[cas-user] Cas Oauth client with mfa

2018-04-25 Thread Sean Ieong
Is it possible to trigger MFA after authentication as an OAuth client?
I have tried a custom MFA trigger, but it does not run after authentication by 
an OAuth client.
Can anyone help?

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1a996781-36db-48f3-a746-61d0aa3266cb%40apereo.org.


Re: [cas-user] [SSO] Is it possible to make a service completely separated from other SSO services without require login every time (i.e. renew=true)

2018-04-25 Thread Andy Ng
Hi Ray,

Thank you for your response!

In the document 
https://apereo.github.io/cas/5.2.x/installation/Configuring-Service-Access-Strategy.html 
for ssoEnabled, I'm pretty sure it is just "renew=true". 
Which is what I describe above (Service A needs to log in the next time it 
arrives at CAS), not suitable in my case. 

However, I do think that if ssoEnabled is recommended, at least I should try it 
in an actual CAS server instead of only theorizing, to see if it is what I 
want or not.

Also, yes, I have read about the SSO Session Cookie, and also read some CAS source 
code regarding SSO too (although not line by line).

Thank you for helping me again.

- Andy

On Thursday, 26 April 2018 01:03:38 UTC+8, rbon wrote:
>
> Andy,
>
> Looks like you have already seen 
> https://apereo.github.io/cas/5.2.x/installation/Configuring-SSO-Session-Cookie.html.
> There is also ssoEnabled, 
> https://apereo.github.io/cas/5.2.x/installation/Configuring-Service-Access-Strategy.html.
>
> Ray
>
> On Wed, 2018-04-25 at 02:20 -0700, Andy Ng wrote:
>
> Hi all, 
>
> So I have done some research on this group and still haven't found others 
> with my use case, so I am asking for your help.
>
> Assume we have services A, B, C and D:
>
> B, C, D are normal SSO services: once any one of them authenticates 
> successfully, all of B, C and D will be logged in successfully.
>
> As for A, I want that even when B, C and D are authenticated, the user still 
> needs to authenticate once more before getting to A.
>
> At this point, theoretically all can be solved by "renew=true", and the 
> new createSsoCookieOnRenewAuthn = false on 5.3.0 
> (https://github.com/apereo/cas/blob/v5.3.0-RC3/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/core/sso/SsoProperties.java).
>
> However, the tricky part is that the next time the user goes back to 
> service A, I want the user to not need to authenticate again.
>
> So it is basically like Service A is using another, completely separate 
> CAS server, without actually using a separate CAS server (I don't want to 
> make another server just for this).
>
> One more requirement would be to single logout all of A, B, C and D, but I 
> know how to do that so no advice is needed there.
>
>
> Any advice would be appreciated, Thanks!
>
> -Andy
>
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
>



Re: [cas-user] CAS5 - High thread counts

2018-04-25 Thread Man H
see
https://groups.google.com/a/apereo.org/d/msgid/cas-user/63fc6bc3-31f9-46a6-8d14-a8f14d3a329c%40apereo.org?utm_medium=email&utm_source=footer


2018-04-25 16:11 GMT-03:00 Oscar Ruiz :

> Hi Ray,
>
> Thank you for your suggestion. We disabled EhCache in the dev environment
> and saw no improvement. We did notice that a new thread is spawned every
> time a login session is generated and the number of sleeping threads
> increases.
>
> Next step, we're going to deploy default CAS and see if we can replicate
> this issue.
>
>
>
> On Wednesday, April 25, 2018 at 12:15:10 PM UTC-5, rbon wrote:
>>
>> Oscar,
>>
>> We had similar difficulties with EhCache.
>> EhCache expiration is actually the frequency with which the cache is
>> reviewed. The entire cache is processed (which can be large on a busy
>> site). With a distributed cache, the one currently processing is sending
>> updates to its peers. This gets compounded because each peer will perform
>> the same task (usually slightly offset since servers do not start at the
>> exact same time).
>> We have been happy with hazelcast.
>>
>> Ray
>>
>> On Wed, 2018-04-25 at 08:44 -0700, Oscar Ruiz wrote:
>>
>> Hi,
>>
>> We noticed that our CAS5 installation is running out of memory because of
>> a high number of threads that are running on our server, which results in it
>> being unable to process new requests. Has anyone experienced this before?
>>
>> Here's our setup
>>
>> CAS5 - 5.1.6
>> Tomcat - 8.5.16 (We're currently trying 8.0.51 in our dev environment)
>> Java - 1.8.0_131
>> EHCache enabled for ticket registry (60s expiration in dev environment
>> for testing)
>> DB Service Registry
>>
>>
>> Thanks for any help.
>>
>> --
>> Ray Bon
>> Programmer analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | rb...@uvic.ca
>>



Re: [cas-user] CAS5 - High thread counts

2018-04-25 Thread Oscar Ruiz
Hi Ray,

Thank you for your suggestion. We disabled EhCache in the dev environment 
and saw no improvement. We did notice that a new thread is spawned every 
time a login session is generated and the number of sleeping threads 
increases.

Next step, we're going to deploy default CAS and see if we can replicate 
this issue.



On Wednesday, April 25, 2018 at 12:15:10 PM UTC-5, rbon wrote:
>
> Oscar,
>
> We had similar difficulties with EhCache.
> EhCache expiration is actually the frequency with which the cache is 
> reviewed. The entire cache is processed (which can be large on a busy 
> site). With a distributed cache, the one currently processing is sending 
> updates to its peers. This gets compounded because each peer will perform 
> the same task (usually slightly offset since servers do not start at the 
> exact same time).
> We have been happy with hazelcast.
>
> Ray
>
> On Wed, 2018-04-25 at 08:44 -0700, Oscar Ruiz wrote:
>
> Hi, 
>
> We noticed that our CAS5 installation is running out of memory because of 
> a high number of threads that are running on our server, which results in it 
> being unable to process new requests. Has anyone experienced this before?
>
> Here's our setup
>
> CAS5 - 5.1.6
> Tomcat - 8.5.16 (We're currently trying 8.0.51 in our dev environment)
> Java - 1.8.0_131
> EHCache enabled for ticket registry (60s expiration in dev environment for 
> testing)
> DB Service Registry
>
>
> Thanks for any help.
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
>
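Oscar's observation above (a new thread per login session, sleeping threads piling up) is the kind of thing a thread dump settles quickly. The following is an added example, not code from this thread or from CAS: it parses jstack-style output, groups threads by Java state and by name family (instance numbers collapsed), and reports which families grew between two dumps taken a few minutes apart. The two dumps embedded in it are constructed samples; the thread names, tids and nids are made up.

```python
"""Group the threads in a jstack-style dump by state and by name family.

Added example, not code from the thread. The dumps below are constructed to look
like `jstack <pid>` output: a few Tomcat workers, a GC thread (which jstack lists
without a java.lang.Thread.State line) and a pool whose members keep growing.
"""
import re
from collections import Counter

HEADER_RE = re.compile(r'^"(?P<name>[^"]+)"')
STATE_RE = re.compile(r'^\s+java\.lang\.Thread\.State:\s+(?P<state>[A-Z_]+)')


def _thread(name, num, state_line):
    """Build one constructed jstack entry (hypothetical tid/nid values)."""
    header = f'"{name}" #{num} daemon prio=5 os_prio=0 tid=0x{num:016x} nid=0x{num:x} waiting on condition'
    return header + ("\n   java.lang.Thread.State: " + state_line if state_line else "")


# Constructed "before" dump: two HTTP workers, two pool threads, one GC thread.
DUMP_BEFORE = "\n".join([
    _thread("http-nio-8443-exec-1", 25, "WAITING (parking)"),
    _thread("http-nio-8443-exec-2", 26, "WAITING (parking)"),
    _thread("pool-7-thread-1", 31, "TIMED_WAITING (sleeping)"),
    _thread("pool-7-thread-2", 32, "TIMED_WAITING (sleeping)"),
    '"GC task thread#0 (ParallelGC)" os_prio=0 tid=0x00007f0000001000 nid=0x1a0 runnable',
])

# Constructed "after" dump taken later: only the pool family has grown.
DUMP_AFTER = DUMP_BEFORE + "\n" + "\n".join([
    _thread("pool-7-thread-3", 33, "TIMED_WAITING (sleeping)"),
    _thread("pool-7-thread-4", 34, "TIMED_WAITING (sleeping)"),
])


def parse_threads(dump):
    """Return [(name, state)]; a header with no Thread.State line gets 'UNKNOWN'."""
    threads = []
    pending = None
    for line in dump.splitlines():
        header = HEADER_RE.match(line)
        if header:
            if pending is not None:
                threads.append((pending, "UNKNOWN"))
            pending = header.group("name")
            continue
        state = STATE_RE.match(line)
        if state and pending is not None:
            threads.append((pending, state.group("state")))
            pending = None
    if pending is not None:
        threads.append((pending, "UNKNOWN"))
    return threads


def family(name):
    """Collapse instance numbers so pool-7-thread-1 and pool-7-thread-2 count together."""
    return re.sub(r"\d+", "N", name)


def summarize(dump):
    """Totals by Java thread state and by name family."""
    threads = parse_threads(dump)
    return {
        "total": len(threads),
        "by_state": Counter(state for _, state in threads),
        "by_family": Counter(family(name) for name, _ in threads),
    }


def growth(before, after):
    """Name families whose member count rose between two dumps, largest increase first."""
    b = summarize(before)["by_family"]
    a = summarize(after)["by_family"]
    deltas = {fam: a[fam] - b.get(fam, 0) for fam in a if a[fam] > b.get(fam, 0)}
    return sorted(deltas.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for fam, delta in growth(DUMP_BEFORE, DUMP_AFTER):
        print(f"{fam}: +{delta}")
```

Run it against two real dumps (`jstack <pid> > before.txt`, log in a few times, dump again) and the family that tracks the number of logins is the one to look at; a family that only ever grows while its members sit in TIMED_WAITING is the usual signature of a per-session scheduler or cache thread that is never shut down.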



Re: [cas-user] CAS5 - High thread counts

2018-04-25 Thread Ray Bon
Oscar,

We had similar difficulties with EhCache.
EhCache expiration is actually the frequency with which the cache is reviewed. 
The entire cache is processed (which can be large on a busy site). With a 
distributed cache, the one currently processing is sending updates to its 
peers. This gets compounded because each peer will perform the same task 
(usually slightly offset since servers do not start at the exact same time).
We have been happy with hazelcast.

Ray

On Wed, 2018-04-25 at 08:44 -0700, Oscar Ruiz wrote:
Hi,

We noticed that our CAS5 installation is running out of memory because of a 
high number of threads that are running on our server, which results in it 
being unable to process new requests. Has anyone experienced this before?

Here's our setup

CAS5 - 5.1.6
Tomcat - 8.5.16 (We're currently trying 8.0.51 in our dev environment)
Java - 1.8.0_131
EHCache enabled for ticket registry (60s expiration in dev environment for 
testing)
DB Service Registry


Thanks for any help.

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca



Re: [cas-user] [SSO] Is it possible to make a service completely separated from other SSO services without require login every time (i.e. renew=true)

2018-04-25 Thread Ray Bon
Andy,

Looks like you have already seen 
https://apereo.github.io/cas/5.2.x/installation/Configuring-SSO-Session-Cookie.html.
There is also ssoEnabled, 
https://apereo.github.io/cas/5.2.x/installation/Configuring-Service-Access-Strategy.html.

Ray

On Wed, 2018-04-25 at 02:20 -0700, Andy Ng wrote:
Hi all,

So I have done some research on this group and still haven't found others with my 
use case, so I am asking for your help.

Assume we have services A, B, C and D:

B, C, D are normal SSO services: once any one of them authenticates successfully, 
all of B, C and D will be logged in successfully.

As for A, I want that even when B, C and D are authenticated, the user still needs to 
authenticate once more before getting to A.

At this point, theoretically all can be solved by "renew=true", and the new 
createSsoCookieOnRenewAuthn = false on 5.3.0 
(https://github.com/apereo/cas/blob/v5.3.0-RC3/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/core/sso/SsoProperties.java).

However, the tricky part is that the next time the user goes back to service A, I 
want the user to not need to authenticate again.

So it is basically like Service A is using another, completely separate CAS 
server, without actually using a separate CAS server (I don't want to make 
another server just for this).

One more requirement would be to single logout all of A, B, C and D, but I know how to do 
that so no advice is needed there.


Any advice would be appreciated, Thanks!

-Andy



--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca



[cas-user] CAS5 - High thread counts

2018-04-25 Thread Oscar Ruiz
Hi,

We noticed that our CAS5 installation is running out of memory because of a 
high number of threads that are running on our server, which results in it 
being unable to process new requests. Has anyone experienced this before?

Here's our setup

CAS5 - 5.1.6
Tomcat - 8.5.16 (We're currently trying 8.0.51 in our dev environment)
Java - 1.8.0_131
EHCache enabled for ticket registry (60s expiration in dev environment for 
testing)
DB Service Registry


Thanks for any help.



[cas-user] Re: CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-25 Thread Viacheslav Babanin
Thanks everybody for the replies.
I have solved my problem.
I looked at tcpdump on the CAS server to see what happens when I issue a 
logout, and I saw that it sends the logout request to some strange IP 
address on port 443, which was blocked on this address.
Upon further investigation I figured out that it was a proxy problem, and I 
opened /etc/profile.d/proxy.sh and changed port 443 to the port which our proxy 
uses.


On Monday, 23 April 2018 at 16:05:20 UTC+2, Viacheslav Babanin wrote:
>
> Hello, I have encountered an issue with SSO for SAML 1.1 clients with CAS 5.2.
>
> I am a rather new CAS user and probably I am missing something obvious.
>
> I am using the following phpCAS client:
>
> <?php
> require_once 'phpcas/source/CAS.php';
> // Enable debugging
> phpCAS::setDebug('phpCAS.log');
> // Enable verbose error messages. Disable in production!
> phpCAS::setVerbose(true);
> // Initialize phpCAS
> $cas_host = 'cas-1.uek.krakow.pl';
> // Context of the CAS Server
> $cas_context = '/cas';
> // Port of your CAS server. Normally for a https server it's 443
> $cas_port = 443;
> phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context);
> // For production use set the CA certificate that is the issuer of the cert
> // on the CAS server and uncomment the line below
> // phpCAS::setCasServerCACert($cas_server_ca_cert_path);
> // For quick testing you can disable SSL validation of the CAS server.
> // THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
> // VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL!
> phpCAS::setNoCasServerValidation();
> // Only accept single logout requests from the real CAS host(s)
> $cas_real_hosts = array('cas-1.uek.krakow.pl');
> phpCAS::handleLogoutRequests(true, $cas_real_hosts);
> // force CAS authentication
> phpCAS::forceAuthentication();
> // at this step, the user has been authenticated by the CAS server
> // and the user's login name can be read with phpCAS::getUser().
> // logout if desired
> if (isset($_REQUEST['logout'])) {
>     phpCAS::logout();
> }
> ?>
> <html>
>   <head>
>     <title>Advanced SAML 1.1 example</title>
>   </head>
>   <body>
>     <h1>Advanced SAML 1.1 example</h1>
>     <p>Authentication succeeded for user
>       <strong><?php echo phpCAS::getUser(); ?></strong>.</p>
>     <p>User has attributes
>       <strong><?php if (phpCAS::hasAttributes()) {
>           echo 'true';
>       } else {
>           echo 'false';
>       } ?></strong>.</p>
>     <h2>User Attributes</h2>
>     <ul>
>     <?php foreach (phpCAS::getAttributes() as $key => $value) {
>         if (is_array($value)) {
>             echo '<li>', $key, ':<ol>';
>             foreach ($value as $item) {
>                 echo '<li><strong>', $item, '</strong></li>';
>             }
>             echo '</ol></li>';
>         } else {
>             echo '<li>', $key, ': <strong>', $value, '</strong></li>' . PHP_EOL;
>         }
>     } ?>
>     </ul>
>     <p><a href="?logout=">Logout</a></p>
>   </body>
> </html>
>
>
> Single sign-in works as expected. If I have several CAS clients, when I 
> log in to one of them, I am authenticated in all of them, as expected.
>
> But single logout completely doesn't work for me. When I log out using the CAS 
> logout endpoint "{cas-server}/cas/logout" I receive a message that I am 
> logged out from CAS, and I can see in the SSO manager that the CAS session is 
> terminated.
> But all application sessions are still alive; I am allowed not only to 
> navigate client pages but also to close/open tabs, and I am still logged in.
>
> I have tried to configure the service for the client application with both 
> "BACK_CHANNEL" and "FRONT_CHANNEL" logoutType, with no luck.
>
> 1. If I use BACK_CHANNEL.
>
> That's how the service definition looks:
>
> {
>   "@class" : "org.jasig.cas.services.RegexRegisteredService",
>   "serviceId" : "https://cas-client.ssl.stub/",
>   "name" : "example_simple_citest",
>   "id" : 7,
>   "logoutType" : "BACK_CHANNEL",
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>     "allowedAttributes" : {
>       "@class" : "java.util.TreeMap",
>       "uid" : "user_id",
>       "sn" : "surname"
>     }
>   }
> }
>
>
> When I log out using the "{cas-server}/cas/logout" endpoint, the CAS server log 
> looks like this: back.txt (see attachment)
>
> phpCAS.log doesn't log anything in this case. And the application session 
> still lives until I close the browser.
>
> 2. If I use FRONT_CHANNEL.
>
> That's how the service definition looks:
>
> {
>   "@class" : "org.jasig.cas.services.RegexRegisteredService",
>   "serviceId" : "https://cas-client.ssl.stub/",
>   "name" : "example_simple_citest",
>   "id" : 7,
>   "logoutType" : "FRONT_CHANNEL",
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>     "allowedAttributes" : {
>       "@class" : "java.util.TreeMap",
>       "uid" : "user_id",
>       "sn" : "surname"
>     }
>   }
> }
>
> When I log out using the "{cas-server}/cas/logout" endpoint, the CAS server log 
> looks like this: front.txt (see attachment)
>
> And I see the following message upon logout on the endpoint page:
>
>
> 
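The single logout exchange Viacheslav is debugging above, as an added example that is not part of phpCAS or CAS: CAS delivers back-channel SLO as an HTTP POST whose logoutRequest form field carries a SAML LogoutRequest, and the SessionIndex inside it is the service ticket the client validated at login, so the client has to remember which local session that ticket created. The receiver below does what phpCAS::handleLogoutRequests(true, $cas_real_hosts) does in phpCAS: it rejects posts from hosts outside the allowed list, caps the body size before parsing it (the denial-of-service concern the phpCAS documentation quoted later in this thread raises), parses the request and destroys the matching session. The LogoutRequest, hostnames and ticket values are constructed; the hostname check assumes the caller has already turned the requesting IP address into a name, as phpCAS does with gethostbyaddr().

```python
"""Back-channel single logout receiver in the style of phpCAS::handleLogoutRequests().

Added example, not phpCAS or CAS code. The sample request is constructed, not a
capture; CAS's real message has the same shape (samlp:LogoutRequest with a
saml:NameID of @NOT_USED@ and the service ticket in samlp:SessionIndex).
"""
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_LOGOUT_REQUEST_LEN = 64 * 1024  # refuse oversized XML before handing it to the parser

SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-EXAMPLE-1" Version="2.0" IssueInstant="2018-04-25T09:32:57Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-27-EXAMPLE-cas-1</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)


class SessionStore:
    """Local application sessions keyed by session id, plus the ticket -> session map."""

    def __init__(self):
        self.sessions = {}            # session_id -> user name
        self.ticket_to_session = {}   # service ticket -> session_id

    def login(self, session_id, user, service_ticket):
        """Record a validated login; call this right after ticket validation succeeds."""
        self.sessions[session_id] = user
        self.ticket_to_session[service_ticket] = session_id

    def destroy_by_ticket(self, service_ticket):
        """Drop the session bound to the ticket; True if one existed."""
        session_id = self.ticket_to_session.pop(service_ticket, None)
        if session_id is None:
            return False
        self.sessions.pop(session_id, None)
        return True


def parse_logout_request(xml_text):
    """Return the SessionIndex of a samlp:LogoutRequest, or raise ValueError."""
    if len(xml_text) > MAX_LOGOUT_REQUEST_LEN:
        raise ValueError("logout request too large")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    index = root.findtext(f"{{{SAMLP_NS}}}SessionIndex")
    if not index or not index.strip():
        raise ValueError("LogoutRequest carries no SessionIndex")
    return index.strip()


def handle_logout_post(store, remote_host, form, allowed_hosts):
    """Process one POST; returns the (http_status, reason) the endpoint would answer with.

    remote_host is the already-resolved name of the requester (hypothetical input);
    allowed_hosts is the list of CAS hosts permitted to send logout requests.
    """
    if allowed_hosts and remote_host not in allowed_hosts:
        return 403, "logout request from unauthorized host"
    body = form.get("logoutRequest")
    if not body:
        return 400, "not a logout request"
    try:
        ticket = parse_logout_request(body)
    except (ET.ParseError, ValueError) as exc:
        return 400, f"malformed logout request: {exc}"
    if store.destroy_by_ticket(ticket):
        return 200, "session terminated"
    return 200, "no live session for that ticket"  # already gone: still a success for CAS


if __name__ == "__main__":
    store = SessionStore()
    store.login("sess-1", "babanin", "ST-27-EXAMPLE-cas-1")
    print(handle_logout_post(store, "cas-1.example.test",
                             {"logoutRequest": SAMPLE_LOGOUT_REQUEST}, ["cas-1.example.test"]))
```

The useful diagnostic property of this layout is that every outcome is an HTTP status the CAS server's back-channel client will log: a 403 in the web server's access.log means the host check is what is dropping the request, a 400 means the body arrived but did not parse, and no entry at all (Viacheslav's case) means the request never reached the client, which points at the network path or a proxy rather than at phpCAS.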

[cas-user] [SSO] Is it possible to make a service completely separated from other SSO services without require login every time (i.e. renew=true)

2018-04-25 Thread Andy Ng
Hi all,

So I have done some research on this group and still haven't found others 
with my use case, so I am asking for your help.

Assume we have services A, B, C and D:

B, C, D are normal SSO services: once any one of them authenticates successfully, 
all of B, C and D will be logged in successfully.

As for A, I want that even when B, C and D are authenticated, the user still needs to 
authenticate once more before getting to A.

At this point, theoretically all can be solved by "renew=true", and the 
new createSsoCookieOnRenewAuthn = false on 5.3.0 
(https://github.com/apereo/cas/blob/v5.3.0-RC3/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/core/sso/SsoProperties.java).

However, the tricky part is that the next time the user goes back to service A, 
I want the user to not need to authenticate again.

So it is basically like Service A is using another, completely separate CAS 
server, without actually using a separate CAS server (I don't want to make 
another server just for this).

One more requirement would be to single logout all of A, B, C and D, but I know how to 
do that so no advice is needed there.


Any advice would be appreciated, Thanks!

-Andy




[cas-user] Re: "FileNotFoundException" while Verifying Ticket. I don't get it!

2018-04-25 Thread Gena Batalski
Hello, if I remember correctly, this was a problem with the MIME type. 

You need to override CASFilter.getTicketValidator() and add the following 
extended URL connection factory:

import java.net.HttpURLConnection;
import java.net.URLConnection;

import org.jasig.cas.client.proxy.Cas20ProxyRetriever;
import org.jasig.cas.client.ssl.HttpURLConnectionFactory;
import org.jasig.cas.client.ssl.HttpsURLConnectionFactory;

// inside the overridden getTicketValidator(): cas30ProxyTicketValidator is the
// validator being built there and serverUrl is the CAS server URL prefix

// we need our own connection factory enriching the connection with an
// "Accept: application/xml" header
HttpURLConnectionFactory urlConnectionFactory = new XmlTypedURLConnectionFactory();
cas30ProxyTicketValidator.setURLConnectionFactory(urlConnectionFactory);

// also replace the url connection factory used by the proxy retriever
cas30ProxyTicketValidator.setProxyRetriever(
        new Cas20ProxyRetriever(serverUrl, null, urlConnectionFactory));

/**
 * Enriches the default {@link HttpsURLConnectionFactory}
 * by adding the "Accept: application/xml" header to the {@link URLConnection}
 */
private static class XmlTypedURLConnectionFactory implements HttpURLConnectionFactory {
    private final HttpURLConnectionFactory delegate = new HttpsURLConnectionFactory();

    @Override
    public HttpURLConnection buildHttpURLConnection(URLConnection url) {
        url.setRequestProperty("Accept", "application/xml");
        return delegate.buildHttpURLConnection(url);
    }
}

Good luck!

Regards, Gena


On Friday, February 12, 2016 at 3:33:20 PM UTC+1, Klaus wrote:
>
> We recently upgraded one of our application servers, which formerly worked 
> perfectly together with our CAS server. Now, after we upgraded that Tomcat 
> server, it's impossible to log into the webapp on this server using CAS 
> anymore. The login form from the CAS server still appears, but after 
> entering the credentials and submitting the form there's only a blank, 
> white screen. 
>
> CAS itself still works fine with other applications and servers in our 
> network. 
>
> When I log in to the webapp on the upgraded server, I see from the CAS 
> server's logs that these steps are successful:
>
>
> ACTION: AUTHENTICATION_SUCCESS
> ...
> ACTION: TICKET_GRANTING_TICKET_CREATED
> ...
> ACTION: SERVICE_TICKET_CREATED
> ...
> But there is no more Message about Ticket Validation in the Logs of the 
> CAS Server.
>
> In the Logs of the App server on the other Hand I can see this:
>
> 14:24:38,828 ERROR [ajp-bio-8309-exec-1][CommonUtils:206] 
> https://www.my-company.de/cas/proxyValidate?&redirectAfterValidation=false&ticket=ST-12-FBwM6LOcDwVDdbmaB7po-www.my-company.de&service=https%3A%2F%2Fwww,my-company.de%2Fc%2Fportal%2Flogin%3Fp_l_id%3D12036&casServerUrlPrefix=https://www.my-company.de/cas&serverName=https://www.my-company.de&casServerLoginUrl=https://www.my-company.de/cas/login
> java.io.FileNotFoundException: 
> https://www.my-company.de/cas/proxyValidate?&redirectAfterValidation=false&ticket=ST-12-FBwM6LOcDwVDdbmaB7po-www.my-company.de&service=https%3A%2F%2Fwww.my-company.de%2Fc%2Fportal%2Flogin%3Fp_l_id%3D12036&casServerUrlPrefix=https://www.my-company.de/cas&serverName=https://www.my-company.de&casServerLoginUrl=https://www.my-company.de/cas/login
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1624)
> at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
> at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:281)
> at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:33)
> at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
> at com.liferay.portal.servlet.filters.sso.cas.CASFilter.processFilter(CASFilter.java:194)
> at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59)
>
> I can't imagine where a FileNotFoundException may come from in the context 
> of validating a CAS ticket. Any hints about what may cause this error and 
> prevents me from logging in to my web app with CAS?
>
>
>
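Gena's fix adds an Accept: application/xml header to the validation request. As an added example that is neither Liferay's nor the Java CAS client's code, here is the same ticket validation done in Python with the HTTP status kept visible: the JDK's HttpURLConnection reports a 404 or 410 from the validation endpoint as the FileNotFoundException in Klaus's log, which hides the status code, whereas this version returns it as a failure code. It also parses the CAS 3.0 serviceResponse, including multi-valued attributes. The two responses and all hostnames are constructed placeholders; p3/serviceValidate is the CAS 3.0 validation endpoint.

```python
"""Validate a CAS service ticket with the HTTP status kept visible.

Added example, not Liferay's or the Java CAS client's code. The two responses
below are constructed samples of a CAS 3.0 serviceResponse; hostnames are
placeholders.
"""
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"

SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>klaus</cas:user>
    <cas:attributes>
      <cas:mail>klaus@example.test</cas:mail>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>admins</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket 'ST-1' not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def _cas(tag):
    """Clark-notation name for an element in the CAS namespace."""
    return f"{{{CAS_NS}}}{tag}"


def parse_validation_response(xml_text):
    """Turn a serviceResponse into a dict; multi-valued attributes become lists."""
    root = ET.fromstring(xml_text)
    if root.tag != _cas("serviceResponse"):
        raise ValueError("not a CAS serviceResponse document")
    success = root.find(_cas("authenticationSuccess"))
    if success is not None:
        attributes = {}
        attrs = success.find(_cas("attributes"))
        if attrs is not None:
            for child in attrs:
                local = child.tag.split("}", 1)[-1]
                attributes.setdefault(local, []).append((child.text or "").strip())
        return {"success": True, "user": success.findtext(_cas("user")), "attributes": attributes}
    failure = root.find(_cas("authenticationFailure"))
    if failure is not None:
        return {"success": False, "code": failure.get("code"), "message": (failure.text or "").strip()}
    raise ValueError("serviceResponse has neither success nor failure element")


def build_validation_url(cas_prefix, ticket, service, endpoint="p3/serviceValidate"):
    """CAS 3.0 validation URL; `service` must match what was sent to /login exactly."""
    query = urllib.parse.urlencode({"ticket": ticket, "service": service})
    return f"{cas_prefix.rstrip('/')}/{endpoint}?{query}"


def validate_ticket(cas_prefix, ticket, service, timeout=10):
    """Call the validation endpoint with Accept: application/xml.

    HTTP errors come back as a failure dict carrying the status code instead of
    being raised, so a 404 from a misrouted validation URL is not mistaken for a
    protocol-level failure (Java's HttpURLConnection reports a 404 as
    FileNotFoundException, which is what Klaus's stack trace shows).
    """
    url = build_validation_url(cas_prefix, ticket, service)
    request = urllib.request.Request(url, headers={"Accept": "application/xml"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return parse_validation_response(response.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        return {"success": False, "code": f"HTTP_{exc.code}", "message": f"{url} answered {exc.code}"}


if __name__ == "__main__":
    print(parse_validation_response(SAMPLE_SUCCESS))
    print(parse_validation_response(SAMPLE_FAILURE))
```

When a client reports a validation failure, the first thing worth logging is the status code and the exact URL that was called; in Klaus's trace the URL reveals the service parameter was sent as https://www,my-company.de (comma, not dot) in the first line, which is the kind of mismatch that is invisible once the exception has been reduced to "file not found".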



Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-25 Thread Viacheslav Babanin
I have checked the Apache access.log on the web server where the client is placed, and 
there are no POST requests on logout. 0 messages or requests completely. 
That's while logging out with my CAS 5.2.3.
I have checked the same log when I issue logout from CAS 4.1.9, where SLO works 
on the same client, and I can see the POST request in access.log correctly.

On Tuesday, 24 April 2018 at 18:42:19 UTC+2, rbon wrote:
>
> Check your Apache access.log to see if the request is getting through.
> I see this when CAS sends logout request:
>
> 2018-04-24T09:32:57.816-07:00 lo...@z.comp.uvic.ca  
> local2.notice httpd[2310]: access: coursespaces2d.uvic.ca: 
> 111.104.118.193 - - [24/Apr/2018:09:32:57 -0700] "POST /login/logout.php 
> HTTP/1.1" 200 26 "-" "Apache-HttpClient/4.5.3 (Java/1.8.0_121)" "__utma=-; 
> __utmb=-; __utmc=-; __utmk=-; __utmx=-; __utmz=-;"
>
> Ray
>
>
> On Tue, 2018-04-24 at 03:27 -0700, Viacheslav Babanin wrote:
>
> It seems like I have a problem with CAS 5.2.3 and SAML logout requests. 
> Single logout doesn't work, and from the logs it seems like CAS constructs 
> the SAML logout request but does not actually send it. I am using the example phpCAS 
> client from the docs, and when I go to the ${cas-server}/cas/logout endpoint 
> there is nothing in the phpCAS logs. If I use THE SAME client, only changing the 
> CAS endpoint and protocol, with CAS 4.1.9 (not configured by me, but I have 
> administrator access to it) everything works great and phpCAS actually gets the 
> logout request and correctly processes it. What should I look into? Please 
> help.
>
> On Monday, 23 April 2018 at 18:35:17 UTC+2, rbon wrote: 
>
> Viacheslav,
>
> You will want to have handleLogoutRequests(true) so that logout is 
> handled. While testing, skip the CAS server array, just in case the network 
> config changes the apparent source of the request.
>
> Put this in your CAS log4j2.xml to see what happens on the CAS side of things:
>
> 
> 
> 
>  level="debug">
> 
>  onMismatch="NEUTRAL" />
>  onMismatch="DENY" />
> 
> 
> 
> <Logger name="org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder" level="debug" />
> <Logger name="org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler" level="debug" />
> <Logger name="org.apereo.cas.logout.SamlCompliantLogoutMessageCreator" level="debug" />
>
> Ray
>
> On Mon, 2018-04-23 at 07:41 -0700, Viacheslav Babanin wrote:
>
> That's how phpCAS.log looks if I provide it with 
> phpCAS::handleLogoutRequests(false); 
>
> DA64 .=> phpCAS::client('S1', 'cas-1.server.test.pl', 443, '/cas') 
> [index.php:13]
> DA64 .|=> CAS_Client::__construct('S1', false, 'cas-1.server.test.pl', 
> 443, '/cas', true) [CAS.php:360]
> DA64 .||Starting a new session 
> ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1 [Client.php:932]
> DA64 .||Session is authenticated as: babanin [Client.php:936]
> DA64 .|<= ''
> DA64 .<= ''
> DA64 .=> phpCAS::setNoCasServerValidation() [index.php:20]
> DA64 .|You have configured no validation of the legitimacy of the cas 
> server. This is not recommended for production use. [CAS.php:1644]
> DA64 .<= ''
> DA64 .=> CAS_Client::handleLogoutRequests(false, false) [CAS.php:1276]
> DA64 .|Not a logout request [Client.php:1739]
> DA64 .<= ''
> DA64 .=> phpCAS::forceAuthentication() [index.php:27]
> DA64 .|=> CAS_Client::forceAuthentication() [CAS.php:1098]
> DA64 .||=> CAS_Client::isAuthenticated() [Client.php:1280]
> DA64 .|||=> CAS_Client::_wasPreviouslyAuthenticated() 
> [Client.php:1393]
> DA64 .||||user = `babanin' [Client.php:1622]
> DA64 .|||<= true
> DA64 .|||user was already authenticated, no need to look for 
> tickets [Client.php:1417]
> DA64 .||<= true
> DA64 .||no need to authenticate [Client.php:1282]
> DA64 .|<= true
> DA64 .<= ''
>
>
> On Monday, 23 April 2018 at 16:33:09 UTC+2, Viacheslav Babanin wrote: 
>
> Could you elaborate, please? 
>
> Quoting official documentation at 
> https://wiki.jasig.org/display/casc/phpcas+examples
>
> "By default phpCAS by default only handles requests that emanate from the 
> CAS host exclusively (declared in phpCAS::client() or phpCAS::proxy()). 
> Failure to restrict SAML logout requests to authorized hosts could allow 
> denial of service attacks where at the least the server is tied up parsing 
> bogus XML messages.
>
> To disable access control on logout requests, use: 
>
> phpCAS::handleLogoutRequests(false);
>
> The hosts allowed to send logout requests can also be passed in an array 
> which might be useful in with clustered cas servers:
>
> phpCAS::handleLogoutRequests(true, array("server1.domain.edu", 
> "server2.domain.edu"));
>
>
> "
>
> As I understand, it should be enough either to use 
> phpCAS::handleLogoutRequests(false); 
> (which I tried and it seems like