Re: [cas-user] Cannot deploy cas-overlay 6.4 in external Tomcat 9.0.59

2022-03-15 Thread Ray Bon
Adam,

I do not have cas-server-webapp in my build.gradle. Try removing it. The 
project should be functional without having to make any modifications.

Note, if you are just starting a deployment, use version 6.5

Ray


On Tue, 2022-03-15 at 03:59 -0700, Adam Cooney wrote:

Hi,

We're having some trouble deploying the v6.4 of the overlay in an external 
tomcat. Currently we have:

Added to the gradle dependencies:
implementation "org.apereo.cas:cas-server-webapp:${project.'cas.version'}"

Modified gradle.properties to remove the embedded container:

appServer=

Ran "./gradlew clean build" to make the war and then put it into the Tomcat 
webapps directory. At the moment, the output is:

Mar 11, 2022 12:57:59 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive 
[/home/adam/ApacheTomcat/webapps/cas.war]
Mar 11, 2022 12:58:06 PM org.apache.jasper.servlet.TldScanner scanJars
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug 
logging for this logger for a complete list of JARs that were scanned but no 
TLDs were found in them. Skipping unneeded JARs during scanning can improve 
startup time and JSP compilation time.
Mar 11, 2022 12:58:07 PM org.apache.catalina.core.ApplicationContext log
INFO: 1 Spring WebApplicationInitializers detected on classpath
Mar 11, 2022 12:58:07 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deployment of web application archive 
[/home/adam/ApacheTomcat/webapps/cas.war] has finished in [7,782] ms
Mar 11, 2022 1:01:47 PM org.apache.catalina.users.MemoryUserDatabase 
backgroundProcess

I have limited experience so far using spring boot but it looks to me like 
spring boot isn't even running. If I go to the application at 
localhost:PORT/cas/ I see a 404 page:


Type Status Report

Message The requested resource [/cas/] is not available

Description The origin server did not find a current representation for the 
target resource or is not willing to disclose that one exists.

The application does run fine using the embedded Tomcat, but we would like to 
run them in externalised ones. Are we missing something obvious? I also noted 
the MANIFEST.MF contains:

Manifest-Version: 1.0
Main-Class: org.springframework.boot.loader.WarLauncher
Start-Class: org.apereo.cas.web.CasWebApplication
Spring-Boot-Version: 2.5.4
Spring-Boot-Classes: WEB-INF/classes/
Spring-Boot-Lib: WEB-INF/lib/
Spring-Boot-Layers-Index: WEB-INF/layers.idx

Any help would be appreciated - we have also tried in Tomcat 10.0.17 but have 
not tried any other CAS versions of the overlay other than 6.4. We were 
following these instructions: 
https://apereo.github.io/cas/6.4.x/installation/Configuring-Servlet-Container-External.html

Regards

Adam

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/eac8bb0ff8e8d5bc026bb6bf3555b6c458a6b26d.camel%40uvic.ca.
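A sanity check for the built WAR, as an added example that is not part of this thread or of the CAS project. It assumes what the overlay's build.gradle does with appServer (the web application artifact is resolved as cas-server-webapp${appServer}, so an empty value selects the plain cas-server-webapp that the overlay already pulls in and that Ray refers to, while -tomcat selects the embedded-Tomcat flavour) and that Spring Boot's bootWar packages providedRuntime container jars under WEB-INF/lib-provided, which an external servlet container does not load. It reports a WAR that packages a container-specific webapp artifact, more than one webapp artifact, embedded-container jars directly under WEB-INF/lib, or a manifest without the Spring Boot WAR launcher entries shown in Adam's message. The two sample WARs are constructed in a temporary directory. It does not diagnose the 404 itself; a Spring context that fails during startup is reported in Tomcat's own localhost.YYYY-MM-DD.log and catalina.out rather than in the deployWAR lines quoted above.

```python
"""Sanity-check a CAS overlay WAR before deploying it to an external Tomcat.

Added example, not code from the CAS project or from the thread. Assumptions:
the overlay resolves the web application artifact as
cas-server-webapp${appServer} (appServer=-tomcat -> cas-server-webapp-tomcat,
empty appServer -> plain cas-server-webapp), and Spring Boot's bootWar places
providedRuntime container jars under WEB-INF/lib-provided/, which a servlet
container ignores. The sample WARs below are constructed in a temp directory.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# cas-server-webapp-6.4.6.jar (container=None) or cas-server-webapp-tomcat-6.4.6.jar
WEBAPP_JAR = re.compile(
    r"^WEB-INF/lib/cas-server-webapp(?:-(?P<container>tomcat|jetty|undertow))?-\d[^/]*\.jar$")
# Embedded container jars; only those under WEB-INF/lib/ are loaded by an external container.
EMBEDDED_JAR = re.compile(
    r"^WEB-INF/(?P<dir>lib|lib-provided)/(?:tomcat-embed|jetty-server|undertow-core)[^/]*\.jar$")

# Constructed manifest with the same launcher entries as the one quoted in the thread.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\n"
    "Main-Class: org.springframework.boot.loader.WarLauncher\n"
    "Start-Class: org.apereo.cas.web.CasWebApplication\n"
    "Spring-Boot-Version: 2.5.4\n"
    "Spring-Boot-Classes: WEB-INF/classes/\n"
    "Spring-Boot-Lib: WEB-INF/lib/\n\n"
)


def parse_manifest(text):
    """Return the main-section attributes of a MANIFEST.MF (handles continuation lines)."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break                      # a blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]    # continuation of the previous attribute
        else:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def inspect_war(path):
    """Return manifest attributes, packaged webapp jars and a list of findings."""
    with zipfile.ZipFile(path) as war:
        names = war.namelist()
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(war.read("META-INF/MANIFEST.MF").decode("utf-8"))
    webapp = {n: WEBAPP_JAR.match(n).group("container") for n in names if WEBAPP_JAR.match(n)}
    embedded_in_lib = [n for n in names
                       if EMBEDDED_JAR.match(n) and EMBEDDED_JAR.match(n).group("dir") == "lib"]
    findings = []
    if len(webapp) > 1:
        findings.append("more than one cas-server-webapp artifact packaged: " + ", ".join(sorted(webapp)))
    for jar, container in sorted(webapp.items()):
        if container:
            findings.append(f"{jar} is the {container} embedded-container webapp; "
                            "use an empty appServer for an external container")
    if embedded_in_lib:
        findings.append("embedded container jars under WEB-INF/lib (not lib-provided): "
                        + ", ".join(embedded_in_lib))
    if manifest.get("Main-Class") != "org.springframework.boot.loader.WarLauncher" \
            or "Start-Class" not in manifest:
        findings.append("manifest lacks the Spring Boot WAR launcher entries (Main-Class/Start-Class)")
    return {"manifest": manifest, "webapp_jars": sorted(webapp), "findings": findings}


def build_sample_war(path, entries, manifest=SAMPLE_MANIFEST):
    """Write a constructed WAR whose jar entries are placeholders (example data only)."""
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("META-INF/MANIFEST.MF", manifest)
        for name in entries:
            war.writestr(name, b"placeholder")
    return path


def demo():
    """Build one clean and one misassembled WAR and inspect both."""
    tmp = Path(tempfile.mkdtemp())
    clean = build_sample_war(tmp / "cas-clean.war", [
        "WEB-INF/lib/cas-server-webapp-6.4.6.jar",
        "WEB-INF/lib-provided/tomcat-embed-core-9.0.58.jar",
    ])
    bad = build_sample_war(tmp / "cas-bad.war", [
        "WEB-INF/lib/cas-server-webapp-6.4.6.jar",
        "WEB-INF/lib/cas-server-webapp-tomcat-6.4.6.jar",
        "WEB-INF/lib/tomcat-embed-core-9.0.58.jar",
    ])
    return inspect_war(clean), inspect_war(bad)


if __name__ == "__main__":
    for report in demo():
        print(report["webapp_jars"], report["findings"] or "no findings")
```

Point inspect_war at build/libs/cas.war after ./gradlew clean build; an empty findings list means the WAR at least has the shape an external container expects.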


[cas-user] Cannot deploy cas-overlay 6.4 in external Tomcat 9.0.59

2022-03-15 Thread Adam Cooney
Hi,

We're having some trouble deploying the v6.4 of the overlay in an external 
tomcat. Currently we have:

Added to the gradle dependencies:
implementation "org.apereo.cas:cas-server-webapp:${project.'cas.version'}"

Modified gradle.properties to remove the embedded container:

appServer=

Ran "./gradlew clean build" to make the war and then put it into the Tomcat 
webapps directory. At the moment, the output is:

Mar 11, 2022 12:57:59 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive 
[/home/adam/ApacheTomcat/webapps/cas.war]
Mar 11, 2022 12:58:06 PM org.apache.jasper.servlet.TldScanner scanJars
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable 
debug logging for this logger for a complete list of JARs that were scanned 
but no TLDs were found in them. Skipping unneeded JARs during scanning can 
improve startup time and JSP compilation time.
Mar 11, 2022 12:58:07 PM org.apache.catalina.core.ApplicationContext log
INFO: 1 Spring WebApplicationInitializers detected on classpath
Mar 11, 2022 12:58:07 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deployment of web application archive 
[/home/adam/ApacheTomcat/webapps/cas.war] has finished in [7,782] ms
Mar 11, 2022 1:01:47 PM org.apache.catalina.users.MemoryUserDatabase 
backgroundProcess

I have limited experience so far using spring boot but it looks to me like 
spring boot isn't even running. If I go to the application at 
localhost:PORT/cas/ I see a 404 page:

*Type* Status Report

*Message* The requested resource [/cas/] is not available

*Description* The origin server did not find a current representation for 
the target resource or is not willing to disclose that one exists.

The application does run fine using the embedded Tomcat, but we would like 
to run them in externalised ones. Are we missing something obvious? I also 
noted the MANIFEST.MF contains:

Manifest-Version: 1.0
Main-Class: org.springframework.boot.loader.WarLauncher
Start-Class: org.apereo.cas.web.CasWebApplication
Spring-Boot-Version: 2.5.4
Spring-Boot-Classes: WEB-INF/classes/
Spring-Boot-Lib: WEB-INF/lib/
Spring-Boot-Layers-Index: WEB-INF/layers.idx
Any help would be appreciated - we have also tried in Tomcat 10.0.17 but 
have not tried any other CAS versions of the overlay other than 6.4. We 
were following these instructions: 
https://apereo.github.io/cas/6.4.x/installation/Configuring-Servlet-Container-External.html

Regards

Adam



[cas-user] Re: Cas v6.4+ exception with mfa-webauthn

2022-03-15 Thread John
I got the same error too for web-authn, although we haven't deployed 
web-authn because I cannot seem to get multiple providers to work and let 
the user decide, at all, using any type of triggers

On Sunday, March 13, 2022 at 11:36:15 PM UTC-5 Benjamin Somers wrote:

> Hi,
> I am configuring CAS for the webauthn MFA and as soon as a user tries to 
> do the registration, they receive an error. You can find below the 
> stacktrace corresponding to the error (the exception occurs as soon as the 
> user clicks on the webauthn button on the provider selection screen). I 
> have tried both v6.4 and v6.5. Am I missing something?
> Thanks in advance
> Ben
>
> mars 13 22:18:51 casimir cas.war[15255]: 
> =
> mars 13 22:18:51 casimir cas.war[15255]: WHO: audit:unknown
> mars 13 22:18:51 casimir cas.war[15255]: WHAT: {principal=XX, 
> execution=true, provider=mfa-webauthn}
> mars 13 22:18:51 casimir cas.war[15255]: ACTION: 
> MULTIFACTOR_AUTHENTICATION_BYPASS
> mars 13 22:18:51 casimir cas.war[15255]: APPLICATION: CAS
> mars 13 22:18:51 casimir cas.war[15255]: WHEN: Sun Mar 13 22:18:51 CET 2022
> mars 13 22:18:51 casimir cas.war[15255]: CLIENT IP ADDRESS: XX.XX.XX.XX
> mars 13 22:18:51 casimir cas.war[15255]: SERVER IP ADDRESS: YY.YY.YY.YY
> mars 13 22:18:51 casimir cas.war[15255]: 
> =
> mars 13 22:18:51 casimir cas.war[15255]: >
> mars 13 22:18:51 casimir cas.war[15255]: 2022-03-13 22:18:51,791 WARN 
> [org.apereo.cas.web.flow.executor.EncryptedTranscoder] - 
> 
> mars 13 22:18:51 casimir cas.war[15255]: java.io.NotSerializableException: 
> java.util.Optional
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1185) ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:349) ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.util.HashMap.internalWriteEntries(HashMap.java:1858) ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.util.HashMap.writeObject(HashMap.java:1412) ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> jdk.internal.reflect.GeneratedMethodAccessor149.invoke(Unknown Source) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>  
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectStreamClass.invokeWriteObject(ObjectStreamClass.java:1145) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1497) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1433) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1179) ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1553) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.defaultWriteObject(ObjectOutputStream.java:442) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> org.springframework.webflow.core.collection.LocalAttributeMap.writeObject(LocalAttributeMap.java:333)
>  
> ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> jdk.internal.reflect.GeneratedMethodAccessor187.invoke(Unknown Source) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>  
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectStreamClass.invokeWriteObject(ObjectStreamClass.java:1145) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1497) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1433) 
> ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1179) ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:349) ~[?:?]
> mars 13 22:18:51 casimir cas.war[15255]: at 
> org.springframework.webflow.engine.impl.FlowSessionImpl.writeExternal(FlowSessionImpl.java:162)
>  
> ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
> 

Re: [cas-user] Re: CAS 6.4.0, CAS 6.4.0-RC6 and CAS 6.4.0-RC5 : Issues with OIDC

2022-03-15 Thread Catalin
Hi,

I'm having the same problem with: java.lang.IllegalArgumentException: 
Unable to locate authentication profile

In cas properties:

cas.authn.oidc.core.issuer=https://catalin-pc.local/cas/oidc

The JSON service registry (I have only this):

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "clientId" : "client_id",
  "clientSecret" : "client_secret",
  "serviceId" : "^(https?)://.*",
  "name" : "Oauth2OIDC",
  "id" : 103935657744184,
  "evaluationOrder" : 1,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}


The client app/service is using Spring Boot (2.5.5) / Spring Security.

The application.yml (please ignore the formatting of the yml):

debug: false
spring:
  security:
    oauth2:
      client:
        registration:
          cas:
            client-id: client_id
            client-secret: client_secret
            authorization-grant-type: authorization_code
            client-authentication-method: client_secret_basic
            scope: openid, profile
          github:
            client-id: 
            client-secret: .
        provider:
          cas:
            issuer-uri: https://catalin-pc.local/cas/oidc


Spring Security config below (as simple as possible):

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

@Configuration
@EnableWebSecurity
public class WebPortalSecurity extends WebSecurityConfigurerAdapter {

    @Autowired
    private ClientRegistrationRepository clientRegistrationRepository;

    @Override
    public void configure(HttpSecurity http) throws Exception {

        // I tried here to specify the CAS login page (here I'm getting that the
        // service is not authorized to use CAS)
        // http.authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().authenticated())
        //     .oauth2Login(oauth2 -> oauth2.loginPage(
        //         "https://catalin-pc.local/cas/login?service=https://catalin-pc.local/web-portal"));

        // with this code it will redirect me to /oidc/oidcAuthorize?response_type=code and
        // will end up in the "profile not found" error -> debugging into the code I was seeing
        // that this profile is somehow pac4j related??? (I also tried to integrate pac4j when
        // doing the log in, but it did not help)
        http.authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().authenticated())
            .oauth2Login();
    }
}


On the CAS side I have a dumb implementation of 
AbstractUsernamePasswordAuthenticationHandler:

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(
        UsernamePasswordCredential upc, String originalPassword)
        throws GeneralSecurityException, PreventedException {
    final String username = upc.getUsername();
    final String password = upc.getPassword();

    // generic types restored (they were stripped by the mail archive);
    // the principal factory takes Map<String, List<Object>>
    final HashMap<String, List<Object>> attributes = new HashMap<>();
    final ArrayList<Object> value = new ArrayList<>();
    // put some dummy attributes here
    attributes.put("profile", value);
    value.add("oidc profile");

    return createHandlerResult(upc, this.principalFactory.createPrincipal(username, attributes));
}



this.context.getRequestAttribute("pac4jUserProfiles").ifPresent((requestAttribute) -> {
    profiles.putAll((Map) requestAttribute);
});
here that attribute definitely is not present on my flow, hence ending up 
in the error...

The profile will try to be returned like this: (this is pac4j related 
code). I tried to integrate a pac4j authentication like this: 
https://apereo.github.io/cas/development/authentication/Pac4j-Authentication.html#overview
I'm only interested now in the happy flow, so that with that dumb 
authenticator, similar with my simplified one that does no checks

Things to note:


   - I tried to minimize things so I removed any page changes we had or 
   other custom things to keep CAS as close to the overlay template that is 
   being provided
   - I tried some 6.4.X versions, 6.5.1, and 6.6.0-RC1 (same issue), I 
   wanted to try the latest version of 6.3.X but there were some issues with 
   java17 and the spring version
   - From the above app/service spring security configuration, I'm able to 
   do a login with github (the flow seems to be similar, it goes to that 
   authorize, and if I'm not logged in in github, I'm seeing the github login 
   page)
   - I can authenticate to https://.../cas/login -> with the code 
   provided above, as well I'm seeing those attributes in the principal and I'm 
   seeing the authentication
   - If I try to authenticate like this: 
   https://.../cas/login?service=https:// 
   then I'm getting Application Not Authorized to Use CAS, even though 
   in the service registry I added a broader pattern to match the service id: 
   ^(https?)://.*
   - If I try to access the app directly, then I get this: 
   - .well-known works properly,
   - java.lang.IllegalArgumentException: Unable to locate authentication 
   profile at 
   

Re: [cas-user] Could not locate LDAP attribute [phone] for ......

2022-03-15 Thread Frédéric Lohier
Hello,

I also had this issue in 6.4.x. I had to set the property
cas.authn.pm.reset.sms.attribute-name= to fix this even if I do not use the
SMS reset feature. It feels like a bug but I did not investigate any further.

-Frederic

On Tue, Mar 15, 2022 at 3:56 PM stonej  wrote:

> Hello,
>
> Using CAS 6.5.1, active directory authentication.  Trying to get password
> reset working and showing this error :
>
> WARN [org.apereo.cas.pm.LdapPasswordManagementService] - <Could not locate LDAP attribute [phone] for
> [CN=user1,OU=x,DC=test,DC=test,DC=test,DC=test]>
>
> My config details are:
>
> cas.authn.pm.reset.mail.attribute-name=mail
> cas.authn.pm.reset.mail.from=x@xx
> cas.authn.pm.reset.mail.subject=Password Reset Request
> # Used to sign/encrypt the password-reset link
> cas.authn.pm.reset.crypto.enabled=true
> cas.authn.pm.reset.crypto.encryption.key-size=512
> cas.authn.pm.reset.crypto.signing.key-size=512
> cas.authn.pm.reset.crypto.strategy-type=ENCRYPT_AND_SIGN
>
> Ldap Attributes :
>
> cas.authn.ldap[0].principalAttributeList=mail,sn,sAMAccountName:eppn,givenName,OU,cn,sn
>
>
> I cannot see where it is finding Phone, am I missing something ?
>
> Thanks
>
>
>



[cas-user] Could not locate LDAP attribute [phone] for ......

2022-03-15 Thread stonej
Hello,

Using CAS 6.5.1, active directory authentication.  Trying to get password 
reset working and showing this error :

WARN [org.apereo.cas.pm.LdapPasswordManagementService] - <Could not locate LDAP attribute [phone] for [CN=user1,OU=x,DC=test,DC=test,DC=test,DC=test]>

My config details are:

cas.authn.pm.reset.mail.attribute-name=mail
cas.authn.pm.reset.mail.from=x@xx
cas.authn.pm.reset.mail.subject=Password Reset Request
# Used to sign/encrypt the password-reset link
cas.authn.pm.reset.crypto.enabled=true
cas.authn.pm.reset.crypto.encryption.key-size=512
cas.authn.pm.reset.crypto.signing.key-size=512
cas.authn.pm.reset.crypto.strategy-type=ENCRYPT_AND_SIGN

Ldap Attributes :
cas.authn.ldap[0].principalAttributeList=mail,sn,sAMAccountName:eppn,givenName,OU,cn,sn


I cannot see where it is finding Phone, am I missing something ?

Thanks




[cas-user] how can i hide metadata which was listed in Authentication tab ?

2022-03-15 Thread artur mis
Dear Buddies,

  I have got v6.4.x and I'm seeking a solution for how to hide, via 
cas.properties, some metadata, i.e. serverIpAddress?

Regards AM



Re: [cas-user] Password does not match the password policy requirement.

2022-03-15 Thread stonej
I did upgrade from 6.5.0 but have updated the policy pattern to :

cas.authn.pm.core.password-policy-pattern=^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[$@$!%*?&])[A-Za-z\d$@$!%*?&]{8,20}

Also having issues with emailing from password management, but may have to 
log that as a separate query

Thanks

On Tuesday, March 15, 2022 at 8:33:50 AM UTC Łukasz Woźniak wrote:

> You've upgrade or have new fresh version? I've got similar problem but I'm 
> upgrading instance from 6.3.7. And there was change in the template and 
> policyPattern was null, because it was changed to passwordPolicyPattern. 
> Check the template if You override it.
>
> On Tue, 15 Mar 2022 at 00:25, stonej wrote:
>
>> Hello All,
>>
>> I am using CAS 6.5.1 and using the password management add on.  It all 
>> works fine with picking up the AD password expired setting, but I cannot 
>> seem to get a good password.
>>
>> It asks for 1 lowercase, 1 uppercase, 1 number and 1 special character 
>> but no matter what I try i comes up that the password does not match 
>> requirements.
>>
>> Any help ?
>> Thanks
>>
>>
>>
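An added check, not CAS code and not from any message in this thread, that runs candidate passwords against the pattern stonej posted, reports which requirement fails, and shows one caveat worth ruling out when every attempt is rejected: if cas.authn.pm.core.password-policy-pattern is read from a Java .properties file, java.util.Properties silently drops the backslash before any character that is not a recognised escape, so \d becomes a literal d unless it is written as \\d (or the setting is moved to a YAML file). The example assumes CAS applies the pattern to the whole password (Java String.matches semantics, mirrored here with re.fullmatch) and assumes the Spring Boot .properties loader used by CAS follows the same backslash rule as java.util.Properties. Separately, the final character class only admits the listed specials, so a password containing # or _ is rejected even when all four required classes are present.

```python
"""Check candidate passwords against the posted password-policy pattern.

Added example, not CAS code. Assumes CAS matches the whole password (Java
String.matches), so re.fullmatch is used; Python and java.util.regex agree on
this pattern's syntax. properties_unescape reproduces java.util.Properties
value unescaping (assumed to also describe the Spring Boot .properties loader)
to show what the pattern becomes when the backslash in \d is not doubled.
"""
import re

# Pattern exactly as posted in the thread.
POSTED_PATTERN = r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[$@$!%*?&])[A-Za-z\d$@$!%*?&]{8,20}"
# Every character the pattern's final class admits.
ALLOWED_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789$@!%*?&")
_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def properties_unescape(raw):
    """Apply java.util.Properties value unescaping to text read from a .properties file."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        i += 1
        if i >= len(raw):
            break                         # a trailing backslash is dropped
        nxt = raw[i]
        if nxt == "u":                    # \uXXXX unicode escape
            out.append(chr(int(raw[i + 1:i + 5], 16)))
            i += 5
        else:                             # \t \n \r \f; any other char keeps only itself
            out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
            i += 1
    return "".join(out)


def password_matches(pattern, password):
    """Whole-string match, like Java's String.matches."""
    return re.fullmatch(pattern, password) is not None


def disallowed_chars(password, allowed=ALLOWED_CHARS):
    """Characters the pattern's final character class rejects outright."""
    return sorted(set(password) - allowed)


def explain(password, pattern=POSTED_PATTERN):
    """Per-requirement breakdown, useful when every attempt is rejected."""
    return {
        "lowercase": re.search(r"[a-z]", password) is not None,
        "uppercase": re.search(r"[A-Z]", password) is not None,
        "digit": re.search(r"\d", password) is not None,
        "special": re.search(r"[$@!%*?&]", password) is not None,
        "length_ok": 8 <= len(password) <= 20,
        "disallowed": disallowed_chars(password),
        "accepted": password_matches(pattern, password),
    }


if __name__ == "__main__":
    for pw in ("Abcdef1!", "Abcdef1#", "Abcdefg!"):
        print(pw, explain(pw))
    unescaped = properties_unescape(POSTED_PATTERN)
    print("pattern after .properties unescaping:", unescaped)
    for pw in ("Abcdef1!", "Abcdefg!"):
        print(pw, "accepted by unescaped pattern:", password_matches(unescaped, pw))
```

With the unescaped pattern, Abcdef1! is rejected because digits are no longer in the final class, while Abcdefg! (no digit at all, but it contains the letter d) is accepted; if that matches what you see, double the backslashes in cas.properties.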


Re: [cas-user] How to configure TST ticket used in reset password management workflow for high availability ?

2022-03-15 Thread Jérôme Steve
Lukas,

Thanks for your reply and confirmation ! I will do that.
Last question, is your redis cluster in Sentinel mode ?

Jérôme.

On Tue, 15 Mar 2022 at 09:35, Łukasz Woźniak wrote:

> We have CAS on 5 pods in K8s and we are using Spring Session in Redis. It works
> well.
>
> Lukas
>
> On Sat, 12 Mar 2022 at 09:50, Jérôme Steve wrote:
>
>> Ray,
>>
>> Thank you for your reply. Unfortunately not.
>> Maybe I should have cached the webflow session ? But I'm not sure if this
>> ticket is stored inside it or not.
>>
>> Jérôme.
>>
>> On Fri, 11 Mar 2022 at 20:01, Ray Bon wrote:
>>
>>> Jérôme,
>>>
>>> Is it possible for you to set your load balancer to sticky sessions for
>>> cas?
>>>
>>> Ray
>>>
>>> On Fri, 2022-03-11 at 08:52 -0800, ste wrote:
>>>
>>>
>>> Hi,
>>>
>>> TST ticket used in reset password management workflow is store in
>>> session (webflow ?).
>>>
>>> So it isn't working in a multi-node architecture for high availability.
>>> Is there a way to store it in cached storage like the other tickets? Or change
>>> it to use another ticket?
>>>
>>> Thanks,
>>> Jérôme.
>>>



[cas-user] redirect to CAS cache control

2022-03-15 Thread Kapetanakis Giannis
Hi,

We've recently moved our CAS server to a new server/URL.

We've updated our web-sites/application to point to the new URL.

However we're still seeing clients hitting the old CAS server.
My guess is that the 302 redirect is cached on the client's web browser. Does 
this stand?

How do you manage this on your applications?

In at least one site (apache) I've added
   Header unset Pragma
   Header unset Cache-Control

but this does not affect some of the clients.

G

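An added example, not from the message above and not CAS code, that decides whether a browser may reuse a cached redirect to the old CAS URL. Per RFC 7231 section 6.1 (and RFC 7538 for 308), a 301 or 308 may be stored with no freshness headers at all, while a 302 or 307 is stored only when the response carries explicit freshness (Cache-Control max-age or s-maxage, or Expires); Cache-Control: no-store forbids storing, and no-cache forbids reuse without revalidation. That makes "Header unset Cache-Control" the wrong direction for this problem: it removes the one directive that would stop a cache from keeping the redirect. The header sets below are constructed for the example. For redirects the application still issues, the fix is Cache-Control: no-store on the redirect response; a 301 that a client has already stored can only be discarded on the client side, or outlived by keeping the old CAS hostname answering with a redirect to the new one.

```python
"""Decide whether a browser may reuse a cached redirect to a CAS login URL.

Added example (not from the thread, not CAS code). Rules: RFC 7231 section 6.1
lists the status codes a cache may store without explicit freshness information
(301 among them; RFC 7538 adds 308); any other status, 302 and 307 included, is
stored only when the response carries explicit freshness (Cache-Control max-age
or s-maxage, or Expires). no-store forbids storing altogether and no-cache
forbids reuse without revalidation. All header values below are constructed.
"""

HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}


def parse_cache_control(value):
    """Parse 'max-age=3600, private' into {'max-age': '3600', 'private': None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def redirect_is_cacheable(status, headers):
    """Return (cacheable, reason) for a redirect response with these headers.

    An Expires header counts as explicit freshness without checking whether the
    date is already in the past, which is enough for reviewing header policy.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(hdrs.get("cache-control", ""))
    if "no-store" in cc:
        return False, "Cache-Control: no-store forbids storing the response"
    if "no-cache" in cc:
        return False, "Cache-Control: no-cache forbids reuse without revalidation"
    if "max-age" in cc or "s-maxage" in cc or "expires" in hdrs:
        return True, "explicit freshness: the redirect is reused until it expires"
    if status in HEURISTICALLY_CACHEABLE:
        return True, f"{status} may be stored even without any freshness headers"
    return False, f"{status} without explicit freshness is not stored"


def harden_redirect_headers(headers):
    """Headers an application should send on its redirect to CAS so it is never reused."""
    out = dict(headers)
    out["Cache-Control"] = "no-store"
    out["Pragma"] = "no-cache"       # only matters to HTTP/1.0-era caches
    return out


LOGIN = "https://old-cas.example.org/cas/login?service=https%3A%2F%2Fapp.example.org%2F"

# Constructed responses an application might have been sending to the old CAS host.
SAMPLES = {
    "302, no caching headers": (302, {"Location": LOGIN}),
    "302 with max-age": (302, {"Location": LOGIN, "Cache-Control": "max-age=86400"}),
    "301 with Cache-Control: no-store": (301, {"Location": LOGIN, "Cache-Control": "no-store"}),
    "301 after 'Header unset Cache-Control'": (301, {"Location": LOGIN}),
    "302 hardened": (302, harden_redirect_headers({"Location": LOGIN})),
    "301 hardened": (301, harden_redirect_headers({"Location": LOGIN})),
}


def review(samples=SAMPLES):
    """Map each sample name to its (cacheable, reason) verdict."""
    return {name: redirect_is_cacheable(status, hdrs) for name, (status, hdrs) in samples.items()}


if __name__ == "__main__":
    for name, (cacheable, reason) in review().items():
        print(f"{name:40s} cacheable={cacheable}  {reason}")
```

To check a live application, feed the status and headers of its actual redirect (curl -sI on a protected URL) into redirect_is_cacheable.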


[cas-user] Re: CAS v6.4 problem with OIDC claim name mappings in the ID Token

2022-03-15 Thread Jae Liu
Hi John,

I removed the claims-map in config and following are my 
attributeReleasePolicy

  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ChainingAttributeReleasePolicy
    policies:
    [
      java.util.ArrayList
      [
        {
          @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
          principalAttributesRepository:
          {
            @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
            mergingStrategy: REPLACE
            ignoreResolvedAttributes: false
          }
          order: 0
          allowedAttributes:
          [
            java.util.ArrayList
            [
              mail
              displayName
              sAMAccountName
              userPrincipalName
            ]
          ]
        }
        {
          @class: org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
          allowedAttributes:
          {
            @class: java.util.TreeMap
            email: groovy { return attributes[ 'mail' ].get(0) }
            email_verified: groovy { if(!attributes[ 'mail' ].isEmpty() && attributes[ 'mail' ].get(0).endsWith('@.com')){ return true } else { return false } }
            name: groovy { return attributes[ 'displayName' ].get(0) }
            nickname: groovy { return attributes[ 'sAMAccountName' ].get(0) }
            preferred_username: groovy { return attributes[ 'userPrincipalName' ].get(0) }
          }
          principalAttributesRepository:
          {
            @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
            mergingStrategy: REPLACE
            ignoreResolvedAttributes: false
          }
          order: 1
        }
      ]
    ]
    mergingPolicy: REPLACE
    order: 0
  }

also removed the scopes:

  scopes:
  [
    java.util.HashSet
    []
  ]


On Wednesday, March 9, 2022 at 23:47:15 UTC+8, wrote:

> Hi Jae,
>
> Thanks for the reply, are you able to share any of your config?
>
> In my case both the IDToken and the userinfo endpoint contain claims such 
> as `mail` and `cn`. But the `claims-map` only seems to work for the 
> userinfo endpoint, which returns both claims `mail` and `email` and `cn` 
> and `name`, though I would have not expected it to include both the 
> original CAS attribute (from LDAP such as cn) and the mapped claim (such as 
> email) and think in versions prior to v6.4 it returned only `email` as a 
> claim name for that particular value.
>
> so the attributes in your claims-map do not have value, so the IDToken 
>> does have value.
>
>
> In my claim-map I'm mapping `cn` to `name`. The IDToken we receive does 
> include `cn` as a claim. Based on my mapping settings, I would have 
> expected the claim name to be `name` and not `cn` both in the IDToken and 
> in the userinfo endpoint and this is how it worked prior to v6.4.
>
> John
>
> On Tue, Mar 8, 2022 at 5:55 PM Jae Liu  wrote:
>
>> I used CAS v6.4 it's ok for me.
>>
>> I think there something wrong with your configuration. You defined the 
>> scopes (scopes=openid,profile,emai), CAS will use these as attributes 
>> release policy, the scopes email will only release attributes email and 
>> email_verified, profile will release name, given_name. family_name, so the 
>> attributes in your claims-map do not have value, so the IDToken does have 
>> value.
>>
>>> On Tuesday, January 11, 2022 at 12:28:01 UTC+8, wrote:
>>
>>> In CAS v6.3 (up to and including v6.3.7.4) we used the 
>>> `cas.authn.oidc.claims-map` properties to map our LDAP attribute names to 
>>> the standard claim names. This mapping worked for both the ID Token and the 
>>> UserInfo (`/profile`) endpoint.
>>>
>>> Here are the relevant properties we have set:
>>>
>>> ```
>>> cas.authn.oidc.discovery.scopes=openid,profile,email
>>> cas.authn.oidc.discovery.claims=sub,name,family_name,given_name,email
>>> cas.authn.oidc.core.claims-map.email=mail
>>> cas.authn.oidc.core.claims-map.name=cn
>>> cas.authn.oidc.core.claims-map.family_name=sn
>>> cas.authn.oidc.core.claims-map.given_name=givenName
>>> ```
>>>
>>> This mapping is no longer working in CAS v6.4 (and also tested in the 
>>> latest v6.4.4.2) for the generated ID Token. Our ID Token claims no longer 
>>> contain the mapped names but instead contain the LDAP attribute names such 
>>> as `mail`, `cn`, etc. The UserInfo endpoint does correctly contain the 
>>> mapped claim names.
>>>
>>> As a possible workaround, I tried using a service definition that 
>>> included an `attributeReleasePolicy` using the 
>>> `ReturnMappedAttributeReleasePolicy` class, but that had no effect on the ID 
>>> Token claim names.
>>>
>>> I have reviewed all the OIDC settings and didn't spot anything that 
>>> looks like it would address this issue.
>>>
>>> Any help/advice would be appreciated,
>>> John
>>>
>>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: 

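As an added example (not CAS code), the following models how the scope-driven release described in Jae Liu's reply and the `cas.authn.oidc.core.claims-map` properties from John's post are expected to combine; the scope-to-claim table is the one stated in the thread, the principal attributes are constructed sample data, and the subject value is passed in separately because the thread does not say where `sub` comes from.

```python
# Added example, not CAS code: a model of scope-gated claim release combined
# with a claims-map (standard claim name -> LDAP attribute name).

# Standard claims released per scope, as described in the thread.
SCOPE_CLAIMS = {
    "openid": [],  # "sub" is always added from the subject argument
    "profile": ["name", "given_name", "family_name"],
    "email": ["email", "email_verified"],
}

# claims-map from the original post: standard claim name -> LDAP attribute.
CLAIMS_MAP = {
    "email": "mail",
    "name": "cn",
    "family_name": "sn",
    "given_name": "givenName",
}

# Constructed sample principal attributes (not real data).
ATTRIBUTES = {
    "uid": "jdoe",
    "cn": "John Doe",
    "sn": "Doe",
    "givenName": "John",
    "mail": "jdoe@example.org",
}


def resolve_claims(scopes, claims_map, attributes, subject, apply_map=True):
    """Return the claims released for the requested scopes.

    apply_map=True emits standard claim names (the v6.3 behaviour the thread
    expects). apply_map=False keys each claim by its source attribute name,
    which reproduces the symptom reported for the v6.4 ID token (mail, cn, ...).
    """
    released = {"sub": subject}
    for scope in scopes:
        for claim in SCOPE_CLAIMS.get(scope, []):
            source = claims_map.get(claim, claim)  # unmapped claims keep their name
            if source not in attributes:
                continue  # e.g. email_verified has no backing LDAP attribute
            key = claim if apply_map else source
            released[key] = attributes[source]
    return released


if __name__ == "__main__":
    scopes = ["openid", "profile", "email"]
    print("expected:", resolve_claims(scopes, CLAIMS_MAP, ATTRIBUTES, "jdoe"))
    print("symptom: ", resolve_claims(scopes, CLAIMS_MAP, ATTRIBUTES, "jdoe", apply_map=False))
```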
Re: [cas-user] How to configure TST ticket used in reset password management workflow for high availability ?

2022-03-15 Thread Łukasz Woźniak
We have CAS on 5 pods in K8s and we are using Spring Session in Redis. It works
well.

Lukas

On Sat, 12 Mar 2022 at 09:50, Jérôme Steve wrote:

> Ray,
>
> Thank you for your reply. Unfortunately not.
> Maybe I should have cached the webflow session? But I'm not sure if this
> ticket is stored inside it or not.
>
> Jérôme.
>
> On Fri, 11 Mar 2022 at 20:01, Ray Bon wrote:
>
>> Jérôme,
>>
>> Is it possible for you to set your load balancer to sticky sessions for
>> cas?
>>
>> Ray
>>
>> On Fri, 2022-03-11 at 08:52 -0800, ste wrote:
>>
>> Hi,
>>
>> The TST ticket used in the reset password management workflow is stored in the
>> session (webflow?).
>>
>> So it isn't working in a multi-node architecture for high availability. Is
>> there a way to store it in cached storage like the other tickets? Or change it
>> to use another ticket?
>>
>> Thanks,
>> Jérôme.
>>



Re: [cas-user] Password does not match the password policy requirement.

2022-03-15 Thread Łukasz Woźniak
Have you upgraded, or is it a new fresh version? I've got a similar problem, but I'm
upgrading an instance from 6.3.7. There was a change in the template and
policyPattern was null, because it was changed to passwordPolicyPattern.
Check the template if you override it.

On Tue, 15 Mar 2022 at 00:25, stonej wrote:

> Hello All,
>
> I am using CAS 6.5.1 and the password management add-on.  It all
> works fine with picking up the AD password expired setting, but I cannot
> seem to get a good password.
>
> It asks for 1 lowercase, 1 uppercase, 1 number and 1 special character, but
> no matter what I try, it comes up that the password does not match the
> requirements.
>
> Any help ?
> Thanks
>
>
>
