Re: [cas-user] Strange mod_auth_cas behavior (no cookies created in CASCookiePath)

[Neil Sabol]

Hi Matt,

Thank you for the quick reply and information - I had not considered file 
handles as a culprit. If the issue recurs, I will dig into that.

We did find some anomalies on the virtual machine where the mod_auth_cas 
behavior manifested (outdated VMware tools and really old VM hardware 
version). Not sure if those were related but we've since updated both. Will 
keep this list posted with our findings and experience going forward.

Thank you again for your time, suggestion, and expertise - it is 
appreciated!
-Neil



On Monday, May 22, 2017 at 10:07:44 AM UTC-6, matt wrote:
>
> Hi Neil,
>
> Without the logs, it is difficult to tell.  It /could/ be related to time 
> drift, but I'd find it unlikely that that would prevent writing to disk.
>
> More likely, I'd investigate number of open file handles.  Did some httpd 
> sub-process (e.g., a CGI or PHP) possibly create an egregious number of 
> handles?  This would likely show in error messages printed to the logs. 
>  lsof could also be your friend here.
>
> Matt
>
>
> On May 19, 2017 11:15 AM, "Neil Sabol" <neil@gmail.com > 
> wrote:
>
> Hello CAS Community,
>
> I hope this message finds you all well.
>
> As time permits, I am hoping to pick your brains about a mysterious issue 
> we experienced recently with mod_auth_cas (suspect it was not mod_auth_cas 
> itself but something related).
>
> We have been running mod_auth_cas (version 1.1) in production for a long 
> time without incident. Yesterday, we began to experience a strange behavior 
> on one of our production servers:
>
>
>- mod_auth_cas stopped creating cookies in the defined CASCookiePath 
>(no users were able to login to the application - all requests for 
>CAS-protected resources resulted in a redirect back to the CAS login page 
>and a 401 error upon return to the application)
>
>- Debug logs did not reveal anything interesting - the only related 
>entries I noticed were the following
>
>
> *[debug] mod_auth_cas.c(930): [client X.X.X.X] Cache entry 
>'ae0aa61bf431d62b9e4be00089e87df8' could not be opened, referer: 
>http://something.unm.edu <http://something.unm.edu> [debug] 
>mod_auth_cas.c(1676): [client X.X.X.X] Cookie 
>'ae0aa61bf431d62b9e4be00089e87df8' is corrupt or invalid, referer: 
>http://something.unm.edu <http://something.unm.edu>*
>
>- Permissions, file system status, etc. were all good - from all 
>appearances, mod_auth_cas was not attempting to create cookies in the 
>CASCookiePath (confirmed apache could write to the path, etc.)
>
>- The CASCookiePath directory contained only a .metadata file about 
>2-3 hours after this issue started occurring
>
>
> We ended up using the IT hammer to restore the affected VM from snapshot, 
> so I no longer have the specific logs or state of the system available. The 
> restore did the trick (mod_auth_cas resumed normal operation and began 
> creating cookies in the CASCookiePath), but I am concerned this issue may 
> recur.
>
> The only possible explanation for this that I can think of (in hindsight) 
> is time drift between the application server/clients/cas server. Does that 
> sound possible? If yes, would something like that be logged with debug 
> logging enabled?
>
> If you have any insight or guidance into what could cause this sort of 
> situation with mod_auth_cas, please let me know.
>
> Thank you in advance for your time and expertise!
> -Neil
>
> -- 
> - CAS gitter chatroom: https://gitter.im/apereo/cas
> - CAS mailing list guidelines: 
> https://apereo.github.io/cas/Mailing-Lists.html
> - CAS documentation website: https://apereo.github.io/cas
> - CAS project website: https://github.com/apereo/cas
> --- 
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to cas-user+u...@apereo.org .
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/9b0635b6-657c-4b2e-a091-3acd4b0fec1c%40apereo.org
>  
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/9b0635b6-657c-4b2e-a091-3acd4b0fec1c%40apereo.org?utm_medium=email_source=footer>
> .
>
>
>

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ffd07c74-3657-4072-961b-94539cfcd01c%40apereo.org.

[cas-user] Strange mod_auth_cas behavior (no cookies created in CASCookiePath)

[Neil Sabol]

Hello CAS Community,

I hope this message finds you all well.

As time permits, I am hoping to pick your brains about a mysterious issue 
we experienced recently with mod_auth_cas (suspect it was not mod_auth_cas 
itself but something related).

We have been running mod_auth_cas (version 1.1) in production for a long 
time without incident. Yesterday, we began to experience a strange behavior 
on one of our production servers:


   - mod_auth_cas stopped creating cookies in the defined CASCookiePath (no 
   users were able to login to the application - all requests for 
   CAS-protected resources resulted in a redirect back to the CAS login page 
   and a 401 error upon return to the application)
   
   - Debug logs did not reveal anything interesting - the only related 
   entries I noticed were the following
   
   
*[debug] mod_auth_cas.c(930): [client X.X.X.X] Cache entry 
   'ae0aa61bf431d62b9e4be00089e87df8' could not be opened, referer: 
   http://something.unm.edu [debug] mod_auth_cas.c(1676): [client X.X.X.X] 
   Cookie 'ae0aa61bf431d62b9e4be00089e87df8' is corrupt or invalid, referer: 
   http://something.unm.edu*
   
   - Permissions, file system status, etc. were all good - from all 
   appearances, mod_auth_cas was not attempting to create cookies in the 
   CASCookiePath (confirmed apache could write to the path, etc.)
   
   - The CASCookiePath directory contained only a .metadata file about 2-3 
   hours after this issue started occurring


We ended up using the IT hammer to restore the affected VM from snapshot, 
so I no longer have the specific logs or state of the system available. The 
restore did the trick (mod_auth_cas resumed normal operation and began 
creating cookies in the CASCookiePath), but I am concerned this issue may 
recur.

The only possible explanation for this that I can think of (in hindsight) 
is time drift between the application server/clients/cas server. Does that 
sound possible? If yes, would something like that be logged with debug 
logging enabled?

If you have any insight or guidance into what could cause this sort of 
situation with mod_auth_cas, please let me know.

Thank you in advance for your time and expertise!
-Neil

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9b0635b6-657c-4b2e-a091-3acd4b0fec1c%40apereo.org.

RE: [cas-user] CASAuthNHeader to return user

[Neil Sabol]

Hello Pouria, All,

To build on David's response, you should be able to echo out the HTTP Headers 
on the server side with whatever language you are using.

For example, in PHP see http://php.net/manual/en/function.getallheaders.php 
(Example #1) - just create a test page in your DocumentRoot, place that code in 
it, and navigate to its URL in your browser.

You could also use phpinfo() in PHP. Similar functionality is available in 
other languages (Java, etc.) as well.

Hope that helps.

Thank you,
-Neil

-Original Message-
From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Hawes
Sent: Monday, November 21, 2016 2:41 PM
To: CAS Community 
Subject: Re: [cas-user] CASAuthNHeader to return user

On 21 November 2016 at 16:13, pouria Mahmoudi  wrote:
...
> Description: If enabled, this will store the user returned by CAS in 
> an HTTP header accessible to your web applications.
...
> but it doesn't look like I have an http header. At least by doing 
> Inspect Element on my browser I cannot see it.
>
> Any help would be appreciated.

These headers are not sent to your browser, so you will not see it there. They 
are only set on the server.

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAgu-wD%3D%2BShy_gPkRfz3UnJcLEfhjNYFMg-B3w8VUZjAGP-9ag%40mail.gmail.com.

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/BN6PR07MB2962A8CE15415F4AFA583073B8B50%40BN6PR07MB2962.namprd07.prod.outlook.com.

RE: [cas-user] Mod_auth_cas Logout Question

[Neil Sabol]

Hi David,

We’ve had mixed results with mod_auth_cas logout.

One way we have overcome this is using a separate, intermediary (non-CAS) 
logout page to:


· Remove the MOD_AUTH_CAS and MOD_AUTH_CAS_S cookies from the user’s 
session

· Redirect the user to the CAS logout page.

We use PHP, could be anything though:

https://your.cas.server/cas/logout');
?>

Not sure if that will work for your use case, but perhaps a starting point.

Thanks,
-Neil

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Travis 
Schmidt
Sent: Thursday, August 18, 2016 9:18 AM
To: David Abney ; cas-user@apereo.org
Subject: Re: [cas-user] Mod_auth_cas Logout Question

Make sure "CASSSOEnabled On" is set in httpd.conf.  If you are using a Service 
Registry in CAS, make sure the Logout Channel is enabled and set to 
BACK_CHANNEL.  This is working for me, but I don't have a proxy in the middle 
either.


On Thu, Aug 18, 2016 at 7:20 AM David Abney 
> wrote:
I am using mod_auth_cas v1.1 with a proxy server to login to our PaperCut 
system using CAS v4.2.  We can set a logout URL in PaperCut, which is set to 
the CAS server logout URL.  So, when I logout of PaperCut, it appears I am 
logged out of PaperCut and CAS, but if I go back to the proxy server then 
mod_auth_cas still logs me back into PaperCut without redirecting me to CAS to 
login again.

Is there a way to logout of my session with mod_auth_cas or clear my 
mod_auth_cas cookie?

Thanks,


David Abney
ITS Web Developer/Programmer

600 West Walnut Street
Danville, Kentucky 40422
859.238.5761

[email_logo]
www.centre.edu

--
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To post to this group, send email to 
cas-user@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2d6df68f9efe48e2891c540e083a406b%40Exchange-MB2.centre.edu.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
--
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To post to this group, send email to 
cas-user@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAC_RtEaFoZ-0LAXZ9MW5CdsmRZ5mwK3TNC9S7pUu0Hd11GcaCw%40mail.gmail.com.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To post to this group, send email to cas-user@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/BN6PR07MB2962E71CD84CF2DFD08E15F0B8150%40BN6PR07MB2962.namprd07.prod.outlook.com.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

RE: [cas-user] CASify an AngularJS web application

[Neil Sabol]

This is great, thank you Julien!

We will look at angular-seed.

Our workaround for mod_auth_cas logout is removing the mod_auth_cas cookie and 
redirecting to the CAS logout page (in our application’s logout handler). 
Definitely not ideal but it appears to work – I’m hoping we can leverage 
something more robust like angular-seed+phpCAS going forward.

Thank you again,
-Neil

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Julien 
Gribonvald
Sent: Wednesday, May 25, 2016 1:13 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CASify an AngularJS web application

Hi,

I suggest that you look at these examples :
with java backend : https://github.com/jgribonvald/demo-spring-cas-angular
with php backend : https://github.com/prigaux/angular-seed

The problem with mod_auth_cas is that it doesn't take care of cas request 
logout ;)

Thanks
-Julien


Le 24/05/2016 17:22, Neil Sabol a écrit :
Hi Jay,

Good question – we struggled with this a little while ago and devised a 
solution that worked for our Angular JS applications. This may or may not scale 
or apply to your situation.

We discovered that mod_auth_cas “sees” routes in Angular (based on URI anyway). 
We configured mod_auth_cas to trigger when specific URIs are accessed in our 
Angular application and use those URIs POST to a “login.php” file that simply 
returns the UID of the currently authenticated user(basically, just echoing 
$SERVER[‘REMOTE_USER’]) to the Angular app. The “login.php” file must also be 
included in the paths that mod_auth_cas triggers for.

There is definitely room for improvement. We hoped to use phpCAS but it did not 
play well in our Angular app (CORS issues).

We were also unable to locate a great example, so if you (or anyone else) 
figure something out, I would be very interested to learn about your approach.

I hope this helps.

Thanks,
-Neil

From: cas-user@apereo.org<mailto:cas-user@apereo.org> 
[mailto:cas-user@apereo.org] On Behalf Of india.jai
Sent: Monday, May 23, 2016 7:57 AM
To: CAS Community <cas-user@apereo.org><mailto:cas-user@apereo.org>
Subject: [cas-user] CASify an AngularJS web application

Hi All

Is it possible to CASify an AngularJS web application ?

We are planing to refactor our existing CAS web applications and thinking of 
using AngularJS.

Not able to find a solid answer if its possible or not ?

Can you please kindly clarify ?

Thanks
Jay

--
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org<mailto:cas-user+unsubscr...@apereo.org>.
To post to this group, send email to 
cas-user@apereo.org<mailto:cas-user@apereo.org>.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2b64dab7-32c0-4aa8-a765-a45411994f85%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
--
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org<mailto:cas-user+unsubscr...@apereo.org>.
To post to this group, send email to 
cas-user@apereo.org<mailto:cas-user@apereo.org>.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/BY1PR0701MB17226BD7385ABC253F2261D9B84F0%40BY1PR0701MB1722.namprd07.prod.outlook.com.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

--
Julien Gribonvald
--
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org<mailto:cas-user+unsubscr...@apereo.org>.
To post to this group, send email to 
cas-user@apereo.org<mailto:cas-user@apereo.org>.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/57455097.5090706%40recia.fr<https://groups.google.com/a/apereo.org/d/msgid/cas-user/57455097.5090706%40recia.fr?utm_medium=email_source=footer>.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To post to this group, send email to cas-user@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups

RE: [cas-user] CASify an AngularJS web application

[Neil Sabol]

Hi Jay,

Good question – we struggled with this a little while ago and devised a 
solution that worked for our Angular JS applications. This may or may not scale 
or apply to your situation.

We discovered that mod_auth_cas “sees” routes in Angular (based on URI anyway). 
We configured mod_auth_cas to trigger when specific URIs are accessed in our 
Angular application and use those URIs POST to a “login.php” file that simply 
returns the UID of the currently authenticated user(basically, just echoing 
$SERVER[‘REMOTE_USER’]) to the Angular app. The “login.php” file must also be 
included in the paths that mod_auth_cas triggers for.

There is definitely room for improvement. We hoped to use phpCAS but it did not 
play well in our Angular app (CORS issues).

We were also unable to locate a great example, so if you (or anyone else) 
figure something out, I would be very interested to learn about your approach.

I hope this helps.

Thanks,
-Neil

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of india.jai
Sent: Monday, May 23, 2016 7:57 AM
To: CAS Community 
Subject: [cas-user] CASify an AngularJS web application

Hi All

Is it possible to CASify an AngularJS web application ?

We are planing to refactor our existing CAS web applications and thinking of 
using AngularJS.

Not able to find a solid answer if its possible or not ?

Can you please kindly clarify ?

Thanks
Jay

--
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To post to this group, send email to 
cas-user@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2b64dab7-32c0-4aa8-a765-a45411994f85%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To post to this group, send email to cas-user@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/BY1PR0701MB17226BD7385ABC253F2261D9B84F0%40BY1PR0701MB1722.namprd07.prod.outlook.com.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

RE: [cas-user] Logout redirect with ASP.Net client

[Neil Sabol]

Hello Valentine,

Although I’m not familiar with the exact process in .NET, I believe this is 
something you handle in your application.

Basically, you need to redirect to the CAS logout URL with the service 
parameter set to the URL you want to redirect to once CAS logout occurs.

Example: /cas/logout?service=www.mywebsite.com

You should be able to point your application’s logout handler to that URL 
(after destroying the session in your application of course).

The phpCAS client has a built in function for this: 
phpCAS::logoutWithRedirectService
 – I’ve not had luck locating an equivalent in the .NET implementation.

Let me know if that helps and makes sense (and others, feel free to chime in if 
this is not correct).

Thanks,
-Neil

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Valentine 
Rouzaud
Sent: Thursday, April 28, 2016 7:57 AM
To: CAS Community 
Subject: [cas-user] Logout redirect with ASP.Net client

Hello,

I want to redirect to my home page after logging out from CAS so I've changed 
the "cas.logout.followServiceRedirects" to true in the cas.properties file but 
nothing seemed to happen and I still got stuck to my "localhost/cas/logout" 
page.
I then realized that never did I pick which page I'd like to be redirected to 
in the config so it probably came from there.
And indeed the URL of my logout page is just localhost/cas/logout, there are no 
?service=xxx parameter...
I'm not sure if I have to add a property in the 
cas.properties/deployerConfigContext.xml or if it's something to add in the 
Web.config of my ASP.Net project?
I'd appreciate any help, thank you.
Regards

 Valentine
--
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To post to this group, send email to 
cas-user@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/697becfa-c47d-48f4-8a50-1d862de8115a%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To post to this group, send email to cas-user@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/BY1PR0701MB1722FE61151814980B5DCD2FB8650%40BY1PR0701MB1722.namprd07.prod.outlook.com.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.