[cas-user] Re: Simple question

2016-08-22 Thread Carlos Joaquín de Nova de Nova
Edit the cas.properties file that you use. You can find the following section:

##
# CAS Internationalization
#
# locale.default=en
# locale.param.name=locale
# message.bundle.encoding=UTF-8
# message.bundle.cacheseconds=180
# message.bundle.fallback.systemlocale=false
# message.bundle.usecode.message=true
# message.bundle.basenames=classpath:custom_messages,classpath:messages

Uncomment the locale.default= line and put the value for the language that 
you want to use as the default language. Uncomment the locale.param.name=locale 
line as well.

If you want to use Spanish as the default language, the value for locale.default 
is:

locale.default=es

Best Regards,




On Friday, August 19, 2016 at 16:52:57 (UTC+2), Carlos Cuellar wrote:
>
> How can I set the default language to Spanish? Where can I configure this, 
> please?
>
> thanks
>

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To post to this group, send email to cas-user@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ee9d57f3-625d-4afa-9f37-13e430adae0b%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.


Re: [cas-user] CAS 5.0.0 SPNEGO - How to send a view after a failed authentication

2016-08-22 Thread Misagh Moayyed
You are to keep state in your web flow. What happens when you enter that state 
is up to you. Or for full form, you configure the flow dynamically.

-- 
Misagh

From: Philippe MARASSE 
Reply: Philippe MARASSE 
Date: August 21, 2016 at 1:38:11 PM
To: cas-user@apereo.org 
Subject:  Re: [cas-user] CAS 5.0.0 SPNEGO - How to send a view after a failed 
authentication  

Thanks for your answer, but I've seen, if I'm not mistaken, a hardcoded 
transition to viewloginform:

Component: cas-server-support-spnego-webflow
class: org.apereo.cas.web.flow.SpengoWebflowConfigurer

line 24:
.getTransitionSet().add(createTransition(CasWebflowConstants.TRANSITION_ID_ERROR,
    CasWebflowConstants.STATE_ID_VIEW_LOGIN_FORM));

If I modify login-webflow, I think it will be superseded by this class?

Regards.

On 12/08/2016 17:56, Misagh Moayyed wrote:
You will likely need to adjust the login flow to account for a different view 
other than the default login view.

-- 
Misagh

From: Philippe MARASSE 
Reply: Philippe MARASSE 
Date: August 12, 2016 at 6:31:53 AM
To: cas-user@apereo.org 
Subject:  [cas-user] CAS 5.0.0 SPNEGO - How to send a view after a failed 
authentication

Folks,

Currently, when SPNEGO authentication fails, it falls back to the login
form (whether cas.authn.spnego.send401OnAuthenticationFailure is true or
false).

But in our configuration, on a failure, we need to send a specific view.
How can I achieve that behavior?

Regards.

--
Philippe MARASSE

Responsable pôle Infrastructures - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel : 05.49.44.57.19

--
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/191f5df0-b4e1-7ce2-5f82-c6e47fbbe161%40ch-poitiers.fr.
--
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/etPan.57adf1aa.6ff49626.d48a%40unicon.net.


--  
Philippe MARASSE

Responsable pôle Infrastructures - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Coeur  
86021 Poitiers Cedex
Tel : 05.49.44.57.19
--
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/822c0ae7-eea3-faa1-0ce6-a2853df0ebf4%40ch-poitiers.fr.

-- 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/etPan.57baa4fb.76cff3d7.17e1c%40unicon.net.


Re: [cas-user] Re: Simple question

2016-08-22 Thread carlos maddaleno cuellar
Thanks, I did it. The problem I have now is that when some text like
"sesión" appears, it shows as "ses$#n", some strange text. What could it be? It
is as if it doesn't have the correct encoding in all the words where the ó
is used.
Thanks
On Aug 22, 2016 1:08 AM, "Carlos Joaquín de Nova de Nova" <
carlos.de.n...@gmail.com> wrote:

> Edit the cas.properties file that you use. You can find the following section:
>
> ##
> # CAS Internationalization
> #
> # locale.default=en
> # locale.param.name=locale
> # message.bundle.encoding=UTF-8
> # message.bundle.cacheseconds=180
> # message.bundle.fallback.systemlocale=false
> # message.bundle.usecode.message=true
> # message.bundle.basenames=classpath:custom_messages,classpath:messages
>
> Uncomment the locale.default= line and put the value for the language that
> you want to use as the default language. Uncomment the locale.param.name=locale
> line as well.
>
> If you want to use Spanish as the default language, the value for
> locale.default is:
>
> locale.default=es
>
> Best Regards,
>
>
>
>
> On Friday, August 19, 2016 at 16:52:57 (UTC+2), Carlos Cuellar
> wrote:
>>
>> How can I set the default language to Spanish? Where can I configure this,
>> please?
>>
>> thanks
>>

-- 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CANEG9%2BdC3bF_EcFmOAHOKB58_90dUFHYeQUZb2UaQz5q3S0CJQ%40mail.gmail.com.
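As an added example (not code from this thread or from the CAS project), the following Python script checks the internationalization settings described in the reply above together with the encoding problem reported in the follow-up: it reads the i18n keys from a cas.properties excerpt, verifies that a custom message bundle really decodes under message.bundle.encoding, and rewrites non-ASCII characters as \uXXXX escapes. The properties excerpt and the two bundle files are constructed sample data, and the message keys are assumed names.

```python
"""Check a CAS message bundle against the i18n settings in cas.properties.

Added example, not code from the thread or from CAS: it reads the
internationalization keys from a cas.properties excerpt (with the lines the
reply says to uncomment), checks that a custom message bundle really decodes
under message.bundle.encoding, and rewrites non-ASCII characters as \\uXXXX
escapes so the file renders the same under any encoding. Both files are
constructed sample data; the message keys are assumed names.
"""
import re

# Constructed cas.properties excerpt: the section quoted in the thread, with
# the two lines uncommented as the reply advises.
CAS_PROPERTIES = """\
##
# CAS Internationalization
#
locale.default=es
locale.param.name=locale
message.bundle.encoding=UTF-8
# message.bundle.cacheseconds=180
message.bundle.basenames=classpath:custom_messages,classpath:messages
"""

# The same two-line bundle saved twice: once by an editor that wrote ISO-8859-1
# (a classic cause of accented characters rendering as garbage when the bundle
# is declared UTF-8) and once correctly as UTF-8.
BUNDLE_TEXT = "screen.welcome.label.netid=Usuario\nscreen.session.label=Sesi\u00f3n\n"
BUNDLE_LATIN1 = BUNDLE_TEXT.encode("latin-1")
BUNDLE_UTF8 = BUNDLE_TEXT.encode("utf-8")


def parse_properties(text):
    """Minimal Java .properties parser: skip comments and blanks, split on the first '=' or ':'."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def i18n_settings(text):
    """Effective i18n settings, falling back to the defaults shown in the commented-out section."""
    p = parse_properties(text)
    return {
        "locale.default": p.get("locale.default", "en"),
        "locale.param.name": p.get("locale.param.name", "locale"),
        "message.bundle.encoding": p.get("message.bundle.encoding", "UTF-8"),
        "basenames": [b.strip() for b in p.get("message.bundle.basenames", "classpath:messages").split(",")],
    }


def check_bundle(raw, encoding):
    """Decode the bundle line by line under `encoding`.

    Returns [(line_number, key), ...] for lines that fail to decode: exactly the
    messages CAS would display incorrectly under that encoding.
    """
    bad = []
    for n, raw_line in enumerate(raw.split(b"\n"), start=1):
        try:
            raw_line.decode(encoding)
        except UnicodeDecodeError:
            key = raw_line.split(b"=", 1)[0].decode("ascii", "replace").strip()
            bad.append((n, key))
    return bad


def escape_non_ascii(raw, source_encoding):
    """Rewrite the bundle with \\uXXXX escapes (what native2ascii does), which
    displays correctly whatever message.bundle.encoding is set to."""
    text = raw.decode(source_encoding)
    return "".join(ch if ord(ch) < 128 else "\\u%04x" % ord(ch) for ch in text)


if __name__ == "__main__":
    cfg = i18n_settings(CAS_PROPERTIES)
    print("default locale:", cfg["locale.default"], "| bundle encoding:", cfg["message.bundle.encoding"])
    print("ISO-8859-1 file read as UTF-8 ->", check_bundle(BUNDLE_LATIN1, cfg["message.bundle.encoding"]))
    print("UTF-8 file read as UTF-8      ->", check_bundle(BUNDLE_UTF8, cfg["message.bundle.encoding"]))
    print(escape_non_ascii(BUNDLE_LATIN1, "latin-1"), end="")
```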


[cas-user] Statistics on ST with ehcache monitor

2016-08-22 Thread Mathieu ALEXANDRE
 

Hi 

My context: 

   - CAS 4.2.4 (Maven Overlay install) 
   - Tomcat 7 
   - ServicesRegistry : *json* 
   - TicketRegistry : *ehcache* 

After some hours, everything seems to work as expected.
I can see active TGTs on /cas/statistics with ehcacheMonitor enabled.

But there is nothing about STs ...
Does anyone know how to get statistics on STs with the ehcache Ticket Registry?



Thanks for your help :)

-- 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/63ceaebd-eb16-4681-ad1d-6d460d2e98f3%40apereo.org.


RE: [cas-user] Mod_auth_cas Logout Question

2016-08-22 Thread David Abney
While looking at the logs for mod_auth_cas, I couldn't find what was causing 
the logout problems for me.  So, I followed Neil's approach and created a 
custom logout file and put the file on our CAS server.  The JSP file removes 
the mod_auth_cas cookie and redirects the user back to the regular CAS logout 
URL.  Setting the PaperCut logout URL to this custom file seems to be doing the 
trick.

This is what the JSP file looks like:

<%
// Custom logout page hosted on the CAS server: expire the mod_auth_cas
// session cookies, then hand off to the regular CAS logout endpoint.
Cookie[] cookies = request.getCookies();

// getCookies() returns null when the request carries no cookies at all
if (cookies != null) {
    for (int i = 0; i < cookies.length; i++) {
        String name = cookies[i].getName();
        if (name.equals("MOD_AUTH_CAS_S") || name.equals("MOD_AUTH_CAS")) {
            // Max-Age 0 tells the browser to discard the cookie; the path has
            // to match the one the cookie was set with or it is not removed
            cookies[i].setMaxAge(0);
            cookies[i].setPath("/");
            response.addCookie(cookies[i]);
        }
    }
}

response.sendRedirect("my_cas_server_logout_url");
%>


David Abney
ITS Web Developer/Programmer

600 West Walnut Street
Danville, Kentucky 40422
859.238.5761

www.centre.edu

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of David Abney
Sent: Thursday, August 18, 2016 2:53 PM
To: Travis Schmidt ; cas-user@apereo.org
Subject: RE: [cas-user] Mod_auth_cas Logout Question

Travis,

I will look at the debugging logs and see if I can find out more about the 
logout problem.

Thanks,


David Abney
ITS Web Developer/Programmer

600 West Walnut Street
Danville, Kentucky 40422
859.238.5761

www.centre.edu

From: Travis Schmidt [mailto:travis.schm...@gmail.com]
Sent: Thursday, August 18, 2016 2:48 PM
To: David Abney <david.ab...@centre.edu>; cas-user@apereo.org
Subject: Re: [cas-user] Mod_auth_cas Logout Question

I think what is happening is that CAS uses the proxy host to create the logout 
url.  You can put logs in debug mode and then see the actual url that is trying 
to call to logout.  CAS also needs the cert for the host it will call in its 
truststore to be able to make the call for logout.  My guess is that either the 
proxy is not set up to forward the logout end point to the apache server, or 
CAS cannot establish trust with the proxy.
On Thu, Aug 18, 2016 at 9:17 AM David Abney <david.ab...@centre.edu> wrote:
Travis,

Below are the settings I used to try to get the mod_auth_cas logout to work, 
but I was still unsuccessful.  I guess it may have something to do with the 
fact that I am using a proxy server.

Since I am using Ubuntu, my mod_auth_cas settings are in 
/etc/apache2/mods-enabled/auth_cas.conf and they look like this:
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL [my cas server login url]
CASValidateURL [my cas server validate url]
CASDebug On
CASVersion 2
#Only if using SAML
#CASValidateSAML Off
#CASAttributeDelimiter ;
CASSSOEnabled On
CASCertificatePath /etc/ssl/certs


AuthType CAS
CASAuthNHeader [my HTTP Header value]
require valid-user
CASScope /


For my proxy server I have the logout type set to BACK_CHANNEL and my 
registered service looks like this:
{
  "@class" : "org.jasig.cas.services.RegexRegisteredService",
  "serviceId" : "[my proxy server url]",
  "name" : "CAS-PROXY",
  "id" : 8,
  "description" : "Allows connections from CAS Proxy",
  "proxyPolicy" : {
    "@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
  },
  "evaluationOrder" : 8,
  "usernameAttributeProvider" : {
    "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
  },
  "logoutType" : "BACK_CHANNEL",
  "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
    },
    "authorizedToReleaseCredentialPassword" : false,
    "authorizedToReleaseProxyGrantingTicket" : false
  },
  "accessStrategy" : {
    "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  }
}

Thanks,


David Abney
ITS Web Developer/Programmer

600 West Walnut Street
Danville, Kentucky 40422
859.238.5761


www.centre.edu

From: Travis Schmidt 
[mailto:travis.schm...@gmail.com]
Sent: Thursday, August 18, 2016 11:18 AM

To: David Abney <david.ab...@centre.edu>; cas-user@apereo.org
Subject: Re: [cas-user] Mod_auth_cas Logout Question

Make sure "CASSSOEnabled On" is set in httpd.conf.  If you are using a Service 
Registry in CAS, make sure the Logout Channel is enabled and set to 
BACK_CHANNEL.  This is working for me, but I don't have a proxy in the middle 
either.


On Thu, Aug 18, 2016 at 7:20 AM David Abney <david.ab...@centre.edu> wrote:
I am using mod_auth_cas v1.1 with a proxy server to log in to our PaperCut 
system using CAS v4.2.  We can set a logout URL in PaperCut, which is set to 

[cas-user] 4.1.9 repeated ST generation and validation when going to Service Management App

2016-08-22 Thread Yan Zhou


Hi there, 


I am running a CAS 4.1.9 overlay.  I have observed this with the Service 
Management app (which uses CAS, too) when two CAS servers are running in a cluster 
(active/active), using Hazelcast.  See the following logs.


As you can see, after I type in user credentials, instead of one 
/serviceValidate call followed by the service management app main page, I 
see a list of STs being generated and then a /serviceValidate call being made, 
one for each ST, 30 times in quick succession. The page will 
initially show some error but then it will show the right main page in the 
service management app.  I have not seen that with other apps using CAS.  I 
am only showing a subset of the logs.


I do not know if this is because the /p3/serviceValidate call is being made?


Thx

Yan



Server1  

 

172.18.58.87 - - [22/Aug/2016:14:17:55 +] "POST 
/cas/login;QDXCASSESSIONID=A0D6EAA0D47387A86D8E6148995DE45A.tomcat1?service=https%3A%2F%2Fdevcas.dev.medplus.com%2Fcas-services%2Flogin%2Fcas
 
HTTP/1.1" 302 - "
https://devcas.dev.medplus.com/cas/login?service=https%3A%2F%2Fdevcas.dev.medplus.com%2Fcas-services%2Flogin%2Fcas";
 
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/52.0.2743.116 Safari/537.36"

172.18.38.110 - - [22/Aug/2016:14:17:55 +] "GET 
/cas/p3/serviceValidate?ticket=ST-38-xKYtgE0t9lv7XiF0ugYL-devcas01.dev.medplus.com&service=https%3A%2F%2Fdevcas.dev.medplus.com%2Fcas-services%2Flogin%2Fcas
 
HTTP/1.1" 200 781 "-" "Java/1.7.0_75"

172.18.4.136 - - [22/Aug/2016:14:17:55 +] "GET 
/cas-services/manage.html HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; 
WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 
Safari/537.36"

172.18.38.110 - - [22/Aug/2016:14:17:57 +] "GET 
/cas/p3/serviceValidate?ticket=ST-31-tLniMcRJ9q5geaIpggzk-devcas02.dev.medplus.com&service=https%3A%2F%2Fdevcas.dev.medplus.com%2Fcas-services%2Flogin%2Fcas
 
HTTP/1.1" 200 781 "-" "Java/1.7.0_75"

172.18.4.136 - - [22/Aug/2016:14:17:57 +] "GET 
/cas-services/manage.html HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; 
WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 
Safari/537.36"

172.18.38.110 - - [22/Aug/2016:14:17:57 +] "GET 
/cas/p3/serviceValidate?ticket=ST-32-tUwoRoh4USHKTUJaen1e-devcas02.dev.medplus.com&service=https%3A%2F%2Fdevcas.dev.medplus.com%2Fcas-services%2Flogin%2Fcas
 
HTTP/1.1" 200 782 "-" "Java/1.7.0_75"

172.18.4.136 - - [22/Aug/2016:14:17:57 +] "GET 
/cas-services/manage.html HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; 
WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 
Safari/537.36"

172.18.38.110 - - [22/Aug/2016:14:17:57 +] "GET 
/cas/p3/serviceValidate?ticket=ST-33-RTRnMOsbyzrU6j339QE0-devcas02.dev.medplus.com&service=https%3A%2F%2Fdevcas.dev.medplus.com%2Fcas-services%2Flogin%2Fcas
 
HTTP/1.1" 200 782 "-" "Java/1.7.0_75"

172.18.4.136 - - [22/Aug/2016:14:17:57 +] "GET 
/cas-services/manage.html HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; 
WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 
Safari/537.36"

172.18.38.110 - - [22/Aug/2016:14:17:57 +] "GET 
/cas/p3/serviceValidate?ticket=ST-34-snoQrdS3RQR9svVsg6PS-devcas02.dev.medplus.com&service=https%3A%2F%2Fdevcas.dev.medplus.com%2Fcas-services%2Flogin%2Fcas
 
HTTP/1.1" 200 782 "-" "Java/1.7.0_75"

172.18.4.136 - - [22/Aug/2016:14:17:57 +] "GET 
/cas-services/manage.html HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; 
WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 
Safari/537.36"

 

 

Server2

 

172.18.58.87 - - [22/Aug/2016:14:17:55 +] "GET 
/cas-services/login/cas?ticket=ST-38-xKYtgE0t9lv7XiF0ugYL-devcas01.dev.medplus.com
 
HTTP/1.1" 302 - "
https://devcas.dev.medplus.com/cas/login?service=https%3A%2F%2Fdevcas.dev.medplus.com%2Fcas-services%2Flogin%2Fcas";
 
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/52.0.2743.116 Safari/537.36"

172.18.58.87 - - [22/Aug/2016:14:17:55 +] "GET 
/cas/login?service=https%3A%2F%2Fdevcas.dev.medplus.com%2Fcas-services%2Flogin%2Fcas
 
HTTP/1.1" 200 17824 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"

172.18.58.87 - - [22/Aug/2016:14:17:55 +] "GET /cas/js/head.min.js 
HTTP/1.1" 200 9680 "
https://devcas.dev.medplus.com/cas/login?service=https%3A%2F%2Fdevcas.dev.medplus.com%2Fcas-services%2Flogin%2Fcas";
 
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/52.0.2743.116 Safari/537.36"

172.18.58.87 - - [22/Aug/2016:14:17:55 +] "GET /cas/js/cas.js?version=7 
HTTP/1.1" 200 2789 "
https://devcas.dev.medplus.com/cas/login?service=https%3A%2F%2Fdevcas.dev.medplus.com%2Fcas-services%2Flogin%2Fcas";
 
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/52.0.2743.116 Safari/537.36"

172.18.58.87 - - [22/Aug/2016:14:17:56 +] "GET /cas/api/public/config 
HTTP/1.1" 200 65 "
h
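As an added example, not code from this thread, the following Python script parses access-log lines in the format shown above and flags any service for which many distinct STs are validated within a short window, which is the pattern these logs show (one login, then a /p3/serviceValidate call per freshly issued ST). The IPs, hosts and ticket ids in the sample are constructed, and the threshold and window are assumptions.

```python
"""Flag bursts of service-ticket validations in CAS access logs.

Added example, not code from the thread: the access-log excerpt above shows a
single login followed by a run of /p3/serviceValidate calls, one per freshly
issued ST, all for the same service. This script parses combined-format access
log lines, groups serviceValidate requests by service, and reports any service
for which `threshold` or more distinct STs were validated inside `window`.
IPs, hosts, ticket ids, threshold and window below are constructed or assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one login, then an ST validated roughly every second for
# the same service (the loop described in the thread), plus one ordinary
# validation for an unrelated service.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Aug/2016:14:17:55 +0000] "POST /cas/login?service=https%3A%2F%2Fsso.example.test%2Fcas-services%2Flogin%2Fcas HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.0.0.9 - - [22/Aug/2016:14:17:55 +0000] "GET /cas/p3/serviceValidate?ticket=ST-1-AAAA-cas01.example.test&service=https%3A%2F%2Fsso.example.test%2Fcas-services%2Flogin%2Fcas HTTP/1.1" 200 781 "-" "Java/1.7.0_75"
10.0.0.9 - - [22/Aug/2016:14:17:56 +0000] "GET /cas/p3/serviceValidate?ticket=ST-2-BBBB-cas02.example.test&service=https%3A%2F%2Fsso.example.test%2Fcas-services%2Flogin%2Fcas HTTP/1.1" 200 781 "-" "Java/1.7.0_75"
10.0.0.9 - - [22/Aug/2016:14:17:57 +0000] "GET /cas/p3/serviceValidate?ticket=ST-3-CCCC-cas02.example.test&service=https%3A%2F%2Fsso.example.test%2Fcas-services%2Flogin%2Fcas HTTP/1.1" 200 782 "-" "Java/1.7.0_75"
10.0.0.9 - - [22/Aug/2016:14:17:57 +0000] "GET /cas/p3/serviceValidate?ticket=ST-4-DDDD-cas02.example.test&service=https%3A%2F%2Fsso.example.test%2Fcas-services%2Flogin%2Fcas HTTP/1.1" 200 782 "-" "Java/1.7.0_75"
10.0.0.9 - - [22/Aug/2016:14:17:58 +0000] "GET /cas/p3/serviceValidate?ticket=ST-5-EEEE-cas02.example.test&service=https%3A%2F%2Fsso.example.test%2Fcas-services%2Flogin%2Fcas HTTP/1.1" 200 782 "-" "Java/1.7.0_75"
10.0.0.7 - - [22/Aug/2016:14:18:30 +0000] "GET /cas/serviceValidate?ticket=ST-6-FFFF-cas01.example.test&service=https%3A%2F%2Fwiki.example.test%2Flogin HTTP/1.1" 200 640 "-" "Java/1.8.0_92"
"""


def parse_validations(log_text):
    """Yield (timestamp, service, ticket, issuing_node) for each serviceValidate request.

    The node is taken from the ST suffix, which CAS derives from the issuing host's name,
    so a burst can be attributed to the cluster member(s) that minted the tickets.
    """
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("path"))
        if not url.path.endswith("/serviceValidate"):
            continue
        q = parse_qs(url.query)          # also URL-decodes the service parameter
        ticket = q.get("ticket", [""])[0]
        service = q.get("service", [""])[0]
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        node = ticket.rsplit("-", 1)[-1]
        yield ts, service, ticket, node


def find_validation_bursts(log_text, threshold=3, window=timedelta(seconds=10)):
    """Return {service: (distinct_tickets, first_ts, last_ts, issuing_nodes)} for
    every service that validated `threshold` or more distinct STs within `window`."""
    per_service = defaultdict(list)
    for ts, service, ticket, node in parse_validations(log_text):
        per_service[service].append((ts, ticket, node))
    bursts = {}
    for service, events in per_service.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            tickets = {t for _, t, _ in span}
            if len(tickets) >= threshold:
                bursts[service] = (len(tickets), span[0][0], span[-1][0],
                                   sorted({n for _, _, n in span}))
    return bursts


if __name__ == "__main__":
    for service, (n, first, last, nodes) in find_validation_bursts(SAMPLE_LOG).items():
        print("%d STs validated for %s between %s and %s (issued by %s)"
              % (n, service, first.time(), last.time(), ", ".join(nodes)))
```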

[cas-user] servlet to servlet authorized access

2016-08-22 Thread Craig Snider
I'm trying to access a CAS protected application/servlet  from another CAS 
protected servlet on the same server (Tomcat). I'm using a 
HttpURLConnection and copying parameters and attributes (including cookies) 
from a web client HttpServletRequest (actually ShiroHttpServletRequest) and 
trying to use that information to access the service, as part of that 
request, on the other servlet, but I'm only getting a response code of 302 
back from the HttpURLConnection. Is there some way I can get authorized 
access to the second servlet?

I'm using CAS 4.2.1 with Shiro plugin 1.2.1, shiro-cas plugin 0.5.1, 
Groovy/Grails 2.4.4, Tomcat 8.0.32.

- Craig

-- 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/367a62ff-1d79-4791-9fc8-679164a01d29%40apereo.org.


Re: [cas-user] Sporadic issues with authentication stopping

2016-08-22 Thread Jeffrey Wong
Hey Ben,

I don't have answers, but I've seen similar in my CAS install as well.

Updating to 4.2 helped resolve the listed exception (I no longer see it 
in the logs), but I'm having some other issues with memory management now, 
every 2-3 weeks. All of these issues require a server reload to 
(temporarily) resolve.

Is there any pattern that you're seeing for when the issues occur?

On Tuesday, August 2, 2016 at 11:41:38 AM UTC-7, Ben Branch wrote:
>
> Hello All,
>
>  
>
> Over the course of the last several months we started to notice these errors 
> more frequently in our environment: 
>
>  
>
> org.springframework.ldap.UncategorizedLdapException: Uncategorized 
> exception occured during LDAP processing; nested exception is 
> javax.naming.NamingException: LDAP response read timed out, timeout 
> used:3000ms.; remaining name 'dc=xxx,dc='
>
>  
>
> org.springframework.ldap.ServiceUnavailableException: 
> x..x:636; socket closed; nested exception is 
> javax.naming.ServiceUnavailableException: ..:636; socket 
> closed; remaining name 'dc=xxx,dc=xxx'
>
>  
>
> org.springframework.ldap.CommunicationException: Connection timed out; 
> nested exception is javax.naming.CommunicationException: Connection timed 
> out [Root exception is java.net.SocketException: Connection timed out]; 
> remaining name 'dc=xxx,dc=xxx'
>
>  
>
>  
>
> When we get these errors, all authentication comes to a halt, which is 
> expected given the error messages.  We moved our AD environment behind a 
> new hardware load balancer, in hopes that this would resolve our issue, but 
> it has not.  After much thought, I began to think this might be an LDAP 
> pooling issue.  I reviewed the Spring LDAP Pooling configuration 
> documentation and it advises that we should see a NoSuchElementException 
> error message in the logs when the pool has been exhausted, but we do not 
> see that.  My AD admin does not see any issues on his side when the errors 
> occur, and our Network team does not see any issues on the Load Balancer 
> back to AD either.  I thought that maybe the load balancer might be 
> blocking connections, but when I do a `netstat`, I see the proper amount of 
> $minIdle connections back to AD and they all show a state of Established.  
> I am in the process of rolling out our HA configuration to see if this 
> might help, but I’m concerned that this will only lead to a 50% failure 
> rate in authentications when the error occurs (1 node failing to connect 
> back to AD, while the other may still be able to connect). While I 
> understand this is better than 0% authentication, it still concerns me very 
> much. My only resolution to this issue right now is to restart services.  
> I’m at a pretty big loss as where else to look and I feel like I’m running 
> out of avenues to explore.  Any help would be appreciated. 
>
>  
>
> CAS Version: 3.5.2 + LPPE
>
> OS: RHEL 6.8
>
> JAVA: OpenJDK 1.7
>
> JAVA App Server: Tomcat 6.0.24 (Official RHEL version)
>
>  
>
> LDAP Configuration Options from cas.properties file:
>
>  
>
> #LDAP Properties
>
> ldap.pool.minIdle=3
>
> ldap.pool.maxIdle=5
>
> ldap.pool.maxSize=10
>
>  
>
> # Maximum time in ms to wait for connection to become available
>
> # under pool exhausted condition.
>
> ldap.pool.maxWait=1
>
>  
>
> # Period in ms at which evictor process runs.
>
> ldap.pool.evictionPeriod=60
>
>  
>
> # Maximum time in ms at which connections can remain idle before
>
> # they become liable to eviction.
>
> ldap.pool.idleTime=120
>
>  
>
> # Set to true to enable connection liveliness testing on evictor
>
> # process runs.  Probably results in best performance.
>
> ldap.pool.testWhileIdle=true
>
>  
>
> # Set to true to enable connection liveliness testing before every
>
> # request to borrow an object from the pool.
>
> ldap.pool.testOnBorrow=false
>
>  
>
> # LDAP Search Results Exception
>
> ldap.authentication.ignorePartialResultException=true
>
>  
>
> # LDAP Base Environment Properties
>
> ldap.authentication.jndi.connect.timeout=3000
>
> ldap.authentication.jndi.read.timeout=3000
>
> ldap.authentication.jndi.security.level=simple
>
>  
>
> # Policy Enforcement
>
> ldap.authentication.lppe.warnAll=false
>
> ldap.authentication.lppe.dateFormat=AD
>
> ldap.authentication.lppe.dateAttribute=pwdLastSet
>
> ldap.authentication.lppe.warningDaysAttribute
>
> ldap.authentication.lppe.validDaysAttribute=maxPwdAge
>
> ldap.authentication.lppe.warningDays=14
>
> ldap.authentication.lppe.validDays=90
>
> ldap.authentication.lppe.noWarnAttribute=
>
> ldap.authentication.lppe.noWarnValues=
>
>  
>
>  
>
> Ben Branch
> UNIX/Linux Administrator
>
> University of Central Oklahoma
>
> ITIL Foundation v3, Network+, RHCE
>
> 100 N. University Drive, Box 122
>
> Edmond, OK 73034
>
> D: 405.974.2649 | M: 405.550.6804 | *bbranch@uco. edu* | 
> www.uco.edu
>
>  
>
> “I am wiser than this man, for neither of us appears to know anything 
> great and good; but he fanci

[cas-user] Possible Bug With Proxy Tickets In CAS 5.0.0.RC1-SNAPSHOT

2016-08-22 Thread William
I am running the following test on the latest CAS 5.0.0.RC1-SNAPSHOT build: 
https://github.com/wcrowell/cas-functional-tests/blob/5.0.x/src/test/groovy/org/apereo/cas/test/validation/MultiLevelProxySpec.groovy

I have run this test successfully against CAS 4.2.2, 4.2.4, 4.2.5-SNAPSHOT.

This test generates proxy tickets to access a really simple web app called 
protected-web-app which is a CAS client.

I noticed a behavior where I cannot use a ProxyTicket after submitting a 
ProxyGrantingTicket to the "/proxy" endpoint.  

For some reason CAS thinks it has already been used:

2016-08-22 16:06:44,947 DEBUG 
[org.apereo.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy] - 


and then it removes it:

2016-08-22 16:06:44,947 DEBUG 
[org.apereo.cas.ticket.registry.DefaultTicketRegistry] - 


I am not able to attach files in Google Groups for some reason.  Therefore, 
here is the link to the log: 
https://raw.githubusercontent.com/wcrowell/cas-functional-tests/5.0.x/logs/catalina.out

Did something change in CAS 5 with the ticket usage for Proxy Tickets or is 
this potentially a bug?

Thank you.

-- 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/70c35ab9-9823-43b4-bb85-5694307d3e27%40apereo.org.


Re: [cas-user] After a month, no tickets created in 4.2.2?

2016-08-22 Thread Jeffrey Wong
I am not making use of proxy granting tickets, but I'll report back if it's 
still an issue once 2.2.5 drops.

In the version that I have currently deployed, the counts on the tickets 
themselves seem strange to me - When I log in 10 times, that's 10 TGTs and 
10 STs, correct? So I should expect 20 tickets to be cleaned up, rather 
than 15. If it's only counting TGTs, then I should have 10 tickets total.

I've turned on debugging, and will be monitoring this issue for when it 
happens again, and let you know what I see in the logs. Meanwhile, can you 
confirm or correct my understanding of the current ticket cleanup log? It 
looks pretty strange from my end.

On Thursday, July 21, 2016 at 11:24:12 PM UTC-7, Misagh Moayyed wrote:
>
> All expired tickets are removed by the cleaner, regardless of type. Come 
> to think of it, do you use CAS for its proxy authentication features? That 
> *might* have something to do with it, if you do.
>
> I personally don’t know if I’d recommend switching, because I don’t know 
> what the problem is. Generally, switching to something more robust and 
> distributed is a good idea, but if the problem is something else, it will 
> simply repeat and your new registry will have done nothing to fix it. I 
> would instead turn up logs, load test as much as possible and keep it 
> running under test for some time. Observe.  
>
> -- 
> Misagh
>
> From: Jeffrey Wong  
> Reply: Jeffrey Wong  
> Date: July 20, 2016 at 3:27:17 PM
> To: CAS Community  
> Cc: mmoa...@unicon.net   
> Subject:  Re: [cas-user] After a month, no tickets created in 4.2.2? 
>
> Grepping through what I have, I can confirm that the tickets are being 
> removed, as I do have log statements like the following: 
>
> catalina.out.2.gz:2016-07-08 22:19:31,948 INFO 
> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <1 expired tickets 
> found and removed.>
> catalina.out.2.gz:2016-07-08 22:21:32,004 INFO 
> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <2 expired tickets 
> found and removed.>
>
> I'm using the default in memory registry, the default 
> tgt.maxTimeToLiveInSeconds + tgt.timeToKillInSeconds. 
> st.timeToKillInSeconds=60.
>
> Other pretty bare bones defaults:
>
>
> 
>  
>  
> 
> 
>  
> 
>  
>  alias="grantingTicketExpirationPolicy" />
>  alias="serviceTicketExpirationPolicy" />
>  
> 
>  
>  alias="authenticationPolicyFactory" />
>
> Would you recommend perhaps a different ticket registry at this point 
> perhaps? I don't think I'm hitting the maximum amount of tickets that the 
> default ticket registry can hold by any means, since the maximum amount of 
> tickets I'm seeing expire is 20. Mostly it's between 0-2 tickets that are 
> expired, so I very much doubt the tickets being the memory bottleneck.
>
> ---
>
> Before I posted the above, I dug a little and noticed a strange ~200 
> tickets being cleaned up a bit before the issue (an uptick in cleanup 
> tickets). Perhaps moving to a more robust ticket registry (not just in 
> memory) might actually help to mitigate then.
>
> Are service tickets also being cleaned up with the same default ticket 
> registry? What tickets should show up in that 'expired' count? TGT only, or 
> TGT + STs?
>
> For testing, I logged in to a test instance where the TGT expiry was set 
> to 10 seconds. 10 times: 15 expired tickets. I logged in 20 times. 29 
> expired tickets.
>
> What other items are included in the expired count?
>
> On Wednesday, July 20, 2016 at 2:31:37 AM UTC-7, Misagh Moayyed wrote: 
>>
>> Does your log show that tickets are cleaned up successfully? Is your 
>> expiration policy set up to allow the cleaner to expire and clean tickets 
>> successfully? 
>>
>> Without logs, it’s just a guessing game. My bet is, somehow you’ve run 
>> out of memory. 
>>
>> -- 
>> Misagh
>>
>> From: Jeffrey Wong 
>> Reply: Jeffrey Wong 
>> Date: July 19, 2016 at 3:10:05 PM
>> To: CAS Community 
>> Subject:  [cas-user] After a month, no tickets created in 4.2.2?
>>
>> After about a month of working perfectly on 4.2.2 deployed to tomcat7, 
>> running under java8, randomly the in-memory ticketing system would not 
>> create any more tickets. Restarting the tomcat instance fixed it, but I'm 
>> wondering why CAS would randomly break on me after working so well! Using a 
>> LDAP (AD) backed user base with a mysql backed attribute DB. We have pretty 
>> minimal traffic, so I'm not sure why I am seeing issues after such a s

Re: [cas-user] servlet to servlet authorized access

2016-08-22 Thread Misagh Moayyed

I'm trying to access a CAS protected application/servlet  from another CAS 
protected servlet on the same server (Tomcat). I'm using a HttpURLConnection 
and copying parameters and attributes (including cookies) from a web client 
HttpServletRequest (actually ShiroHttpServletRequest) and trying to use that 
information to access the service, as part of that request, on the other 
servlet, but I'm only getting a response code of 302 back from the 
HttpURLConnection. Is there some way I can get authorized access to the second 
servlet?


This is handled via proxy authn. You’ll need to get a PT for a 2nd servlet.
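The exchange behind that answer, as an added example that is not code from CAS or from this thread: servlet 1 trades the PGT it received at validation time for a PT scoped to servlet 2, then servlet 2 validates that PT at /proxyValidate and sees the proxy chain. The XML responses, the cas_base URL, the ticket values and the callback URL are constructed samples in CAS protocol format; the 302 in the question is the CAS client on servlet 2 redirecting an unauthenticated request to login, because copied browser cookies carry servlet 1's session, not a ticket servlet 2 can validate.

```python
"""Servlet-to-servlet access via CAS proxy authentication (added example,
not code from CAS or this thread; all URLs and tickets are constructed)."""
import xml.etree.ElementTree as ET   # use defusedxml when parsing untrusted XML
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def proxy_request_url(cas_base, pgt, target_service):
    """Step 1: servlet 1 (server side) asks CAS for a PT scoped to servlet 2."""
    return f"{cas_base}/proxy?" + urlencode({"pgt": pgt, "targetService": target_service})


def parse_proxy_response(body):
    """Step 2: return the PT from a /proxy response, or raise on <cas:proxyFailure>."""
    root = ET.fromstring(body)
    pt = root.findtext("cas:proxySuccess/cas:proxyTicket", namespaces=CAS_NS)
    if pt:
        return pt.strip()
    failure = root.find("cas:proxyFailure", CAS_NS)
    code = failure.get("code", "UNKNOWN") if failure is not None else "UNKNOWN"
    raise ValueError("proxy request rejected: " + code)


def proxy_validate_url(cas_base, service, ticket):
    """Step 3: servlet 2 validates the ?ticket=PT-... it was called with.
    /proxyValidate accepts STs and PTs; /serviceValidate rejects PTs."""
    return f"{cas_base}/proxyValidate?" + urlencode({"service": service, "ticket": ticket})


def parse_validate_response(body):
    """Return (user, proxy_chain); the chain lists the proxying services so
    servlet 2 can refuse PTs that arrived through a proxy it does not trust."""
    root = ET.fromstring(body)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code", "UNKNOWN") if failure is not None else "UNKNOWN"
        raise ValueError("validation failed: " + code)
    chain = [p.text.strip() for p in ok.findall("cas:proxies/cas:proxy", CAS_NS)]
    return ok.findtext("cas:user", namespaces=CAS_NS), chain


# Constructed sample responses in CAS protocol XML (not captured from a real server).
PROXY_OK = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas"><cas:proxySuccess>'
            '<cas:proxyTicket>PT-1-example</cas:proxyTicket></cas:proxySuccess></cas:serviceResponse>')
PROXY_FAIL = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
              '<cas:proxyFailure code="INVALID_TICKET">PGT expired</cas:proxyFailure></cas:serviceResponse>')
VALIDATE_OK = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas"><cas:authenticationSuccess>'
               '<cas:user>jsmith</cas:user><cas:proxies><cas:proxy>https://app.example/servlet1/pgtCallback'
               '</cas:proxy></cas:proxies></cas:authenticationSuccess></cas:serviceResponse>')
```

Servlet 1 must have supplied a pgtUrl when it validated its own ST, otherwise it never holds a PGT to present at /proxy.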



Re: [cas-user] After a month, no tickets created in 4.2.2?

2016-08-22 Thread Misagh Moayyed
I hate to say this, but it depends! It depends what you mean by login, and it 
depends what you mean by 10 :) 

Before we start to discuss the answer to the ultimate question of life, the 
universe, and everything let me explode this a bit.

When you log into CAS, you get a TGT. You get an SSO session. That TGT remains 
alive so long as you don't log out and so long as its expiration policy says it 
should live. For every application you log into, you will get an ST. The 
application ideally keeps track of the user session so it wouldn't have to ask 
for more STs every time you refresh its page, for instance. So:

If you log in 10 times to 10 different apps, you get 1 TGT and 10 STs. If the 
act of logging in requires you to present credentials every time (i.e. 
renew=true), then that's still in the end 1 TGT and 10 STs active and eligible 
for clean up, because every time you generate a new TGT, the old one is 
immediately killed and destroyed and it will not show up in the clean up log. 

The cleanup process cleans expired tickets, regardless of the ticket type. 
Doesn't matter if it's a TGT, ST, OC, etc. There are many many other types. All 
you have to remember is, if it's expired, it gets removed at certain intervals. 
The only exception to this rule is, proxy tickets are not removed by the clean 
up process when you "logout" forcefully, and this is something that is fixed in 
the next patch release, thanks to William. But you're not using PTs, so... 

-- 
Misagh

From: Jeffrey Wong 
Reply: Jeffrey Wong 
Date: August 22, 2016 at 3:50:03 PM
To: CAS Community 
Cc: mmoay...@unicon.net 
Subject:  Re: [cas-user] After a month, no tickets created in 4.2.2?  

I am not making use of proxy granting tickets, but I'll report back if it's 
still an issue once 2.2.5 drops.

In the version that I have currently deployed, the counts on the tickets 
themselves seem strange to me - When I log in 10 times, that's 10 TGTs and 10 
STs, correct? So I should expect 20 tickets to be cleaned up, rather than 15. 
If it's only counting TGTs, then I should have 10 tickets total.

I've turned on debugging, and will be monitoring this issue for when it happens 
again, and let you know what I see in the logs. Meanwhile, can you confirm or 
correct my understanding of the current ticket cleanup log? It looks pretty 
strange from my end.

On Thursday, July 21, 2016 at 11:24:12 PM UTC-7, Misagh Moayyed wrote:
All expired tickets are removed by the cleaner, regardless of type. Come to 
think of it, do you use CAS for its proxy authentication features? That *might* 
have something to do with it, if you do.

I personally don’t know if I’d recommend switching, because I don’t know what 
the problem is. Generally, switching to something more robust and distributed 
is a good idea, but if the problem is something else, it will simply repeat and 
your new registry will have done nothing to fix it. I would instead turn up 
logs, load test as much as possible and keep it running under test for some 
time. Observe.  

-- 
Misagh

From: Jeffrey Wong 
Reply: Jeffrey Wong 
Date: July 20, 2016 at 3:27:17 PM
To: CAS Community 
Cc: mmoa...@unicon.net 
Subject:  Re: [cas-user] After a month, no tickets created in 4.2.2?

Grepping through what I have, I can confirm that the tickets are being removed, 
as I do have log statements like the following:

catalina.out.2.gz:2016-07-08 22:19:31,948 INFO 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <1 expired tickets 
found and removed.>
catalina.out.2.gz:2016-07-08 22:21:32,004 INFO 
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <2 expired tickets 
found and removed.>

I'm using the default in memory registry, the default 
tgt.maxTimeToLiveInSeconds + tgt.timeToKillInSeconds. st.timeToKillInSeconds=60.

Other pretty bare bones defaults:


Would you recommend perhaps a different ticket registry at this point perhaps? 
I don't think I'm hitting the maximum amount of tickets that the default ticket 
registry can hold by any means, since the maximum amount of tickets I'm seeing 
expire is 20. Mostly it's between 0-2 tickets that are expired, so I very much 
doubt the tickets being the memory bottleneck.

---

Before I posted the above, I dug a little and noticed a strange ~200 tickets 
being cleaned up a bit before the issue (an uptick in cleanup tickets). Perhaps 
moving to a more robust ticket registry (not just in memory) might actually

Re: [cas-user] Possible Bug With Proxy Tickets In CAS 5.0.0.RC1-SNAPSHOT

2016-08-22 Thread Misagh Moayyed

When you say "cannot use a ProxyTicket after submitting a ProxyGrantingTicket 
to the "/proxy" endpoint":

Your logs don’t show this. There is no validation failure for a given PT 
because it’s expired. In fact, all your STs and PTs are validated successfully.

-- 
Misagh

From: William 
Reply: William 
Date: August 22, 2016 at 1:47:27 PM
To: CAS Community 
Subject:  [cas-user] Possible Bug With Proxy Tickets In CAS 5.0.0.RC1-SNAPSHOT

I am running the following test on the latest CAS 5.0.0.RC1-SNAPSHOT build: 
https://github.com/wcrowell/cas-functional-tests/blob/5.0.x/src/test/groovy/org/apereo/cas/test/validation/MultiLevelProxySpec.groovy

I have run this test successfully against CAS 4.2.2, 4.2.4, 4.2.5-SNAPSHOT.

This test generates proxy tickets to access a really simple web app called 
protected-web-app which is a CAS client.

I noticed a behavior where I cannot use a ProxyTicket after submitting a 
ProxyGrantingTicket to the "/proxy" endpoint.  

For some reason CAS thinks it has already been used:

2016-08-22 16:06:44,947 DEBUG 
[org.apereo.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy] - 

and then it removes it:

2016-08-22 16:06:44,947 DEBUG 
[org.apereo.cas.ticket.registry.DefaultTicketRegistry] - 

I am not able to attach files in Google Groups for some reason.  Therefore, 
here is the link to the log: 
https://raw.githubusercontent.com/wcrowell/cas-functional-tests/5.0.x/logs/catalina.out

Did something change in CAS 5 with the ticket usage for Proxy Tickets or is 
this potentially a bug?

Thank you.


[cas-user] What is the best way to handle multiple web app SSO with CAS ?

2016-08-22 Thread Jayaranga Subasinghe
Hi,
I'm having multiple web apps deployed in different web containers,
e.g.:

Web Apps 

App A: (AngularJS + Spring): deployed in Tomcat T1
App B: (Spring REST services): deployed in Tomcat T2
App C: (web services): deployed in Tomcat T3

My requirement is to log in to App A and interact with App B and App C 
using the authentication information on App A's context.


1. What is the best way to achieve this?
2. What is the recommended solution for mobile apps? Is the proxy mechanism 
appropriate?

Thank You



