Re: [cas-user] Custom OAuth Protected Service

2016-03-31 Thread Jérôme LELEU 
Hi,

OK. You raise a use case we don't really think about, but calling the
/oauth2.0/profile url to get the user profile is already an access token
validation process as if the access token is not valid, you won't get any
user profile.

Can you open an issue for that use case? So we can think how we should
properly handle that (for 4.3).

Thanks.
Best regards,
Jérôme


2016-03-30 8:27 GMT+02:00 Uwe Wolfinger :

> The goal that i want to achieve is to call a custom rest service, in a
> custom webapp (e.g. /myapp/rest/data), which should be secured with an
> access_token. So i don't want to use /oauth2.0/profile, as its of no use
> for my case.
>
> So far i know how to get an access_token, but the open question is how to
> secure the custom service.
>
> Kind regards,
> Uwe
>
> Am Mittwoch, 30. März 2016 08:09:52 UTC+2 schrieb leleuj:
>>
>> Hi,
>>
>> I'm not sure to understand what you want to do exactly. CAS server v4.2
>> provides an OAuth server support for the authorization code grant type, so
>> any OAuth client or so (properly configured) will be able to connect with
>> the CAS server.
>>
>> For sure, the CasOAuthWrapperClient (
>> https://github.com/pac4j/pac4j/blob/master/pac4j-oauth/src/main/java/org/pac4j/oauth/client/CasOAuthWrapperClient.java)
>> provided with pac4j works perfectly with it as most tests have been done
>> with it (see this demo: https://github.com/leleuj/cas-pac4j-oauth-demo
>> or this one: https://github.com/pac4j/play-pac4j-java-demo).
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>>
>> 2016-03-29 15:35 GMT+02:00 Uwe Wolfinger :
>>
>>> Thank you very much for the quick response.
>>>
>>> So if i have a custom webapp, this means that i have to write my own
>>> controller that extends BaseOAuthWrapperController. Will this work in a
>>> standalone app, or has this controller to reside within the cas.war? Are
>>> there any plans to provide a servlet filter (like
>>> org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter)
>>> for this kind of authentication?
>>>
>>> Another question concerns the access_token expiration: what is the
>>> expiration time of this ticket (the same as the normal cas ticket?) and is
>>> there a service, where i can refresh the access_token?
>>>
>>> Kind regards,
>>> Uwe
>>>
>>> Am Dienstag, 29. März 2016 15:24:48 UTC+2 schrieb leleuj:

 Hi,

 Yes, /oauth2.0/profile is the only OAuth url, protected by access
 tokens. The /oauth2.0/authorize is the endpoint to call to start the
 authorization (/ authentication) process and get an access token.
 Then, you need to implement the check on the access token like it's
 done in the
 https://github.com/Jasig/cas/blob/4.2.x/cas-server-support-oauth/src/main/java/org/jasig/cas/support/oauth/web/OAuth20ProfileController.java

 Thanks.
 Best regards,
 Jérôme



 2016-03-29 15:17 GMT+02:00 Uwe Wolfinger :

> i have just installed cas version 4.2.0 with a ldap backend. Login
> works fine, now i tried to get the oauth system working, but unfortunately
> i got stuck.
>
> what i did so for:
> - enabled the oauth server mode
> - i am able to get an access_token but now the question is, how to use
> this access token.
>
> My goal would be to write a custom rest service and secure this
> service via oauth. So far i can only find the */oauth2.0/profile *service
> where i can use the access_token.
>
> So my question is, is this the only service that is protected by
> oauth? If no, how can i configure a custom service (in a client webapp - 
> as
> i would do it as a standard cas client), that ist protected by oauth.
>
> Kind Regards,
> Uwe
>
> --
> You received this message because you are subscribed to the Google
> Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to cas-user+u...@apereo.org.
> Visit this group at
> https://groups.google.com/a/apereo.org/group/cas-user/.
>

 --
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cas-user+u...@apereo.org.
>>> Visit this group at
>>> https://groups.google.com/a/apereo.org/group/cas-user/.
>>>
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/
> .
>

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.

Re: [cas-user] Custom OAuth Protected Service

2016-03-31 Thread Uwe Wolfinger 
Please let me know how and where to open the issue.

Kind regards,
Uwe

Am Donnerstag, 31. März 2016 09:21:13 UTC+2 schrieb leleuj:
>
> Hi,
>
> OK. You raise a use case we don't really think about, but calling the 
> /oauth2.0/profile url to get the user profile is already an access token 
> validation process as if the access token is not valid, you won't get any 
> user profile.
>
> Can you open an issue for that use case? So we can think how we should 
> properly handle that (for 4.3).
>
> Thanks.
> Best regards,
> Jérôme
>
>
> 2016-03-30 8:27 GMT+02:00 Uwe Wolfinger >
> :
>
>> The goal that i want to achieve is to call a custom rest service, in a 
>> custom webapp (e.g. /myapp/rest/data), which should be secured with an 
>> access_token. So i don't want to use /oauth2.0/profile, as its of no use 
>> for my case.
>>
>> So far i know how to get an access_token, but the open question is how to 
>> secure the custom service.
>>
>> Kind regards,
>> Uwe
>>
>> Am Mittwoch, 30. März 2016 08:09:52 UTC+2 schrieb leleuj:
>>>
>>> Hi,
>>>
>>> I'm not sure to understand what you want to do exactly. CAS server v4.2 
>>> provides an OAuth server support for the authorization code grant type, so 
>>> any OAuth client or so (properly configured) will be able to connect with 
>>> the CAS server.
>>>
>>> For sure, the CasOAuthWrapperClient (
>>> https://github.com/pac4j/pac4j/blob/master/pac4j-oauth/src/main/java/org/pac4j/oauth/client/CasOAuthWrapperClient.java)
>>>  
>>> provided with pac4j works perfectly with it as most tests have been done 
>>> with it (see this demo: https://github.com/leleuj/cas-pac4j-oauth-demo 
>>> or this one: https://github.com/pac4j/play-pac4j-java-demo).
>>>
>>> Thanks.
>>> Best regards,
>>> Jérôme
>>>
>>>
>>>
>>> 2016-03-29 15:35 GMT+02:00 Uwe Wolfinger :
>>>
 Thank you very much for the quick response.

 So if i have a custom webapp, this means that i have to write my own 
 controller that extends BaseOAuthWrapperController. Will this work in a 
 standalone app, or has this controller to reside within the cas.war? Are 
 there any plans to provide a servlet filter (like 
 org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter) 
 for this kind of authentication?

 Another question concerns the access_token expiration: what is the 
 expiration time of this ticket (the same as the normal cas ticket?) and is 
 there a service, where i can refresh the access_token?

 Kind regards,
 Uwe

 Am Dienstag, 29. März 2016 15:24:48 UTC+2 schrieb leleuj:
>
> Hi,
>
> Yes, /oauth2.0/profile is the only OAuth url, protected by access 
> tokens. The /oauth2.0/authorize is the endpoint to call to start the 
> authorization (/ authentication) process and get an access token.
> Then, you need to implement the check on the access token like it's 
> done in the 
> https://github.com/Jasig/cas/blob/4.2.x/cas-server-support-oauth/src/main/java/org/jasig/cas/support/oauth/web/OAuth20ProfileController.java
>
> Thanks.
> Best regards,
> Jérôme
>
>
>
> 2016-03-29 15:17 GMT+02:00 Uwe Wolfinger :
>
>> i have just installed cas version 4.2.0 with a ldap backend. Login 
>> works fine, now i tried to get the oauth system working, but 
>> unfortunately 
>> i got stuck.
>>
>> what i did so for:
>> - enabled the oauth server mode
>> - i am able to get an access_token but now the question is, how to 
>> use this access token.
>>
>> My goal would be to write a custom rest service and secure this 
>> service via oauth. So far i can only find the */oauth2.0/profile 
>> *service 
>> where i can use the access_token.
>>
>> So my question is, is this the only service that is protected by 
>> oauth? If no, how can i configure a custom service (in a client webapp - 
>> as 
>> i would do it as a standard cas client), that ist protected by oauth.
>>
>> Kind Regards,
>> Uwe
>>
>> -- 
>> You received this message because you are subscribed to the Google 
>> Groups "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, 
>> send an email to cas-user+u...@apereo.org.
>> Visit this group at 
>> https://groups.google.com/a/apereo.org/group/cas-user/.
>>
>
> -- 
 You received this message because you are subscribed to the Google 
 Groups "CAS Community" group.
 To unsubscribe from this group and stop receiving emails from it, send 
 an email to cas-user+u...@apereo.org.
 Visit this group at 
 https://groups.google.com/a/apereo.org/group/cas-user/.

>>>
>>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+u...@apereo.org .
>> Visit this group a

Re: [cas-user] Custom OAuth Protected Service

2016-03-31 Thread Jérôme LELEU 
On Github: https://github.com/Jasig/cas/issues/new ...

2016-03-31 10:20 GMT+02:00 Uwe Wolfinger :

> Please let me know how and where to open the issue.
>
> Kind regards,
> Uwe
>
> Am Donnerstag, 31. März 2016 09:21:13 UTC+2 schrieb leleuj:
>>
>> Hi,
>>
>> OK. You raise a use case we don't really think about, but calling the
>> /oauth2.0/profile url to get the user profile is already an access token
>> validation process as if the access token is not valid, you won't get any
>> user profile.
>>
>> Can you open an issue for that use case? So we can think how we should
>> properly handle that (for 4.3).
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> 2016-03-30 8:27 GMT+02:00 Uwe Wolfinger :
>>
>>> The goal that i want to achieve is to call a custom rest service, in a
>>> custom webapp (e.g. /myapp/rest/data), which should be secured with an
>>> access_token. So i don't want to use /oauth2.0/profile, as its of no use
>>> for my case.
>>>
>>> So far i know how to get an access_token, but the open question is how
>>> to secure the custom service.
>>>
>>> Kind regards,
>>> Uwe
>>>
>>> Am Mittwoch, 30. März 2016 08:09:52 UTC+2 schrieb leleuj:

 Hi,

 I'm not sure to understand what you want to do exactly. CAS server v4.2
 provides an OAuth server support for the authorization code grant type, so
 any OAuth client or so (properly configured) will be able to connect with
 the CAS server.

 For sure, the CasOAuthWrapperClient (
 https://github.com/pac4j/pac4j/blob/master/pac4j-oauth/src/main/java/org/pac4j/oauth/client/CasOAuthWrapperClient.java)
 provided with pac4j works perfectly with it as most tests have been done
 with it (see this demo: https://github.com/leleuj/cas-pac4j-oauth-demo
 or this one: https://github.com/pac4j/play-pac4j-java-demo).

 Thanks.
 Best regards,
 Jérôme



 2016-03-29 15:35 GMT+02:00 Uwe Wolfinger :

> Thank you very much for the quick response.
>
> So if i have a custom webapp, this means that i have to write my own
> controller that extends BaseOAuthWrapperController. Will this work in a
> standalone app, or has this controller to reside within the cas.war? Are
> there any plans to provide a servlet filter (like
> org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter)
> for this kind of authentication?
>
> Another question concerns the access_token expiration: what is the
> expiration time of this ticket (the same as the normal cas ticket?) and is
> there a service, where i can refresh the access_token?
>
> Kind regards,
> Uwe
>
> Am Dienstag, 29. März 2016 15:24:48 UTC+2 schrieb leleuj:
>>
>> Hi,
>>
>> Yes, /oauth2.0/profile is the only OAuth url, protected by access
>> tokens. The /oauth2.0/authorize is the endpoint to call to start the
>> authorization (/ authentication) process and get an access token.
>> Then, you need to implement the check on the access token like it's
>> done in the
>> https://github.com/Jasig/cas/blob/4.2.x/cas-server-support-oauth/src/main/java/org/jasig/cas/support/oauth/web/OAuth20ProfileController.java
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>>
>> 2016-03-29 15:17 GMT+02:00 Uwe Wolfinger :
>>
>>> i have just installed cas version 4.2.0 with a ldap backend. Login
>>> works fine, now i tried to get the oauth system working, but 
>>> unfortunately
>>> i got stuck.
>>>
>>> what i did so for:
>>> - enabled the oauth server mode
>>> - i am able to get an access_token but now the question is, how to
>>> use this access token.
>>>
>>> My goal would be to write a custom rest service and secure this
>>> service via oauth. So far i can only find the */oauth2.0/profile 
>>> *service
>>> where i can use the access_token.
>>>
>>> So my question is, is this the only service that is protected by
>>> oauth? If no, how can i configure a custom service (in a client webapp 
>>> - as
>>> i would do it as a standard cas client), that ist protected by oauth.
>>>
>>> Kind Regards,
>>> Uwe
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it,
>>> send an email to cas-user+u...@apereo.org.
>>> Visit this group at
>>> https://groups.google.com/a/apereo.org/group/cas-user/.
>>>
>>
>> --
> You received this message because you are subscribed to the Google
> Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to cas-user+u...@apereo.org.
> Visit this group at
> https://groups.google.com/a/apereo.org/group/cas-user/.
>

 --
>>> You received this message because you are subscri

[cas-user] best practice? webapp timeout and logout when use CAS

2016-03-31 Thread Yan Zhou 
Hi there, 

We have several apps using CAS 4.1.5.  Different apps have different idle 
session timeout setting, some timeout after 30 minutes, other 1 hour, etc. 

Two questions. 

1. when user Logout from a web app.,  it provides best user experience if 
the app logs out the user AND logs out CAS SSO session.  Is that correct?

Alternatively, if the app. logs out but remain in CAS SSO session, user 
only needs to refresh browser and he will be back to app. without login 
again, that sounds a little odd:  you log out but do not have to login. 

2. when user times out (idle timeout) in an app., it seems that a refresh 
of browser will get user back into the app.   what is the best way to 
implement application idle timeout?

One that I would suggest is to require all apps have the same idle CAS 
session timeout?  CAS default is 2 hours, but we can require all apps and 
CAS to agree to a value.  Is that best practice?

Anyone can lead me to some CAS best practice on this subject?

Thanks,
Yan

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.

[cas-user] Could not locate ticket CAS 4.1

2016-03-31 Thread vallee.romain 
Hello,
i'm using CAS 4.1, and i configure memcache for ticket store .

when a configure an application, i log into the cas portal, and i got this 
error in my catalia.out :
*2016-03-31 14:27:47,504 DEBUG 
[org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - *


2016-03-31 14:27:47,475 DEBUG [org.jasig.cas.ticket.registry.
MemCacheTicketRegistry] - 
2016-03-31 14:27:47,480 DEBUG [org.jasig.cas.audit.spi.
TicketOrCredentialPrincipalResolver] - 
2016-03-31 14:27:47,481 INFO [org.jasig.inspektr.audit.support.
Slf4jLoggingAuditTrailManager] - 
2016-03-31 14:27:47,484 DEBUG [org.jasig.cas.web.support.
CookieRetrievingCookieGenerator] - 
2016-03-31 14:27:47,484 DEBUG [org.jasig.cas.web.support.
DefaultCasCookieValueManager] - 
2016-03-31 14:27:47,485 DEBUG [org.jasig.cas.util.DefaultCipherExecutor] - <
Encrypting via [A128CBC-HS256]>
2016-03-31 14:27:47,487 DEBUG [org.jasig.cas.web.support.
CookieRetrievingCookieGenerator] - 
2016-03-31 14:27:47,502 DEBUG [org.jasig.cas.
CentralAuthenticationServiceImpl] - 
2016-03-31 14:27:47,503 DEBUG [org.jasig.cas.audit.spi.
TicketOrCredentialPrincipalResolver] - 
2016-03-31 14:27:47,504 DEBUG [org.jasig.cas.
CentralAuthenticationServiceImpl] - 
*2016-03-31 14:27:47,504 DEBUG 
[org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - *
2016-03-31 14:27:47,504 DEBUG [org.jasig.cas.audit.spi.
TicketOrCredentialPrincipalResolver] - 
2016-03-31 14:27:47,505 INFO [org.jasig.inspektr.audit.support.
Slf4jLoggingAuditTrailManager] - http://192.168.15.30/glpi/front/login.php
ACTION: SERVICE_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Thu Mar 31 14:27:47 CEST 2016
CLIENT IP ADDRESS: 192.168.15.24
SERVER IP ADDRESS: 192.168.15.250
=







It's stange, cas can't found this ticket :



in my memcache.log

root@Jasig1:~# tail -f /var/log/memcached.log
<28 get TGT-17-Rro70pmcdVUKSxxNQZTJjwqZaagZq0S1hV9choki3jXugjuVsf-cas01
>28 END
<28 get TGT-17-Rro70pmcdVUKSxxNQZTJjwqZaagZq0S1hV9choki3jXugjuVsf-cas01
>28 END
<28 get TGT-17-Rro70pmcdVUKSxxNQZTJjwqZaagZq0S1hV9choki3jXugjuVsf-cas01
>28 END
<28 get TGT-17-Rro70pmcdVUKSxxNQZTJjwqZaagZq0S1hV9choki3jXugjuVsf-cas01
>28 END
<28 get TGT-17-Rro70pmcdVUKSxxNQZTJjwqZaagZq0S1hV9choki3jXugjuVsf-cas01
>28 END
<*28 add TGT-18-gWecT4syrxi0ESMcNwz1gCQsVUEcsxE1ugIcdf1hPGEieLlgvr-cas01 0 
5259488 1619*
>28 STORED
<28 get TGT-18-gWecT4syrxi0ESMcNwz1gCQsVUEcsxE1ugIcdf1hPGEieLlgvr-cas01
>28 END
<28 get TGT-18-gWecT4syrxi0ESMcNwz1gCQsVUEcsxE1ugIcdf1hPGEieLlgvr-cas01
>28 END
<28 get TGT-18-gWecT4syrxi0ESMcNwz1gCQsVUEcsxE1ugIcdf1hPGEieLlgvr-cas01
>28 END
<28 get TGT-18-gWecT4syrxi0ESMcNwz1gCQsVUEcsxE1ugIcdf1hPGEieLlgvr-cas01
>28 END


my TGT-18 is create

Any idea cas users ??

Best regards



-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.

[cas-user] Jpa Service Registry, how should values be stored in database table

2016-03-31 Thread Yan Zhou 
Hi,

I am overlaying 4.1.5 CAS and using JPA service registry.  I have had 
success with JSON file based service registry. Now I am moving all service 
definition into Oracle tables. 

How should values be stored in DB table columns?   Do I just copy the JSON 
data and paste it there?

I have this in ACCESS_STRAGETY column

{
"@class" : 
"org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
"enabled" : true,
"ssoEnabled" : true,
"requireAllAttributes" : true,
"caseInsensitive" : false
  }

I have this in ATTRIBUTE_RELEASE column


{
"@class" : "org.jasig.cas.services.ReturnAllAttributeReleasePolicy",
"principalAttributesRepository" : {
  "@class" : 
"org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
},
"authorizedToReleaseCredentialPassword" : false,
"authorizedToReleaseProxyGrantingTicket" : false
  }

I am getting error:Caused by: javax.persistence.PersistenceException: 
org.hibernate.type.SerializationException: could not deserialize


Any examples that you can share if you have had success with JPA service 
registry?

Thx,
Yan

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.

Re: [cas-user] best practice? webapp timeout and logout when use CAS

2016-03-31 Thread Misagh Moayyed 

Hi there, 

We have several apps using CAS 4.1.5.  Different apps have different idle 
session timeout setting, some timeout after 30 minutes, other 1 hour, etc. 

Two questions. 

1. when user Logout from a web app.,  it provides best user experience if the 
app logs out the user AND logs out CAS SSO session.  Is that correct?
Personally, I would say yes. This generally leads you to turn off SLO. You may 
or may not want that. Ultimately, you decide what the best user experience 
should be. 



Alternatively, if the app. logs out but remain in CAS SSO session, user only 
needs to refresh browser and he will be back to app. without login again, that 
sounds a little odd:  you log out but do not have to login. 
Yes, because while your app session is gone, your CAS SSO session is there. 
Most apps typically display a logout screen describe that exact case to the 
user. “Dear user, you logged out…but not really!”. Of course, that might also 
be terribly confusing. You decide.  



2. when user times out (idle timeout) in an app., it seems that a refresh of 
browser will get user back into the app.   what is the best way to implement 
application idle timeout?

One that I would suggest is to require all apps have the same idle CAS session 
timeout?  CAS default is 2 hours, but we can require all apps and CAS to agree 
to a value.  Is that best practice?
That’s mostly what I have been discussing with folks. Synchronize timeouts 
across all apps, and agree on a reasonable policy. 



Anyone can lead me to some CAS best practice on this subject?

Thanks,
Yan
--
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.

[cas-user] cas-mfa with CAS 4.1.4 and ehcache

2016-03-31 Thread Ted Fisher 
We have gotten cas-mfa with CAS 4.1.4 running and configured with an ldap auth 
handler and duo authenticating OK and we are getting service tickets generated. 
 Our next step was to get ehcache configured to use the same cache as our 
existing 3.5.0 CAs servers so that ST's would go there and apps with CAS 
clients doing ticket validation could validate them there (this is all in our 
test env right now).  From the looks of things STs and TGTs are the same so we 
should be able to share them like that.
I was pleased to see that the wiki docs explained ehcache config as very 
similar to our exsiting - we are doing RMI replication now.  I configured it 
pretty much the same as what we have now with the cache names changed to match 
our existing.  It builds and no errors logged when running and I see packets 
being sent to the other RMI addresses, so it looks like STs are being sent out 
to ehcache.  But, when the apps try to validate the ST they are not there.  I 
tried turning logging up to debug and still I see no indications of any issue.
Any pointers how to troubleshoot this ehcache issue?  Is there a way for me to 
dump the STs in cache?  It's test and I can see that there are only a few 
there.  I'd like to verify that they are making it there/.

Thanks.

Ted F. Fisher
Information Technology Services
[Description: BGSU]

From: Ted Fisher
Sent: Thursday, March 17, 2016 9:43 AM
To: 'cas-user@apereo.org' 
Subject: cas-mfa with CAS 3.5.3

I haven't been able to find any step-by docs for adding Unicon's cas-mfa with 
duo to our CAS server.  I've tried following the instructions at 
https://github.com/Unicon/cas-mfa/ which results in a good build, but no duo 
authentication.  I would assume that is because those instructions are for CAS 
4.1.X.
Is there anything that will tell me what I need to have in place and what 
settings are needed for CAS 3.5.3?
I am trying to use cas-mfa version 1.0.0-RC2 since that looks to be the last 
that supported 3.5.X.  I've tried quite a few variations based on posts I found 
from others, but nothing is leading to any progress here.
README.md in 1.0.0-RC2 points to https://github.com/Unicon/cas-mfa/  which has 
instructions for 4.1.X, so I'm not finding anything on what this should look 
like.

Any help would be appreciated.

Environment:
CAS 3.5.3  on Tomcat 7,  2 RHEL 6 servers using java version "1.7.0_95"

Thanks.

Ted F. Fisher
Server Administrator
323 Hayes Hall
Information Technology Services
Email:  tffi...@bgsu.edu
Phone: 419.372.1626
[Description: BGSU]

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.

[cas-user] RE: cas-mfa with CAS 4.1.4 and ehcache

2016-03-31 Thread Ted Fisher 
This is my other issue with our CAS 4.1.4 with cas-mfa which we have brought up 
to replace our old CAS 3.5.0.  I have been testing with the Apereo view that is 
stock, but now I'd like to put the view from our existing CAS 3.5.0  into the 
4.1.4 instance.  I thought I  might be able to simple place the view dir from 
our 3.5.0 build into the build dir for the new one.  It builds and runs with no 
errors, but the pages do not display correctly.  Is the view that different in 
4.X from 3.x that I cannot do that?  Are there any pointers how to migrate our 
old view into the new?

Thanks.

Ted F. Fisher
Information Technology Services
[Description: BGSU]


-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.