Re: [cas-user] Preventing removal of OAuth tokens upon TGT expiration for one service

2017-09-25 Thread 'Caleb D' via CAS Community
Hey Ray, thanks for responding.

Yes, the application frequently uses the OAuth access token and refresh 
token given to it after the user authenticates. During each application 
invocation, the application uses the access token it was given as 
authentication in some web service calls. If the access token is expired, 
it uses the refresh token to obtain a new access token (this is typical 
behavior in OAuth 2). However, if the refresh token is invalid (e.g. due to 
expired TGT), the application interaction is halted. The UX for this 
scenario is poor and this behavior is outside our control. This is for some 
hands free voice integration work, so even if we could somehow reprompt for 
authentication the user wouldn't be in a good position to provide 
credentials (or might not be able to because the hardware was configured by 
someone else).

That leads us to a solution of keeping refresh tokens alive for a long 
time, but we don't want to increase the TGT max life because that would 
affect other services as well and feels too broad with unknown implications.

We've set logoutType to NONE on the service definition for this 
application, but this only disables CAS' behavior of POSTing to a logout 
endpoint for the application. It doesn't change the behavior of expiring 
OAuth refresh tokens when the parent TGT expires. It looks like the way to 
change that behavior is to override the logoutExecutionPlan bean or to 
define our own LogoutManager and I was hoping to find or hear of an example 
of doing such.

The problematic code we want to work around can be seen in the CAS source, 
the method CasCoreLogoutConfiguration::configureLogoutExecutionPlan.

When a TGT is expired, all descendant tickets are also deleted. The default 
logoutExecutionPlan bean configures the behavior, so hence my questions 
regarding overriding it.

Thanks,
Caleb


On Monday, September 25, 2017 at 6:38:41 PM UTC-4, rbon wrote:
>
> Caleb,
>
> You can turn off single logout for that application (more accurately, not 
> turn it on).
> Or are you saying that this application periodically probes CAS to check 
> for a valid login?
>
> Ray
>
> On Mon, 2017-09-25 at 15:15 -0700, 'Caleb D' via CAS Community wrote:
>
> Hello, 
>
> We're trying to implement a special case behavior in CAS 5 concerning 
> OAuth. When a user authenticates, a TGT, refresh token, and access token 
> are generated. By default when the TGT expires, the refresh token and 
> access token are also removed (lambda defined by 
> CasCoreLogoutConfiguration::configureLogoutExecutionPlan). We'd like to 
> special case one of our services and change this behavior so that when a 
> TGT expires the refresh token and access token remain. This is because our 
> service expects a very long lifetime for the refresh token and currently 
> doesn't reprompt for authentication if the refresh token is invalid. We 
> don't want to increase the lifetime of all TGTs (via 
> cas.ticket.tgt.timeout.maxTimeToLiveInSeconds) because that would affect 
> other services and is too broad.
>
> Is there a recommended approach for implementing this behavior? It looks 
> like overriding the logoutExecutionPlan bean is one potential approach. 
> Has anyone tried overriding logoutExecutionPlan or DefaultLogoutManager?
>
> Or, if there is another approach that better fits what we're trying to 
> achieve, please do share. We aren't concerned with the SSO aspect of CAS 
> for this particular service, we just want a long lasting refresh token that 
> isn't governed by a parent TGT.
>
> Interested in any direction or help the community can provide.
>
> Thanks,
> Caleb
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6d00767c-c328-47de-a8dd-5e4b9da33f13%40apereo.org.
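
A stand-alone Java model of the behaviour asked about in this thread, added here as an illustration; it is not CAS code and does not come from any poster. All class, method and service names are hypothetical. It shows descendant cleanup with one exempt service, and why tokens that outlive their TGT then need their own expiry sweep and revocation path.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

// Stand-alone model of a ticket registry. None of these types are CAS classes;
// all names and sample values are constructed for illustration.
public class DescendantCleanupModel {

    enum Kind { TGT, ACCESS_TOKEN, REFRESH_TOKEN }

    static final class Ticket {
        final String id;
        final Kind kind;
        final String principal;
        final String serviceId;   // null for the TGT itself
        final String parentTgt;   // null for the TGT itself
        final Instant hardExpiry; // the ticket's own expiration, independent of the TGT

        Ticket(String id, Kind kind, String principal, String serviceId,
               String parentTgt, Instant hardExpiry) {
            this.id = id; this.kind = kind; this.principal = principal;
            this.serviceId = serviceId; this.parentTgt = parentTgt; this.hardExpiry = hardExpiry;
        }
    }

    static final class Registry {
        private final Map<String, Ticket> tickets = new LinkedHashMap<>();
        private final Set<String> exemptServices; // services whose OAuth tokens may outlive the TGT

        Registry(Set<String> exemptServices) { this.exemptServices = exemptServices; }

        void add(Ticket t) { tickets.put(t.id, t); }

        List<String> ids() { return new ArrayList<>(tickets.keySet()); }

        // Removes every ticket matching the predicate and returns the removed ids.
        private List<String> removeWhere(Predicate<Ticket> doomed) {
            List<String> removed = new ArrayList<>();
            for (Iterator<Ticket> it = tickets.values().iterator(); it.hasNext();) {
                Ticket t = it.next();
                if (doomed.test(t)) { removed.add(t.id); it.remove(); }
            }
            return removed;
        }

        // TGT expired or was destroyed: drop it and every descendant, except
        // unexpired tokens that were issued to an exempt service.
        List<String> onTgtExpired(String tgtId, Instant now) {
            return removeWhere(t -> {
                if (t.id.equals(tgtId)) return true;
                if (!tgtId.equals(t.parentTgt)) return false;
                boolean exempt = exemptServices.contains(t.serviceId) && now.isBefore(t.hardExpiry);
                return !exempt;
            });
        }

        // Surviving tokens are no longer cleaned up through a TGT, so their own
        // expiry has to be enforced by a separate sweep.
        List<String> sweepExpired(Instant now) {
            return removeWhere(t -> !now.isBefore(t.hardExpiry));
        }

        // They also need a revocation path that does not go through logout,
        // e.g. when a device is lost or the account is disabled.
        List<String> revokeAllFor(String principal) {
            return removeWhere(t -> t.principal.equals(principal));
        }
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2017-09-25T12:00:00Z");
        String voice = "https://voice.example.org";   // exempt service (constructed)
        String portal = "https://portal.example.org"; // ordinary service (constructed)
        Registry reg = new Registry(Collections.singleton(voice));

        reg.add(new Ticket("TGT-1", Kind.TGT, "alice", null, null, t0.plus(Duration.ofHours(8))));
        reg.add(new Ticket("AT-voice", Kind.ACCESS_TOKEN, "alice", voice, "TGT-1", t0.plus(Duration.ofHours(9))));
        reg.add(new Ticket("RT-voice", Kind.REFRESH_TOKEN, "alice", voice, "TGT-1", t0.plus(Duration.ofDays(90))));
        reg.add(new Ticket("RT-portal", Kind.REFRESH_TOKEN, "alice", portal, "TGT-1", t0.plus(Duration.ofDays(90))));

        Instant tgtEnd = t0.plus(Duration.ofHours(8));
        System.out.println("removed at TGT expiry: " + reg.onTgtExpired("TGT-1", tgtEnd));
        System.out.println("still valid:           " + reg.ids());
        System.out.println("removed by sweep:      " + reg.sweepExpired(t0.plus(Duration.ofHours(10))));
        System.out.println("removed by revocation: " + reg.revokeAllFor("alice"));
        System.out.println("left in registry:      " + reg.ids());
    }
}
```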


Re: [cas-user] Preventing removal of OAuth tokens upon TGT expiration for one service

2017-09-25 Thread Ray Bon
Caleb,

You can turn off single logout for that application (more accurately, not turn 
it on).
Or are you saying that this application periodically probes CAS to check for a 
valid login?

Ray

On Mon, 2017-09-25 at 15:15 -0700, 'Caleb D' via CAS Community wrote:
Hello,

We're trying to implement a special case behavior in CAS 5 concerning OAuth. 
When a user authenticates, a TGT, refresh token, and access token are 
generated. By default when the TGT expires, the refresh token and access token 
are also removed (lambda defined by 
CasCoreLogoutConfiguration::configureLogoutExecutionPlan). We'd like to special 
case one of our services and change this behavior so that when a TGT expires 
the refresh token and access token remain. This is because our service expects 
a very long lifetime for the refresh token and currently doesn't reprompt for 
authentication if the refresh token is invalid. We don't want to increase the 
lifetime of all TGTs (via cas.ticket.tgt.timeout.maxTimeToLiveInSeconds) 
because that would affect other services and is too broad.

Is there a recommended approach for implementing this behavior? It looks like 
overriding the logoutExecutionPlan bean is one potential approach. Has anyone 
tried overriding logoutExecutionPlan or DefaultLogoutManager?

Or, if there is another approach that better fits what we're trying to achieve, 
please do share. We aren't concerned with the SSO aspect of CAS for this 
particular service, we just want a long lasting refresh token that isn't 
governed by a parent TGT.

Interested in any direction or help the community can provide.

Thanks,
Caleb

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca



[cas-user] Preventing removal of OAuth tokens upon TGT expiration for one service

2017-09-25 Thread 'Caleb D' via CAS Community
Hello,

We're trying to implement a special case behavior in CAS 5 concerning 
OAuth. When a user authenticates, a TGT, refresh token, and access token 
are generated. By default when the TGT expires, the refresh token and 
access token are also removed (lambda defined by 
CasCoreLogoutConfiguration::configureLogoutExecutionPlan). We'd like to 
special case one of our services and change this behavior so that when a 
TGT expires the refresh token and access token remain. This is because our 
service expects a very long lifetime for the refresh token and currently 
doesn't reprompt for authentication if the refresh token is invalid. We 
don't want to increase the lifetime of all TGTs (via 
cas.ticket.tgt.timeout.maxTimeToLiveInSeconds) because that would affect 
other services and is too broad.

Is there a recommended approach for implementing this behavior? It looks 
like overriding the logoutExecutionPlan bean is one potential approach. Has 
anyone tried overriding logoutExecutionPlan or DefaultLogoutManager?

Or, if there is another approach that better fits what we're trying to 
achieve, please do share. We aren't concerned with the SSO aspect of CAS 
for this particular service, we just want a long lasting refresh token that 
isn't governed by a parent TGT.

Interested in any direction or help the community can provide.

Thanks,
Caleb



[cas-user] CAS 5.1.4 Server with JDBC and SAML - Deployment error on Wildfly 10

2017-09-25 Thread SebastianU
Hi,

I'm migrating to Wildfly 10 and CAS 5.x and I'm getting errors deploying 
default overlay template...

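My pom.xml includes:

<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-jdbc</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-saml</artifactId>
        <version>${cas.version}</version>
    </dependency>
</dependencies>
...
<cas.version>5.1.4</cas.version>

Deployment fails with the following error: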

22:16:43,264 WARN 
 
[org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext]
 
(ServerService Thread Pool -- 112) Exception encountered during context 
initialization - cancelling refresh attempt: 
org.springframework.beans.factory.BeanCreationException: Error creating 
bean with name 'shibboleth.OpenSAMLConfig' defined in class path resource 
[org/apereo/cas/config/CoreSamlConfiguration.class]: Bean instantiation via 
factory method failed; nested exception is 
org.springframework.beans.BeanInstantiationException: Failed to instantiate 
[org.apereo.cas.support.saml.OpenSamlConfigBean]: Factory method 
'openSamlConfigBean' threw exception; nested exception is 
org.springframework.beans.factory.BeanCreationException: Error creating 
bean with name 'shibboleth.ParserPool' defined in class path resource 
[org/apereo/cas/config/CoreSamlConfiguration.class]: Bean instantiation via 
factory method failed; nested exception is 
org.springframework.beans.BeanInstantiationException: Failed to instantiate 
[net.shibboleth.utilities.java.support.xml.BasicParserPool]: Factory method 
'parserPool' threw exception; nested exception is 
java.lang.RuntimeException: java.lang.ClassNotFoundException: 
com.sun.org.apache.xerces.internal.util.SecurityManager from [Module 
"deployment.cas.war:main" from Service Module Loader]
22:16:43,279 ERROR [org.springframework.boot.SpringApplication] 
(ServerService Thread Pool -- 112) Application startup failed: 
org.springframework.beans.factory.BeanCreationException: Error creating 
bean with name 'shibboleth.OpenSAMLConfig' defined in class path resource 
[org/apereo/cas/config/CoreSamlConfiguration.class]: Bean instantiation via 
factory method failed; nested exception is 
org.springframework.beans.BeanInstantiationException: Failed to instantiate 
[org.apereo.cas.support.saml.OpenSamlConfigBean]: Factory method 
'openSamlConfigBean' threw exception; nested exception is 
org.springframework.beans.factory.BeanCreationException: Error creating 
bean with name 'shibboleth.ParserPool' defined in class path resource 
[org/apereo/cas/config/CoreSamlConfiguration.class]: Bean instantiation via 
factory method failed; nested exception is 
org.springframework.beans.BeanInstantiationException: Failed to instantiate 
[net.shibboleth.utilities.java.support.xml.BasicParserPool]: Factory method 
'parserPool' threw exception; nested exception is 
java.lang.RuntimeException: java.lang.ClassNotFoundException: 
com.sun.org.apache.xerces.internal.util.SecurityManager from [Module 
"deployment.cas.war:main" from Service Module Loader]
at 
org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:599)
...
Caused by: org.springframework.beans.BeanInstantiationException: Failed to 
instantiate [org.apereo.cas.support.saml.OpenSamlConfigBean]: Factory 
method 'openSamlConfigBean' threw exception; nested exception is 
org.springframework.beans.factory.BeanCreationException: Error creating 
bean with name 'shibboleth.ParserPool' defined in class path resource 
[org/apereo/cas/config/CoreSamlConfiguration.class]: Bean instantiation via 
factory method failed; nested exception is 
org.springframework.beans.BeanInstantiationException: Failed to instantiate 
[net.shibboleth.utilities.java.support.xml.BasicParserPool]: Factory method 
'parserPool' threw exception; nested exception is 
java.lang.RuntimeException: java.lang.ClassNotFoundException: 
com.sun.org.apache.xerces.internal.util.SecurityManager from [Module 
"deployment.cas.war:main" from Service Module Loader]
at 
org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:189)
at 
org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:588)
... 37 more
Caused by: org.springframework.beans.factory.BeanCreationException: Error 
creating bean with name 'shibboleth.ParserPool' defined in class path 
resource [org/apereo/cas/config/CoreSamlConfiguration.class]: Bean 
instantiation via factory method failed; nested exception is 
org.springframework.beans.BeanInstantiationException: Failed to instantiate 
[net.shibboleth.utilities.java.support.xml.BasicParserPool]: Factory method 
'parserPool' threw exception; nested exception is 
java.lang.RuntimeException: java.lang.ClassNotFoundException: 
com.sun.org.apache.xerces.internal.util.SecurityManager from [Module 
"deployment.cas.war:main" from Service Module Loader]


Do I need some special configuration I missed so far?
I followed https://apereo.github.io/cas/5.1.x/protocol/SAML-Protocol.html .

Any help appreciated!


[cas-user] CAS logout error

2017-09-25 Thread Diego Andres carvajal Ruiz
Hi, I have CAS running in Wildfly 10. It works fine; after a few hours, when 
users try to log out, it shows an error:

And here is the stack trace:

2017-09-15 09:33:49,437 ERROR [io.undertow.request] (default task-609) 
UT005023: Exception handling request to /cas/logout: 
org.springframework.web.util.NestedServletException: Request processing 
failed; nested exception is 
org.springframework.webflow.execution.ActionExecutionException: Exception 
thrown executing [AnnotatedAction@628ac17e targetAction = 
[EvaluateAction@a0cbc76 expression = 
terminateSessionAction.terminate(flowRequestContext), resultExpression = 
[null]], attributes = map[[empty]]] in state 'terminateSession' of flow 
'logout' -- action execution attributes were 'map[[empty]]'
at 
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:982)
at 
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
at 
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at 
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at 
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at 
org.jasig.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:227)
at 
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at 
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at 
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at 
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at 
org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:250)
at 
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at 
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at 
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at 
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at 
org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
at 
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at 
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at 
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at 
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at 
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at 
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at 
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at 
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at 
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at 
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at 
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at 
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at 
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at 
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at 
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at 
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at 
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at 
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at 
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at 

[cas-user] Fwd: [apereo-announcements] Hold the Dates for Open Apereo 2018!

2017-09-25 Thread Misagh Moayyed

See below. 

- Forwarded Message -
> From: "Ian Dolphin" 
> To: announceme...@apereo.org, "Open" 
> Sent: Monday, September 25, 2017 7:26:50 AM
> Subject: [apereo-announcements] Hold the Dates for Open Apereo 2018!

> I am pleased to announce that Open Apereo 2018 will be held between Sunday June
> 3rd and Thursday June 7th 2018, at the Delta Hotel by Marriott in downtown
> Montreal, Quebec.
> 
> The Open Apereo Conference Organizing Committee plays an invaluable role in
> ensuring Open Apereo continues to be a successful event. If you would like to
> help by volunteering for the committee, please drop me a line at the address
> below.
> 
> See you in Montreal!
> 
> Regards
> 
> Ian
> 
> —
> 
> Executive Director, Apereo Foundation
> ian.dolp...@apereo.org
> 



[cas-user] CAS 5.1.x Password reset link contains dot that breaks link on some devices/apps.

2017-09-25 Thread William Jojo
Is there a quick way to change the link sent from CAS PM? The link often 
contains multiple instances of a period which breaks the links in some 
readers/apps.

Changing the period to %2e always works, but can this be done within 
CAS? Should I file this as a bug?

Thank you!



[cas-user] Re: CAS 5.1.x Custom template. Anyone get this working?

2017-09-25 Thread William Jojo
We did finally get this working. File placement was key!

Thank you!

On Tuesday, September 19, 2017 at 9:51:06 PM UTC-4, Andy Ng wrote:
>
> To my recollection, there have been a lot of theme-related posts in this 
> group. I also tried to make themes work on my project when I worked on 
> 5.1.x, which failed.
>
> However, when I updated my project to 5.2.0-RC3, I actually made the theme 
> work, and here is how the folders and files in my project are laid out; 
> maybe you will find this useful. (The method below is probably not going to 
> work on 5.1.x; you can try it yourself though.)
>
>
> Let's say our theme is called jurassic.
>
>
> What I have done is as such:
>
> [Project Layout] (note: [] = folder)
>
> - src/main/resource
>   - jurassic.properties (A)
>   - application.properties (B) (Optional)
>   - [services]
>     - JurassicLogin-101.json (C)
>   - [templates]
>     - casLoginView.html (D)
>     - [jurassic]
>       - casLoginView.html (E)
>   - [statics]
>     - [themes]
>       - [jurassic]
>         - [css]
>           - cas.css (F)
>         - [js]
>           - cas.js (G)
>
>
> [What is inside each file]
>
> * jurassic.properties (A)
>
> # Note: even if you do not need css and js, you just want to place the
> # whole page with yours, you still need this
>
> standard.custom.css.file=/themes/jurassic/css/cas.css
>
> cas.javascript.file=/themes/jurassic/js/cas.js
>
> * application.properties (B)
>
> # Making a default theme is easy, just do this:
> cas.theme.defaultThemeName=jurassic
>
> # However, if you just want to change the default login layout, you can
> # just replace the normal login page casLoginView.html (D)
>
> * JurassicLogin-101.json (C)
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^https://dino.example.com",
>   "name" : "Jurassic Login",
>   "id" : 101,
>   "description" : " Jurassic Login Page.",
>   "evaluationOrder" : ,
>   "theme" : "jurassic"
> }
>
>  
>
> * casLoginView.html (D) (Normal Login Page)
>
> Your normal login, you can skip making this if you want the look of 
> CAS in normal login
>
> * casLoginView.html (E) (Login Page For the Dino)
>
> You are at Jurassic Theme Park!!
>
> In 5.2.0-RC3, these are the utmost necessary element in the html (You 
> can check and see if this is the case)
>
>  th:object="${credential}">
>
>  th:value="${flowExecutionKey}" />
>
>  type="submit"/>
>
> * cas.css (F)
>
> You can even just leave css blank, you do what you need
>
> * cas.js (G)
>
> You can even just leave js blank, you do what you want
>
>
> If you access your cas site using this:
> https://cas.sso.com/cas/login?service=https://dino.example.com
> The Jurassic theme should be triggered.
>
> Lastly, if you really cannot make the theme work on your version of CAS 
> 5, you can also use Thymeleaf tricks (although not so elegant): in your 
> normal login page (D), just add the following at the beginning of your 
> casLoginView.html:
>
> https://dino.example.com ')}">
> 
>
> 
>
> See if this helps you!
> -Andy
>
> On Tuesday, 19 September 2017 22:14:00 UTC+8, William Jojo wrote:
>>
>> As the title suggests, we are unable to make this work. Cannot figure out 
>> what 
>> might be causing custom templates to be ignored. CSS/JS theming works fine, 
>> but custom templates are needed to make structural changes. The log shows 
>> the service recognizing the theme name, but our fragments are not being 
>> absorbed. 
>>
>> Can anyone shed light on this? Followed the following to the letter:
>>
>>
>> https://apereo.github.io/cas/5.1.x/installation/User-Interface-Customization-Themes.html
>>
>>
>> Thank you!
>>
>



Re: [cas-user] A new CAS Adopter

2017-09-25 Thread David Curry
You might find this helpful; it's the step-by-step documentation I've been
building to record our development environment for posterity. It's not the
only way to do it, but if you're completely new to everything, it will at
least get you off the ground with something you can then start to
experiment with on your own.

https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html

It's still a work in progress, so not everything is there, but you're
welcome to what is.

To answer your specific questions:

1. Yes, you need the CAS server before you can "CAS-ify" an application.

2. The out-of-the-box CAS deployment will take care of Tomcat and SSL if
you want to run in an embedded container. If you want to run with an
external Tomcat instance, you have to do those things yourself. It's a
trade-off, there are pros and cons to both approaches. The link above uses
external Tomcat, so if you want all those steps, there they are.

3. The apps would normally reside somewhere other than the CAS server.
You'll want to treat the CAS server as a key component of your security
infrastructure, so it should be protected in much the same way as you
protect your LDAP servers, etc.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Mon, Sep 25, 2017 at 11:20 AM, Geordie Carroll <
interiortechnologyincorpora...@gmail.com> wrote:

> Hello!  I am in the process of implementing my very first CAS server.  I
> have not gotten very far in except to download the source and attempt to
> build it.  I asked this question elsewhere and figured I would kind of ask
> it here too!  In terms of building CAS this should be the first thing in
> production before the applications which will depend upon this service?  I
> have been visiting the various documentation sites and yet to wrap my head
> around this.  One of my major battles is fronting tomcat with apache over
> ajp and SSL!  I have a small of maybe at least 3 tomcat standalone servers
> which I want to do this with including the server.  My other part of this
> question is: do the apps reside on the same server as the CAS server or are
> separate servers recommended? in my situation, I have only one production
> server and now have a development environment I am building at this time!
>



[cas-user] A new CAS Adopter

2017-09-25 Thread Geordie Carroll
Hello!  I am in the process of implementing my very first CAS server.  I 
have not gotten very far in except to download the source and attempt to 
build it.  I asked this question elsewhere and figured I would kind of ask 
it here too!  In terms of building CAS this should be the first thing in 
production before the applications which will depend upon this service?  I 
have been visiting the various documentation sites and yet to wrap my head 
around this.  One of my major battles is fronting tomcat with apache over 
ajp and SSL!  I have a small of maybe at least 3 tomcat standalone servers 
which I want to do this with including the server.  My other part of this 
question is: do the apps reside on the same server as the CAS server or are 
separate servers recommended? in my situation, I have only one production 
server and now have a development environment I am building at this time!  
