Hi all,

I am moving from 6.5 to 6.6 and all is going well. In the end, if I follow 
the guidance provided in the error message and the documentation, this 
still fails.  The difference is simple: iteration vs iterations.

I just wanted to point out that this particular property does not work. I 
am setting this through the startup command; it also doesn't work when set 
as an environment variable.

   - The first option is the documented property name. Please see 6.6.X > 
   Configuration > Securing Configuration Properties 
   
<https://apereo.github.io/cas/6.6.x/configuration/Configuration-Properties-Security-CAS.html#casstandaloneconfigurationsecurityinitializationvectorPropertyConfig>
   - It fails to work, CAS shuts down after the first attempted access of 
   an encrypted property. 

--cas.standalone.configuration-security.iteration=35
or
export CAS_STANDALONE_CONFIGURATION_SECURITY_ITERATION=35



   - The second option is not in the documentation
   - It does work
   - It returns an ERROR 
   [cas.configuration.CasConfigurationPropertiesValidator] -- full message 
   below.
   - If I use this property but set the value to anything but the 
   originally used iteration (say 39 for example) it fails just as though I had 
   used the documented property name.
      - this tells me it is actually working and not relying on  the 
      default.
   

--cas.standalone.configuration-security.iterations=35
or
export CAS_STANDALONE_CONFIGURATION_SECURITY_ITERATIONS=35


HERE is the message.

Failed to bind properties under 'cas' to 
org.apereo.cas.configuration.CasConfigurationProperties 
cas.standalone.configuration-security.iterations = 35 (Origin: 
"cas.standalone.configuration-security.iterations" from property source 
"commandLineArgs")

Listed settings above are no longer recognized by CAS 
6.6.12. They may have been renamed, removed, or relocated to a new 
namespace in the CAS configuration schema. CAS will ignore such settings to 
proceed with its normal initialization sequence. Please consult the CAS 
documentation to review and adjust each setting to find an alternative or 
remove the definition from the property source. Failure to do so puts the 
server stability in danger and complicates future upgrades.

I will follow the guidance when the property actually works.

I bring this up because it does not.  In the past when I brought this up 
there has been an assertion that it can't be broken because the unit test 
passes.  Ultimately I'm seeing that, because of the path of execution, 
whatever the unit test coverage, it isn't covering the way the property is 
used.

On Wednesday, September 7, 2022 at 5:03:10 PM UTC-5 Ray Bon wrote:

> Andrew,
>
> CamelCase or kabob-case does not matter, spring handles both (kabob is 
> newer).
> The options should have the same name regardless of where they are set. 
> What differs is when they are processed during startup. Some other step is 
> getting in the way for the property file, but it sounds like the developers 
> know there is a problem with that 'other step'.
>
> Ray
>
> On Wed, 2022-09-07 at 13:02 -0700, Andrew Marker wrote:
>
> Notice: This message was sent from outside the University of Victoria 
> email system. Please be cautious with links and sensitive information. 
>
> Hi Ray, 
>
> Thanks for the response.
>
> I initially found the issue I have described and provided the messages for 
> when I was running v6.3.7.4.  It was not related to that version but it was 
> at that point I was trying for the first time to encrypt properties.
>
> I reached out to Unicon (in March 2022), with whom my organization 
> contracts for open source support. I was looking for help to encrypt 
> properties and I was trying to follow the guidance I could find in the CAS 
> documentation.
>
> After beginning the conversation much the way you have by identifying the 
> properties as they are documented, we finally got beyond the point where we 
> just refer to the documentation or the code references and through testing 
> re-affirmed the failure I am describing. 
>
> I was told that it will be fixed in a future version, an answer that 
> satisfied my need as I could continue to leverage the camelCase as 
> described in the quasi official CAS how-to blog 
> <https://fawnoos.com/2019/05/08/cas61x-jasypt-encryption/> .  Today, in 
> v6.5.9 it still works with camelCase.
>
> I'm trying to surface the issue now because with the move to v6.5.9 during 
> my review the error message appeared at startup.
>
> -- You cannot use the property as documented 
> <https://apereo.github.io/cas/6.5.x/configuration/Configuration-Properties-Security.html#standalone>
>  
> or referred to in the Class you sent.   It just does not work when placed 
> in a commandLineArgs collection.
>
>
> If I use:
>
> *--cas.standalone.configuration-security.iterations=999*
> *--cas.standalone.configurationSecurity.iterations=999*
>
> 2022-09-07 14:39:35,708 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] 
> - <Configured Jasypt algorithm [PBEWithMD5AndTripleDES]>
>
> 2022-09-07 14:39:35,710 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] 
> - <Configured Jasypt password>
>
> 2022-09-07 14:39:35,710 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] 
> - <Configured Jasypt provider>
>
> 2022-09-07 14:39:35,717 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] 
> - <Configured Jasypt iterations>
>
> ........
>
> 2022-09-07 14:39:38,243 TRACE [org.apereo.cas.util.crypto.CipherExecutor] 
> - <Attempting to decode key [cas.authn.ldap[0].bindCredential]>
>
> 2022-09-07 14:39:38,243 TRACE [org.apereo.cas.util.crypto.CipherExecutor] 
> - <Initializing Jasypt...>
>
> 2022-09-07 14:39:38,303 TRACE [org.apereo.cas.util.crypto.CipherExecutor] 
> - <Decrypting value 
> [wLG8ti97SbbrP04JdOR4vW08qBOEd1c5yB9n4eMMNeNGQCVzoogUGA==]...>
>
> 2022-09-07 14:39:38,319 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] 
> - <Decrypted value 
> [wLG8ti97SbbrP04JdOR4vW08qBOEd1c5yB9n4eMMNeNGQCVzoogUGA==] successfully.>
>
>
> When I use what is documented:
>
> *--cas.standalone.configuration-security.iteration=999*
>
> 2022-09-07 14:32:13,852 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] 
> - <Configured Jasypt algorithm [PBEWithMD5AndTripleDES]>
>
> 2022-09-07 14:32:13,853 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] 
> - <Configured Jasypt password>
>
> 2022-09-07 14:32:13,853 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] 
> - <Configured Jasypt provider>
>
>       NO ITERATOR Picked up           
>
> .......
>
> 2022-09-07 14:32:16,279 TRACE [org.apereo.cas.util.crypto.CipherExecutor] 
> - <Attempting to decode key [cas.authn.ldap[0].bindCredential]>
>
> 2022-09-07 14:32:16,279 TRACE [org.apereo.cas.util.crypto.CipherExecutor] 
> - <Initializing Jasypt...>
>
> 2022-09-07 14:32:16,363 TRACE [org.apereo.cas.util.crypto.CipherExecutor] 
> - <Decrypting value 
> [wLG8ti97SbbrP04JdOR4vW08qBOEd1c5yB9n4eMMNeNGQCVzoogUGA==]...>
>
> 2022-09-07 14:32:16,416 ERROR [org.apereo.cas.util.crypto.CipherExecutor] 
> - <*Could not decrypt value* 
> [{cas-cipher}wLG8ti97SbbrP04JdOR4vW08qBOEd1c5yB9n4eMMNeNGQCVzoogUGA==]>
>
>
> *-------------------------------------------------------*
>
> If the fact is:  The documentation and class say: *iteration* but the 
> command line uses *iterations* and that is intentional, it is confusing.  
>  
>
> If this is good grammar and the tech document requires you to know the 
> difference to make a jump from the literally represented value to the 
> contextual place to use one vs the other.  Man it would be great if that 
> was explained in the documentation. I've always been able to just use the 
> property as documented.
>
>
> On Tuesday, September 6, 2022 at 3:58:40 PM UTC-5 Ray Bon wrote:
>
> Andrew,
>
> The current property is 'iteration'; 
> https://github.com/apereo/cas/blob/6.5.x/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/core/config/standalone/StandaloneConfigurationSecurityProperties.java
>
> 'iterations' "worked" because the real default was used; since 'Failed to 
> bind properties' message was printed.
> Maybe setting debug/trace logging for org.apereo.cas.util will provide 
> some more insight.
>
> Ray
>
> On Tue, 2022-09-06 at 11:40 -0700, Andrew Marker wrote:
>
>
>
> In my CAS instance:
> These are working with error message: 
> * *cas.standalone.configuration-security.iterations*
> * *cas.standalone.configurationsecurity.iterations*
>
>
> This is what is documented and it fails:
>
> * *cas.standalone.configuration-security.iteration*
>
> On Tuesday, September 6, 2022 at 1:34:03 PM UTC-5 Andrew Marker wrote:
>
> *The warning message about the property seems to be incorrect, and using 
> the documented property seems to lead to failure.*
>
> Today, I was testing a move from v6.5.7 to v6.5.9 and I saw a warning that 
> I did not see in the previous version at runtime.  I'm not having a 
> functional problem, but there seems to be a disconnect between the code and 
> the documentation. 
>
> When I start CAS, I am seeing the following ERROR.
>
> Failed to bind properties under 'cas' to 
> org.apereo.cas.configuration.CasConfigurationProperties
>
>     *cas.standalone.configurationsecurity.iterations *= 999 (Origin: 
> "cas.standalone.configurationSecurity.iterations" from property source 
> "commandLineArgs")
>
> ----------------------------
>
> The documented property is:
>
> *cas.standalone.configuration-security.iteration*=999
>
> 2022-09-06 12:58:30,001 ERROR [org.apereo.cas.util.crypto.CipherExecutor] 
> - <Could not decrypt value [{cas-cipher}someawesometext]
>
> *> It appears the documented property does not work*
>
> *----------------------*
>
> *To try to understand the scope I tried the following:*
>
> 2022-09-06 13:13:22,629 ERROR 
> [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - <
>
> Failed to bind properties under 'cas' to 
> org.apereo.cas.configuration.CasConfigurationProperties
>
>     *cas.standalone.configuration-security.iterations* = 999
>
> This however seemed still to function.
>
> *----------------------*
>
> In the event my original was incorrect and being ignored giving way to the 
> default, I tried what is posted.
>
> *cas.standalone.configuration-security.iteration=0*
>
> This too led to a fail to decrypt message.
>
> *----------------------*
>
> Using the old naming convention, I pass 
>
>
>    - iterations
>    - password
>    - provider (SunJCE).
>
> I've never needed to pass: 
>
>
>    - Algorithm
>    - Initialization vector
>
> Is there some additional requirement necessary to move to the new property 
> names?
>
>
> -- 
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca
>
> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional 
> territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ 
> peoples whose historical relationships with the land continue to this day.
>
>
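
Added example, not part of the thread and not CAS or Jasypt code: why a value encrypted at one iteration count (35 in the post above) cannot be decrypted at another (39 or 999), shown with the JDK's own PBEWithMD5AndTripleDES, the algorithm named in the debug log. The class name, password, salt and secret are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public class PbeIterationDemo {
    // Algorithm name as it appears in the CipherExecutor debug log.
    private static final String ALGORITHM = "PBEWithMD5AndTripleDES";

    // Constructed sample values, not taken from any real deployment.
    private static final char[] PASSWORD = "constructed-demo-password".toCharArray();
    private static final byte[] SALT = {1, 2, 3, 4, 5, 6, 7, 8};
    private static final byte[] SECRET =
            "constructed-bind-credential".getBytes(StandardCharsets.UTF_8);

    // The iteration count feeds the key derivation, so it is part of the key material.
    static byte[] run(int mode, byte[] input, int iterations) throws GeneralSecurityException {
        SecretKey key = SecretKeyFactory.getInstance(ALGORITHM)
                .generateSecret(new PBEKeySpec(PASSWORD));
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(mode, key, new PBEParameterSpec(SALT, iterations));
        return cipher.doFinal(input);
    }

    // True only when decryption succeeds AND yields the original plaintext.
    static boolean decryptsCorrectly(byte[] ciphertext, int iterations) {
        try {
            return Arrays.equals(SECRET, run(Cipher.DECRYPT_MODE, ciphertext, iterations));
        } catch (GeneralSecurityException e) {
            return false; // a wrong derived key normally surfaces as a padding error
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] ciphertext = run(Cipher.ENCRYPT_MODE, SECRET, 35);
        for (int iterations : new int[] {35, 39, 999}) {
            System.out.printf("iterations=%d -> %s%n", iterations,
                    decryptsCorrectly(ciphertext, iterations) ? "decrypted" : "could not decrypt");
        }
    }
}
```

Only the count used at encryption time decrypts, so a setting that is silently not bound (leaving some other count in effect) shows up as a decryption failure at the first encrypted property rather than as a configuration error.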
