[cas-user] Re: CAS JWT Service ticket validation getting failed
Hi,

CAS is not supposed at all to internally validate the JWT, since it should be generated by CAS only after the ST is internally validated (as it's shown on the documentation flow diagram).

When it happened to me, it was because I was using a CAS client which was applying the CAS protocol, providing back the ticket argument to the validation endpoint of CAS.
Could you check that you are not using any CAS client and provide your app code that you are using to validate the JWT?

regards
Michele

On Monday, February 4, 2019 at 7:24:23 PM UTC+1, srmudigan wrote:
>
> Hi Michele,
>
> I have gone through the link. But before I implement reading the token on client side, I need to disable the validation happening on CAS side. Could you help me how to disable the validation that's happening on CAS, as it's doing JWT validation like ST ticket? It looks like after JWT is generated, it's getting validated on CAS. The generated URL has redirected=true&ticket=JWT-ticket. Maybe that's causing the automatic validation? It looks like the JWT ticket is not even reaching client. So can you please suggest how to stop the validation?
>
> Thank you for your help.
>
> Regards,
> srmudiganti

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/adf9ce56-345e-4ec7-a03b-5747ed23fab2%40apereo.org.
[cas-user] CAS Overlay Template missing resources for version 6.1.0-RC2-SNAPSHOT
Hello,

When I try to build the latest version of the overlay template (6.1.0-RC2-SNAPSHOT) with *./gradlew clean build*, the resulting *cas.war* contains only the file *log4j2.xml* in the folder */WEB-INF/classes*.

Somehow the rest of the "resources" files are missing and the gradle tasks *getResource*, *listTemplateViews* are returning empty responses.
[cas-user] Anybody have password expiration warnings working?
Does anybody have the password expiration support ("Your password will expire in N days") working? I'm talking about these settings:

cas.authn.ldap[0].passwordPolicy.enabled: true
cas.authn.ldap[0].passwordPolicy.type: AD
cas.authn.ldap[0].passwordPolicy.strategy: DEFAULT
cas.authn.ldap[0].passwordPolicy.warningDays: 7
cas.authn.ldap[0].passwordPolicy.warnAll: true

and the view page that displays the warning.

If you have it working, I'd be interested to know what settings you're using and what (if any) dependencies you have in your pom.xml to get it working.

Thanks,
--Dave
[cas-user] Re: CAS JWT Service ticket validation getting failed
Hi Michele,

Yes, you are right, CAS is not internally validating the JWT. The CAS client in my case is a Spring Boot based web app which is using cas-client-autoconfig-support with the @EnableCasClient annotation. I am using the validation-type: CAS3 in the client. And when I authenticate against the CAS server, CAS is generating the JWT but the client is trying to validate the JWT like an ST by sending it back to CAS. Looks like the client is using Cas20ServiceTicketValidator to validate the JWT ticket, which I think it should not.

What changes did you do in the client to not send it back to CAS for validating?

Thanks,
srmudiganti

On Wednesday, February 6, 2019 at 3:50:04 AM UTC-5, Michele Melluso wrote:
>
> Hi,
>
> CAS is not supposed at all to internally validate the JWT, since it should be generated by CAS only after the ST is internally validated (as it's shown on the documentation flow diagram).
>
> When it happened to me, it was because I was using a CAS client which was applying the CAS protocol, providing back the ticket argument to the validation endpoint of CAS.
> Could you check that you are not using any CAS client and provide your app code that you are using to validate the JWT?
>
> regards
> Michele
>
> On Monday, February 4, 2019 at 7:24:23 PM UTC+1, srmudigan wrote:
>>
>> Hi Michele,
>>
>> I have gone through the link. But before I implement reading the token on client side, I need to disable the validation happening on CAS side. Could you help me how to disable the validation that's happening on CAS, as it's doing JWT validation like ST ticket? It looks like after JWT is generated, it's getting validated on CAS. The generated URL has redirected=true&ticket=JWT-ticket. Maybe that's causing the automatic validation? It looks like the JWT ticket is not even reaching client. So can you please suggest how to stop the validation?
>>
>> Thank you for your help.
>>
>> Regards,
>> srmudiganti
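The exchange above turns on where a JWT service ticket is checked: a classic ST is opaque and has to go back to the CAS validation endpoint, while a JWT is verified by the application itself. The following is an added example, not code from the thread or from the CAS project, showing such a local check with the Nimbus JOSE + JWT library. It assumes a signed, unencrypted HS256 token and a shared signing key; the class name, key, issuer and service URL are constructed for the demonstration.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Date;

public class LocalJwtTicketCheck {

    /** Raised whenever the ticket must not be trusted; the message says why. */
    static final class RejectedTicketException extends Exception {
        RejectedTicketException(String reason) { super(reason); }
    }

    /**
     * Verifies a JWT ticket inside the application instead of posting it
     * back to the CAS validation endpoint. Returns the claims on success.
     */
    static JWTClaimsSet validate(String ticket, byte[] signingKey,
                                 String expectedIssuer, String expectedService)
            throws RejectedTicketException {
        final SignedJWT jwt;
        try {
            jwt = SignedJWT.parse(ticket);
        } catch (ParseException e) {
            // An opaque "ST-..." ticket ends up here: it is not a JWT at all.
            throw new RejectedTicketException("not a signed JWT");
        }
        // Pin the algorithm (assumption: HS256) rather than trusting the header.
        if (!JWSAlgorithm.HS256.equals(jwt.getHeader().getAlgorithm())) {
            throw new RejectedTicketException("unexpected signing algorithm");
        }
        try {
            if (!jwt.verify(new MACVerifier(signingKey))) {
                throw new RejectedTicketException("signature mismatch");
            }
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            Date exp = claims.getExpirationTime();
            if (exp == null || !exp.after(new Date())) {
                throw new RejectedTicketException("expired or no expiry");
            }
            if (!expectedIssuer.equals(claims.getIssuer())) {
                throw new RejectedTicketException("unexpected issuer");
            }
            // The audience must be this application's own service URL.
            if (!claims.getAudience().contains(expectedService)) {
                throw new RejectedTicketException("issued for another service");
            }
            return claims;
        } catch (JOSEException | ParseException e) {
            throw new RejectedTicketException("unreadable token: " + e.getMessage());
        }
    }

    /** Builds a constructed sample token so the demo runs offline. */
    static String issueSample(byte[] key, String issuer, String service)
            throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("casuser")
                .issuer(issuer)
                .audience(service)
                .expirationTime(new Date(System.currentTimeMillis() + 60_000))
                .build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claims);
        jwt.sign(new MACSigner(key));
        return jwt.serialize();
    }

    static String outcome(String ticket, byte[] key, String issuer, String service) {
        try {
            return "accepted for " + validate(ticket, key, issuer, service).getSubject();
        } catch (RejectedTicketException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws JOSEException {
        // Constructed values, not taken from the thread.
        byte[] key = "constructed-demo-key-0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        byte[] otherKey = "another-constructed-key-fedcba9876543210".getBytes(StandardCharsets.UTF_8);
        String issuer = "https://cas.example.org/cas";
        String service = "https://app.example.org/";

        String token = issueSample(key, issuer, service);
        System.out.println(outcome(token, key, issuer, service));
        System.out.println(outcome(token, otherKey, issuer, service));
        System.out.println(outcome(token, key, issuer, "https://other.example.org/"));
        System.out.println(outcome("ST-1-constructed-opaque-ticket", key, issuer, service));
    }
}
```

Only the first call is accepted; the wrong key, the wrong service and the opaque ticket are each rejected with their own reason.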
[cas-user] lose service parameter when incorrect credential entered
Hi there,

I extended CAS 5.3.4. The app redirects to the CAS login page with the service parameter.

When I type an incorrect credential, I see the invalid credential message, but I lose the service parameter; the screen refreshes to have only the CAS URL.

What could be missing in my code?

Thx!
Re: [cas-user] lose service parameter when incorrect credential entered
Yan,

Can you post your code?

Ray

On Wed, 2019-02-06 at 10:00 -0800, Yan Zhou wrote:
> Hi there,
>
> I extended CAS 5.3.4. The app. redirects to CAS login page with service parameter.
>
> When I type incorrect credential, I saw the invalid credential message, but I lost service parameter, the screen refreshes to have only the CAS url.
>
> What could be missing in my code?
>
> Thx!

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca
Re: [cas-user] lose service parameter when incorrect credential entered
Hi,

I made some customization on the login flow, see all login related code/configuration below.

I read this in CAS 5.3.X documentation:

If “service” was specified to */login*, “service” MUST also be a parameter of the form, containing the value originally passed to */login*.

Is this saying the Form in casLoginView.html should have "service" parameter, along with username & password? With the sample overlay project, I did not see "service" parameter in the form, but this works fine, i.e., if credential is incorrect, it keeps "service" parameter.

This is my complete login webflow.

http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/webflow" xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd">

package org.apereo.cas.config;

import javax.sql.DataSource;

import org.apereo.cas.adaptors.jdbc.QuestAuthenticationHandler;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlan;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.ServicesManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.transaction.annotation.EnableTransactionManagement;

import com.quest.hub.cas.entity.UserRepository;

@Configuration("QuestAuthenticationEventExecutionPlanConfiguration")
@AutoConfigureAfter(QuestDatabaseConfiguration.class)
@EnableConfigurationProperties(CasConfigurationProperties.class)
@EnableTransactionManagement(proxyTargetClass = true)
public class QuestAuthenticationEventExecutionPlanConfiguration implements AuthenticationEventExecutionPlanConfigurer {
    private static final Logger logger = LoggerFactory.getLogger(QuestAuthenticationEventExecutionPlanConfiguration.class);

    @Autowired
    private CasConfigurationProperties casProperties;

    @Autowired
    @Qualifier("servicesManager")
    private ServicesManager servicesManager;

    @Autowired
    @Qualifier("casDataSource")
    DataSource dataSource;

    @Autowired
    private UserRepository userRepository;

    @Bean
    public AuthenticationHandler questAuthenticationHandler() {
        final QuestAuthenticationHandler handler = new QuestAuthenticationHandler("questAuthHandler", servicesManager, null, 0, dataSource, userRepository);
        return handler;
    }

    @Override
    public void configureAuthenticationExecutionPlan(final AuthenticationEventExecutionPlan plan) {
        plan.registerAuthenticationHandler(questAuthenticationHandler());
    }
}

package org.apereo.cas.adaptors.jdbc;

import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.sql.DataSource;

import org.apache.commons.lang3.time.DateUtils;
import org.apereo.cas.authentication.AuthenticationHandlerExecutionResult;
import org.apereo.cas.authentication.BasicCredentialMetaData;
import org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult;
import org.apereo.cas.authentication.UsernamePasswordCredential;
import org.apereo.cas.authentication.exceptions.AccountDisabledException;
import org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException;
import org.apereo.cas.authentication.exceptions.AccountTemporaryLockedException;
import org.apereo.cas.authentication.exceptions.OneMoreAttemptLoginException;
import org.apereo.cas.authentication.exceptions.TwoMoreAttemptLoginException;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.PasswordDigest;
import org.springframework.dao.DataAccessException;

import com.quest.hub.cas.entity.User;
import com.quest.hub.cas.entity.UserRepository;

import lombok.extern.slf4j.Slf4j;

/** */
@Slf4j
public class QuestAuthenticationHandler extends AbstractJdbcUsernamePasswordAuthenticationHandler {
    private U
Re: [cas-user] lose service parameter when incorrect credential entered
Yan,

The log in flow that exists when CAS is running is considerably more complex than the xml file that is in the code base. A number of features will modify the flow. It may be possible that your 'checkLoginUser' is not being executed where/when in the flow you think.

I have a gist, https://gist.github.com/rbonatuvic/d3ef9e8dc0c5a78870a8520bc2ab2b74, that will format the login flow during startup. Use this to see what the flow looks like when your custom configuration is being configured.

Where is 'checkLoginUserAction' defined?

Ray

On Wed, 2019-02-06 at 11:02 -0800, Yan Zhou wrote:
> Hi,
>
> I made some customization on the login flow, see all login related code/configuration below.
>
> I read this in CAS 5.3.X documentation:
>
> If “service” was specified to /login, “service” MUST also be a parameter of the form, containing the value originally passed to /login.
>
> Is this saying the Form in casLoginView.html should have "service" parameter, along with username & password? With the sample overlay project, I did not see "service" parameter in the form, but this works fine, i.e., if credential is incorrect, it keeps "service" parameter.
>
> This is my complete login webflow.
Re: [cas-user] lose service parameter when incorrect credential entered
I think the log may help better. I do not believe CheckLoginUserAction has anything to do with it, because it only comes into the picture if authN is successful.

I just enabled debug logging, the stacktrace below is only because I entered incorrect credential. Notice that my URL had service parameter, but at the end, it is gone.

Yan

2019-02-06 17:13:43,958 DEBUG [org.springframework.web.servlet.DispatcherServlet] -
2019-02-06 17:13:43,975 DEBUG [org.springframework.web.servlet.DispatcherServlet] -
2019-02-06 17:13:43,975 DEBUG [org.springframework.web.servlet.DispatcherServlet] -
2019-02-06 17:13:47,047 DEBUG [org.springframework.web.servlet.DispatcherServlet] -
2019-02-06 17:13:47,048 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] -
2019-02-06 17:13:47,048 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] -
2019-02-06 17:13:47,048 DEBUG [org.springframework.webflow.mvc.servlet.FlowHandlerMapping] -
2019-02-06 17:13:47,048 DEBUG [org.springframework.web.cors.DefaultCorsProcessor] -
2019-02-06 17:13:47,049 DEBUG [org.springframework.webflow.executor.FlowExecutorImpl] -
2019-02-06 17:13:47,076 DEBUG [org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] -
2019-02-06 17:13:47,076 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] -
2019-02-06 17:13:47,076 DEBUG [org.springframework.webflow.engine.Flow] -
2019-02-06 17:13:47,076 DEBUG [org.springframework.webflow.engine.Flow] -
2019-02-06 17:13:47,077 DEBUG [org.springframework.webflow.mvc.view.AbstractMvcView] -
2019-02-06 17:13:47,077 DEBUG [org.springframework.webflow.mvc.view.AbstractMvcView] -
2019-02-06 17:13:47,077 DEBUG [org.springframework.webflow.mvc.view.AbstractMvcView] -
2019-02-06 17:13:47,092 DEBUG [org.springframework.webflow.mvc.view.AbstractMvcView] -
2019-02-06 17:13:47,092 DEBUG [org.springframework.webflow.mvc.view.AbstractMvcView] -
2019-02-06 17:13:47,110 DEBUG [org.springframework.webflow.mvc.view.AbstractMvcView] -
2019-02-06 17:13:47,119 DEBUG [org.springframework.webflow.engine.ViewState] -
2019-02-06 17:13:47,119 DEBUG [org.springframework.webflow.engine.Transition] -
2019-02-06 17:13:47,119 DEBUG [org.springframework.webflow.engine.Transition] -
2019-02-06 17:13:47,119 DEBUG [org.springframework.webflow.engine.ActionState] -
2019-02-06 17:13:47,119 DEBUG [org.springframework.webflow.execution.ActionExecutor] -
2019-02-06 17:13:47,120 DEBUG [org.springframework.webflow.execution.ActionExecutor] -
2019-02-06 17:13:47,120 DEBUG [org.springframework.webflow.execution.ActionExecutor] -
2019-02-06 17:13:47,120 DEBUG [org.springframework.webflow.execution.AnnotatedAction] -
2019-02-06 17:13:47,120 DEBUG [org.springframework.webflow.execution.ActionExecutor] -
2019-02-06 17:13:47,121 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] -
2019-02-06 17:13:47,121 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] -
2019-02-06 17:13:47,122 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] - https://test.com, originalUrl=https://test.com, artifactId=null, principal=null, source=service, loggedOutAlready=false, format=XML, attributes={})] from the request context>
2019-02-06 17:13:47,122 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] -
2019-02-06 17:13:47,122 DEBUG [org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver] -
2019-02-06 17:13:47,123 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] -
2019-02-06 17:13:47,292 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
2019-02-06 17:13:47,293 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[questAuthHandler]: []>
2019-02-06 17:13:47,304 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
2019-02-06 17:13:47,313 DEBUG [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - <1 errors, 0 successes>
org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes
    at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:391) ~[cas-server-core-authentication-api-5.3.4.jar:5.3.4]
    at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:371) ~[cas-server-core-authentication-api-5.3.4.jar:5.3.4]
    at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:144) ~[cas-server-core-authentication-api-5.3.4.jar:5.3.4]
    at org.apereo.cas.authentication.PolicyBasedAuthenticationManager$$FastClassBySpringCGLIB$$90e801d3.invoke() ~[cas-server-core-authentication-api-5.3.4.jar:5.3.4]
Re: [cas-user] lose service parameter when incorrect credential entered
Yan,

Fix the error first. It could be eating the parameters.
Return to default login flow and try again.
Are you sure your authentication handler is correct?

Ray

On Wed, 2019-02-06 at 14:28 -0800, Yan Zhou wrote:
> I think the log may help better. I do not believe CheckLoginUserAction has anything to do with it, because it only comes into the picture if authN is successful.
>
> I just enabled debug logging, the stacktrace below is only because I entered incorrect credential. Notice that my URL had service parameter, but at the end, it is gone.
>
> Yan
[cas-user] Re: lose service parameter when incorrect credential entered
Hi Yan,

As Ray correctly pointed out, the XML webflow defined is a basic starting point; if search through the you find a lot of classes extending Cas*Webflow*Configurer, this includes the DefaultLoginWebflowConfigurer.

During our upgrade from I noticed the same issue that at times the service parameter was going missing, but the page worked fine as long as I did NOT do a refresh. From my investigation the service parameter is stored upon entry into CAS, and as long as the page is not force refreshed by the user without the service parameter then CAS should work fine.

During my investigation I found the following redirect,

They redirect without the query parameters. There is also a redirectToLogin as well.

Given that you have started invalid credentials then it's more than likely going down the "" code and not even hitting your code.

Regards,
Colin

On Thursday, 7 February 2019 05:00:05 UTC+11, Yan Zhou wrote:
>
> Hi there,
>
> I extended CAS 5.3.4. The app. redirects to CAS login page with service parameter.
>
> When I type incorrect credential, I saw the invalid credential message, but I lost service parameter, the screen refreshes to have only the CAS url.
>
> What could be missing in my code?
>
> Thx!
[cas-user] Re: CAS 5.3.7 Issue Pac4J OIDC + SAML2 Delegation
Hi Kyra,

After reading your problem and if I am not mistaken, I think your problem is mostly *not related* to https://github.com/apereo/cas/pull/3664 (I will reference it as #3664), hence studying the fix from #3664 most likely won't help you.

In #3664, the problem occurs when using SAML 2 authentication with attribute consent, and no additional delegation is involved.

In your case, the problem occurs when using OIDC authentication with OAuth consent, and there is SAML 2 delegation used.

As you can see from the color, the triggers for the above 2 issues are very different, so looking at #3664 is likely not going to give you the fix you need.

As for how to find your fix: OIDC authentication had a big revamp from 5.2.x to 5.3.x, especially how the flow works, so I think you should actually look at what changed in OIDC authentication; that is more likely to help you find the fix.

One more thing, if you can also provide the debug log to the group, that might also help finding out the issue.

And unfortunately I don't have an SAML 2 delegation setup on my PC, so I can help debug your problem. Need to see if others in this group can help you.

- Andy
[cas-user] CAS 5.3.7 IDP Metadata creation
Hi,

We are in the process of trying to migrate some of our SAML related logins across to CAS when we noticed that not all the endpoints are actually defined in the metadata file. Upon further investigation we found that the template file that is used to generate the metadata file is missing the two endpoints as well.

These two endpoints are missing from both the generated metadata file and the template file.

/idp/profile/SAML2/Redirect/SLO
/idp/profile/SAML2/Unsolicited/SSO

Is there any reason why these are missing from the template file?

The now is that the template file is stored with a jar and the location is hard coded to be on the class path. Can the template XML be externalised? We would prefer not to have to alter the metadata file once generated.

Regards,
Colin