[cas-user] Re: Can Apereo CAS redirect user to login page if got unrecognized ticket?

2020-05-07 Thread 'Maksim Kopeyka' via CAS Community
I recommend using the Hazelcast CAS ticket registry. In that case all nodes
have information about all tickets, so you don't need sticky sessions.

On Thursday, April 23, 2020 at 3:30:25 PM UTC+3, Сергей Степанов wrote:
>
> Hello! I need your help.
>
> I have several nodes of CAS, balanced through Nginx using ip hash. This
> works fine, but when I add or remove nodes, some users get a "Ticket not
> recognized" exception.
>
> Is it possible to make CAS delete unrecognized tickets and redirect the user
> to the login page?
>
> And also, can you tell me where exactly CAS stores the ticket on the client
> (cookie name)?
>
> Thank you!
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1b2b79f9-70af-441c-a2c9-7fb84b9afe2e%40apereo.org.


Re: [cas-user] Re: CAS 6.1.3 Discovery Client not initialized

2020-04-06 Thread 'Maksim Kopeyka' via CAS Community
Dmitriy,

Good point, thank you.
I solved my issue by adding this property:
spring.cloud.discovery.client.composite-indicator.enabled=false


On Tuesday, February 25, 2020 at 3:12:40 PM UTC+2, Dmitriy Kopyleenko wrote:
>
> Looks like something that is coming from Spring Boot 2.2: 
> https://github.com/spring-cloud/spring-cloud-commons/issues/633
>
>
> On February 25, 2020 at 05:32:53, 'Maksim Kopeyka' via CAS Community (
> cas-...@apereo.org ) wrote:
>
> I still have this problem even on my local PC. It worked fine with 6.0.3 but
> doesn't work with 6.1.3. Looks like a bug...
>
>

To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c277ac76-01b4-40b0-a9d1-7aca27dcff86%40apereo.org.


[cas-user] Re: CAS 6.1.3 jpa service registry doesn't work properly

2020-04-02 Thread 'Maksim Kopeyka' via CAS Community
Hi Bob,

The workaround of modifying CasServiceRegistryInitializationConfiguration.java
works fine, thank you.
Is it possible to fix this issue by adding an additional dependency
to build.gradle?

On Thursday, April 2, 2020 at 6:35:51 PM UTC+3, Bob wrote:
>
> Hi Maksim,
>
> I had a similar issue with CAS 6.1.x.
> The workaround from Michele worked for me. Please have a look at it:  
> https://groups.google.com/a/apereo.org/d/msg/cas-user/UZRwiZdgBAA/QixAg4q1AAAJ
> Hope this helps.
> Regards,
>
> Bob
>
>
> On Thursday, April 2, 2020 at 3:58:09 PM UTC+2, Maksim Kopeyka wrote:
>>
>> Hi Guys,
>>
>> I used CAS 6.0.3 with the jpa service registry and I saw records in the
>> database matching the content of the json files from /etc/cas/services.
>> After migration to CAS 6.1.3 I don't see any records in the DB.
>> I tried
>> cas.serviceRegistry.jpa.ddlAuto=create-drop
>> and
>> cas.serviceRegistry.jpa.ddlAuto=update
>>
>> I deleted the tables from the DB and CAS recreated them during startup, but the
>> tables are still empty. Seems to me it's a bug.
>>
>> These are my properties:
>> cas.serviceRegistry.json.location=file:/etc/cas/services
>> cas.serviceRegistry.initFromJson=true
>> cas.serviceRegistry.jpa.url=jdbc:mysql://${MYSQL_DATABASE_URL}:${MYSQL_DATABASE_PORT}/${MYSQL_DATABASE_NAME}
>> cas.serviceRegistry.jpa.dialect=org.hibernate.dialect.MySQL8Dialect
>> cas.serviceRegistry.jpa.user=${MYSQL_USER}
>> cas.serviceRegistry.jpa.password=${MYSQL_PASSWORD}
>> cas.serviceRegistry.jpa.ddlAuto=update
>> cas.serviceRegistry.jpa.driverClass=com.mysql.jdbc.Driver
>>
>>

To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/fb47cf10-057a-4301-9f5b-77b937ea69f9%40apereo.org.


[cas-user] CAS 6.1.3 jpa service registry doesn't work properly

2020-04-02 Thread 'Maksim Kopeyka' via CAS Community
Hi Guys,

I used CAS 6.0.3 with the jpa service registry and I saw records in the
database matching the content of the json files from /etc/cas/services.
After migration to CAS 6.1.3 I don't see any records in the DB.
I tried
cas.serviceRegistry.jpa.ddlAuto=create-drop
and
cas.serviceRegistry.jpa.ddlAuto=update

I deleted the tables from the DB and CAS recreated them during startup, but the
tables are still empty. Seems to me it's a bug.

These are my properties:
cas.serviceRegistry.json.location=file:/etc/cas/services
cas.serviceRegistry.initFromJson=true
cas.serviceRegistry.jpa.url=jdbc:mysql://${MYSQL_DATABASE_URL}:${MYSQL_DATABASE_PORT}/${MYSQL_DATABASE_NAME}
cas.serviceRegistry.jpa.dialect=org.hibernate.dialect.MySQL8Dialect
cas.serviceRegistry.jpa.user=${MYSQL_USER}
cas.serviceRegistry.jpa.password=${MYSQL_PASSWORD}
cas.serviceRegistry.jpa.ddlAuto=update
cas.serviceRegistry.jpa.driverClass=com.mysql.jdbc.Driver

To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0de7c4e2-11c5-41a1-b08f-776cabc82204%40apereo.org.


Re: [cas-user] CAS logout via ajax call

2020-03-27 Thread 'Maksim Kopeyka' via CAS Community
I think my ajax call doesn't use cookies because of CORS, so logout doesn't
work.

To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/26aa8b38-5f23-4494-b688-dd15a94f4839%40apereo.org.


[cas-user] CAS logout via ajax call

2020-03-27 Thread 'Maksim Kopeyka' via CAS Community
Hi Guys,

I have an environment with Keycloak and CAS 6.1.3, and I have a problem with
logout from CAS when there is a load balancer with SSL in front of CAS.
Keycloak sends a server-to-server logout request to CAS, and it works
perfectly without SSL, so I had the idea of solving the SSL issue by
sending a GET request to the CAS logout endpoint via an ajax request.

I modified Keycloak html page a bit
https://my.cas.com/cas/logout', false);xhttp.send();">
${msg("doSignOut")}

So I see my request in CAS access log after logout from Keycloak
[27/Mar/2020:17:19:44 +0200] 192.168.1.108 "GET /cas/logout HTTP/1.0" 200 (64 ms)

But the CAS session is still alive after this call. Logout works fine if I call
the same endpoint manually in the browser.
How do I do this via ajax?

To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/672725a6-91a1-40dd-91cc-1b1b051ed836%40apereo.org.


Re: [cas-user] Re: Keycloak Backchannel Logout and CAS

2020-03-24 Thread 'Maksim Kopeyka' via CAS Community
I debugged CAS and found strange behavior:

1. Keycloak sends the correct request to the "/idp/profile/SAML2/POST/SLO"
   endpoint.
2. CAS sends a redirect to "/cas/logout" in both cases (http and https);
   however, the session is invalidated in http mode only:
   https://github.com/apereo/cas/blob/master/support/cas-server-support-saml-idp-web/src/main/java/org/apereo/cas/support/saml/web/idp/profile/slo/AbstractSamlSLOProfileHandlerController.java#L70
3. The Java code related to "/cas/logout" isn't triggered; however, it is
   triggered when I call "/cas/logout" in the browser:
   https://github.com/apereo/cas/blob/master/core/cas-server-core-logout-api/src/main/java/org/apereo/cas/logout/DefaultLogoutManager.java#L37

Why isn't the code related to "/cas/logout" triggered?

On Wednesday, March 18, 2020 at 5:29:09 PM UTC+2, Maksim Kopeyka wrote:
>
> I excluded nginx from my local env so I have only executable CAS.war and 
> keycloak.
> I configured CAS to use SSL in this way:
>
> server.ssl.enabled=true
> server.ssl.key-store-type=JKS
> server.ssl.key-store=C:/Environment/jdk-11.0.5/bin/caskeystore.jks
> server.ssl.key-store-password=changeit
> server.ssl.key-alias=my.cas.com
>
> Backchannel logout doesn't work. Looks like SSL causes this issue; it doesn't
> matter whether it's nginx or embedded tomcat.
>
> On Tuesday, March 17, 2020 at 11:49:34 PM UTC+2, Maksim Kopeyka wrote:
>>
>> Ray,
>>
>> I had some issues related to the self-signed certificate on my local
>> env. CAS and Keycloak produced an exception related to the certificate and the
>> flow didn't work at all.
>> I regenerated the certificate for the domain instead of 127.0.0.1 and all
>> exceptions were gone. So it's not an issue with the certificate.
>> Also I have the same problem on the real environment with a real certificate.
>> It also works fine without SSL, but with SSL the CAS session stays alive after
>> logout in keycloak.
>>
>> On Tuesday, March 17, 2020 at 5:44:35 PM UTC+2, rbon wrote:
>>>
>>> Maksim,
>>>
>>> Could this be a certificate issue?
>>>
>>> If this is a self-signed certificate, you will need to add it to the java
>>> keystore (trust store).
>>> https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores
>>>
>>> Ray
>>>
>>> On Mon, 2020-03-16 at 16:46 -0700, 'Maksim Kopeyka' via CAS Community 
>>> wrote:
>>>
>>> That's interesting. Backchannel logout works in case the load balancer of
>>> CAS (nginx) doesn't use SSL; however backchannel doesn't work in case nginx
>>> uses SSL.
>>> I see the same output in the console of the CAS server in both cases (with SSL
>>> and without SSL)
>>>
>>> -- 
>>>
>>> Ray Bon
>>> Programmer Analyst
>>> Development Services, University Systems
>>> 2507218831 | CLE 019 | rb...@uvic.ca
>>>
>>> I respectfully acknowledge that my place of work is located within the 
>>> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
>>> WSÁNEĆ Nations.
>>>
>>

To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9f7a364f-a4b6-4644-bd8d-6f86ce16e4ef%40apereo.org.


Re: [cas-user] CAS Logout Issue

2020-03-24 Thread 'Maksim Kopeyka' via CAS Community
Hi Ramakrishna,

Did you solve your issue? I have the same problem with SSL, where the session is
still alive after backchannel logout.

On Wednesday, May 23, 2018 at 2:32:41 PM UTC+3, Ramakrishna G wrote:
>
> Ok Ray. Thanks for your help!!
>
> Anyone who has worked on mod_auth_cas along with the CAS server, pls guide me.
> My issue is that the MOD_AUTH_CAS_S cookie is not removed from the browser after logout.
>
> Thanks
> Ramakrishna G
>
> On Tue, May 22, 2018 at 9:53 PM, Ray Bon wrote:
>
>> Ramakrishna,
>>
>> This now sounds like an issue on the client side. I have not used 
>> mod_auth_cas. Try debugging it and your client for how they handle the 
>> logout request.
>>
>> Ray
>>
>> On Tue, 2018-05-22 at 15:41 +0530, Ramakrishna G wrote:
>>
>> Ray, 
>>
>> I was able to solve the ssl issue using openssl. Now I am using https at
>> both ends with a valid certificate.
>>
>> But my original problem of CAS not logging out still persists.
>>
>> On Sat, May 19, 2018 at 4:51 PM, Ramakrishna G wrote:
>>
>> Ray, 
>>
>> I configured ssl as advised by you. Now I have a different issue.
>>
>> When I use CASValidateURL with an https url I get this Unauthorized error.
>> If I remove https it works, but the logout issue still persists:
>>
>> Unauthorized
>>
>> This server could not verify that you are authorized to access the
>> document requested. Either you supplied the wrong credentials (e.g., bad
>> password), or your browser doesn't understand how to supply the credentials
>> required.
>>
>>
>> I am sharing my config
>>
>> CASCookiePath /var/cache/mod_auth_cas/
>> CASCertificatePath /etc/httpd/conf/casdev.crt
>> CASLoginURL https://192.168.111.12:8443/cas/login
>> CASRootProxiedAs https://192.168.111.12:8443
>> CASValidateURL https://192.168.111.12:8443/cas/serviceValidate
>> #CASValidateURL http://192.168.111.12:/cas/serviceValidate // Tomcat http port
>> CASValidateSAML Off
>> CASSSOEnabled On
>>
>> SSLProxyEngine on
>> SSLProxyVerify none
>> SSLProxyCheckPeerCN off
>> SSLProxyCheckPeerName off
>> SSLProxyCheckPeerExpire off
>> Loglevel debug
>>
>> AllowOverride
>> AuthType CAS
>> require valid-user
>> CASRenew On
>> ProxyPass http://192.168.111.10/
>> ProxyPassReverse http://192.168.111.10/
>>
>> Require all granted
>> ProxyPass https://192.168.111.12:9443/cas // Tomcat https port 9443
>> ProxyPassReverse https://192.168.111.12:9443/cas
>>
>>
>> 
>>
>>
>> On Fri, May 18, 2018 at 8:50 PM, Ray Bon wrote:
>>
>> Ramakrishna,
>>
>> During log out when CAS contacts your service (where mod_auth_cas is), it 
>> does so with https. You need to install the custom certificate that is on 
>> your service into the jvm running CAS.
>>
>> sudo keytool -import -file ${certName} -alias ${aliasName} -keystore $JAVA_HOME/jre/lib/security/cacerts
>>
>> https://apereo.github.io/cas/developer/Build-Process-5X.html#configure-ssl
>>
>> Ray
>>
>> On Fri, 2018-05-18 at 11:04 +0530, Ramakrishna G wrote:
>>
>> Ray, 
>>
>> Let me explain my architecture. I have a CAS client (mod_auth_cas)
>> which redirects to an NGINX load balancer. The nginx forwards to one of the
>> active CAS servers. Do I need to install certificates on all CAS servers?
>>
>> Users request mod_auth_cas via HTTPS, but I am doing SSL stripping for
>> internal communication from Nginx to the CAS server, i.e. plain HTTP
>> communication is happening from nginx to the CAS server.
>>
>>
>> Can you pls guide me how I can achieve logout for my approach.
>>
>> On Thu, May 17, 2018 at 9:49 PM, Ray Bon wrote:
>>
>> Ramakrishna,
>>
>> Add this to the log config:
>>
>> 
>>
>> The above may produce a lot of messages.
>> It looks to be a problem with CAS contacting your client. It could be a 
>> certificate issue.
>> I guess you created a certificate since it is on a 192 ip. Did you add 
>> the certificate to the java key store? If CAS and your client are on 
>> different machines, then the certificate will need to be added to both.
>>
>> Ray
>>
>> On Thu, 2018-05-17 at 12:01 +0530, Ramakrishna G wrote:
>>
>> Hi Ray, 
>>
>> As said by you, I enabled logs and this is the output
>>
>> 2018-05-17 11:50:46,479 INFO [org.apereo.cas.logout.DefaultLogoutManager] - > [TGT-2-*eGcHG1JqHs-client]>
>> 2018-05-17 11:50:46,501 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - > [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=,principal=casuser,loggedOutAlready=false,format=XML]]...>
>> 2018-05-17 11:50:46,503 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - >

Re: [cas-user] Re: Keycloak Backchannel Logout and CAS

2020-03-18 Thread 'Maksim Kopeyka' via CAS Community
I excluded nginx from my local env so I have only executable CAS.war and 
keycloak.
I configured CAS to use SSL in this way:

server.ssl.enabled=true
server.ssl.key-store-type=JKS
server.ssl.key-store=C:/Environment/jdk-11.0.5/bin/caskeystore.jks
server.ssl.key-store-password=changeit
server.ssl.key-alias=my.cas.com

Backchannel logout doesn't work. Looks like SSL causes this issue; it doesn't
matter whether it's nginx or embedded tomcat.

On Tuesday, March 17, 2020 at 11:49:34 PM UTC+2, Maksim Kopeyka wrote:
>
> Ray,
>
> I had some issues related to the self-signed certificate on my local env.
> CAS and Keycloak produced an exception related to the certificate and the flow
> didn't work at all.
> I regenerated the certificate for the domain instead of 127.0.0.1 and all
> exceptions were gone. So it's not an issue with the certificate.
> Also I have the same problem on the real environment with a real certificate. It
> also works fine without SSL, but with SSL the CAS session stays alive after
> logout in keycloak.
>
> On Tuesday, March 17, 2020 at 5:44:35 PM UTC+2, rbon wrote:
>>
>> Maksim,
>>
>> Could this be a certificate issue?
>>
>> If this is a self-signed certificate, you will need to add it to the java
>> keystore (trust store).
>> https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores
>>
>> Ray
>>
>> On Mon, 2020-03-16 at 16:46 -0700, 'Maksim Kopeyka' via CAS Community 
>> wrote:
>>
>> That's interesting. Backchannel logout works in case the load balancer of CAS
>> (nginx) doesn't use SSL; however backchannel doesn't work in case nginx uses
>> SSL.
>> I see the same output in the console of the CAS server in both cases (with SSL
>> and without SSL)
>>
>>
>

To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3f634118-8170-4df8-b715-d451874c0704%40apereo.org.


Re: [cas-user] Re: Keycloak Backchannel Logout and CAS

2020-03-17 Thread 'Maksim Kopeyka' via CAS Community
Ray,

I had some issues related to the self-signed certificate on my local env.
CAS and Keycloak produced an exception related to the certificate and the flow
didn't work at all.
I regenerated the certificate for the domain instead of 127.0.0.1 and all
exceptions were gone. So it's not an issue with the certificate.
Also I have the same problem on the real environment with a real certificate. It
also works fine without SSL, but with SSL the CAS session stays alive after
logout in keycloak.

On Tuesday, March 17, 2020 at 5:44:35 PM UTC+2, rbon wrote:
>
> Maksim,
>
> Could this be a certificate issue?
>
> If this is a self-signed certificate, you will need to add it to the java
> keystore (trust store).
> https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores
>
> Ray
>
> On Mon, 2020-03-16 at 16:46 -0700, 'Maksim Kopeyka' via CAS Community 
> wrote:
>
> That's interesting. Backchannel logout works in case the load balancer of CAS
> (nginx) doesn't use SSL; however backchannel doesn't work in case nginx uses
> SSL.
> I see the same output in the console of the CAS server in both cases (with SSL and
> without SSL)
>
>

To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f392bf04-62a3-475d-9596-7fff454e1d2b%40apereo.org.


[cas-user] Re: Keycloak Backchannel Logout and CAS

2020-03-16 Thread 'Maksim Kopeyka' via CAS Community
That's interesting. Backchannel logout works in case the load balancer of CAS
(nginx) doesn't use SSL; however backchannel doesn't work in case nginx uses
SSL.
I see the same output in the console of the CAS server in both cases (with SSL and
without SSL)

To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2d9f080c-2f94-44b7-a0c6-1e09b3e0bd08%40apereo.org.


[cas-user] Re: CAS 6.1.3 Discovery Client not initialized

2020-02-25 Thread 'Maksim Kopeyka' via CAS Community
I still have this problem even on my local PC. It worked fine with 6.0.3 but
doesn't work with 6.1.3. Looks like a bug...

To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8f128a52-3f06-4091-8fc0-8da6de4b3f00%40apereo.org.


[cas-user] CAS 6.1.3 Discovery Client not initialized

2020-02-12 Thread 'Maksim Kopeyka' via CAS Community
Hi Guys,

The *cas/actuator/health* endpoint returns JSON with a "Discovery Client not
initialized" status after updating from CAS 6.0.3 to 6.1.3. Does it mean I
should use additional properties to fix it, or is it related to network
configuration?

{
  "description": "Discovery Client not initialized",
  "status": "UNKNOWN",
  "components": {
    "discoveryComposite": {
      "description": "Discovery Client not initialized",
      "status": "UNKNOWN",
      "components": {
        "discoveryClient": {
          "description": "Discovery Client not initialized",
          "status": "UNKNOWN"
        }
      }
    },
    "diskSpace": {
      "status": "UP",
      "details": {
        "total": 19163136000,
        "free": 9581965312,
        "threshold": 10485760
      }
    },
    "memory": {
      "status": "UP",
      "details": {
        "freeMemory": 387328608,
        "totalMemory": 518979584
      }
    },
    "ping": {
      "status": "UP"
    },
    "refreshScope": {
      "status": "UP"
    },
    "session": {
      "status": "UP",
      "details": {
        "name": "TicketRegistryHealthIndicator",
        "sessionCount": 0,
        "ticketCount": 0,
        "message": "OK"
      }
    },
    "system": {
      "status": "UP",
      "details": {
        "systemUsage": 0.019733628072337486,
        "systemLoad": 0.22,
        "processUsage": 5.457595723356569E-4,
        "jvmUsed": 2.41595672E8,
        "jvmCommitted": 6.35633664E8,
        "heapUsed": 1.32786576E8,
        "heapCommitted": 5.18979584E8,
        "uptime": 239.72,
        "requests": 0.0,
        "maxRequest": 0.0
      }
    }
  }
}

To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6dd5d4a3-74cf-44c5-8abe-f994e1fc3cf4%40apereo.org.
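An added example, not code from this thread or from the CAS project: a small Python check that walks an actuator health document of the shape quoted above and reports every component whose status is not UP, together with its dotted path. The sample document is constructed from the JSON in the post (trimmed to the relevant indicators). The root-level status alone does not say which indicator is responsible; walking the `components` tree does, and after a fix such as the `spring.cloud.discovery.client.composite-indicator.enabled=false` property reported in the 2020-04-06 reply on this page, the same check confirms that no UNKNOWN indicator remains.

```python
"""Added example (not CAS code): flatten a Spring Boot actuator health
document and list the components that are not UP."""
import json
from typing import Dict, List, Tuple

# Constructed sample, trimmed from the health output quoted in the post.
SAMPLE_HEALTH = json.loads("""
{
  "description": "Discovery Client not initialized",
  "status": "UNKNOWN",
  "components": {
    "discoveryComposite": {
      "description": "Discovery Client not initialized",
      "status": "UNKNOWN",
      "components": {
        "discoveryClient": {
          "description": "Discovery Client not initialized",
          "status": "UNKNOWN"
        }
      }
    },
    "diskSpace": {"status": "UP",
                  "details": {"total": 19163136000, "free": 9581965312, "threshold": 10485760}},
    "ping": {"status": "UP"},
    "session": {"status": "UP",
                "details": {"name": "TicketRegistryHealthIndicator",
                            "sessionCount": 0, "ticketCount": 0, "message": "OK"}}
  }
}
""")


def flatten_health(doc: Dict, prefix: str = "") -> List[Tuple[str, str, str]]:
    """Return (path, status, description) for the root and every nested
    component, depth-first, in document order. A node without a status is
    reported as MISSING rather than silently skipped."""
    rows = [(prefix or "<root>", doc.get("status", "MISSING"), doc.get("description", ""))]
    for name, child in (doc.get("components") or {}).items():
        path = f"{prefix}.{name}" if prefix else name
        rows.extend(flatten_health(child, path))
    return rows


def unhealthy_components(doc: Dict) -> List[Tuple[str, str]]:
    """(path, status) for everything whose status is not UP, root included."""
    return [(path, status) for path, status, _ in flatten_health(doc) if status != "UP"]


def report(doc: Dict) -> str:
    """Human-readable summary suitable for a monitoring job's log line."""
    bad = unhealthy_components(doc)
    if not bad:
        return "all indicators UP"
    return "; ".join(f"{path}={status}" for path, status in bad)


if __name__ == "__main__":
    # Run against the constructed sample; with a live server, replace
    # SAMPLE_HEALTH by the parsed body of GET /cas/actuator/health.
    print(report(SAMPLE_HEALTH))
```

The walk is recursive because Spring Boot nests composite indicators (here `discoveryComposite` wraps `discoveryClient`), so a flat look at the top-level `components` map would report the composite but not which child inside it is actually degraded.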


Re: [cas-user] CAS5.3.x: Error getting flow information for URL

2020-02-11 Thread 'Maksim Kopeyka' via CAS Community
Hi Jay,

Did you solve the problem with Null input buffer? I have the same exception.

On Friday, May 18, 2018 at 7:19:07 PM UTC+3, Jay wrote:
>
> Ray,
> To answer your question.
> Yes there are two tomcat servers running the application and load balancer 
> switches between the servers. I will check with the Run team for clustering 
> or setting load balancer to be sticky.
>
> Travis,
> Yes the encryption keys are copied across the servers so they are same. 
> Anyhow I will verify that once as well.
>
> Regards,
> Jay
>
> On Friday, May 18, 2018 at 9:44:44 PM UTC+5:30, Travis Schmidt wrote:
>>
>> Do you have the same webflow encryption keys set in each of the config
>> files on the different servers?  If the property is not present, each server
>> generates its own at start-up, resulting in each server not
>> understanding the other.
>>
>>
>>
>> On Fri, May 18, 2018 at 8:39 AM Ray Bon  wrote:
>>
>>> Jay,
>>>
>>> Are there multiple CAS servers? Could this be a result of the load 
>>> balancer switching between CAS servers for each request (load form, post 
>>> form)?
>>> You may need to cluster your tomcats or set load balancer to be sticky.
>>>
>>> Ray
>>>
>>> On Thu, 2018-05-17 at 22:42 -0700, Jay wrote:
>>>
>>> Hi Ray, 
>>>
>>>
>>> Yes, it does not allow the user to be validated and log in successfully.
>>> It redirects back to the login page only.
>>>
>>> Any suggestion on what to look into specifically?
>>>
>>> We see this issue when we hit the load balancer url but not when we
>>> directly access the server url.
>>>
>>> Thanks,
>>> Jay
>>>
>>> On Thursday, May 17, 2018 at 11:46:17 AM UTC-5, rbon wrote: 
>>>
>>> Jay,
>>>
>>> I seem to recall a message like this was produced because of a 'feature' 
>>> to clear out the flow if it sat for too long. It would show up periodically 
>>> and had no bearing on how long the user took to log in.
>>> Does it cause a problem?
>>>
>>> Ray
>>>
>>> On Thu, 2018-05-17 at 01:16 -0700, Jay wrote:
>>>
>>> Hello everyone, 
>>>
>>> We have CAS application running in Tomcat in two different instances and 
>>> load balanced by a F5 url.
>>> Any application is configured with the F5 url for login authentication 
>>> and authorization.
>>>
>>> We have customized the url to *https:///las/v3/login* 
>>> (Naming the war file as *las#v3.war* sets the context path here)
>>>
>>> When I use individual server instance login/logout works absolutely 
>>> fine. (i.e. *:/las/v3/login* )
>>>
>>> We see the below error after we enter the user credentials and click on the login
>>> button.
>>>
>>> 2018-05-17 01:49:36,786 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <*Error getting flow information for URL* [/las/v3/login?service=http%3A%2F%2Flocalhost%3A3001%2Flogin%3Fdestination%3D%252Fconfiguration%252Faccounts%252F34864%252FproductLines%252FPrismPostPD%252Ftemplates%252F311]>
>>> org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException: Error decoding flow execution
>>>     at org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.getFlowExecution(ClientFlowExecutionRepository.java:99) ~[spring-webflow-client-repo-1.0.3.jar:1.0.3]
>>>     at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:168) ~[spring-webflow-2.4.7.RELEASE.jar:2.4.7.RELEASE]
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_31]
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_31]
>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_31]
>>>     at java.lang.reflect.Method.invoke(Method.java:483) ~[?:1.8.0_31]
>>>     at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:216) ~[spring-core-4.3.14.RELEASE.jar:4.3.14.RELEASE]
>>>     at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:470) ~[spring-cloud-context-1.3.0.RELEASE.jar:1.3.0.RELEASE]
>>>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) ~[spring-aop-4.3.14.RELEASE.jar:4.3.14.RELEASE]
>>>     at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213) ~[spring-aop-4.3.14.RELEASE.jar:4.3.14.RELEASE]
>>>     at com.sun.proxy.$Proxy165.resumeExecution(Unknown Source) ~[?:?]
>>>     at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:253) ~[spring-webflow-2.4.7.RELEASE.jar:2.4.7.RELEASE]
>>>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967) ~[spring-webmvc-4.3.14.RELEASE.jar:4.3.14.RELEASE]
>>>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901) ~[spring-webmvc-4.3.14.RELEASE.jar:4.3.14.RELEASE]
>>>     at

Re: [cas-user] Hazelcast-Ticket Registry config

2020-02-11 Thread 'Maksim Kopeyka' via CAS Community
Hi M.Pedis,

Did you solve the problem with Null input buffer? I have the same exception.

On Thursday, November 7, 2019 at 1:40:54 PM UTC+2, M.Pedis wrote:
>
> Hi Dave , 
>
> 2019-11-07 06:02:21,471 ERROR 
> [org.apereo.cas.web.flow.executor.EncryptedTranscoder] - 
> java.lang.IllegalArgumentException: Null input buffer
> at javax.crypto.Cipher.doFinal(Cipher.java:2198) ~[?:?]
>

To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a6ab29ff-3ae7-486d-9379-4b9ecaaf05fa%40apereo.org.


Re: [cas-user] Re: CAS 6 - Dockerized Deployments on two VMs with ticket registry

2020-02-06 Thread 'Maksim Kopeyka' via CAS Community
I used asyncBackupCount=3 before and the behavior was the same.
Regarding UDP, I may try to use it, but it should work with tcpIpEnabled too, 
so it's not an issue.

I guess this problem is related to the docker environment somehow. I don't 
have access to the configuration of the VM. Probably I have to expose some 
additional port(s) on docker. I found a thread about a dockerized env of CAS 
with hazelcast in this group, but that env is based on docker swarm and my 
env doesn't support docker swarm.
I saw this property in the documentation of CAS 

# ${configurationKey}.cluster.outboundPorts[0]=45000


But the container stops with an exception if I add it to the properties file:

> Binding to target [Bindable@2dd2e270 type = 
> org.apereo.cas.configuration.CasConfigurationProperties, value = 
> 'provided', annotations = 
> array[@org.springframework.boot.context.properties.ConfigurationProperties(ignoreInvalidFields=false,
>  
> ignoreUnknownFields=false, prefix=cas, value=cas)]] failed:
> Property: cas.ticket.registry.hazelcast.cluster.outboundports[0]
> Value: 33000-33100
> Origin: class path resource [application-dev.properties]:82:56
> Reason: The elements 
> [cas.ticket.registry.hazelcast.cluster.outboundports[0]] were left unbound.

 

On Friday, February 7, 2020 at 12:31:02 AM UTC+2, David Curry wrote:
>
> I believe, if you have 4 members, that asyncBackupCount should be 3. 
> Because a node doesn't back itself up. (Hazelcast might be smart enough to 
> fix that itself, but I don't know.)
>
> Also, I'm curious as to why you have tcpIpEnabled set to true? You'd be 
> much better off, from a performance standpoint, setting it to false and 
> using UDP. TCP blocks, UDP doesn't.
>
> I've never run this in docker, so I don't know what, if anything, you need 
> to do differently. But I would be at least a little suspicious of the 
> interactions there -- it should work of course, but could you be missing 
> something in the docker config, or the config on the host?
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 646 909-4728 • david...@newschool.edu 
>
>
> On Thu, Feb 6, 2020 at 4:36 PM 'Maksim Kopeyka' via CAS Community <
> cas-...@apereo.org > wrote:
>
>> Hi David,
>>
>> I tried a similar config with 4 nodes:
>>
>>>
>>> cas.ticket.registry.hazelcast.cluster.members=${HAZELCAST_CLUSTER_MEMBERS}
>>> cas.ticket.registry.hazelcast.cluster.asyncBackupCount=4
>>> cas.ticket.registry.hazelcast.cluster.backupCount=0
>>> cas.ticket.registry.hazelcast.cluster.port=5701
>>> cas.ticket.registry.hazelcast.cluster.portAutoIncrement=false
>>> cas.ticket.registry.hazelcast.cluster.instanceName=localhost
>>>
>>> cas.ticket.registry.hazelcast.cluster.publicAddress=${HAZELCAST_PUBLIC_ADDRESS}
>>> cas.ticket.registry.hazelcast.cluster.tcpipEnabled=true
>>> cas.ticket.registry.hazelcast.crypto.enabled=false
>>
>>
>> I see this output on each node, i.e. hazelcast creates a cluster and sees 
>> all nodes:
>>
>>> 2020-02-06 21:20:49,235 INFO 
>>> [com.hazelcast.internal.cluster.ClusterService] - 
>>> <[ecdc-rant-affiliateidp-dev-1]:5701 [dev] [3.12.4]
>>> Members {size:4, ver:4} [
>>> Member [wcdc-rant-affiliateidp-dev-1]:5701 - 
>>> a245c93b-beb0-4929-b831-e40a323cad8b
>>> Member [ecdc-rant-affiliateidp-dev-2]:5701 - 
>>> bcbcd799-8cb8-4e5d-8802-5d95d4015ffd
>>> Member [wcdc-rant-affiliateidp-dev-2]:5701 - 
>>> 9d3f52c9-1475-462e-844a-1b534efdca73
>>> Member [ecdc-rant-affiliateidp-dev-1]:5701 - 
>>> e9f81f52-7a99-4428-a402-5a2f48cba838 this
>>> ]
>>> >
>>
>>
>> However, ticket distribution doesn't work. Nodes 1, 2, 3 don't know about 
>> the session on Node 4.
>>
>> I don't see any errors in the logs related to hazelcast, but this one 
>> appears from time to time:
>>
>>> 2020-02-06 17:31:56,248 ERROR 
>>> [org.apereo.cas.web.flow.executor.EncryptedTranscoder] - 
>>> java.lang.IllegalArgumentException: Null input buffer
>>> at javax.crypto.Cipher.doFinal(Unknown Source) ~[?:?]
>>> at 
>>> org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:92)
>>>  
>>> ~[cas-server-core-util-api-6.1.3.jar!/:6.1.3]
>>
>>
>>
>> On Wednesday, February 5, 2020 at 9:28:43 PM UTC+2, David Curry wrote:
>>>
>>> Maksim,
>>>
>>> If you don't want to ever lose tickets, the

Re: [cas-user] Re: CAS 6 - Dockerized Deployments on two VMs with ticket registry

2020-02-06 Thread 'Maksim Kopeyka' via CAS Community
Hi David,

I tried a similar config with 4 nodes:

> cas.ticket.registry.hazelcast.cluster.members=${HAZELCAST_CLUSTER_MEMBERS}
> cas.ticket.registry.hazelcast.cluster.asyncBackupCount=4
> cas.ticket.registry.hazelcast.cluster.backupCount=0
> cas.ticket.registry.hazelcast.cluster.port=5701
> cas.ticket.registry.hazelcast.cluster.portAutoIncrement=false
> cas.ticket.registry.hazelcast.cluster.instanceName=localhost
>
> cas.ticket.registry.hazelcast.cluster.publicAddress=${HAZELCAST_PUBLIC_ADDRESS}
> cas.ticket.registry.hazelcast.cluster.tcpipEnabled=true
> cas.ticket.registry.hazelcast.crypto.enabled=false


I see this output on each node, i.e. hazelcast creates a cluster and sees 
all nodes:

> 2020-02-06 21:20:49,235 INFO 
> [com.hazelcast.internal.cluster.ClusterService] - 
> <[ecdc-rant-affiliateidp-dev-1]:5701 [dev] [3.12.4]
> Members {size:4, ver:4} [
> Member [wcdc-rant-affiliateidp-dev-1]:5701 - 
> a245c93b-beb0-4929-b831-e40a323cad8b
> Member [ecdc-rant-affiliateidp-dev-2]:5701 - 
> bcbcd799-8cb8-4e5d-8802-5d95d4015ffd
> Member [wcdc-rant-affiliateidp-dev-2]:5701 - 
> 9d3f52c9-1475-462e-844a-1b534efdca73
> Member [ecdc-rant-affiliateidp-dev-1]:5701 - 
> e9f81f52-7a99-4428-a402-5a2f48cba838 this
> ]
> >


However, ticket distribution doesn't work. Nodes 1, 2, 3 don't know about 
the session on Node 4.

I don't see any errors in the logs related to hazelcast, but this one 
appears from time to time:

> 2020-02-06 17:31:56,248 ERROR 
> [org.apereo.cas.web.flow.executor.EncryptedTranscoder] - 
> java.lang.IllegalArgumentException: Null input buffer
> at javax.crypto.Cipher.doFinal(Unknown Source) ~[?:?]
> at 
> org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:92)
>  
> ~[cas-server-core-util-api-6.1.3.jar!/:6.1.3]



On Wednesday, February 5, 2020 at 9:28:43 PM UTC+2, David Curry wrote:
>
> Maksim,
>
> If you don't want to ever lose tickets, then you would want all nodes to 
> back up all other nodes. So if you have 3 member nodes, you would want 2 
> async backup nodes (asyncBackupCount) and also you'd probably want to 
> disable the default sync backup (backupCount) node since it will block. 
> Here are the settings we're running with in production (although this is 
> CAS 5):
>
> cas.ticket.registry.hazelcast.cluster.members:  
> cas01.newschool.edu,cas02.newschool.edu,cas03.newschool.edu,
> cas04.newschool.edu,cas05.newschool.edu
> cas.ticket.registry.hazelcast.cluster.asyncBackupCount: 4
> cas.ticket.registry.hazelcast.cluster.backupCount:  0
> cas.ticket.registry.hazelcast.cluster.port: 5701
> cas.ticket.registry.hazelcast.cluster.portAutoIncrement:false
> cas.ticket.registry.hazelcast.crypto.encryption.key:
> xxxIoXN6SBU5bF+iAVTKgw==
> cas.ticket.registry.hazelcast.crypto.signing.key:  
>  
> xxxmEbPGT_MXg0JWYLTe4oFaOaklocCqlY2VuHBdAHuh0V6-PdQxmgi4tTA3CZZos8TUbzg-L9nYHJpA5RqcvA
> cas.ticket.registry.hazelcast.crypto.enabled:   true
>
> This works well for us behind an F5 load balancer; we do not use sticky 
> sessions. We can (and do) reboot servers in the pool without anyone getting 
> re-prompted to log in (just don't reboot them all at once).
>
> The crypto stuff (last three lines) is not needed for this to work, but 
> you (arguably) might want it in production. You can leave it off while 
> getting things to work and enable it later.
>
> One other thing -- did you remember to open 5701 in the firewall on all 
> the servers?
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 646 909-4728 • david...@newschool.edu 
>
>
> On Wed, Feb 5, 2020 at 1:40 PM Ray Bon > 
> wrote:
>
>> Maksim,
>>
>> There is this config setting
>> cas.ticket.registry.hazelcast.cluster.members=
>> Add IPs of all members to the list. 
>> https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#hazelcast-ticket-registry
>>  
>> and the link to common settings.
>>
>> There are some hazelcast loggers in log4j2.xml
>>
>> > level="${sys:hazelcast.log.level}" includeLocation="true" />
>>
>> Ray
>>
>> On Wed, 2020-02-05 at 09:16 -0800, 'Maksim Kopeyka' via CAS Community 
>> wrote:
>>
>> Ray, 
>>
>> I asked about CAS functionality to distribute tickets across nodes. I 
>> need the specific CAS functionality based on Hazelcast, and it seems to me 
>> this functionality doesn't work as expected, so I need to check it somehow. 
>> Maybe with some debug logging

Re: [cas-user] Re: CAS 6 - Dockerized Deployments on two VMs with ticket registry

2020-02-05 Thread 'Maksim Kopeyka' via CAS Community
Hi Ray,

It seems to me Hazelcast doesn't distribute data across all nodes, because 
each node doesn't have information about sessions on other nodes.
How can I check data distribution?

On Friday, January 31, 2020 at 11:02:05 PM UTC+2, rbon wrote:
>
> Maksim,
>
> Hazelcast is distributed but not replicated. Thus, when a server goes 
> down, the tickets on that server are lost. You have to relogin only if your 
> ticket was on that server.
> Hazelcast has some mechanism of determining which node has which ticket. 
> It may also be possible to make hazelcast replicated but I have not tried.
>
> Ray
>
> P.S. you have two node3s in your config.
>
> On Fri, 2020-01-31 at 11:51 -0800, 'Maksim Kopeyka' via CAS Community 
> wrote:
>
> Hi Andy, 
>
> Your example is very helpful. Thank you.
> I see how the hazelcast ticket registry works on my local env. I turned off 
> the active container and another container continues to work with my active 
> session without relogin.
>
> However, on my remote env. with CAS 6.1.3 it doesn't work this way. The load 
> balancer asks me to re-login if I turn off the active container.
> Each node with hazelcast sees the other nodes. I see such messages on all 
> nodes in case node1 is turned off:
>
> WARN [com.hazelcast.nio.tcp.TcpIpConnectionErrorHandler] - <[node2]:5701 [dev] [3.12.4] Removing connection to endpoint [node1]:5701 Cause => java.net.SocketException {Connection refused to address node1/xx.xx.xx.xx:5701}, Error-Count: 5>
> WARN [com.hazelcast.internal.cluster.impl.MembershipManager] - <[node2]:5701 [dev] [3.12.4] Member [node1]:5701 - b1fba639-dfff-4536-b5f4-a8681920594d is suspected to be dead for reason: No connection>
> WARN [com.hazelcast.nio.tcp.TcpIpConnectionErrorHandler] - <[node2]:5701 [dev] [3.12.4] Removing connection to endpoint [node1]:5701 Cause => java.net.SocketException {Connection refused to address node1/xx.xx.xx.xx:5701}, Error-Count: 6>
> WARN [com.hazelcast.nio.tcp.TcpIpConnectionErrorHandler] - <[node2]:5701 [dev] [3.12.4] Removing connection to endpoint [node1]:5701 Cause => java.net.SocketException {Connection refused to address node1/xx.xx.xx.xx:5701}, Error-Count: 7>
> WARN [com.hazelcast.nio.tcp.TcpIpConnectionErrorHandler] - <[node2]:5701 [dev] [3.12.4] Removing connection to endpoint [node1]:5701 Cause => java.net.SocketException {Connection refused to address node1/xx.xx.xx.xx:57001}, Error-Count: 8>
>
>
>
> This is my hazelcast settings:
>
> cas.ticket.registry.hazelcast.cluster.members=node1:5701,node2:5701,node3:5701,node3:5701
> cas.ticket.registry.hazelcast.cluster.asyncBackupCount=3
> cas.ticket.registry.hazelcast.cluster.port=5701
> cas.ticket.registry.hazelcast.cluster.portAutoIncrement=false
> cas.ticket.registry.hazelcast.cluster.instanceName=localhost
> cas.ticket.registry.hazelcast.cluster.publicAddress=node1:5701
> cas.ticket.registry.hazelcast.cluster.tcpipEnabled=true
>
>
> Why doesn't hazelcast share data across the cluster?
>
> I see these messages on startup:
>
> WARN [com.hazelcast.instance.AddressPicker] - <[LOCAL] [dev] [3.12.4] You configured your member address as host name. Please be aware of that your dns can be spoofed. Make sure that your dns configurations are correct.>
> WARN [com.hazelcast.instance.AddressPicker] - <[LOCAL] [dev] [3.12.4] You configured your member address as host name. Please be aware of that your dns can be spoofed. Make sure that your dns configurations are correct.>
> WARN [com.hazelcast.instance.AddressPicker] - <[LOCAL] [dev] [3.12.4] You configured your member address as host name. Please be aware of that your dns can be spoofed. Make sure that your dns configurations are correct.>
> WARN [com.hazelcast.instance.AddressPicker] - <[LOCAL] [dev] [3.12.4] You configured your member address as host name. Please be aware of that your dns can be spoofed. Make sure that your dns configurations are correct.>
> WARN [com.hazelcast.instance.AddressPicker] - <[LOCAL] [dev] [3.12.4] Could not find a matching address to start with! Picking one of non-loopback addresses.>
> INFO [org.apereo.cas.util.CoreTicketUtils] -  encryption/signing is turned off. This MAY NOT be safe in a clustered production environment. Consider using other choices to handle encryption, signing and verification of ticket registry tickets, and verify the chosen ticket registry does support this behavior.>
>
>
> On Wednesday, January 22, 2020 at 3:18:34 AM UTC+2, Andy Ng wrote: 
>
> Hi Maksim, 
>
> Pretty sure:
> cas.ticket.registry.hazelcast.cluster.public-address 
>

[cas-user] Re: CAS 6 - Dockerized Deployments on two VMs with ticket registry

2020-01-31 Thread 'Maksim Kopeyka' via CAS Community
Hi Andy,

Your example is very helpful. Thank you.
I see how the hazelcast ticket registry works on my local env. I turned off 
the active container and another container continues to work with my active 
session without relogin.

However, on my remote env. with CAS 6.1.3 it doesn't work this way. The load 
balancer asks me to re-login if I turn off the active container.
Each node with hazelcast sees the other nodes. I see such messages on all 
nodes in case node1 is turned off:

WARN [com.hazelcast.nio.tcp.TcpIpConnectionErrorHandler] - <[node2]:5701 [dev] [3.12.4] Removing connection to endpoint [node1]:5701 Cause => java.net.SocketException {Connection refused to address node1/xx.xx.xx.xx:5701}, Error-Count: 5>
WARN [com.hazelcast.internal.cluster.impl.MembershipManager] - <[node2]:5701 [dev] [3.12.4] Member [node1]:5701 - b1fba639-dfff-4536-b5f4-a8681920594d is suspected to be dead for reason: No connection>
WARN [com.hazelcast.nio.tcp.TcpIpConnectionErrorHandler] - <[node2]:5701 [dev] [3.12.4] Removing connection to endpoint [node1]:5701 Cause => java.net.SocketException {Connection refused to address node1/xx.xx.xx.xx:5701}, Error-Count: 6>
WARN [com.hazelcast.nio.tcp.TcpIpConnectionErrorHandler] - <[node2]:5701 [dev] [3.12.4] Removing connection to endpoint [node1]:5701 Cause => java.net.SocketException {Connection refused to address node1/xx.xx.xx.xx:5701}, Error-Count: 7>
WARN [com.hazelcast.nio.tcp.TcpIpConnectionErrorHandler] - <[node2]:5701 [dev] [3.12.4] Removing connection to endpoint [node1]:5701 Cause => java.net.SocketException {Connection refused to address node1/xx.xx.xx.xx:57001}, Error-Count: 8>



This is my hazelcast settings:

cas.ticket.registry.hazelcast.cluster.members=node1:5701,node2:5701,node3:5701,node3:5701
cas.ticket.registry.hazelcast.cluster.asyncBackupCount=3
cas.ticket.registry.hazelcast.cluster.port=5701
cas.ticket.registry.hazelcast.cluster.portAutoIncrement=false
cas.ticket.registry.hazelcast.cluster.instanceName=localhost
cas.ticket.registry.hazelcast.cluster.publicAddress=node1:5701
cas.ticket.registry.hazelcast.cluster.tcpipEnabled=true


Why doesn't hazelcast share data across the cluster?

I see these messages on startup:

WARN [com.hazelcast.instance.AddressPicker] - <[LOCAL] [dev] [3.12.4] You configured your member address as host name. Please be aware of that your dns can be spoofed. Make sure that your dns configurations are correct.>
WARN [com.hazelcast.instance.AddressPicker] - <[LOCAL] [dev] [3.12.4] You configured your member address as host name. Please be aware of that your dns can be spoofed. Make sure that your dns configurations are correct.>
WARN [com.hazelcast.instance.AddressPicker] - <[LOCAL] [dev] [3.12.4] You configured your member address as host name. Please be aware of that your dns can be spoofed. Make sure that your dns configurations are correct.>
WARN [com.hazelcast.instance.AddressPicker] - <[LOCAL] [dev] [3.12.4] You configured your member address as host name. Please be aware of that your dns can be spoofed. Make sure that your dns configurations are correct.>
WARN [com.hazelcast.instance.AddressPicker] - <[LOCAL] [dev] [3.12.4] Could not find a matching address to start with! Picking one of non-loopback addresses.>
INFO [org.apereo.cas.util.CoreTicketUtils] -  encryption/signing is turned off. This MAY NOT be safe in a clustered production environment. Consider using other choices to handle encryption, signing and verification of ticket registry tickets, and verify the chosen ticket registry does support this behavior.>


On Wednesday, January 22, 2020 at 3:18:34 AM UTC+2, Andy Ng wrote:
>
> Hi Maksim,
>
> Pretty sure:
> cas.ticket.registry.hazelcast.cluster.public-address 
> and 
> cas.ticket.registry.hazelcast.cluster.publicAddress 
>
> Both work the same, since spring properties allow both camelCase and 
> kebab-case.
>
>
> And I did successfully use docker CAS with Hazelcast as the ticketing 
> system; however, I am using it for a demo, so I just included a whole bunch 
> of private IPs so it works..
>
> Here are my CAS properties:
>
>
> cas.ticket.registry.hazelcast.cluster.members=172.20.0.1,172.20.0.2,172.20.0.3,172.20.0.4,172.20.0.5,172.20.0.6,172.20.0.7,172.20.0.8,172.20.0.9,172.20.0.10
> cas.ticket.registry.hazelcast.cluster.instanceName=localhost
> My project link as well, so you can reference it if you want to: 
> https://github.com/NgSekLong/SelectUrCAS/blob/master/source/ticket-registry/hazelcast/cas.yml
>
>
> Cheers!
> - Andy
>

-- 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/96f3ec2f-45dc-428f-8bb8-06931484f4ec%40apereo.org.
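The configuration posted above, together with the backup-count advice and the duplicate-member note given earlier in this thread and the two startup warnings it produces (host-name members can be DNS-spoofed; registry encryption/signing is turned off), can be checked mechanically before a node is deployed. The following Python script is an added example, not code from CAS or from anyone in this thread: it reads the hazelcast section of a properties file with Spring relaxed binding (so camelCase and kebab-case keys are the same property, as Andy noted) and reports those pitfalls. The sample input is a constructed copy of the configuration above; the default values it assumes for absent backup keys are assumptions, not verified CAS values.

```python
"""Lint the Hazelcast ticket-registry settings in a CAS properties file.

Added example; this is not code from CAS or from anyone in this thread.
It turns the thread's advice into checks:
  * a member does not back itself up, so with N members the backups
    (backupCount + asyncBackupCount) should be N-1;
  * a member listed twice in cluster.members is a configuration mistake;
  * Hazelcast warns that host-name member addresses can be DNS-spoofed;
  * CAS warns when ticket-registry encryption/signing is off in a cluster.
Keys are compared with Spring relaxed binding, so camelCase and kebab-case
spellings of a property are treated as the same key.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

PREFIX = "cas.ticket.registry.hazelcast."

# Assumed defaults for absent keys (the thread calls the sync backup "the
# default"); treat these as assumptions and verify them for your CAS version.
DEFAULT_BACKUP_COUNT = 1
DEFAULT_ASYNC_BACKUP_COUNT = 0

Finding = Tuple[str, str]  # (severity, message)

# Constructed sample: the configuration posted in this thread.
SAMPLE_FROM_THREAD = """
cas.ticket.registry.hazelcast.cluster.members=node1:5701,node2:5701,node3:5701,node3:5701
cas.ticket.registry.hazelcast.cluster.asyncBackupCount=3
cas.ticket.registry.hazelcast.cluster.port=5701
cas.ticket.registry.hazelcast.cluster.portAutoIncrement=false
cas.ticket.registry.hazelcast.cluster.instanceName=localhost
cas.ticket.registry.hazelcast.cluster.publicAddress=node1:5701
cas.ticket.registry.hazelcast.cluster.tcpipEnabled=true
"""


def normalize_key(key: str) -> str:
    """Spring relaxed binding: cluster.public-address == cluster.publicAddress."""
    return key.strip().replace("-", "").replace("_", "").lower()


def parse_properties(text: str) -> Dict[str, str]:
    """Parse 'key=value' or 'key: value' lines; blanks and '#' comments are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if match:
            props[normalize_key(match.group(1))] = match.group(2).strip()
    return props


def _int_or_default(value, default: int) -> int:
    """Unresolved ${...} placeholders and bad numbers fall back to the default."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def lint_hazelcast(text: str) -> List[Finding]:
    """Return (severity, message) findings for the hazelcast.* keys in text."""
    props = parse_properties(text)
    hz = {k[len(PREFIX):]: v for k, v in props.items() if k.startswith(PREFIX)}
    findings: List[Finding] = []

    raw_members = hz.get("cluster.members", "")
    unique: List[str] = []  # distinct members, in the order listed
    if not raw_members or raw_members.startswith("${"):
        findings.append(("info", "cluster.members is empty or an unresolved placeholder; member checks skipped"))
    else:
        for member in (m.strip() for m in raw_members.split(",") if m.strip()):
            if member in unique:
                findings.append(("error", f"member {member} is listed more than once"))
                continue
            unique.append(member)
            host = member.rsplit(":", 1)[0]  # drop an optional :port suffix
            try:
                ipaddress.ip_address(host)
            except ValueError:
                findings.append(("warn", f"member {member} is a host name; Hazelcast warns this can be DNS-spoofed"))

    backup = _int_or_default(hz.get("cluster.backupcount"), DEFAULT_BACKUP_COUNT)
    async_backup = _int_or_default(hz.get("cluster.asyncbackupcount"), DEFAULT_ASYNC_BACKUP_COUNT)
    if unique:
        others = len(unique) - 1  # a node does not back itself up
        total = backup + async_backup
        if total > others:
            findings.append(("error", f"backupCount+asyncBackupCount={total} exceeds the {others} other member(s); a node does not back itself up"))
        elif total < others:
            findings.append(("warn", f"only {total} backup(s) for {others} other member(s); tickets held by a failed node can be lost"))
    if backup > 0:
        findings.append(("info", f"backupCount={backup}: synchronous backups block until replicated; the thread recommends 0 plus async backups"))

    if hz.get("crypto.enabled", "false").lower() != "true":
        findings.append(("warn", "crypto.enabled is not true; CAS warns this may not be safe in a clustered production environment"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_hazelcast(SAMPLE_FROM_THREAD):
        print(f"{severity.upper():5} {message}")
```

Run it as a script to lint the embedded sample, or call lint_hazelcast() with the text of your own cas.properties; an empty list means none of the thread's pitfalls were found. It goes a little beyond the posted case in that it also accepts `key: value` syntax and kebab-case keys, which is what makes it usable on the other configurations quoted in this thread.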


[cas-user] Re: ClassNotFoundException after upgrading CAS 6.0.3 to 6.1 3

2020-01-24 Thread 'Maksim Kopeyka' via CAS Community
I found the reason for this exception.
My 6.0.3 version of CAS uses application.properties from 
*src\main\resources*. This exception disappears if I copy-paste the content 
of this file to *etc\cas\config\cas.properties* and delete the 
*application.properties* file.

-- 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e9e7aa0e-6ff7-433a-8047-26f0c5dfb75b%40apereo.org.


[cas-user] ClassNotFoundException after upgrading CAS 6.0.3 to 6.1 3

2020-01-23 Thread 'Maksim Kopeyka' via CAS Community
Hello,

I have a strange problem after upgrading CAS from 6.0.3 to 6.1.3. I don't 
use any *cas.authn.mfa.** properties. Should I add some additional 
dependency to my list to fix this exception?

This exception appears after the big STOP label in the console:
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.services.ServiceRegistryInitializer]: Factory method 'serviceRegistryInitializer' threw exception; nested exception is javax.persistence.PersistenceException: org.hibernate.type.SerializationException: could not deserialize
   .
Caused by: java.lang.ClassNotFoundException: org.apereo.cas.services.RegisteredServiceMultifactorPolicy$FailureModes
   at java.base/java.net.URLClassLoader.findClass(Unknown Source)
   at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
   at org.springframework.boot.loader.LaunchedURLClassLoader.loadClass(LaunchedURLClassLoader.java:92)
   at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
   at java.base/java.lang.Class.forName0(Native Method)
   at java.base/java.lang.Class.forName(Unknown Source)
   at java.base/java.io.ObjectInputStream.resolveClass(Unknown Source)
   at org.hibernate.internal.util.SerializationHelper$CustomObjectInputStream.resolveClass(SerializationHelper.java:350)
   at java.base/java.io.ObjectInputStream.readNonProxyDesc(Unknown Source)
   at java.base/java.io.ObjectInputStream.readClassDesc(Unknown Source)
   at java.base/java.io.ObjectInputStream.readEnum(Unknown Source)
   at java.base/java.io.ObjectInputStream.readObject0(Unknown Source)
   at java.base/java.io.ObjectInputStream.defaultReadFields(Unknown Source)
   at java.base/java.io.ObjectInputStream.readSerialData(Unknown Source)
   at java.base/java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
   at java.base/java.io.ObjectInputStream.readObject0(Unknown Source)
   at java.base/java.io.ObjectInputStream.readObject(Unknown Source)
   at java.base/java.io.ObjectInputStream.readObject(Unknown Source)
   at org.hibernate.internal.util.SerializationHelper.doDeserialize(SerializationHelper.java:225)

This is the list of dependencies:

compile "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}"
compile "org.apereo.cas:cas-server-support-jdbc-drivers:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-jdbc:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-jpa-service-registry:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-bootadmin-client:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-rest:${project.'cas.version'}"

-- 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1c0bfd0b-ea5a-40a9-8a64-dfce7722b9fc%40apereo.org.


Re: [cas-user] Re: Duplicate entry for SAML2_ATTRIBUTE_QUERY_TICKETS raised

2020-01-22 Thread 'Maksim Kopeyka' via CAS Community
It doesn't make sense to me; see Andy's answer above.

On Wednesday, January 22, 2020 at 4:05:10 PM UTC+2, Roger Yerbanga wrote:
>
> So change it to false and let us know if it works.
>
> On Wed, Jan 22, 2020 at 5:38 AM 'Maksim Kopeyka' via CAS Community <
> cas-...@apereo.org > wrote:
>
>> Same problem with CAS 6.0.3 and JPA ticket registry.
>> And yes, I have this 
>> property: cas.authn.samlIdp.attributeQueryProfileEnabled=true
>>
>> On Friday, October 19, 2018 at 11:58:55 PM UTC+3, Roger Yerbanga wrote:
>>>
>>> Hello all,
>>>
>>> With Cas 5.3.4.
>>>
>>> Has someone already gotten something like this :
>>>
>>>
>>> Hibernate: 
>>> insert 
>>> into
>>> SAML2_ATTRIBUTE_QUERY_TICKETS
>>> (NUMBER_OF_TIMES_USED, CREATION_TIME, EXPIRATION_POLICY, 
>>> EXPIRED, LAST_TIME_USED, PREVIOUS_LAST_TIME_USED, object, relyingParty, 
>>> SERVICE, ticketGrantingTicket_ID, TYPE, ID) 
>>> values
>>> (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 'SATQ', ?)
>>> 2018-10-19 16:46:56,395 ERROR 
>>> [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] - <(conn=3232) Duplicate 
>>> entry 'SATQ-oG9xzSjwFzlCyugfCdoRxugEKCU=' for key 'PRIMARY'>
>>> 2018-10-19 16:46:56,398 ERROR 
>>> [org.hibernate.internal.ExceptionMapperStandardImpl] - >> during managed flush [org.hibernate.exception.ConstraintViolationException: 
>>> could not execute statement]>
>>> 2018-10-19 16:46:56,400 INFO 
>>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - >> trail record BEGIN
>>>
>>
>
>
> -- 
> ! roger
> -- www.yerbynet.com --
> A computer without an Internet connection is a bit like a television 
> without an antenna :)
>

-- 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ba31cd50-932d-4c7b-9c13-f2847d8b11d1%40apereo.org.


[cas-user] Re: Duplicate entry for SAML2_ATTRIBUTE_QUERY_TICKETS raised

2020-01-22 Thread 'Maksim Kopeyka' via CAS Community
Same problem with CAS 6.0.3 and JPA ticket registry.
And yes, I have this 
property: cas.authn.samlIdp.attributeQueryProfileEnabled=true

On Friday, October 19, 2018 at 11:58:55 PM UTC+3, Roger Yerbanga wrote:
>
> Hello all,
>
> With Cas 5.3.4.
>
> Has someone already gotten something like this :
>
>
> Hibernate: 
> insert 
> into
> SAML2_ATTRIBUTE_QUERY_TICKETS
> (NUMBER_OF_TIMES_USED, CREATION_TIME, EXPIRATION_POLICY, EXPIRED, 
> LAST_TIME_USED, PREVIOUS_LAST_TIME_USED, object, relyingParty, SERVICE, 
> ticketGrantingTicket_ID, TYPE, ID) 
> values
> (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 'SATQ', ?)
> 2018-10-19 16:46:56,395 ERROR 
> [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] - <(conn=3232) Duplicate 
> entry 'SATQ-oG9xzSjwFzlCyugfCdoRxugEKCU=' for key 'PRIMARY'>
> 2018-10-19 16:46:56,398 ERROR 
> [org.hibernate.internal.ExceptionMapperStandardImpl] -  during managed flush [org.hibernate.exception.ConstraintViolationException: 
> could not execute statement]>
> 2018-10-19 16:46:56,400 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
>

-- 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e3992136-f15d-43f5-8574-4360518daf26%40apereo.org.


[cas-user] CAS 6 - Dockerized Deployments on two VMs with ticket registry

2020-01-21 Thread 'Maksim Kopeyka' via CAS Community
Hello,

I have problems with the configuration of the ticket registry in my env.
This env contains several VMs, and each VM has a docker container with CAS 
6.0.3. Multicast doesn't work in this env.
I have a similar env with keycloak, and there I configured JDBC_PING to use a 
distributed cache over all nodes.

So I need something similar for CAS.

*Hazelcast*

I found this example based on hazelcast. Unfortunately I don't see 
hazelcast members in the CAS log, i.e. it doesn't work with CAS 6.1.3:
https://apereo.github.io/2019/05/13/cas61x-docker-hazelcast-mgmtcenter/#dockerized-cas-deployment

This example uses this property:
cas.ticket.registry.hazelcast.cluster.public-address

However, the CAS documentation has this one:
${configurationKey}.cluster.publicAddress

I tried both without success.

*Ehcache*

I tried to configure it via JGroupsCacheManagerPeerProviderFactory TCPPING, 
but every time I get a null pointer during login to CAS 6.0.3:

> cas-only-local-2 | 
> ---
> cas-only-local-2 | GMS: address=a0e029837788-38715, 
> cluster=ticketRegistryCacheManager, physical address=192.168.96.3:40001
> cas-only-local-2 | 
> ---
> cas-only-local | 
> ---
> cas-only-local | GMS: address=3a992373bbcb-29947, 
> cluster=ticketRegistryCacheManager, physical address=192.168.80.3:40001
> cas-only-local | 
> ---
> cas-only-local | 
> =
> cas-only-local | WHO: casuser
> cas-only-local | WHAT: Supplied credentials: 
> [UsernamePasswordCredential(username=casuser, source=null)]
> cas-only-local | ACTION: AUTHENTICATION_SUCCESS
> cas-only-local | APPLICATION: CAS
> cas-only-local | WHEN: Mon Jan 20 22:04:55 UTC 2020
> cas-only-local | CLIENT IP ADDRESS: 192.168.1.106
> cas-only-local | SERVER IP ADDRESS: 192.168.80.3
> cas-only-local | 
> =
> cas-only-local | 
> =
> cas-only-local | WHO: casuser
> cas-only-local | WHAT: NULL_POINTER_EXCEPTION
> cas-only-local | ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
> cas-only-local | APPLICATION: CAS
> cas-only-local | WHEN: Mon Jan 20 22:04:55 UTC 2020
> cas-only-local | CLIENT IP ADDRESS: 192.168.1.106
> cas-only-local | SERVER IP ADDRESS: 192.168.80.3
> cas-only-local | 
> =
> cas-only-local | 
> cas-only-local | java.lang.NullPointerException: null
> cas-only-local | at 
> net.sf.ehcache.distribution.RMISynchronousCacheReplicator.listRemoteCachePeers(RMISynchronousCacheReplicator.java:335)
>  
> ~[ehcache-2.10.6.jar!/:2.10.6]
> cas-only-local | at 
> net.sf.ehcache.distribution.RMISynchronousCacheReplicator.replicatePutNotification(RMISynchronousCacheReplicator.java:145)
>  
> ~[ehcache-2.10.6.jar!/:2.10.6]
> cas-only-local | at 
> net.sf.ehcache.distribution.RMISynchronousCacheReplicator.notifyElementPut(R


Does somebody have any luck with Hazelcast or Ehcache in a similar env?

Maybe somebody uses the JPA Ticket Registry? The documentation says it's a 
fairly unnecessary and complicated process. All CAS instances in my env. use 
the same DB.

-- 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/68445b7a-d115-48d3-b284-ebd5aa36b77d%40apereo.org.


Re: [cas-user] Problem with logout in case several nodes of CAS and several nodes of Keycloak are used

2020-01-15 Thread 'Maksim Kopeyka' via CAS Community
Petr,

Thank you for the example. How do I configure *port* and *remotePort* for 4 
nodes? 

Maxim


On Wednesday, January 15, 2020 at 10:27:25 AM UTC+2, Petr Gašparík - AMI 
Praha a.s. wrote:
>
> Maksim, 
> you definitely need to set up High Availability with ticket registry 
> replication:
>
> https://apereo.github.io/cas/6.1.x/high_availability/High-Availability-Guide.html#high-availability-guide-haclustering
>   
>
> We use Ehcache for this (just two nodes), so we have:
>
>- cas.properties: cas.ticket.registry.ehcache.configLocation=ehcache-replicated.xml
>- ehcache-replicated.xml - see attached: you need to deploy this on 
>both nodes, and to specify the port of one node as the remotePort of the other node.
>
> I hope this helps
>
> --
>
> with best regards
>
> *Petr Gašparík*
> IT security consultant
>
>
>
>
> On Tue, 14 Jan 2020 at 21:35, Ray Bon wrote:
>
>> Maksim,
>>
>> Default registry is in memory, 
>> https://apereo.github.io/cas/6.1.x/ticketing/Default-Ticket-Registry.html
>> .
>> You will find it easier to start with a single CAS node.
>> See, 
>> https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html,
>>  
>> for an approach to getting things set up.
>>
>> Ray
>>
>> On Tue, 2020-01-14 at 12:14 -0800, 'Maksim Kopeyka' via CAS Community 
>> wrote:
>>
>> Ray, 
>>
>> We didn't set up any registry configuration yet. We have several nodes of 
>> CAS with load balancer.
>> I don't see any *cas.ticket.registry* properties in our config.
>>
>> Maksim
>>
>> On Tuesday, January 14, 2020 at 7:29:52 PM UTC+2, rbon wrote: 
>>
>> Maksim,
>>
>> Most (all) of the ticket registries should be able to handle multi-node 
>> CAS. Perhaps your registry configuration is incomplete.
>> What is your current config?
>>
>> Ray
>>
>> -- 
>>
>>
>> Ray Bon
>> Programmer Analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | rb...@uvic.ca
>>
>> I respectfully acknowledge that my place of work is located within the 
>> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
>> WSÁNEĆ Nations.
>>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20a1889c-2dea-4393-a4e7-03f653a4dcf1%40apereo.org.
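An added configuration example (not from this thread and not the CAS project's own file): an ehcache-replicated.xml for node cas1 of a four-node cluster using Ehcache's manual RMI peer discovery, which is how the "port" / "remotePort" pairing above scales past two nodes. The host names cas1..cas4, the ports and the cache names are assumptions; the cache names must match the ones your CAS version actually creates.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- ehcache-replicated.xml for node cas1 (constructed example). Every node
     gets its own copy: hostName/port name this node, rmiUrls name the other
     three. Host names, ports and cache names are assumptions. -->
<ehcache xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:noNamespaceSchemaLocation="http://ehcache.org/ehcache.xsd"
         updateCheck="false">

  <!-- Listener: the port this node exposes (the "port" in the thread's terms).
       RMI replication carries ticket data with no authentication and no TLS,
       so bind it to the cluster-internal interface and firewall it so only
       the peers can reach it. -->
  <cacheManagerPeerListenerFactory
      class="net.sf.ehcache.distribution.RMICacheManagerPeerListenerFactory"
      properties="hostName=cas1,port=40001,remoteObjectPort=40002,socketTimeoutMillis=2000"/>

  <!-- Peer provider: manual discovery, one //host:port/cacheName entry per
       peer and per replicated cache. Each peer's listener port is what the
       thread calls "remotePort". On cas2 this list names cas1, cas3, cas4. -->
  <cacheManagerPeerProviderFactory
      class="net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory"
      properties="peerDiscovery=manual,rmiUrls=//cas2:40001/ticketGrantingTicketsCache|//cas3:40001/ticketGrantingTicketsCache|//cas4:40001/ticketGrantingTicketsCache|//cas2:40001/serviceTicketsCache|//cas3:40001/serviceTicketsCache|//cas4:40001/serviceTicketsCache"/>

  <!-- Replication settings inherited by the caches CAS creates. Synchronous
       replication propagates a put or removal (e.g. a TGT deleted by SLO) to
       the peers before the call returns, instead of on a background timer. -->
  <defaultCache maxEntriesLocalHeap="10000"
                eternal="false"
                timeToIdleSeconds="7200"
                timeToLiveSeconds="28800">
    <cacheEventListenerFactory
        class="net.sf.ehcache.distribution.RMICacheReplicatorFactory"
        properties="replicateAsynchronously=false,replicatePuts=true,replicateUpdates=true,replicateUpdatesViaCopy=true,replicateRemovals=true"/>
    <!-- Pull the existing tickets from a peer when this node (re)starts. -->
    <bootstrapCacheLoaderFactory
        class="net.sf.ehcache.distribution.RMIBootstrapCacheLoaderFactory"
        properties="bootstrapAsynchronously=true"/>
  </defaultCache>
</ehcache>
```

Point cas.ticket.registry.ehcache.configLocation at this file on every node, changing only hostName and the rmiUrls list per node.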


Re: [cas-user] Problem with logout in case several nodes of CAS and several nodes of Keycloak are used

2020-01-14 Thread 'Maksim Kopeyka' via CAS Community
Ray,

We didn't set up any registry configuration yet. We have several nodes of 
CAS with load balancer.
I don't see any *cas.ticket.registry* properties in our config.

Maksim

On Tuesday, January 14, 2020 at 7:29:52 PM UTC+2, rbon wrote:
>
> Maksim,
>
> Most (all) of the ticket registries should be able to handle multi-node 
> CAS. Perhaps your registry configuration is incomplete.
> What is your current config?
>
> Ray
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
> I respectfully acknowledge that my place of work is located within the 
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
> WSÁNEĆ Nations.
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a03d04f2-094e-4b80-93f2-3eef28165e33%40apereo.org.


[cas-user] Problem with logout in case several nodes of CAS and several nodes of Keycloak are used

2020-01-14 Thread 'Maksim Kopeyka' via CAS Community
The main problem in a multi-node environment is that Keycloak sends a POST request 
to the SLO endpoint of CAS, but CAS won't ask for username/password next time, i.e. 
the previous session is still alive.
What is the best practice to solve such a problem? We have tried to 
broadcast the POST request to the SLO endpoint of all nodes of the CAS environment, 
but Keycloak got exceptions related to java.net.SocketException: 
Connection reset.
Maybe the Hazelcast Ticket Registry may help us?

*When there is only one keycloak and one CAS server*

Everything works as expected:

   - Keycloak will send the sign out POST request to the only CAS server.
   - The only CAS server will then log user out, terminate the existing 
   connection, and ask about username/password for new authentication requests.

*When there are multiple CAS and keycloak servers*


   - User connects to keycloak server 1 (K1) with a persistent connection.
   - K1 redirects user to CAS server 1 (C1) for authentication.
   - User connects to C1 with a persistent connection and logs in.
   - C1 redirects the user to the keycloak VIP (K1 in this case, because of 
   the persistent connection between user and K1).
   - C1 creates a connection to the keycloak VIP, sends some data, and then 
   terminates the connection.
   - User clicks on the "Sign Out" button, and K1 logs user out.
   - Instead of redirecting user to CAS for a log out (which will put user 
   on C1 due to the persistent connection between user and C1), K1 sends a 
   POST request to the CAS VIP.
   - Because this is a new connection from K1 to CAS and there are multiple 
   servers under the CAS VIP, K1 may connect to CAS server 2 (C2) and send the 
   sign out POST request to that server.
   - At this time, user still has a persistent connection with C1.
   - When the user hits the CAS VIP again, the persistent connection between 
   user and C1 is utilized.
   - C1 knows the user is already logged in, hence it does not ask about 
   username/password again. C1 then sends data to the keycloak VIP and 
   redirects user to keycloak.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/749ddf53-52ba-4f72-afa7-6560d744c045%40apereo.org.


[cas-user] Re: Keycloak Backchannel Logout and CAS

2019-12-05 Thread 'Maksim Kopeyka' via CAS Community
I tried this functionality in Keycloak. I see a POST request to CAS after 
logout from Keycloak and I see this request in the CAS access log, but my CAS 
session is still active.
Did I miss something? How to log out from CAS too?

DEBUG [org.apache.http.impl.execchain.MainClientExec] (default task-17) 
Executing request POST /cas/idp/profile/SAML2/POST/SLO HTTP/1.1
DEBUG [org.apache.http.impl.execchain.MainClientExec] (default task-17) 
Target auth state: UNCHALLENGED
DEBUG [org.apache.http.impl.execchain.MainClientExec] (default task-17) 
Proxy auth state: UNCHALLENGED
DEBUG [org.apache.http.headers] (default task-17) http-outgoing-0 >> POST 
/cas/idp/profile/SAML2/POST/SLO HTTP/1.1
DEBUG [org.apache.http.headers] (default task-17) http-outgoing-0 >> 
Content-Length: 4596
DEBUG [org.apache.http.headers] (default task-17) http-outgoing-0 >> 
Content-Type: application/x-www-form-urlencoded
DEBUG [org.apache.http.headers] (default task-17) http-outgoing-0 >> Host: 
dev-cas-idp.myhost.com
DEBUG [org.apache.http.headers] (default task-17) http-outgoing-0 >> 
Connection: Keep-Alive
DEBUG [org.apache.http.headers] (default task-17) http-outgoing-0 >> 
User-Agent: Apache-HttpClient/4.5.4 (Java/1.8.0_212)
DEBUG [org.apache.http.headers] (default task-17) http-outgoing-0 >> 
Accept-Encoding: gzip,deflate
DEBUG [org.apache.http.wire] (default task-17) http-outgoing-0 >> "POST 
/cas/idp/profile/SAML2/POST/SLO HTTP/1.1[\r][\n]"
DEBUG [org.apache.http.wire] (default task-17) http-outgoing-0 >> 
"Content-Length: 4596[\r][\n]"
DEBUG [org.apache.http.wire] (default task-17) http-outgoing-0 >> 
"Content-Type: application/x-www-form-urlencoded[\r][\n]"
DEBUG [org.apache.http.wire] (default task-17) http-outgoing-0 >> "Host: 
dev-cas-idp.myhost.com[\r][\n]"
DEBUG [org.apache.http.wire] (default task-17) http-outgoing-0 >> 
"Connection: Keep-Alive[\r][\n]"
DEBUG [org.apache.http.wire] (default task-17) http-outgoing-0 >> 
"User-Agent: Apache-HttpClient/4.5.4 (Java/1.8.0_212)[\r][\n]"
DEBUG [org.apache.http.wire] (default task-17) http-outgoing-0 >> 
"Accept-Encoding: gzip,deflate[\r][\n]"
DEBUG [org.apache.http.wire] (default task-17) http-outgoing-0 >> "[\r][\n]"
DEBUG [org.apache.http.wire] (default task-17) http-outgoing-0 >> 

[cas-user] (6.0.3) sessionCount never decreases after logout

2019-12-05 Thread 'Maksim Kopeyka' via CAS Community
Hi Guys,

I have 1 instance of CAS and 1 instance of CAS ADMIN on localhost.
I see in CAS admin that the "sessionCount" value is incremented after each login to 
CAS. However, the value doesn't change if I click "log out".

I don't see any errors in the CAS console. Is it a bug in CAS?

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b11f0c82-bac2-4dc3-ad68-032210dd3028%40apereo.org.


Re: [cas-user] Keycloak Backchannel Logout and CAS

2019-12-04 Thread 'Maksim Kopeyka' via CAS Community
Hi Ray,

Your link is about a background call from CAS to Keycloak; however, my question 
is about a background call from Keycloak to CAS.

On Wednesday, December 4, 2019 at 11:32:08 PM UTC+2, rbon wrote:
>
> Maksim,
>
> Yes it does, 
> https://apereo.github.io/cas/6.1.x/installation/Logout-Single-Signout.html#back-channel
>
> Ray
>
> On Wed, 2019-12-04 at 13:23 -0800, 'Maksim Kopeyka' via CAS Community 
> wrote:
>
> Hi Guys, 
>
> I use CAS as IDP in keycloak.
> IDP has option "Backchannel Logout". This is a description:
>
> Backchannel logout is a background, out-of-band, REST invocation to the 
> IDP to logout the user. Some IDPs can only perform logout through browser 
> redirects as they may only be able to identify sessions via a browser 
> cookie.
>
>
> Does CAS support such a way to log out? 
>
> -- 
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
> I respectfully acknowledge that my place of work is located within the 
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
> WSÁNEĆ Nations.
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7b3ab4b3-3f2a-4869-b28b-77d2a5e95611%40apereo.org.


[cas-user] Keycloak Backchannel Logout and CAS

2019-12-04 Thread 'Maksim Kopeyka' via CAS Community
Hi Guys,

I use CAS as IDP in keycloak.
IDP has option "Backchannel Logout". This is a description:

Backchannel logout is a background, out-of-band, REST invocation to the IDP 
to logout the user. Some IDPs can only perform logout through browser 
redirects as they may only be able to identify sessions via a browser 
cookie.


Does CAS support such a way to log out? 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d57f22d5-ec47-4efe-928e-7ce690f62481%40apereo.org.


Re: [cas-user] Re: CAS 6.0.3 ignores header and footer in my theme

2019-11-11 Thread 'Maksim Kopeyka' via CAS Community
Hi Steve,

https://apereo.github.io/cas/6.1.x/ux/User-Interface-Customization-Themes.html#dynamic-themes
https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#themes
https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/k-yfoou7Zy0

On Tuesday, November 12, 2019 at 4:56:29 AM UTC+2, Steve Cheung wrote:
>
> Hi Maksim,
>
> I want to do the same thing here to customize a login form. May I know which 
> URL you followed to do it? 
>
> Thanks, Steve
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b0ea6143-3b0f-40f7-aa17-5bb823edc0f2%40apereo.org.


[cas-user] Re: CAS 6.0.3 ignores header and footer in my theme

2019-11-11 Thread 'Maksim Kopeyka' via CAS Community
My bad, I didn't set the theme prefix for this line in casLoginView.html:
<html xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
      layout:decorate="~{layout}">

So with the prefix everything works as expected:
<html xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
      layout:decorate="~{test/layout}">

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/956f5905-17cc-42b0-a642-0723b9d20c16%40apereo.org.


[cas-user] CAS 6.0.3 ignores header and footer in my theme

2019-11-11 Thread 'Maksim Kopeyka' via CAS Community
Hi Guys,

I have to create a custom theme. According to the documentation this task is 
simple enough. However, CAS ignores 2 of 3 fragments of my theme. I see my 
login form, but the header and footer are ignored and CAS shows the default header 
and footer.

This is my folders structure:

   - resources/templates/test
      - fragments
         - footer.html
         - header.html
         - loginform.html
      - casLoginView.html
      - layout.html

The content of all files is trivial. I expected to see a white screen with 
HEADER, FOOTER and LOGIN FORM text; however, I see a big CAS logo with the 
default header and footer and with the text LOGIN FORM. How do I override the header 
and footer fragments?

*casLoginView.html*

<html xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
      layout:decorate="~{layout}">
CAS Acceptable Use Policy View
Login Form goes here

*layout.html*

<html xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout">
CAS
Central Authentication Service
Header fragment will go here
CAS content will go here
Footer fragment will go here

*footer.html - ignored*

Footer Fragment
FOOTER

*header.html - ignored*

Header Fragment
HEADER

*loginform.html*

Login Form Fragment
LOGIN FORM


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f3798bb6-4652-4b7c-852f-5e913a79fe6c%40apereo.org.


[cas-user] Re: Request a Service Ticket via rest api

2019-10-15 Thread 'Maksim Kopeyka' via CAS Community
The problem has been resolved by adding the header "Accept: text/plain".
It seems to me it should be added to the documentation.

On Saturday, October 12, 2019 at 1:29:47 AM UTC+3, Maksim Kopeyka wrote:
>
> Hi Guys,
>
> I'm trying to request a service ticket according to the documentation 
> https://apereo.github.io/cas/6.0.x/protocol/REST-Protocol.html#request-a-service-ticket
> but I don't see it in the response; however, I see it in the log file and 
> this ticket is validated without problems. How to obtain a service ticket via 
> the REST API response?
>
> In my case I send a POST request to my CAS 
> http://10.131.30.55:8443/cas/v1/tickets/TGT-2-t-zrIbxxx with 
> parameter service=http://www.example.com
> and Content-Type=application/x-www-form-urlencoded
>
> These are the response headers:
> Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> Pragma: no-cache
> Expires: 0
> X-Content-Type-Options: nosniff
> X-Frame-Options: DENY
> X-XSS-Protection: 1; mode=block
> Content-Type: application/vnd.cas.services+yaml;charset=UTF-8
> Content-Length: 0
> Date: Fri, 11 Oct 2019 22:19:54 GMT
> Server: Apereo CAS
>
> This is a log file:
> 2019-10-11 22:19:54,030 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
> =
> WHO: gsi
> WHAT: ST-1-l6udFD0OXHBYplF91h--lXRnVdY8d63a7ebd424 for 
> http://www.example.com
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Fri Oct 11 22:19:54 UTC 2019
> CLIENT IP ADDRESS: 10.85.189.191
> SERVER IP ADDRESS: 172.19.0.2
> =
>
> >
> 2019-10-11 22:19:54,036 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
> =
> WHO: gsi
> WHAT: [status=200-OK,body=ST-1-l6udFD0OXHBYplF91h--lXRnVdY8d63a7ebd424]
> ACTION: REST_API_SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Fri Oct 11 22:19:54 UTC 2019
> CLIENT IP ADDRESS: 10.85.189.191
> SERVER IP ADDRESS: 172.19.0.2
> =
>
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9bf13c4c-f94f-428f-9fef-df1f1713a4d0%40apereo.org.


[cas-user] Request a Service Ticket via rest api

2019-10-11 Thread 'Maksim Kopeyka' via CAS Community
Hi Guys,

I'm trying to request a service ticket according to the documentation 
https://apereo.github.io/cas/6.0.x/protocol/REST-Protocol.html#request-a-service-ticket
but I don't see it in the response; however, I see it in the log file and 
this ticket is validated without problems. How to obtain a service ticket via 
the REST API response?

In my case I send a POST request to my 
CAS http://10.131.30.55:8443/cas/v1/tickets/TGT-2-t-zrIbxxx 
with parameter service=http://www.example.com
and Content-Type=application/x-www-form-urlencoded

These are the response headers:
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Type: application/vnd.cas.services+yaml;charset=UTF-8
Content-Length: 0
Date: Fri, 11 Oct 2019 22:19:54 GMT
Server: Apereo CAS

This is a log file:
2019-10-11 22:19:54,030 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
=
WHO: gsi
WHAT: ST-1-l6udFD0OXHBYplF91h--lXRnVdY8d63a7ebd424 for 
http://www.example.com
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Oct 11 22:19:54 UTC 2019
CLIENT IP ADDRESS: 10.85.189.191
SERVER IP ADDRESS: 172.19.0.2
=

2019-10-11 22:19:54,036 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
=
WHO: gsi
WHAT: [status=200-OK,body=ST-1-l6udFD0OXHBYplF91h--lXRnVdY8d63a7ebd424]
ACTION: REST_API_SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Oct 11 22:19:54 UTC 2019
CLIENT IP ADDRESS: 10.85.189.191
SERVER IP ADDRESS: 172.19.0.2
=

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/46083c84-300b-4681-a2c6-fd51c3bdfe7d%40apereo.org.