Re: [cas-user] Trouble with Auditing Configuration
Did you define the p-namespace?

http://docs.spring.io/spring/docs/current/spring-framework-reference/html/beans.html#beans-p-namespace

Cheers,
Scott

On Mon, Mar 2, 2015 at 5:33 PM, Juan Quintanilla jquin...@fiu.edu wrote:

Hi,

Trying to configure auditing for CAS 3.5.3 to an oracle database, I configured the tables and modified the auditTrailContext.xml file to include the necessary lines but when I startup tomcat I encounter the following error:

[/WEB-INF/spring-configuration/auditTrailContext.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 164; columnNumber: 110; The prefix p for attribute p:dataSource-ref associated with an element type bean is not bound.

I verified that I have the dataSource bean defined in my deployer configuration, so I just wanted to see if someone has encountered a similar error.

Below is a snippet of the auditTrailContext.xml file:

<bean id="inspektrTransactionManager"
      class="org.springframework.jdbc.datasource.DataSourceTransactionManager"
      p:dataSource-ref="dataSource" />

<bean id="inspektrTransactionTemplate"
      class="org.springframework.transaction.support.TransactionTemplate"
      p:transactionManager-ref="inspektrTransactionManager"
      p:isolationLevelName="ISOLATION_READ_COMMITTED"
      p:propagationBehaviorName="PROPAGATION_REQUIRED" />

<!-- For audit table cleaning -->
<bean id="auditTrailManager" class="com.github.inspektr.audit.support.JdbcAuditTrailManager">
    <constructor-arg index="0" ref="inspektrTransactionTemplate" />
    <property name="dataSource" ref="dataSource" />
    <property name="cleanupCriteria" ref="auditCleanupCriteria" />
</bean>

<bean id="auditCleanupCriteria" class="com.github.inspektr.audit.support.MaxAgeWhereClauseMatchCriteria">
    <constructor-arg index="0" value="90" />
</bean>

___
Juan Quintanilla
jquin...@fiu.edu

--
You are currently subscribed to cas-user@lists.jasig.org as: jquin...@fiu.edu
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
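The fix the reply above points to, as an added example that is not part of the original messages or of the CAS distribution: the p: prefix has to be bound on the root beans element of auditTrailContext.xml before any p:... attribute will parse. The second bean shows the equivalent property form, which needs no extra namespace; the dataSource bean is assumed to be defined in deployerConfigContext.xml, as the poster describes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: auditTrailContext.xml with the p-namespace bound on the root element.
     The p-namespace has no XSD of its own, so it needs no xsi:schemaLocation entry. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- Shortcut form: valid only because xmlns:p is declared above.
         "dataSource" is assumed to be defined elsewhere (deployerConfigContext.xml). -->
    <bean id="inspektrTransactionManager"
          class="org.springframework.jdbc.datasource.DataSourceTransactionManager"
          p:dataSource-ref="dataSource" />

    <!-- Equivalent long form: parses even when xmlns:p is not declared. -->
    <bean id="inspektrTransactionTemplate"
          class="org.springframework.transaction.support.TransactionTemplate">
        <property name="transactionManager" ref="inspektrTransactionManager" />
        <property name="isolationLevelName" value="ISOLATION_READ_COMMITTED" />
        <property name="propagationBehaviorName" value="PROPAGATION_REQUIRED" />
    </bean>

    <!-- For audit table cleaning: rows older than 90 days match the cleanup criteria. -->
    <bean id="auditTrailManager"
          class="com.github.inspektr.audit.support.JdbcAuditTrailManager">
        <constructor-arg index="0" ref="inspektrTransactionTemplate" />
        <property name="dataSource" ref="dataSource" />
        <property name="cleanupCriteria" ref="auditCleanupCriteria" />
    </bean>

    <bean id="auditCleanupCriteria"
          class="com.github.inspektr.audit.support.MaxAgeWhereClauseMatchCriteria">
        <constructor-arg index="0" value="90" />
    </bean>
</beans>
```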
Re: [cas-user] Java cas-client 3.3.3 logging
SLF4J is very similar to Commons Logging in that there is an API jar and then one or more implementations/bindings. You should have transitively gotten the slf4j-api class (since we would have to compile against it) and you would have to provide the binding that maps to your logger of choice (Logback is one common one):

http://www.slf4j.org/manual.html

On Thu, Feb 5, 2015 at 10:16 PM, Baron Fujimoto ba...@hawaii.edu wrote:

We're using the Java cas-client (3.3.3) to provide RemoteUser authentication for our Shibboleth IdP service. This version of the cas-client seems to require slf4j where our previously used version (3.2.1) didn't(?). I encountered the following error until I put a copy of slf4j-api-1.7.10.jar in our {tomcat_base}/lib directory:

=
~/tomcat/lib/
106079 Sep 9 17:46 cas-client-core-3.3.3.jar

SEVERE: Exception loading sessions from persistent storage
java.lang.NoClassDefFoundError: Lorg/slf4j/Logger;
[...]
=

Then I discovered that unless I also provided a binding for a logging framework, it generates the warning:

=
~/tomcat/lib/
Sep 9 17:46 cas-client-core-3.3.3.jar
Jan 6 10:15 slf4j-api-1.7.10.jar

SLF4J: Failed to load class org.slf4j.impl.StaticLoggerBinder.
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
=

The IdP war includes the logback-core binding, but apparently that doesn't get picked up:

~/idp/war/idp.war!/WEB-INF/lib/logback-core-1.0.11.jar

If I include the logback-core binding from the slf4j-1.7.10 distribution it generates the fatal error:

=
~/tomcat/lib/
106079 Sep 9 17:46 cas-client-core-3.3.3.jar
270747 Apr 2 2014 logback-classic-1.1.2.jar
32119 Jan 6 10:15 slf4j-api-1.7.10.jar

SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/home/shib/tomcat/lib/logback-classic-1.1.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:war:file:/home/shib/idp/war/idp.war^/WEB-INF/lib/logback-classic-1.0.11.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [ch.qos.logback.classic.util.ContextSelectorStaticBinder]
Failed to instantiate SLF4J LoggerFactory
Reported exception:
java.lang.NoClassDefFoundError: ch/qos/logback/core/joran/spi/JoranException
at org.slf4j.LoggerFactory.bind(LoggerFactory.java:142)
[...]
=

Finally, I settled on using the simple binding, since that only generates a warning and seems to fall back on logback (From the idp.war? Now it picks it up?)

=
~/tomcat/lib/
106079 Sep 9 17:46 cas-client-core-3.3.3.jar
32119 Jan 6 10:15 slf4j-api-1.7.10.jar
10705 Jan 6 10:15 slf4j-simple-1.7.10.jar

SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/home/shib/tomcat/lib/slf4j-simple-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:war:file:/home/shib/idp/war/idp.war^/WEB-INF/lib/logback-classic-1.0.11.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [ch.qos.logback.classic.util.ContextSelectorStaticBinder]
==

I only arrived at this through a series of empirical experiments. I'd appreciate any advice on the recommended way to properly deal with this though.

Aloha,
-baron
--
Baron Fujimoto ba...@hawaii.edu :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
Re: [cas-user] Java cas-client 3.3.3 logging
I'm going to guess you might have a classpath issue. If you're putting SLF4J in the parent classpath (TOMCAT/lib), I don't think it will be able to look into a child for the binding (logback). I think it would only work the other way. I am not a Tomcat classpath expert though as I haven't used Tomcat in a while and even then we rarely put JARs outside the app itself.

On Fri, Feb 6, 2015 at 3:00 PM, Baron Fujimoto ba...@hawaii.edu wrote:

I eventually came up with something that works that's basically consistent with what I think you're saying, though I'm not sure about transitively getting the slf4j-api class since I encountered a fatal error until I explicitly provided that myself.

As for the binding, my initial thought was to use whatever the main idp app was using (logback), but even there I'm confused by the combination of situations I encountered: if I don't provide a binding, it warns and defaults to NOP; if I provide a logback binding, it complains of conflict and barfs; and if I provide a non-logback alternate binding, it notes the multiple bindings and chooses the main app's logback binding (where it previously did not pick it up in the NOP case).

So this is where I question my approach to resolving this. I mean, it seems to work, but it doesn't seem like this is the right way to go about it. Ideally it seems like it should pick up or re-use the binding provided in the idp war, but I don't know how you do that.

-baron

On Fri, Feb 06, 2015 at 01:16:07PM -0500, Scott Battaglia wrote:

SLF4J is very similar to Commons Logging in that there is an API jar and then one or more implementations/bindings.
Re: [cas-user] Intermittant Login Issues for one application
If I'm understanding your issue, you're visiting the login page and after attempting to login, it refreshes the page instead of redirecting? The login page uses a HTTP Servlet Session so it's possible your time between visiting the page and logging in is greater than the session time out.

On Mon, Feb 2, 2015 at 2:28 PM, Whittaker, Geoffrey geoff.whitta...@unf.edu wrote:

I’m having intermittent issues with a single application and my CAS 4 instance. When clicking login on the cas form sometimes the cas server returns 200 instead of 302 directing me back to the application to initiate service ticket validation. Other times, it works without issue. I’m not sure what this could be as it’s the first time I’ve come across it and it worked just fine in 3.5.2.

Has anyone come across anything like this before?

Geoff
Re: [cas-user] Intermittant Login Issues for one application
If it's the session time out issue, 200 is the right response as there's no actual error, just an expired session. How much time is passing from when the page is loaded to when you hit Login?

On Tue, Feb 3, 2015 at 8:31 AM, Whittaker, Geoffrey geoff.whitta...@unf.edu wrote:

Essentially, yes – but only sometimes. The access log in tomcat shows a 200 response when it doesn’t work and a 302 when it does.

Geoff

*From:* Scott Battaglia [mailto:scott.battag...@gmail.com]
*Sent:* Tuesday, February 03, 2015 8:09 AM
*To:* cas-user@lists.jasig.org
*Subject:* Re: [cas-user] Intermittant Login Issues for one application

If I'm understanding your issue, you're visiting the login page and after attempting to login, it refreshes the page instead of redirecting? The login page uses a HTTP Servlet Session so it's possible your time between visiting the page and logging in is greater than the session time out.

On Mon, Feb 2, 2015 at 2:28 PM, Whittaker, Geoffrey geoff.whitta...@unf.edu wrote:

I’m having intermittent issues with a single application and my CAS 4 instance. When clicking login on the cas form sometimes the cas server returns 200 instead of 302 directing me back to the application to initiate service ticket validation. Other times, it works without issue. I’m not sure what this could be as it’s the first time I’ve come across it and it worked just fine in 3.5.2.

Has anyone come across anything like this before?

Geoff
RE: [cas-user] Intermittant Login Issues for one application
A session will time out regardless. I believe the default is like 5 minutes.

On Feb 3, 2015 2:55 PM, Whittaker, Geoffrey geoff.whitta...@unf.edu wrote:

I can’t say with certainty that it’s been after ‘x’ amount of time. However, my first thought was the terminate websession listener as I’ve had problems with it in the past. I disabled it by commenting it out in cas-servlet and I didn’t see a change.

Geoff

*From:* Scott Battaglia [mailto:scott.battag...@gmail.com]
*Sent:* Tuesday, February 03, 2015 8:38 AM
*To:* cas-user@lists.jasig.org
*Subject:* Re: [cas-user] Intermittant Login Issues for one application

If it's the session time out issue, 200 is the right response as there's no actual error, just an expired session. How much time is passing from when the page is loaded to when you hit Login?

On Tue, Feb 3, 2015 at 8:31 AM, Whittaker, Geoffrey geoff.whitta...@unf.edu wrote:

Essentially, yes – but only sometimes. The access log in tomcat shows a 200 response when it doesn’t work and a 302 when it does.

Geoff

*From:* Scott Battaglia [mailto:scott.battag...@gmail.com]
*Sent:* Tuesday, February 03, 2015 8:09 AM
*To:* cas-user@lists.jasig.org
*Subject:* Re: [cas-user] Intermittant Login Issues for one application

If I'm understanding your issue, you're visiting the login page and after attempting to login, it refreshes the page instead of redirecting? The login page uses a HTTP Servlet Session so it's possible your time between visiting the page and logging in is greater than the session time out.

On Mon, Feb 2, 2015 at 2:28 PM, Whittaker, Geoffrey geoff.whitta...@unf.edu wrote:

I’m having intermittent issues with a single application and my CAS 4 instance. When clicking login on the cas form sometimes the cas server returns 200 instead of 302 directing me back to the application to initiate service ticket validation. Other times, it works without issue. I’m not sure what this could be as it’s the first time I’ve come across it and it worked just fine in 3.5.2.

Has anyone come across anything like this before?

Geoff
Re: [cas-user] tomcat error
You're attempting to use a class in your Spring configuration that doesn't exist on your classpath:

nested exception is java.lang.ClassNotFoundException: org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver

That typically means a missing dependency or a typo (or that the class doesn't exist any more). In this case, I would assume there's a CAS module missing or that class was replaced (I apologize I can't remember off the top of my head)

On Fri, Jan 30, 2015 at 5:41 AM, Chris Cheltenham cchelten...@swaintechs.com wrote:

Anyone know what this is telling me? I appreciate your help in advance. I have gone through my docs over and over but I cannot figure out why this is happening.

2015-01-30 05:30:51,724 ERROR [org.springframework.web.context.ContextLoader] - Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'centralAuthenticationService' defined in ServletContext resource [/WEB-INF/spring-configuration/applicationContext.xml]: Cannot resolve reference to bean 'authenticationManager' while setting bean property 'authenticationManager'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationManager' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Cannot create inner bean 'org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver#62d185fe' of type [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] while setting bean property 'credentialsToPrincipalResolvers' with key [0]; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] for bean with name 'org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver#62d185fe' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]; nested exception is java.lang.ClassNotFoundException: org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver

Thank You,
Chris Cheltenham
SwainTechs / HHS
Cell# 267-586-2369
Re: [cas-user] ClassCastException with cas client in Confluence 5.6.6 WAR/EAR installation
Which of the two Confluence classes are you using?

https://github.com/Jasig/java-cas-client/tree/master/cas-client-integration-atlassian/src/main/java/org/jasig/cas/client/integration/atlassian

The 3.5 one is supposed to be for 3.5+ but it's possible they changed things again on us :-)

On Wed, Jan 28, 2015 at 1:32 PM, kylan.hug...@gmail.com wrote:

I've been trying to install the cas client into the latest version of confluence WAR/EAR edition using the instructions here https://wiki.jasig.org/display/CASC/Configuring+Confluence+with+JASIG+CAS+Client+for+Java+3.1 and using the latest version of the cas client from the github https://github.com/Jasig/cas.

Confluence: 5.6.6
Tomcat: 7.0.57

I've been getting the following error when clicking on the further configuration link in setup or when trying to login:

java.lang.ClassCastException: com.atlassian.confluence.security.seraph.ConfluenceUserPrincipal cannot be cast to com.atlassian.user.User
    at com.atlassian.confluence.security.ConfluenceGroupCache.getGroups(ConfluenceGroupCache.java:33)
    at com.atlassian.confluence.security.ConfluenceRoleMapper.seraphHasRole(ConfluenceRoleMapper.java:53)
    at com.atlassian.confluence.security.ConfluenceRoleMapper.hasRole(ConfluenceRoleMapper.java:48)
    at com.atlassian.seraph.filter.SecurityFilter.doFilter(SecurityFilter.java:185)
    at com.atlassian.confluence.web.filter.ConfluenceSecurityFilter.doFilter(ConfluenceSecurityFilter.java:27)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at com.atlassian.confluence.web.filter.ThreadLocalCacheFilter.doFilter(ThreadLocalCacheFilter.java:30)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:100)
    at com.atlassian.confluence.util.AbstractBootstrapHotSwappingFilter.doFilter(AbstractBootstrapHotSwappingFilter.java:35)
    at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at com.atlassian.seraph.filter.BaseLoginFilter.doFilter(BaseLoginFilter.java:148)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:236)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
    at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:70)
    at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:61)
    at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:78)
    at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
    at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:70)
    at com.atlassian.prettyurls.filter.PrettyUrlsCombinedMatchDispatcherFilter.doFilter(PrettyUrlsCombinedMatchDispatcherFilter.java:61)
    at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:78)
    at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
    at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77)
    at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at com.atlassian.confluence.util.ClusterHeaderFilter.doFilter(ClusterHeaderFilter.java:44)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
Re: [cas-user] CAS server release v3.5.3
Guys --

Can we please kill this thread? The project has acknowledged that there are opportunities to improve our reaction and messaging around security concerns and I'm confident we'll incorporate the learnings from this thread if there are any issues in the future.

I encourage individuals who discover security concerns to please continue to report them directly to the Security Contact Group:

https://wiki.jasig.org/display/JSG/Security+Contact+Group

This allows us to ensure that a proper investigation occurs, prepare appropriate communications, and incorporate a fix or mitigation strategy as appropriate.

Kind regards,
Scott

On Sun, Jan 25, 2015 at 12:11 AM, Paul B. Henson hen...@csupomona.edu wrote:

On Sat, Jan 24, 2015 at 08:17:08PM -0800, Yuri Ticini wrote:

Oh man, are you still here insisting with this bullshit? How old are you, fourteen? [...] Does that mean you're above all these people? If that's the case, why you're keeping your silly sysadmin job? Go for the gold man, you're probably a rare genius! [...] And apparently you don't even understand how LDAP searches work with wildcards, so why bother? [...] Ah, and one more thing: trying to justify your recent douche behavior on a bit of a bad mood is coward. Go find yourself a therapist. [...] I'm following your advice and forwarding messages from you to Junk. I'm not interested at all in what you have to say. Therefore, feel free to try to pretend to be smart and superior responding to this

Throw unfounded petty insults right and left and then say don't bother to reply because you won't read it? Doesn't matter to me you won't see this, but for the people that do I think that speaks for itself.

And for the record, I've had off-list correspondence with a number of people, some of them directly associated with the project, who agree with me the announcement was poorly handled and the CVE poorly written. It seems I'm just the only one with the lack of tact to call it out in public.

--
Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | hen...@cpp.edu
California State Polytechnic University | Pomona CA 91768
Re: [cas-user] errors when building project
You're still building within CAS. If you were using the pure WAR overlay process, your errors should not be coming from this directory:

/usr/local/cas-server-4.0.0/cas-server-webapp/target/surefire-reports

On Thu, Dec 18, 2014 at 6:00 PM, Chris Adams chris.a.ad...@state.or.us wrote:

Actually, I am using Maven WAR overlay. I am having a heck of a time building a basic WAR package. I started on a Unix machine and now am testing on a Win 7. The latest attempt gives me an error about the license plugin.

[ERROR] Failed to execute goal com.mycila.maven-license-plugin:maven-license-plu gin:1.9.0:check (default) on project cas-server-webapp: Resource c:\SSO\CAS\src\ licensing\header.txt not found in file system, classpath or URL: unknown protocol l: c - [Help 1]

I added a plugin section in the pom.xml and ran it again, to no avail. Is the license header information supposed to be fetched from mycila.com, or …..?

<plugin>
    <groupId>com.mycila.maven-license-plugin</groupId>
    <artifactId>maven-license-plugin</artifactId>
    <configuration>
        <header>${cs.dir}\src\licensing\header.txt</header>
        <skipExistingHeaders>true</skipExistingHeaders>
        <strictCheck>true</strictCheck>
        <headerDefinitions>
            <headerDefinition>${cs.dir}\src\licensing\header-definitions.xml</headerDefinition>
        </headerDefinitions>
        <aggregate>true</aggregate>
        <excludes>
            <exclude>LICENSE</exclude>
            <exclude>**/INSTALL*</exclude>
            <exclude>**/NOTICE*</exclude>
            <exclude>**/README*</exclude>
            <exclude>**/readme*</exclude>
            <exclude>**/*.log</exclude>
            <exclude>**/*.license</exclude>
            <exclude>**/*.txt</exclude>
            <exclude>**/*.crt</exclude>
            <exclude>**/*.crl</exclude>
            <exclude>**/*.key</exclude>
            <exclude>**/*.checkstyle</exclude>
            <exclude>**/*.properties</exclude>
            <exclude>**/.gitignore</exclude>
            <exclude>**/overlays/**</exclude>
            <exclude>src/licensing/**</exclude>
            <exclude>**/testCA/**</exclude>
            <exclude>**/.idea/**</exclude>
            <exclude>**/*.keystore</exclude>
            <exclude>**/*.example</exclude>
            <exclude>**/*.sample</exclude>
            <exclude>**/*.conf</exclude>
            <exclude>**/*.doc</exclude>
            <exclude>**/*.jmx</exclude>
        </excludes>
    </configuration>
    <executions>
        <execution>
            <phase>compile</phase>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>

*From:* John Gasper [mailto:jgas...@unicon.net]
*Sent:* Wednesday, December 17, 2014 8:43 AM
*To:* cas-user@lists.jasig.org
*Subject:* Re: [cas-user] errors when building project

Chris,

It looks like you are trying to build CAS Server from source, and not building a deployment using the Maven WAR Overlay method. If so, unless you have a specific reason, I'd look into using the overlay method.

As for the specific error, that's common when mixing incompatible library versions. You may need to do some excluding.

Good luck!
John

On 12/16/14 1:04 PM, Chris Adams wrote:

Hello all,

When building a project, I get some error messages. I know that I can build without running tests, but I am wondering what this means and whether I should figure it out before building. I did run with debug logging and this is the result. I am not sure how to proceed.

Results :

Tests in error:
testWiring(org.jasig.cas.WiringTests): Error creating bean with name 'serviceRegistryReloaderJobDetail' defined in file [/usr/local/cas-server-4.0.0/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/applicationContext.xml]: Invocation of init method failed; nested exception is java.lang.NoSuchMethodError: org.apache.commons.collections.SetUtils.orderedSet(Ljava/util/Set;)Ljava/util/Set;

Tests run: 1, Failures: 0, Errors: 1, Skipped: 0

[INFO]
[INFO] BUILD FAILURE
[INFO]
[INFO] Total time: 01:10 min
[INFO] Finished at: 2014-12-16T13:00:58-08:00
[INFO] Final Memory: 26M/64M
[INFO]
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:2.12.4:test (default-test) on project cas-server-webapp: There are test failures.
[ERROR]
[ERROR] Please refer to /usr/local/cas-server-4.0.0/cas-server-webapp/target/surefire-reports for the individual test results.
[ERROR] - [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:2.12.4:test (default-test) on project cas-server-webapp: There are
Re: [cas-user] errors when building project
You can actually build from anywhere (sorry I didn't mention that the first time... was in a bit of a hurry). The important piece is that the CAS items are pulled in as dependencies versus you compiling the project from source. It looks like Dimo pointed you towards a good template.

On Fri, Dec 19, 2014 at 11:15 AM, Chris Adams chris.a.ad...@state.or.us wrote:

Thank you for your reply. Where should I be building from?

*From:* Scott Battaglia [mailto:scott.battag...@gmail.com] *Sent:* Friday, December 19, 2014 5:33 AM *To:* cas-user@lists.jasig.org *Subject:* Re: [cas-user] errors when building project

You're still building within CAS. If you were using the pure WAR overlay process, your errors should not be coming from this directory: /usr/local/cas-server-4.0.0/cas-server-webapp/target/surefire-reports

On Thu, Dec 18, 2014 at 6:00 PM, Chris Adams chris.a.ad...@state.or.us wrote:

Actually, I am using Maven WAR overlay. I am having a heck of a time building a basic WAR package. I started on a Unix machine and now am testing on a Win 7. The latest attempt gives me an error about the license plugin.

[ERROR] Failed to execute goal com.mycila.maven-license-plugin:maven-license-plugin:1.9.0:check (default) on project cas-server-webapp: Resource c:\SSO\CAS\src\licensing\header.txt not found in file system, classpath or URL: unknown protocol: c -> [Help 1]

I added a plugin section in the pom.xml and ran it again, to no avail. Is the license header information supposed to be fetched from mycila.com, or …..?
<plugin>
  <groupId>com.mycila.maven-license-plugin</groupId>
  <artifactId>maven-license-plugin</artifactId>
  <configuration>
    <header>${cs.dir}\src\licensing\header.txt</header>
    <skipExistingHeaders>true</skipExistingHeaders>
    <strictCheck>true</strictCheck>
    <headerDefinitions>
      <headerDefinition>${cs.dir}\src\licensing\header-definitions.xml</headerDefinition>
    </headerDefinitions>
    <aggregate>true</aggregate>
    <excludes>
      <exclude>LICENSE</exclude>
      <exclude>**/INSTALL*</exclude>
      <exclude>**/NOTICE*</exclude>
      <exclude>**/README*</exclude>
      <exclude>**/readme*</exclude>
      <exclude>**/*.log</exclude>
      <exclude>**/*.license</exclude>
      <exclude>**/*.txt</exclude>
      <exclude>**/*.crt</exclude>
      <exclude>**/*.crl</exclude>
      <exclude>**/*.key</exclude>
      <exclude>**/*.checkstyle</exclude>
      <exclude>**/*.properties</exclude>
      <exclude>**/.gitignore</exclude>
      <exclude>**/overlays/**</exclude>
      <exclude>src/licensing/**</exclude>
      <exclude>**/testCA/**</exclude>
      <exclude>**/.idea/**</exclude>
      <exclude>**/*.keystore</exclude>
      <exclude>**/*.example</exclude>
      <exclude>**/*.sample</exclude>
      <exclude>**/*.conf</exclude>
      <exclude>**/*.doc</exclude>
      <exclude>**/*.jmx</exclude>
    </excludes>
  </configuration>
  <executions>
    <execution>
      <phase>compile</phase>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>

*From:* John Gasper [mailto:jgas...@unicon.net] *Sent:* Wednesday, December 17, 2014 8:43 AM *To:* cas-user@lists.jasig.org *Subject:* Re: [cas-user] errors when building project

Chris, It looks like you are trying to build CAS Server from source, and not building a deployment using the Maven WAR Overlay method. If so, unless you have a specific reason, I'd look into using the overlay method. As for the specific error, that's common when mixing incompatible library versions. You may need to do some excluding. Good luck! John

On 12/16/14 1:04 PM, Chris Adams wrote:

Hello all, When building a project, I get some error messages. I know that I can build without running tests, but I am wondering what this means and whether I should figure it out before building. I did run with debug logging and this is the result. I am not sure how to proceed.
Results : Tests in error: testWiring(org.jasig.cas.WiringTests): Error creating bean with name 'serviceRegistryReloaderJobDetail' defined in file [/usr/local/cas-server-4.0.0/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/applicationContext.xml]: Invocation of init method failed; nested exception is java.lang.NoSuchMethodError: org.apache.commons.collections.SetUtils.orderedSet(Ljava/util/Set;)Ljava/util/Set; Tests run: 1, Failures: 0, Errors: 1, Skipped: 0 [INFO] [INFO] BUILD FAILURE [INFO] [INFO] Total time: 01:10 min [INFO] Finished at: 2014-12-16T13:00:58-08:00
Re: [cas-user] gateway mode
Depending on the client, you can alter the behavior. The Java client supports providing a custom implementation of the GatewayResolver so you could store the result of the gateway request per session (or some other method) to reduce the number of round trips. On Tue, Dec 9, 2014 at 3:47 PM, Misagh Moayyed mmoay...@unicon.net wrote: If that's not the design intent, what might the proper use of gateway in this context be? Maybe check once, mark locally as unauth if not authenticated and not hit the server again until the user explicitly clicks a Login URL? Yes. A guest view that renders relevant content to an unauthenticated user. Also might come in handy if you authenticate via CAS without a target service to only then land on a portal-like page that spawns links to various apps. -Original Message- From: Tom Poage [mailto:tfpo...@ucdavis.edu] Sent: Tuesday, December 9, 2014 9:50 AM To: cas-user@lists.jasig.org Subject: [cas-user] gateway mode Looking for opinion/experience/knowledge: Is it common for a web app using gateway mode to hit the CAS server on every click of a CAS-protected site when the user has no CAS session? This seems a waste of CAS server resources to keep checking just in case the user authenticated through some other channel, especially very busy sites (we have one of these). If that's not the design intent, what might the proper use of gateway in this context be? Maybe check once, mark locally as unauth if not authenticated and not hit the server again until the user explicitly clicks a Login URL? Thanks. Tom. 
Re: [cas-user] Rapid Memory Consumption and Interpreting Heap Dump
I think there are two items to consider here:

1. how do we make sure a misconfigured client doesn't denial of service a server (I thought some of our throttling stuff should have handled that, but maybe not?)
2. why is your specific client going nuts (is that user not found and it gets into a loop, etc.)

On Mon, Dec 8, 2014 at 12:30 PM, David A. Kovacic d...@case.edu wrote:

Actually if you read the docs, it describes how to rate-limit (throttle) FAILED login attempts. What we are seeing is large numbers of SUCCESSFUL logins, at least as evidenced by the large number of STs generated, from the same user over a short period of time (thousands in about an hour).

On 12/2/14 7:23 PM, Trenton D. Adams wrote:

It does have a way of rate limiting per user, check the docs. :D

On 14-12-02 05:17 PM, Carl Waldbieser wrote:

Dave, How many logins? We recently had a misconfigured cas client from a vendor almost fill /var. It was tens of thousands of logins. It would be nice if cas had some way to rate limit ST and login requests per user. Thanks, Carl

On Dec 2, 2014 3:26 PM, David A. Kovacic d...@case.edu wrote:

I'm not sure how or where you would mark this as a singleton instance - although if you go back to an actual Google web page multiple times from the same browser session you reuse the ST if that's what you mean. This actually looked like multiple logins from a single user over the span of about 30 minutes. Not sure if this was some poorly written webapp logging in several times or what.

On 12/2/14 1:32 PM, Erik-Paul Dittmer wrote:

Rapid heap memory consumption (which are not garbage collected) *can* be caused by unfinished Spring Webflow flow sessions; this is something we have observed. However, when looking at your memory dump, the majority of the instances (and size) is being claimed by the GoogleAccountService. Perhaps this is not marked as a singleton instance?

On Tue, Dec 2, 2014 at 6:38 PM, David A. Kovacic d...@case.edu wrote:

All, Yesterday evening one of our CAS 4.0.0 servers went from under a GB of heap usage to 3GB in a matter of about 10 minutes. The end result was that again the SSO service died (one server with a heap memory OoM error and the other trying to replicate the ehcache to the dead server). This was definitely not a memory leak issue as the servers had been restarted only earlier that morning, so they had only been up for about 17 hours or so. Our system monitors also indicated that the memory usage rather suddenly skyrocketed (over the course of about 20 minutes) so we suspect that the memory consumption is a symptom of some other issue. We have a heap dump but I am having a bit of trouble trying to analyze it with jvisualvm as I have never used the tool before. If I am interpreting the dump correctly, it appears that tickets only play a very small part of the overall memory usage (see screen shot). Has anyone heard or experienced anything like what we are seeing? This is becoming increasingly frustrating as every time we think we have the issues resolved and turn our attention elsewhere one server or the other crashes and takes the service down with it. Dave

-- Erik-Paul Dittmer T: +31 (0) 64 761 87 57 Visit us at http://www.digitalmisfits.com
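The pattern described in this thread (thousands of successful service-ticket grants for one user in about an hour, which failed-login throttling does not cover) can be found after the fact in the Inspektr audit table. This is an added example, not code from the thread or from CAS: it loads constructed rows into an in-memory SQLite copy of the com_audit_trail schema quoted elsewhere on this page and flags users whose busiest sliding one-hour window of SERVICE_TICKET_CREATED rows reaches a threshold. The function names, the threshold of 1000, the sample users and the addresses are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# SQLite rendering of the com_audit_trail table quoted on this page.
SCHEMA = """CREATE TABLE com_audit_trail (
  aud_user TEXT NOT NULL, aud_client_ip TEXT NOT NULL, aud_server_ip TEXT NOT NULL,
  aud_resource TEXT NOT NULL, aud_action TEXT NOT NULL, applic_cd TEXT NOT NULL,
  aud_date TEXT NOT NULL,
  PRIMARY KEY (aud_user, aud_client_ip, aud_server_ip, aud_resource,
               aud_action, applic_cd, aud_date))"""
ST_CREATED = "SERVICE_TICKET_CREATED"  # audit action recorded for a granted ST
SERVER_IP = "198.51.100.5"             # constructed, documentation address range


def build_constructed_db():
    """Return an in-memory database filled with constructed audit rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    base = datetime(2014, 12, 1, 20, 0, 0)
    rows = []

    def add(user, ip, action, resource, when):
        rows.append((user, ip, SERVER_IP, resource, action, "CAS",
                     when.strftime("%Y-%m-%d %H:%M:%S")))

    # loopuser: a looping client, 1500 STs in 50 minutes (one every 2 seconds).
    for i in range(1500):
        add("loopuser", "192.0.2.10", ST_CREATED, f"ST-L{i}", base + timedelta(seconds=2 * i))
    # carol: 1200 STs from 20:45:00 to 21:04:59, straddling the hour boundary.
    for i in range(1200):
        add("carol", "192.0.2.30", ST_CREATED, f"ST-C{i}", base + timedelta(minutes=45, seconds=i))
    # alice: ordinary use, one ST every 30 minutes.
    for i in range(20):
        add("alice", "192.0.2.20", ST_CREATED, f"ST-A{i}", base + timedelta(minutes=30 * i))
    # bob: 2000 failed logins; these are not ticket grants and must not be counted.
    for i in range(2000):
        add("bob", "192.0.2.40", "AUTHENTICATION_FAILED", "constructed", base + timedelta(seconds=i))
    conn.executemany("INSERT INTO com_audit_trail VALUES (?,?,?,?,?,?,?)", rows)
    return conn


def peak_window(times, window):
    """Return (count, start) of the busiest half-open window [start, start + window)."""
    best, best_start, lo = 0, None, 0
    for hi, t in enumerate(times):
        while t - times[lo] >= window:   # drop events that fell out of the window
            lo += 1
        if hi - lo + 1 > best:
            best, best_start = hi - lo + 1, times[lo]
    return best, best_start


def find_st_bursts(conn, window=timedelta(hours=1), threshold=1000):
    """List users whose successful ST grants reach `threshold` within `window`."""
    cur = conn.execute(
        "SELECT aud_user, aud_date, aud_client_ip FROM com_audit_trail "
        "WHERE aud_action = ? ORDER BY aud_user, aud_date", (ST_CREATED,))
    per_user = {}
    for user, when, ip in cur:
        per_user.setdefault(user, []).append((datetime.fromisoformat(when), ip))
    findings = []
    for user, events in per_user.items():
        count, start = peak_window([t for t, _ in events], window)
        if count >= threshold:
            ips = sorted({ip for t, ip in events if start <= t < start + window})
            findings.append({"user": user, "count": count,
                             "window_start": start, "client_ips": ips})
    return sorted(findings, key=lambda f: -f["count"])


def hourly_bucket_peaks(conn):
    """Per-clock-hour maxima, for comparison: these miss bursts that cross an hour."""
    cur = conn.execute(
        "SELECT aud_user, MAX(n) FROM (SELECT aud_user, substr(aud_date, 1, 13) AS hr, "
        "COUNT(*) AS n FROM com_audit_trail WHERE aud_action = ? "
        "GROUP BY aud_user, hr) GROUP BY aud_user", (ST_CREATED,))
    return dict(cur.fetchall())


if __name__ == "__main__":
    for finding in find_st_bursts(build_constructed_db()):
        print(finding)
```

The single client address reported for each flagged user is what points at one looping client rather than many devices; the clock-hour comparison shows why a plain GROUP BY per hour would have missed carol.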
Re: [cas-user] Problems with self-cleaning com_audit_trail
I think you most likely need to use some aspect of Spring's scheduling/timer mechanism to actually trigger the cleanup periodically.

On Wed, Dec 3, 2014 at 7:51 AM, Alexi Pascual alexi.pasc...@uc.cl wrote:

We are using the file as it appears in the guide, configuring the JDBC support. Records are inserted correctly, but the clean of the records doesn't execute. Attached is our setup. Alexi Pascual

On 03/12/14 at 01:48, Scott Battaglia wrote:

Can you post your configuration? Are you using something to schedule the clean method to be called?

On Mon, Dec 1, 2014 at 4:03 PM, Alexi Pascual apasc...@uc.cl wrote:

Hi, I have problems with self-cleaning com_audit_trail table. It doesn't clean the old records. I followed the page https://wiki.jasig.org/display/CASUM/Auditing+and+Statistics+Via+Inspektr I have installed 3.5.2 CAS with postgresql 8.2.4. The table was created:

CREATE TABLE com_audit_trail (
  aud_user character varying(100) NOT NULL,
  aud_client_ip character varying(15) NOT NULL,
  aud_server_ip character varying(15) NOT NULL,
  aud_resource character varying(100) NOT NULL,
  aud_action character varying(100) NOT NULL,
  applic_cd character varying(5) NOT NULL,
  aud_date timestamp with time zone NOT NULL,
  CONSTRAINT com_audit_trail_pk PRIMARY KEY (aud_user, aud_client_ip, aud_server_ip, aud_resource, aud_action, applic_cd, aud_date)
)

Does anybody have the same problem?
-- Alexi Pascual
Re: [cas-user] Problems with self-cleaning com_audit_trail
Can you post your configuration? Are you using something to schedule the clean method to be called?

On Mon, Dec 1, 2014 at 4:03 PM, Alexi Pascual apasc...@uc.cl wrote:

Hi, I have problems with self-cleaning com_audit_trail table. It doesn't clean the old records. I followed the page https://wiki.jasig.org/display/CASUM/Auditing+and+Statistics+Via+Inspektr I have installed 3.5.2 CAS with postgresql 8.2.4. The table was created:

CREATE TABLE com_audit_trail (
  aud_user character varying(100) NOT NULL,
  aud_client_ip character varying(15) NOT NULL,
  aud_server_ip character varying(15) NOT NULL,
  aud_resource character varying(100) NOT NULL,
  aud_action character varying(100) NOT NULL,
  applic_cd character varying(5) NOT NULL,
  aud_date timestamp with time zone NOT NULL,
  CONSTRAINT com_audit_trail_pk PRIMARY KEY (aud_user, aud_client_ip, aud_server_ip, aud_resource, aud_action, applic_cd, aud_date)
)

Does anybody have the same problem?

-- Alexi Pascual
Re: [cas-user] initial CAS deployment not working
Have you checked the Tomcat logs for any errors/exceptions? Cheers, Scott

On Thu, Nov 20, 2014 at 3:50 PM, Chris Adams chris.a.ad...@state.or.us wrote:

Hello, I am quite new to CAS. I have been plodding along to get this server up and running, but have come to a roadblock. At this point, I only want to be able to get CAS available via http, for proof of concept. I have all the components in place and have Tomcat running successfully on port 8080. Using Maven, I built the WAR file and then moved it into the Tomcat webapps folder and started Tomcat. Tomcat starts up, but I don’t see it referencing the cas.war file and I believe it should. Going to the URL:8080/cas/ results in a 404. I would appreciate if someone could get me on the right track so that I can get on to bigger and more fun things. Many thanks.
Re: [cas-user] initial CAS deployment not working
It looks like CAS was deployed. Does it work if you go to host:8080/cas/login instead of host:8080/cas/ ?

On Thu, Nov 20, 2014 at 6:57 PM, Chris Adams chris.a.ad...@state.or.us wrote:

I checked the permissions on the cas.war file and the tomcat user has full access to it. I waded through the logs and there were some entries that might be of some help.

20-Nov-2014 15:46:16.540 WARNING [localhost-startStop-1] org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesThreads The web application [cas] appears to have started a thread named [FileWatchdog] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
java.lang.Thread.sleep(Native Method)
org.apache.log4j.helpers.FileWatchdog.run(FileWatchdog.java:104)

*From:* Scott Battaglia [mailto:scott.battag...@gmail.com] *Sent:* Thursday, November 20, 2014 1:05 PM *To:* cas-user@lists.jasig.org *Subject:* Re: [cas-user] initial CAS deployment not working

Have you checked the Tomcat logs for any errors/exceptions? Cheers, Scott

On Thu, Nov 20, 2014 at 3:50 PM, Chris Adams chris.a.ad...@state.or.us wrote:

Hello, I am quite new to CAS. I have been plodding along to get this server up and running, but have come to a roadblock. At this point, I only want to be able to get CAS available via http, for proof of concept. I have all the components in place and have Tomcat running successfully on port 8080. Using Maven, I built the WAR file and then moved it into the Tomcat webapps folder and started Tomcat. Tomcat starts up, but I don’t see it referencing the cas.war file and I believe it should. Going to the URL:8080/cas/ results in a 404. I would appreciate if someone could get me on the right track so that I can get on to bigger and more fun things. Many thanks.
Re: [cas-user] CAS 4.0.0 Production Issue: Heap Memory Issue
What is your eviction policy for things in the cache?

On Fri Nov 14 2014 at 3:06:16 PM David A. Kovacic d...@case.edu wrote:

Do those settings go in CATALINA_OPTS or JAVA_OPTS in the setenv.sh file?

On 11/14/14 9:39 AM, Zac Harvey wrote:

We've been using 2 load balanced 4.0.0 nodes (LDAP auth handler) for almost 3 months now and never needed a restart. That tells me this is either specific to your configuration or custom code (3rd party or in-house) you've added on top of what CAS provides. Either way it doesn't seem to be a problem with CAS core. Can you give us more details about your setup? Most importantly, you will want to profile your server with something like jVisualVM (comes with the JDK). This will help you see what is actually going on with your memory. http://visualvm.java.net/gettingstarted.html Even more most importantly, you can configure your Tomcat nodes to dump the memory heap to a file when you experience an OutOfMemoryException:

-XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=path to dump file

If this happens again in PROD, or if you can reproduce it in non-prod, load one of these files in jVisualVM and explore its contents. Without too much poking around it should quickly tell you where most of your memory was getting chewed up. If you report back with your findings from this heap dump analysis we can better pinpoint where your memory leak is coming from. HTH

From: David A. Kovacic d...@case.edu Sent: Friday, November 14, 2014 9:30 AM To: cas-user@lists.jasig.org Subject: [cas-user] CAS 4.0.0 Production Issue: Heap Memory Issue

All, For the second time both of our SSO servers running under Tomcat ran out of heap memory last night. They had been up about 7 days straight with no restarts. It looks like they again ran out of memory at about 1GB used (which seems to be the default Java heap size). We have lots of memory available on those servers so the last time this happened, we thought to increase the max heap size to 2GB.
Our research had indicated that to increase heap memory for a Java app running under Tomcat you need to add the following line in the Tomcat CATALINA_HOME/bin/setenv.sh file:

CATALINA_OPTS="-Xms1000m -Xmx2000m"

Supposedly according to our research, this increases minimum heap size to 1000MB and max heap size to 2000MB (just under 1GB and 2GB respectively). This is all running under RHEL 6 with Tomcat 7.0.54 and Oracle Java jdk1.8.0_05. Is there something we are missing here? Do we need to do something to tell Tomcat that it needs to allocate more memory than the default to the CAS application itself? The only applications we are running under Tomcat are the CAS webapp and the CAS management webapp which is pretty much idle all the time. We reload services using the default 2 minute timer in both CAS and CAS-management. This is a fairly major issue for us as we are in the middle of our student registration period and we are seeing huge usage from Blackboard during the late-night hours (which is perversely when these servers tend to run out of heap). People are beginning to take a very jaundiced view of the supposedly improved SSO service that our move from RubyCAS was supposed to give them. Dave
Re: [cas-user] CAS pt_BR Language
We always accept translations (assuming they are accurate :-)). The easiest way is to generate a pull request with the changes from our GitHub repository. An example workflow: https://github.com/Jasig/cas/wiki/Contributor-Guidelines

On Mon, Oct 6, 2014 at 6:19 PM, Denys gsde...@fassof.com wrote:

Hi, I'm using CAS 4 in internal applications and I see that the Portuguese language have not messages actualized. I would like to help team translating it - If possible, of course. Future more we pretend to start use of uPortal, and also translate it. Can I help you with translations? If yes, how can I start work? Thanks
Re: [cas-user] single sign not working in firefix version firefox-29.0.1
The cookies are session cookies so browsers are supposed to clean them up when the browser closes. Chrome may not do that. The important thing is that SSO works within the same browser session.

On Mon, Sep 22, 2014 at 2:10 PM, Santosh kumar kr.santosh3...@gmail.com wrote:

Hi, Single sign on working in Chrome but not in Mozilla, actually when I close Firefox and after start Firefox then cookie got deleted, but in Chrome I close and after open cookie still available so in Chrome it's working but not in Firefox. Please help..

On Fri, Sep 19, 2014 at 6:38 PM, Waldbieser, Carl waldb...@lafayette.edu wrote:

I think you need to give a bit more information about what exactly is not working. Can you briefly describe what happens with each browser, and what the differences you observe are? Thanks, Carl Waldbieser Lafayette College

- Original Message - From: Santosh kumar kr.santosh3...@gmail.com To: cas-user@lists.jasig.org Sent: Friday, September 19, 2014 5:49:19 AM Subject: [cas-user] single sign not working in firefix version firefox-29.0.1

Hi, Cas single sign not working in firefox-29.0.1 version, but it's working in Chrome 37.0.2062.120 m version. Please give solution. Thanks and Regards, Santosh Kumar Mail id - kr.santosh3...@gmail.com Mobile no. - 9967106799

-- Hi, Thanks and Regards, Santosh Kumar Mail id - kr.santosh3...@gmail.com Mobile no. - 9967106799
Re: [cas-user] This is embarassing
No issues with removing but we should see what the protocol spec says :-)

On Sat, Sep 20, 2014 at 2:33 AM, Jérôme LELEU lel...@gmail.com wrote:

+1 to remove as well

Jérôme LELEU Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org

2014-09-19 23:39 GMT+02:00 Misagh Moayyed mmoay...@unicon.net:

+1 to remove.

-Original Message- From: Marvin Addison [mailto:marvin.addi...@gmail.com] Sent: Friday, September 19, 2014 12:02 PM To: cas-user@lists.jasig.org Subject: Re: [cas-user] This is embarassing

Can anyone give me one good reason to keep that check box?

I'm pretty sure you've given us a good executive summary for removing it. :) In any case, while your experience sounds particularly bad, we've had some headaches supporting extended flows while maintaining proper function of the warn feature. Ticket expiration like you noted is the main concern. It's probably best to simply remove it; nobody here uses it either. Arguably nobody _any_where. M
Re: [cas-user] mailing list link is broken
Try: https://wiki.jasig.org/display/JSG/cas-user

On Tue, Sep 16, 2014 at 9:53 AM, Rex Roof r...@wccnet.edu wrote:

This link in the footer is broken: http://www.ja-sig.org/wiki/display/JSG/cas-user it redirects to https://www.apereo.org/ and doesn't provide a path to update my mailing list settings. Where do I go to update my settings? https://www.apereo.org/wiki/display/JSG/cas-user also doesn't work.

- Rex Roof WCC Systems Engineer r...@wccnet.edu
Re: [cas-user] Default Tciket Registry default size
I don't think there is a maximum number of entries. There however is an initial capacity and load factor: http://docs.oracle.com/javase/7/docs/api/java/util/concurrent/ConcurrentHashMap.html#ConcurrentHashMap%28int,%20float%29

On Fri, Sep 12, 2014 at 9:18 AM, Chris Peck crp...@email.wm.edu wrote:

I'm using the DefaultTicketRegistry and have not tweaked the settings. According to the docs, the default size is based on the defaults of ConcurrentHashMap, and then documents how to change initialCapacity, etc... Basically, I'm curious as to how many entries the default setting will hold, so I can decide if I need to override the default settings. Thanks, Chris Peck
Re: [cas-user] Case Study of CAS
Unfortunately, no one is required to register with CAS as a user. We've got various large corporations, governments, non-government organizations, etc. using CAS. Most of the ones that publish their association are universities though. What are their concerns? Security, scale, etc.?

On Fri, Sep 12, 2014 at 7:57 AM, Dheeraj Dubey dheeraj.du...@zensar.in wrote:

Hi All, I have suggested CAS as a solution for SSO to my client. They worked on Finance domain. Now they want us to provide case study of any other finance company using CAS. If any one aware about any finance case study where CAS has been used. I have searched client list of CAS almost all are University. Thanks and Regards, Dheeraj Dubey
Re: [cas-user] Java CAS Client 3.2.2 ?
I just released it. It will take a bit of time to make it out into the world.

On Fri, Sep 5, 2014 at 11:34 PM, Andrew Petro apetro.li...@gmail.com wrote:

Those changes sound fine to me and worth making to get a fixed Java CAS Client 3.2.2 out the door. Andrew

On Mon, Sep 1, 2014 at 10:32 PM, Scott Battaglia scott.battag...@gmail.com wrote:

If I make the following changes I can get a 3.2.2 build:

1. Ignore Saml11TicketValidatorTests (it's running into some issue with the way it starts the server; apparently we ignore these on master which is weird)
2. Update Spy Memcache Client to latest version (only more recent versions are in Maven Central)
3. Update Atlassian repository to new location

I am assuming no one has any issue with these changes to get a 3.2.2 build out. If not, I'll cut the release tomorrow night.
Re: [cas-user] Java CAS Client 3.2.2 ?
If I make the following changes I can get a 3.2.2 build:

1. Ignore Saml11TicketValidatorTests (it's running into some issue with the way it starts the server; apparently we ignore these on master which is weird)
2. Update Spy Memcache Client to latest version (only more recent versions are in Maven Central)
3. Update Atlassian repository to new location

I am assuming no one has any issue with these changes to get a 3.2.2 build out. If not, I'll cut the release tomorrow night.

On Fri, Aug 29, 2014 at 9:28 AM, Marvin Addison marvin.addi...@gmail.com wrote:

https://github.com/Jasig/java-cas-client/pull/81 Wrong base branch. Let's try again: https://github.com/Jasig/java-cas-client/pull/82 M
Re: [cas-user] CAS Client Security Vulnerability CVE-2014-4172
That exclusion list is alarming. Not that this is a great solution, but I wonder if most of those would be excluded automatically by excluding the SAML jar. Nonetheless we should definitely look at the effort involved in a 3.2.1.1 release as we want to maximize the number of people who upgrade.

On Tue, Aug 12, 2014 at 3:42 PM, Andrew Petro apetro.li...@gmail.com wrote:

This set of transitive dependency exclusions *might* allow bumping from Java CAS Client 3.2.1 to 3.3.2: https://github.com/Jasig/uPortal/pull/404

I'm concerned about potentially losing Tomcat 6 support (needs testing?) and about how fragile this solution may be. Still feeling like a bump to a Java CAS Client 3.2.1.1 would be a more conservative and appropriate move for this late in the rel-4-0-patches uPortal maintenance branch.

On Mon, Aug 11, 2014 at 10:50 PM, Andrew Petro apetro.li...@gmail.com wrote:

MA we will consider providing official patches for [Java CAS Client 3.2 and 3.1] lines if there is interest.

TM if [fixed versions of 3.2 and 3.1 Java CAS client versions] were available that would ease the patching, I'm sure.

Yes, it would ease patching. I'm finding getting a uPortal 4.0 release squared away jumping from a Java CAS Client 3.2 version to 3.3.2 to be substantially unpleasant.

Andrew

On Mon, Aug 11, 2014 at 4:50 PM, Tim McLaughlin tim.mclaugh...@wwu.edu wrote:

On 2014/08/11, 12:46 PM, Marvin Addison marvin.addi...@gmail.com wrote:

Does this affect ALL versions of the Java client prior to 3.3.2?

I did code review of the latest 3.2 and 3.1 versions and they were both vulnerable. I built one-off patches for my institution, but we will consider providing official patches for those lines if there is interest.

So far I'm doing fact-finding before I announce to folks here, but if they were available that would ease the patching, I'm sure. Don't know how much trouble that is. :) For my couple of apps, I will probably take the opportunity to get current.

Also, is there a way to get the 3.3.2 jar without having to do a Maven build? Latest on the downloads site is 3.2.x.

I noticed there's no download bundle as well. I imagine Scott simply hasn't gotten to it yet, but I'm sure simply mentioning it here will make it magically appear :)

M

:) As always, the work of those of you officially involved with CAS is much appreciated.

Thanks,
Tim
Re: [cas-user] CAS Client Security Vulnerability CVE-2014-4172
We would need logs to confirm this. The service should be doing an extract string match.

Cheers,
Scott

On Mon, Aug 11, 2014 at 12:40 PM, Chad Killingsworth chadkillingswo...@missouristate.edu wrote:

I actually stumbled across similar behavior last week. In my case the CAS Server issued a ticket for service:

https://mydomain.com/path

And the successfully validated the ticket against service:

http://mydomain.com/path

Even though both services had different configurations.

Shouldn't this be a bug with the CAS Server? The server should refuse to validate a ticket if the validation service URL is not exactly equal to the requesting service.

This was observed against CAS Server version 3.5.2.

Chad Killingsworth
Assistant Director of Web and New Media
Missouri State University
Re: [cas-user] CAS Client Security Vulnerability CVE-2014-4172
If by magically appear, you mean hours later, then yes :-)

http://downloads.jasig.org/cas-clients/

On Mon, Aug 11, 2014 at 3:46 PM, Marvin Addison marvin.addi...@gmail.com wrote:

Does this affect ALL versions of the Java client prior to 3.3.2?

I did code review of the latest 3.2 and 3.1 versions and they were both vulnerable. I built one-off patches for my institution, but we will consider providing official patches for those lines if there is interest.

Also, is there a way to get the 3.3.2 jar without having to do a Maven build? Latest on the downloads site is 3.2.x.

I noticed there's no download bundle as well. I imagine Scott simply hasn't gotten to it yet, but I'm sure simply mentioning it here will make it magically appear :)

M
Re: [cas-user] Ticket Validation Succeeds Against Services With Different Protocols
This apparently happens because we don't believe we have access to the TARGET to validate:

https://github.com/Jasig/cas/blob/master/cas-server-support-saml/src/main/java/org/jasig/cas/support/saml/authentication/principal/SamlService.java#L96

Not quite sure why we believe that since we're passing TARGET:

https://github.com/Jasig/java-cas-client/blob/master/cas-client-core/src/main/java/org/jasig/cas/client/validation/Saml11TicketValidator.java#L93

I believe we should remove that method and allow for the default behavior.

On Mon, Aug 11, 2014 at 4:10 PM, Marvin Addison marvin.addi...@gmail.com wrote:

    2014-08-11 14:48:53,829 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-ZVJ45whjWQCXrJQVHVmd-abbott] for service [https://ckillingsworth2.missouristate.edu/testcasapp] for user [chk790]

Can you post the corresponding log entry that reads something like the following:

    Successfully validated ticket [ST-1-ZVJ45whjWQCXrJQVHVmd-abbott].

You may have bigger problems if you do not have such a line. Chad noted that this is a load-balanced service, so the validation may have happened on another node since the ticket request and validation have distinct sources.

M
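The check discussed in this thread and in the CVE-2014-4172 thread above (a ticket granted for one service URL must not validate for another) is shown below as an added example. It is not CAS server code: the class `ServiceTicketBinding` and its `compareService` flag are hypothetical, and the two URLs are the ones from Chad's message.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Simplified model of service-ticket issue and validation (hypothetical, not CAS server code). */
public class ServiceTicketBinding {

    private final SecureRandom random = new SecureRandom();

    /** Outstanding tickets mapped to the service URL each one was granted for. */
    private final Map<String, String> grantedFor = new ConcurrentHashMap<>();

    /** When false, the service presented at validation is never compared (assumed failure mode). */
    private final boolean compareService;

    public ServiceTicketBinding(boolean compareService) {
        this.compareService = compareService;
    }

    /** Grants a ticket bound to exactly the service URL that was requested. */
    public String grant(String service) {
        String ticket = "ST-" + new BigInteger(130, random).toString(32);
        grantedFor.put(ticket, service);
        return ticket;
    }

    /**
     * Validates a ticket. The ticket is removed on the first attempt, so it can be
     * used once only. With compareService enabled, the presented service must be
     * character-for-character the URL the ticket was granted for.
     */
    public boolean validate(String ticket, String service) {
        String original = grantedFor.remove(ticket);
        if (original == null || service == null) {
            return false;
        }
        return !compareService || original.equals(service);
    }

    public static void main(String[] args) {
        String requested = "https://mydomain.com/path"; // URL the ticket is issued for
        String presented = "http://mydomain.com/path";  // URL sent at validation

        ServiceTicketBinding strict = new ServiceTicketBinding(true);
        System.out.println("strict, same URL:        "
                + strict.validate(strict.grant(requested), requested));
        System.out.println("strict, scheme differs:  "
                + strict.validate(strict.grant(requested), presented));

        ServiceTicketBinding skipped = new ServiceTicketBinding(false);
        System.out.println("check skipped, differs:  "
                + skipped.validate(skipped.grant(requested), presented));

        // A ticket that has already been presented cannot be replayed.
        String once = strict.grant(requested);
        strict.validate(once, requested);
        System.out.println("strict, replayed ticket: " + strict.validate(once, requested));
    }
}
```

When reviewing server logs for this condition, pair each "Granted service ticket" entry with the validation entry for the same ticket id and compare the two service values as plain strings.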
Re: [cas-user] Manually writing CASTGC cookie CAS4
Only the CAS server can set the CASTGC cookie and it can only do that when being directly interacted with via the web browser. If you need the cookie set in the web browser, there must be some interaction with the CAS server.

On Tue, Aug 5, 2014 at 9:23 PM, Puneet Goyal pgo...@qasource.com wrote:

Hi,

I have a scenario where I am authenticating a user by using CAS’s REST api and writing the returned cookie to response

The thought was when a secured page is encountered and user goes to CAS’s login page, he will get logged in using the CASTGC cookie.

But this doesn’t work correctly as CASTGC cookie is not read by the page.

The question here is:

1. Is this the correct way of doing programmatic log in? (As in this scenario I can’t show cas’s login page, user logs In using a separate form)
2. I see a CASPRIVACY cookie also coming up now, what is the use of this cookie and do I need to write this as well to response?

Regards
Puneet Goyal
Re: [cas-user] Remember me with 4.0.0
It looks like we may have moved the class (not sure why) and didn't update our documentation. It now appears to live one package up:

https://github.com/Jasig/cas/blob/master/cas-server-core/src/main/java/org/jasig/cas/authentication/RememberMeUsernamePasswordCredential.java

On Thu, Jul 31, 2014 at 2:43 AM, Vallee Romain vallee.rom...@gmail.com wrote:

Hello Cas User :)

I try now to insert remember me box. I follow this docs -- http://jasig.github.io/cas/4.0.0/installation/Configuring-Authentication-Components.html

But, when I try to connect, I got this error:

    2014-07-31 08:28:56,275 DEBUG [org.jasig.cas.web.FlowExecutionExceptionResolver] - Ignoring the received exception due to a type mismatch
    java.lang.IllegalArgumentException: Unable to load class 'org.jasig.cas.authentication.principal.RememberMeUsernamePasswordCredential'
        at org.springframework.webflow.engine.builder.model.FlowModelFlowBuilder.toClass(FlowModelFlowBuilder.java:960)
        at org.springframework.webflow.engine.builder.model.FlowModelFlowBuilder.parseFlowVariable(FlowModelFlowBuilder.java:389)
        at org.springframework.webflow.engine.builder.model.FlowModelFlowBuilder.buildVariables(FlowModelFlowBuilder.java:172)
        at org.springframework.webflow.engine.builder.FlowAssembler.directAssembly(FlowAssembler.java:103)
        at org.springframework.webflow.engine.builder.FlowAssembler.assembleFlow(FlowAssembler.java:91)
        at org.springframework.webflow.engine.builder.DefaultFlowHolder.assembleFlow(DefaultFlowHolder.java:109)
        at org.springframework.webflow.engine.builder.DefaultFlowHolder.getFlowDefinition(DefaultFlowHolder.java:84)
        at org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl.getFlowDefinition(FlowDefinitionRegistryImpl.java:61)
        at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:138)
        at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:193)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:925)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:856)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:936)
        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:827)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:812)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:125)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at
Re: [cas-user] CAS Logging and CAS with MySQL
I don't see any password encoder configured. If you don't have one configured that means you're comparing the hashed password against your plain text password. You can see from this line:

https://github.com/Jasig/cas/blob/master/cas-server-support-jdbc/src/main/java/org/jasig/cas/adaptors/jdbc/QueryDatabaseAuthenticationHandler.java#L60

It does a comparison against the value returned (which in your case looks hashed based on the field name)

On Mon, Jul 21, 2014 at 11:17 PM, jason ja...@metroworks.co.jp wrote:

Well thanks for the help; it's progress just to confirm that my config seems okay.

I feel like improper credentials to my database in the deployerConfigContext.xml file should result in clear error messages in the logs to the effect that the database connection is failing. Any developer on the project care to comment? Should I file an issue for this?

Similarly, as I've mentioned before, upping the log level to DEBUG everywhere I can find still does not seem to give me any indication as to why the authentication is failing. Does the database connection fail? Does it fail to find the correct username? Does it find the username, but not a password field? Does it find both those things, but then the password fails to match? I have no idea.
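The mismatch described in the reply above (a hashed column compared with an un-encoded submitted password) is shown below as an added example. It is not code from CAS: the class, the `Outcome` enum and the sample user table are constructed, and SHA-256 hex is an assumption because the thread does not say which hash the column holds. The handler reports which step failed, which is the diagnostic the original poster was asking for.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

/** Hypothetical model of a query-then-compare authentication handler; not CAS code. */
public class EncoderMismatchDemo {

    /** Which step of the lookup decided the result, for server-side debug logging. */
    enum Outcome { USER_NOT_FOUND, PASSWORD_MISMATCH, AUTHENTICATED }

    /** Constructed stand-in for the users table: username -> stored password column. */
    static final Map<String, String> USERS = new HashMap<>();

    /** Assumed encoding of the stored column: lowercase hex SHA-256 of the password. */
    static String sha256Hex(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            StringBuilder hex = new StringBuilder();
            for (byte b : md.digest(password.getBytes(StandardCharsets.UTF_8))) {
                hex.append(String.format("%02x", b & 0xff));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required on every Java platform", e);
        }
    }

    /**
     * Encodes the submitted password with the configured encoder and compares the
     * result with the stored column in constant time.
     */
    static Outcome authenticate(String user, String submitted, Function<String, String> encoder) {
        String stored = USERS.get(user);
        if (stored == null) {
            return Outcome.USER_NOT_FOUND;
        }
        byte[] expected = stored.getBytes(StandardCharsets.UTF_8);
        byte[] actual = encoder.apply(submitted).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual)
                ? Outcome.AUTHENTICATED
                : Outcome.PASSWORD_MISMATCH;
    }

    public static void main(String[] args) {
        // Constructed sample row: the column holds a hash, never the password itself.
        USERS.put("jason", sha256Hex("correct horse battery"));

        // No encoder configured: the plain text is compared with the hash.
        System.out.println("no encoder, right password:  "
                + authenticate("jason", "correct horse battery", Function.identity()));

        // Encoder matching the column format.
        System.out.println("SHA-256 encoder, right pwd:  "
                + authenticate("jason", "correct horse battery", EncoderMismatchDemo::sha256Hex));
        System.out.println("SHA-256 encoder, wrong pwd:  "
                + authenticate("jason", "guess", EncoderMismatchDemo::sha256Hex));
        System.out.println("unknown user:                "
                + authenticate("nobody", "guess", EncoderMismatchDemo::sha256Hex));
    }
}
```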
Re: [cas-user] Rebuilding a single cas-server-support-anything component
Can you open an issue/pull request for this?

Thanks!
Scott

On Mon, Jul 21, 2014 at 9:26 AM, daniel.char...@unice.fr wrote:

Hi Guillaume,

I did:

    cd /cas-server-4.0.0/
    vi pom.xml

replace

    <header>${cs.dir}/src/licensing/header.txt</header>

by

    <header>${licenseHeader}</header>

    mvn package install

worked for me

Bye

Daniel CHARLOT
D.S.I. Université de Nice Sophia-Antipolis
Systems and Network Administrator
28, avenue de Valrose - BP 2135 - 06103 NICE
Tel: 04-92-07-67-07

On 18 Jul 2014 at 12:58, Misagh Moayyed mmoay...@unicon.net wrote:

The best approach is that if you are using the maven overlay method, configure your pom to include the maven compiler plugin, and simply copy the java class file from the patch over to your build at the exact location by the same exact name. The build process will use yours instead of the default. That would be least invasive change.

-Original Message-
From: Guillaume Rousse [mailto:guillaume.rou...@inria.fr guillaume.rou...@inria.fr]
Sent: Friday, July 18, 2014 2:09 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Rebuilding a single cas-server-support-anything component

On 18/07/2014 10:39, Misagh Moayyed wrote:

Are you building from master? If so, try pulling once. I just ran the build and all passes for me.

No, from cas-server 4.0 release, as I'm trying to minimize the changes.

--
Guillaume Rousse
INRIA, Direction des systèmes d'information
Domaine de Voluceau Rocquencourt - BP 105 78153 Le Chesnay
Tel: 01 39 63 58 31
Re: [cas-user] CAS 4 demo (login failure?)
The test user changed. You can find it here:

https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml#L111

If you could file a bug report, we'd be happy to update the documentation.

Thanks
Scott

On Fri, Jul 18, 2014 at 4:56 PM, John Gasper jgas...@unicon.net wrote:

Try casuser and Mellon. I'm sure it is somewhere on jasig.github.io/cas, but I know it is mentioned here: https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven+WAR+Overlay+Method

On 7/18/14, 10:30 AM, dano wrote:

Hi folks

I just followed the instructions from INSTALL.TXT for cas 4. I am able to loadup the login page: http://localhost:8080/cas-server-webapp-4.0.0/login but am not able to login. From what I gather as long as the username/password is the same it should work for the demo?

Excerpt from INSTALL.TXT

The default authentication plugin accepts NetID=password. Enter in an identical value for NetID and password and click LOGIN.

but does not.

does the demo require https? there is warning in the login page, saying Non-secure Connection..Single Sign On WILL NOT WORK..

any tips pointers appreciated..

thanks
Dan

--
John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef
Re: [cas-user] Adding rememberme to ehcache ticketRegistry
I don't know if I recommend using remember me with an in-JVM cache. You're basically asking it to store days worth of TGTs in the heap, and that's assuming you configure it correctly. They'll also be kicked out as memory runs out (and if the TTL in the cache is less than the remember me expiration). You've disabled store to disk which means it's eventually going to have to kick things out.

On Mon, Jul 7, 2014 at 4:32 AM, rayman idan.frid...@cellebrite.com wrote:

I am having problem connecting the dots.

I implemented remember me following this tutorial: https://wiki.jasig.org/display/CASUM/Remember+Me

We moved to cluster env (HA support) therefore we using now ehcache to cache our tickets between the nodes. However I lost the rememberMe registry.

I noted this from the remember me tutorial:

NOTE: if you use a different ticket registry that configures the ticket lifetime in the bean configuration (such as Memcache/Repcache), you will need to adjust the ticket lifetime in the bean configuration as well !

I have difficulties connecting the dots. How I add now the rememberme support into the current ehcache system.

The old remember me functionally use to be declared here:

ticketExpirationPolicies.xml:

    <bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.RememberMeDelegatingExpirationPolicy">
      <property name="sessionExpirationPolicy">
        <bean class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
          <constructor-arg index="0" value="1080" />
        </bean>
      </property>
      <property name="rememberMeExpirationPolicy">
        <bean class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
          <constructor-arg index="0" value="259200" />
        </bean>
      </property>
    </bean>

But now that I have new ticketRegistry bean I have no idea how to adjust into it the rememberme policy.

I have attached here the new TicketRegistry.xml having the ehcache configuration:

    <?xml version="1.0" encoding="UTF-8"?>
    <!-- .. -->
    <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
      <property name="configLocation" value="classpath:${ehcache.profiles.active}.xml" />
      <property name="shared" value="true" />
      <property name="cacheManagerName" value="ticketRegistryCacheManager" />
    </bean>

    <bean id="ticketRegistry" class="org.jasig.cas.ticket.registry.EhCacheTicketRegistry"
          p:serviceTicketsCache-ref="serviceTicketsCache"
          p:ticketGrantingTicketsCache-ref="ticketGrantingTicketsCache" />

    <bean id="abstractTicketCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean" abstract="true">
      <property name="cacheManager" ref="cacheManager" />
      <property name="diskExpiryThreadIntervalSeconds" value="0" />
      <property name="diskPersistent" value="false" />
      <property name="eternal" value="false" />
      <property name="maxElementsInMemory" value="1" />
      <property name="maxElementsOnDisk" value="0" />
      <property name="memoryStoreEvictionPolicy" value="LRU" />
      <property name="overflowToDisk" value="false" />
      <property name="bootstrapCacheLoader">
        <ref local="ticketCacheBootstrapCacheLoader" />
      </property>
    </bean>

    <bean id="serviceTicketsCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean" parent="abstractTicketCache">
      <property name="cacheName" value="org.jasig.cas.ticket.ServiceTicket" />
      <property name="cacheEventListeners">
        <ref local="ticketRMISynchronousCacheReplicator" />
      </property>
      <property name="timeToIdle" value="0" />
      <property name="timeToLive" value="300" />
    </bean>

    <bean id="ticketGrantingTicketsCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
      <property name="cacheName" value="org.jasig.cas.ticket.TicketGrantingTicket" />
      <property name="cacheEventListeners">
        <ref local="ticketRMIAsynchronousCacheReplicator" />
      </property>
      <property name="timeToIdle" value="0" />
      <property name="timeToLive" value="7201" />
    </bean>

    <bean id="ticketRMISynchronousCacheReplicator" class="net.sf.ehcache.distribution.RMISynchronousCacheReplicator">
      <constructor-arg name="replicatePuts" value="true" />
      <constructor-arg name="replicatePutsViaCopy" value="true" />
      <constructor-arg name="replicateUpdates" value="true" />
      <constructor-arg name="replicateUpdatesViaCopy" value="true" />
      <constructor-arg name="replicateRemovals" value="true" />
    </bean>

    <bean id="ticketRMIAsynchronousCacheReplicator" class="net.sf.ehcache.distribution.RMIAsynchronousCacheReplicator" parent="ticketRMISynchronousCacheReplicator">
      <constructor-arg name="replicationInterval" value="1" />
      <constructor-arg name="maximumBatchSize" value="100" />
    </bean>

    <bean id="ticketCacheBootstrapCacheLoader" class="net.sf.ehcache.distribution.RMIBootstrapCacheLoader">
      <constructor-arg
Re: [cas-user] CAS: Are the repos for CAS 4.0 broken?
If this can be consistently reproduced, would someone mind filing a bug in JIRA for this?

Thanks!
Scott

On Tue, Jul 8, 2014 at 7:08 AM, geoffroy desvernay d...@centrale-marseille.fr wrote:

On 06/18/2014 13:47, David A. Kovacic wrote:

We (Case Western Reserve) did try following the links that were failing to the repositories by entering them in a browser and found that the Maven 2 repositories had changed (the branch of the tree we got to - http://oss.sonatype.org/content/repositories/releases/org/jasig/cas/cas-server-integration-restlet/4.0.0/cas-server-integration-restlet-4.0.0.pom was modified 6/14/14). The lower branches in the links that Maven was trying to find were all missing. We've talked with support at Sonatype and while their suggestions cleared up a majority of the issues, we still have not gotten a successful build since 6/13 when we started a fresh install of 3.5.2.1. We also are running on a Linux system (RHEL 6).

In short, this looks like something either the folks at Sonatype will have to change/correct or that the folks at JASig will need to update (working with Sonatype) will need to update to accommodate the changes to the repositories.

Still the same problem here (freebsd workstation): problem with double-redirect (http://developer.ja-sig.org -> http://oss.sonatype.org -> https://oss.sonatype.org)

successful workaround with a local proxy:

in /etc/hosts:

    127.0.0.1 developer.ja-sig.org

in nginx.conf:

    server {
        server_name developer.ja-sig.org;
        root /usr/local/www/nada;
        listen 127.0.0.1:80;
        location /maven2 {
            proxy_pass https://oss.sonatype.org/content/repositories/releases;
            proxy_http_version 1.1;
        }
    }

My 2 cts…

ps: I tried changing url of 'jasig-repository' in root's pom.xml, but doesn't seems to be used when building my 'overlay'…

--
geoffroy desvernay
C.R.I - Systems and network administration
Ecole Centrale de Marseille
Tel: (+33|0)4 91 05 45 24
Fax: (+33|0)4 91 05 44 26
Re: [cas-user] CAS: Are the repos for CAS 4.0 broken?
You're getting some form of redirect:

    remote = 'html headtitle301' - RETRYING

What does the redirect say?

On Tue, Jun 17, 2014 at 1:31 PM, Zac Harvey zhar...@commercehub.com wrote:

I have the following pom.xml file:

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
      <modelVersion>4.0.0</modelVersion>
      <groupId>com.me.myorg</groupId>
      <artifactId>mycas</artifactId>
      <packaging>war</packaging>
      <version>1.0-SNAPSHOT</version>
      <build>
        <plugins>
          <plugin>
            <artifactId>maven-war-plugin</artifactId>
            <configuration>
              <warName>mycas</warName>
            </configuration>
          </plugin>
        </plugins>
      </build>
      <dependencies>
        <dependency>
          <groupId>org.jasig.cas</groupId>
          <artifactId>cas-server-webapp</artifactId>
          <version>${cas.version}</version>
          <type>war</type>
          <scope>runtime</scope>
        </dependency>
        <dependency>
          <groupId>org.jasig.cas</groupId>
          <artifactId>cas-server-support-ldap</artifactId>
          <version>${cas.version}</version>
        </dependency>
        <dependency>
          <groupId>org.jasig.cas</groupId>
          <artifactId>cas-server-integration-restlet</artifactId>
          <version>${cas.version}</version>
        </dependency>
      </dependencies>
      <properties>
        <cas.version>4.0.0</cas.version>
      </properties>
      <repositories>
        <repository>
          <id>ja-sig</id>
          <url>http://oss.sonatype.org/content/repositories/releases/</url>
        </repository>
      </repositories>
    </project>

When I run “mvn package” I get all sorts of download errors, a sample of which are:

    [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = '780ba3cf6b6eb0f7c9f6d41d8d25a86a2f46b0c4'; remote = 'html headtitle301' - RETRYING
    Downloading: http://oss.sonatype.org/content/repositories/releases//org/jasig/cas/cas-server-support-ldap/4.0.0/cas-server-support-ldap-4.0.0.pom http://oss.sonatype.org/content/repositories/releases/org/jasig/cas/cas-server-support-ldap/4.0.0/cas-server-support-ldap-4.0.0.pom
    184b downloaded (cas-server-support-ldap-4.0.0.pom)
    [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = '780ba3cf6b6eb0f7c9f6d41d8d25a86a2f46b0c4'; remote = 'html headtitle301' - IGNORING
    [WARNING] POM for 'org.jasig.cas:cas-server-support-ldap:pom:4.0.0:compile' is invalid. Its dependencies (if any) will NOT be available to the current build.
    Downloading: http://oss.sonatype.org/content/repositories/releases//org/jasig/cas/cas-server-integration-restlet/4.0.0/cas-server-integration-restlet-4.0.0.pom http://oss.sonatype.org/content/repositories/releases/org/jasig/cas/cas-server-integration-restlet/4.0.0/cas-server-integration-restlet-4.0.0.pom
    184b downloaded (cas-server-integration-restlet-4.0.0.pom)
    [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = '780ba3cf6b6eb0f7c9f6d41d8d25a86a2f46b0c4'; remote = 'html headtitle301' - RETRYING
    Downloading: http://oss.sonatype.org/content/repositories/releases//org/jasig/cas/cas-server-integration-restlet/4.0.0/cas-server-integration-restlet-4.0.0.pom http://oss.sonatype.org/content/repositories/releases/org/jasig/cas/cas-server-integration-restlet/4.0.0/cas-server-integration-restlet-4.0.0.pom
    184b downloaded (cas-server-integration-restlet-4.0.0.pom)
    [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = '780ba3cf6b6eb0f7c9f6d41d8d25a86a2f46b0c4'; remote = 'html headtitle301' - IGNORING
    [WARNING] POM for 'org.jasig.cas:cas-server-integration-restlet:pom:4.0.0:compile' is invalid.

If I try to open any of the downloaded JARs under ~/.m2 they are malformed and won’t open in my Archive Manager. What is wrong with the Maven2/CAS repos?
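The symptom in this message (a 184-byte redirect page saved under an artifact's name after the checksum failure was ignored) can be checked for in a local repository. The scanner below is an added example, not part of the thread or of Maven: the class name is hypothetical, and when run without an argument it scans a small constructed sample tree instead of a real `~/.m2/repository`.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/** Flags .pom/.jar files in a local repository whose content is an HTML page. */
public class RedirectBodyScan {

    /** True if the first bytes of the file look like an HTML document. */
    static boolean looksLikeHtml(Path file) throws IOException {
        byte[] head = new byte[64];
        int n;
        try (InputStream in = Files.newInputStream(file)) {
            n = in.read(head);
        }
        if (n <= 0) {
            return false;
        }
        String start = new String(head, 0, n, StandardCharsets.ISO_8859_1)
                .trim().toLowerCase(Locale.ROOT);
        return start.startsWith("<html") || start.startsWith("<!doctype html");
    }

    /** Walks the repository and returns every artifact file that holds HTML. */
    static List<Path> scan(Path repo) throws IOException {
        List<Path> candidates;
        try (Stream<Path> walk = Files.walk(repo)) {
            candidates = walk.filter(Files::isRegularFile)
                    .filter(p -> {
                        String name = p.getFileName().toString();
                        return name.endsWith(".pom") || name.endsWith(".jar");
                    })
                    .collect(Collectors.toList());
        }
        List<Path> hits = new ArrayList<>();
        for (Path p : candidates) {
            if (looksLikeHtml(p)) {
                hits.add(p);
            }
        }
        return hits;
    }

    /** Builds a constructed two-file sample: one valid POM, one saved redirect page. */
    static Path buildSample() throws IOException {
        Path repo = Files.createTempDirectory("m2-sample");
        Path dir = Files.createDirectories(repo.resolve("org/example/demo/1.0"));
        Files.write(dir.resolve("demo-1.0.pom"),
                "<?xml version=\"1.0\"?><project/>".getBytes(StandardCharsets.UTF_8));
        Files.write(dir.resolve("demo-1.0.jar"),
                "<html><head><title>301 Moved Permanently</title></head></html>"
                        .getBytes(StandardCharsets.UTF_8));
        return repo;
    }

    public static void main(String[] args) throws IOException {
        Path repo = args.length > 0 ? Paths.get(args[0]) : buildSample();
        for (Path hit : scan(repo)) {
            System.out.println("HTML body saved as artifact: " + hit);
        }
    }
}
```

Files flagged this way stay in the local repository until they are deleted, so a later build can keep failing on them even after the repository URL is corrected.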
Re: [cas-user] Recommended CAS server/client
You should use the 4.0.0 release of the server and the 3.3.1 release of the CAS client. And we should update our documentation :-)

On Mon, Jun 16, 2014 at 6:34 PM, Tom Arnold tar...@gmail.com wrote:

(This is another attempt at posting using the Google Group. My last one seems to have been bounced by Wisc. Apologies if this gets posted multiple times somehow.)

I'm interested in using CAS with JBoss AS 7. Could someone recommend which combination of server/client I should start with?

According to the homepage the latest CAS server is 3.5.2.1, but the mailing list says that 4.0.0 is out.

According to the wiki the latest Java client is 3.2.1, but I see 3.3.1 in Maven.

Thanks!
Tom
Re: [cas-user] Recommended CAS server/client
I've updated our www.jasig.org/cas page. Which wiki link was out of date?

On Mon, Jun 16, 2014 at 10:06 PM, Scott Battaglia scott.battag...@gmail.com wrote:

You should use the 4.0.0 release of the server and the 3.3.1 release of the CAS client. And we should update our documentation :-)

On Mon, Jun 16, 2014 at 6:34 PM, Tom Arnold tar...@gmail.com wrote:

(This is another attempt at posting using the Google Group. My last one seems to have been bounced by Wisc. Apologies if this gets posted multiple times somehow.)

I'm interested in using CAS with JBoss AS 7. Could someone recommend which combination of server/client I should start with?

According to the homepage the latest CAS server is 3.5.2.1, but the mailing list says that 4.0.0 is out.

According to the wiki the latest Java client is 3.2.1, but I see 3.3.1 in Maven.

Thanks!
Tom
Re: [cas-user] CAS: Please confirm cas.properties behavior
https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/cas.properties On Fri, Jun 13, 2014 at 7:15 AM, Zac Harvey zhar...@commercehub.com wrote: I’m seeing some behavior that **appears** to be default CAS behavior, but it’s just not working like I expected and it has me stumped. If I create a brand new project directory, and only stick a pom.xml in it (hence using 100% CAS defaults, no overrides or customizations whatsoever) and run “mvn clean package”, I get a cas.war that deploys to Tomcat just fine (using CAS 4.0.0 and Tomcat 7). But then I go ahead and add a src/main/webapp/WEB-INF/spring-configuration/propertyFileConfigurer.xml file, that has the following contents: bean id=”propertyPlaceholderConfigurer” class=”org.springframework.beans.factory.config.PropertyPlaceholderConfigurer” property name=”ignoreResourceNotFound” value=”true” / property name=”locations” list valuefile:/home/myuser/cas.properties/value /list /property /bean And, just to see what happens, I intentionally **do not** put a cas.properties file under /home/myuser. Now when I run “mvn clean package” and deploy the cas.war to Tomcat, I get all sorts of exceptions in the Tomcat log, complaining about there not being a host.name property specified (which is true since I don’t have a /home/myuser/cas.properties file). I **expected** CAS to look for /home/myuser/cas.properties and, if it can’t be found, to use the same defaults that were applied before I added a propertyFileConfigurer.xml file. Instead, it looks like CAS looks for /home/myuser/cas.properties, and if it can’t be found, just gives up and doesn’t try to apply any defaults at all. Is this normal CAS behavior? If so, what are all the other properties (besides host.name) that I need to provide CAS with, and where is this documented? 
Re: [cas-user] CAS: Please confirm cas.properties behavior
You've re-defined this file: https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/propertyFileConfigurer.xml by creating your own. So I don't understand why you think it would still apply those properties if that bean definition no longer exists. On Fri, Jun 13, 2014 at 9:07 AM, Zac Harvey zhar...@commercehub.com wrote: Thanks Scott, So can you (or anyone else) confirm that my suspicions about default cas.properties behavior is correct? Also, Scott, is the cas.properties link you reference below simply the minimal props I need to define inside my cas.properties file? *From:* Scott Battaglia [mailto:scott.battag...@gmail.com] *Sent:* Friday, June 13, 2014 8:02 AM *To:* cas-user@lists.jasig.org *Subject:* Re: [cas-user] CAS: Please confirm cas.properties behavior https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/cas.properties On Fri, Jun 13, 2014 at 7:15 AM, Zac Harvey zhar...@commercehub.com wrote: I’m seeing some behavior that **appears** to be default CAS behavior, but it’s just not working like I expected and it has me stumped. If I create a brand new project directory, and only stick a pom.xml in it (hence using 100% CAS defaults, no overrides or customizations whatsoever) and run “mvn clean package”, I get a cas.war that deploys to Tomcat just fine (using CAS 4.0.0 and Tomcat 7). But then I go ahead and add a src/main/webapp/WEB-INF/spring-configuration/propertyFileConfigurer.xml file, that has the following contents: bean id=”propertyPlaceholderConfigurer” class=”org.springframework.beans.factory.config.PropertyPlaceholderConfigurer” property name=”ignoreResourceNotFound” value=”true” / property name=”locations” list valuefile:/home/myuser/cas.properties/value /list /property /bean And, just to see what happens, I intentionally **do not** put a cas.properties file under /home/myuser. 
Now when I run “mvn clean package” and deploy the cas.war to Tomcat, I get all sorts of exceptions in the Tomcat log, complaining about there not being a host.name property specified (which is true since I don’t have a /home/myuser/cas.properties file). I **expected** CAS to look for /home/myuser/cas.properties and, if it can’t be found, to use the same defaults that were applied before I added a propertyFileConfigurer.xml file. Instead, it looks like CAS looks for /home/myuser/cas.properties, and if it can’t be found, just gives up and doesn’t try to apply any defaults at all. Is this normal CAS behavior? If so, what are all the other properties (besides host.name) that I need to provide CAS with, and where is this documented?
Re: [cas-user] CAS: Please confirm cas.properties behavior
No, its not easy to understand. You overwrote where it would look for the file but you're still expecting it to find the file. If you want CAS to still leverage the default file, you should have your property configurer reference both. I can't speak for how Unicon defines their overlay. You'll have to let one of them chime into this thread. (they're usually really good about responding) On Fri, Jun 13, 2014 at 9:20 AM, Zac Harvey zhar...@commercehub.com wrote: Thanks again Scott, But it’s easy to understand why I’m expecting CAS to behave the way I do. Take a look at: https://github.com/Unicon/unicon-cas-overlay/blob/master/src/main/webapp/WEB-INF/spring-configuration/propertyFileConfigurer.xml That project says “Hey CAS, look on the file system for /etc/cas/cas.properties.” Then, at: https://github.com/Unicon/unicon-cas-overlay/blob/master/etc/cas.properties In that cas.properties files, several of the properties that exist at the link you sent me ( https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/propertyFileConfigurer.xml) aren’t defined. So again, it’s unclear as to what properties CAS needs by default, and because of that, it’s unclear how CAS supplies its own defaults when the supplied cas.properties file omits them. Thanks again! *From:* Scott Battaglia [mailto:scott.battag...@gmail.com] *Sent:* Friday, June 13, 2014 9:13 AM *To:* cas-user@lists.jasig.org *Subject:* Re: [cas-user] CAS: Please confirm cas.properties behavior You've re-defined this file: https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/propertyFileConfigurer.xml by creating your own. So I don't understand why you think it would still apply those properties if that bean definition no longer exists. 
On Fri, Jun 13, 2014 at 9:07 AM, Zac Harvey zhar...@commercehub.com wrote: Thanks Scott, So can you (or anyone else) confirm that my suspicions about default cas.properties behavior is correct? Also, Scott, is the cas.properties link you reference below simply the minimal props I need to define inside my cas.properties file? *From:* Scott Battaglia [mailto:scott.battag...@gmail.com] *Sent:* Friday, June 13, 2014 8:02 AM *To:* cas-user@lists.jasig.org *Subject:* Re: [cas-user] CAS: Please confirm cas.properties behavior https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/cas.properties On Fri, Jun 13, 2014 at 7:15 AM, Zac Harvey zhar...@commercehub.com wrote: I’m seeing some behavior that **appears** to be default CAS behavior, but it’s just not working like I expected and it has me stumped. If I create a brand new project directory, and only stick a pom.xml in it (hence using 100% CAS defaults, no overrides or customizations whatsoever) and run “mvn clean package”, I get a cas.war that deploys to Tomcat just fine (using CAS 4.0.0 and Tomcat 7). But then I go ahead and add a src/main/webapp/WEB-INF/spring-configuration/propertyFileConfigurer.xml file, that has the following contents: bean id=”propertyPlaceholderConfigurer” class=”org.springframework.beans.factory.config.PropertyPlaceholderConfigurer” property name=”ignoreResourceNotFound” value=”true” / property name=”locations” list valuefile:/home/myuser/cas.properties/value /list /property /bean And, just to see what happens, I intentionally **do not** put a cas.properties file under /home/myuser. Now when I run “mvn clean package” and deploy the cas.war to Tomcat, I get all sorts of exceptions in the Tomcat log, complaining about there not being a host.name property specified (which is true since I don’t have a /home/myuser/cas.properties file). 
I **expected** CAS to look for /home/myuser/cas.properties and, if it can’t be found, to use the same defaults that were applied before I added a propertyFileConfigurer.xml file. Instead, it looks like CAS looks for /home/myuser/cas.properties, and if it can’t be found, just gives up and doesn’t try to apply any defaults at all. Is this normal CAS behavior? If so, what are all the other properties (besides host.name) that I need to provide CAS with, and where is this documented?
Re: [cas-user] CAS: Please confirm cas.properties behavior
You can actually specify multiple files so you can include the original one. If you add your local file second then it will overwrite comparable values in the first one: http://docs.spring.io/spring/docs/2.5.6/api/org/springframework/core/io/support/PropertiesLoaderSupport.html#setLocations(org.springframework.core.io.Resource[]) (sorry Google returned the 2.5.6 docs but I am assuming it hasn't changed much) On Fri, Jun 13, 2014 at 9:35 AM, Dmitriy Kopylenko dkopyle...@unicon.net wrote: I’ll try. There is nothing special how we (at Unicon) define the CAS props and the referenced overlay is just an example of best practices of what worked really well for our CAS deployments. As Scott explained, it is 'either OR' situation in the way that the PPC (PropertyPlaceholderConfigurer) is defined - it’s either the default one in CAS which looks for the properties file in the WAR’s class path, or the one you redefine with whatever properties resource location you choose. I think it’s possible to have a complex PPC definition to combine 2 (or more) locations, but I personally don’t see the benefit for such complexity. Best, Dmitriy. On Jun 13, 2014, at 9:26 AM, Scott Battaglia scott.battag...@gmail.com wrote: No, its not easy to understand. You overwrote where it would look for the file but you're still expecting it to find the file. If you want CAS to still leverage the default file, you should have your property configurer reference both. I can't speak for how Unicon defines their overlay. You'll have to let one of them chime into this thread. (they're usually really good about responding) On Fri, Jun 13, 2014 at 9:20 AM, Zac Harvey zhar...@commercehub.com wrote: Thanks again Scott, But it’s easy to understand why I’m expecting CAS to behave the way I do. 
Take a look at: https://github.com/Unicon/unicon-cas-overlay/blob/master/src/main/webapp/WEB-INF/spring-configuration/propertyFileConfigurer.xml That project says “Hey CAS, look on the file system for /etc/cas/cas.properties.” Then, at: https://github.com/Unicon/unicon-cas-overlay/blob/master/etc/cas.properties In that cas.properties files, several of the properties that exist at the link you sent me ( https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/propertyFileConfigurer.xml) aren’t defined. So again, it’s unclear as to what properties CAS needs by default, and because of that, it’s unclear how CAS supplies its own defaults when the supplied cas.properties file omits them. Thanks again! *From:* Scott Battaglia [mailto:scott.battag...@gmail.com] *Sent:* Friday, June 13, 2014 9:13 AM *To:* cas-user@lists.jasig.org *Subject:* Re: [cas-user] CAS: Please confirm cas.properties behavior You've re-defined this file: https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/propertyFileConfigurer.xml by creating your own. So I don't understand why you think it would still apply those properties if that bean definition no longer exists. On Fri, Jun 13, 2014 at 9:07 AM, Zac Harvey zhar...@commercehub.com wrote: Thanks Scott, So can you (or anyone else) confirm that my suspicions about default cas.properties behavior is correct? Also, Scott, is the cas.properties link you reference below simply the minimal props I need to define inside my cas.properties file? 
*From:* Scott Battaglia [mailto:scott.battag...@gmail.com] *Sent:* Friday, June 13, 2014 8:02 AM *To:* cas-user@lists.jasig.org *Subject:* Re: [cas-user] CAS: Please confirm cas.properties behavior https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/cas.properties On Fri, Jun 13, 2014 at 7:15 AM, Zac Harvey zhar...@commercehub.com wrote: I’m seeing some behavior that **appears** to be default CAS behavior, but it’s just not working like I expected and it has me stumped. If I create a brand new project directory, and only stick a pom.xml in it (hence using 100% CAS defaults, no overrides or customizations whatsoever) and run “mvn clean package”, I get a cas.war that deploys to Tomcat just fine (using CAS 4.0.0 and Tomcat 7). But then I go ahead and add a src/main/webapp/WEB-INF/spring-configuration/propertyFileConfigurer.xml file, that has the following contents: bean id=”propertyPlaceholderConfigurer” class=”org.springframework.beans.factory.config.PropertyPlaceholderConfigurer” property name=”ignoreResourceNotFound” value=”true” / property name=”locations” list valuefile:/home/myuser/cas.properties/value /list /property /bean And, just to see what happens, I intentionally **do not** put
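The two-location setup suggested in the reply above, written out as a replacement propertyFileConfigurer.xml. This is an added example, not code from the thread or from the CAS project; it assumes the bundled defaults sit at /WEB-INF/cas.properties inside the WAR (the path of the file linked earlier in the thread) and reuses /home/myuser/cas.properties from the original question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

  <bean id="propertyPlaceholderConfigurer"
        class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">

    <!-- Applies to every location in the list below, not only the external
         file. With "true", a missing or mistyped override path is skipped
         without an error and the server starts on the bundled values alone,
         so check the startup log to confirm which files were actually loaded. -->
    <property name="ignoreResourceNotFound" value="true" />

    <property name="locations">
      <list>
        <!-- 1. Defaults shipped in the WAR (assumed path, see lead-in).
                Without this entry, redefining the bean drops the defaults,
                which is what produced the missing host.name errors. -->
        <value>/WEB-INF/cas.properties</value>

        <!-- 2. Local file, listed second: for keys present in both files,
                the value from the later location wins. Keys that appear only
                in the first file keep their default value. -->
        <value>file:/home/myuser/cas.properties</value>
      </list>
    </property>
  </bean>

  <!-- A placeholder that neither file defines still fails at context startup,
       the same way host.name did in the original question. -->
</beans>
```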
Re: [cas-user] CAS: Example of LDAP authentication for CAS 4.0?
I think this should point you in the right direction: http://jasig.github.io/cas/4.0.0/installation/LDAP-Authentication.html

On Fri, Jun 13, 2014 at 2:03 PM, Zac Harvey zhar...@commercehub.com wrote:

I have a CAS server on 3.5.2.1 and am upgrading it to 4.0. In my deployerConfigContext.xml I have the following beans defined:

    <!-- This ldapAuthHandler bean used to be of type org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler prior to trying to upgrade… -->
    <bean id="ldapAuthHandler" class="org.jasig.cas.authentication.LdapAuthenticationHandler">
        <!-- several other properties here, omitted for brevity -->
        <property name="contextSource" ref="contextSource" />
    </bean>

    <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <!-- lots of stuff -->
    </bean>

When I deploy this I get a runtime classpath saying that “org.springframework.ldap.core.support.LdapContextSource” doesn’t exist. I looked at my pom.xml and see:

    <dependency>
        <groupId>org.jasig.cas</groupId>
        <artifactId>cas-server-support-ldap</artifactId>
        <version>${cas.version}</version>
    </dependency>

So I go into my local ~/.m2 cache and find cas-server-support-ldap’s pom.xml and I **don’t** see it pulling in:

    <dependency>
        <groupId>org.springframework.ldap</groupId>
        <artifactId>spring-ldap-core</artifactId>
        <version>2.0.2.RELEASE</version>
    </dependency>

…like I expected it to (this was the behavior with 3.5.2.1). This explains why the upgrade to 4.0 is breaking, but for the life of me I can’t find a good working example of LDAP-based auth in CAS 4.0. Any ideas? Thanks in advance!
Re: [cas-user] Heartbeat messages or bad configs on my end?
I don't know if it's a pulse/heartbeat off the top of my head (you could probably use your own access logs to confirm), but if this is your production server, you may want to set logging to INFO level or above.

On Mon, Jun 9, 2014 at 7:01 AM, Zac Harvey zhar...@commercehub.com wrote:

I noticed that our cas.log was growing quite large and took a look at it. Every few seconds I see log messages that look like:

    2014-06-08 18:52:06,506 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] – Extractor did not generate service.
    2014-06-08 18:52:06,507 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] – Extractor did not generate service.
    2014-06-08 18:52:06,508 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] – Generated login ticket LT-29348-393849393493jdiejdiejf498
    2014-06-08 18:52:06,508 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] – Generated login ticket LT-29348-393849393493jdiejdiejf498
    2014-06-08 18:52:07,791 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] – Extractor did not generate service.
    2014-06-08 18:52:07,791 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] – Extractor did not generate service.
    ... etc.
    2014-06-08 18:52:08,280 DEBUG [org.jasig.cas.services.DefaultServicesManagerImpl] – Reloading registered services.

I’m seeing this at all hours of the day, even when the internal users that use our CAS SSO system have gone home for the day and cannot access the server. It looks like it’s some sort of heartbeat/pulse log message, but due to the nature of the messages, I can’t tell if perhaps I’ve misconfigured something. Ideas? Thanks in advance!
Re: [cas-user] Heartbeat messages or bad configs on my end?
Hi,

At debug level, each argument extractor indicates whether they detected anything that matches the protocol they are designed to detect. Extractor did not generate service merely means that the extractor did not detect anything that would indicate that it can handle the protocol that you're using. So for example, if you've got the CAS 2.0 protocol extractor and the SAML 1.1 extractor configured, and you just go to /login without anything, neither of those would be able to create a service request. It's a helpful debug message if you are testing protocols, but can be alarming if seen frequently :-)

LT-* are the login tokens used to allow you to transition from /login (GET) to /login (POST) and ensure that credentials are not being RE-POSTED. They are lightweight and nothing to worry about.

On Mon, Jun 9, 2014 at 7:19 AM, Zac Harvey zhar...@commercehub.com wrote:

Thanks Scott, This is a dev server and we wanted the log level to be DEBUG to potentially catch anything from getting into production. Our prod server is INFO as you suggested. When you say I could use our own “access logs” to confirm, what logs are you talking about? I’m pretty new to CAS and haven’t configured any special logs in addition to the log4j settings that CAS ships with.

Most importantly, I’m pretty sure these are just heartbeats, because there’s no way anyone was logging in yesterday on 6/08. Just no way. What I’m worried about is the fact that one message seems to indicate a failure (“Extractor did not generate service”), while another message seems to indicate a heavyweight object being created (“Generated login ticket LT-293949j...”).
For the former I’m worried its indicative that something isn’t configured correctly, and for the latter I’m also worried that something isn’t configured correctly and that my CAS server is chewing up unnecessary memory… *From:* Scott Battaglia [mailto:scott.battag...@gmail.com] *Sent:* Monday, June 09, 2014 7:14 AM *To:* cas-user@lists.jasig.org *Subject:* Re: [cas-user] Heartbeat messages or bad configs on my end? I don't know if its a pulse/heartbeat off the top of my head (you could probably use your own access logs to confirm), but if this is your production server, you may want to set logging to INFO level or above. On Mon, Jun 9, 2014 at 7:01 AM, Zac Harvey zhar...@commercehub.com wrote: I noticed that our cas.log was growing quite large and took a look at it. Every few seconds I see log messages that look like: 2014-06-08 18:52:06,506 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] – Extractor did not generate service. 2014-06-08 18:52:06,507 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] – Extractor did not generate service. 2014-06-08 18:52:06,508 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] – Generated login ticket LT-29348-393849393493jdiejdiejf498 2014-06-08 18:52:06,508 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] – Generated login ticket LT-29348-393849393493jdiejdiejf498 2014-06-08 18:52:07,791 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] – Extractor did not generate service. 2014-06-08 18:52:07,791 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] – Extractor did not generate service. ... etc. 2014-06-08 18:52:08,280 DEBUG [org.jasig.cas.services.DefaultServicesManagerImpl] – Reloading registered services. I’m seeing this at all hours of the day, even when the internal users that use our CAS SSO system have gone home for the day and cannot access the server. 
It looks like it’s some sort of heartbeat/pulse log message, but due to the nature of the messages, I can’t tell if perhaps I’ve misconfigured something. Ideas? Thanks in advance!
Re: [cas-user] Heartbeat messages or bad configs on my end?
No. It means those particular requests didn't send a request that looks like a protocol that an argument extractor recognizes. That could happen if you just go to /login without anything else. On Mon, Jun 9, 2014 at 7:30 AM, Zac Harvey zhar...@commercehub.com wrote: Thanks again Scott, One last followup: My understanding is that there’s really only 2 protocols available for me to use here for login: CAS2.0 or SAML1.1. If that’s the case, and both the CAS and SAML argument extractors are **both** reporting that they don’t detects anything matching their respective protocols, then wouldn’t this mean that my CAS server isn’t implementing **any** protocols?!?! If so, how is my CAS server even working right now? I do have users logging in and successfully working inside of authenticated apps all day long... is my CAS instance “pretending” to work when in fact it really isn’t!?! Please advise, and thanks again! *From:* Scott Battaglia [mailto:scott.battag...@gmail.com] *Sent:* Monday, June 09, 2014 7:25 AM *To:* cas-user@lists.jasig.org *Subject:* Re: [cas-user] Heartbeat messages or bad configs on my end? Hi, At debug level, each argument extractor indicates whether they detected anything that matches the protocol they are designed to detect. Extractor did not generate service merely means that the extractor did not detect anything that would indicate that it can handle the protocol that you're using. So for example, if you've got the CAS 2.0 protocol extractor and the SAML 1.1 extractor configured, and you just go to /login without anything, neither of those would be able to create a service request. Its a helpful debug message if you are testing protocols, but can be alarming if seen frequently :-) LT-* are the login tokens used to allow you to transition from /login (GET) to /login (POST) and ensure that credentials are not being RE-POSTED. They are lightweight and nothing to worry about. 
On Mon, Jun 9, 2014 at 7:19 AM, Zac Harvey zhar...@commercehub.com wrote: Thanks Scott, This is a dev server and we wanted the log level to be DEBUG to potentially catch anything from getting into production. Our prod server is INFO as you suggested. When you say I could use our own “access logs” to confirm, what logs are you talking about? I’m pretty new to CAS and haven’t configured any special logs in addition to the log4j settings that CAS ships with. Most importantly, I’m pretty sure these are just heartbeats, because there’s no way anyone was logging in yesterday on 6/08. Just no way. What I’m worried about is the fact that one message seems to indicate a failure (“Extractor did not generate service”), while another message seems to indicate a heavyweight object being created (“Generated login ticket LT-293949j...”). For the former I’m worried its indicative that something isn’t configured correctly, and for the latter I’m also worried that something isn’t configured correctly and that my CAS server is chewing up unnecessary memory… *From:* Scott Battaglia [mailto:scott.battag...@gmail.com] *Sent:* Monday, June 09, 2014 7:14 AM *To:* cas-user@lists.jasig.org *Subject:* Re: [cas-user] Heartbeat messages or bad configs on my end? I don't know if its a pulse/heartbeat off the top of my head (you could probably use your own access logs to confirm), but if this is your production server, you may want to set logging to INFO level or above. On Mon, Jun 9, 2014 at 7:01 AM, Zac Harvey zhar...@commercehub.com wrote: I noticed that our cas.log was growing quite large and took a look at it. Every few seconds I see log messages that look like: 2014-06-08 18:52:06,506 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] – Extractor did not generate service. 2014-06-08 18:52:06,507 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] – Extractor did not generate service. 
2014-06-08 18:52:06,508 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] – Generated login ticket LT-29348-393849393493jdiejdiejf498 2014-06-08 18:52:06,508 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] – Generated login ticket LT-29348-393849393493jdiejdiejf498 2014-06-08 18:52:07,791 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] – Extractor did not generate service. 2014-06-08 18:52:07,791 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] – Extractor did not generate service. ... etc. 2014-06-08 18:52:08,280 DEBUG [org.jasig.cas.services.DefaultServicesManagerImpl] – Reloading registered services. I’m seeing this at all hours of the day, even when the internal users that use our CAS SSO system have gone home for the day and cannot access the server. It looks like it’s some sort of heartbeat/pulse log message, but due to the nature of the messages, I can’t tell if perhaps I’ve misconfigured something. Ideas? Thanks in advance!
Re: [cas-user] What Spring beans are available to CAS JSP pages?
You should be able to add as many additional configuration files as you want. With respect to referencing the bean from the JSP, you should refer to the Spring documentation (which will most likely be more accurate than any information I would give you).

On Mon, Jun 9, 2014 at 8:55 AM, Zac Harvey zhar...@commercehub.com wrote:

I want a custom org.my.FizzBuzz Java class that I need to configure in CAS’ applicationContext.xml and would like to have access to it in the casLogoutView.jsp page. So in the app context, the wiring might look something like:

    <bean id="fizzBuzz" class="org.me.FizzBuzz">
        <property name="foo" ref="foo" />
    </bean>

etc. And then in the casLogoutView.jsp, something like:

    <%
        FizzBuzz fizzBuz = (FizzBuzz)applicationContext.getBean("fizzBuzz");
        // Do stuff with fizzBuzz.
    %>

My questions:

(1) In my spring-configuration/ directory, there is no applicationContext.xml. If I add one, and only define this one FizzBuzz bean (and its dependencies), will that “blow out” all of the other beans that CAS is defining/injecting underneath the hood? If so, how can I define my FizzBuzz (in any XML) so that it’s available to the JSP?

(2) How can I obtain a reference to applicationContext and/or my FizzBuzz bean inside the JSP?

Thanks in advance!
Re: [cas-user] What Spring beans are available to CAS JSP pages?
CAS loads any Spring configuration file that matches the list here: https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/web.xml#L31

It will load all files under /spring-configuration. If you name-collide with anything in the directory then you will override. Otherwise it's additive. You can read more about it here: https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/README.txt

On Mon, Jun 9, 2014 at 4:05 PM, Zac Harvey zhar...@commercehub.com wrote:

Thanks Scott, I guess I asked the wrong questions here :-) To create my CAS project, I created a $PROJECT_HOME/pom.xml and used the POM example from the CAS 4.0 manual. Then I ran mvn clean package and it produced a simple $PROJECT_HOME/target/cas.war for me. I then created a src/main/webapp/WEB-INF/spring-configuration directory.

What I’m wondering is this: Does CAS use applicationContext.xml (the Spring standard) for wiring Spring beans? If so, if I add my own applicationContext.xml under my newly-created spring-configuration/ directory, will it override (blow out) or automagically-merge with the applicationContext.xml used under the hood by CAS? And, if CAS doesn’t use its own applicationContext.xml, then what file does it use, and how do I extend-without-blowing-out this file? Thanks again!

*From:* Scott Battaglia [mailto:scott.battag...@gmail.com] *Sent:* Monday, June 09, 2014 3:59 PM *To:* cas-user@lists.jasig.org *Subject:* Re: [cas-user] What Spring beans are available to CAS JSP pages?

You should be able to add as many additional configuration files as you want. With respect to referencing the bean from the JSP, you should refer to the Spring documentation (which will most likely be more accurate than any information I would give you).

On Mon, Jun 9, 2014 at 8:55 AM, Zac Harvey zhar...@commercehub.com wrote:

I want a custom org.my.FizzBuzz Java class that I need to configure in CAS’ applicationContext.xml and would like to have access to it in the casLogoutView.jsp page. So in the app context, the wiring might look something like:

    <bean id="fizzBuzz" class="org.me.FizzBuzz">
        <property name="foo" ref="foo" />
    </bean>

etc. And then in the casLogoutView.jsp, something like:

    <%
        FizzBuzz fizzBuz = (FizzBuzz)applicationContext.getBean("fizzBuzz");
        // Do stuff with fizzBuzz.
    %>

My questions:

(1) In my spring-configuration/ directory, there is no applicationContext.xml. If I add one, and only define this one FizzBuzz bean (and its dependencies), will that “blow out” all of the other beans that CAS is defining/injecting underneath the hood? If so, how can I define my FizzBuzz (in any XML) so that it’s available to the JSP?

(2) How can I obtain a reference to applicationContext and/or my FizzBuzz bean inside the JSP?

Thanks in advance!
Re: [cas-user] What Spring beans are available to CAS JSP pages?
I'm saying the former. We're using standard Spring here so it operates the same way it would for any other Spring application.

On Mon, Jun 9, 2014 at 8:23 PM, Zac Harvey zhar...@commercehub.com wrote:

Thanks again Scott, however after reading that README.txt I'm even more confused now! Are you saying that I could define my FizzBuzz bean inside, say, widget.xml, and the web.xml config (which looks for contextConfigLocations in spring-configuration/*.xml) will find widget.xml, read my FizzBuzz bean out of it, and then make it available to the entire app's context? Or are you saying that I need to make a fizzBuzz.xml file, define a FizzBuzz bean (with an id of fizzBuzz) inside it, in order to make it available to the entire app's context? Thanks again for any clarification here!

-- *From:* Scott Battaglia scott.battag...@gmail.com *Sent:* Monday, June 9, 2014 4:53 PM *To:* cas-user@lists.jasig.org *Subject:* Re: [cas-user] What Spring beans are available to CAS JSP pages?

CAS loads any Spring configuration file that matches the list here: https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/web.xml#L31

It will load all files under /spring-configuration

If you name-collide with anything in the directory then you will override. Otherwise it's additive. You can read more about it here: https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/README.txt

On Mon, Jun 9, 2014 at 4:05 PM, Zac Harvey zhar...@commercehub.com wrote:

Thanks Scott, I guess I asked the wrong questions here :-) To create my CAS project, I created a $PROJECT_HOME/pom.xml and used the POM example from the CAS 4.0 manual. Then I ran mvn clean package and it produced a simple $PROJECT_HOME/target/cas.war for me. I then created a src/main/webapp/WEB-INF/spring-configuration directory.

What I’m wondering is this: Does CAS use applicationContext.xml (the Spring standard) for wiring Spring beans? If so, if I add my own applicationContext.xml under my newly-created spring-configuration/ directory, will it override (blow out) or automagically-merge with the applicationContext.xml used under the hood by CAS? And, if CAS doesn’t use its own applicationContext.xml, then what file does it use, and how do I extend-without-blowing-out this file? Thanks again!

*From:* Scott Battaglia [mailto:scott.battag...@gmail.com] *Sent:* Monday, June 09, 2014 3:59 PM *To:* cas-user@lists.jasig.org *Subject:* Re: [cas-user] What Spring beans are available to CAS JSP pages?

You should be able to add as many additional configuration files as you want. With respect to referencing the bean from the JSP, you should refer to the Spring documentation (which will most likely be more accurate than any information I would give you)

On Mon, Jun 9, 2014 at 8:55 AM, Zac Harvey zhar...@commercehub.com wrote:

I want a custom org.my.FizzBuzz Java class that I need to configure in CAS’ applicationContext.xml and would like to have access to it in the casLogoutView.jsp page. So in the app context, the wiring might look something like:

    <bean id="fizzBuzz" class="org.me.FizzBuzz">
        <property name="foo" ref="foo" />
    </bean>

etc. And then in the casLogoutView.jsp, something like:

    <%
    FizzBuzz fizzBuz = (FizzBuzz)applicationContext.getBean("fizzBuzz");
    // Do stuff with fizzBuzz.
    %>

My questions:

(1) In my spring-configuration/ directory, there is no applicationContext.xml. If I add one, and only define this one FizzBuzz bean (and its dependencies), will that “blow out” all of the other beans that CAS is defining/injecting underneath the hood? If so, how can I define my FizzBuzz (in any XML) so that it’s available to the JSP?

(2) How can I obtain a reference to applicationContext and/or my FizzBuzz bean inside the JSP?

Thanks in advance!
Re: [cas-user] (WebSeal) Pre authorization with SAML Response and CAS
For solution #1, what is your concern about passing the SAMLResponse to CAS? Your actions should have access to any of the request methods (i.e. to retrieve it from the query string)

On Tue, May 20, 2014 at 10:39 AM, Anders Malmborg anders.malmb...@porscheinformatik.at wrote:

We have happily used CAS for SSO including proxy ticketing for some time now. We use LDAP as authentication handler. Now there is a case where we are called from a WebSeal providing a SAMLResponse. After validating the SAMLResponse a Service Ticket should be generated and verified by the application. After consulting documentation in the web I came up with two possible solutions, each with its drawbacks.

Solution 1: Validate the SAMLResponse in CAS (inspired by https://wiki.jasig.org/display/CASUM/X.509+Certificates):
* Implement a Credentials class wrapping the SAMLResponse
* Extend AbstractNonInteractiveCredentialsAction to construct credential above.
* Extend AbstractPreAndPostProcessingAuthenticationHandler to validate the SAMLResponse.
* Implement a CredentialsToPrincipalResolver to handle the SAMLResponse Credential.
The login-webflow will redirect to the CredentialsAction (bullet 2) before (on failure) going on to the standard login form.
-Drawback: how to pass the SAMLResponse to CAS from the service to authenticate?

Solution 2: Use Spring Security Pre-authentication filter to validate in the service (CAS Client) and use https://wiki.jasig.org/display/CASUM/Trusted:
* Validate the SAML in a Spring Security Pre-authentication filter prior to calling CAS.
* Extend org.springframework.security.cas.web.CasAuthenticationEntryPoint.preCommence(HttpServletRequest, HttpServletResponse) to pass a Principal based on the authentication in the filter.
-Drawback: How can a Principal be set on the (final) HttpServletRequest passed to CasAuthenticationEntryPoint.preCommence(HttpServletRequest, HttpServletResponse)?

Any hints how to solve this would be appreciated...
Regards, Anders
Re: [cas-user] How/where is CASTGC generated?
What exactly are you hoping to discover by looking at that class? There are really only two scenarios where a TGT is not created/placed into a cookie:
1. Authentication failed (no TGT is generated)
2. Non-secure connection (http vs. https)

On Mon, Jun 2, 2014 at 8:15 AM, Zac Harvey zhar...@commercehub.com wrote:

Can anybody tell me where (inside the CAS source code) the CASTGC cookie gets created and handed back to the browser? I see an org.jasig.cas.web.support.CookieRetrievingCookieGenerator... am I close?

-Original Message- From: Zac Harvey Sent: Friday, May 30, 2014 5:33 PM To: 'cas-user@lists.jasig.org' Subject: RE: [cas-user] How/where is CASTGC generated?

Thanks Andy, Yes I've been using the F12 tool in IE (I guess it's called DebugBar) and have confirmed that in about 50% of the cases, after a user logs in via IE, the browser does not receive a CASTGC cookie. Thoughts? Thanks again, Zac

-Original Message- From: Andrew Morgan [mailto:mor...@orst.edu] Sent: Friday, May 30, 2014 5:26 PM To: cas-user@lists.jasig.org Subject: Re: [cas-user] How/where is CASTGC generated?

On Fri, 30 May 2014, Zac Harvey wrote:

It looks like (maybe) the CookieRetrievingCookieGenerator is responsible for creating the CASTGC? https://github.com/Jasig/cas/blob/master/cas-server-webapp-support/src/main/java/org/jasig/cas/web/support/CookieRetrievingCookieGenerator.java

I am running into instances where CASTGC is not being generated and I need to debug why. Is anyone aware of circumstances where CASTGC will not get generated?

Have you tried using Web Developer (Firefox) or DebugBar (IE) so that you can view the HTTP traffic between your browser and the CAS server? Those tools can show you a lot about what is really happening. For example, you can see if the CAS server is sending the CASTGC cookie to your browser.
Andy
Re: [cas-user] CAS 4.0.0 SingleSignOutFilter
My questions:

1. Will configuring SingleSignOutFilter in web.xml complete my implementation for single sign out, or is there more config that I need to do? If so, where?

You cannot have single sign out without the filter. Whether it completes the configuration depends on your set up (i.e. if your network topology requires additional work)

2. Once single sign out is implemented, will it have the expected behavior that I describe above? Meaning, if I go to the /logout link, then anytime I try to go to an authenticated URL, it should redirect me back to the /login page?

Yes

3. How can I tell which protocol (CAS 2.0 or SAML 1.1) I'm using? I should be using whatever default CAS 4.0.0 ships with as I didn't override anything in my project.

By default the server should have CAS 2.0 and SAML 1.1 enabled. Your client is talking via whichever filter you configured (most likely 2.0 spec)

On Thu, Jun 5, 2014 at 3:45 PM, Zac Harvey zhar...@commercehub.com wrote:

I followed the CAS Best Practices (https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven+WAR+Overlay+Method) for building a “cas.war” (v4.0.0) and deploying it to Tomcat7.

When I spin up Tomcat, I am able to access my CAS login page at: https://localhost:8443/cas/login

I then deploy one of my client apps (a Grails web app using Shiro for authentication), which comes online at: http://localhost:9100/myapp

I go to an authenticated URL for myapp.war (the CAS client app): http://localhost:9100/myapp/secret

I am successfully redirected to my CAS login page (for now, I'm using the default casLoginView.jsp). I check my browser cookies, and for the CAS site I have a JSESSIONID. I login using the CAS default credentials (username is *casuser*; password is *Melon*) and am successfully redirected to http://localhost:9100/myapp/secret. Great success! I check my cookies again and see that I have the same exact JSESSIONID as well as a new CASTGC cookie.

I now go directly to my CAS logout page: https://localhost:8443/cas/logout

I see a Logout successful message, and check my cookies again. The CASTGC cookie is gone, and I still have a JSESSIONID, however, it's a different one than the first JSESSIONID that I got.

I now go back to my authenticated URL: http://localhost:9100/myapp/secret

I expect to be redirected to the CAS login page: instead I am allowed to view the /secret page and **appear to still be authenticated, even after logging out!!!**

I *believe* I need to implement the SingleSignOutFilter by placing it in myapp's web.xml as instructed here: https://wiki.jasig.org/display/CASC/Configuring+Single+Sign+Out

My questions:

1. Will configuring SingleSignOutFilter in web.xml complete my implementation for single sign out, or is there more config that I need to do? If so, where?

2. Once single sign out is implemented, will it have the expected behavior that I describe above? Meaning, if I go to the /logout link, then anytime I try to go to an authenticated URL, it should redirect me back to the /login page?

3. How can I tell which protocol (CAS 2.0 or SAML 1.1) I'm using? I should be using whatever default CAS 4.0.0 ships with as I didn't override anything in my project.

Thanks in advance!
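Why /myapp/secret stayed reachable after /cas/logout in the exchange above, shown as an added Python model (not CAS or CAS client code, and not part of the original messages): the application keeps its own session, and only a back-channel logoutRequest naming the service ticket ends it. The class and function names, ticket and session ids are hypothetical; the message shape follows the CAS single logout request, and the sample body is constructed.

```python
"""Model of CAS back-channel single sign-out as seen by one client application."""
import re
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample of the body CAS POSTs (form field "logoutRequest") to a service URL.
LOGOUT_TEMPLATE = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-1-constructed" Version="2.0" IssueInstant="2014-06-05T15:45:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>{ticket}</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)


def extract_session_index(logout_request):
    """Return the service ticket named in a logoutRequest, or None if unusable."""
    # The body comes from the network: refuse DTDs and entities before parsing.
    if re.search(r"<!(DOCTYPE|ENTITY)", logout_request, re.IGNORECASE):
        return None
    try:
        root = ET.fromstring(logout_request)
    except ET.ParseError:
        return None
    if root.tag != "{%s}LogoutRequest" % SAMLP_NS:
        return None
    node = root.find("{%s}SessionIndex" % SAMLP_NS)
    if node is None or not (node.text or "").strip():
        return None
    return node.text.strip()


class ClientApp:
    """A CAS-protected application with its own (JSESSIONID-style) sessions."""

    def __init__(self, single_sign_out):
        self.single_sign_out = single_sign_out
        self.sessions = {}           # local session id -> username
        self.ticket_to_session = {}  # service ticket -> local session id

    def login_with_ticket(self, session_id, service_ticket, username):
        """Called once the service ticket has been validated against CAS."""
        self.sessions[session_id] = username
        if self.single_sign_out:
            # Remember which local session this ticket created.
            self.ticket_to_session[service_ticket] = session_id

    def handle_post(self, form):
        """Back-channel endpoint. Returns True if a local session was ended."""
        if not self.single_sign_out:
            return False  # no filter: the POST is ignored by the app
        ticket = extract_session_index(form.get("logoutRequest", ""))
        if ticket is None:
            return False
        session_id = self.ticket_to_session.pop(ticket, None)
        if session_id is None:
            return False
        self.sessions.pop(session_id, None)
        return True

    def is_authenticated(self, session_id):
        return session_id in self.sessions


def cas_logout(issued_tickets):
    """Model of /cas/logout: after the TGT is destroyed, one POST per issued ticket."""
    ended = 0
    for app, ticket in issued_tickets:
        body = LOGOUT_TEMPLATE.format(ticket=ticket)
        if app.handle_post({"logoutRequest": body}):
            ended += 1
    return ended


def demo():
    """Return {single_sign_out_enabled: still_authenticated_after_cas_logout}."""
    results = {}
    for enabled in (False, True):
        app = ClientApp(single_sign_out=enabled)
        app.login_with_ticket("JSESSIONID-app-1", "ST-1-constructed", "casuser")
        cas_logout([(app, "ST-1-constructed")])
        results[enabled] = app.is_authenticated("JSESSIONID-app-1")
    return results


if __name__ == "__main__":
    print(demo())
```

The logout POST is sent by the CAS server itself, not by the browser, so the server must be able to reach each application's service URL; that is the network-topology caveat in the reply.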
Re: [cas-user] Single signout for Shiro-CAS client apps
The only CAS cookie you care about is the CASTGC. That should be created/destroyed on login/logout. Any jsession cookies are managed by your container.

On Thu, May 29, 2014 at 3:41 PM, Zac Harvey zhar...@commercehub.com wrote:

I have 4 Grails apps using the Shiro-CAS plugin for CAS/SSO: http://grails.org/plugin/shiro-cas

When I log in to one of these apps, and then navigate to all the others, I see individual JSESSIONID cookies for each app. I also see both a CASTGC cookie and a JSESSIONID cookie for my CAS server site. I noticed that when I go to my CAS server’s /logout link, that not all these cookies are destroyed. Instead I have to restart the browser to clear them all out.

Is there any way around this (I’m on 3.5.2.1)? Is there any way to destroy all the cookies associated with the CAS session?
Re: [cas-user] Redirect to specific URL on logout
This class has the basic flow of logout (you can see where it reads a service parameter for redirect): https://github.com/Jasig/cas/blob/master/cas-server-webapp-support/src/main/java/org/jasig/cas/web/flow/LogoutAction.java

On Thu, May 29, 2014 at 3:35 PM, Zac Harvey zhar...@commercehub.com wrote:

I see the views/jsp/…/casLogOutView.jsp file, but was wondering how I could configure CAS to redirect the user to, say, http://google.com after they go to the logout link (https://my-cas-server:5443/logout). Is this possible? If so, how?
Re: [cas-user] What is the TLTUID cookie?
A quick Google search indicates that it's part of IBM's Tealeaf. That would be part of your infrastructure.

On Tue, Jun 3, 2014 at 10:40 AM, Zac Harvey zhar...@commercehub.com wrote:

What is TLTUID and what is it used for? I only see it after IE logins. Thanks in advance!
Re: [cas-user] Cas server and radius authentication
We need to make sure that we properly deprecate things before we remove them (even if we consider them unnecessary or imperfect). Did that happen here? (I am on vacation, so responses are delayed) On Jun 5, 2014 9:13 AM, Jérôme LELEU lel...@gmail.com wrote: Hi, As the *retries* property has a default value, it's not necessary to set it in the constructor. Plus, there is a dedicated setter. So I think it explains why the constructor with the retries argument has disappeared. We can add it back though (or update the doc accordingly), it's not a big deal... Best regards, 2014-06-05 14:42 GMT+02:00 Stefan Paetow stefan.pae...@ja.net: I’ve put in a pull request to restore that functionality in 4.1.0 (or even 4.0.1). Stefan *From:* Dmitriy Kopylenko [mailto:dkopyle...@unicon.net] *Sent:* 28 May 2014 15:09 *To:* cas-user@lists.jasig.org *Subject:* Re: [cas-user] Cas server and radius authentication Looking at the JRadiusServerImpl in 4.0, the constructor only takes the protocol and RadiusClientFactory (no 'number of retries’ property) https://github.com/Jasig/cas/blob/v4.0.0/cas-server-support-radius/src/main/java/org/jasig/cas/adaptors/radius/JRadiusServerImpl.java#L72 So apparently the wiki documentation is wrong. Try adjusting the bean definition for radiusServer1 accordingly. Cheers, D. On May 28, 2014, at 9:43 AM, Reuben Popp reuben.p...@gmail.com wrote: Good morning to all, Quick question for the group. I'm attempting to deploy CAS with radius authentication and am running into a little trouble. The environment consists of the following: Redhat ES 6.5 Cas Server 4.0 Apache Tomcat 7 Java 1.6 I renamed the cas-server-uber-webapp-4.0.0.war to cas.war and moved it to /opt/apache-tomcat/webapps and made sure it had the appropriate permissions, after which I restarted tomcat to ensure that the war file was deployed. 
I then modified tomcat root/cas/WEB-INF/deployerConfigContext.xml as per the documentation for cas server 4 in the wiki: https://wiki.jasig.org/display/CASUM/RADIUS Restarting tomcat, I see the following errors in the catalina.out log: 2014-05-28 08:18:09,911 ERROR [org.springframework.web.context.ContextLoader] - Context initialization failed org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'centralAuthenticationService' defined in ServletContext resource [/WEB-INF/spring-configuration/applicationContext.xml]: Cannot resolve reference to bean 'authenticationManager' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationManager' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Cannot resolve reference to bean 'radiusAuthenticationHandler' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'radiusAuthenticationHandler' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Cannot resolve reference to bean 'radiusServer1' while setting bean property 'servers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'radiusServer1' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Could not resolve matching constructor (hint: specify index/type/name arguments for simple parameters to avoid type ambiguities) snip Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationManager' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Cannot resolve reference to bean 'radiusAuthenticationHandler' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 
'radiusAuthenticationHandler' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Cannot resolve reference to bean 'radiusServer1' while setting bean property 'servers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'radiusServer1' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Could not resolve matching constructor (hint: specify index/type/name arguments for simple parameters to avoid type ambiguities) snip Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'radiusAuthenticationHandler' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Cannot resolve reference to bean 'radiusServer1' while setting bean property 'servers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'radiusServer1' defined in ServletContext resource
Re: [cas-user] Cas 4.0 : JCaptcha
I don't think that wiki section is valid and we should probably remove it.

On Jun 4, 2014 4:29 AM, Sunil Kalahasti sunilkalaha...@gmail.com wrote:

Hi, We would like to include captcha in login page. Can we still use the configuration provided at https://wiki.jasig.org/display/CAS4UM/JCaptcha with CAS 4.0 ? When I try to include the following dependencies, they are not resolved:

    <dependency>
        <groupId>org.jasig.cas</groupId>
        <artifactId>cas-server-integration-jcaptcha</artifactId>
        <version>${project.version}</version>
    </dependency>
    <dependency>
        <groupId>org.jasig.cas</groupId>
        <artifactId>cas-server-integration-jcaptcha-inmemory</artifactId>
        <version>${project.version}</version>
    </dependency>

Could anyone please advise how to proceed further? Thanks, Sunil.
RE: [cas-user] How/where is CASTGC generated?
Just an FYI it will not be sent over http.

On May 30, 2014 11:48 PM, Andrew Morgan mor...@orst.edu wrote:

On Fri, 30 May 2014, Zac Harvey wrote:

Thanks Andy, Yes I've been using the F12 tool in IE (I guess it's called DebugBar) and have confirmed that in about 50% of the cases, after a user logs in via IE, the browser does not receive a CASTGC cookie. Thoughts?

Hmm, Developer Tools (F12) isn't the same as DebugBar. I can't find a place in Developer Tools to view the HTTP headers, but I haven't used it.

Another place you can check the behavior of CAS is the CAS log files. For example, check the audit.log file for ACTION: TICKET_GRANTING_TICKET_CREATED entries. audit.log and cas.log may be able to give you some clues.

Andy
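One way to run the audit.log check suggested above and map the result onto the two causes named earlier in this thread (authentication failed, or a non-https connection), as an added Python example that is not part of the original messages or of CAS. The record layout (WHO/WHAT/ACTION/WHEN blocks after "Audit trail record BEGIN"), the AUTHENTICATION_* action names and a bare username in WHO are assumptions about the deployment's audit format; the sample records and addresses are constructed.

```python
"""Triage 'browser got no CASTGC' reports from a CAS audit trail."""
import re
from collections import defaultdict

# Constructed sample records; a real audit.log may differ in layout and WHO format.
SAMPLE_AUDIT_LOG = """\
2014-05-30 17:20:11,101 INFO [audit] - Audit trail record BEGIN
=============================================================
WHO: alice
WHAT: supplied credentials: [alice]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Fri May 30 17:20:11 EDT 2014
CLIENT IP ADDRESS: 192.0.2.10
SERVER IP ADDRESS: 192.0.2.1
=============================================================

2014-05-30 17:20:11,140 INFO [audit] - Audit trail record BEGIN
=============================================================
WHO: alice
WHAT: TGT-1-constructed
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri May 30 17:20:11 EDT 2014
CLIENT IP ADDRESS: 192.0.2.10
SERVER IP ADDRESS: 192.0.2.1
=============================================================

2014-05-30 17:21:42,007 INFO [audit] - Audit trail record BEGIN
=============================================================
WHO: bob
WHAT: supplied credentials: [bob]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri May 30 17:21:42 EDT 2014
CLIENT IP ADDRESS: 192.0.2.11
SERVER IP ADDRESS: 192.0.2.1
=============================================================
"""

# "KEY: value" lines whose key is upper-case words, e.g. "CLIENT IP ADDRESS".
FIELD_RE = re.compile(r"^([A-Z][A-Z ]*[A-Z]): (.*)$", re.MULTILINE)


def parse_audit_records(text):
    """Split the log on record markers and return one dict per complete record."""
    records = []
    for chunk in text.split("Audit trail record BEGIN")[1:]:
        fields = {key: value.strip() for key, value in FIELD_RE.findall(chunk)}
        if "WHO" in fields and "ACTION" in fields:
            records.append(fields)
    return records


def triage_missing_castgc(text):
    """Map each principal to the likeliest reason the browser holds no CASTGC.

    tgt-created  : the server issued a TGT, so look at delivery of the cookie
                   (was the login page reached over http instead of https?)
    auth-failed  : authentication failed, so no TGT was ever generated
    inconclusive : neither event was logged for this principal
    """
    counts = defaultdict(lambda: {"failed": 0, "tgt_created": 0})
    for record in parse_audit_records(text):
        entry = counts[record["WHO"]]
        if record["ACTION"] == "AUTHENTICATION_FAILED":
            entry["failed"] += 1
        elif record["ACTION"] == "TICKET_GRANTING_TICKET_CREATED":
            entry["tgt_created"] += 1
    verdicts = {}
    for who, entry in counts.items():
        if entry["tgt_created"]:
            verdicts[who] = "tgt-created"
        elif entry["failed"]:
            verdicts[who] = "auth-failed"
        else:
            verdicts[who] = "inconclusive"
    return verdicts


if __name__ == "__main__":
    for who, verdict in sorted(triage_missing_castgc(SAMPLE_AUDIT_LOG).items()):
        print(who, verdict)
```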
Re: [cas-user] Service Registry in database
We put them on CASImpl because technically that is where the transaction would occur (a single method on that class could call multiple ticketregistry methods)

On May 30, 2014 3:00 PM, Marvin Addison marvin.addi...@gmail.com wrote:

I think the underlying problem in the code is that @Transaction annotations were placed at the wrong layer, on the methods in class CentralAuthenticationServiceImpl.

+1 Your analysis and solution are probably the best evidence we have for that claim. I recall having made a similar suggestion in the past, but I didn't have a sound argument at the time. I believe your problem and solution provide the evidence we need to move forward with a fix in the next release of CAS. I would appreciate your filing a Jira issue to make the change you suggested and citing this thread as a reference.

Thanks for your persistence working through this issue and sharing the result. Hopefully it will lead to a fix for this long-standing issue.

M
Re: [cas-user] Service Registry in database
No. You may call multiple methods on the same registry that should be part of the same transaction.

On May 30, 2014 6:01 PM, Andrew Morgan mor...@orst.edu wrote:

On Fri, 30 May 2014, Scott Battaglia wrote:

We put them on CASImpl because technically that is where the transaction would occur (a single method on that class could call multiple ticketregistry methods)

You can have multiple ticket registries? How does that work and why would you want that? :)

Andy
Re: [cas-user] Service Registry in database
I agree. I was just explaining why it was there :-)

On May 30, 2014 4:19 PM, Marvin Addison marvin.addi...@gmail.com wrote:

We put them on CASImpl because technically that is where the transaction would occur (a single method on that class could call multiple ticketregistry methods)

Correct, but clearly that approach has some undesirable side effects. The only registry that would benefit from @Transactional on the CASImpl methods is JPATicketRegistry; all other backends are not transactional across multiple calls if they have transactional support at all.

My opinion is that TicketRegistry has outlived its usefulness. I believe we would be better served by a generic StorageService facility (get/put/delete) that has @Transactional on its methods as needed for the JPA implementation. With a careful design of the semantics of get/put I'm confident we could provide secure ticket storage without the side effects that Andrew reported. Additionally, this approach would naturally isolate dependencies into technology-specific modules (JPA, Ehcache, memcached, LDAP) and hopefully reduce the number of components.

In any case it's probably not as easy as simply dropping @Transactional on CASImpl for the reasons you cited, but with some deeper changes to our storage subsystem I believe we can have a win/win. I think a Jira issue citing the problem and solution Andrew noted would justify further research and development work in that direction.

M
Re: [cas-user] Service Registry in database
Yes I believe you should be safe.

On May 30, 2014 8:04 PM, Andrew Morgan mor...@orst.edu wrote:

On Fri, 30 May 2014, Marvin Addison wrote:

I think the underlying problem in the code is that @Transaction annotations were placed at the wrong layer, on the methods in class CentralAuthenticationServiceImpl.

+1 Your analysis and solution are probably the best evidence we have for that claim. I recall having made a similar suggestion in the past, but I didn't have a sound argument at the time. I believe your problem and solution provide the evidence we need to move forward with a fix in the next release of CAS. I would appreciate your filing a Jira issue to make the change you suggested and citing this thread as a reference.

Thanks for your persistence working through this issue and sharing the result. Hopefully it will lead to a fix for this long-standing issue.

My testing hasn't indicated any problems with my workaround (transactions only on the delete() and save() methods). Do you think that is a safe workaround for this issue? At least in my simple configuration, I can't see a reason to have transactions on anything else.

I really need this workaround because I have some maintenance to perform on our MySQL server. If that is going to cause a CAS outage, then the impact of the MySQL maintenance will be much larger!

Thanks, Andy
Re: [cas-user] cas mvn build error
Looks like a temporary problem connecting to a remote server? Could not transfer artifact org.opensaml:opensaml:pom:1.1b from/to ja-sig (http://developer.ja-sig.org/maven2/): Connection to http://developer.ja-sig.org refused: Connection timed out - [Help 1] On Thu, May 29, 2014 at 11:42 AM, James Strother james.strot...@tulsacc.edu wrote: I am trying to rebuild my cas environment via mvn and am getting the following error: [ERROR] Failed to execute goal on project local-cas: Could not resolve dependencies for project org.university.cas:local-cas:war:1.0: Failed to collect dependencies for [org.jasig.cas:cas-server-webapp:war:3.4.12 (runtime), org.jasig.cas:cas-server-core:jar:3.4.12 (compile), org.jasig.cas:cas-server-support-ldap:jar:3.4.12 (compile), org.jasig.cas:cas-server-support-x509:jar:3.4.12 (compile), org.springframework:spring-beans:jar:3.0.4.RELEASE (provided), net.sf.ehcache:ehcache-core:jar:2.5.0 (compile), org.hibernate:hibernate-core:jar:3.5.0-CR-2 (runtime), org.hibernate:hibernate-entitymanager:jar:3.5.0-CR-2 (runtime), c3p0:c3p0:jar:0.9.1.2 (compile), mysql:mysql-connector-java:jar:5.1.13 (runtime), org.opensymphony.quartz:quartz:jar:1.6.1 (compile), javax.servlet:jstl:jar:1.1.2 (compile), taglibs:standard:jar:1.1.2 (compile), ognl:ognl:jar:2.7.3 (runtime), org.hibernate:hibernate-validator:jar:4.0.2.GA (runtime)]: Failed to read artifact descriptor for org.opensaml:opensaml:jar:1.1b: Could not transfer artifact org.opensaml:opensaml:pom:1.1b from/to ja-sig ( http://developer.ja-sig.org/maven2/): Connection to http://developer.ja-sig.org refused: Connection timed out - [Help 1] [ERROR] Any hints? Thanks. 
Re: [cas-user] Login page refuses to authenticate if JSESSIONID has been removed
Servlet session timeouts are configured via the web.xml: http://www.mkyong.com/servlet/how-to-configure-the-session-timeout-in-servlet/

On Fri, May 23, 2014 at 8:46 AM, Zac Harvey zhar...@commercehub.com wrote:

Thanks Misagh! This seems to be my exact problem (and just like I expected, a session expiry). My big question: it says that the remedy is to configure the default CAS session timeout to be an appropriate value. How/where do I configure this timeout (what file, what property, etc.)? Thanks again!

*From:* Misagh Moayyed [mailto:mmoay...@unicon.net] *Sent:* Friday, May 23, 2014 6:22 AM *To:* cas-user@lists.jasig.org *Subject:* RE: [cas-user] Login page refuses to authenticate if JSESSIONID has been removed

Does this help? http://jasig.github.io/cas/4.0.0/installation/Troubleshooting-Guide.html#login-form-clearing-credentials-on-submission

*From:* Zac Harvey [mailto:zhar...@commercehub.com] *Sent:* Thursday, May 22, 2014 12:57 PM *To:* cas-user@lists.jasig.org *Subject:* [cas-user] Login page refuses to authenticate if JSESSIONID has been removed

Last week I rolled out a new, custom login page to our test CAS server (where our QA team works). Before this we were using the default CAS login page (under src/main/webapp/WEB-INF/views/jsp/default, etc.). For the last week, I’ve been receiving complaints from many testers that sometimes, intermittently, they’re unable to login. What happens is that they:

1. Attempt to login with their username/password (our underlying AuthenticationHandler didn’t change at all, so their credentials should be working)
2. The form essentially resets but does not log them in (both the username and password fields clear)

After spending an enormous amount of time troubleshooting this, I am able to reproduce it.

1. Login and then log out of CAS (this step might not be necessary but I believe it sets the rest of the steps up to become reproducible; under the hood I think it's correctly setting and then clearing the CASTGC and JSESSIONID cookies)
2. Go back to the login page (in our case: https://devauth01.ourcompany.org:5443/login).
3. Check for the existence of a JSESSIONID cookie in your browser - it seems to always be there; perhaps it is set by CAS when the login page is fetched by the browser. Remove it.
4. Attempt to login.
5. Just like my QA testers are reporting, the page redirects to https://devauth01.ourcompany.org:5443/login;jsessionid=3AF7CCAE3C526ADB8BF8E00EDD20876B and does not bring you to the “Log In Successful” page. Instead the form just resets, but you’re just staring at a fresh new login screen.

So, a few questions on this:

(a) I know that my QA testers are not going in and manually removing cookies (honestly, I don’t think they would know how). But I’m wondering if something is happening where they are keeping browsers open for too long, or perhaps closing tabs but keeping the main browser open, and the JSESSIONID is expiring? Or perhaps some other process is somehow clearing it? Does any of this make sense?

(b) What’s the fix? Regardless of **how** the JSESSIONID is getting lost (either by manually removing the cookie, or by some weird expiry or other voodoo magic), it’s quite apparent to me: if the JSESSIONID doesn’t exist when the user attempts to login, then the form won’t submit and the user won’t be authenticated. So what’s the solution here?

Thanks!
*Zac Harvey* Senior Technical Lead – Internal Engineering CommerceHub 255 Fuller Road Suite 327 Albany, NY 12203 518.810.0700 Ext: 3622 http://www.commercehub.com -- You are currently subscribed to cas-user@lists.jasig.org as: mmoay...@unicon.net To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: zhar...@commercehub.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: scott.battag...@gmail.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] Login page refuses to authenticate if JSESSIONID has been removed
No. The web.xml's session timeout only controls the Servlet session. CAS uses the servlet session to maintain some information during the login flow, but the CAS single sign session is separate and stored outside of the web.xml session.

On Fri, May 23, 2014 at 9:03 AM, Zac Harvey zhar...@commercehub.com wrote:

Thanks again Scott Misagh! Just curious – how does this server-side session timeout correlate with client-side logins? Say I set session-timeout to 10 minutes; does that mean the user will be automagically logged out after 10 minutes?

*From:* Misagh Moayyed [mailto:mmoay...@unicon.net] *Sent:* Friday, May 23, 2014 8:53 AM *To:* cas-user@lists.jasig.org *Subject:* RE: [cas-user] Login page refuses to authenticate if JSESSIONID has been removed

web.xml, session-timeout.
Re: [cas-user] Login page refuses to authenticate if JSESSIONID has been removed
It all depends on your user base. At a previous employer, most people didn't leave the login page open unused for a while so we could use a shorter time (i.e. 5m or 10m). If you've got a user population that does a GET /login and then hangs around for hours and expects POST /login to work, then you'll need a larger time :-)

On Fri, May 23, 2014 at 9:59 AM, Zac Harvey zhar...@commercehub.com wrote:

And, as a 2nd question there, how can I test to make sure that setting session-timeout to a larger value is in fact fixing my login issues?

*From:* Zac Harvey *Sent:* Friday, May 23, 2014 9:58 AM *To:* 'cas-user@lists.jasig.org' *Subject:* RE: [cas-user] Login page refuses to authenticate if JSESSIONID has been removed

Thanks Scott, but now I’m even more confused! If the servlet session is separate from the CAS single sign in session, then how is it causing my login issue (where the form seems to clear/reset but not login)?
Re: [cas-user] Login page refuses to authenticate if JSESSIONID has been removed
Because as I mentioned the servlet session is used to hold information as part of the login flow (i.e. from when you GET the /login to when you POST to /login)

On Fri, May 23, 2014 at 9:58 AM, Zac Harvey zhar...@commercehub.com wrote:

Thanks Scott, but now I’m even more confused! If the servlet session is separate from the CAS single sign in session, then how is it causing my login issue (where the form seems to clear/reset but not login)?
Re: [cas-user] Login page refuses to authenticate if JSESSIONID has been removed
Your second and third scenarios have nothing to do with the servlet session. Therefore the 20 minute questions are not valid. As mentioned, the servlet session is only used to maintain some state during the login flow. It is NOT used for the single sign on session.

On Fri, May 23, 2014 at 10:08 AM, Zac Harvey zhar...@commercehub.com wrote:

Sorry, last followup question here (I promise) – I don’t think I worded my last question quite right. Say I set the session-timeout from 5 minutes (the default) to, say, 20 minutes:

1. When does the “20 minute” timer start ticking (meaning, what even triggers the session-timeout to begin counting)? A user logging in?
2. Scenario A: the user logs in and continues to use several apps (all joined via SSO) for the full 20 minutes. What happens when they do a page refresh after the 20 minutes is up?
3. Scenario B: the user logs in and then idles for the full 20 minutes. What happens when they do a page refresh after the 20 minutes is up?

Thanks again for all your help thus far – getting answers to these followups should clear everything up for me!
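The distinction drawn in this thread, as an added toy model in Python (not CAS code and not part of the original messages): the servlet session only carries login-flow state between GET /login and POST /login and expires on idle time, while the single sign-on session is tracked separately. The names `ToyCasServer` and `flow_key`, the fixed 8-hour SSO lifetime and all timestamps are assumptions made for the model.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class ToyCasServer:
    # web.xml <session-timeout>: an idle timeout, counted from the last request
    servlet_idle_timeout: int = 5 * 60
    # Assumed SSO lifetime for the model; it is not read from web.xml
    tgt_lifetime: int = 8 * 60 * 60
    servlet_sessions: dict = field(default_factory=dict)  # JSESSIONID -> state
    tgts: dict = field(default_factory=dict)              # CASTGC -> created_at

    def servlet_session(self, jsessionid, now):
        """Return the live servlet session, or None if missing or idle too long."""
        session = self.servlet_sessions.get(jsessionid)
        if session is None:
            return None
        if now - session["last_access"] > self.servlet_idle_timeout:
            del self.servlet_sessions[jsessionid]
            return None
        session["last_access"] = now  # every request restarts the idle timer
        return session

    def get_login(self, now):
        """GET /login: create a servlet session holding login-flow state."""
        jsessionid = secrets.token_hex(8)
        flow_key = secrets.token_hex(8)  # hypothetical stand-in for flow state
        self.servlet_sessions[jsessionid] = {"last_access": now, "flow_key": flow_key}
        return jsessionid, flow_key

    def post_login(self, jsessionid, flow_key, credentials_ok, now):
        """POST /login: needs the flow state created by the earlier GET."""
        session = self.servlet_session(jsessionid, now)
        if session is None or session["flow_key"] != flow_key:
            # Flow state is gone: credentials are never checked, form is re-rendered
            new_id, new_key = self.get_login(now)
            return {"outcome": "form_reset", "jsessionid": new_id,
                    "flow_key": new_key, "castgc": None}
        if not credentials_ok:
            return {"outcome": "bad_credentials", "jsessionid": jsessionid,
                    "flow_key": flow_key, "castgc": None}
        castgc = "TGT-" + secrets.token_hex(8)
        self.tgts[castgc] = now  # SSO state lives outside the servlet session
        return {"outcome": "logged_in", "jsessionid": jsessionid,
                "flow_key": flow_key, "castgc": castgc}

    def sso_valid(self, castgc, now):
        """SSO check: depends only on the ticket, not on JSESSIONID."""
        created = self.tgts.get(castgc)
        return created is not None and now - created <= self.tgt_lifetime


def run_scenarios(idle_timeout_minutes):
    """Replay the cases from the thread against the model (constructed timings)."""
    timeout = idle_timeout_minutes * 60
    server = ToyCasServer(servlet_idle_timeout=timeout)
    results = {}

    # Login page left open longer than the idle timeout, then submitted
    jsessionid, flow_key = server.get_login(now=0)
    stale = server.post_login(jsessionid, flow_key, True, now=timeout + 1)
    results["stale_form"] = stale["outcome"]

    # Submitting the freshly rendered form straight away succeeds
    login_time = timeout + 2
    retry = server.post_login(stale["jsessionid"], stale["flow_key"], True, now=login_time)
    results["retry"] = retry["outcome"]

    # JSESSIONID cookie removed by hand before submitting
    _, other_key = server.get_login(now=login_time)
    removed = server.post_login(None, other_key, True, now=login_time + 1)
    results["cookie_removed"] = removed["outcome"]

    # Well after the servlet session has idled out, SSO is still valid
    later = login_time + 2 * timeout
    results["sso_valid_after_servlet_expiry"] = server.sso_valid(retry["castgc"], later)
    results["servlet_session_alive"] = (
        server.servlet_session(retry["jsessionid"], later) is not None
    )
    return results


if __name__ == "__main__":
    for name, value in run_scenarios(20).items():
        print(f"{name}: {value}")
```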
Re: [cas-user] how do I install cas 3.5.2 in tomcat 7? I don't find documentation.
Are you looking to deploy the server or integrate the client? You mention both in the email.

On Fri, May 23, 2014 at 8:51 AM, Carlos co...@uoc.edu wrote:

Hi, I had cas 3.5.2 in jboss 4 and now I'm moving to tomcat 7. First of all I had to add the following to my catalina.bat because there was a problem:

    set JAVA_OPTS = -Dorg.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false

After that it started apparently correctly but the behaviour compared to JBOSS previous version is different. In the jboss version I could retrieve the authentication from SecurityContextHolder.getContext() in my FlowExecutionListener and it was AnonymousAuthenticationToken but in tomcat 7 I get null. Perhaps something related to threads management different between both containers?

On top of that, I have seen that there are some cas client jars specific for tomcat and for the version 7 like:

- cas-client-integration-tomcat-common-3.2.1.jar
- cas-client-integration-tomcat-v7-3.2.1.jar

and I don't know how I have to use them and when it is necessary. Is there any procedure to properly install cas webapp in tomcat 7?

Thanks.
Re: [cas-user] Service Registry in database
If the only thing reading from a database is the services registry, it doesn't even do that frequently (it actually keeps a cached copy in memory) so I'm not sure where else database failures can be coming in during a login.

On Wed, May 21, 2014 at 11:43 AM, Andrew Morgan mor...@orst.edu wrote:

Heh, that's exactly what Marvin asked me last year. :) No, Inspektr is logging to an audit file. To make doubly sure, I even turned off auditing by commenting out the auditTrailManager bean and removing the auditTrailContext.xml file.

Thanks, Andy

On Tue, 20 May 2014, Scott Battaglia wrote:

Are you storing any auditing data in the database?

On Tue, May 20, 2014 at 7:03 PM, Andrew Morgan mor...@orst.edu wrote:

I'm reviving my old thread from last year because I need to perform some maintenance on MySQL and we cannot have our CAS instance be unavailable for the duration of the maintenance.

I'm running CAS v3.5.2 with my ticket registry stored in memcache and my services registry stored in MySQL. When MySQL is down, submitting the CAS login form returns a CAS is unavailable error page from the CAS server. I have attached the stack trace that is dumped into catalina.out when this error occurs.

I am simulating a MySQL outage with the following iptables rule:

    iptables -A INPUT -p tcp -i eth0 --dport 3306 -s 128.193.x.y -j REJECT --reject-with tcp-reset

A packet capture of the traffic to the MySQL server shows that during a successful authentication (MySQL up), the following SQL commands are issued:

    SET autocommit=0
    commit
    SET autocommit=1
    SET autocommit=0
    commit
    SET autocommit=1

When MySQL is down, the first SET autocommit=0 is sent, which then causes the CAS is unavailable error.

The stack trace indicates that some Spring AOP proxy is intercepting the call to createTicketGrantingTicket(). I see that createTicketGrantingTicket() has an @Transactional annotation applied to it. Could this be causing the spurious calls to autocommit and commit?

I know a few people have reported this same issue, and other people have reported things working fine while MySQL is down. Is there any additional logging or testing I can do to narrow this down?

Thanks, Andy
Re: [cas-user] Service Registry in database
Are you storing any auditing data in the database?
Re: [cas-user] Java 8?
I built from the command line using the latest code (not the 4.0.x branch). I'll try again later.

On Tue, May 13, 2014 at 11:14 AM, Tom Poage tfpo...@ucdavis.edu wrote:

On May 12, 2014, at 7:59 PM, Scott Battaglia scott.battag...@gmail.com wrote:

I just tried building and running it locally. I was able to do so though I didn't do extensive testing.

Thank you! Tried to build myself and got e.g.

    [INFO] --- aspectj-maven-plugin:1.4:compile (default) @ cas-server-core ---
    [WARNING] bad version number found in .../.m2/repository/org/aspectj/aspectjrt/1.7.2/aspectjrt-1.7.2.jar expected 1.6.11 found 1.7.2
    org.aspectj.apache.bcel.classfile.ClassFormatException: Invalid byte tag in constant pool: 15
    at org.aspectj.apache.bcel.classfile.Constant.readConstant(Constant.java:133)
    at org.aspectj.apache.bcel.classfile.ConstantPool.init(ConstantPool.java:45)

Any attempts to resolve only made things worse. So something lurking in there. Started to dig, but eventually had to move on to other priorities. Did you build with maven or Eclipse? (versions?)

Tom.
Re: [cas-user] Java 8?
I just tried building and running it locally. I was able to do so though I didn't do extensive testing.

On Wed, May 7, 2014 at 4:55 PM, Tom Poage tfpo...@ucdavis.edu wrote:

Any venture building/running CAS with Java 8?

Tom.
Re: [cas-user] CAS service throwing Could not initialize class org.opensaml.XML
Can you confirm the OpenSAML jar is in your lib directory? On Wed, Apr 16, 2014 at 3:25 AM, ray idan.frid...@cellebrite.com wrote: Hi, This bug is teasing me now for 2 days I find it hard to figure out. I am adding one of our Spring applications to work with our CAS servers. The cas server working properly (other cas services working as expected). When I access protected resource in that app I am being redirected to CAS. after submitting login password I get this: HTTP Status 500 - Filter execution threw an exception type Exception report message Filter execution threw an exception description The server encountered an internal error that prevented it from fulfilling this request. exception javax.servlet.ServletException: Filter execution threw an exception org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88) org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) root cause java.lang.NoClassDefFoundError: Could not initialize class org.opensaml.XML org.opensaml.SAMLObject.fromStream(Unknown Source) org.opensaml.SAMLResponse.init(Unknown Source) org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:51) org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:197) org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140) org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126) org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242) org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195) 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:65) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88) org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) note The full stack trace of the root cause is available in the Apache Tomcat/7.0.30 logs. I tried to change a bit the pom dependencies. still nothing. Anyone has any hint for a solution? thanks.
Re: [cas-user] About the CAS upgrade
clean is the appropriate term, not chean. If you can point us to the exact link that says chean instead of clean, we'll be happy to change it (assuming we're the host of the page). On Mon, Apr 7, 2014 at 10:10 AM, Kelvin Young hksi...@gmail.com wrote: Hi , the phase is copy from the link , so I sure it is correct command. 2014-04-07 18:17 GMT+08:00 Jérôme LELEU lel...@gmail.com: Hi, *Unknown lifecycle phase chean*: did you type *chean* instead of *clean*? Best, Jérôme 2014-04-07 12:08 GMT+02:00 Kelvin Young hksi...@gmail.com: Hi , I have followed the link to setup it , but got the following error , would advise what is wrong ? thanks error message Some problems were encountered while building the effective model for adde.com:local-cas:war:1.0-SNAPSHOT [WARNING] 'build.plugins.plugin.version' for org.apache.maven.plugins:maven-war-plugin is missing. @ line 13, column 12 [WARNING] [WARNING] It is highly recommended to fix these problems because they threaten the stability of your build. [WARNING] [WARNING] For this reason, future Maven versions might no longer support building such malformed projects. [WARNING] [INFO] [INFO] Using the builder org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder with a thread count of 1 [INFO] [INFO] [INFO] Building local-cas 1.0-SNAPSHOT [INFO] [INFO] [INFO] BUILD FAILURE [INFO] [INFO] Total time: 0.292 s [INFO] Finished at: 2014-04-07T18:05:01+08:00 [INFO] Final Memory: 7M/85M [INFO] [ERROR] Unknown lifecycle phase chean. You must specify a valid lifecycle phase or a goal in the format plugin-prefix:goal or plugin-group-id:plugin-artifact-id[:plugin-version]:goal. 
Available lifecycle phases are: validate, initialize, generate-sources, process-sources, generate-resources, process-resources, compile, process-classes, generate-test-sources, process-test-sources, generate-test-resources, process-test-resources, test-compile, process-test-classes, test, prepare-package, package, pre-integration-test, integration-test, post-integration-test, verify, install, deploy, pre-clean, clean, post-clean, pre-site, site, post-site, site-deploy. -> [Help 1] [ERROR] [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch. [ERROR] Re-run Maven using the -X switch to enable full debug logging. [ERROR] [ERROR] For more information about the errors and possible solutions, please read the following articles: [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/LifecyclePhaseNotFoundException $vi pom.xml <?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>adde.com</groupId> <artifactId>local-cas</artifactId> <packaging>war</packaging> <version>1.0-SNAPSHOT</version> <build> <plugins> <plugin> <artifactId>maven-war-plugin</artifactId> <configuration> <warName>cas</warName> </configuration> </plugin> </plugins> </build> <dependencies> <dependency> <groupId>org.jasig.cas</groupId> <artifactId>cas-server-webapp</artifactId> <version>${cas.version}</version> <type>war</type> <scope>runtime</scope> </dependency> </dependencies> <properties> <cas.version>3.5.2</cas.version> </properties> <repositories> <repository> <id>ja-sig</id> <url>http://oss.sonatype.org/content/repositories/releases/</url> </repository> </repositories> </project> Let's walk through this step by step: <?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
Re: [cas-user] New system missing ticket prefix
SAML artifacts don't use the prefix (if I recall correctly). I believe only tickets related to the CAS protocol do. On Sat, Mar 29, 2014 at 5:27 PM, ccook craig.c...@tulsacc.edu wrote: new to cas, have added some systems successfully using guides however a new system isn't working and isn't getting the usual TGT or ST ticket prefix that the working systems get. The vendor says it is using samlart to do the authentication. any ideas? 2014-03-29 16:31:44,549 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [AAFSsPYAkNKN6Mb0Q6Li8D8gawrtLAHGafMRn+kBFVjlij+M7GHTPrK5] for service [ https://xxx.x.cas.cgi?ACTION=LOGINREPOSITORY=STUPROD] for user [T] 2014-03-29 16:31:44,549 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN = WHO: T WHAT: AAFSsPYAkNKN6Mb0Q6Li8D8gawrtLAHGafMRn+kBFVjlij+M7GHTPrK5 for https://X.xx.cas.cgi?ACTION=LOGINREPOSITORY=STUPROD ACTION: SERVICE_TICKET_CREATED APPLICATION: CAS WHEN: Sat Mar 29 16:31:44 CDT 2014 2014-03-29 16:31:44,874 INFO [org.jasig.cas.ticket.registry.EhCacheTicketRegistry] - Unsupported ticket prefix for ticketId 'AAFSsPYAkNKN6Mb0Q6Li8D8gawrtLAHGafMRn+kBFVjlij+M7GHTPrK5', return null 2014-03-29 16:31:44,874 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceTicket [AAFSsPYAkNKN6Mb0Q6Li8D8gawrtLAHGafMRn+kBFVjlij+M7GHTPrK5] does not exist. 
2014-03-29 16:31:44,874 INFO [org.jasig.cas.ticket.registry.EhCacheTicketRegistry] - Unsupported ticket prefix for ticketId 'AAFSsPYAkNKN6Mb0Q6Li8D8gawrtLAHGafMRn+kBFVjlij+M7GHTPrK5', return null 2014-03-29 16:31:44,874 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN = WHO: audit:unknown WHAT: AAFSsPYAkNKN6Mb0Q6Li8D8gawrtLAHGafMRn+kBFVjlij+M7GHTPrK5 ACTION: SERVICE_TICKET_VALIDATE_FAILED APPLICATION: CAS WHEN: Sat Mar 29 16:31:44 CDT 2014
Re: [cas-user] example of Saml11TicketValidator
The newest version of the CAS Client is leveraging OpenSAML 2 (whereas older versions used OpenSAML 1.1). That may be why you're experiencing different behavior. With respect to proxying: proxying is part of the CAS protocol and not the SAML 1.1 protocol. If you need proxying + attributes you may be better off with a custom server response. On Thu, Mar 20, 2014 at 11:01 PM, Alua Kinzhebayeva alua.kinzhebay...@gmail.com wrote: No. Colleague of mine used just Saml11TicketValidator in his custom filter from latest cas-client jar. After he switched to an earlier version problem was gone. (might need to double check versions with him, but I do remember him picking latest once) Now we managed to get it working, could you answer another question? Is it possible to validate proxy ticket and get user principal with attributes? We changed a line of validator in cas-servlet.xml to enable proxy ticket validation, Saml11TicketValidator validates ticket, but instead of username as it was providing me before, now it gives me proxyCallback url specified in web.xml of an app that issues proxy ticket. Alua On 21 Mar 2014, at 08:27, Scott Battaglia scott.battag...@gmail.com wrote: Are you just using the Saml11 filter? Or are you using it in custom code? On Thu, Mar 20, 2014 at 1:20 AM, Alua.Kinzhebayeva alua.kinzhebay...@gmail.com wrote: Hello! Could someone provide short working example of using Saml11TicketValidator in their own filter? We switched to using it from Cas20ProxyTicketValidator. Previous validator worked fine, but now we need extra attributes. Our current problem is when we launch JBoss AS 7 in debug mode, PermGen exception gets thrown although we allocated 2GB (even tried 4) on validate method call.
Thank you for your time, Alua
Re: [cas-user] wrong redirect
Unless you've customized your CAS client, I don't believe this property exists: <init-param> <param-name>casServerRegistrationUrl</param-name> <param-value>http://localhost:9090/cas/casRegistrationView.jsp ?</param-value> </init-param> On Fri, Mar 21, 2014 at 3:47 AM, pavan pavan.pat...@anmsoft.com wrote: Hi Jerome, Thanks for your help. I have configure as you suggested but some mistake happens from my end and it is redirect to login page. Please suggest me i am going wrong some where. it is still going to http://localhost:9090/cas/login?service=http%3A%2F%2Fpavan.myapps.com%3A8080%2F%2Fbit%2Ffaces%2Fjsp%2FcasRegistration.jsp following is code cas client side:- <filter> <filter-name>CAS Authentication Filter</filter-name> <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> <init-param>bag <param-name>casServerLoginUrl</param-name> <param-value>http://localhost:9090/cas/login</param-value> </init-param> <init-param> <param-name>casServerRegistrationUrl</param-name> <param-value>http://localhost:9090/cas/casRegistrationView.jsp ?</param-value> </init-param> <init-param> <param-name>serverName</param-name> <param-value>http://pavan.myapps.com:8080/</param-value> </init-param> </filter> following is code cas server side:- - 1.default_view.properties casRegistrationView.(class)=org.springframework.web.servlet.view.JstlView casRegistrationView.url=/casRegistrationView.jsp - 2.web.xml <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/casRegistrationView</url-pattern> </filter-mapping> <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/casRegistrationView</url-pattern> </servlet-mapping> -- 3.cas-server.xml <bean id="xmlViewResolver" class="org.springframework.web.servlet.view.XmlViewResolver" p:order="1" p:location="/WEB-INF/view/views.xml" /> <!-- Locale Resolver --> <bean id="localeResolver" class="org.springframework.web.servlet.i18n.CookieLocaleResolver"/> <bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor"/> <bean id="urlBasedViewResolver" class="org.springframework.web.servlet.view.UrlBasedViewResolver" p:viewClass="org.springframework.web.servlet.view.InternalResourceView" p:prefix="/WEB-INF/view/jsp/" p:suffix=".jsp" p:order="2"/> <bean id="errorHandlerResolver" class="org.jasig.cas.web.FlowExecutionExceptionResolver"/> <bean class="org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter"/> <bean id="handlerMappingC" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping"> <property name="mappings"> <props> <prop key="/logout">logoutController</prop> <prop key="/serviceValidate">serviceValidateController</prop> <prop key="/validate">legacyValidateController</prop> <prop key="/proxy">proxyController</prop> <prop key="/proxyValidate">proxyValidateController</prop> <prop key="/samlValidate">samlValidateController</prop> <prop key="/services/add.html">addRegisteredServiceSimpleFormController</prop> <prop key="/services/edit.html">editRegisteredServiceSimpleFormController</prop> <prop key="/services/loggedOut.html">serviceLogoutViewController</prop> <prop key="/services/viewStatistics.html">viewStatisticsController</prop> <prop key="/services/*">manageRegisteredServicesMultiActionController</prop> <prop key="/openid/*">openIdProviderController</prop> <prop key="/authorizationFailure.html">passThroughController</prop> <prop key="/403.html">passThroughController</prop> <prop key="/status">healthCheckController</prop> <prop key="/addUser">registrationController</prop> <prop key="/casRegistrationView">casRegistrationController</prop> </props> </property> <property name="alwaysUseFullPath" value="true"/> <!-- uncomment this to enable sending PageRequest events. <property name="interceptors"> <list> <ref bean="pageRequestHandlerInterceptorAdapter" /> </list> </property> --> </bean> <bean id="casRegistrationController" class="org.jasig.cas.registration.controller.CasRegistrationViewController" p:casRegistrationController-ref="casRegistrationController"> </bean> -- new controller introduce 4.CasRegistrationViewController.java package org.jasig.cas.registration.controller; import
[cas-user] Jasig CAS Client for Java 3.3.1 Released
Dear community, We're pleased to announce both the Jasig CAS Client for Java 3.3.0 release and the 3.3.1 release (mostly because I forgot to send out the announcement for 3.3.0). You can find the release notes for 3.3.0 here: https://issues.jasig.org/secure/ReleaseNote.jspa?projectId=10100&version=10880 And the release notes for 3.3.1 here: https://issues.jasig.org/secure/ReleaseNote.jspa?projectId=10100&version=12981 We're in the process of updating the documentation to reference the new features so if you have any questions, please contact us on the list. You can find all of the artifacts in the Maven repository here: http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.jasig.cas.client%22 Cheers, Scott
Re: [cas-user] example of Saml11TicketValidator
Are you just using the Saml11 filter? Or are you using it in custom code? On Thu, Mar 20, 2014 at 1:20 AM, Alua.Kinzhebayeva alua.kinzhebay...@gmail.com wrote: Hello! Could someone provide short working example of using Saml11TicketValidator in their own filter? We switched to using it from Cas20ProxyTicketValidator. Previous validator worked fine, but now we need extra attributes. Our current problem is when we launch JBoss AS 7 in debug mode, PermGen exception gets thrown although we allocated 2GB (even tried 4) on validate method call. Thank you for your time, Alua
Re: [cas-user] More then one client in web.xml
The CAS Client can also support multiple server names (I think they are separated by space) and it will match the server name to the Host header when attempting to construct the service url. It will only match from that finite set of servers though. On Tue, Mar 18, 2014 at 2:22 AM, Jérôme LELEU lel...@gmail.com wrote: Hi, I understand that you want to define several CAS services using the Java CAS client. As the configuration relies on filters (AuthenticationFilter, Cas10TicketValidationFilter...), you can configure easily several CAS services if you map your filters on several different urls. Best regards, Jérôme 2014-03-17 18:34 GMT+01:00 shiva gsh...@indussoftware.net: Hello , Is it possible in JAVA client (web.xml) use more then one client at a time like test.test.com abc.test.com Please help me Thanks, Shiva.G
Re: [cas-user] Possible perl-AuthCAS bug or client problem
Can you post a safe version of your perl-AuthCAS configuration? (remove any sensitive/private information). I'm not familiar with the perl client but someone here may be able to notice where the extra : and / are coming from. On Tue, Mar 18, 2014 at 10:10 AM, Aaron Bennett abenn...@clarku.edu wrote: Hi, I apologize in advance for posting this to likely the wrong place, but I'm looking to rule out a server config issue here. I'm working on enabling CAS support in Sympa (an open-source listserve that uses perl-AuthCAS). Here's the errors I'm seeing in the cas log: Mar 18 09:11:43 odo-665 cas: INFO Audit trail record BEGIN = WHO: systemstes...@clarku.edu WHAT: ST-13-sPDJBVCa7YUP6bSrBorJ-cas.clarku.edu for http://testlists.clarku.edu/sso_login_succeeded/Login ACTION: SERVICE_TICKET_CREATED APPLICATION: CAS WHEN: Tue Mar 18 09:11:43 EDT 2014 CLIENT IP ADDRESS: 140.232.0.61 SERVER IP ADDRESS: 10.6.65.22 = Mar 18 09:11:43 odo-665 cas: ERROR ServiceTicket [ ST-13-sPDJBVCa7YUP6bSrBorJ-cas.clarku.edu] with service [ http://testlists.clarku.edu/sso_login_succeeded/Login does not match supplied service [http://testlists.clarku.edu://sso_login_succeeded/Login] Mar 18 09:11:43 odo-665 cas: INFO Audit trail record BEGIN = WHO: audit:unknown WHAT: ST-13-sPDJBVCa7YUP6bSrBorJ-cas.clarku.edu ACTION: SERVICE_TICKET_VALIDATE_FAILED APPLICATION: CAS WHEN: Tue Mar 18 09:11:43 EDT 2014 CLIENT IP ADDRESS: 140.232.1.46 SERVER IP ADDRESS: 10.6.65.22 = Does anyone have a guess where that extra : is coming from in the supplied service ID? I'm using perl-AuthCAS-1.5.2 on Centos 6. 
-Aaron --- Aaron Bennett Manager of Systems Administration Clark University ITS W:508.793.7315
Re: [cas-user] A cache somewhere in CAS?
Which version of CAS are you using? You have connection pooling for LDAP enabled (at least as far as I can tell) and I think certain versions didn't ensure that the final bind used a non-pool connection. My memory may be a bit hazy though :-) On Thu, Feb 27, 2014 at 12:01 PM, David Olivier david.oliv...@univ-lyon2.fr wrote: Hi to all. We have a problem with our CAS server. It authenticates against an LDAP server. I include the deployerConfigContext.xml file that specifies (if I understand correctly) the method used. (Passwords deleted.) I'm sorry for not being more specific about our configuration, but our CAS server was originally installed by an external company and we don't understand all the workings. Our problem is that when we change the password of a user through another application in our LDAP server, for about 15 minutes the CAS server accepts both the old and the new passwords. It is as if there was some cache involved somewhere. It appears to be session-independent. Does that ring a bell? Thanks for any answer you can give. David -- David Olivier http://david.olivier.name/ Landline 0478773079; mobile 0642060747 Giving preference to the life of a being simply because it is a member of our species would put us in the same position as racists who give preference to members of their own race. - Peter Singer, La Libération animale
Re: [cas-user] CAS Client on WebLogic
What WebLogic support files would you expect to be available? Why wouldn't the normal CAS client jar work? On Mon, Feb 24, 2014 at 12:45 PM, Adam Causey apcau...@vcu.edu wrote: Hello, Has anyone successfully setup the CAS Java client on WebLogic? I am helping out one of our users, and their application is installed on WebLogic. I notice that there are no support files for WebLogic that are offered (http://repo2.maven.org/maven2/org/jasig/cas/client/), so I am even wondering if it is a possibility. I normally only deal with Tomcat, which is a fairly straightforward installation. Thanks! -Adam
Re: [cas-user] Cas java client support specific page authentication
Your URL pattern is: <url-pattern>/*</url-pattern> You may want to look up the documentation on that to confirm what it should be for just hitting that one page. Also, you may wish to consider migrating to the more recent Jasig CAS Client for Java (3.3.0). On Mon, Feb 24, 2014 at 9:38 AM, shiva gsh...@indussoftware.net wrote: Hello all, Here is the my web.xml content , I want cas authentication only to https://test-site.net , I don't want CAS for reaming pages after the URL ex:- https://test-site.net/test.jsp like this Please provide valuable suggestions <!-- CAS --> <filter> <filter-name>CAS Filter</filter-name> <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class> <init-param> <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name> <param-value>https://domain.edu/cas/login</param-value> </init-param> <init-param> <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name> <param-value>https://domain.edu/cas/serviceValidate</param-value> </init-param> <init-param> <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name> <param-value>test-site.net</param-value> </init-param> </filter> <filter-mapping> <filter-name>CAS Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- Ends --> Regards, Shiva.G *From:* Scott Battaglia scott.battag...@gmail.com *Sent:* Monday, February 24, 2014 12:08 AM *To:* cas-user@lists.jasig.org *Subject:* Re: [cas-user] Cas java client support specific page authentication Why not just apply the filter to that specific page in your web.xml?
On Fri, Feb 21, 2014 at 2:32 PM, shiva gsh...@indussoftware.net wrote: Hello, We are using cas java client in web.xml I have a requirement that it only needs one specific page needs cas authentication Please advise me Thanks Shiva
Re: [cas-user] Cas java client support specific page authentication
Why not just apply the filter to that specific page in your web.xml? On Fri, Feb 21, 2014 at 2:32 PM, shiva gsh...@indussoftware.net wrote: Hello, We are using cas java client in web.xml I have a requirement that it only needs one specific page needs cas authentication Please advise me Thanks Shiva
Re: [cas-user] Container removing HTTPS and service validating
If it's the standard Java client, you should be able to specify the protocol as part of the service url prefix. I also know that Apache can set a flag to indicate that a request came in as HTTPS (so that Tomcat knows), not sure if Nginx can (I would assume it can). On Wed, Feb 12, 2014 at 9:32 AM, Jérôme LELEU lel...@gmail.com wrote: Hi, In your CAS client, the service used for the validation is a property you can configure to a HTTPS url, isn't it? Best regards, Jérôme 2014-02-12 2:36 GMT+01:00 Joe Osowski joe.osow...@gmail.com: I'm not able to authenticate tickets as my service URL changes inside the servlet container. My web application sits behind Nginx and it handles the HTTPS. The connector to tomcat is wired for http. Like so: https-Nginx-http-tomcat-servlet So when cas authenticates my user: /cas/login?service=https%3A%2F%2Fserver.org%2F and redirects back my server like so: https://server.org/?ticket=ST-4-cohYFICwLFQ2WkKqFfeU-cas By the time tomcat gets the request, it sees: http://server.org/?ticket=ST-4-cohYFICwLFQ2WkKqFfeU-cas Now when I do the proxy validate, CAS won't confirm the ticket as the service has changed. /cas/proxyValidate?service=https%3A%2F%2Fserver.org%2F&ticket=ST-4-cohYFICwLFQ2WkKqFfeU-cas Is there a way to turn off checking the protocol? -Joe
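Both service-mismatch failures in this archive, the stray `:/` in the perl-AuthCAS thread and the http/https flip behind Nginx in the thread above, can be read straight off the server's ERROR line. The following is an added example, not code from CAS or from either client: it pulls the issued and supplied service URLs out of such a line and names the component in which they differ. The log lines and host names are constructed in the shape of the ones quoted on this page, and the hint texts are illustrative.

```python
"""Explain a CAS 'service does not match' validation failure.

Added illustration; not code from CAS, perl-AuthCAS or the Java client.
"""
import re
from urllib.parse import urlsplit

# Shape of the server-side ERROR line quoted in the perl-AuthCAS thread.
# The bracket closing the issued service is optional because the archived
# line lacks it.
MISMATCH_RE = re.compile(
    r"ServiceTicket \[\s*(?P<ticket>[^\]\s]+)\s*\] with service "
    r"\[\s*(?P<issued>[^\]\s]+)\s*\]? does not match supplied service "
    r"\[\s*(?P<supplied>[^\]\s]+)\s*\]"
)

# Illustrative remediation hints, paraphrasing the replies in the two threads.
HINTS = {
    "scheme": "client rebuilt the URL from the request it saw; configure the "
              "public https:// prefix in the client's service/server name",
    "empty-port": "host and path were joined with a stray ':'",
    "double-slash": "host and path were joined with an extra '/'",
    "authority": "host or port differs from the one the ticket was issued for",
    "path": "path differs from the one the ticket was issued for",
    "query": "query string differs",
    "encoding-or-fragment": "components parse equal; compare raw encoding",
}


def first_divergence(a, b):
    """Index of the first differing character, or -1 if the strings are equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def explain_mismatch(issued, supplied):
    """Return short codes naming every component in which the URLs differ."""
    if issued == supplied:
        return []
    a, b = urlsplit(issued), urlsplit(supplied)
    codes = []
    if a.scheme != b.scheme:
        codes.append("scheme")
    if a.netloc != b.netloc:
        # "host:" with nothing after the colon is an empty port
        codes.append("empty-port" if b.netloc.endswith(":") else "authority")
    if a.path != b.path:
        codes.append("double-slash" if b.path.startswith("//") else "path")
    if a.query != b.query:
        codes.append("query")
    return codes or ["encoding-or-fragment"]


def diagnose(log_line):
    """Parse one ERROR line; return None if it is not a service mismatch."""
    m = MISMATCH_RE.search(log_line)
    if m is None:
        return None
    issued, supplied = m.group("issued"), m.group("supplied")
    at = first_divergence(issued, supplied)
    return {
        "ticket": m.group("ticket"),
        "issued": issued,
        "supplied": supplied,
        "codes": explain_mismatch(issued, supplied),
        "diverges_at": at,
        "issued_tail": issued[at:at + 12] if at >= 0 else "",
        "supplied_tail": supplied[at:at + 12] if at >= 0 else "",
    }


# Constructed log lines (not taken from a real server).
SAMPLE_MALFORMED = (
    "cas: ERROR ServiceTicket [ ST-1-constructedTicket-cas.example.edu] with "
    "service [ http://lists.example.edu/sso_login_succeeded/Login does not "
    "match supplied service "
    "[http://lists.example.edu://sso_login_succeeded/Login]"
)
SAMPLE_SCHEME = (
    "cas: ERROR ServiceTicket [ST-2-constructedTicket-cas.example.edu] with "
    "service [https://server.example.org/] does not match supplied service "
    "[http://server.example.org/]"
)

if __name__ == "__main__":
    for line in (SAMPLE_MALFORMED, SAMPLE_SCHEME):
        d = diagnose(line)
        print(d["ticket"], "diverges at", d["diverges_at"],
              repr(d["issued_tail"]), "vs", repr(d["supplied_tail"]))
        for code in d["codes"]:
            print("  ", code + ":", HINTS[code])
```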
Re: [cas-user] Ticket Expiration not working
How are you determining that you are still logged in? On Mon, Feb 3, 2014 at 10:39 PM, mmaceachran mmaceach...@yahoo.com wrote: All, I am using CAS 3.5.2 and I cannot seem to get my tickets to expire. I have changed ticketExperationPolicies.xml like this: <bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TicketGrantingTicketExpirationPolicy" p:maxTimeToLiveInSeconds="${tgt.maxTimeToLiveInSeconds:60}" p:timeToKillInSeconds="${tgt.timeToKillInSeconds:60}"/> I believe that this will expire after 1 min, but after a long period of inactivity, I am still logged in. Any ideas where I should look?
[cas-user] REMINDER: Send your proposals for the Open Apereo 2014 Conference (Jasig/Sakai)
All, please see the message below about the upcoming Open Apereo 2014 Conference. I hope you'll consider submitting a proposal. *---* *Time flies! The call for proposals for Open Apereo 2014 is open and the early decision deadline is almost here!* *Submit your proposal https://www.concentra-cms.com/cfp/p/OpenApereo2014 before January 21 for an early review decision by February 3.* *Submit your proposal by February 7 (the final CFP deadline) for decisions in March.* The Open Apereo conference is an exciting opportunity to collaborate with your peers in higher education. What makes the conference so compelling is YOU – your success stories and your amazing work. You may submit a presentation session, birds of a feather discussion, showcase night demonstration, or “flipped” presentation. We'd love to hear about: · Advances in teaching, learning, and research with technology · Identity and access management · New developments and features for products like uPortal, Sakai, Apereo OAE, CAS, ePortfolios, Bedework, and others · Exciting and innovative implementations of and integrations with Apereo and other open-source software · Information security · Learning analytics · Advocacy and awareness of open-source solutions · and more! The annual conference is a global networking point for developers, faculty, administrators, advocates, support specialists, and others in the open-source community. Join us in Miami, FL on June 1-4, 2014 to *Innovate, Incubate, Implement!* We look forward to your proposal! https://www.concentra-cms.com/cfp/p/OpenApereo2014 Sincerely, Ian Dolphin, Executive Director, Apereo Foundation Laura McCord, Open Apereo 2014 Planning Committee Chair Reba-Anna Lee, Open Apereo 2014 Program Committee Co-chair Alan Regan, Open Apereo 2014 Program Committee Co-chair
Re: [cas-user] CAS Automatic Login... best practices
That info should actually be available via the Inspektr library (I believe the ThreadLocal ClientInfoHolder is what you need).

Cheers, Scott

On Sat, Dec 28, 2013 at 3:56 AM, Idan Fridman id...@cellebrite.com wrote:

Hi, You were talking about authentication handlers. Is it possible to retrieve the service host/ip via that authentication handler? Because if you implement AuthenticationHandler you could get only the Credentials.

Thanks, Ray

- Reply message -
From: Jérôme LELEU lel...@gmail.com
To: cas-user@lists.jasig.org cas-user@lists.jasig.org
Subject: [cas-user] CAS Automatic Login... best practices
Date: Sat, Dec 28, 2013 09:53

Hi, OK. You don't need an auto login process here (as you don't have the user's password, which is a good thing), but as I also suggested, you need an authentication handler taking a username and an OTP (one-time password) = an authentication code, to authenticate a user. I would go that way. So you would have two authentication handlers, one processing user's login and password and one processing a username and an authentication code (which can be used only once).

Best regards, Jérôme

2013/12/27 Joe joe.osow...@gmail.com

Sorry, rereading what I want to do, I can see now how it's a bit misleading. So (on the application server side) I have authenticated the user via an authentication code, and have created the account. CAS has not yet authenticated the user. I want to tell CAS that the current user and session is authenticated without passing the password back over the public wire. (The application server might pass the user/password to CAS). I can think of a few ways to do this, but is there a recommended way?

-Joe
Re: [cas-user] Logging in JSON?
Obviously, let us know if that doesn't work. ;-)

On Dec 26, 2013 1:35 PM, Tom Poage tfpo...@ucdavis.edu wrote:

On 12/20/2013 07:49 PM, Scott Battaglia wrote:

Since we're actually depending on SLF4J, you should be free to swap out the default logger to whatever you prefer (just exclude log4j 1.2 and include your preferred).

I was hoping that was the case. :-) Thanks! Tom.
Re: [cas-user] Logging in JSON?
Since we're actually depending on SLF4J, you should be free to swap out the default logger to whatever you prefer (just exclude log4j 1.2 and include your preferred).

On Fri, Dec 20, 2013 at 3:34 PM, Tom Poage tfpo...@ucdavis.edu wrote:

Happy Friday. Anyone kicked around trying to change the CAS server build to emit logs as JSON? I was initially thinking of Inspektr audit entries (vs. multi-line or delimited audit logs) to allow easy parsing, filtering, etc. but other log sources might also benefit.

CAS (3.5.2, 4.0RC) uses slf4j, though underneath appears to bind to/rely on log4j 1.2 (perhaps I'm not reading the POM correctly). The log4j 1.2 source shows what it supports is rather archaic, e.g. RFC 3164 from circa 2001. Does the CAS server have known dependencies requiring log4j 1.2?

Seems there could be (at least) two ways to go: both log4j 2.x and an extension to Logback (Loggly) support JSON, not to mention a bunch of improved logging features. Don't want to (re)start any Stack Overflow wars, but preference? Any plans to update? Offhand I don't see anything related on issues.jasig.org.

http://logging.apache.org/log4j/2.x/manual/layouts.html
https://github.com/qos-ch/logback-extensions/wiki/Loggly
http://www.loggly.com/docs/log-types/

Thanks! Tom.
Re: [cas-user] Maven deleted my src folder when I packaged the deploymnetConfigContext.xml
I've never seen Maven delete the /src directory (clean only deletes build) so I unfortunately don't know what to say to you. There shouldn't be anything you have to do to avoid that situation. That said, I highly recommend you use a version control system in case something is deleted (i.e. Git, SVN, etc.)

On Thu, Dec 12, 2013 at 11:34 AM, allen joslin ajos...@epathlearning.com wrote:

Hi there, I was following the best practices tutorial and had created the $PROJECT_HOME/src/main/webapp/WEB-INF/ folder and put in the deployerConfigContext.xml file and did the: mvn clean package -- which worked just fine.

But the $PROJECT_HOME/src folder is then GONE, I don't think that's supposed to happen... I was given maven3 instead of maven2 on the machine I'm using -- did that cause the trouble? How can I avoid losing my additions?

thanks
Re: [cas-user] Slow throughput for CAS
Can you also post your other relevant configurations? I.e. thread pool sizes and other configuration for Tomcat and Apache as well as any relevant information about the AD server?

Thanks, Scott

On Tue, Nov 19, 2013 at 12:47 PM, Linda Toth ltt...@alaska.edu wrote:

Hello, We continue to see issues around CAS performance in conjunction with a remote LDAP server. First, we have read in this forum from several contributors that CAS performance exceeds the performances of its services. In an effort to understand why CAS is not performing at the levels others have reported, we are providing more details of our CAS implementation.

Tests:

Tests show that CAS plateaus at 9 *simultaneous* login attempts. At that point, the tester will aggregate logins and continue to push them through, but at some point the multi-tasking slows down to the point that Apache times out. The tests were isolated to authentication to confirm that communicating to client services did not affect the login rate. During tests, the CPU and Memory consumption remain at low levels. The priority of the task is set high enough to be handled immediately. There is nothing that suggests the disk may be thrashing due to swapping.

CAS Server:

- CAS is run on a VM hosted upon RHEL 6, with 4G memory, 1G PermGen. Allocated disk space for CAS is 1008M while total logging is 3G
- Tomcat 6 is the web server
- Authentication is handled via a remote AD LDAP server
- Apache handles SSL encryption/decryption between the user and CAS.

AD Server:

The AD environment is not clustered, so the load is not being balanced.

--
Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity and Access Management
910 Yukon Drive, Suite 103
907-450-8320
Fairbanks, Alaska 99775
linda.t...@alaska.edu | www.alaska.edu/oit/
Re: [cas-user] A Very Basic Question
Typically you'll need JDK1.6 or higher and a newer version of Tomcat (if your organization has not standardized on a particular version, the latest one is always a good choice). Beyond that depends on your requirements, i.e. high availability, load, etc.

On Thu, Oct 31, 2013 at 10:36 AM, Chris Singleton ch...@palnet.info wrote:

Greetings, My organization is planning to implement CAS for our multi-site library consortia in the coming months, and I'd like to get a feel for what sort of technical specifications are necessary for this. We'll most likely be running it on a virtualized Red Hat system, but Windows is an option. Specific information I'm looking for is recommended disk space allocation and possible dependency issues. I'm aware of the necessity of JDK 1.6 or higher, but not much else. Any information you have would be appreciated.

Thank you!
Christopher J Singleton
PALnet Application Specialist
Re: [cas-user] No logout callbacks from CAS 4.0.0-RC1
I don't really know if between RC1 and RC2 was really the right time to introduce changing the default behavior of the services management tool. I doubt everyone checks all of their services between new local CAS deployments.

On Tue, Oct 22, 2013 at 8:13 AM, Jérôme LELEU lel...@gmail.com wrote:

Hi, Yes, something has changed. Services are now by default not allowed to proxy (security reasons). So you may need to change that if you want to use a CAS service as a proxy.

Best regards, Jérôme

2013/10/22 tgjorgoski tgjorgo...@gmail.com

Thanks for the prompt reply! We moved to the 4.0.0-RC2-SNAPSHOT in our build, but now, upon the initial logging, we get the following message: Authentication Failed: service.not.authorized.proxy

Are there some additional considerations that we need to take into account in RC2 vs. RC1? In the CAS log there is the following:

[code]
2013-10-22 12:00:23,141 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - Authenticated tgjorgo...@gmail.com with credentials [tgjorgo...@gmail.com +password].
2013-10-22 12:00:23,145 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN = WHO: audit:unknown WHAT: supplied credentials: [tgjorgo...@gmail.com+password] ACTION: AUTHENTICATION_SUCCESS APPLICATION: CAS WHEN: Tue Oct 22 12:00:23 CEST 2013 CLIENT IP ADDRESS: 127.0.0.1 SERVER IP ADDRESS: 127.0.0.1 =
2013-10-22 12:00:23,149 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN = WHO: audit:unknown WHAT: TGT-1-nTCToQNaBckEsjMrXd7mSJ5Q55Eow162WiohuFoUNpJbthHVlU-cas01.example.org ACTION: TICKET_GRANTING_TICKET_CREATED APPLICATION: CAS WHEN: Tue Oct 22 12:00:23 CEST 2013 CLIENT IP ADDRESS: 127.0.0.1 SERVER IP ADDRESS: 127.0.0.1 =
2013-10-22 12:00:23,155 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ ST-1-WagZV4ScHyXSVwWgWpuC-cas01.example.org] for service [ https://localhost:8443/foo-service/j_spring_cas_security_check] for user [tgjorgo...@gmail.com]
2013-10-22 12:00:23,156 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN = WHO: tgjorgo...@gmail.com WHAT: ST-1-WagZV4ScHyXSVwWgWpuC-cas01.example.org for https://localhost:8443/foo-service/j_spring_cas_security_check ACTION: SERVICE_TICKET_CREATED APPLICATION: CAS WHEN: Tue Oct 22 12:00:23 CEST 2013 CLIENT IP ADDRESS: 127.0.0.1 SERVER IP ADDRESS: 127.0.0.1 =
2013-10-22 12:00:23,350 WARN [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceManagement: Service [https://localhost:8443/foo-service/j_spring_cas_security_check] attempted to proxy, but is not allowed.
2013-10-22 12:00:23,351 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN = WHO: tgjorgo...@gmail.com WHAT: service.not.authorized.proxy ACTION: PROXY_GRANTING_TICKET_NOT_CREATED APPLICATION: CAS WHEN: Tue Oct 22 12:00:23 CEST 2013 CLIENT IP ADDRESS: 127.0.0.1 SERVER IP ADDRESS: 127.0.0.1 =
[/code]
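An added example, not part of the thread and not CAS or Inspektr code: a Python parser for the Slf4j audit records quoted above that emits one JSON object per record, masks ticket ids before the data leaves the server, and flags failure actions such as the proxy denial. The sample input is constructed, and treating actions that end in `_NOT_CREATED` or `_FAILED` as failures is an assumption.

```python
import json
import re

# Field labels, in the order they appear in the audit records quoted in the thread.
FIELDS = ["WHO", "WHAT", "ACTION", "APPLICATION", "WHEN",
          "CLIENT IP ADDRESS", "SERVER IP ADDRESS"]

# Each label is followed by its value, which runs up to the next label. \s+ between
# fields accepts the flattened one-line form above as well as one field per line.
RECORD_RE = re.compile(
    r"Audit trail record BEGIN\s*=+\s*"
    + r"\s+".join(rf"{re.escape(f)}:\s*(?P<f{i}>.*?)" for i, f in enumerate(FIELDS))
    + r"\s*=+",
    re.DOTALL,
)

# Ticket ids are bearer secrets: keep type, sequence number and host suffix only.
TICKET_RE = re.compile(r"\b(TGT|ST|PGT|PT)-(\d+)-[A-Za-z0-9]+-([\w.-]+)")

# Assumption: actions that end in _NOT_CREATED or _FAILED are the ones to alert on.
FAILURE_RE = re.compile(r"_(NOT_CREATED|FAILED)$")


def parse_audit(text):
    """Return one dict per audit record in raw log text, with ticket ids masked."""
    records = []
    for m in RECORD_RE.finditer(text):
        rec = {f.lower().replace(" ", "_"): m.group(f"f{i}").strip()
               for i, f in enumerate(FIELDS)}
        rec["what"] = TICKET_RE.sub(r"\1-\2-****-\3", rec["what"])
        rec["failure"] = bool(FAILURE_RE.search(rec["action"]))
        records.append(rec)
    return records


def to_json_lines(text):
    """Serialize the parsed records as one JSON object per line."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in parse_audit(text))


# Constructed sample: two records in the flattened layout, with made-up ticket id and user.
SAMPLE = (
    "2013-10-22 12:00:23,149 INFO [Slf4jLoggingAuditTrailManager] - Audit trail record "
    "BEGIN = WHO: audit:unknown WHAT: TGT-1-ExampleSecret0000-cas01.example.org "
    "ACTION: TICKET_GRANTING_TICKET_CREATED APPLICATION: CAS "
    "WHEN: Tue Oct 22 12:00:23 CEST 2013 CLIENT IP ADDRESS: 127.0.0.1 "
    "SERVER IP ADDRESS: 127.0.0.1 = "
    "2013-10-22 12:00:23,351 INFO [Slf4jLoggingAuditTrailManager] - Audit trail record "
    "BEGIN = WHO: user@example.org WHAT: service.not.authorized.proxy "
    "ACTION: PROXY_GRANTING_TICKET_NOT_CREATED APPLICATION: CAS "
    "WHEN: Tue Oct 22 12:00:23 CEST 2013 CLIENT IP ADDRESS: 127.0.0.1 "
    "SERVER IP ADDRESS: 127.0.0.1 ="
)

if __name__ == "__main__":
    print(to_json_lines(SAMPLE))
```

Masking happens in the parser so that ticket-granting ticket ids never reach a log aggregator in usable form.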
Re: [cas-user] Auditing and Statistics Via Inspektr
Newer versions of Inspektr just do auditing. We use Perf4J for statistics. We should clean up that page to make that more clear.

On Thu, Oct 17, 2013 at 12:55 PM, Steve Cook steve.c...@humber.ca wrote:

Configuring CAS 3.5.2 to use Inspektr for auditing and statistics. I am using the documentation from https://wiki.jasig.org/display/CASUM/Auditing+and+Statistics+Via+Inspektr, the auditing is working great, but I am not getting any statistic data in the database, what am I missing?

Thanks again!
Steve
Re: [cas-user] Service Management
On Wed, Oct 2, 2013 at 7:28 PM, Kurt Jn Marie kurtjnma...@gmail.com wrote:

Hello All, I am new to CAS, but I have almost completed my CAS server configurations. I have a few questions of which I am hoping to get some answers from the CAS experts.

1. I am using mysql to manage services. After my first entry, I can no longer access the services management page https://cas.domainname.com:8443/cas/services/. If I delete the entries from the database, I am able to access the service management page once again. In the cas documentation, it states that the first service that should be added is the service itself. Can someone tell me the purpose of the service management page? Do I need to add the URL for each of my applications that will be authenticating through cas in service management?

You should add each service (services can either be the exact url, an Ant pattern, or a RegEx expression) that will be accessing CAS to the services management tool.

2. How do I add additional services to service management after the first one is added?

The first service you add should match the service management tool itself (i.e. https://cas.domainname.com:8443/cas/services) as the tool itself authenticates through CAS. Which version of CAS are you using? I thought we had a notice on the management page that gave the url to add.

Cheers, Scott

Thanks, Kurt