[cas-user] Deadlocks and Uncommited Transaction

2018-10-05 Thread Trevor Fong
Hi There, 

We've been trying out CAS 5.2.4 in a clustered environment with the ticket 
registry in an Oracle 12c database.  We've been seeing tons of persistent 
deadlock errors after a load test - you kill one locker and another 
deadlock springs up.
Our DBA tells us that deadlocks were seen against the tables LOCKS, 
SERVICETICKET and TICKETGRANTINGTICKET.
Checking the catalina.out log, we see tons of messages like this:

2018-10-04 22:45:06,347 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] - 
2018-10-04 22:45:06,347 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] - 
2018-10-04 22:45:06,347 ERROR [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - 

javax.persistence.PersistenceException: org.hibernate.exception.LockAcquisitionException: could not execute statement
at org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:149) ~[hibernate-core-5.2.13.Final.jar:5.2.13.Final]
at org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:157) ~[hibernate-core-5.2.13.Final.jar:5.2.13.Final]
at org.hibernate.query.internal.AbstractProducedQuery.executeUpdate(AbstractProducedQuery.java:1514) ~[hibernate-core-5.2.13.Final.jar:5.2.13.Final]
at org.apereo.cas.ticket.registry.JpaTicketRegistry.deleteTicketGrantingTickets(JpaTicketRegistry.java:177) ~[cas-server-support-jpa-ticket-registry-5.2.4.jar:5.2.4]
at org.apereo.cas.ticket.registry.JpaTicketRegistry.deleteSingleTicket(JpaTicketRegistry.java:145) ~[cas-server-support-jpa-ticket-registry-5.2.4.jar:5.2.4]
at org.apereo.cas.ticket.registry.AbstractTicketRegistry.deleteTicket(AbstractTicketRegistry.java:126) ~[cas-server-core-tickets-5.2.4.jar:5.2.4]
at org.apereo.cas.ticket.registry.AbstractTicketRegistry$$FastClassBySpringCGLIB$$d3c67a11.invoke() ~[cas-server-core-tickets-5.2.4.jar:5.2.4]
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:669) ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at org.apereo.cas.ticket.registry.JpaTicketRegistry$$EnhancerBySpringCGLIB$$45967896.deleteTicket() ~[cas-server-support-jpa-ticket-registry-5.2.4.jar:5.2.4]
at sun.reflect.GeneratedMethodAccessor351.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_172]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_172]
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333) ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190) ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133) ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:121) ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213) ~[spring-aop-4.3.16.RELEASE.jar:4.3.16.RELEASE]
at com.sun.proxy.$Proxy104.deleteTicket(Unknown Source) ~[?:?]
at org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner.cleanTicket(DefaultTicketRegistryCleaner.java:78) ~[cas-server-core-tickets-5.2.4.jar:5.2.4]
at java.util.stream.ReferencePipeline$4$1.accept(ReferencePipeline.java:210) ~[?:1.8.0_172]
at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:175) ~[?:1.8.0_172]
at java.util.Iterator.forEachRemaining(Iterator.java:116) ~[?:1.8.0_172]
at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801) ~[?:1.8.0_172]
at java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:580) ~[?:1.8.0_172]
at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:270) ~[?:1.8.0_172]
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_172]
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_172]
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1382) ~[?:1.8.0_172]
at

[cas-user] CAS 5.3 Management JPA Service Registry Oracle, column too long?

2018-10-05 Thread Yan Zhou
Hello!

We run CAS 5.3 Management with the JPA service registry; the tables are on 
Oracle, and the management app is failing because some of the columns have 
long names that do not work for Oracle. 

Is this something we can change in CAS 5.3 Management?

Thx!
Yan

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d41fe623-b66a-48a5-a9a9-fedb66b0b974%40apereo.org.


[cas-user] CAS 5.2.6 - Delegated Authentication against Azure AD (SAML) - How to map the attributes into cas client

2018-10-05 Thread Raghavan TV

Hi all

We were able to successfully integrate CAS 5.2.6 in delegated 
authentication mode against Azure AD as a SAML IdP.

Post-integration, the CAS server response looks as follows (element tags 
were lost in extraction; attribute values and text content only):

Azure SAML Response

Response: Destination="https://somedomain.cloudapp.azure.com:8443/cas/login?client_name=MY_SAML"
ID="_6a00b756-53f4-4702-b329-7a6af0145fa0" 
InResponseTo="_d5nkosrzkcj29rlldngsuozq3uwtb5znanfm616"
IssueInstant="2018-10-04T13:22:05.275Z" Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Issuer: https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/
Signature: CanonicalizationMethod http://www.w3.org/2001/10/xml-exc-c14n#,
SignatureMethod http://www.w3.org/2001/04/xmldsig-more#rsa-sha256,
Transforms http://www.w3.org/2000/09/xmldsig#enveloped-signature and
http://www.w3.org/2001/10/xml-exc-c14n#,
DigestMethod http://www.w3.org/2001/04/xmlenc#sha256,
DigestValue BkenglDOQwAFlKJ3hLrZ4vUzAg9gOD9EFUjGKH9hsI4=,
SignatureValue ..., KeyInfo ...
Subject NameID: nY16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud66
SubjectConfirmationData Recipient: https://somedomain.cloudapp.azure.com:8443/cas/login?client_name=MY_SAML
Audience: spn:8b4fcc4d-6781-4da0-acc9-0c28a3317695
Attributes:
  http://schemas.microsoft.com/identity/claims/tenantid = 522b3803-a001-4675-b3b5-1d727d43585a
  http://schemas.microsoft.com/identity/claims/objectidentifier = 8fa1e8a3-41b8-440e-91cf-fafa246ab571
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name = xx...@.onmicrosoft.com
  http://schemas.microsoft.com/identity/claims/displayname = Firstname Lastname
  http://schemas.microsoft.com/identity/claims/identityprovider = https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/
  http://schemas.microsoft.com/claims/authnmethodsreferences = http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password, http://schemas.microsoft.com/claims/multipleauthn
AuthnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:Password

CAS Client Response

(attribute element names lost in extraction; values in document order)
nX16LJA-9igFhluTHQGlDUOK0CNPy_XfliMDJ3iud88
true
8fa1e8a3-41b8-440e-91cf-fafa246ab571
2018-10-04T13:22:05.643Z[Etc/UTC]
MY_SAML
ClientAuthenticationHandler
Firstname Lastname
2018-10-04T13:17:05.275Z
ClientCredential
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
http://schemas.microsoft.com/claims/multipleauthn
522b3803-a001-4675-b3b5-1d727d43585a
myuse...@mydomain.onmicrosoft.com
ClientAuthenticationHandler
https://sts.windows.net/522b3803-a001-4675-b3b5-1d727d43585a/
2018-10-04T14:17:05.275Z
false
_337eded3-a927-4674-b78a-77259cfbf784


Now, this response parsing is failing in WildFly or JBoss EAP because the 
underlying XML parser (xercesImpl) does not allow XML elements starting with 
numeric data.

So, to make it more standard, we are trying to use the attributeResolver on the 
CAS server side (e.g. /etc/cas/service/app-200.json).
However, we are not able to rename the SAML response attributes sent to the 
CAS client.

We have tried

1) MappedAttributePolicy

"attributeReleasePolicy" : {
  "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
  "allowedAttributes" : {
    "@class" : "java.util.TreeMap",
    "name" : "username",
    "displayname" : "userdisplayname"
  }
}

2) via Groovy config

"attributeReleasePolicy" : {
  "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
  "allowedAttributes" : {
    "@class" : "java.util.TreeMap",
    "name" : "username",
    "displayname" : "userdisplayname",
    "someattributename" : "groovy { return attributes['name'] }"
  }
}

Any pointers on how to configure the attribute name translation are deeply 
appreciated.


Thanks
-Raghav
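Added example (not CAS project code and not from the post): a small Python check for a service JSON like the two attempts above. It assumes a constructed service definition modelled on the first attempt (the serviceId and id are placeholders) and reports whether the JSON parses at all, which released attribute names a strict XML parser such as Xerces would reject as element names in the CAS validation response, and which entries are inline Groovy scripts rather than plain renames.

```python
"""Sanity-check the ReturnMappedAttributeReleasePolicy of a CAS service JSON.

Added example, not CAS project code. In this policy the key is the attribute
name as CAS resolved it and the value is the name released to the client; the
CAS protocol v3 validation response emits each released attribute as an XML
element named after it, so a released name must be a legal element name.
"""
import json
import re

MAPPED_POLICY = "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy"

# XML 1.0 NCName, simplified to ASCII: first char a letter or '_', then letters,
# digits, '-', '.', '_'. No ':' and no '/' and no leading digit, so a claim URI
# or a value such as "8fa1e8a3..." used as a name fails this check.
_NCNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")


def is_xml_element_name(name: str) -> bool:
    """True if `name` is usable as an XML element tag by a strict parser."""
    return bool(_NCNAME.match(name))


def extract_mapping(service_json: str) -> dict:
    """Return {source_attribute: released_name} from allowedAttributes.

    Raises ValueError for malformed JSON (a missing comma, for instance) or
    when the service does not use the mapped release policy.
    """
    try:
        service = json.loads(service_json)
    except json.JSONDecodeError as e:
        raise ValueError(f"malformed JSON: {e.msg} (line {e.lineno}, column {e.colno})") from e
    policy = service.get("attributeReleasePolicy", {})
    if policy.get("@class") != MAPPED_POLICY:
        raise ValueError(f"policy is {policy.get('@class')!r}, not {MAPPED_POLICY}")
    allowed = policy.get("allowedAttributes", {})
    return {k: v for k, v in allowed.items() if k != "@class"}


def check_mapping(mapping: dict) -> list:
    """Return (source, released, problem) tuples; an empty list means clean."""
    findings = []
    for source, released in mapping.items():
        # CAS documents "groovy { ... }" as the inline-script form of a value.
        if isinstance(released, str) and released.lstrip().startswith("groovy"):
            findings.append((source, released, "groovy-script"))
            continue
        targets = released if isinstance(released, list) else [released]
        for target in targets:
            if not is_xml_element_name(str(target)):
                findings.append((source, target, "invalid-xml-element-name"))
    return findings


def validate_service(service_json: str) -> dict:
    """One-call summary: {'ok': bool, 'error': str or None, 'findings': [...]}."""
    try:
        findings = check_mapping(extract_mapping(service_json))
    except ValueError as e:
        return {"ok": False, "error": str(e), "findings": []}
    return {"ok": not findings, "error": None, "findings": findings}


# Constructed sample: the first attempt from the post, wrapped in a service.
GOOD_SERVICE = """{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://app.example.org/.*",
  "name": "app", "id": 200,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes": {
      "@class": "java.util.TreeMap",
      "name": "username",
      "displayname": "userdisplayname"
    }
  }
}"""

# Constructed sample: the second attempt with the comma missing after
# "userdisplayname", so the registry would never load the file.
BAD_SERVICE = GOOD_SERVICE.replace(
    '"displayname": "userdisplayname"',
    '"displayname": "userdisplayname"\n      "someattributename": "groovy { return attributes[\'name\'] }"',
)

if __name__ == "__main__":
    for label, doc in (("good", GOOD_SERVICE), ("bad", BAD_SERVICE)):
        print(label, validate_service(doc))
    # Released names a strict parser rejects: leading digit, full claim URI.
    print(check_mapping({"objectidentifier": "8fa1e8a3",
                         "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"}))
```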




[cas-user] CAS 5.2.6 + Delegated Authentication + Microsoft Azure AD + How to map attributes

2018-10-05 Thread Raghavan TV
Hi All

We were able to successfully integrate CAS 5.2.6 using delegated 
authentication against Azure AD (SAML IdP).

We are now looking to map the SAML (claims) attributes to more meaningful 
names.


We tried to use the AttributeResolver on the CAS server side configuration, 
but it is not working so far.




Any pointers on what is wrong with the way we are trying the attribute mapping?

Sample attribute resolution mapping tha

Re: [cas-user] 5.1.2 to 5.2 CAS migration

2018-10-05 Thread Yan Zhou
Hi, 

How do you get cas-management to create tables?

I have an overlay of CAS-management 5.3.3; the following is my 
management.properties. When I start it up, I do not see tables being 
created, and cas-management fails because there are no tables.

cas.serviceRegistry.jpa.url=jdbc:oracle:thin:@.
cas.serviceRegistry.jpa.dialect=org.hibernate.dialect.Oracle10gDialect
cas.serviceRegistry.jpa.ddlAuto=create 
cas.serviceRegistry.jpa.driverClass=oracle.jdbc.OracleDriver


Yan

On Thursday, December 21, 2017 at 2:36:24 PM UTC-5, Man H wrote:
>
> Hi again David
>
> I have to complement my previous answer.
>
> Previous table attributes are created by cas-server, but if you install 
> cas-management the following table is created, which is also read by cas 
> server. 
>
>
>
> Regards
>
>
> CREATE TABLE `RegexRegisteredService` ( 
>   `expression_type` varchar(50) NOT NULL DEFAULT 'regex', 
>   `id` bigint(20) NOT NULL AUTO_INCREMENT, 
>   `access_strategy` longblob, 
>   `attribute_release` longblob, 
>   `description` varchar(255) DEFAULT NULL, 
>   `evaluation_order` int(11) NOT NULL, 
>   `expiration_policy` longblob, 
>   `informationUrl` varchar(255) DEFAULT NULL, 
>   `logo` varchar(255) DEFAULT NULL, 
>   `logout_type` int(11) DEFAULT NULL, 
>   `logout_url` varchar(255) DEFAULT NULL, 
>   `mfa_policy` longblob, 
>   `name` varchar(255) NOT NULL, 
>   `privacyUrl` varchar(255) DEFAULT NULL, 
>   `proxy_policy` longblob, 
>   `public_key` longblob, 
>   `required_handlers` longblob, 
>   `serviceId` varchar(255) NOT NULL, 
>   `theme` varchar(255) DEFAULT NULL, 
>   `username_attr` longblob, 
>   `bypassApprovalPrompt` bit(1) DEFAULT NULL, 
>   `clientId` varchar(255) DEFAULT NULL, 
>   `clientSecret` varchar(255) DEFAULT NULL, 
>   `generateRefreshToken` bit(1) DEFAULT NULL, 
>   `jsonFormat` bit(1) DEFAULT NULL, 
>   `supported_grants` longblob, 
>   `supported_responses` longblob, 
>   `DYNAMIC_REG_TIME` datetime DEFAULT NULL, 
>   `dynamicallyRegistered` bit(1) DEFAULT NULL, 
>   `encryptIdToken` bit(1) DEFAULT NULL, 
>   `idTokenEncryptionAlg` varchar(255) DEFAULT NULL, 
>   `idTokenEncryptionEncoding` varchar(255) DEFAULT NULL, 
>   `implicit` bit(1) DEFAULT NULL, 
>   `jwks` varchar(255) DEFAULT NULL, 
>   `scopes` longblob, 
>   `sectorIdentifierUri` varchar(255) DEFAULT NULL, 
>   `signIdToken` bit(1) DEFAULT NULL, 
>   `subjectType` varchar(255) DEFAULT NULL, 
>   `addressingNamespace` varchar(255) DEFAULT NULL, 
>   `appliesTo` varchar(255) DEFAULT NULL, 
>   `namespace` varchar(255) DEFAULT NULL, 
>   `policyNamespace` varchar(255) DEFAULT NULL, 
>   `protocol` varchar(255) DEFAULT NULL, 
>   `realm` varchar(255) DEFAULT NULL, 
>   `tokenType` varchar(255) DEFAULT NULL, 
>   `wsdlEndpoint` varchar(255) DEFAULT NULL, 
>   `wsdlLocation` varchar(255) DEFAULT NULL, 
>   `wsdlService` varchar(255) DEFAULT NULL, 
>   `encryptAssertions` bit(1) DEFAULT NULL, 
>   `metadataCriteriaDirection` varchar(255) DEFAULT NULL, 
>   `metadataCriteriaPattern` varchar(255) DEFAULT NULL, 
>   `metadataCriteriaRemoveEmptyEntitiesDescriptors` bit(1) DEFAULT NULL, 
>   `metadataCriteriaRemoveRolelessEntityDescriptors` bit(1) DEFAULT NULL, 
>   `metadataCriteriaRoles` varchar(255) DEFAULT NULL, 
>   `metadataExpirationDuration` varchar(255) DEFAULT NULL, 
>   `metadataLocation` varchar(255) DEFAULT NULL, 
>   `metadataMaxValidity` bigint(20) DEFAULT NULL, 
>   `metadataSignatureLocation` varchar(255) DEFAULT NULL, 
>   `nameIdQualifier` varchar(255) DEFAULT NULL, 
>   `requiredAuthenticationContextClass` varchar(255) DEFAULT NULL, 
>   `requiredNameIdFormat` varchar(255) DEFAULT NULL, 
>   `serviceProviderNameIdQualifier` varchar(255) DEFAULT NULL, 
>   `signAssertions` bit(1) DEFAULT NULL, 
>   `signResponses` bit(1) DEFAULT NULL, 
>   `signingCredentialType` varchar(255) DEFAULT NULL, 
>   `skipGeneratingAssertionNameId` bit(1) DEFAULT NULL, 
>   `skipGeneratingSubjectConfirmationInResponseTo` bit(1) DEFAULT NULL, 
>   `skipGeneratingSubjectConfirmationNotBefore` bit(1) DEFAULT NULL, 
>   `skipGeneratingSubjectConfirmationNotOnOrAfter` bit(1) DEFAULT NULL, 
>   `skipGeneratingSubjectConfirmationRecipient` bit(1) DEFAULT NULL, 
>   PRIMARY KEY (`id`) 
> )
>
> 2017-12-15 17:45 GMT-03:00 Maxwell, Gary:
>
>> Ok I just wanted to make sure. Thanks!
>>
>>  
>>
>> *From:* cas-...@apereo.org  [mailto:cas-...@apereo.org 
>> ] *On Behalf Of *Man H
>> *Sent:* Friday, December 15, 2017 9:39 AM
>> *To:* cas-...@apereo.org 
>> *Subject:* Re: [cas-user] 5.1.2 to 5.2 CAS migration
>>
>>  
>>
>> this is what I have in 5.2.0
>>
>> CREATE TABLE `RegexRegisteredService` ( 
>>   `expression_type` varchar(50) NOT NULL DEFAULT 'regex', 
>>   `id` bigint(20) NOT NULL AUTO_INCREMENT, 
>>   `access_strategy` longblob, 
>>   `attribute_release` longblob, 
>>   `description` varchar(255) DEFAULT NULL, 
>>   `evaluation_order` int(11) NOT NULL, 
>>   `expiration_policy` longblob, 
>>   `informationUrl` varchar(255) DEFAULT NULL, 
>>   `logo` 

Re: [cas-user] CAS logout immediately after login succeed

2018-10-05 Thread Ray Bon
You should set up https. It is needed for ticket validation (but not needed in 
a default CAS install and no service=...).
You can use browser developer tools to see if there is an attempt to log in to 
the service with SSO.

Ray

On Fri, 2018-10-05 at 07:44 -0700, Hoang Anh Duc wrote:
I can login to my CAS. If I access the url `http://cas_server/cas/login` (without 
`?service=...`), the session is still kept; I can go to the dashboard without logging in 
again. But when I access some URL like 
`http://cas_server/cas/login?service=...`, I need to login again.
What happened with my SSO config?
Thanks!

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca



Re: [cas-user] RegexUriLogoutValve not working as expected

2018-10-05 Thread Ray Bon
Jaume,

logging.properties is for tomcat itself.
You can add a log4j2.xml file to your application. To it, add a logger for 
org.apereo. I think I started by copying the one that comes with CAS server.

Ray

On Fri, 2018-10-05 at 00:13 -0700, Jaume Moral wrote:
Ok, I will turn on debug and check the logs.

What is the right way to do it? All the documentation I find is about enabling it in 
the CAS server. I tried to enable it in logging.properties in the /conf folder but it 
doesn't work. It seems it uses a different configuration file.

Can you help me?

Thanks!

On Friday, 5 October 2018 at 1:51:10 UTC+2, rbon wrote:
Jaume,

If test.jsp requires login and you can access it after app1/logout, I agree 
that you are not logged out.
https://github.com/apereo/java-cas-client/blob/master/cas-client-integration-tomcat-common/src/main/java/org/jasig/cas/client/tomcat/AbstractLogoutHandler.java

If you turn on debugging for the cas client, you will see the log out happen.

If you do not want CAS to log user out of all apps, you can turn off single 
sign out.

Ray

On Thu, 2018-10-04 at 23:26 +0200, Jaume Moral wrote:
Yes, redirection happens and CAS server forgets the logged user

My flow is:

* http://localhost:8080/app1/test.jsp
-> redirects to CAS login
* login in cas server with username and password
-> redirects to /app1/test.jsp, showing my username and a _const_cas_assertion_
* http://localhost:8080/app1/logout
-> redirects to CAS server logout url (and it really forgets the authentication)
* http://localhost:8080/app1/test.jsp
-> It shows my username! I'm not logged out of app1 !! But there is not a 
_const_cas_assertion_

I think that logout valve deletes the cas assertion in session, but perhaps the 
user is also stored in session and is not deleted. I thought that the user 
exposed to the application via pageContext.remoteUser was the one in 
cas_assertion, but in the last step, there is no cas assertion, but the user 
remains.

Perhaps your answer will be. "ok, you can invalidate your session and then go 
to CAS logout", but the reason I'm doing this is that i want to logout from all 
applications in same tomcat. I can't invalidate other contexts sessions, as far 
as I know.

Any ideas?

On Thu, 4 Oct 2018 at 22:47, Ray Bon wrote:
Jaume,

Does the redirect to CAS happen?
If CAS does not terminate the session but your application does (i.e. the valve 
works), then when you access your application, it will go to CAS and create a 
new session using the previous single sign on.
If this is happening you will see the redirect in your developer tools and new 
service tickets issued in CAS logs.
Is there a way to tell if tomcat ends the sessions?

Ray

On Thu, 2018-10-04 at 22:05 +0200, Jaume Moral wrote:
Ok. I can use the single sign out request on cas logout, but this is not what 
I'm looking for.

I thought that the logout valve would do a logout in all applications on the same 
tomcat, without the need of a single sign out request from the cas server.

Am I wrong?

On Thu, 4 Oct 2018 at 19:24, Ray Bon wrote:
Jaume,

cas/logout will end the CAS session. It is up to your application to end its 
own session. If tomcat is redirecting on your application logout, then your 
application will never know to end the session.
Perhaps your cas client can perform the right steps (end session and redirect 
to cas/logout).

You can add logout url to service definition. CAS will then send a request when 
cas/logout is visited.

Ray

On Thu, 2018-10-04 at 09:38 -0700, Jaume Moral wrote:

Hi!


I have a problem using RegexUriLogoutValve to achieve global logout in a tomcat 
server.


I have two applications (app1 and app2) in the same tomcat, protected with 
org.jasig.cas.client.tomcat.v7.Cas20CasAuthenticator. Single Sign On works 
perfectly, but I have trouble with logout.


I have this in global context.xml


 https://mycasserver.edu/cas/logout";
/>


When I go to http://localhost:8080/app1/logout, it seems fine but none of my 
applications forget the logged user.


Inside my applications, I have


web.xml



Protected Area
/*


user





And one jsp for testing


Logged user: ${pageContext.request.remoteUser}



I was expecting that after visiting /app1/logout, both applications would forget the CAS 
user. Is this correct? Or am I missing something?


[cas-user] CAS 6.0.0-RC3-SNAPSHOT Could not find spring-boot-gradle-plugin:2.1.0.M4

2018-10-05 Thread Jon Anderson
It seems that bintray does not host the spring-boot-gradle-plugin milestones. 
2.0.5.RELEASE is the most recent version that I see there.

How do I build CAS 6?  (I've spent days in the docs recently, but mostly the 
5.3 docs. 5.3 isn't doing SAML IdP + delegated auth for me so I want to see if 
things are improved in 6.)

Thanks,
Jon

~/git/cas-overlay-template$ ./build.sh run
Starting a Gradle Daemon (subsequent builds will be faster)

FAILURE: Build failed with an exception.

* What went wrong:
A problem occurred configuring root project 'cas-overlay-template'.
> Could not resolve all artifacts for configuration ':classpath'.
   > Could not find org.springframework.boot:spring-boot-gradle-plugin:2.1.0.M4.
 Searched in the following locations:
   - 
file:/home/janderso/.m2/repository/org/springframework/boot/spring-boot-gradle-plugin/2.1.0.M4/spring-boot-gradle-plugin-2.1.0.M4.pom
   - 
file:/home/janderso/.m2/repository/org/springframework/boot/spring-boot-gradle-plugin/2.1.0.M4/spring-boot-gradle-plugin-2.1.0.M4.jar
   - 
https://jcenter.bintray.com/org/springframework/boot/spring-boot-gradle-plugin/2.1.0.M4/spring-boot-gradle-plugin-2.1.0.M4.pom
   - 
https://jcenter.bintray.com/org/springframework/boot/spring-boot-gradle-plugin/2.1.0.M4/spring-boot-gradle-plugin-2.1.0.M4.jar
 Required by:
 project :




Re: [cas-user] cas-management ldap upgrade to 5.3.3 problems

2018-10-05 Thread Travis Schmidt
An oversight on my part.  A 5.3.4-SNAPSHOT of the CAS Management should be
available later today with this jar restored.  Full release will be coming
soon.

Travis

On Fri, Oct 5, 2018 at 3:44 AM Ian Wright  wrote:

> Hi,
>
> I'm trying to upgrade from 5.2 to 5.3 and I get an exception about missing
> CasManagementLdapAuthorizationConfiguration.class
>
> I can see that it's in cas-management-webapp-support-ldap-5.2.3.jar but
> not cas-management-webapp-support-ldap-5.3.3.jar
>
> As an aside I think the properties need to change from cas.mgmt.xxx to
> mgmt.xxx but I've done that
>
> Any ideas?
>
> Thanks
>
> P.S. I find the lack of upgrade guides extremely frustrating!
>



[cas-user] CAS logout immediately after login succeed

2018-10-05 Thread Hoang Anh Duc
I can login to my CAS. If I access the url `http://cas_server/cas/login` 
(without `?service=...`), the session is still kept; I can go to the dashboard 
without logging in again. But when I access some URL like 
`http://cas_server/cas/login?service=...`, I need to login again.  
What happened with my SSO config?
Thanks!



[cas-user] cas-management ldap upgrade to 5.3.3 problems

2018-10-05 Thread Ian Wright
Hi,

I'm trying to upgrade from 5.2 to 5.3 and I get an exception about missing 
CasManagementLdapAuthorizationConfiguration.class

I can see that it's in cas-management-webapp-support-ldap-5.2.3.jar but not 
cas-management-webapp-support-ldap-5.3.3.jar

As an aside I think the properties need to change from cas.mgmt.xxx to 
mgmt.xxx but I've done that

Any ideas?

Thanks

P.S. I find the lack of upgrade guides extremely frustrating!



Re: [cas-user] Re: CAS 5.2.0 How to configure cas in that way so that it listen to HTTP?

2018-10-05 Thread Jozef Kotlár
Hello,

for testing purposes you have to emulate your load balancer, using httpd or
nginx or any other tool, and point your CAS client in example.org to that
HTTPS URL.
For testing I usually use a generated certificate for
https://localhost.localdomain and a locally deployed CAS-protected service
from https://github.com/cas-projects/cas-sample-java-webapp

Jozef

On Thu, Oct 4, 2018 at 1:37 PM Pedro Rosas wrote:

> Hi all,
>
> I'm currently building a cas-overlay instance (based on CAS 5.3.3) that
> will be deployed to a standalone Tomcat 9 server.
> Our production environment will have a load balancer that will offload the
> SSL certificates.
> Between the load balancer and the Tomcat server communication will be
> using HTTP only.
>
> So, we want to have CAS running on http ONLY.
> On my development machine, I have it running on http.
> If I navigate to the login page "
> http://localhost:8080/cas-overlay/login?service=https://www.example.org";
> everything seems to be working fine.
> Typing the correct credentials, gets me redirected to the example.org
> domain with a ticket as a GET parameter "
> https://www.example.org/?ticket=ST-1-kP1yT6Q8VVBPlpi0NEBWi7mV0gUL-BR-PEDROR01
> "
>
> But... if I navigate to the standard login page "
> http://localhost:8080/cas-overlay/login"; the page includes the
> "Non-Secure Connection" warning - "*You are currently accessing CAS over
> a non-secure connection. Single Sign On WILL NOT WORK. In order to have
> single sign on work, you MUST log in over HTTPS.*"
>
> What does it mean that single sign on WILL NOT WORK?
> Am I missing something, or is my setup running fine?
> Can I simply safely ignore the warning?
>
>
> Thanks.
> Best Regards,
>   Pedro Rosas
>
>
> On Tuesday, December 19, 2017 at 4:46:07 PM UTC, Jozef Kotlar - EEA.sk
> wrote:
>>
>> And? That doesn't work?
>> It was just my guess. I am actually using another configuration to proxy
>> standalone CAS behind Apache HTTP Server. The following configuration allows
>> me to define both AJP (for proxying) and HTTP (for local monitoring) ports.
>>
>> $ cat /etc/cas/config/application.yml
>> info:
>>   description: CAS Configuration
>>
>> # Embedded tomcat
>> cas.server:
>>   http:
>>     enabled: true
>>     port: 8480
>>   ajp:
>>     secure: true
>>     enabled: true
>>     proxyPort: 443
>>     scheme: https
>>     port: 8409
>>
>>
>> On Tuesday, December 19, 2017 at 3:46:37 AM UTC+1, casuser wrote:
>>>
>>>
>>> Hello Jozef that's my current configuration:
>>>
>>> cas.server.httpProxy.enabled=true
>>> cas.server.httpProxy.secure=true
>>> cas.server.httpProxy.protocol=AJP/1.3
>>> cas.server.httpProxy.scheme=http
>>> cas.server.httpProxy.redirectPort=8080
>>> cas.server.httpProxy.proxyPort=8080
>>> cas.server.httpProxy.attributes.attributeName=attributeValue
>>>
>>>
>>>
>>>
>>>
>>> On Friday, December 15, 2017 at 10:20:48 PM UTC+8, Jozef Kotlar - EEA.sk
>>> wrote:

>>>> I think you should leave cas.server.httpProxy.secure=true, this is
>>>> actually the setting on the container connector that CAS is checking.





Re: [cas-user] RegexUriLogoutValve not working as expected

2018-10-05 Thread Jaume Moral
Ok, I will turn on debug and check the logs.

What is the right way to do it? All the documentation I find is about enabling 
it in the CAS server. I tried to enable it in logging.properties in the /conf 
folder but it doesn't work. It seems it uses a different configuration file.

Can you help me?

Thanks!

On Friday, 5 October 2018 at 1:51:10 UTC+2, rbon wrote:
>
> Jaume,
>
> If test.jsp requires login and you can access it after app1/logout, I 
> agree that you are not logged out.
>
> 
> https://github.com/apereo/java-cas-client/blob/master/cas-client-integration-tomcat-common/src/main/java/org/jasig/cas/client/tomcat/AbstractLogoutHandler.java
>  
>
> If you turn on debugging for the cas client, you will see the log out 
> happen.
>
> If you do not want CAS to log user out of all apps, you can turn off 
> single sign out.
>
> Ray
>
> On Thu, 2018-10-04 at 23:26 +0200, Jaume Moral wrote:
>
> Yes, redirection happens and the CAS server forgets the logged-in user
>
> My flow is:
>
> * http://localhost:8080/app1/test.jsp 
> -> redirects to CAS login
> * login in cas server with username and password
> -> redirects to /app1/test.jsp, showing my username and a 
> _const_cas_assertion_
> * http://localhost:8080/app1/logout
> -> redirects to CAS server logout url (and it really forgets the 
> authentication)
> * http://localhost:8080/app1/test.jsp
> -> It shows my username! I'm not logged out of app1 !! But there is no 
> _const_cas_assertion_
>
> I think that logout valve deletes the cas assertion in session, but 
> perhaps the user is also stored in session and is not deleted. I thought 
> that the user exposed to the application via pageContext.remoteUser was the 
> one in cas_assertion, but in the last step, there is no cas assertion, but 
> the user remains.
>
> Perhaps your answer will be "ok, you can invalidate your session and then 
> go to CAS logout", but the reason I'm doing this is that I want to log out 
> from all applications in the same tomcat. I can't invalidate other contexts' 
> sessions, as far as I know.
>
> Any ideas?
>
> On Thu., 4 Oct. 2018 at 22:47, Ray Bon wrote:
>
> Jaume,
>
> Does the redirect to CAS happen?
> If CAS does not terminate the session but your application does (i.e. the 
> valve works), then when you access your application, it will go to CAS and 
> create a new session using the previous single sign on.
> If this is happening you will see the redirect in your developer tools and 
> new service tickets issued in CAS logs.
> Is there a way to tell if tomcat ends the sessions?
>
> Ray
>
> On Thu, 2018-10-04 at 22:05 +0200, Jaume Moral wrote:
>
> Ok. I can use the single sign out request on cas logout, but this is not 
> what I'm looking for. 
>
> I thought that logoutvalve would do a logout in all applications on the same 
> tomcat, without the need of a single sign out request from the cas server.
>
> Am I wrong?
>
> On Thu., 4 Oct. 2018 at 19:24, Ray Bon wrote:
>
> Jaume,
>
> cas/logout will end the CAS session. It is up to your application to end 
> its own session. If tomcat is redirecting on your application logout, then 
> your application will never know to end the session.
> Perhaps your cas client can perform the right steps (end session and 
> redirect to cas/logout).
>
> You can add logout url to service definition. CAS will then send a request 
> when cas/logout is visited.
>
> Ray
>
> On Thu, 2018-10-04 at 09:38 -0700, Jaume Moral wrote:
>
> Hi!
>
>
> I have a problem using RegexUriLogoutValve to achieve global logout in a 
> tomcat server.
>
>
> I have two applications (app1 and app2) in the same tomcat protected with 
> org.jasig.cas.client.tomcat.v7.Cas20CasAuthenticator. Single Sign On works 
> perfectly, but I have trouble with logout.
>
>
> I have this in global context.xml
>
>
> <Valve
>   className="org.jasig.cas.client.tomcat.v7.RegexUriLogoutValve"
>   logoutUriRegex="/.*/logout"
>   redirectUrl="https://mycasserver.edu/cas/logout"
> />
>  
>
> When I go to http://localhost:8080/app1/logout, it seems fine but none of 
> my applications forget the logged user.
>
>
> Inside my applications, I have
>
>
> web.xml
>
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Protected Area</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>user</role-name>
>   </auth-constraint>
> </security-constraint>
>
> And one jsp for testing
>
> Logged user: ${pageContext.request.remoteUser}
>
> I was expecting that after visiting /app1/logout, both applications forget the 
> CAS user. Is this correct? Or am I missing something?
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
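Ray's advice in the thread above (end the application's own session first, then send the browser to cas/logout) as an added Java servlet. This is example code written for this page, not code from the thread, from the java-cas-client project or from CAS. It assumes (not stated on the page) that the servlet is mapped to /logout inside the protected web app, that the app runs on a Servlet 3.0+ container such as the Tomcat 7 authenticator setup Jaume describes, and it reuses the CAS logout URL Jaume quoted, https://mycasserver.edu/cas/logout. The point worth checking after deploying it is the one Jaume observed: `remoteUser` is populated from the container-level Principal, which Tomcat authenticators cache on the session, so removing only the CAS assertion attribute is not enough; `request.logout()` plus `session.invalidate()` clears both.

```java
// Added example for this page, not from the thread or java-cas-client.
// Package name is hypothetical.
package example;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Application-side logout that terminates the local state before handing
 * over to CAS. Mapped to /logout inside the app (assumption).
 */
@WebServlet("/logout")
public class LocalThenCasLogoutServlet extends HttpServlet {

    // CAS logout endpoint quoted in the thread; adjust for your deployment.
    private static final String CAS_LOGOUT_URL = "https://mycasserver.edu/cas/logout";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // 1. Drop the container-level Principal (Servlet 3.0 API). Tomcat
        //    authenticators cache the Principal on the session, so without this
        //    request.getRemoteUser() keeps returning the old user even after the
        //    CAS assertion attribute is gone, which matches the symptom in the thread.
        try {
            req.logout();
        } catch (ServletException e) {
            // Nothing to undo here: the session is invalidated next in any case.
            log("container logout failed: " + e.getMessage());
        }

        // 2. Invalidate the application's own session so no attribute survives,
        //    including anything the app stored about the user itself.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 3. Make sure the response (and the page behind it) is not served from
        //    a browser or proxy cache once the user is logged out.
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("Pragma", "no-cache");

        // 4. Only now end the CAS SSO session. If the service definition on the
        //    CAS side has a logout URL registered, CAS also sends single sign-out
        //    requests to the other applications, which is how app2 gets cleared.
        resp.sendRedirect(CAS_LOGOUT_URL);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp);
    }
}
```

To verify the fix, repeat Jaume's flow: after /app1/logout, a request to /app1/test.jsp should redirect to the CAS login page (visible as a 302 in the browser's developer tools and as a new service ticket in the CAS logs once you log in again), instead of rendering the old username.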