[cas-user] Re: Two instances of CAS

2023-04-21 Thread Colin Wilkinson
Hi Pablo,

Two versions of tomcat running under separate users.

CAS1 Details,

Tomcat Location: /opt/tomcat1
CAS Config: /etc/cas/config
Tomcat User: tomcat101

CAS2 Details,

Tomcat Location: /opt/tomcat2
CAS Config: /etc/cas2/config
Tomcat User: tomcat1012

This issue should be able to be replicated via one instance: just configure 
CAS in a directory other than the default, e.g. /etc/anotherCAS/config 
rather than /etc/cas/config, and make sure that tomcat is not able to write 
to /etc/cas, and the issue should be replicated.

Regards,
Colin

On Thursday, 20 April 2023 at 03:25:45 UTC+10 Pablo Vidaurri wrote:

> are you running two instances of cas under the same jvm (same tomcat)?
>
> On Monday, March 27, 2023 at 12:39:54 AM UTC-5 wilc...@gmail.com wrote:
>
>> Hi,
>>
>> We have picked up a weird issue during our development of our CAS 
>> upgrade. We are running two instances of CAS: one instance handles only the 
>> delegated authentication for employees/students to Azure AD, and applicants 
>> go to the second instance of CAS for on-premise AD.
>>
>> This issue occurs when you try to run the CAS configuration from another 
>> directory, e.g. "/etc/applicantCas/config", and the main directory 
>> "/etc/cas/config" is not accessible (not writable).
>>
>> The issue looks like either the configuration is not being read or 
>> something, as I am getting the following error
>>
>> Caused by: java.io.FileNotFoundException: /etc/cas/config/keystore.jwks 
>> (Permission denied)
>>
>> Even though I have the following set
>>
>>
>> cas.authn.oidc.jwks.fileSystem.jwks-file=file:/etc/applicantCas/config/defaultKeystore.jwks
>>
>> I have overlay configured with
>> implementation "org.apereo.cas:cas-server-core-api-configuration-model"
>> implementation "org.apereo.cas:cas-server-webapp-init"
>> implementation "org.apereo.cas:cas-server-support-json-service-registry"
>> implementation "org.apereo.cas:cas-server-support-oauth-webflow"
>> implementation "org.apereo.cas:cas-server-support-oidc"
>> implementation "org.apereo.cas:cas-server-support-ldap"
>>
>> Tomcat is set to run with -Dcas.standalone.configuration-directory=/etc/applicantCas/config
>> Tomcat is set to run from user/group tomcat1012 (tomcat 10 instance 2)
>>
>> The main CAS configuration "/etc/cas/config/" is set to user/group 
>> tomcat101 (tomcat 10 instance 1) and hence the main configuration is 
>> writable from tomcat1012.
>>
>> I think part of the issue is that 
>> in FileSystemOidcJsonWebKeystoreProperties.java the variable jwksFile is 
>> hardcoded to "file:/etc/cas/config/keystore.jwks"
>>
>> Should not the above variable honor the 
>> cas.standalone.configuration-directory setting?
>>
>> I apologise if this is not clear.
>>
>> Regards,
>> Colin
>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/323e8885-c261-4cbf-a333-2ca702d15072n%40apereo.org.


[cas-user] Two instances of CAS

2023-03-26 Thread Colin Wilkinson
Hi,

We have picked up a weird issue during our development of our CAS 
upgrade. We are running two instances of CAS: one instance handles only the 
delegated authentication for employees/students to Azure AD, and applicants 
go to the second instance of CAS for on-premise AD.

This issue occurs when you try to run the CAS configuration from another 
directory, e.g. "/etc/applicantCas/config", and the main directory 
"/etc/cas/config" is not accessible (not writable).

The issue looks like either the configuration is not being read or 
something, as I am getting the following error

Caused by: java.io.FileNotFoundException: /etc/cas/config/keystore.jwks 
(Permission denied)

Even though I have the following set

cas.authn.oidc.jwks.fileSystem.jwks-file=file:/etc/applicantCas/config/defaultKeystore.jwks

I have overlay configured with
implementation "org.apereo.cas:cas-server-core-api-configuration-model"
implementation "org.apereo.cas:cas-server-webapp-init"
implementation "org.apereo.cas:cas-server-support-json-service-registry"
implementation "org.apereo.cas:cas-server-support-oauth-webflow"
implementation "org.apereo.cas:cas-server-support-oidc"
implementation "org.apereo.cas:cas-server-support-ldap"

Tomcat is set to run with -Dcas.standalone.configuration-directory=/etc/applicantCas/config
Tomcat is set to run from user/group tomcat1012 (tomcat 10 instance 2)

The main CAS configuration "/etc/cas/config/" is set to user/group 
tomcat101 (tomcat 10 instance 1) and hence the main configuration is 
writable from tomcat1012.

I think part of the issue is that 
in FileSystemOidcJsonWebKeystoreProperties.java the variable jwksFile is 
hardcoded to "file:/etc/cas/config/keystore.jwks"

Should not the above variable honor the 
cas.standalone.configuration-directory setting?

I apologise if this is not clear.

Regards,
Colin

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7113bf1d-7df9-44bc-960c-15d498dd71adn%40apereo.org.


[cas-user] CAS 7.0.0-RC5 change password issue

2023-03-26 Thread Colin Wilkinson
Hi,

I think you have a slight coding mistake in PasswordChangeAction.java. When 
we were testing change password, the current password was coming back 
null.

I believe you have a coding mistake in the following lines of code, as in 
the code below you are just setting it back to itself.

Optional.ofNullable(WebUtils.getCredential(requestContext, UsernamePasswordCredential.class))
    .ifPresent(credential -> bean.setCurrentPassword(bean.getCurrentPassword()));

What I think you meant was

Optional.ofNullable(WebUtils.getCredential(requestContext, UsernamePasswordCredential.class))
    .ifPresent(credential -> bean.setCurrentPassword(credential.getToPassword()));

Regards,
Colin

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6a60aa83-9ea9-449b-a852-d57f8257edccn%40apereo.org.


Re: [cas-user] CAS 7.0.0-RC4 Pac4j Azure not working

2023-02-22 Thread Colin Wilkinson
Hi Jérôme,

Worked like a charm.

Regards,
Colin

On Tuesday, 21 February 2023 at 17:41:30 UTC+11 CAS Community wrote:

> Hi,
>
> It should be fixed: 
> https://github.com/pac4j/pac4j/commit/f8a9450f794add3a65544c8586552305f9976b70
> Can you test with CAS 7.0.0-RC4 and pac4j v6.0.0-RC6-SNAPSHOT (pull 
> pac4j-core and pac4j-oidc in version 6.0.0-RC6-SNAPSHOT and exclude the 
> same dependencies in v6.0.0-RC5).
> Thanks.
> Best regards,
> Jérôme
>
>
> On Friday 17 February 2023 at 04:17:28 UTC+1, wilc...@gmail.com wrote:
>
>> HI  Jérôme,
>>
>> I am happy to post the configuration if required, but I think you have a 
>> slight error in CAS causing the tenant id to get lost.
>>
>> In "BaseDelegatedClientFactory.java" you have the "getOidcClientFrom" 
>> method which has the following for azure
>>
>> if (clientProperties.getAzure().isEnabled() && StringUtils.isNotBlank(clientProperties.getAzure().getId())) {
>>     LOGGER.debug("Building OpenID Connect client for Azure AD...");
>>     val azure = getOidcConfigurationForClient(clientProperties.getAzure(), AzureAd2OidcConfiguration.class);
>>     azure.setTenant(clientProperties.getAzure().getTenant());
>>     *val cfg = new AzureAd2OidcConfiguration(azure);*
>>     val azureClient = new AzureAd2Client(cfg);
>>     configureClient(azureClient, clientProperties.getAzure(), casProperties);
>>     return azureClient;
>> }
>>
>> Highlighted in bold is what I think the issue is as when I inspected the 
>> "AzureAd2OidcConfiguration" the constructor does set the tenant and this is 
>> causing the tenant to get lost.
>>
>> I have some custom changes to set the login_hint for azure when using the 
>> dynamic lookup. I added extra code to test if changing it to the below worked 
>> and it proceeded to Microsoft, but I got another error after it came back. I 
>> will post that error in another message.
>>
>> if (clientProperties.getAzure().isEnabled() && StringUtils.isNotBlank(clientProperties.getAzure().getId())) {
>>     LOGGER.debug("Building OpenID Connect client for Azure AD...");
>>     val cfg = getOidcConfigurationForClient(clientProperties.getAzure(), AzureAd2OidcConfiguration.class);
>>     cfg.setTenant(clientProperties.getAzure().getTenant());
>>     val azureClient = new AzureAd2Client(cfg);
>>     configureClient(azureClient, clientProperties.getAzure(), casProperties);
>>     return azureClient;
>> }
>>
>> Thanks.
>> Regards,
>> Colin
>>
>>
>> On Thursday, 16 February 2023 at 17:56:46 UTC+11 leleuj wrote:
>>
>>> Hi,
>>>
>>> What is your related CAS delegated authn configuration?
>>>
>>> Remove any sensitive information!
>>>
>>> Thanks.
>>> Best regards,
>>> Jérôme
>>>
>>>
>>> On Wed 15 Feb 2023 at 06:18, Colin Wilkinson wrote:
>>>
>>>> Hi,
>>>>
>>>> I am just testing out configuration against CAS 7.0.0-RC4. The 
>>>> configuration is currently deployed to our dev server against CAS 6.6.x 
>>>> and this is working fine.
>>>>
>>>> But when I go to run against CAS 7.0.0.RC4 I get,
>>>>
>>>> Caused by: java.net.URISyntaxException: Illegal character in path at 
>>>> index 34: https://login.microsoftonline.com/{tenantid}/v2.0
>>>>
>>>> I have attached the full stack trace.
>>>>
>>>> To view this discussion on the web visit 
>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/32c5e292-89cf-4968-99e9-dd82f31c55a3n%40apereo.org
>>>>
>>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/31121a90-9d98-4e04-9f50-324c561d0a9bn%40apereo.org.


[cas-user] Re: Pac4j Azure Ad issue

2023-02-21 Thread Colin Wilkinson
This is a pac4j issue and has been raised with pac4j at 

https://groups.google.com/g/pac4j-dev/c/k8Dj3ihjtMU

On Monday, 20 February 2023 at 17:05:47 UTC+11 Colin Wilkinson wrote:

> Hi,
>
>
> I am unsure if this is related to the Pac4j Azure Ad redirect issue 
> <https://groups.google.com/a/apereo.org/g/cas-user/c/xXYmX2f7rg0> or even 
> if it's a CAS issue, but I thought I would start here.
>
> I patched the above issue locally to prevent the tenant from going missing 
> so that I could continue on testing, but hit another error in 
> "org.pac4j.oidc.credentials.authenticator.OidcAuthenticator".
>
> When using the "cas.authn.pac4j.oidc[0].azure" it fails with the following 
> error
>
> Token response: status=401, 
> content={"error":"invalid_client","error_description":"AADSTS7000218: The 
> request body must contain the following parameter: 'client_assertion' or 
> 'client_secret'.\r\nTrace ID: 
> 2de9a836-b6a8-4ce9-bca2-a88862983800\r\nCorrelation ID: 
> 9ad131b2-ba04-4e51-be8d-e7f99f7a8ab9\r\nTimestamp: 2023-02-20 
> 04:58:34Z","error_codes":[7000218],"timestamp":"2023-02-20 
> 04:58:34Z","trace_id":"2de9a836-b6a8-4ce9-bca2-a88862983800","correlation_id":"9ad131b2-ba04-4e51-be8d-e7f99f7a8ab9","error_uri":"
> https://login.microsoftonline.com/error?code=7000218
> ","claims":"{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"b6a5a1ff-b5f3-4f73-b5c7-91b62aba058b\"]}}}"
>
> If I change over to "cas.authn.pac4j.oidc[0].generic", remove the 
> "cas.authn.pac4j.oidc[0].azure.tenant" as that is Azure specific and 
> correctly set the discoverUri to what it should be, I get the following:
>
> Token response: status=200, 
>
> Regards,
> Colin
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8f185a89-c5e7-4908-ac12-053c05f00e38n%40apereo.org.


[cas-user] Pac4j Azure Ad issue

2023-02-19 Thread Colin Wilkinson
Hi,


I am unsure if this is related to the Pac4j Azure Ad redirect issue or even 
if it's a CAS issue, but I thought I would start here.

I patched the above issue locally to prevent the tenant from going missing 
so that I could continue on testing, but hit another error in 
"org.pac4j.oidc.credentials.authenticator.OidcAuthenticator".

When using the "cas.authn.pac4j.oidc[0].azure" it fails with the following 
error

Token response: status=401, 
content={"error":"invalid_client","error_description":"AADSTS7000218: The 
request body must contain the following parameter: 'client_assertion' or 
'client_secret'.\r\nTrace ID: 
2de9a836-b6a8-4ce9-bca2-a88862983800\r\nCorrelation ID: 
9ad131b2-ba04-4e51-be8d-e7f99f7a8ab9\r\nTimestamp: 2023-02-20 
04:58:34Z","error_codes":[7000218],"timestamp":"2023-02-20 
04:58:34Z","trace_id":"2de9a836-b6a8-4ce9-bca2-a88862983800","correlation_id":"9ad131b2-ba04-4e51-be8d-e7f99f7a8ab9","error_uri":"https://login.microsoftonline.com/error?code=7000218","claims":"{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"b6a5a1ff-b5f3-4f73-b5c7-91b62aba058b\"]}}};

If I change over to "cas.authn.pac4j.oidc[0].generic", remove the 
"cas.authn.pac4j.oidc[0].azure.tenant" as that is Azure specific and 
correctly set the discoverUri to what it should be, I get the following:

Token response: status=200, 

Regards,
Colin

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/49cc65f9-eb58-4ea9-bf33-0ba19697c006n%40apereo.org.


Re: [cas-user] CAS 7.0.0-RC4 Pac4j Azure not working

2023-02-16 Thread Colin Wilkinson
Hi Jérôme,

I am happy to post the configuration if required, but I think you have a 
slight error in CAS causing the tenant id to get lost.

In "BaseDelegatedClientFactory.java" you have the "getOidcClientFrom" 
method which has the following for azure

if (clientProperties.getAzure().isEnabled() && StringUtils.isNotBlank(clientProperties.getAzure().getId())) {
    LOGGER.debug("Building OpenID Connect client for Azure AD...");
    val azure = getOidcConfigurationForClient(clientProperties.getAzure(), AzureAd2OidcConfiguration.class);
    azure.setTenant(clientProperties.getAzure().getTenant());
    *val cfg = new AzureAd2OidcConfiguration(azure);*
    val azureClient = new AzureAd2Client(cfg);
    configureClient(azureClient, clientProperties.getAzure(), casProperties);
    return azureClient;
}

Highlighted in bold is what I think the issue is as when I inspected the 
"AzureAd2OidcConfiguration" the constructor does set the tenant and this is 
causing the tenant to get lost.

I have some custom changes to set the login_hint for azure when using the 
dynamic lookup. I added extra code to test if changing it to the below worked 
and it proceeded to Microsoft, but I got another error after it came back. I 
will post that error in another message.

if (clientProperties.getAzure().isEnabled() && StringUtils.isNotBlank(clientProperties.getAzure().getId())) {
    LOGGER.debug("Building OpenID Connect client for Azure AD...");
    val cfg = getOidcConfigurationForClient(clientProperties.getAzure(), AzureAd2OidcConfiguration.class);
    cfg.setTenant(clientProperties.getAzure().getTenant());
    val azureClient = new AzureAd2Client(cfg);
    configureClient(azureClient, clientProperties.getAzure(), casProperties);
    return azureClient;
}

Thanks.
Regards,
Colin


On Thursday, 16 February 2023 at 17:56:46 UTC+11 leleuj wrote:

> Hi,
>
> What is your related CAS delegated authn configuration?
>
> Remove any sensitive information!
>
> Thanks.
> Best regards,
> Jérôme
>
>
> On Wed 15 Feb 2023 at 06:18, Colin Wilkinson wrote:
>
>> Hi,
>>
>> I am just testing out configuration against CAS 7.0.0-RC4. The 
>> configuration is currently deployed to our dev server against CAS 6.6.x 
>> and this is working fine.
>>
>> But when I go to run against CAS 7.0.0.RC4 I get,
>>
>> Caused by: java.net.URISyntaxException: Illegal character in path at 
>> index 34: https://login.microsoftonline.com/{tenantid}/v2.0
>>
>> I have attached the full stack trace.
>>
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/32c5e292-89cf-4968-99e9-dd82f31c55a3n%40apereo.org
>>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d61ec21b-6dee-411b-bcfd-60bc35cf6db3n%40apereo.org.


[cas-user] CAS 7.0.0-RC4 Pac4j Azure not working

2023-02-14 Thread Colin Wilkinson
Hi,

I am just testing out configuration against CAS 7.0.0-RC4. The 
configuration is currently deployed to our dev server against CAS 6.6.x 
and this is working fine.

But when I go to run against CAS 7.0.0.RC4 I get,

Caused by: java.net.URISyntaxException: Illegal character in path at index 
34: https://login.microsoftonline.com/{tenantid}/v2.0

I have attached the full stack trace.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/32c5e292-89cf-4968-99e9-dd82f31c55a3n%40apereo.org.
2023-02-15 15:14:16,139 ERROR 
[org.springframework.boot.web.servlet.support.ErrorPageFilter] - 
org.springframework.webflow.execution.ActionExecutionException: Exception 
thrown executing 
org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationRedirectAction@491dc17c
 in state 'delegatedAuthenticationClientRedirect' of flow 'clientredirect' -- 
action execution attributes were 'map[[empty]]'

[cas-user] CAS 6.2.0 - OIDC - JWT Access Token

2020-12-07 Thread Colin Wilkinson
Hi,

I am trying to configure an OIDC service with JWT Access Token set to true, 
using an alternate jwks other than the default.

I have tried bunch of different configurations within the service file but 
it always seems to use the default jwks.

At this stage I am only trying to sign it, NOT encrypt it.

Regards,
Colin


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7dfb1576-5484-416a-8914-dd7b0074636cn%40apereo.org.


[cas-user] Regarding Radius MFA EAP-MCHAPV2 protocol

2020-07-22 Thread Colin Wilkinson
Hi,

While trying to integrate CAS with Radius MFA we have noticed that when 
using the EAP-MCHAPV2 protocol CAS always proceeds as though the login has 
been successful.

I have noticed that if CAS receives an Access Challenge response it proceeds 
on, but should CAS only proceed if Access Accept has been returned?

if (response instanceof AccessAccept || response instanceof AccessChallenge) {
    val attributes = response.getAttributes().getAttributeList();
    LOGGER.debug("Radius response code [{}] accepted with attributes [{}] and identifier [{}]",
        response.getCode(), attributes, response.getIdentifier());
    return new CasRadiusResponse(response.getCode(), response.getIdentifier(), attributes);
}

Regards,
Colin

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3efc394e-417d-46f3-a902-368715ab96a9o%40apereo.org.
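The check the post above argues for, written out as an added example (not CAS code and not the poster's): a RADIUS reply counts as authenticated only on Access-Accept, an Access-Challenge is handed back as a state the client must continue, and the reply is first tied to our request by identifier and Response Authenticator. The shared secret, request authenticator and packets are constructed sample values.

```python
"""Added example (not CAS project code): RADIUS reply handling that treats only
Access-Accept as success, the change argued for above.  Secret, request
authenticator and packets are constructed samples; numbers follow RFC 2865/2869."""
import hashlib
import hmac
import struct
from enum import Enum, IntEnum


class Code(IntEnum):
    ACCESS_ACCEPT = 2
    ACCESS_REJECT = 3
    ACCESS_CHALLENGE = 11


REPLY_MESSAGE, STATE, EAP_MESSAGE = 18, 24, 79  # attribute types


class Outcome(Enum):
    ACCEPTED = "accepted"    # only Access-Accept ends here
    REJECTED = "rejected"
    CHALLENGE = "challenge"  # another Access-Request carrying State/EAP is needed


def build_response(code, identifier, attrs, request_auth, secret):
    """Serialise a server reply with a valid Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def parse_packet(packet):
    """Return (code, identifier, authenticator, attrs); rejects bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} does not match {len(packet)} bytes")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, packet[4:20], attrs


def accepted_as_described(code):
    """The behaviour the post describes: Access-Challenge counted as success."""
    return code in (Code.ACCESS_ACCEPT, Code.ACCESS_CHALLENGE)


def evaluate(packet, expected_identifier, request_auth, secret):
    """Hardened decision: check the reply matches our request and the shared
    secret, then map only Access-Accept to ACCEPTED.  A challenge's attrs carry
    the State/EAP-Message the client must echo in its next Access-Request."""
    code, identifier, authenticator, attrs = parse_packet(packet)
    if identifier != expected_identifier:
        raise ValueError("identifier mismatch: not a reply to our request")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        raise ValueError("bad Response Authenticator: discard (RFC 2865 s3)")
    if code == Code.ACCESS_ACCEPT:
        return Outcome.ACCEPTED, attrs
    if code == Code.ACCESS_CHALLENGE:
        return Outcome.CHALLENGE, attrs
    return Outcome.REJECTED, attrs  # Access-Reject and anything unexpected


# Constructed sample values, not captured traffic.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_ID = 7


def sample_responses():
    """Three constructed server replies to the same Access-Request."""
    def reply(code, attrs):
        return build_response(code, SAMPLE_ID, attrs, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)
    return {
        "accept": reply(Code.ACCESS_ACCEPT, [(REPLY_MESSAGE, b"welcome")]),
        # EAP-MSCHAPv2 style: State plus an EAP-Message to continue the exchange
        "challenge": reply(Code.ACCESS_CHALLENGE, [(STATE, b"\x01\x02\x03"),
                                                   (EAP_MESSAGE, b"\x01\x02\x00\x06\x1a\x01"),
                                                   (REPLY_MESSAGE, b"Enter your token")]),
        "reject": reply(Code.ACCESS_REJECT, []),
    }


def compare_decisions():
    """Per sample: (accepted by the described logic, hardened outcome)."""
    results = {}
    for name, pkt in sample_responses().items():
        outcome, _ = evaluate(pkt, SAMPLE_ID, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)
        results[name] = (accepted_as_described(pkt[0]), outcome)
    return results
```

Under the described logic the challenge sample is accepted outright; the hardened path returns CHALLENGE with the State attribute so the token prompt can follow, and a reply whose code was altered after signing is discarded.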


[cas-user] Radius MFA mock call RadiusMultifactorAuthenticationProvider

2020-07-22 Thread Colin Wilkinson
Hi,

We are currently trying to integrate CAS with Radius MFA and have noticed 
in the logs of the Radius server that CAS is making an initial call 
using the username "RadiusMultifactorAuthenticationProvider" in the 
attached method to see if the call is available.

Why does CAS make a test to see if the server is available rather than 
showing the correct screen and asking for the token?

Sending an authentication request with a dummy username and password is 
dangerous as it could be seen as hacking.

/**
 * Can ping.
 *
 * @return true/false
 */
public boolean canPing() {
    val uidPsw = getClass().getSimpleName();
    for (val server : this.servers) {
        LOGGER.debug("Attempting to ping RADIUS server [{}] via simulating an authentication request. If the server responds "
            + "successfully, mock authentication will fail correctly.", server);
        try {
            server.authenticate(uidPsw, uidPsw);
        } catch (final TimeoutException | SocketTimeoutException e) {
            LOGGER.debug("Server [{}] is not available", server);
            continue;
        } catch (final Exception e) {
            LOGGER.debug("Pinging RADIUS server was successful. Response [{}]", e.getMessage());
        }
        return true;
    }
    return false;
}

Regards,
Colin

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ff998cb1-ba6d-4af7-901d-6934f8a9ae6fo%40apereo.org.


[cas-user] Re: SAML2 Auth flow broken using CAS 6.1.0-RC6

2020-06-21 Thread Colin Wilkinson
Guys,
 
In CAS 6.1.0-RC5 CoreSamlConfiguration.java was updated to take into account 
the use of Apache Velocity 2.x, see Pull request 4187.

The problem is that some modules are importing Apache Velocity 1.7; once 
Apache Velocity 1.7 is imported it causes problems, as in Apache Velocity 2.0 
some of the key properties were renamed.

I know of the following three that are causing the problem; there may be 
more.

   1. cas-server-support-pac4j-webflow
   2. cas-server-support-saml-idp
   3. cas-server-support-saml

The work around to the issue is to add "exclude(group: 
'org.apache.velocity', module: 'velocity')" to any module causing the 
problem.

To the people of CAS, you look to have a dependency issue "Apache Velocity 
1.7" is being imported by some modules.

Regards,
Colin

On Thursday, 17 October 2019 23:03:17 UTC+11, Michael Daley wrote:
>
> When running a fresh install of CAS 6.1.0-RC6 I receive the following 
> error after authentication using SAML2.  
>
> 2019-10-16 16:22:46,244 ERROR [org.apache.catalina.core.ContainerBase.[
> Tomcat].[localhost].[/cas].[dispatcherServlet]] -  servlet [dispatcherServlet] in context with path [/cas] threw exception 
> [Request processing failed; nested exception is 
> org.opensaml.messaging.encoder.MessageEncodingException: Error creating 
> output document] with root cause>
> org.apache.velocity.exception.ResourceNotFoundException: Unable to find 
> resource '/templates/saml2-post-binding.vm'
> at org.apache.velocity.runtime.resource.ResourceManagerImpl.loadResource(ResourceManagerImpl.java:474) ~[velocity-1.7.jar!/:1.7]
> at org.apache.velocity.runtime.resource.ResourceManagerImpl.getResource(ResourceManagerImpl.java:352) ~[velocity-1.7.jar!/:1.7]
> at org.apache.velocity.runtime.RuntimeInstance.getTemplate(RuntimeInstance.java:1533) ~[velocity-1.7.jar!/:1.7]
> at org.apache.velocity.app.VelocityEngine.mergeTemplate(VelocityEngine.java:343) ~[velocity-1.7.jar!/:1.7]
> at org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder.postEncode(HTTPPostEncoder.java:172) ~[opensaml-saml-impl-3.4.5.jar!/:?]
> at org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder.doEncode(HTTPPostEncoder.java:146) ~[opensaml-saml-impl-3.4.5.jar!/:?]
> at org.opensaml.messaging.encoder.AbstractMessageEncoder.encode(AbstractMessageEncoder.java:53) ~[opensaml-messaging-api-3.4.5.jar!/:?]
> at org.opensaml.messaging.encoder.servlet.BaseHttpServletResponseXMLMessageEncoder.encode(BaseHttpServletResponseXMLMessageEncoder.java:50) ~[opensaml-messaging-api-3.4.5.jar!/:?]
> at org.apereo.cas.support.saml.web.idp.profile.builders.enc.encoder.BaseHttpServletAwareSamlObjectEncoder.finalizeEncode(BaseHttpServletAwareSamlObjectEncoder.java:102) ~[cas-server-support-saml-idp-web-6.1.0-RC6.jar!/:6.1.0-RC6]
> at org.apereo.cas.support.saml.web.idp.profile.builders.enc.encoder.BaseHttpServletAwareSamlObjectEncoder.encode(BaseHttpServletAwareSamlObjectEncoder.java:63) ~[cas-server-support-saml-idp-web-6.1.0-RC6.jar!/:6.1.0-RC6]
> at org.apereo.cas.support.saml.web.idp.profile.builders.response.SamlProfileSaml2ResponseBuilder.encode(SamlProfileSaml2ResponseBuilder.java:130) ~[cas-server-support-saml-idp-web-6.1.0-RC6.jar!/:6.1.0-RC6]
>
> Dependencies added:
> compile "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
> compile "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
> compile "org.apereo.cas:cas-server-support-yaml-service-registry:${project.'cas.version'}"
> compile "org.apereo.cas:cas-server-support-hazelcast-ticket-registry:${project.'cas.version'}"
> compile "org.apereo.cas:cas-server-support-bootadmin-client:${project.'cas.version'}"
> compile "org.apereo.cas:cas-server-support-saml:${project.'cas.version'}"
> compile "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
> compile "org.apereo.cas:cas-server-support-ws-sts:${project.'cas.version'}"
> compile "org.apereo.cas:cas-server-support-ws-idp:${project.'cas.version'}"
> compile "org.apereo.cas:cas-server-support-ws-idp-api:${project.'cas.version'}"
>
>
> Thanks, 
> M. Daley
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 

Re: [cas-user] Re: Cas Default language

2019-02-19 Thread Colin Wilkinson
Hi John,

Firstly, there is no such locale in Java as UK; the locale for the UK is en_GB 
(see Java Locale "English (United Kingdom)" 
).

Secondly, it's defined in the wrong location: you have it defined in 
application.properties but you need to define it in cas.properties.

So try,
cas.locale.defaultValue=en_GB

You do not need to specify paramName as the default for that value is 
locale.

Regards,
Colin

On Tuesday, 19 February 2019 18:28:03 UTC+11, john adz wrote:
>
> Hi,
>
> I'm trying with Chrome incognito. I write what I wrote in 
> application.properties, but still in English. Do I delete the 
> messages.properties file and see the messages_uk.properties file? Do I have 
> to make a change elsewhere?
>
> Thanks,
>
> On Monday, February 18, 2019 at 12:44:23 PM UTC+3, Andy Ng wrote:
>>
>> Looking at the source code here: 
>> https://github.com/apereo/cas/blob/v5.3.7/webapp/cas-server-webapp-config/src/main/java/org/apereo/cas/config/CasWebAppConfiguration.java#L63
>>
> The locale is also affected by a cookie; maybe try using Chrome Incognito 
> or a similar browser, so that your previous cookie is not used?
>>
>> - Andy
>>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ba4b931a-cc19-4adf-a14f-80dc3c94c84d%40apereo.org.


[cas-user] CAS 5.3.7 IDP Metadata creation

2019-02-06 Thread Colin Wilkinson
Hi,

We are in the process of trying to migrate some of our SAML related logins 
across to CAS when we noticed that not all the endpoints are actually defined 
in the metadata file. Upon further investigation we found that the template 
file that is used to generate the metadata file is missing the two endpoints 
as well.

These two endpoints are missing from both the generated metadata file and 
the template file.

/idp/profile/SAML2/Redirect/SLO
/idp/profile/SAML2/Unsolicited/SSO


Is there any reason why these are missing from the template file?

The issue now is that the template file is stored within a jar and the location is 
hard coded to be on the class path. Can the template XML be externalised?

We would prefer not to have to alter the metadata file once generated.

Regards,
Colin
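A check for the point raised above, added here as an example and not code from CAS or from the original post: it parses an IdP metadata document, lists which SingleSignOnService and SingleLogoutService endpoints are advertised per binding, and reports the expected ones that are absent. The metadata below is constructed so that the HTTP-Redirect SLO endpoint is missing; the entityID, the locations and the EXPECTED list are assumptions. It covers the standard SSO/SLO metadata elements only (an unsolicited-SSO endpoint has no metadata element of its own). An SP whose own metadata says it sends LogoutRequest over HTTP-Redirect will have no IdP endpoint to send it to while that entry is absent, which is the practical consequence of the gap in the template.

```python
"""Added example (not CAS code): list the SSO/SLO endpoints an IdP metadata
document advertises and report which expected ones are missing.
SAMPLE_METADATA is constructed for illustration; it is neither CAS's generated
file nor its template."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample: POST SLO plus POST and Redirect SSO are advertised,
# so the Redirect SLO endpoint is the one missing.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cas.example.edu/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cas.example.edu/idp/profile/SAML2/POST/SLO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cas.example.edu/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://cas.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Assumed set of endpoints an SP integration typically relies on.
EXPECTED = [
    ("SingleSignOnService", "HTTP-POST"),
    ("SingleSignOnService", "HTTP-Redirect"),
    ("SingleLogoutService", "HTTP-POST"),
    ("SingleLogoutService", "HTTP-Redirect"),
]


def endpoints(metadata_xml):
    """Return {(service, binding): location} for every SSO/SLO endpoint
    found in the IDPSSODescriptor(s) of the given metadata."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for idp in root.findall(".//md:IDPSSODescriptor", NS):
        for service in ("SingleSignOnService", "SingleLogoutService"):
            for el in idp.findall(f"md:{service}", NS):
                binding = el.get("Binding", "").replace(BINDING_PREFIX, "")
                found[(service, binding)] = el.get("Location")
    return found


def missing_endpoints(metadata_xml, expected):
    """Return the (service, binding) pairs from `expected` that the
    metadata does not advertise, in the order they were expected."""
    present = endpoints(metadata_xml)
    return [pair for pair in expected if pair not in present]


if __name__ == "__main__":
    # Replace SAMPLE_METADATA with the contents of your generated idp-metadata.xml
    for (service, binding), location in sorted(endpoints(SAMPLE_METADATA).items()):
        print(f"{service:22} {binding:14} {location}")
    for service, binding in missing_endpoints(SAMPLE_METADATA, EXPECTED):
        print(f"MISSING: {service} with {binding} binding")
```

On the sample above the script prints the three advertised endpoints and then flags the HTTP-Redirect SingleLogoutService as missing.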

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/745ccb2e-4119-4578-a3b7-c8df58ca32aa%40apereo.org.


[cas-user] Re: lose service parameter when incorrect credential entered

2019-02-06 Thread Colin Wilkinson
Hi Yan,

As Ray correctly pointed out, the XML webflow defined is a basic starting 
point; if you search through the code you will find a lot of classes extending 
Cas*Webflow*Configurer, 
including the DefaultLoginWebflowConfigurer.

During our upgrade from I noticed the same issue, that at times the service 
parameter was going missing, but the page worked fine as long as I did NOT 
do a refresh. From my investigation the service parameter is stored upon 
entry into CAS, and as long as the page is not force-refreshed by the user 
without the service parameter then CAS should work fine.

During my investigation I found the following redirect,


They redirect without the query parameters. There is also a redirectToLogin 
as well.


Given that you have entered invalid credentials, it's more than likely 
going down the "" code path and not even hitting your code.


Regards,
Colin

On Thursday, 7 February 2019 05:00:05 UTC+11, Yan Zhou wrote:
>
> Hi there,
>
> I extended CAS 5.3.4.  The app. redirects to CAS login page with service 
> parameter.
>
> When I type incorrect credential, I saw the invalid credential message, 
> but I lost service parameter, the screen refreshes to have only the CAS url.
>
> What could be missing in my code?
>
> Thx!
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/90d3d5d5-e32f-4cdd-a817-083cea2d689f%40apereo.org.


Re: [cas-user] Re: CAS 5.3.x PAC4J

2018-09-25 Thread Colin Wilkinson
Regarding authentication, I have asked a separate question to see if what I 
want to do is possible.

On Wednesday, 26 September 2018 08:14:00 UTC+10, Colin Wilkinson wrote:
>
> Hi Jérôme,
>
> I am not 100% sure if it may be an edge bug with CAS server itself. 
> Basically it's an issue when serialising the session; there is no problem 
> when executing code, only when trying to serialise the session, and that made 
> the problem hard to track. Basically I had two beans that were session 
> scoped and proxy class targeted, and the serialisation did not like one of 
> those session scopes.
>
> The first session bean is about user information that is required to enable 
> talking between our Enterprise Service Bus (ESB) and our systems. We 
> configure this once and store it in the session. This bean is still stored in 
> the session.
>
> The second session bean used to do a lot more than it does now and has been 
> reconfigured. Now it only configures the User Information and no longer 
> needs to be stored in the session. The second session bean also stores a 
> reference to the first session bean and I think that is where the problem 
> lies.
>
> These beans are located in a services module that is used across multiple 
> projects without a problem.
>
> I think there may be a problem with CAS regarding authentication handlers. 
> I initially tried to add an additional authentication handler that ran after 
> the main ClientAuthenticationHandler; it did not fire. I will do some 
> testing today now that CAS is functioning and get back to you if there is a 
> problem.
>
> I have set cas.authn.policy.all.enabled=true as well.
>
> Regards,
> Colin
>

[cas-user] CAS Authentication Handlers

2018-09-25 Thread Colin Wilkinson
Hi,

I am wondering if it's possible to have multiple authentication handlers run 
for the same credential type. Take "ClientCredential" for instance: I am 
trying to have multiple authentication handlers run. I am trying to leave 
your default ClientAuthenticationHandler as is and have a second authentication 
handler that maps the client email to our staff and student IDs; if no mapping 
is found then proceed to a registration screen.

My custom authentication handler is named 
"VicUniClientToLoginIdAuthenticationHandler" for instance, added for 
discussion purposes.

The problem I have is that if I have 
VicUniClientToLoginIdAuthenticationHandler set to run prior to 
ClientAuthenticationHandler and it fails, the failure is registered, but the 
moment ClientAuthenticationHandler succeeds then the failure is simply 
ignored and the success flow is triggered.

But if I have the ClientAuthenticationHandler set to go first and it succeeds 
then VicUniClientToLoginIdAuthenticationHandler is never called.

Is this possible and how?

Regards,
Colin
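A model of the masking behaviour described in this post, added as an example and not CAS code: two handlers that both support one credential type, run under an "any handler succeeds" policy and under an "all handlers must succeed" policy (the latter being what the cas.authn.policy.all.enabled setting Colin mentions elsewhere in this thread asks for). Under the "any" policy a failed mapping handler is simply ignored once the provider-facing handler succeeds; under "all" the login is rejected. The handler names, the ClientCredential class and the DIRECTORY map are constructed for illustration, and the model deliberately runs every handler rather than reproducing any short-circuiting that a real handler chain may do.

```python
"""Added example (not CAS code): how an authentication policy decides the
outcome when several handlers support the same credential, showing that an
"any" policy masks a failed handler while an "all" policy does not.
Handler names, credential class and directory map are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class ClientCredential:
    """Constructed stand-in for a delegated-login credential: the email the
    external provider asserted for the user."""
    email: str


@dataclass
class Result:
    handler: str
    success: bool
    principal: Optional[str] = None
    reason: Optional[str] = None


# Constructed directory: which external emails map to institutional IDs.
DIRECTORY = {"alice@example.edu": "s1234567"}


def client_handler(cred: ClientCredential) -> Result:
    """Stand-in for the provider-facing handler: the provider already vouched
    for the email, so this handler succeeds with the email as principal."""
    return Result("client", True, principal=cred.email)


def mapping_handler(cred: ClientCredential) -> Result:
    """Stand-in for a custom handler that maps the email to a staff/student ID
    and fails when there is no mapping (the registration case in the post)."""
    login_id = DIRECTORY.get(cred.email)
    if login_id is None:
        return Result("mapping", False, reason="no account mapped to email")
    return Result("mapping", True, principal=login_id)


Handler = Callable[[ClientCredential], Result]


def authenticate(cred: ClientCredential, handlers: List[Handler],
                 policy: str) -> Tuple[bool, List[Result]]:
    """Run every handler that supports the credential and let the policy decide.

    policy == "any": success if at least one handler succeeded; failures of
                     the others are ignored (the masking described above).
    policy == "all": success only if every handler succeeded.
    Returns (authenticated, results) so the caller can see why."""
    results = [h(cred) for h in handlers]
    if policy == "any":
        ok = any(r.success for r in results)
    elif policy == "all":
        ok = all(r.success for r in results)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return ok, results


if __name__ == "__main__":
    unknown = ClientCredential("mallory@example.org")  # no directory mapping
    for policy in ("any", "all"):
        ok, results = authenticate(unknown, [mapping_handler, client_handler], policy)
        print(policy, "->", "AUTHENTICATED" if ok else "REJECTED",
              [(r.handler, r.success, r.reason) for r in results])
```

Running it shows the unmapped email authenticated under "any" despite the mapping handler's failure, and rejected under "all"; the per-handler results are returned so a caller can route the "no mapping" failure to a registration step instead of discarding it.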

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/74cb78f4-6b2d-4b89-987c-b19f337b77fb%40apereo.org.


Re: [cas-user] Re: CAS 5.3.x PAC4J

2018-09-25 Thread Colin Wilkinson
Hi Jérôme,

I am not 100% sure if it may be an edge bug with CAS server itself. 
Basically it's an issue when serialising the session; there is no problem 
when executing code, only when trying to serialise the session, and that made 
the problem hard to track. Basically I had two beans that were session 
scoped and proxy class targeted, and the serialisation did not like one of 
those session scopes.

The first session bean is about user information that is required to enable 
talking between our Enterprise Service Bus (ESB) and our systems. We 
configure this once and store it in the session. This bean is still stored in 
the session.

The second session bean used to do a lot more than it does now and has been 
reconfigured. Now it only configures the User Information and no longer 
needs to be stored in the session. The second session bean also stores a 
reference to the first session bean and I think that is where the problem 
lies.

These beans are located in a services module that is used across multiple 
projects without a problem.

I think there may be a problem with CAS regarding authentication handlers. I 
initially tried to add an additional authentication handler that ran after the 
main ClientAuthenticationHandler; it did not fire. I will do some testing 
today now that CAS is functioning and get back to you if there is a problem.

I have set cas.authn.policy.all.enabled=true as well.

Regards,
Colin

On Tuesday, 25 September 2018 18:05:09 UTC+10, leleuj wrote:
>
> Hi,
>
> Was it a bug on your customization or something from the CAS server itself?
> Thanks.
> Best regards,
> Jérôme
>
>

Re: [cas-user] Re: AUP and X509 authentication

2018-09-24 Thread Colin Wilkinson
Hi,

I had to do something similar for the Password Management and did not want 
to recreate everything. So the solution I came up with was to remove the 
passwordManagementWebflowConfigurer from the execution plan, set its 
order to one before my configurer and re-add the 
passwordManagementWebflowConfigurer.

It's a serious issue and a pain that you cannot set a definite order for items 
like these CasWebflowConfigurers that actually rely on the order to execute. 
This needs to be able to be configured.

I hope this helps.

import org.apereo.cas.pm.web.flow.PasswordManagementWebflowConfigurer;
import org.apereo.cas.web.flow.CasWebflowConfigurer;
import org.apereo.cas.web.flow.CasWebflowExecutionPlan;
import org.springframework.aop.framework.Advised;
import org.springframework.aop.support.AopUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.core.Ordered;

    @Autowired
    @Qualifier("passwordManagementWebflowConfigurer")
    private CasWebflowConfigurer passwordManagementWebflowConfigurer;

    @Override
    public void configureWebflowExecutionPlan(final CasWebflowExecutionPlan plan) {
        // Drop the stock password-management configurer from the plan so it can be
        // re-registered below with an explicit order.
        plan.getWebflowConfigurers().removeIf(casWebflowConfigurer ->
            casWebflowConfigurer.getName().equals(passwordManagementWebflowConfigurer.getName()));
        final int order = Ordered.LOWEST_PRECEDENCE - 100;

        try {
            // The injected bean may be a JDK proxy; unwrap it to reach the concrete
            // configurer that exposes setOrder().
            if (AopUtils.isJdkDynamicProxy(passwordManagementWebflowConfigurer)) {
                ((PasswordManagementWebflowConfigurer) ((Advised) passwordManagementWebflowConfigurer)
                    .getTargetSource().getTarget()).setOrder(order);
            } else {
                ((PasswordManagementWebflowConfigurer) passwordManagementWebflowConfigurer).setOrder(order);
            }
        } catch (final Exception exception) {
            LOGGER.error("The following error occurred during reconfigure of startup sequence.", exception);
        }

        // Re-register the stock configurer, now ordered ahead of our own
        // reconfigurer (a bean method of this configuration class, not shown here).
        plan.registerWebflowConfigurer(passwordManagementWebflowConfigurer);
        plan.registerWebflowConfigurer(vicUniPasswordManagementWebflowReconfigurer());
    }



On Tuesday, 25 September 2018 12:49:25 UTC+10, Andy Ng wrote:
>
> Hi Curtis,
>
> Ah I missed to mention something, 
>
> when you tries to override a Bean inside a Configuration file, whether or 
> not is actually override success depends on the load sequence. Which one 
> load last will be the actual bean to be used.
> See: 
> https://stackoverflow.com/questions/11833804/overriding-bean-configuration-in-spring
>
> To make sure your defined bean takes effect, you might need to use the 
> @Import notation.
>
> So you could try out the following:
>
> ===
> @Configuration("myDomainX509AuthenticationWebflowConfiguration ")
> @EnableConfigurationProperties(CasConfigurationProperties.class)
> @Slf4j
> @Import(X509AuthenticationWebflowConfiguration.class)
> public class MyDomainX509AuthenticationWebflowConfiguration implements 
> CasWebflowExecutionPlanConfigurer {
>
> ..
>
>
>
>
> ===
>
> If this still doens't work, then maybe you might needs to stick to your 
> solution then...
>
> Cheers!
> - Andy
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5ce66094-a752-4add-a7f6-e650b52d5466%40apereo.org.


[cas-user] Re: CAS 5.3.x PAC4J

2018-09-24 Thread Colin Wilkinson
Hi,

I have worked out what the issue was. It was one of the session scoped beans 
being loaded after the initial request that was causing the issue.

Regards,

On Monday, 24 September 2018 15:59:52 UTC+10, Colin Wilkinson wrote:
>
> Hi,
>
> We at work are looking at implementing delegated authentication for 
> Facebook, Google, Twitter, etc. but there seems to be a weird issue with it. 
> A little bit of background: we have extended the delegated authentication as 
> we need to map the email associated with Facebook, for instance, back to a 
> staff or student account. If the email has no association then we navigate 
> to a registration screen in which the user inputs a user name and password; 
> otherwise it logs the staff or student in. If staff or students follow the 
> flow as designed then all works fine and there is no issue. If the staff or 
> student registers using the username and password provided, I trigger the 
> form authentication.
>
> The issue arises if the user does not navigate as expected: if, when they 
> get the registration screen, they realise they have clicked the wrong 
> client and decide to go back to the main login screen and choose the right 
> client, I am receiving
>
> org.springframework.web.util.NestedServletException: Handler dispatch 
> failed; nested exception is java.lang.OutOfMemoryError: Java heap space
>
>
> I am certain it's not the modifications I have made, as it's failing before 
> the call to redirect to the client has happened. The problem is in the 
> "DelegatedClientNavigationController" class with the following line; I placed 
> a debug statement preceding the call and a debug statement after the call.
>  
>
>  this.delegatedSessionCookieManager.store(webContext);
>
> The main dev CAS server is running 16 GB of RAM, as initially it was only 
> running 8 GB of RAM.
>  
> The possible steps to replicate the issue are as follows:
>
>1. Navigate to CAS
>2. Click Facebook (Authentication must fail)
>3. Redirected back to login screen (Upon redirecting back the PAC4J 
>clients list goes missing)
>4. Navigate back to CAS so that clients are there
>5. Click Facebook; you should get a heap space error.
>
> I have tried this with both 5.3.3 and 5.3.4-SNAPSHOT with no success.
>
> The dump statements were as follows:
>
> LOGGER.debug("PRIOR TO CALLING DELEGTED SESSION COOKIE MANAGER STORE");
> this.delegatedSessionCookieManager.store(webContext);
> LOGGER.debug("AFTER TO CALLING DELEGTED SESSION COOKIE MANAGER STORE");
>
>
> Attached are the success results and the heap space error results.
>
> I apologise if this does not make sense.
>
> Regards,
> Colin
>
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/cbf7bd25-bc0d-44b8-92dd-40b8e7d653c3%40apereo.org.


[cas-user] CAS 5.3.x PAC4J

2018-09-24 Thread Colin Wilkinson
Hi,

We at work are looking at implementing delegated authentication for 
Facebook, Google, Twitter, etc. but there seems to be a weird issue with it. 
A little bit of background: we have extended the delegated authentication as 
we need to map the email associated with Facebook, for instance, back to a 
staff or student account. If the email has no association then we navigate 
to a registration screen in which the user inputs a user name and password; 
otherwise it logs the staff or student in. If staff or students follow the 
flow as designed then all works fine and there is no issue. If the staff or 
student registers using the username and password provided, I trigger the 
form authentication.

The issue arises if the user does not navigate as expected: if, when they 
get the registration screen, they realise they have clicked the wrong 
client and decide to go back to the main login screen and choose the right 
client, I am receiving

org.springframework.web.util.NestedServletException: Handler dispatch failed; nested exception is java.lang.OutOfMemoryError: Java heap space


I am certain it's not the modifications I have made, as it's failing before 
the call to redirect to the client has happened. The problem is in the 
"DelegatedClientNavigationController" class with the following line; I placed 
a debug statement preceding the call and a debug statement after the call.
 

 this.delegatedSessionCookieManager.store(webContext);

The main dev CAS server is running 16 GB of RAM, as initially it was only 
running 8 GB of RAM.
 
The possible steps to replicate the issue are as follows:

   1. Navigate to CAS
   2. Click Facebook (Authentication must fail)
   3. Redirected back to login screen (Upon redirecting back the PAC4J clients 
   list goes missing)
   4. Navigate back to CAS so that clients are there
   5. Click Facebook; you should get a heap space error.

I have tried this with both 5.3.3 and 5.3.4-SNAPSHOT with no success.

The dump statements were as follows:

LOGGER.debug("PRIOR TO CALLING DELEGTED SESSION COOKIE MANAGER STORE");
this.delegatedSessionCookieManager.store(webContext);
LOGGER.debug("AFTER TO CALLING DELEGTED SESSION COOKIE MANAGER STORE");


Attached are the success results and the heap space error results.

I apologise if this does not make sense.

Regards,
Colin


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4be9ed0d-6142-4fd6-8b35-f6ab33901824%40apereo.org.
2018-09-24 15:17:45,815 DEBUG 
[org.apereo.cas.web.DelegatedClientNavigationController] - 
2018-09-24 15:17:45,924 DEBUG 
[org.apereo.cas.web.support.EncryptedCookieValueManager] - 
2018-09-24 15:17:45,931 DEBUG [org.apereo.cas.util.EncodingUtils] - 
2018-09-24 15:17:46,000 DEBUG 
[org.apereo.cas.web.support.CookieRetrievingCookieGenerator] - 
2018-09-24 15:17:46,003 DEBUG 
[org.apereo.cas.web.pac4j.SessionStoreCookieGenerator] - 
2018-09-24 15:17:46,003 DEBUG 
[org.apereo.cas.web.DelegatedClientNavigationController] - 


18-09-24 15:19:09,299 DEBUG 
[org.apereo.cas.web.DelegatedClientNavigationController] - 
2018-09-24 15:20:10,649 DEBUG 
[org.apereo.cas.web.FlowExecutionExceptionResolver] - 
org.springframework.web.util.NestedServletException: Handler dispatch failed; nested exception is java.lang.OutOfMemoryError: Java heap space
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:982) ~[spring-webmvc-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901) ~[spring-webmvc-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970) ~[spring-webmvc-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861) ~[spring-webmvc-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:635) ~[tomcat85-servlet-3.1-api.jar:?]
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846) ~[spring-webmvc-4.3.18.RELEASE.jar:4.3.18.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) ~[tomcat85-servlet-3.1-api.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[catalina.jar:8.5.31]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:8.5.31]
at 

[cas-user] Re: [Cas 5.1.8] Unable to connect to Database for authentication.

2018-08-21 Thread Colin Wilkinson
As Andy Ng has already stated, you need to include the database driver. 
Oracle has its own Maven repository; all you need to use it is logon 
credentials. Just be careful: Oracle includes a lot of dependencies 
that are not required and actually cause problems. Specifically exclude 
"com.oracle.jdbc.xmlparserv2"; it complains about a missing dependency.

Oracle maven repository 


On Wednesday, 22 August 2018 01:49:46 UTC+10, Ranga Nadha wrote:
>
> Hi Everyone,
>
> We are using CAS 5.1.8 and I am trying to connect to the database for 
> authentication purposes.
>
> I have followed the below procedure but I am getting exceptions.
>
>
>- Downloaded the CAS 5.1.8
>- Modify POM.xml with the following dependency
>
> 
>  org.apereo.cas
>  cas-server-support-jdbc
>  ${cas.version}
>  
>  
>  log4j-slf4j-impl
>  
>  
>  org.codehaus.groovy
>  groovy-jsr223
>  
>   
> 
> 
>  org.apereo.cas
>  cas-server-support-jdbc-drivers
>  ${cas.version}
> 
> 
>  org.apereo.cas
>  cas-server-support-jdbc-authentication
>  ${cas.version}
> 
>
>- Build cas project using mvn clean install.
>- Take the war file and deploy in tomcat.
>- In the extracted cas war.
>- Go to Tomcat/webapps/cas/WEB-INF/classes/appliation.properties and 
>add the below properties.
>
> cas.authn.jdbc.query[0].sql=SELECT * FROM USERS WHERE USER_ID=?
> cas.authn.jdbc.query[0].url=jdbc:oracle:thin:@xxx..local:1521:db12c
> cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.Oracle12cDialect
> cas.authn.jdbc.query[0].user=
> cas.authn.jdbc.query[0].password=
> cas.authn.jdbc.query[0].driverClass=oracle.jdbc.OracleDriver
> cas.authn.jdbc.query[0].fieldPassword=PASSWORD
> cas.authn.jdbc.query[0].passwordEncoder.type=DEFAULT
> cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=UTF-8
> cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=SHA1
> cas.authn.jdbc.query[0].passwordEncoder.secret=
> cas.authn.jdbc.query[0].passwordEncoder.strength=16
>
>
> cas.authn.accept.users=
> logging.level.org.apereo=DEBUG
>
> *I am getting the below error*
>
> 2018-08-21 21:00:02,828 DEBUG 
> [org.apereo.cas.adaptors.jdbc.config.CasJdbcAuthenticationConfiguration] - 
>  me, sn=sn, cn=commonName}] for 
> [jdbc:oracle:thin:@..local:1521:dev12c]...>
> 2018-08-21 21:00:02,870 ERROR [com.zaxxer.hikari.HikariConfig] -  to load class of driverClassName oracle.jdbc.OracleDriver in HikariConfig 
> class classloader
> ParallelWebappClassLoader
>   context: cas
>   delegate: false
> --> Parent Classloader:
> java.net.URLClassLoader@13221655
> >
> 2018-08-21 21:00:02,870 ERROR [org.apereo.cas.configuration.support.Beans] 
> -  [oracle.jdbc.Oracle
> Driver] in either of HikariConfig class loader or Thread context 
> classloader]>
>
> Can any one help to resolve this issue.
>
> Thanks in advance,
>
> Thanks,
> Pandu Ranga T.
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0e06b72e-10fd-4172-919c-0939683ca9b6%40apereo.org.


[cas-user] CAS Password Management webflow

2018-05-03 Thread Colin Wilkinson
Hi,

We are in the process of upgrading from 4.1.7; we are currently doing the 
development on 5.3.0-RC4. While trying to get an understanding of how your 
password management webflow configurer works, I created a Java class to 
be able to dump the flow to disk and noticed something really strange with 
the creation of the passwordChangeAction action state. It's getting created in 
the login flow as follows; as you can see it has multiple of the same 
transition items. If you are calling from the casMustChangePassView, then 
in this instance you will be redirected to casExpiredPassView from my 
understanding.

Regards,
Colin

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/cb7f2679-f3ff-4229-ba2e-c746e4cab89f%40apereo.org.


[cas-user] Using Eclipse

2017-10-29 Thread Colin Wilkinson
Hi,

This is just an F.Y.I. for any other person trying to import CAS into an 
Eclipse workspace.

CAS does *NOT* work with the Eclipse Gradle Buildship plugin, as by the 
looks of it it cannot configure the classpath properly and crashes on importing 
the CAS webapp modules. When you try and import CAS via Import -> 
"Gradle\Existing Gradle Project" it throws a "Path must include project and 
resource name: /resources" error.

I stumbled across your build process page, which enabled me to import all 
projects successfully without any errors.

The process I went through to import the projects is:

   1. Check out the project
   2. Navigate to the project
   3. Execute "./gradlew eclipse"
   4. Import the project into Eclipse using "General\Existing Projects into 
   Workspace"
   5. Then "Add Gradle Nature" from the "Configure" context menu of the 
   project

By the looks of it, native Gradle must configure the classpath differently or 
something.

Regards,
Colin

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b9bfb99d-457f-4568-ab25-ce9513ed056d%40apereo.org.


Re: [cas-user] CAS server in Angular JS + spring REST API architecture

2017-07-07 Thread Colin Wilkinson
Hi,

I am looking at integrating CAS with Angular, not AngularJS. I came across
this website during my travels and am unsure if it helps.

https://github.com/fedon/spring-cas-auth

Regards,
Colin

On Sat, Jul 8, 2017 at 2:17 AM, Filip Majernik 
wrote:

> I have a following architecture:
>
> 1.) CAS 5.1 authentication server
> 2.) Angular JS single page client which is accessing a REST API for the
> data
> 3.) Spring REST API
>
> I need to secure the REST API calls from the angular JS client. I.e. only
> authenticated users should be able to communicate with the REST API through
> the angular JS application.
>
> At the beginning, I thought I could solve this with an OAuth server
> support in CAS, but this would mean that every call to the REST API would
> require to check the access token against CAS if it is still valid.
>
> According to the documentation it should be possible to do this with proxy
> tickets. Is my assumption here correct? So it would work like this:
> 1.) The Angular JS application requests a PROXY GRANTING TICKET by
> providing the username/password to the CAS
> 2.) Then it calls any REST API method with this PGT
> 3.) The spring security in the REST API would request a proxy ticket with
> this PGT.
> 4.) All the subsequent calls to the REST API would be done with the PROXY
> TICKET and the REST API would not need to check the ticket validity against
> the CAS again.
>
> The only thing I do not understand here (coming from this
> http://docs.spring.io/spring-security/site/docs/3.1.6.
> RELEASE/reference/cas.html#cas-pt-client) is, that it requires to set the
> proxyReceptorUrl  . Does this mean that the proxy ticket cannot be
> obtained in some synchronous way, but rather it is sent to that URL?
>
> Thanks.
>
>

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CALva2jkFssivq0nqizfLhzCKdWo%3DhnBskyOBHN6_rSGDoehLqg%40mail.gmail.com.
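The proxy ticket exchange that the quoted question is asking about, as an added example that is not part of this thread or of the CAS project. It follows the CAS protocol: when a service calls /serviceValidate with a pgtUrl, the CAS server first makes an HTTPS callback to that URL carrying pgtIou and pgtId, and only then answers the validation with the IOU alone; the service has to join the two itself, which is exactly why Spring Security's proxyReceptorUrl exists and why the PGT cannot be fetched synchronously. The PGT is issued to that server-side callback, never to the browser, and is a bearer secret that should stay in the service's own store. Ticket values, URLs and the XML responses below are constructed for the example.

```python
"""Added example, not from the thread or from the CAS project: the proxy
ticket exchange as the CAS protocol defines it, including the out-of-band
callback that the proxyReceptorUrl setting exists for.  Ticket values,
URLs and XML responses are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


class ProxyReceptor:
    """The HTTPS endpoint a proxying service exposes as pgtUrl.

    CAS delivers the PGT here (pgtIou + pgtId) before it answers the
    /serviceValidate call; the validation response carries only the IOU.
    """

    def __init__(self):
        self._pending = {}

    def handle_callback(self, request_url):
        """Return the HTTP status the receptor answers with."""
        qs = parse_qs(urlparse(request_url).query)
        iou = qs.get("pgtIou", [None])[0]
        pgt = qs.get("pgtId", [None])[0]
        if iou is None or pgt is None:
            # CAS first probes pgtUrl without parameters; it must get a 2xx.
            return 200
        if not iou.startswith("PGTIOU-") or not pgt.startswith("PGT-"):
            return 400
        self._pending[iou] = pgt
        return 200

    def redeem(self, iou):
        """Map an IOU to its PGT exactly once."""
        return self._pending.pop(iou, None)


def parse_service_validate(xml_text):
    """Return (user, pgtIou-or-None) from a /serviceValidate response."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError("validation failed: %s" % failure.get("code"))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("malformed serviceResponse")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    iou = success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS)
    return user, iou


def parse_proxy_response(xml_text):
    """Return the proxy ticket from a /proxy response."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:proxyFailure", CAS_NS)
    if failure is not None:
        raise ValueError("proxy request failed: %s" % failure.get("code"))
    pt = root.findtext("cas:proxySuccess/cas:proxyTicket", namespaces=CAS_NS)
    if pt is None:
        raise ValueError("malformed proxy response")
    return pt


def run_exchange(receptor, callback_url, validate_xml, proxy_xml):
    """Walk the three messages in the order they happen on the wire."""
    if receptor.handle_callback(callback_url) != 200:
        raise ValueError("callback rejected")
    user, iou = parse_service_validate(validate_xml)
    pgt = receptor.redeem(iou) if iou else None
    if pgt is None:
        raise ValueError("no PGT was delivered for this validation")
    # The service would now GET /proxy?pgt=<pgt>&targetService=<api> and
    # hand the returned PT to the API, which checks it via /proxyValidate.
    pt = parse_proxy_response(proxy_xml)
    return {"user": user, "pgt": pgt, "proxy_ticket": pt}


# Constructed sample messages (not real tickets).
CALLBACK_URL = ("https://portal.example.org/proxyCallback"
                "?pgtIou=PGTIOU-84678-8a9d2sdf&pgtId=PGT-1856339-aA5Yuvrxzp")
VALIDATE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d2sdf</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
PROXY_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:proxySuccess>
    <cas:proxyTicket>PT-1856392-b98xZrQN4p90ASrw9K</cas:proxyTicket>
  </cas:proxySuccess>
</cas:serviceResponse>"""
```

The callback must be reachable by the CAS server over HTTPS with a certificate it trusts, since CAS will not deliver a PGT otherwise; that is the same constraint Spring Security's proxyReceptorUrl is subject to.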


Re: [cas-user] CAS 5 - SNPEGO with LDAP fallback

2017-06-03 Thread Colin Wilkinson
What we found is that Chrome does not have its own settings; it relies on the 
Internet Explorer settings.

Internet Explorer, unlike Firefox, has three settings.

Internet Explorer settings:
1. On and CAS server allowed.
2. On and CAS server not allowed. Note this is the default setting.
3. Turned off.

The issue is with 2: rather than going to the login page it brings up that box. If 
configured properly to be on or off, Internet Explorer works fine and so does 
Chrome.

The only way we were able to overcome this problem was to have the main button 
go to the login page and have a link below the button that enables SPNEGO.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/22039670-73b4-4bb3-b1fe-98b853e138ab%40apereo.org.
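The arrangement described above (form login by default, a link that opts into SPNEGO), written out server-side as an added example that is not from this thread or from CAS. The "box" is the browser's credential prompt in answer to a 401 Negotiate challenge, so the only way a server avoids it for browsers in the "on, site not allowed" state is to not challenge unless the user asked for it. The code also tells NTLM, SPNEGO and raw Kerberos tokens apart by their leading bytes, which is what a `NTLMallowed` style switch has to decide on; NTLM is the weaker mechanism and leaving it off is the safer default. The opt-in parameter name and the sample token bytes are assumptions for the example; accepting the Kerberos token itself (keytab, GSS) is out of scope here.

```python
"""Added example, not from the thread or from CAS: the server side of a
SPNEGO login with a form-login fallback.  Parameter name and token bytes
are constructed for the example."""
import base64

SPNEGO_PARAM = "spnego"                                  # assumed opt-in parameter
SPNEGO_OID = b"\x2b\x06\x01\x05\x05\x02"                 # 1.3.6.1.5.5.2
KRB5_OID = b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"       # 1.2.840.113554.1.2.2


def classify_token(raw):
    """Tell NTLM, SPNEGO and raw Kerberos 5 tokens apart by their prefix."""
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    if raw[:1] == b"\x60":                               # GSS InitialContextToken
        head = raw[:24]
        if b"\x06\x06" + SPNEGO_OID in head:
            return "spnego"
        if b"\x06\x09" + KRB5_OID in head:
            return "kerberos"
    return "unknown"


def negotiate_header(raw):
    """Build the Authorization value a browser sends for a token."""
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


def dispatch(headers, query, ntlm_allowed=False):
    """Decide what the login endpoint does with one request."""
    if SPNEGO_PARAM not in query:
        # Main button: never challenge, never trigger the browser prompt.
        return {"action": "form", "status": 200}
    auth = headers.get("Authorization")
    if auth is None:
        # Browsers set to "on, site allowed" answer this silently; the
        # "on, site not allowed" setting is what turns it into a prompt.
        return {"action": "challenge", "status": 401,
                "headers": {"WWW-Authenticate": "Negotiate"}}
    scheme, _, b64 = auth.partition(" ")
    if scheme != "Negotiate":
        return {"action": "form", "status": 200}
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return {"action": "form", "status": 200}
    mech = classify_token(raw)
    if mech in ("spnego", "kerberos"):
        return {"action": "gss-accept", "status": 200, "mechanism": mech, "token": raw}
    if mech == "ntlm" and ntlm_allowed:
        return {"action": "ntlm-accept", "status": 200, "mechanism": mech, "token": raw}
    # NTLM while disallowed, or an unrecognised blob: fall back to the form
    # rather than locking the user out.
    return {"action": "form", "status": 200, "mechanism": mech}


# Constructed sample tokens (prefixes only, not real negotiation data).
SAMPLE_NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2"
SAMPLE_SPNEGO = b"\x60\x0e\x06\x06" + SPNEGO_OID + b"\xa0\x06\x30\x04\xa0\x02"
```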


[cas-user] Re: CAS Ticket Issue

2016-12-13 Thread Colin Wilkinson
Our issue turns out to be related to the F5 overriding the remoteAddr with 
another value; once we set the remoteAddr back to the original value 
using Tomcat all is good.

Related CAS issue. 
<https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/R4WVT4Tq0g8>

Related tomcat page 
<https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html>

On Tuesday, 13 December 2016 07:31:19 UTC+11, Colin Wilkinson wrote:
>
> Hi,
>
> We seem to have a strange problem every now and then. When people are 
> already signed into the Portal and click another link that uses CAS, at 
> times they are being asked to sign in again, but other times it works just fine.
>
> Has anyone seen this problem and is able to help? This is only happening in 
> production from what we can tell.
>
> Our CAS environment is
> CAS 4.1.7
> With SPNEGO set to mix mode on, so that it redirects to the login page if 
> not able to SSO.
> Apache HTTP 2.2
> Apache Tomcat 8.0.33
>
> Regards,
> Colin
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8552691c-d154-4585-86b7-5cb92e42b9d6%40apereo.org.
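The fix above is what Tomcat's RemoteIpValve does (`org.apache.catalina.valves.RemoteIpValve`, with `internalProxies` as a regex over the load balancer's addresses and `remoteIpHeader` naming the header the F5 inserts). The added example below, not from the thread or from Tomcat, writes that evaluation out so the trust boundary is visible: the header is only honoured when the TCP peer is a known proxy, and it is read from the right, so an address a client puts into X-Forwarded-For itself is discarded. That matters beyond ticket binding, because any IP-range check in the login flow and every audit record keyed on client address trusts this value. The proxy range and addresses are constructed.

```python
"""Added example, not from the thread or from Tomcat: the right-to-left
X-Forwarded-For walk that RemoteIpValve performs.  The proxy range and
all addresses are constructed for the example."""
import ipaddress

# Assumed for the example: the range the F5 uses towards Tomcat.
INTERNAL_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def is_internal(addr, proxies=INTERNAL_PROXIES):
    """True when addr belongs to a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in proxies)


def resolve_client_ip(remote_addr, xff_header, proxies=INTERNAL_PROXIES):
    """Return (client_ip, proxy_chain).

    Only a request whose TCP peer is a trusted proxy gets its header
    honoured.  Hops are peeled off from the right; the first address that
    is not a trusted proxy is the client, and anything further left was
    supplied by that client and is ignored.
    """
    if not is_internal(remote_addr, proxies):
        # Direct connection (or an untrusted hop): the header is attacker data.
        return remote_addr, []
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    chain = [remote_addr]
    while hops:
        candidate = hops.pop()            # rightmost = added by nearest proxy
        if is_internal(candidate, proxies):
            chain.append(candidate)
            continue
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            # Garbage in the header: keep the proxy address rather than
            # trusting an unparsable value.
            return remote_addr, chain
        return candidate, chain
    # Header exhausted without a client address: keep the peer address.
    return remote_addr, chain


def demo():
    """The four cases worth checking after putting a valve in front of CAS."""
    return {
        "via_f5": resolve_client_ip("10.0.0.5", "203.0.113.7"),
        "direct_spoof": resolve_client_ip("198.51.100.9", "10.0.0.1"),
        "spoof_via_f5": resolve_client_ip("10.0.0.5", "203.0.113.7, 198.51.100.9"),
        "two_hops": resolve_client_ip("10.0.0.5", "203.0.113.7, 10.0.0.6"),
    }
```

The "spoof_via_f5" case is the one to keep in mind: the F5 appends the real peer address to whatever the client already sent, so reading from the right yields 198.51.100.9 and the forged 203.0.113.7 is never used.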


[cas-user] Re: CAS 4.2.2 Distributed Issue - NullPointerException - Unable to correctly extract the Initialization Vector

2016-12-11 Thread Colin Wilkinson
We are getting the same issue in production. Did you manage to solve this?

On Wednesday, 23 November 2016 17:18:34 UTC+11, liu chenghai wrote:
>
> I have the same problem and don't resolve
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1076d175-4bb0-43e5-b1bb-0e88701f7a34%40apereo.org.


[cas-user] Re: CAS 4.1.9 error, Unable to correctly extract the Initialization Vector or ciphertext

2016-12-11 Thread Colin Wilkinson
We are getting the same issue in production. Did you manage to solve this?

On Tuesday, 30 August 2016 02:48:45 UTC+10, Yan Zhou wrote:
>
> Hi there,
>
> Running CAS 4.1.9 overlay, intermittently seeing this error repeatedly. 
>  Any idea what could be wrong?
>
> Thanks,
> Yan
>
>
> this is my host.name in cas.properties.
>
> host.name=qacas01.qa.medplus.com
>
>
> 2016-08-29 14:23:34,871 ERROR [org.jasig.cas.util.BinaryCipherExecutor] - 
> Unable to correctly extract the Initialization Vector or ciphertext.
> org.apache.shiro.crypto.CryptoException: Unable to correctly extract the 
> Initialization Vector or ciphertext.
> at 
> org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:378)
> at 
> org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:120)
> at 
> org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:42)
> at 
> org.jasig.cas.web.flow.CasWebflowCipherBean.decrypt(CasWebflowCipherBean.java:58)
> at 
> org.jasig.spring.webflow.plugin.EncryptedTranscoder.decode(EncryptedTranscoder.java:105)
> at 
> org.jasig.spring.webflow.plugin.ClientFlowExecutionRepository.getFlowExecution(ClientFlowExecutionRepository.java:90)
> at 
> org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:168)
> at 
> org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:228)
> at 
> org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
> at 
> org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
> at 
> org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967)
> at 
> org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869)
> at javax.servlet.http.HttpServlet.service(Unknown Source)
> at 
> org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843)
> at javax.servlet.http.HttpServlet.service(Unknown Source)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown 
> Source)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
> at org.apache.tomcat.websocket.server.WsFilter.doFilter(Unknown 
> Source)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown 
> Source)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
> at org.apache.catalina.filters.CorsFilter.handleSimpleCORS(Unknown 
> Source)
> at org.apache.catalina.filters.CorsFilter.doFilter(Unknown Source)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown 
> Source)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
> at 
> org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:250)
> at 
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
> at 
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown 
> Source)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
> at 
> org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown 
> Source)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
> at 
> org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
> at 
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
> at 
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
> at 
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown 
> Source)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
> at org.apache.catalina.core.StandardWrapperValve.invoke(Unknown 
> Source)
> at org.apache.catalina.core.StandardContextValve.invoke(Unknown 
> Source)
> at 
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(Unknown Source)
> at org.apache.catalina.core.StandardHostValve.invoke(Unknown 
> Source)
> at org.apache.catalina.valves.ErrorReportValve.invoke(Unknown 
> Source)
> at org.apache.catalina.valves.AccessLogValve.invoke(Unknown Source)
> at 

Re: [cas-user] Re: CAS and Windows 10

2016-12-05 Thread Colin Wilkinson
Hi Kartik,

Greatly appreciated. There is an issue with the top.jsp page that gets imported 
into casLoginView.jsp. We have a custom JavaScript file being imported that 
is working fine in DEV, but in all other regions it is not coming through 
correctly.

In DEV it shows up as


In TEST, UAT and PROD


As you can clearly see there has been injection of the jsessionid. The 
jsessionid also appears on the "standard.custom.css.file". I have tweaked 
our settings: rather than passing the directory location, pass the directory 
location and file, so that the jsessionid appears at the end at least.

On Tuesday, 6 December 2016 07:23:38 UTC+11, Colin Wilkinson wrote:
>
> Hi Kartik,
>
> Thanks for the help information. We have noticed the dev server is working 
> correctly, but test, UAT and prod are working incorrectly. Maybe something 
> is missing.
>
> Regards,
> Colin
>
> On Tuesday, 6 December 2016 01:51:53 UTC+11, Kartik Mehta wrote:
>>
>> I recently faced the same issue, and traced it to our customized 
>> casLoginView.jsp. It had an img tag pointing to a non-existent image file. 
>> This caused the image tag to reload the page (similar to what is pointed 
>> out here - 
>> https://www.bennadel.com/blog/2236-empty-src-and-url-values-can-cause-duplicate-page-requests.htm
>>  
>> )
>> Any chance of a missing image file in your Windows 10 environment, in 
>> case you have customized casLoginView.jsp (or any of the jsps it includes)
>>
>> On Mon, Dec 5, 2016 at 2:01 AM, Colin Wilkinson <wilc...@gmail.com> 
>> wrote:
>>
> >>> There are some customisations to the login flow, but we stripped the 
> >>> login flow back to what is working in production and noticed it was running 
> >>> the login flow effectively twice. The second run is a problem because 
> >>> the URL does not include any of the query parameters.
>>>
>>> The login has been customised with the following customisations
>>>
>>>1. Enabled CAS Spnego
>>>2. Enable IP based range check
>>>3. Added a query parameter filter check to force to login page if 
>>>provided. A second button has been added to the uPortal page to provide 
>>>this parameter. Currently for students spnego is not enabled.
>>>
> >>> As stated, this is only an issue with connections coming from Windows 10. 
> >>> We have been using this setup throughout our development, testing and UAT 
> >>> environments with Windows 7 without any hassles.
>>>
>>> CAS software version CAS 4.1.7
>>>
> >>> Browser versions are the following, and all do the same thing:
>>> Internet Explorer 11
>>> Edge 14
>>> Chrome 54
>>> Firefox 50.0.2
>>>
>>> On Sunday, 4 December 2016 18:50:57 UTC+11, Jeffrey Wong wrote:
>>>>
>>>> Probably best to also note your browser version(s), CAS version, and if 
>>>> you have any customizations. I've hit some really interesting things on 
>>>> IE, 
>>>> in which the login flow fails to execute if there's a malformed HTML 
>>>> element.
>>>>
>>>> On Saturday, December 3, 2016 at 11:22:41 PM UTC-8, Colin Wilkinson 
>>>> wrote:
>>>>>
>>>>> Guys,
>>>>>
> >>>>> We have had a strange problem that took us most of the week to realise 
> >>>>> that there looks to be a really weird issue with accessing CAS from a Windows 
> >>>>> 10 device. When accessing CAS from a Windows 10 device through a browser it 
> >>>>> executes the login flow twice. This means you lose all attributes, 
> >>>>> including service.
> >>>>>
> >>>>> The problem only exists when you open the browser fresh, with no other 
> >>>>> instances of the browser running. Once you have accessed CAS once, the flow 
> >>>>> works as expected and only runs once. From a fresh instance the flow runs 
> >>>>> twice.
> >>>>>
> >>>>> Has anyone else experienced this? From Windows 7 it works as expected.
>>>>>
>>>>> Regards,
>>>>> Colin
>>>>>
>>>> -- 
>>> - CAS gitter chatroom: https://gitter.im/apereo/cas
>>> - CAS mailing list guidelines: 
>>> https://apereo.github.io/cas/Mailing-Lists.html
>>> - CAS documentation website: https://apereo.github.io/cas
>>> - CAS project website: https://github.com/apereo/cas
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "CAS Community" group.
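Two things the messages above point at can be checked mechanically on the rendered login page: a resource tag with an empty src, which makes the browser request the page URL again and re-runs the flow without the original query string, and resource URLs rewritten with ;jsessionid=, which is what a servlet container does through response.encodeURL (JSTL's c:url included) when it has not yet seen the session cookie come back, in other words on a freshly opened browser. The jsessionid in a URL is also a session identifier in referrers and proxy logs, so beyond the double-request problem it is worth switching off: a `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` entry in web.xml stops URL rewriting on Servlet 3.0+ containers such as Tomcat 8. The audit below is an added example, not code from the thread or from CAS; the HTML it runs over is constructed.

```python
"""Added example, not from the thread or from CAS: audit a rendered login
page for empty resource src attributes and for session ids rewritten into
resource URLs.  The sample HTML is constructed."""
from html.parser import HTMLParser

# Which attribute each resource-loading tag fetches.
RESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}


class LoginPageAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.empty_src = []        # (tag, line)
        self.session_in_url = []   # (tag, line, url)

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        present = dict(attrs)
        if attr not in present:
            return                  # e.g. a <link> without href fetches nothing
        value = present[attr]
        line = self.getpos()[0]
        if value is None or not value.strip():
            # <img src> or <img src="">: browsers resolve this to the page URL.
            self.empty_src.append((tag, line))
        elif ";jsessionid=" in value.lower():
            self.session_in_url.append((tag, line, value))


def audit_html(html):
    """Return both finding lists for one page."""
    parser = LoginPageAudit()
    parser.feed(html)
    parser.close()
    return {"empty_src": parser.empty_src,
            "session_in_url": parser.session_in_url}


# Constructed sample: what a first response with URL rewriting can look like.
SAMPLE_LOGIN_PAGE = """<html><head>
<link rel="stylesheet" href="/cas/css/standard.custom.css;jsessionid=1A2B3C">
<script src="/cas/js/custom.js;jsessionid=1A2B3C"></script>
</head><body>
<img src="" alt="logo">
<img src="/cas/images/logo.png" alt="logo">
</body></html>"""
```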

Re: [cas-user] Re: CAS and Windows 10

2016-12-05 Thread Colin Wilkinson
Hi Kartik,

Thanks for the help information. We have noticed the dev server is working 
correctly, but test, UAT and prod are working incorrectly. Maybe something 
is missing.

Regards,
Colin

On Tuesday, 6 December 2016 01:51:53 UTC+11, Kartik Mehta wrote:
>
> I recently faced the same issue, and traced it to our customized 
> casLoginView.jsp. It had an img tag pointing to a non-existent image file. 
> This caused the image tag to reload the page (similar to what is pointed 
> out here - 
> https://www.bennadel.com/blog/2236-empty-src-and-url-values-can-cause-duplicate-page-requests.htm
>  
> )
> Any chance of a missing image file in your Windows 10 environment, in case 
> you have customized casLoginView.jsp (or any of the jsps it includes)
>
> On Mon, Dec 5, 2016 at 2:01 AM, Colin Wilkinson <wilc...@gmail.com 
> > wrote:
>
> >> There are some customisations to the login flow, but we stripped the login 
> >> flow back to what is working in production and noticed it was running the 
> >> login flow effectively twice. The second run is a problem because the 
> >> URL does not include any of the query parameters.
>>
>> The login has been customised with the following customisations
>>
>>1. Enabled CAS Spnego
>>2. Enable IP based range check
>>3. Added a query parameter filter check to force to login page if 
>>provided. A second button has been added to the uPortal page to provide 
>>this parameter. Currently for students spnego is not enabled.
>>
> >> As stated, this is only an issue with connections coming from Windows 10. 
> >> We have been using this setup throughout our development, testing and UAT 
> >> environments with Windows 7 without any hassles.
>>
>> CAS software version CAS 4.1.7
>>
> >> Browser versions are the following, and all do the same thing:
>> Internet Explorer 11
>> Edge 14
>> Chrome 54
>> Firefox 50.0.2
>>
>> On Sunday, 4 December 2016 18:50:57 UTC+11, Jeffrey Wong wrote:
>>>
>>> Probably best to also note your browser version(s), CAS version, and if 
>>> you have any customizations. I've hit some really interesting things on IE, 
>>> in which the login flow fails to execute if there's a malformed HTML 
>>> element.
>>>
>>> On Saturday, December 3, 2016 at 11:22:41 PM UTC-8, Colin Wilkinson 
>>> wrote:
>>>>
>>>> Guys,
>>>>
> >>>> We have had a strange problem that took us most of the week to realise 
> >>>> that there looks to be a really weird issue with accessing CAS from a Windows 
> >>>> 10 device. When accessing CAS from a Windows 10 device through a browser it 
> >>>> executes the login flow twice. This means you lose all attributes, 
> >>>> including service.
> >>>>
> >>>> The problem only exists when you open the browser fresh, with no other 
> >>>> instances of the browser running. Once you have accessed CAS once, the flow 
> >>>> works as expected and only runs once. From a fresh instance the flow runs 
> >>>> twice.
> >>>>
> >>>> Has anyone else experienced this? From Windows 7 it works as expected.
>>>>
>>>> Regards,
>>>> Colin
>>>>
>>> -- 
>> - CAS gitter chatroom: https://gitter.im/apereo/cas
>> - CAS mailing list guidelines: 
>> https://apereo.github.io/cas/Mailing-Lists.html
>> - CAS documentation website: https://apereo.github.io/cas
>> - CAS project website: https://github.com/apereo/cas
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+u...@apereo.org .
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/ae8f8950-e41f-486a-a3ff-dd49120e7a0d%40apereo.org
>>  
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/ae8f8950-e41f-486a-a3ff-dd49120e7a0d%40apereo.org?utm_medium=email_source=footer>
>> .
>>
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/af363b5b-3555-47c0-9900-5519cd38e934%40apereo.org.


[cas-user] Re: CAS and Windows 10

2016-12-04 Thread Colin Wilkinson
There are some customisations to the login flow, but we stripped the login 
flow back to what is working in production and noticed it was running the 
login flow effectively twice. The second run is a problem because the 
URL does not include any of the query parameters.

The login has been customised with the following customisations

   1. Enabled CAS Spnego
   2. Enable IP based range check
   3. Added a query parameter filter check to force to login page if 
   provided. A second button has been added to the uPortal page to provide 
   this parameter. Currently for students spnego is not enabled.

As stated, this is only an issue with connections coming from Windows 10. We 
have been using this setup throughout our development, testing and UAT 
environments with Windows 7 without any hassles.

CAS software version CAS 4.1.7

Browser versions are the following, and all do the same thing:
Internet Explorer 11
Edge 14
Chrome 54
Firefox 50.0.2

On Sunday, 4 December 2016 18:50:57 UTC+11, Jeffrey Wong wrote:
>
> Probably best to also note your browser version(s), CAS version, and if 
> you have any customizations. I've hit some really interesting things on IE, 
> in which the login flow fails to execute if there's a malformed HTML 
> element.
>
> On Saturday, December 3, 2016 at 11:22:41 PM UTC-8, Colin Wilkinson wrote:
>>
>> Guys,
>>
> >> We have had a strange problem that took us most of the week to realise 
> >> that there looks to be a really weird issue with accessing CAS from a Windows 10 
> >> device. When accessing CAS from a Windows 10 device through a browser it 
> >> executes the login flow twice. This means you lose all attributes, 
> >> including service.
> >>
> >> The problem only exists when you open the browser fresh, with no other 
> >> instances of the browser running. Once you have accessed CAS once, the flow 
> >> works as expected and only runs once. From a fresh instance the flow runs 
> >> twice.
> >>
> >> Has anyone else experienced this? From Windows 7 it works as expected.
>>
>> Regards,
>> Colin
>>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ae8f8950-e41f-486a-a3ff-dd49120e7a0d%40apereo.org.


[cas-user] CAS and Windows 10

2016-12-03 Thread Colin Wilkinson
Guys,

We have had a strange problem that took us most of the week to realise that 
there looks to be a really weird issue with accessing CAS from a Windows 10 
device. When accessing CAS from a Windows 10 device through a browser it 
executes the login flow twice. This means you lose all attributes, 
including service.

The problem only exists when you open the browser fresh, with no other 
instances of the browser running. Once you have accessed CAS once, the flow 
works as expected and only runs once. From a fresh instance the flow runs 
twice.

Has anyone else experienced this? From Windows 7 it works as expected.

Regards,
Colin

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/24341f83-1914-4cfb-8738-ac62547ef865%40apereo.org.


Re: [cas-user] CAS 4.1.7 and SPNEGO

2016-07-24 Thread Colin Wilkinson
I have managed to solve that issue by adding the following to the 
JCIFSConfig:

 p:jcifsDomain="devad.vu.edu.au"
  p:jcifsDomainController="devaddc1.devad.vu.edu.au"

Question: is the problem a domain issue?

As you can see from the above configuration, the domain controller 
information is:

Domain: devad.vu.edu.au

Domain Controller:  devaddc1.devad.vu.edu.au


But the CAS machine configuration is the following:

CAS Address:  devportalweb1.vu.edu.au

Domain: vu.edu.au


The machine will need to connect to the devad.vu.edu.au domain, correct?

On Monday, 25 July 2016 10:15:59 UTC+10, Colin Wilkinson wrote:
>
> Hi,
>
> No, that is the weirdest thing: the IP is the CAS machine's.
>
> CAS Machine ip address is XX.XX.XX.XX
> DEVADDC ip address is YY.YY.YY.YY
>
> The JCIFS config is as follows. I tried kerberosKdc with an IP address and 
> got the same results.
>
>
> class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig"
>   p:jcifsServicePrincipal="HTTP/
> devportalweb1.vu.edu...@devad.vu.edu.au"
>   p:kerberosDebug="true"
>   p:kerberosRealm="DEVAD.VU.EDU.AU"
>   
> p:kerberosConf="/var/lib/tomcat8/webapps/cas/WEB-INF/classes/vuProperties/caskrb5.conf"
>   p:kerberosKdc="devaddc1.devad.vu.edu.au"
>   
> p:loginConf="/var/lib/tomcat8/webapps/cas/WEB-INF/classes/vuProperties/login.conf"/>
>
> 
>
>
> class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler"
>   p:authentication-ref="spnegoAuthentication"
>   p:principalWithDomainName="false"
>   p:NTLMallowed="true" />
>
>
> class="org.jasig.cas.support.spnego.authentication.principal.SpnegoPrincipalResolver"
>  
> />
>
> caskrb5.conf is as follows,
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = DEVAD.VU.EDU.AU
>  default_keytab_name = 
> /usr/share/tomcat8/webapps/cas/WEB-INF/classes/vuProperties/svc_casadsso.keytab
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  default_tkt_enctypes = rc4-hmac
>  default_tgs_enctypes = rc4-hmac
>
> [realms]
>  DEVAD.VU.EDU.AU = {
>   kdc = devaddc1.devad.vu.edu.au:88
>  }
>
> [domain_realm]
>  .devad.vu.edu.au = DEVAD.VU.EDU.AU
>  devad.vu.edu.au = DEVAD.VU.EDU.AU
>
> On Friday, 22 July 2016 20:08:50 UTC+10, Stefan Paetow wrote:
>>
>> > 2016-07-22 14:22:03,728 DEBUG 
>> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
>> > authentication: jcifs.smb.SmbException: Failed to connect: 
>> JCIFS192_30_1C<00>/XX.XX.XX.XX 
>> > jcifs.util.transport.TransportException 
>> > java.net.ConnectException: Connection refused 
>>
>> Well, whose IP does the above failure to connect refer to? 
>> domaindc1.devad.cc.ee.aa? 
>>
>> Basically Java is trying to make an SMB connection to the KDC server (the 
>> domain controller) that is supposed to provide it with a ticket based on 
>> your credential and it's getting a connection refused. 
>>
>> Stefan Paetow 
>> Moonshot Industry & Research Liaison Coordinator 
>>
>> t: +44 (0)1235 822 125 
>> gpg: 0x3FCE5142 
>> xmpp: ste...@jabber.dev.ja.net 
>> skype: stefan.paetow.janet 
>>
>> jisc.ac.uk 
>>
>> Jisc is a registered charity (number 1149740) and a company limited by 
>> guarantee which is registered in England under Company No. 5747339, VAT No. 
>> GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, 
>> Bristol, BS2 0JA. T 0203 697 5800. 
>>
>>
>>
>>
>>

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To post to this group, send email to cas-user@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/514f0bdc-d8c5-42a1-8e14-f6c23fd9fbce%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.


Re: [cas-user] CAS 4.1.7 and SPNEGO

2016-07-24 Thread Colin Wilkinson
Hi,

No, that is the weirdest thing: the IP is the CAS machine's.

CAS Machine ip address is XX.XX.XX.XX
DEVADDC ip address is YY.YY.YY.YY

The JCIFS config is as follows. I tried kerberosKdc with an IP address and 
got the same results.

http://devad.vu.edu.au/>"
  
p:kerberosConf="/var/lib/tomcat8/webapps/cas/WEB-INF/classes/vuProperties/caskrb5.conf"
  p:kerberosKdc="devaddc1.devad.vu.edu.au"
  
p:loginConf="/var/lib/tomcat8/webapps/cas/WEB-INF/classes/vuProperties/login.conf"/>







caskrb5.conf is as follows,

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = DEVAD.VU.EDU.AU
 default_keytab_name = /usr/share/tomcat8/webapps/cas/WEB-INF/classes/vuProperties/svc_casadsso.keytab
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac

[realms]
 DEVAD.VU.EDU.AU = {
  kdc = devaddc1.devad.vu.edu.au:88
 }

[domain_realm]
 .devad.vu.edu.au = DEVAD.VU.EDU.AU
 devad.vu.edu.au = DEVAD.VU.EDU.AU

On Friday, 22 July 2016 20:08:50 UTC+10, Stefan Paetow wrote:
>
> > 2016-07-22 14:22:03,728 DEBUG 
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
>  authentication: jcifs.smb.SmbException: Failed to connect: 
> JCIFS192_30_1C<00>/XX.XX.XX.XX 
> > jcifs.util.transport.TransportException 
> > java.net.ConnectException: Connection refused 
>
> Well, who does the IP that the above failure to connect refer to? 
> domaindc1.devad.cc.ee.aa? 
>
> Basically Java is trying to make an SMB connection to the KDC server (the 
> domain controller) that is supposed to provide it with a ticket based on 
> your credential and it's getting a connection refused. 

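Stefan's point (jcifs is opening an SMB session, not talking to the KDC on the Kerberos port) and the caskrb5.conf posted above can both be checked mechanically. The following is an added example, not code from the thread, CAS or MIT Kerberos: a small reader for the posted krb5.conf that maps a host to its realm and KDC port, plus a trace check that flags jcifs' SmbTransport.ssn139 frame as an SMB/NetBIOS attempt. The helpers parse_krb5_conf, kdc_for_host and classify_failure and the sample inputs are constructed for this example.

```python
from collections import defaultdict

# Constructed sample after the thread's caskrb5.conf; hypothetical helpers, not CAS/MIT code.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = DEVAD.VU.EDU.AU
[realms]
 DEVAD.VU.EDU.AU = {
  kdc = devaddc1.devad.vu.edu.au:88
 }
[domain_realm]
 .devad.vu.edu.au = DEVAD.VU.EDU.AU
 devad.vu.edu.au = DEVAD.VU.EDU.AU
"""
# One frame copied from the stack trace in the original question.
SAMPLE_TRACE = ["at jcifs.smb.SmbTransport.ssn139(SmbTransport.java:196)"]

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; realm sub-blocks become nested dicts."""
    conf = defaultdict(lambda: defaultdict(list))
    section = block = None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith("["):
            section, block = line.strip("[]"), None
        elif line.endswith("{"):
            block = line.split("=")[0].strip()
            conf[section][block] = defaultdict(list)
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            (conf[section][block] if block else conf[section])[key].append(value)
    return conf

def kdc_for_host(conf, host):
    """Host -> realm via [domain_realm] (else default_realm) -> first KDC and its port (88 default)."""
    realm = conf["libdefaults"].get("default_realm", [None])[0]
    for suffix, realms in conf["domain_realm"].items():
        if host == suffix or host.endswith(suffix if suffix.startswith(".") else "." + suffix):
            realm = realms[0]
    kdcs = conf["realms"].get(realm, {}).get("kdc", [])
    kdc, _, port = (kdcs[0] if kdcs else "").partition(":")
    return {"realm": realm, "kdc": kdc or None, "port": int(port or 88) if kdc else None}

def classify_failure(trace):
    """SmbTransport.ssn139 is jcifs' NetBIOS session setup on TCP 139: an SMB attempt, not Kerberos/88."""
    if any("jcifs.smb.SmbTransport.ssn139" in f for f in trace):
        return "smb-netbios-139"
    return "unknown"
```

The posted conf also pins rc4-hmac as the only ticket and TGS enctype; that is a separate hardening point these checks do not cover.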


Re: [cas-user] CAS 4.1.7 and SPNEGO

2016-07-24 Thread Colin Wilkinson
Hi,

No, that is the weirdest thing: the IP is the CAS machine's.

The JCIFS config is as follows; I tried kerberosKdc with the IP address, with the 
same results.

caskrb5.conf is as follows,

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = DEVAD.VU.EDU.AU
 default_keytab_name = /usr/share/tomcat8/webapps/cas/WEB-INF/classes/vuProperties/svc_casadsso.keytab
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac

[realms]
 DEVAD.VU.EDU.AU = {
  kdc = devaddc1.devad.vu.edu.au:88
 }

[domain_realm]
 .devad.vu.edu.au = DEVAD.VU.EDU.AU
 devad.vu.edu.au = DEVAD.VU.EDU.AU

On Friday, 22 July 2016 20:08:50 UTC+10, Stefan Paetow wrote:
>
> > 2016-07-22 14:22:03,728 DEBUG 
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 
>  authentication: jcifs.smb.SmbException: Failed to connect: 
> JCIFS192_30_1C<00>/XX.XX.XX.XX 
> > jcifs.util.transport.TransportException 
> > java.net.ConnectException: Connection refused 
>
> Well, who does the IP that the above failure to connect refer to? 
> domaindc1.devad.cc.ee.aa? 
>
> Basically Java is trying to make an SMB connection to the KDC server (the 
> domain controller) that is supposed to provide it with a ticket based on 
> your credential and it's getting a connection refused. 



[cas-user] CAS 4.1.7 and SPNEGO

2016-07-21 Thread Colin Wilkinson
Hi CAS Community,

At my work I have been requested to see if we can configure CAS to 
authenticate with AD using SPNEGO, but I am getting the below exception. I 
have tried a variety of things with no success.

I am thinking there may be an issue with regards to how the network is set up.

Basically the network address of the machine is something like this: 
devportal.cc.eee.aa, but the domain of the domain controller that I am 
required to use for dev is domaindc1.devad.cc.eee.aa.

Basically the server is in the cc.eee.aa domain, but the DC is in devad.cc.eee.aa; 
will this even work?

2016-07-22 14:22:03,279 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - 

2016-07-22 14:22:03,285 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - 
2016-07-22 14:22:03,292 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - 
2016-07-22 14:22:03,726 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - 

2016-07-22 14:22:03,728 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - authentication: jcifs.smb.SmbException: Failed to connect: JCIFS192_30_1C<00>/XX.XX.XX.XX
jcifs.util.transport.TransportException
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at jcifs.smb.SmbTransport.ssn139(SmbTransport.java:196)
at jcifs.smb.SmbTransport.negotiate(SmbTransport.java:249)
at jcifs.smb.SmbTransport.doConnect(SmbTransport.java:322)
at jcifs.util.transport.Transport.run(Transport.java:241)
at java.lang.Thread.run(Thread.java:745)

at jcifs.util.transport.Transport.run(Transport.java:258)
at java.lang.Thread.run(Thread.java:745)
2016-07-22 14:22:03,742 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - 

Regards,
Colin
