Re: [cas-user] Getting 403 when POST to /cas endpoint

2021-01-21 Thread Yan Zhou
Hi, 

Trying to implement this: people logged into their app (that does not use 
CAS) click a link in their webapp, which triggers a POST to the CAS 
/login endpoint with a SAML Assertion in the POST body. My CAS implementation 
will detect the payload and then follow a different route of validating the 
SAML, etc. (the CAS login page does not show up; instead, we are validating 
the SAML Assertion). I thought the non-interactive type of login also comes 
in through the /login endpoint. Because we still want it to go through 
service validation, TGT/ST generation, etc., it has to go through the CAS 
login flow.

But we noticed that such a POST made by another webapp to the /cas endpoint fails 
in FF and Chrome; it works in IE.

CAS 5.3.x runs on Tomcat; the access logs show 403, but I do not see 
anything in the CAS or Tomcat logs (after turning on DEBUG). My guess is there is 
some kind of CSRF-type protection in CAS preventing such a POST? I placed 
"executionKey" in the form post, which made no difference: still 403.

How would such a non-interactive flow work? If CAS indeed has something 
preventing such a POST, why does IE work, and what is it?

Thanks,
Yan

On Thursday, January 21, 2021 at 7:09:35 PM UTC-5 richard.frovarp wrote:

> Why are you trying to POST to the login URL? It looks like this isn't
> the POST from the login page? What do the CAS logs say?
>
> On Thu, 2021-01-21 at 15:27 -0800, Yan Zhou wrote:
> > Hello, 
> > 
> > I am using CAS 5.3.X, but I think the same would apply to CAS4 or
> > CAS5.
> > 
> >  > action="https://.MyCASEndPoint,,>/cas/login">
> > 
> > 
> > In the browser, when I submit this form, I get 403.
> > 
> > But when I use Postman, it returns the CAS login page.
> > 
> > I do not understand why in the browser (FF and Chrome) I am getting 403;
> > is that because of CSRF? I tried to put in "execution" as a hidden
> > value, but that did not help.
> > 
> > Why does Postman return a different result than Chrome/FF?
> > 
> > Thanks,
> > Yan
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a1704227-b04a-48c0-9fbb-ce9fe7ca1ccdn%40apereo.org.


[cas-user] 3.5.2 Oracle DB compatibility

2021-01-21 Thread Kylie L
Will CAS 3.5.2 work with an Oracle 19c or 18c database?

Thanks

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9c9b1a3f-b236-430b-8d57-677cb5654a3en%40apereo.org.


Re: [cas-user] Getting 403 when POST to /cas endpoint

2021-01-21 Thread 'Richard Frovarp' via CAS Community
Why are you trying to POST to the login URL? It looks like this isn't
the POST from the login page? What do the CAS logs say?

On Thu, 2021-01-21 at 15:27 -0800, Yan Zhou wrote:
> Hello, 
> 
> I am using CAS 5.3.X, but I think the same would apply to CAS4 or
> CAS5.
> 
>  action="https://.MyCASEndPoint,,>/cas/login">
> 
> 
> In the browser, when I submit this form, I get 403.
> 
> But when I use Postman, it returns the CAS login page.
> 
> I do not understand why in the browser (FF and Chrome) I am getting 403;
> is that because of CSRF? I tried to put in "execution" as a hidden
> value, but that did not help.
> 
> Why does Postman return a different result than Chrome/FF?
> 
> Thanks,
> Yan

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2a9b6ed50da22a5cb6f82aa376e8354039519e6b.camel%40ndsu.edu.


[cas-user] Getting 403 when POST to /cas endpoint

2021-01-21 Thread Yan Zhou
Hello, 

I am using CAS 5.3.X, but I think the same would apply to CAS4 or CAS5.

https://.MyCASEndPoint,,>/cas/login">


In the browser, when I submit this form, I get 403.

But when I use Postman, it returns the CAS login page.

I do not understand why in the browser (FF and Chrome) I am getting 403; is 
that because of CSRF? I tried to put in "execution" as a hidden value, but 
that did not help.

Why does Postman return a different result than Chrome/FF?

Thanks,
Yan

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ed75ec30-3910-4120-b237-bc347e467147n%40apereo.org.


Re: [cas-user] [CAS] Configuration files protection in a production environment

2021-01-21 Thread Ray Bon
Davide,

We use the cas config server (spring cloud config). It has tools to encrypt 
secrets.

I remember someone on the list had a different solution to what you are asking, 
but I cannot find it at the moment nor remember what it was; I liked it, though.

Some searching in the archives should find it.

Ray


On Thu, 2021-01-21 at 07:54 -0800, Davide Malacrida wrote:


Hello everyone,

Lately we have been working on a locally deployed instance of Apereo CAS, in 
order to study the product a bit. We have the following doubt regarding how 
configuration files should be treated when deploying Apereo CAS in a real 
production environment:

In order to keep configuration files safe from being read and/or manipulated by 
an external attacker, we have basically encrypted every  pair with a 
symmetric key, which is shared with Apereo CAS itself. With this solution 
Apereo CAS can still access the configuration files when it starts, but if 
someone manages to get into the VM where the product is installed, he won’t be 
able to do anything with the files because they are encrypted.

However, we have decided to take this route just because this particular 
instance of the product is deployed locally and is used only for learning 
purposes. I have read online that sometimes when deploying in a real production 
environment, a good practice is to keep the configuration files in an external 
encrypted DB. The product can then be configured to gather these files from the 
external DB when it starts. I was wondering, is this considered a best practice 
when it comes to Apereo CAS (and most importantly, is this feature supported)? 
Also, are there any other best practices which you would suggest using with 
Apereo CAS when it comes to protecting configuration files in a real production 
environment?

Thanks for your help,

Davide Malacrida

IAM Functional Analyst

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0a59fb6e6e2e987b43bcb5cb533dfeb58d08971e.camel%40uvic.ca.


[cas-user] Re: Sanitize username

2021-01-21 Thread Rafiek M
Hi Andy,

Thanks for the help! We went with a custom filter that sanitizes the 
username value. We might refactor it to a custom Authentication handler in 
the future, but a filter seems like a pretty stable and simple solution 
for now.

kind regards,
Rafiek

Op donderdag 21 januari 2021 om 03:08:17 UTC+1 schreef Andy Ng:

> Hi Rafiek,
>
> I can think of 3 methods of implementing your requirement:
>
>    1. *Using Principal Transformation:*
>       1. e.g. 
>       https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#authentication-principal-transformation
>       for principal transformation for database
>       2. However, this kind of principal transformation only does 
>       transformation; it will not output an error if the transformation does not work
>       3. Also, you are bound by the default set of principal 
>       transformation options allowed (to upper, to lower), which I doubt is your 
>       goal
>    2. *Using pre-processor by Groovy script:*
>       1. While I haven't used this before, by the description it seems to 
>       match your use case:
>       2. 
>       https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#authentication-pre-processing
>       3. See if this will be useful; if not, use the other options
>    3. *Using custom Authentication Handler:*
>       1. Another way is to implement a custom authentication handler
>       2. See this for how to do it in an older version of CAS: 
>       https://apereo.github.io/2018/06/12/cas53-authn-handlers/
>       3. It is a lot more custom code, but that code is usually backward 
>       compatible (I have used custom authentication starting from 5.1 all the way to 6.2; 
>       it seems like it is still working without much editing)
>       4. The best thing about this option is that you will have full 
>       control over how you sanitize the username, including using maybe another 
>       component (e.g. JDBC) for your sanitization if you so choose
>
> See if this is useful. Or maybe other options are available as well; if so, 
> others can add them in.
>
> Cheers!
> - Andy
>
> On Monday, 18 January 2021 at 20:22:51 UTC+8 rafiek.moh...@gmail.com 
> wrote:
>
>> Hi all,
>>
>> Does anybody know how to sanitize the username? We are able to send any 
>> sequence of characters for the username, but we would like to limit the 
>> allowed set of characters.
>>
>> regards,
>> Rafiek
>>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e488fc0e-04a9-4be1-8595-1c81af57294fn%40apereo.org.
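An added example of the custom-filter approach this thread settled on; it is not Rafiek's filter and not CAS project code. The servlet filter below allow-lists the characters of the `username` form parameter on POSTs to the login endpoint and rejects anything else with a 400 instead of silently rewriting it (a rewritten name could collide with another account). The class name, the allow-list pattern, the 64-character limit and the `/login` path check are assumptions.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of CAS): validates the "username" form
 * parameter before the request reaches the CAS login webflow.
 */
public class UsernameSanitizingFilter implements Filter {

    // Assumed allow-list: letters, digits, dot, underscore, at-sign, hyphen; 1..64 chars.
    private static final Pattern ALLOWED = Pattern.compile("^[A-Za-z0-9._@-]{1,64}$");

    /** True when the supplied username contains only allow-listed characters. */
    static boolean isAcceptable(String username) {
        return username != null && ALLOWED.matcher(username).matches();
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Only inspect form posts to the login endpoint; everything else passes through.
        boolean loginPost = "POST".equalsIgnoreCase(req.getMethod())
                && req.getRequestURI().endsWith("/login");
        if (loginPost) {
            String username = req.getParameter("username");
            // A missing username is left for CAS to handle; a present but
            // malformed one is rejected here with a client error.
            if (username != null && !isAcceptable(username)) {
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "username contains disallowed characters");
                return;
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

In a Spring Boot based CAS overlay the filter can be registered with a `FilterRegistrationBean` in a configuration class, restricted to the login URL pattern.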


Re: [cas-user] [CAS] Automatically updated Time-based access strategy extension to current date

2021-01-21 Thread Misagh
Probably not "less custom", but I would either write my own access
strategy or use the one based on an external Groovy script to embed the
logic in there.

On Thu, Jan 21, 2021 at 7:54 PM Davide Malacrida
 wrote:
>
> Hello everyone,
>
> Lately we have been working on a locally deployed instance of Apereo CAS, in 
> order to study the product a bit. We have the following doubt regarding how 
> time-based service access strategy should be configured.
>
>
>
> In order to implement this functionality, we have used the time-based access 
> strategy extension, as described in the documentation 
> (https://apereo.github.io/cas/5.2.x/installation/Configuring-Service-Access-Strategy.html#time-based).
>  However, the documentation only described how one can set a static date and 
> time for this policy. Instead, we wanted the attributes startingDateTime and  
> endingDateTime to be automatically updated with the current date. In order to 
> do this, we have created a custom script. This script is scheduled to run 
> every day at the same hour and basically writes the values of these 
> attributes, so that they are always updated with the current date.
>
>
>
> We were wondering, is this the way time-based access strategy is supposed to 
> be implemented? Is there another less custom way that should be used in order 
> to achieve this result?
>
>
>
> Thanks for your help,
>
> Davide Malacrida
>
> IAM Functional Analyst
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGSBKkdHXjrGT4eMZuQgy%3DRr6kLSY1nYcuUEH3fDDjz5RogWWA%40mail.gmail.com.


[cas-user] [CAS] Configuration files protection in a production environment

2021-01-21 Thread Davide Malacrida


Hello everyone,

Lately we have been working on a locally deployed instance of Apereo CAS, 
in order to study the product a bit. We have the following doubt regarding 
how configuration files should be treated when deploying Apereo CAS in a 
real production environment: 

In order to keep configuration files safe from being read and/or 
manipulated by an external attacker, we have basically encrypted every 
 pair with a symmetric key, which is shared with Apereo CAS 
itself. With this solution Apereo CAS can still access the configuration 
files when it starts, but if someone manages to get into the VM where the 
product is installed, he won’t be able to do anything with the files 
because they are encrypted.

However, we have decided to take this route just because this particular 
instance of the product is deployed locally and is used only for learning 
purposes. I have read online that sometimes when deploying in a real 
production environment, a good practice is to keep the configuration files 
in an external encrypted DB. The product can then be configured to gather 
these files from the external DB when it starts. I was wondering, is this 
considered a best practice when it comes to Apereo CAS (and most 
importantly, is this feature supported)? Also, are there any other best 
practices which you would suggest using with Apereo CAS when it comes to 
protecting configuration files in a real production environment?

Thanks for your help,

*Davide Malacrida*

IAM Functional Analyst

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/01cc7bcf-aecc-4dc5-9b29-05b493dd24f3n%40apereo.org.


[cas-user] [CAS] Automatically updated Time-based access strategy extension to current date

2021-01-21 Thread Davide Malacrida


Hello everyone,

Lately we have been working on a locally deployed instance of Apereo CAS, 
in order to study the product a bit. We have the following doubt regarding 
how time-based service access strategy should be configured.

 

In order to implement this functionality, we have used the time-based 
access strategy extension, as described in the documentation (
https://apereo.github.io/cas/5.2.x/installation/Configuring-Service-Access-Strategy.html#time-based).
 
However, the documentation only described how one can set a static date and 
time for this policy. Instead, we wanted the attributes *startingDateTime* 
and  *endingDateTime* to be automatically updated with the current date. In 
order to do this, we have created a custom script. This script is scheduled 
to run every day at the same hour and basically writes the values of these 
attributes, so that they are always updated with the current date.

 

We were wondering, is this the way time-based access strategy is supposed 
to be implemented? Is there another less custom way that should be used in 
order to achieve this result?

 

Thanks for your help,

*Davide Malacrida*

IAM Functional Analyst

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1920ce52-3ea4-4bc5-8b59-973186abf819n%40apereo.org.


[cas-user] Understanding and customising audit log output

2021-01-21 Thread George Papakyriakopoulos
Hello everyone,

In the process of investigating an issue where some of our CAS users report 
their OneTimeToken getting rejected although they are supplying the correct 
ones from their Google Authenticator output (we have verified as much), I 
was trying to look into how I could potentially edit the CAS code to alter 
the audit log being emitted on a failed authentication attempt when 
providing an incorrect OneTimeToken.

I have spent a lot of time trying to understand how CAS and the Inspektr 
framework are intertwined and how information is passed from one to the 
other, but I'll admit I am a bit lost between the abstraction layers. Can 
any of you point me towards how I should approach this? Ideally the end 
goal is to be able to edit the "WHO" or "WHAT" audit log field, 
specifically for an AUTHENTICATION_FAILED action during OTP submission, and 
add custom information there.

Thank you very much in advance,
George

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ea8c09e6-a220-4596-9ad8-3a6f289a45dfn%40apereo.org.