<https://apereo.github.io/cas/5.2.x/installation/Configuring-Servlet-Container.html#external> External
A CAS deployment may be deployed to any number of external servlet containers. The container MUST support the servlet specification v3.1.x at a minimum.

https://apereo.github.io/cas/5.2.x/installation/Configuring-Servlet-Container.html

On Saturday, February 10, 2018, Brian Davidson <[email protected]> wrote:

> I meant to add, our pom.xml has the following dependencies (in case we’re
> missing something):
>
>     <dependencies>
>         <dependency>
>             <groupId>org.apereo.cas</groupId>
>             <artifactId>cas-server-webapp-${app.server}</artifactId>
>             <version>${cas.version}</version>
>             <type>war</type>
>             <scope>runtime</scope>
>         </dependency>
>         <dependency>
>             <groupId>org.apereo.cas</groupId>
>             <artifactId>cas-server-support-ldap</artifactId>
>             <version>${cas.version}</version>
>         </dependency>
>         <dependency>
>             <groupId>org.apereo.cas</groupId>
>             <artifactId>cas-server-support-saml</artifactId>
>             <version>${cas.version}</version>
>         </dependency>
>         <dependency>
>             <groupId>org.apereo.cas</groupId>
>             <artifactId>cas-server-support-hazelcast-ticket-registry</artifactId>
>             <version>${cas.version}</version>
>         </dependency>
>         <dependency>
>             <groupId>org.apereo.cas</groupId>
>             <artifactId>cas-server-support-duo</artifactId>
>             <version>${cas.version}</version>
>         </dependency>
>         <dependency>
>             <groupId>org.apereo.cas</groupId>
>             <artifactId>cas-server-support-json-service-registry</artifactId>
>             <version>${cas.version}</version>
>         </dependency>
>         <dependency>
>             <groupId>org.javassist</groupId>
>             <artifactId>javassist</artifactId>
>             <version>3.17.1-GA</version>
>         </dependency>
>         <dependency>
>             <groupId>javax.servlet</groupId>
>             <artifactId>servlet-api</artifactId>
>             <version>2.5</version>
>             <type>jar</type>
>         </dependency>
>         <dependency>
>             <groupId>org.apereo.cas</groupId>
>             <artifactId>cas-server-core-webflow</artifactId>
>             <version>${cas.version}</version>
>         </dependency>
>         <dependency>
>             <groupId>org.apereo.cas</groupId>
>             <artifactId>cas-server-core-web</artifactId>
>             <version>${cas.version}</version>
>             <type>jar</type>
>         </dependency>
>         <dependency>
>             <groupId>org.apereo.cas</groupId>
>             <artifactId>cas-server-core-configuration</artifactId>
>             <version>${cas.version}</version>
>             <type>jar</type>
>         </dependency>
>         <dependency>
>             <groupId>org.apereo.cas</groupId>
>             <artifactId>cas-server-core-authentication</artifactId>
>             <version>${cas.version}</version>
>         </dependency>
>     </dependencies>
>
> On Feb 9, 2018, at 5:19 PM, Man H <[email protected]> wrote:
>
> add
>
>     <dependency>
>         <groupId>org.apereo.cas</groupId>
>         <artifactId>cas-server-core-authentication</artifactId>
>         <version>${cas.version}</version>
>     </dependency>
>
> with:
>
>     cas.authn.mfa.duo[0].bypass.type=GROOVY
>     cas.authn.mfa.duo[0].bypass.groovy.location=file:/etc/cas/config/mfaGroovyTrigger.groovy
>
> you should get
>
>     2018-02-09 19:10:39,145 DEBUG [org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] - <Evaluating multifactor authentication bypass properties for principal [casuser], service [null] and provider [DefaultDuoMultifactorAuthenticationProvider] via Groovy script [URL [file:/etc/cas/config/mfaGroovyTrigger.groovy]]>
>
> 2018-02-09 17:11 GMT-03:00 Brian Davidson <[email protected]>:
>
>> Just to add a bit to what Brian M. provided (I’m also a Brian, and a
>> co-worker of Brian M’s):
>>
>> We have Duo MFA working if we comment out:
>>
>>     cas.authn.mfa.duo[0].bypass.type=GROOVY
>>     cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
>>
>> We did find that CAS was unable to check to see if the user exists in Duo
>> if we used the “CAS” integration in Duo. But it works if we set up the
>> integration as “Auth API”.
>>
>> We haven’t touched webflow. With the groovy script in place,
>>
>> When we enable GROOVY bypass script, we get:
>>
>>     2018-02-09 15:04:55,638 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Attempting to handle [org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'] with root cause [java.io.NotSerializableException: org.springframework.core.io.UrlResource]>
>>
>> As well as the stack trace Brian M. provided.
>>
>> cas.authn.mfa.duo[0].bypass.groovy.location was the missing piece
>> yesterday. Dug through source code to find that. We’re happy to provide
>> updates to the documentation once we get this working.
>>
>> Thanks for the help!
>>
>> On Feb 9, 2018, at 10:14 AM, brian mancuso <[email protected]> wrote:
>>
>> Anything that says "REMOVED" is just stuff I pulled out before posting
>> it. I didn't want to post any private/sensitive information.
>>
>> On Friday, February 9, 2018 at 9:59:12 AM UTC-5, Manfredo Hopp wrote:
>>>
>>> What do you mean by REMOVED in properties?
>>>
>>> On Friday, February 9, 2018, brian mancuso <[email protected]> wrote:
>>>
>>>> Hey all,
>>>>
>>>> I was originally trying to set up some custom triggers to determine who
>>>> should use MFA and who is allowed to bypass. I have since been directed
>>>> towards Groovy to simplify things, but I'm still having some trouble.
>>>>
>>>> At this point, the Groovy script's purpose is strictly to test if a
>>>> certain user will bypass MFA while others will not. Here's my setup:
>>>>
>>>> */etc/cas/config/cas.properties*
>>>>
>>>>     ##
>>>>     # Duo security 2fa authentication provider
>>>>     # https://www.duosecurity.com/docs/duoweb#1.-generate-an-akey
>>>>     #
>>>>     cas.authn.mfa.duo[0].rank=0
>>>>     cas.authn.mfa.duo[0].duoApiHost=REMOVED
>>>>     cas.authn.mfa.duo[0].duoIntegrationKey=REMOVED
>>>>     cas.authn.mfa.duo[0].duoSecretKey=REMOVED
>>>>     cas.authn.mfa.duo[0].duoApplicationKey=REMOVED
>>>>     cas.authn.mfa.duo[0].id=mfa-duo
>>>>     cas.authn.mfa.globalProviderId=mfa-duo
>>>>     cas.authn.mfa.globalFailureMode=OPEN
>>>>     cas.authn.mfa.duo[0].bypass.type=GROOVY
>>>>     cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
>>>>
>>>> */etc/cas/selectiveDuo.groovy*
>>>>
>>>>     def boolean run(final Object... args) {
>>>>         def authentication = args[0]
>>>>         def principal = args[1]
>>>>         def service = args[2]
>>>>         def provider = args[3]
>>>>         def logger = args[4]
>>>>         def httpRequest = args[5]
>>>>
>>>>         logger.info("Evaluating principal attributes ${principal.attributes}")
>>>>
>>>>         def bypass = principal.attributes['uid']
>>>>         if (bypass.contains("testuser") && provider.id == "mfa-duo") {
>>>>             logger.info("Skipping bypass for principal ${principal.id}")
>>>>             return false
>>>>         }
>>>>
>>>>         return true
>>>>     }
>>>>
>>>> When I try to log in though, whenever a user would be sent to DUO, I get
>>>> a 500 error:
>>>>
>>>> <https://lh3.googleusercontent.com/-bqF7r6WYFDU/Wn2r6Zgza6I/AAAAAAAASso/CtOtDNX7IF0Y2Ua0Eb8GyWbXuYdCSbEJgCLcBGAs/s1600/Screen%2BShot%2B2018-02-09%2Bat%2B9.10.22%2BAM.png>
>>>>
>>>> Here's a small snippet from the output:
>>>>
>>>>     2018-02-09 09:04:05,717 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception due to a type mismatch>
>>>>     org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>>>         at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_151]
>>>>
>>>>     Caused by: org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException: Error encoding flow execution
>>>>         at org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.getKey(ClientFlowExecutionRepository.java:114) ~[spring-webflow-client-repo-1.0.3.jar:1.0.3]
>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.assignKey(FlowExecutionImpl.java:419) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.assignFlowExecutionKey(RequestControlContextImpl.java:193) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>>>
>>>>     Caused by: java.io.NotSerializableException: org.springframework.core.io.UrlResource
>>>>         at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184) ~[?:1.8.0_151]
>>>>         at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
>>>>         at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]
>>>>         at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432) ~[?:1.8.0_151]
>>>>         at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178) ~[?:1.8.0_151]
>>>>         at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
>>>>         at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]
>>>>
>>>>     2018-02-09 09:04:05,717 ERROR [org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to error page from request [/login] due to exception [Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo']>
>>>>     org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>>>         at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_151]
>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_151]
>>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_151]
>>>>         at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_151]
>>>>
>>>>     Caused by: org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException: Error encoding flow execution
>>>>         at org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.getKey(ClientFlowExecutionRepository.java:114) ~[spring-webflow-client-repo-1.0.3.jar:1.0.3]
>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.assignKey(FlowExecutionImpl.java:419) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.assignFlowExecutionKey(RequestControlContextImpl.java:193) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>>>         at org.springframework.webflow.engine.ViewState.doEnter(ViewState.java:170) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>>>         at org.springframework.webflow.engine.State.enter(State.java:194) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>>>         at org.springframework.webflow.engine.Transition.execute(Transition.java:228) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>>>         at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>>>         at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>>>
>>>>     Caused by: java.io.NotSerializableException: org.springframework.core.io.UrlResource
>>>>         at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184) ~[?:1.8.0_151]
>>>>         at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
>>>>         at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]
>>>>         at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432) ~[?:1.8.0_151]
>>>>         at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178) ~[?:1.8.0_151]
>>>>         at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
>>>>         at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]
>>>>         at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432) ~[?:1.8.0_151]
>>>>
>>>> I posted the output to pastebin since it was too large for just posting
>>>> here: https://pastebin.com/yNPk4u7n
>>>>
>>>> --
>>>> - Website: https://apereo.github.io/cas
>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>> - Contributions: https://goo.gl/mh7qDG
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/b3ba67e2-e0ca-4a8e-853b-041343564b9f%40apereo.org
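A hardened form of the selectiveDuo.groovy bypass script quoted in the thread, as an added example that is not part of the original messages or of CAS itself. It assumes the same positional arguments and the same return convention as the quoted script (false lets the principal skip Duo, true requires it); the allowlist contents and the helper name mayBypass are hypothetical.

```groovy
// Added example: not from the thread or from the CAS project.
// Assumption: args arrive in the same order as in the quoted script, and
// returning false skips MFA while returning true requires it.

def boolean run(final Object... args) {
    def principal = args[1]
    def provider = args[3]
    def logger = args[4]

    try {
        if (mayBypass(principal?.attributes?.get('uid'), provider?.id)) {
            logger.info("MFA bypass granted to principal ${principal.id} for provider ${provider.id}")
            return false
        }
    } catch (Exception e) {
        // An error while reading attributes must never turn into a bypass.
        logger.warn("Bypass evaluation failed, requiring MFA: ${e.message}")
    }
    // Default for everyone else, and for every error path: MFA is required.
    return true
}

// Hypothetical helper: true only when the principal carries exactly one uid
// value, that value is an exact allowlist entry, and the provider is mfa-duo.
def boolean mayBypass(final Object uidAttribute, final Object providerId) {
    // Constructed allowlist; keep it short and reviewed.
    def bypassUids = ['testuser'] as Set

    // The attribute may be a single value or a collection. On a String,
    // contains() is a substring test, so a uid such as "testuser2" would
    // satisfy contains("testuser"); compare whole values instead.
    def uids = []
    if (uidAttribute instanceof Collection) {
        uids = uidAttribute.findAll { it != null }.collect { it.toString() }
    } else if (uidAttribute != null) {
        uids = [uidAttribute.toString()]
    }

    // A missing or multi-valued uid is ambiguous: no bypass.
    if (uids.size() != 1) {
        return false
    }
    return providerId == 'mfa-duo' && bypassUids.contains(uids[0])
}
```

Because every path other than an exact allowlist match returns true, a missing uid attribute or an exception inside the script results in a Duo prompt rather than a skipped second factor.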
