[cas-user] Re: principal attributes from ldap in CAS 4.2

2017-01-05 Thread jack matton
Hello. I have some trouble when integrating OpenLDAP with 4.2. Can you show 
your detailed deployerConfigContext.xml?

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/44e0f525-0730-496b-b9e2-5cd7973de847%40apereo.org.


Re: [cas-user] CAS4 flow decode execution error, is this an issue?

2017-01-05 Thread Misagh Moayyed
Not unless you are doing OAuth or OpenID Connect, and not unless you switch to a 
server-backed session storage for webflow (which you probably can't in 4 anyway).

> So, session affinity is NOT required for CAS to work correctly.
>
> Thx!





Re: [cas-user] CAS4 flow decode execution error, is this an issue?

2017-01-05 Thread Yan Zhou

I see. There are two sets of keys. I am missing webflow..key

ALL nodes SHARE the same key. For some reason, I thought each node would 
have a unique key, but obviously I was wrong.


So, session affinity is NOT required for CAS to work correctly.

Thx!


On 1/5/2017 2:19 PM, Misagh Moayyed wrote:

1. Keys must be the same across all nodes.
2. Your previous error says something about webflow decryption. Your 
config has no keys defined for that purpose.


--
Misagh


Re: [cas-user] CAS4 flow decode execution error, is this an issue?

2017-01-05 Thread Misagh Moayyed
1. Keys must be the same across all nodes. 
2. Your previous error says something about webflow decryption. Your config has 
no keys defined for that purpose. 

-- 
Misagh

From: Yan Zhou 
Reply: cas-user@apereo.org 
Date: January 5, 2017 at 10:25:09 PM
To: CAS Community 
Subject:  Re: [cas-user] CAS4 flow decode execution error, is this an issue?  



Re: [cas-user] CAS4 flow decode execution error, is this an issue?

2017-01-05 Thread Yan Zhou

Hi, 

This is one server's cas.properties. The other server is very similar, 
other than the host name being dcasde02, and it has a different signing key and 
encryption key, since they are unique per server.

Is there any misconfiguration you can see? If a CAS cluster can work 
without session affinity, how does one server decrypt a value encrypted by 
another server using a different key?

Thx!

server.name=http://dcasde01:8443
server.prefix=${server.name}/cas
cas.securityContext.status.access=hasIpAddress('172.18.100.52')
cas.securityContext.statistics.access=hasIpAddress('172.18.100.52')
cas.themeResolver.defaultThemeName=cas-theme-default
cas.viewResolver.basename=default_views
host.name=dcasde01.dev.medplus.com
tgc.encryption.key=LqWoZsHfEYQZ3KIzWiC_KE8iUoKXK48FgTiIDpTZs80
tgc.signing.key=O7Y5GookFVgYjhTE2sQZPxTeUr07jlcNDIo5G34rSxulP1FPaYs-5_dc_87a5OrOEvAAp0BImQ9sPxuy_MX-jQ
hz.cluster.members=dcasde01.dev.medplus.com,dcasde02.dev.medplus.com
cas.logout.followServiceRedirects=true
tgt.maxTimeToLiveInSeconds=28800
st.timeToKillInSeconds=300
service.registry.config.location=file:///etc/cas-config/cas-management/services



On Thursday, January 5, 2017 at 12:49:42 PM UTC-5, sesharaju sv wrote:
>
> Hello Yan, 
>
> You would have missed some configuration in cas.properties. Please 
> share your properties so that we can review and let you know the issue. 
>
> Thanks 
> Seshu 

Re: [cas-user] Re: CAS 5.0.0 JDBC authentication question

2017-01-05 Thread mrcasa bengaluru
Are you using the Gradle or Maven overlay method?

If so, you have to add the CAS JDBC dependencies to your cas/build.gradle or
pom.xml file:

cas-server-support-jdbc

cas-server-support-jdbc-drivers



On Tue, Dec 27, 2016 at 8:04 AM, bob  wrote:

> Hello MVK, I met the same problem. Have you solved it now?
>
> On Wednesday, 21 December 2016 at 5:49:51 AM UTC+8, mvk wrote:
>
>> Hi All.
>> I am trying to setup CAS 5.0.0.
>>
>> So I installed CAS 5.0.0 per instructions and all works and now I am
>> trying to add a simple mysql authentication.
>>
>> This is the code I added to application.properties. I tried to run the
>> search function as well as the query, with and without [], and I changed the
>> password with different encoding options. Nothing seems to make a
>> difference. Note: the name of the user database is called "user", it is not
>> a typo :)
>>
>> cas.authn.jdbc.query.fieldUser=username
>> cas.authn.jdbc.query.sql=SELECT password FROM user WHERE username=?
>> cas.authn.jdbc.query.healthQuery=SELECT 1 FROM db_example.user
>> cas.authn.jdbc.query.tableUsers=user
>> cas.authn.jdbc.query.fieldPassword=password
>> cas.authn.jdbc.query.passwordEncoder.type=DEFAULT
>> cas.authn.jdbc.query.url=jdbc:mysql://localhost:3306/db_example
>> cas.authn.jdbc.query.user=dbuser
>> cas.authn.jdbc.query.password=dbpassword
>> cas.authn.jdbc.query.driverClass=com.mysql.jdbc.Driver
>>
>> This is the error I am getting
>>
>> > find authentication handler that supports [admin] of type
>> [UsernamePasswordCredential], which suggests a configuration problem.>
>>
>> I am missing something not sure what it is. Any pointers and tips are
>> greatly appreciated.
>>



Re: [cas-user] CAS4 flow decode execution error, is this an issue?

2017-01-05 Thread sesharaju sv
Hello Yan,

You would have missed some configuration in cas.properties. Please
share your properties so that we can review and let you know the issue.

Thanks
Seshu

On 5 January 2017 at 20:17, Yan Zhou  wrote:
> Hello,
>
> When you submit the CAS4 login page, sometimes you get a "Decode flow execution
> error". For a long time, I have been struggling as to why this happens. I
> think we have an answer.
>
> This most likely happens in a cluster environment when you have multiple
> active CAS4 servers. They each have a different signing key. The webflow
> values are encrypted by the CAS server handling the request and sent back in the CAS
> login form; when the form is submitted, the encrypted value comes back to the CAS
> server. Without session affinity, one server can sign the data, but the
> other server won't decrypt it, because the keys are different.
>
> That is my theory; do you think that would cause this error? I did verify
> that when the server cannot decrypt data, it results in a null value, which causes
> the following exception.
>
> 2016-11-23 15:21:01,746 ERROR [org.jasig.cas.util.BinaryCipherExecutor] - Unable to correctly extract the Initialization Vector or ciphertext.
> org.apache.shiro.crypto.CryptoException: Unable to correctly extract the Initialization Vector or ciphertext.
>     at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:378)
>     at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:120)
>     at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:42)
>     at org.jasig.cas.web.flow.CasWebflowCipherBean.decrypt(CasWebflowCipherBean.java:58)
>     at org.jasig.spring.webflow.plugin.EncryptedTranscoder.decode(EncryptedTranscoder.java:105)
>     at org.jasig.spring.webflow.plugin.ClientFlowExecutionRepository.getFlowExecution(ClientFlowExecutionRepository.java:90)
>     at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:168)
>     at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:228)
>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967)
>     at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869)
>     at javax.servlet.http.HttpServlet.service(Unknown Source)
>     at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843)
>     at javax.servlet.http.HttpServlet.service(Unknown Source)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(Unknown Source)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
>     at org.jasig.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:227)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
>     at org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:250)
>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
>     at org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
>     at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
>     at org.apache.catalina.core.ApplicationFilterChain
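The two-node exchange Yan describes (login form rendered by one server, posted through a balancer without session affinity to the other), as an added example that is not CAS code and not from anyone in this thread. It mimics CAS 4's encrypt-then-sign handling of client-side webflow state with an encryption key and a signing key in the same unpadded base64url shape as the tgc.* values in the cas.properties above (32 and 64 bytes). AES is replaced by an HMAC-SHA256 keystream so the file runs on the Python standard library alone; that stand-in, the host names and the flow-state string are this example's own. It shows Misagh's point from three sides: a token round-trips only when both nodes hold the same pair, fails signature verification when the signing keys differ (returning nothing to decrypt, like the null Yan observed), and decrypts to garbage when only the signing key is shared. Generate the pair once, put the same values in every node's cas.properties for both the TGC and the webflow settings, and treat them as secrets: the keys quoted in this thread are public now and should not be reused anywhere.

```python
"""Why a CAS cluster without session affinity needs one shared key pair.

Added example, not CAS code. Mimics the encrypt-then-sign scheme CAS 4
applies to client-side webflow state closely enough to show the failure
mode in the thread. Keys follow the shape of the cas.properties values:
unpadded base64url, 32-byte encryption key, 64-byte signing key. AES is
replaced by an HMAC-derived keystream (stdlib only); do not reuse that part.
"""
import base64
import hashlib
import hmac
import os

TAG_LEN = 64     # HMAC-SHA512 output, matching the 512-bit signing key
NONCE_LEN = 16


def b64u_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_key_pair() -> tuple:
    """Generate one (encryption, signing) pair. Generate it ONCE per cluster
    and copy the same two strings into every node's cas.properties."""
    return b64u_encode(os.urandom(32)), b64u_encode(os.urandom(64))


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream derived from the encryption key (stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class CasNode:
    """One CAS server, identified by host name, holding its configured keys."""

    def __init__(self, host: str, enc_key_b64: str, sign_key_b64: str):
        self.host = host
        self.enc_key = b64u_decode(enc_key_b64)
        self.sign_key = b64u_decode(sign_key_b64)

    def encode(self, state: bytes) -> str:
        """Render time: encrypt the flow state, then sign nonce || ciphertext."""
        nonce = os.urandom(NONCE_LEN)
        ks = _keystream(self.enc_key, nonce, len(state))
        body = nonce + bytes(a ^ b for a, b in zip(state, ks))
        tag = hmac.new(self.sign_key, body, hashlib.sha512).digest()
        return b64u_encode(body + tag)

    def decode(self, token: str):
        """Submit time: verify the signature first. A mismatch yields None
        (the null the thread describes) and nothing is decrypted."""
        raw = b64u_decode(token)
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.sign_key, body, hashlib.sha512).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
        return bytes(a ^ b for a, b in zip(ct, _keystream(self.enc_key, nonce, len(ct))))


# Constructed flow state; the real value is a serialized Spring Webflow snapshot.
STATE = b"flowExecutionKey=e1s1;service=https://app.example.com/"


def round_trip(node_a: CasNode, node_b: CasNode) -> bool:
    """Form rendered by node_a, POSTed via a non-sticky balancer to node_b."""
    return node_b.decode(node_a.encode(STATE)) == STATE


def per_node_keys() -> bool:
    """Yan's original setup: each node generated its own pair."""
    return round_trip(CasNode("dcasde01", *new_key_pair()),
                      CasNode("dcasde02", *new_key_pair()))


def shared_keys() -> bool:
    """Misagh's fix: the same pair on every node."""
    enc, sig = new_key_pair()
    return round_trip(CasNode("dcasde01", enc, sig), CasNode("dcasde02", enc, sig))


def only_signing_key_shared() -> bool:
    """Half a pair is not enough: the signature verifies but the state
    decrypts to garbage, so the flow still cannot resume."""
    _, sig = new_key_pair()
    enc_a, _ = new_key_pair()
    enc_b, _ = new_key_pair()
    return round_trip(CasNode("dcasde01", enc_a, sig), CasNode("dcasde02", enc_b, sig))


if __name__ == "__main__":
    print("per-node keys:", per_node_keys())             # False
    print("shared keys:  ", shared_keys())               # True
    print("signing only: ", only_signing_key_shared())   # False
```

Running the file prints the three outcomes. With a shared pair the balancer no longer needs sticky sessions for plain CAS logins, which is what Misagh confirms above (OAuth/OpenID Connect and server-backed webflow storage aside); the ticket side of the cluster is already shared through the Hazelcast registry that hz.cluster.members configures.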

Re: [cas-user] Service Ticket Validation

2017-01-05 Thread Andrew Morgan
As defined by the CAS protocol, Service Tickets can only be validated 
once.  They cannot be reused.


Andy

On Thu, 5 Jan 2017, Gokhan Mansuroglu wrote:


I am asking how to prevent someone reusing a ST from a different client IP.



Re: [cas-user] Service Ticket Validation

2017-01-05 Thread Gokhan Mansuroglu
I am asking how to prevent someone reusing a ST from a different client IP.

On Thursday, 5 January 2017 at 19:50:03 UTC+3, Ray Bon wrote:
>
> Gokhan,
>
> Are you asking how to reuse a ST or are you asking how to prevent someone 
> reusing a ST?
>
> I will answer the second. ST lifetime is short (10 seconds by default, I 
> think). Once a ST has been submitted to CAS for validation (step 4 below) 
> or ticket lifetime has passed, CAS will mark the ST as expired and it can 
> no longer be used.
>
> Ray


Re: [cas-user] Service Ticket Validation

2017-01-05 Thread Ray Bon
Gokhan,

Are you asking how to reuse a ST or are you asking how to prevent someone
reusing a ST?

I will answer the second. ST lifetime is short (10 seconds by default, I
think). Once a ST has been submitted to CAS for validation (step 4
below) or ticket lifetime has passed, CAS will mark the ST as expired
and it can no longer be used.

Ray

On 2017-01-05 04:14, Gokhan Mansuroglu wrote:
> Hi,
>
> I have an additional requirement for the CAS protocol. I will simplify the
> protocol just to explain my case:
>
> 1. Client tries to access https://app.example.com
> 2. Browser is redirected to
> https://cas.example.com/cas/login?service=https://app.example.com
> 3. User authenticates with username and password and is redirected to
> https://app.examle.com?ticket=ST-xxx
> 4. The app sends a validation request and gets the authentication
> information.
>
> Let's say you want to be able to use the service ticket multiple times.
> Then whoever has the link https://app.examle.com?ticket=ST-xxx can
> successfully log in to the application, which results in a very risky situation.
>
> What is your solution to this problem?
>
> Thank you very much.

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE C023 | r...@uvic.ca

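
The two properties Ray describes, single use and a short lifetime, are what make the leaked
https://app.example.com?ticket=ST-xxx link in Gokhan's question harmless once it has been
used. The following is an added example, not CAS code and not part of either message: a
minimal service-ticket registry that consumes a ST on its first validation, expires it after
the 10 second default quoted above, and checks that the ticket is presented by the service it
was granted for. The class and function names, the FakeClock used to exercise expiry without
sleeping, and the user "alice" are constructed for the demo; the failure codes mirror the
CAS protocol's INVALID_TICKET and INVALID_SERVICE.

```python
"""One-time, short-lived service tickets (added example, not CAS code)."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

ST_LIFETIME_SECONDS = 10  # the default lifetime quoted in the thread


@dataclass
class ServiceTicket:
    ticket_id: str
    service: str       # the service= parameter the ST was granted for
    principal: str
    created_at: float


class FakeClock:
    """Deterministic clock so expiry can be exercised without sleeping."""

    def __init__(self, start: float) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class ServiceTicketRegistry:
    def __init__(self, clock: Callable[[], float] = time.time,
                 lifetime: float = ST_LIFETIME_SECONDS) -> None:
        self._tickets: Dict[str, ServiceTicket] = {}
        self._clock = clock
        self._lifetime = lifetime

    def grant(self, service: str, principal: str) -> str:
        # Unguessable id: while it is live, the ST is a bearer credential.
        ticket_id = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket_id] = ServiceTicket(ticket_id, service, principal, self._clock())
        return ticket_id

    def validate(self, ticket_id: str, service: str) -> Tuple[Optional[str], str]:
        """Return (principal, code). Any outcome consumes the ticket."""
        st = self._tickets.get(ticket_id)
        if st is None:
            return None, "INVALID_TICKET"      # unknown, already used, or purged
        # Remove the ticket before any further check so this validation is the
        # last thing the ticket can ever produce, whatever the result.
        del self._tickets[ticket_id]
        if self._clock() - st.created_at > self._lifetime:
            return None, "INVALID_TICKET"      # expired
        if st.service != service:
            return None, "INVALID_SERVICE"     # granted for a different service
        return st.principal, "OK"


def replay_scenario() -> Tuple[Tuple[Optional[str], str], Tuple[Optional[str], str]]:
    """The leaked link is used once legitimately, then replayed."""
    clock = FakeClock(1_000.0)
    registry = ServiceTicketRegistry(clock=clock.now)
    st = registry.grant("https://app.example.com", "alice")
    first = registry.validate(st, "https://app.example.com")
    second = registry.validate(st, "https://app.example.com")
    return first, second


def expiry_scenario() -> Tuple[Optional[str], str]:
    """The link is only presented after the lifetime has passed."""
    clock = FakeClock(1_000.0)
    registry = ServiceTicketRegistry(clock=clock.now)
    st = registry.grant("https://app.example.com", "alice")
    clock.advance(ST_LIFETIME_SECONDS + 1)
    return registry.validate(st, "https://app.example.com")


def wrong_service_scenario() -> Tuple[Optional[str], str]:
    """A ST granted for app.example.com is presented by another service."""
    clock = FakeClock(1_000.0)
    registry = ServiceTicketRegistry(clock=clock.now)
    st = registry.grant("https://app.example.com", "alice")
    return registry.validate(st, "https://other.example.net")


if __name__ == "__main__":
    print(replay_scenario())
    print(expiry_scenario())
    print(wrong_service_scenario())
```

The order inside validate() is the point of the example: the ticket is deleted before the
expiry and service checks, so a replay of the same link gets INVALID_TICKET regardless of
how the first validation ended, and a ticket that fails the service check cannot be retried
against the right service either.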


Re: [cas-user] inspektr-jdbc-audit-config.xml

2017-01-05 Thread Uxío
Is the new database being served from the same host URL and port that served 
the original one?

If not, have you checked JDBC connectivity to that target destination host 
from the desired source host using another JDBC tool (not Apereo CAS), like a 
CLI client (the SQL*Plus-like alternative Microsoft provides for connecting to 
the database they license) or the lovely SchemaSpy tool?

Hope that helped,

Sent from my iPhone

> On 03 Jan 2017, at 17:59, carlos maddaleno cuellar 
>  wrote:
> 
> Hi, I need some help. I'm trying to configure my audit to a SQL Server database. 
> On my Oracle it is working fine, but when I change the cas.properties to my SQL 
> Server the log says
> 
> org.springframework.beans.factory.BeanCreationException: Error creating bean 
> with name 'inspektrAuditEntityManagerFactory' defined in class path resource 
> [inspektr-jdbc-audit-config.xml]: Invocation of init method failed; nested 
> exception is javax.persistence.PersistenceException: [PersistenceUnit: 
> default] Unable to build Hibernate SessionFactory
> 
> Caused by: javax.persistence.PersistenceException: [PersistenceUnit: default] 
> Unable to build Hibernate SessionFactory
> 
> 
> Caused by: org.hibernate.exception.GenericJDBCException: Unable to obtain 
> JDBC Connection
> 
> the params in my cas.properties are these:
> 
> #cas.audit.max.agedays=
> #cas.audit.database.dialect=
> #cas.audit.database.batchSize=
> cas.audit.database.ddl.auto=validate
> cas.audit.database.gen.ddl=false
> cas.audit.database.show.sql=true
> cas.audit.database.driverClass=com.microsoft.sqlserver.jdbc.SQLServerDriver
> cas.audit.database.url=jdbc:sqlserver://172.18.141.81\DESA;databaseName=SEGURIDAD_BOLSA_EMPLEO
> cas.audit.database.user=sa_desarrollo
> cas.audit.database.password=EPXV5AA9BQ
> #cas.audit.database.pool.minSize=
> #cas.audit.database.pool.minSize=
> #cas.audit.database.pool.maxSize=
> #cas.audit.database.pool.maxIdleTime=
> #cas.audit.database.pool.maxWait=
> #cas.audit.database.pool.acquireIncrement=
> #cas.audit.database.pool.acquireRetryAttempts=
> #cas.audit.database.pool.acquireRetryDelay=
> #cas.audit.database.pool.idleConnectionTestPeriod=
> #cas.audit.database.pool.connectionHealthQuery=
> 
> 
> cas.audit.database.dialect=org.hibernate.dialect.SQLServerDialect
> 
> 
> 

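
Besides testing connectivity with another JDBC client, it is worth confirming what value CAS
actually receives for the URL. This is an added check, not part of the thread and not Apereo
code. cas.properties is read with java.util.Properties semantics (to my understanding, via
Spring's property-loading support), and Properties.load() treats a backslash as an escape
character: a backslash before a character that is not a valid escape is silently dropped. The
snippet below emulates that loading rule on a constructed fragment modelled on the quoted
configuration (placeholder database name and credentials, not the poster's values), shows that
172.18.141.81\DESA comes out as 172.18.141.81DESA, flags such values, and builds the
instanceName= form of the URL, which the Microsoft JDBC driver accepts and which avoids the
backslash entirely. The helper names are hypothetical.

```python
"""java.util.Properties loading rules applied to a cas.properties fragment (added example)."""
import re
from typing import Dict, Iterator, List, Tuple

_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def _logical_lines(text: str) -> Iterator[str]:
    """Join continuation lines and skip blanks/comments, as Properties.load() does."""
    buf = None
    for raw in text.splitlines():
        line = raw.lstrip()                 # leading whitespace is never significant
        if buf is None:
            if not line or line[0] in "#!":
                continue
            buf = ""
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:               # odd number of trailing backslashes: continue
            buf += line[:-1]
            continue
        buf += line
        yield buf
        buf = None
    if buf is not None:
        yield buf


def _split_key_value(line: str) -> Tuple[str, str]:
    """Key ends at the first unescaped '=', ':' or whitespace."""
    i, key = 0, []
    while i < len(line):
        c = line[i]
        if c == "\\":
            key.append(line[i:i + 2]); i += 2; continue
        if c in "=: \t\f":
            break
        key.append(c); i += 1
    while i < len(line) and line[i] in " \t\f":
        i += 1
    if i < len(line) and line[i] in "=:":
        i += 1
    while i < len(line) and line[i] in " \t\f":
        i += 1
    return "".join(key), line[i:]


def _unescape(s: str) -> str:
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c != "\\":
            out.append(c); i += 1; continue
        i += 1
        if i >= len(s):
            break
        c = s[i]
        if c == "u":                        # \uXXXX
            out.append(chr(int(s[i + 1:i + 5], 16))); i += 5; continue
        # \t \n \r \f and \\ are kept; any other backslash is silently dropped
        out.append(_SIMPLE_ESCAPES.get(c, c)); i += 1
    return "".join(out)


def load_java_properties(text: str) -> Dict[str, str]:
    props = {}
    for line in _logical_lines(text):
        k, v = _split_key_value(line)
        props[_unescape(k)] = _unescape(v)
    return props


def suspicious_backslashes(text: str) -> List[Tuple[str, str]]:
    """Report (key, escape) where a lone backslash will be dropped on load."""
    findings = []
    for line in _logical_lines(text):
        k, v = _split_key_value(line)
        for m in re.finditer(r"(?<!\\)\\([^\\tnrfu])", v):
            findings.append((k, m.group(0)))
    return findings


def named_instance_url(host: str, instance: str, database: str) -> str:
    """Named-instance URL without a backslash, using the driver's instanceName property."""
    return f"jdbc:sqlserver://{host};instanceName={instance};databaseName={database}"


# Constructed fragment modelled on the quoted cas.properties; placeholder DB name and
# credentials. The Python source writes \\DESA so the file text contains \DESA.
CAS_PROPERTIES = """\
cas.audit.database.driverClass=com.microsoft.sqlserver.jdbc.SQLServerDriver
cas.audit.database.url=jdbc:sqlserver://172.18.141.81\\DESA;databaseName=AUDITDB
cas.audit.database.user=cas_audit
cas.audit.database.password=CHANGEME
"""

if __name__ == "__main__":
    print(load_java_properties(CAS_PROPERTIES)["cas.audit.database.url"])
    print(suspicious_backslashes(CAS_PROPERTIES))
    print(named_instance_url("172.18.141.81", "DESA", "AUDITDB"))
```

If the named-instance form is kept, the backslash has to be doubled in the properties file
(172.18.141.81\\DESA). A separate point a reviewer would raise about the quoted message: it
contains a live database password, and credentials posted to a public list should be rotated.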


[cas-user] CAS4 flow decode execution error, is this an issue?

2017-01-05 Thread Yan Zhou
Hello, 

When you submit the CAS4 login page, sometimes you get a "Decode flow execution 
error". For a long time, I have been struggling as to why this happens. I 
think we have an answer. 

This most likely happens in a cluster environment when you have multiple 
active CAS4 servers. They each have a different signing key. The webflow 
values are encrypted by the CAS server handling the request and sent back to 
the CAS login form; when the form is submitted, the encrypted value comes back to 
a CAS server. Without session affinity, one server can sign the data, but 
the other server won't decrypt it, because the keys are different.

That is my theory; do you think that would cause this error? I did verify 
that when a server cannot decrypt data, it results in a null value, which 
causes the following exception. 


2016-11-23 15:21:01,746 ERROR [org.jasig.cas.util.BinaryCipherExecutor] - Unable to correctly extract the Initialization Vector or ciphertext.
org.apache.shiro.crypto.CryptoException: Unable to correctly extract the Initialization Vector or ciphertext.
    at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:378)
    at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:120)
    at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:42)
    at org.jasig.cas.web.flow.CasWebflowCipherBean.decrypt(CasWebflowCipherBean.java:58)
    at org.jasig.spring.webflow.plugin.EncryptedTranscoder.decode(EncryptedTranscoder.java:105)
    at org.jasig.spring.webflow.plugin.ClientFlowExecutionRepository.getFlowExecution(ClientFlowExecutionRepository.java:90)
    at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:168)
    at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:228)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967)
    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869)
    at javax.servlet.http.HttpServlet.service(Unknown Source)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843)
    at javax.servlet.http.HttpServlet.service(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
    at org.jasig.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:227)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
    at org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:250)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
    at org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
    at org.apache.catalina.core.StandardWrapperValve.invoke(Unknown Source)
    at org.apache.catalina.core.StandardContextValve.invoke(Unknown Source)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Unknown Source)
    at org.apache.catalina.core.StandardHostValve.invoke(Unknown Source)
    at org.apache.catalina
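
The trace shows why keys matter here: ClientFlowExecutionRepository stores the flow execution
on the client side, so the serialised state travels through the browser in the login form and
is decoded by whichever node receives the POST. The following is an added example, not CAS
code and not part of Yan's message: a two-node model in which cas1 renders the form and, with
no session affinity, cas2 handles the submit. CAS both encrypts and signs this state; the model
covers only the signing half with HMAC-SHA256, because the standard library has no AES, and
the node class, the flow-state fields and the key generation are constructed for the demo. It
passes when both nodes hold the same key and fails, as Misagh says in his reply, when they do
not.

```python
"""Client-side webflow state across CAS nodes (added example, not CAS code)."""
import base64
import hashlib
import hmac
import json
import secrets

TAG_LEN = hashlib.sha256().digest_size


def protect(state: dict, signing_key: bytes) -> str:
    """Serialise and MAC the flow state; this is what the hidden form field carries."""
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(signing_key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def unprotect(token: str, signing_key: bytes) -> dict:
    """Verify the MAC before touching the payload; raise on any mismatch."""
    raw = base64.urlsafe_b64decode(token.encode())
    if len(raw) <= TAG_LEN:
        raise ValueError("flow execution decode failed: token too short")
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(signing_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("flow execution decode failed: signature mismatch")
    return json.loads(payload.decode())


class CasNode:
    """Hypothetical CAS node holding its own copy of the webflow signing key."""

    def __init__(self, name: str, signing_key: bytes) -> None:
        self.name = name
        self.signing_key = signing_key

    def render_login_form(self, flow_state: dict) -> str:
        return protect(flow_state, self.signing_key)

    def handle_login_post(self, execution_token: str) -> dict:
        return unprotect(execution_token, self.signing_key)


def generate_signing_key() -> bytes:
    """A fresh 256-bit key; the same value must be configured on every node."""
    return secrets.token_bytes(32)


def login_round_trip(shared_keys: bool) -> bool:
    """GET served by cas1; the POST lands on cas2 (no session affinity)."""
    key_a = generate_signing_key()
    key_b = key_a if shared_keys else generate_signing_key()   # per-node key when False
    cas1, cas2 = CasNode("cas1", key_a), CasNode("cas2", key_b)
    token = cas1.render_login_form(
        {"flowExecutionKey": "e1s1", "service": "https://app.example.com"})
    try:
        state = cas2.handle_login_post(token)
    except ValueError:
        return False
    return state["service"] == "https://app.example.com"


def tampered_token_rejected() -> bool:
    """Even with the right key, a token whose payload was altered must not decode."""
    key = generate_signing_key()
    node = CasNode("cas1", key)
    token = node.render_login_form(
        {"flowExecutionKey": "e1s1", "service": "https://app.example.com"})
    raw = bytearray(base64.urlsafe_b64decode(token.encode()))
    raw[0] ^= 0x01                                  # flip one bit of the payload
    forged = base64.urlsafe_b64encode(bytes(raw)).decode()
    try:
        node.handle_login_post(forged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("shared keys:", login_round_trip(shared_keys=True))     # True
    print("per-node keys:", login_round_trip(shared_keys=False))  # False
    print("tampering detected:", tampered_token_rejected())       # True
```

The operational consequence is the one given in the thread: generate the webflow encryption
and signing keys once and configure the identical values on every node, rather than letting
each node generate its own at startup.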

[cas-user] Service Ticket Validation

2017-01-05 Thread Gokhan Mansuroglu
Hi,

I have an additional requirement for the CAS protocol. I will simplify the 
protocol just to explain my case:

1. Client tries to access https://app.example.com
2. Browser is redirected to 
https://cas.example.com/cas/login?service=https://app.example.com
3. User authenticates with username and password and is redirected to 
https://app.example.com?ticket=ST-xxx
4. The app sends a validation request and gets the authentication 
information.

Let's say you want to be able to use the service ticket multiple times. Then 
whoever has the link https://app.example.com?ticket=ST-xxx can 
successfully log in to the application, which results in a very risky situation.

What is your solution to this problem?

Thank you very much.
