEMENT_TRIGGERED log entries to our cas_audit log to reduce log verbosity?

2020-01-28 Thread Ray Bon
Carl,

To change the output of audit logging, you could override it with a custom 
implementation, 
https://apereo.github.io/2019/01/07/cas61-gettingstarted-overlay/#overlay-customization.
 This describes modifying text, but the process can be used to modify java 
classes as well. But see 
https://apereo.github.io/2017/09/10/stop-writing-code/. The java blog entry: 
https://apereo.github.io/2018/04/01/cas-overlays-supercharged/.

To hide log entries, you can use filters. For example:






See here for filter possibilities, 
https://logging.apache.org/log4j/2.x/manual/filters.html

Ray

On Mon, 2020-01-27 at 14:22 -0800, crdaudt wrote:
In updating from CAS 5.x to CAS 6.1.x, I see that additional logging 
information has been added to the cas_audit log, specifically, log entries that 
include "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED".  We would like either to 
reduce the amount of information in these entries, or possibly even omit these 
entries altogether.  The reason is that the security groups listing for many of 
our users results in rather large log entries.  For example, my own entry for 
"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" is an entry that is over 3,000 
characters long.

Perhaps some of my ideas below are not very good ideas, and I am open to 
perspective.


Idea 1:  Is it possible to replace the logged results of the "memberOf" field 
with ellipses, and if so, how?

-->I.e., change:
2020-01-27 15:56:06,835 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Mon Jan 27 
15:56:06 EST 2020|CAS|[result=Service Access 
Granted,service=https://my.casServer.edu/idp/Aut...,principal=SimplePrincipal(id=john_doe,
 attributes={displayName=[Doe, John], mail=[john_...@myuniversity.edu], 
memberOf=[CN=securityGroup1,OU=Faculty Groups,OU=Security 
Groups,DC=myADdomain,DC=myuniversity,DC=edu, CN=securityGroup2,OU=Faculty 
Groups,OU=Security Groups,DC=myADdomain,DC=myuniversity,DC=edu, 
CN=securityGroup3,OU=Faculty Groups,OU=Security 
Groups,DC=myADdomain,DC=myuniversity,DC=edu], sAMAccountName=[john_doe], 
UDC_IDENTIFIER=[john_doe]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|10.2.100.56

-->Into something like this:
2020-01-27 15:56:06,835 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Mon Jan 27 
15:56:06 EST 2020|CAS|[result=Service Access 
Granted,service=https://my.casServer.edu/idp/Aut...,principal=SimplePrincipal(id=john_doe,
 attributes={displayName=[Doe, John], mail=[john_...@myuniversity.edu], 
memberOf=[...]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|10.2.100.56


Idea 2:  Is it possible to omit the log entries for 
"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" altogether and if so, how?


Idea 3:  Is it possible to create two separate audit log files, one without the 
"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" entries (call this cas_audit.log) and 
one with the "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" (call this 
cas_audit_log.verbose)?  If so, how?  In this case, I would likely gzip the 
verbose logs relatively frequently.


I am open to other ideas as well.

Carl

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1412f2d1aed004a664829275c8fa588055406ccd.camel%40uvic.ca.
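Ray's filter example above did not survive the archive. The fragment below is an added example, not Ray's snippet and not the log4j2.xml that ships with CAS; it shows one log4j2 configuration that covers all three of Carl's ideas at once. The appender names, the file names and the logs/ directory are assumptions to adapt to your overlay's existing log4j2.xml; the logger name is the package of the Slf4jLoggingAuditTrailManager class that appears in Carl's log line.

```xml
<!-- Added example (not from the thread, not CAS's shipped config): a log4j2
     fragment to merge into the overlay's existing log4j2.xml. -->
<Configuration>
  <Appenders>

    <!-- Idea 1 + Idea 2: the day-to-day audit file.
         %replace collapses the memberOf list to "[...]" before the line is
         written; the RegexFilter drops SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
         entries from this file entirely. Keep only the piece you want.
         Appender name and paths are assumptions. -->
    <RollingFile name="casAudit"
                 fileName="logs/cas_audit.log"
                 filePattern="logs/cas_audit-%d{yyyy-MM-dd}.log.gz">
      <PatternLayout pattern="%d %p [%c] - %replace{%m}{memberOf=\[[^\]]*\]}{memberOf=[...]}%n"/>
      <Policies>
        <TimeBasedTriggeringPolicy/>
      </Policies>
      <!-- RegexFilter tests the formatted message with matches(), so the
           pattern needs the leading and trailing .* -->
      <RegexFilter regex=".*SERVICE_ACCESS_ENFORCEMENT_TRIGGERED.*"
                   onMatch="DENY" onMismatch="NEUTRAL"/>
    </RollingFile>

    <!-- Idea 3: a second, unfiltered file that keeps the full entries.
         A .gz filePattern makes log4j2 compress each rolled file, which
         covers the frequent gzip Carl mentioned. -->
    <RollingFile name="casAuditVerbose"
                 fileName="logs/cas_audit_verbose.log"
                 filePattern="logs/cas_audit_verbose-%d{yyyy-MM-dd}.log.gz">
      <PatternLayout pattern="%d %p [%c] - %m%n"/>
      <Policies>
        <TimeBasedTriggeringPolicy/>
      </Policies>
    </RollingFile>

  </Appenders>

  <Loggers>
    <!-- The inspektr audit trail (package of the class in Carl's log line)
         goes to both files; additivity="false" keeps it out of cas.log. -->
    <Logger name="org.apereo.inspektr.audit.support" level="info" additivity="false">
      <AppenderRef ref="casAudit"/>
      <AppenderRef ref="casAuditVerbose"/>
    </Logger>
  </Loggers>
</Configuration>
```

Merge the two appenders and the logger into the overlay's existing log4j2.xml rather than replacing it (the Root logger and the other CAS appenders are left out here on purpose). For idea 1 alone, delete the RegexFilter; for idea 2 alone, delete the casAuditVerbose appender and its AppenderRef. Since the %replace runs only in the casAudit layout, the verbose file still records the full attribute set that drove each access decision, which is the file to keep around if you ever need to reconstruct why a given user was granted or denied access to a service.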


Re: [cas-user] Service Registry - Store in MySQL database

2020-01-28 Thread Ray Bon
Bob,

Are you using the cas management server, 
https://github.com/apereo/cas-management-overlay?
If you are, what do the logs say when you try to save?

Ray

On Tue, 2020-01-28 at 03:50 -0800, Bob wrote:
Hello,

We are upgrading to CAS 6.1.x.
Most things seem to work fine (LDAP and reading Service Registry from json 
file) but we cannot get it to save the Service Registry in a MySQL casdb.
Is there a way to manually enter a Service Registry into a MySQL database?

Running CAS has created 3 tables in our MySQL database:

regex_registered_service
regex_registered_service_regex_registered_service_property
regex_registered_service_registered_service_impl_contact

Table regex_registered_service has the following columns:

+--+
| COLUMN_NAME  |
+--+
| access_strategy  |
| attribute_release|
| description  |
| environments |
| evaluation_order |
| expiration_policy|
| expression_type  |
| id   |
| information_Url  |
| logo |
| logout_type  |
| logout_url   |
| mfa_policy   |
| name |
| privacy_Url  |
| proxy_policy |
| proxy_ticket_expiration_policy   |
| public_key   |
| required_handlers|
| response_Type|
| service_Id   |
| service_ticket_expiration_policy |
| sso_participation_policy |
| theme|
| username_attr|
+--+
25 rows in set (0.00 sec)

How would I get the following json into this table?

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://localhost:9000/dashboard",
  "name" : "My App",
  "id" : 10001000,
  "description" : "My Dashboard App",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "memberOf" : "authorities"
    }
  },
  "evaluationOrder" : 100,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  }
}

Thanks in advance!

Bob



Re: [cas-user] Re: [CAS 6.1] Base64 decoding failed / incorrect header check

2020-01-28 Thread Pasek, Christine
Hi Mike,

Yes, we do support Google Apps and have the same entry in our logs:

"at
org.apereo.cas.support.saml.authentication.principal.GoogleAccountsServiceFactory.createService(GoogleAccountsServiceFactory.java:30)"

Thanks for sharing your insight. Hopefully, we can figure this out!

Chris


On Sat, Jan 25, 2020 at 3:33 PM Mike Osterman  wrote:

> Hi all,
>
> Just another piece to the puzzle...
>
> We have been on 5.3.x for a while, but it wasn't until we added and
> deployed support for Google Apps that we started seeing this error.
>
> Note that not too far down the error stack you find this line:
> "at
> org.apereo.cas.support.saml.authentication.principal.GoogleAccountsServiceFactory.createService(GoogleAccountsServiceFactory.java:34"
>
> So perhaps this is specific to
> the org.apereo.cas:cas-server-support-saml-googleapps dependency that Josh
> shared? Christine, do you have Google Apps support on 5.3.x as well?
>
> I can also concur that it doesn't seem to be causing any authentication
> issues, but it is definitely muddying up the logs and adding noise to
> troubleshooting other issues.
>
> Thanks,
> Mike
>
> On Wed, Jan 22, 2020 at 7:31 AM Pasek, Christine  wrote:
>
>> That is good to hear. Thanks for letting me know.
>>
>> On Wed, Jan 22, 2020 at 9:29 AM Josh 
>> wrote:
>>
>>> Hi Chris -
>>>
>>> No luck finding a solution on the error, however the good news is other
>>> than polluting our logs (which we could mitigate) there does not appear to
>>> be any negative user impact.
>>>
>>> We're several million authentications into this upgrade without any
>>> users reporting issues.
>>>
>>>
>>> On Wednesday, January 22, 2020 at 9:45:40 AM UTC-5, Christine Pasek
>>> wrote:

 Hello Josh,

 I have just upgraded from 5.2.X to 5.3.X and am experiencing the same
 error and like you, everything seems to be working fine.

 Were you able to find a solution to fixing this error?

 Thanks!
 Chris



[cas-user] CAS 5.3.x with Mongo Ticket Store (anyone had any issues)

2020-01-28 Thread Justin Isenhour
Hey All,

We are planning to go live in production with CAS 5.3.7 using the MongoDB 
ticket store in the next 6 weeks.  We have been using CAS for many years 
and are upgrading from 3.5.1 and DB2.  We have been running this in a non-prd 
environment for the last few months and everything has performed well even 
under many various load/capacity tests.  Just wanted to reach out to the 
community at large to find out if anyone else is running CAS 5 with a MongoDB 
ticket store, and whether you have had any issues, advice, or lessons learned that 
could help us head off any potential future production incidents? 

Thanks in advance,
Justin Isenhour



[cas-user] CAS 5.3.2 ConcurrentModificationException when creating TGT

2020-01-28 Thread Chris Luczkow
Hi -

We're seeing this intermittent exception when running under heavy load:

java.util.ConcurrentModificationException: null
at java.util.ArrayList.sort(ArrayList.java:1464) ~[?:1.8.0_201]
at java.util.Collections.sort(Collections.java:175) ~[?:1.8.0_201]
at org.springframework.core.OrderComparator.sort(OrderComparator.java:167) ~[spring-core-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.apereo.cas.rest.factory.ChainingRestHttpRequestCredentialFactory.fromRequestBody(ChainingRestHttpRequestCredentialFactory.java:41) ~[cas-server-core-rest-5.3.2.jar:5.3.2]
at org.apereo.cas.support.rest.resources.TicketGrantingTicketResource.createTicketGrantingTicketForRequest(TicketGrantingTicketResource.java:114) ~[cas-server-support-rest-5.3.2.jar:5.3.2]
at org.apereo.cas.support.rest.resources.TicketGrantingTicketResource.createTicketGrantingTicket(TicketGrantingTicketResource.java:66) ~[cas-server-support-rest-5.3.2.jar:5.3.2]

Wondering if this is a known issue or how to troubleshoot further.

Thanks
Chris



[cas-user] Service Registry - Store in MySQL database

2020-01-28 Thread Bob
Hello,

We are upgrading to CAS 6.1.x.
Most things seem to work fine (LDAP and reading Service Registry from json 
file) but we cannot get it to save the Service Registry in a MySQL casdb.
Is there a way to manually enter a Service Registry into a MySQL database?

Running CAS has created 3 tables in our MySQL database:

regex_registered_service
regex_registered_service_regex_registered_service_property
regex_registered_service_registered_service_impl_contact


Table regex_registered_service has the following columns:

+--+
| COLUMN_NAME  |
+--+
| access_strategy  |
| attribute_release|
| description  |
| environments |
| evaluation_order |
| expiration_policy|
| expression_type  |
| id   |
| information_Url  |
| logo |
| logout_type  |
| logout_url   |
| mfa_policy   |
| name |
| privacy_Url  |
| proxy_policy |
| proxy_ticket_expiration_policy   |
| public_key   |
| required_handlers|
| response_Type|
| service_Id   |
| service_ticket_expiration_policy |
| sso_participation_policy |
| theme|
| username_attr|
+--+
25 rows in set (0.00 sec)

How would I get the following json into this table?

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://localhost:9000/dashboard",
  "name" : "My App",
  "id" : 10001000,
  "description" : "My Dashboard App",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "memberOf" : "authorities"
    }
  },
  "evaluationOrder" : 100,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  }
}

Thanks in advance!

Bob



Re: [cas-user] Re: Double Login for Mozilla 4.0 User Agent

2020-01-28 Thread Justin Isenhour
Awesome, thanks for all the feedback guys. Very much appreciated.



From: cas-user@apereo.org  on behalf of leleuj 

Sent: Tuesday, January 28, 2020 5:59:55 AM
To: CAS Community 
Subject: [cas-user] Re: Double Login for Mozilla 4.0 User Agent

Hi,

You have the following property/option: cas.tgc.pinToSession (true by default) 
to attach the IP and user-agent to the SSO session.
In most cases, it's the right choice, but you may want to disable that behavior.
Thanks.
Best regards,
Jérôme


On Tuesday, January 28, 2020 11:46:57 UTC+1, Andy Ng wrote:
Hi Justin,

Nice that you think of a workaround!

I think it is strange that the ticket granting ticket contains the user agent...

Therefore, I have gone ahead and done some additional digging and found the 
following:
https://github.com/apereo/cas/blob/v5.3.7/core/cas-server-core-cookie-api/src/main/java/org/apereo/cas/web/support/DefaultCasCookieValueManager.java#L58


It seems to me that, rather than the TGT containing the user agent, the cookie 
manager will not accept a cookie created under a different user agent.

@Override
protected String obtainValueFromCompoundCookie(final String cookieValue, final HttpServletRequest request) {
    // Cookie layout: value|remoteAddr|userAgent
    val cookieParts = Splitter.on(String.valueOf(COOKIE_FIELD_SEPARATOR)).splitToList(cookieValue);
    if (cookieParts.isEmpty()) {
        throw new IllegalStateException("Invalid empty cookie");
    }
    val value = cookieParts.get(0);
    if (!cookieProperties.isPinToSession()) {
        LOGGER.trace("Cookie session-pinning is disabled. Returning cookie value as it was provided");
        return value;
    }
    if (cookieParts.size() != COOKIE_FIELDS_LENGTH) {
        throw new IllegalStateException("Invalid cookie. Required fields are missing");
    }
    val remoteAddr = cookieParts.get(1);
    val userAgent = cookieParts.get(2);
    if (Stream.of(value, remoteAddr, userAgent).anyMatch(StringUtils::isBlank)) {
        throw new IllegalStateException("Invalid cookie. Required fields are empty");
    }
    // Pinned values must match the current request's client IP and user agent
    val clientInfo = ClientInfoHolder.getClientInfo();
    if (!remoteAddr.equals(clientInfo.getClientIpAddress())) {
        throw new IllegalStateException("Invalid cookie. Required remote address "
            + remoteAddr + " does not match " + clientInfo.getClientIpAddress());
    }
    val agent = HttpRequestUtils.getHttpServletRequestUserAgent(request);
    if (!userAgent.equals(agent)) {
        throw new IllegalStateException("Invalid cookie. Required user-agent "
            + userAgent + " does not match " + agent);
    }
    return value;
}


Have you seen the above error (Invalid cookie. Required user-agent) in your 
CAS error log? If so, then it would justify my theory.

Still, I don't think it is wise to touch on that part of the source code, but 
it is always good to know in case you need to actually make support on the 
legacy service for cross compatibility and main browser.

Cheers!
- Andy











[cas-user] Re: Double Login for Mozilla 4.0 User Agent

2020-01-28 Thread leleuj
Hi,

You have the following property/option: *cas.tgc.pinToSession* (true by 
default) to attach the IP and user-agent to the SSO session.
In most cases, it's the right choice, but you may want to disable that 
behavior.
Thanks.
Best regards,
Jérôme


On Tuesday, January 28, 2020 11:46:57 UTC+1, Andy Ng wrote:
>
> Hi Justin,
>
> Nice that you think of a workaround!
>
> I think it is strange that the ticket granting ticket contains the user agent...
>
> Therefore, I have gone ahead and done some additional digging and found the 
> following:
>
> https://github.com/apereo/cas/blob/v5.3.7/core/cas-server-core-cookie-api/src/main/java/org/apereo/cas/web/support/DefaultCasCookieValueManager.java#L58
>
>
> It seems to me that, rather than the TGT containing the user agent, the 
> cookie manager will not accept a cookie created under a different user agent.
>
> @Override
> protected String obtainValueFromCompoundCookie(final String cookieValue, final HttpServletRequest request) {
>     // Cookie layout: value|remoteAddr|userAgent
>     val cookieParts = Splitter.on(String.valueOf(COOKIE_FIELD_SEPARATOR)).splitToList(cookieValue);
>     if (cookieParts.isEmpty()) {
>         throw new IllegalStateException("Invalid empty cookie");
>     }
>     val value = cookieParts.get(0);
>     if (!cookieProperties.isPinToSession()) {
>         LOGGER.trace("Cookie session-pinning is disabled. Returning cookie value as it was provided");
>         return value;
>     }
>     if (cookieParts.size() != COOKIE_FIELDS_LENGTH) {
>         throw new IllegalStateException("Invalid cookie. Required fields are missing");
>     }
>     val remoteAddr = cookieParts.get(1);
>     val userAgent = cookieParts.get(2);
>     if (Stream.of(value, remoteAddr, userAgent).anyMatch(StringUtils::isBlank)) {
>         throw new IllegalStateException("Invalid cookie. Required fields are empty");
>     }
>     // Pinned values must match the current request's client IP and user agent
>     val clientInfo = ClientInfoHolder.getClientInfo();
>     if (!remoteAddr.equals(clientInfo.getClientIpAddress())) {
>         throw new IllegalStateException("Invalid cookie. Required remote address "
>             + remoteAddr + " does not match " + clientInfo.getClientIpAddress());
>     }
>     val agent = HttpRequestUtils.getHttpServletRequestUserAgent(request);
>     if (!userAgent.equals(agent)) {
>         throw new IllegalStateException("Invalid cookie. Required user-agent "
>             + userAgent + " does not match " + agent);
>     }
>     return value;
> }
>
>
> Have you seen the above error (*Invalid cookie. Required user-agent*) 
> in your CAS error log? If so, then it would justify my theory.
>
> Still, I don't think it is wise to touch on that part of the source code, 
> but it is always good to know in case you need to actually make support on 
> the legacy service for cross compatibility and main browser.
>
> Cheers!
> - Andy


[cas-user] Re: Double Login for Mozilla 4.0 User Agent

2020-01-28 Thread Andy Ng
Hi Justin,

Nice that you think of a workaround!

I think it is strange that the ticket granting ticket contains the user agent...

Therefore, I have gone ahead and done some additional digging and found the 
following:
https://github.com/apereo/cas/blob/v5.3.7/core/cas-server-core-cookie-api/src/main/java/org/apereo/cas/web/support/DefaultCasCookieValueManager.java#L58


It seems to me that, rather than the TGT containing the user agent, the 
cookie manager will not accept a cookie created under a different user agent.

@Override
protected String obtainValueFromCompoundCookie(final String cookieValue, final HttpServletRequest request) {
    // Cookie layout: value|remoteAddr|userAgent
    val cookieParts = Splitter.on(String.valueOf(COOKIE_FIELD_SEPARATOR)).splitToList(cookieValue);
    if (cookieParts.isEmpty()) {
        throw new IllegalStateException("Invalid empty cookie");
    }
    val value = cookieParts.get(0);
    if (!cookieProperties.isPinToSession()) {
        LOGGER.trace("Cookie session-pinning is disabled. Returning cookie value as it was provided");
        return value;
    }
    if (cookieParts.size() != COOKIE_FIELDS_LENGTH) {
        throw new IllegalStateException("Invalid cookie. Required fields are missing");
    }
    val remoteAddr = cookieParts.get(1);
    val userAgent = cookieParts.get(2);
    if (Stream.of(value, remoteAddr, userAgent).anyMatch(StringUtils::isBlank)) {
        throw new IllegalStateException("Invalid cookie. Required fields are empty");
    }
    // Pinned values must match the current request's client IP and user agent
    val clientInfo = ClientInfoHolder.getClientInfo();
    if (!remoteAddr.equals(clientInfo.getClientIpAddress())) {
        throw new IllegalStateException("Invalid cookie. Required remote address "
            + remoteAddr + " does not match " + clientInfo.getClientIpAddress());
    }
    val agent = HttpRequestUtils.getHttpServletRequestUserAgent(request);
    if (!userAgent.equals(agent)) {
        throw new IllegalStateException("Invalid cookie. Required user-agent "
            + userAgent + " does not match " + agent);
    }
    return value;
}


Have you seen the above error (*Invalid cookie. Required user-agent*) in 
your CAS error log? If so, then it would justify my theory.

Still, I don't think it is wise to touch on that part of the source code, 
but it is always good to know in case you need to actually make support on 
the legacy service for cross compatibility and main browser.

Cheers!
- Andy







