[cas-user] Re: CAS7 bean creation override question

2024-05-07 Thread Yan Zhou
Finally figured this out. The bean seems incorrectly named in the CAS 
source code.

I will see if I can submit a fix.

Yan

On Monday, May 6, 2024 at 9:49:45 PM UTC-4 Yan Zhou wrote:

> My thought is that this bean (jdbcPasswordChangeService) is already 
> created somehow, see the logs below, but I do not know how to find out who 
> created it. I set a breakpoint in the only occurrence of this bean 
> definition, JdbcPasswordManagementConfiguration; the method does not 
> appear to be invoked in the debugger.
>
> 2024-05-06 12:23:41,783 DEBUG [restartedMain] 
> [org.springframework.beans.factory.support.DefaultListableBeanFactory] - 
>   
>  <== I have my class re-define this and the breakpoint is invoked successfully
>
> 2024-05-06 12:23:41,804 DEBUG [restartedMain] 
> [org.springframework.beans.factory.support.DefaultListableBeanFactory] - 
>   
> <== do not know who created it.
>
> 2024-05-06 12:23:41,836 DEBUG [restartedMain] 
> [org.springframework.beans.factory.support.DefaultListableBeanFactory] - 
> 
>
> any idea to find out who created this instance?
>
> On Monday, May 6, 2024 at 11:53:07 AM UTC-4 Yan Zhou wrote:
>
>> Hi,
>>
>> CAS 7.1.0 overlay: I need to override the password change implementation 
>> with my own PasswordManagementService.
>>
>> I basically want to provide my own implementation of 
>> JdbcPasswordManagementConfiguration. 
>> See QuestCasConfiguration below, 
>>
>> also defined in META-INF/spring/...AutoImports
>> org.apereo.cas.config.CasOverlayOverrideConfiguration
>> org.apereo.cas.config.QuestCasConfiguration
>>
>>
>> @EnableTransactionManagement(proxyTargetClass = false)
>> @EnableConfigurationProperties(CasConfigurationProperties.class)
>> @Configuration(value = "QuestCasConfiguration", proxyBeanMethods = false)
>> public class QuestCasConfiguration {
>>
>>     @Bean(name = "jdbcPasswordChangeService")
>>     public PasswordManagementService passwordChangeService(
>>             ...
>>             final PasswordHistoryService passwordHistoryService) {
>>         return new QuestJdbcPasswordManagementService(passwordManagementCipherExecutor,
>>             casProperties.getServer().getPrefix(), casProperties.getAuthn().getPm(),
>>             jdbcPasswordManagementDataSource,
>>             jdbcPasswordManagementTransactionTemplate, passwordHistoryService,
>>             encoder); // <=== this is NOT called
>>     }
>>
>>     @Bean(name = "jdbcPasswordManagementDataSource")
>>     public DataSource jdbcPasswordManagementDataSource(final CasConfigurationProperties casProperties) {
>>         return JpaBeans.newDataSource(casProperties.getAuthn().getJdbc().getQuery().get(0)); // <=== this is called
>>     }
>> }
>>
>> The problem is that of the two bean methods, one 
>> (jdbcPasswordManagementDataSource) is called but the other 
>> (passwordChangeService) is not, and I am not sure why. I set a breakpoint in my 
>> class to see how the code is invoked.
>>
>> This means passwordChangeService is already created somewhere else, but I 
>> cannot figure that out either. 
>>
>> I set a breakpoint in the CAS source code, JdbcPasswordManagementConfiguration, 
>> and I do not see any method stopped in the debugger when CAS starts up.
>>
>> what did I miss? here are related logs
>>
>> 2024-05-06 10:49:55,104 DEBUG [restartedMain] 
>> [org.springframework.beans.factory.support.DefaultListableBeanFactory] - 
>> > definition: replacing [Root bean: class [null]; scope=; abstract=false; 
>> lazyInit=null; autowireMode=3; dependencyCheck=0; autowireCandidate=true; 
>> primary=false; 
>> factoryBeanName=org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration$EnableWebMvcConfiguration;
>>  
>> factoryMethodName=localeResolver; initMethodNames=null; 
>> destroyMethodNames=[(inferred)]; defined in class path resource 
>> [org/springframework/boot/autoconfigure/web/servlet/WebMvcAutoConfiguration$EnableWebMvcConfiguration.class]]
>>  
>> with [Root bean: class [null]; scope=refresh; abstract=false; 
>> lazyInit=null; autowireMode=3; dependencyCheck=0; autowireCandidate=true; 
>> primary=false; factoryBeanName=CasWebAppConfiguration; 
>> factoryMethodName=localeResolver; initMethodNames=null; 
>> destroyMethodNames=[(inferred)]; defined in class path resource 
>> [org/apereo/cas/config/CasWebAppConfiguration.class]]>
>> 2024-05-06 10:49:55,107 DEBUG [restartedMain] 
>> [org.springframework.beans.factory.support.DefaultListableBeanFactory] - 
>> > with a different definition: replacing [Root bean: class [null]; 
>> scope=refresh; abstract=false; lazyInit=null; autowireMode=3; 
>> dependencyCheck=0; autowireCandidate=true; primary=false; 
>> factoryBeanName=JdbcPasswordManagementDataConfiguration; 
>> factoryMethodName=jdbcPasswordManagementDataSource; initMethodNames=null; 
>> destroyMethodNames=[(inferred)]; defined in class path resource 
>> [org/apereo/cas/config/JdbcPasswordManagementConfiguration$JdbcPasswordManagementDataConfiguration.class]]
>>  
>> with [Root bean: class [null]; scope=; abstract=false; lazyInit=null; 
>> autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false

[cas-user] Re: Error parsing incommon metadata

2024-05-07 Thread Andrew Tillinghast
Tried the suggested change, now the error is:

*ERROR
[org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade]
- https://mdq.incommon.org/entities/{0}
 to locate [EntityIdCriterion
[id=https://conncoll.reclaimhosting.com
]*

But on the upside, it fails faster.

On Fri, Feb 23, 2024 at 4:03 PM atilling  wrote:

> This is an attempt to use "serviceId": ".+" as per the blog post. Because
> it needs to be able to match any service, it would need to load the whole
> metadata, I would think. I can try to add the {0}, but I was going off the
> example in https://fawnoos.com/2019/01/18/cas61-saml2-idp-incommon/
> On Friday, February 23, 2024 at 11:22:42 AM UTC-5 David Gelhar wrote:
>
>> Rather than fetching the entire (huge) InCommon metadata aggregate for
>> each service, it might work better to use the metadata query capability
>> in your service definitions to do a dynamic query for just the specific
>> service.
>>
>> For incommon, you would put this in your service definition:
>>
>> "metadataLocation" : "https://mdq.incommon.org/entities/{0}",
>>
>>
>>
>> On Monday, February 19, 2024 at 11:34:11 AM UTC-5 atilling wrote:
>>
>>> Clarification attempting to follow
>>> https://fawnoos.com/2019/01/18/cas61-saml2-idp-incommon/+
>>>
>>> Now have 3 SPs working using the incommon metadata all with the same
>>> metadataLocation, those 3 are working fine (Equivalent to the Almond and
>>> Coco in the example) but when attempting to add the "All Others" section
>>> getting an error that the metadata can't be parsed. Is there an issue with
>>> memory or something similar?
>>> On Friday, February 2, 2024 at 1:42:16 PM UTC-5 atilling wrote:
>>>
 Trying to add a service provider from InCommon. I have one service
 provider working but get an error when trying to access a second one:

 2024-02-02 11:49:20,456 INFO
 [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.UrlResourceMetadataResolver]
 - >>> path
 [/etc/cas/saml/idp/metadata-backups/382b60a9f8c9677793e7711043ee8d9805fe2572.xml].>

 2024-02-02 11:49:23,410 INFO
 [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver]
 - >>> https://md.incommon.org/InCommon/InCommon-metadata.xml]; metadata
 signature validation will not be invoked>

 2024-02-02 11:49:42,961 INFO
 [org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver]
 - >>> https://md.incommon.org/InCommon/InCommon-metadata.xml]>

 2024-02-02 11:49:43,080 WARN
 [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver]
 - >>> [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver] obtained
 from the cache is unable to produce/resolve valid metadata from [
 https://md.incommon.org/InCommon/InCommon-metadata.xml]. Metadata
 resolver cache entry with key
 [ec3dbe763cb47bb5fb789f5daa2842e8fb8c7a8d76ae088017c5c20b2cdfe23d0406b562f2b6af931fbe2e4dce97fd1f7e2edf784be65dcc4c652eab1b37d147]
 has been invalidated. Retry attempt: [2]>

 *2024-02-02 11:49:43,080 ERROR
 [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade]
 - >>> https://md.incommon.org/InCommon/InCommon-metadata.xml
  to locate
 [EntityRoleCriterion
 [role={urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor],
 EntityIdCriterion [id=https://pa4078.peopleadmin.com/shibboleth
 ]]*

 *
 SamlRegisteredServiceDefaultCachingMetadataResolver.java:lambda$resolve$1:94*

 * RetryTemplate.java:doExecute:329*

 * RetryTemplate.java:execute:209*

 *>*

 2024-02-02 11:49:43,080 WARN
 [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController]
 - >>> https://pa4078.peopleadmin.com/shibboleth]>

 2024-02-02 11:49:43,080 WARN
 [org.apereo.cas.util.function.FunctionUtils] - >>> to https://pa4078.peopleadmin.com/shibboleth


 AbstractSamlIdPProfileHandlerController.java:verifySamlAuthenticationRequest:493


 AbstractSamlIdPProfileHandlerController.java:initiateAuthenticationRequest:311


 AbstractSamlIdPProfileHandlerController.java:lambda$handleSsoPostProfileRequest$4:648

 >

 *2024-02-02 11:49:43,081 ERROR [org.apereo.cas.web.support.WebUtils] -
 https://pa4078.peopleadmin.com/shibboleth
 *

 *
 AbstractSamlIdPProfileHandlerController.java:verifySamlAuthenticationRequest:493*

 *
 AbstractSamlIdPProfileHa
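The metadataLocation template suggested above hands CAS the service's entityID to substitute for {0}, and the SAML Metadata Query (MDQ) protocol that mdq.incommon.org implements accepts that identifier in two forms: the entityID percent-encoded as a single path segment (every character outside the RFC 3986 unreserved set encoded, including ':' and '/'), or the transformed identifier {sha1} followed by the lowercase hex SHA-1 of the entityID. The following is an added example, not code from the thread or from CAS, that builds both URLs so the lookup can be tried with curl before a service definition is pointed at it. The class name and the entityID used in main (taken from the error message earlier in the thread) are my choices, and how CAS itself encodes {0} is not shown on this page.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Builds the two MDQ request URL forms for an entityID (example code, not part
 * of CAS). Useful for checking by hand what an MDQ server returns for a given
 * SP before relying on "metadataLocation": ".../entities/{0}" in CAS.
 */
public final class MdqUrlBuilder {

    /** RFC 3986 unreserved characters; everything else is percent-encoded. */
    private static final String UNRESERVED =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";

    private MdqUrlBuilder() {
    }

    /**
     * Strict percent-encoding of the UTF-8 bytes of value. Unlike
     * java.net.URLEncoder this never emits '+' for a space and also encodes
     * ':' and '/', so the entityID stays one path segment.
     */
    static String percentEncode(final String value) {
        StringBuilder out = new StringBuilder();
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            if (UNRESERVED.indexOf(c) >= 0) {
                out.append((char) c);
            } else {
                out.append('%').append(String.format("%02X", c));
            }
        }
        return out.toString();
    }

    /** The MDQ "{sha1}" transformed identifier: lowercase hex SHA-1 of the UTF-8 entityID. */
    static String sha1Identifier(final String entityId) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            byte[] digest = md.digest(entityId.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder("{sha1}");
            for (byte b : digest) {
                hex.append(String.format("%02x", b & 0xff));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 not available in this JVM", e);
        }
    }

    /**
     * Substitute the (encoded) identifier into a template of the form used in the
     * thread, e.g. "https://mdq.incommon.org/entities/{0}". With useSha1 the braces
     * of "{sha1}" are percent-encoded as well, as the identifier is part of the path.
     */
    static String resolve(final String template, final String entityId, final boolean useSha1) {
        String identifier = useSha1 ? sha1Identifier(entityId) : entityId;
        return template.replace("{0}", percentEncode(identifier));
    }

    public static void main(final String[] args) {
        String template = "https://mdq.incommon.org/entities/{0}";
        // entityID from the error message in this thread; pass another one as the first argument
        String entityId = args.length > 0 ? args[0] : "https://conncoll.reclaimhosting.com";
        System.out.println(resolve(template, entityId, false));
        System.out.println(resolve(template, entityId, true));
    }
}
```

Fetching either printed URL with curl should return a single EntityDescriptor for that entityID; an HTTP 404 means the SP is not in the InCommon aggregate at all, which is the first thing to rule out when the facade reports that it cannot locate the EntityIdCriterion. Note also the log line earlier in the thread stating that metadata signature validation will not be invoked: for a production IdP the metadata signing certificate should be configured on the service definition (the metadataSignatureLocation attribute in CAS) so that a metadata response, whether from the aggregate or from MDQ, is rejected unless its signature verifies.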

Re: [cas-user] Re: CAS7 bean creation override question

2024-05-07 Thread Ray Bon
Yan,

Configuration classes are driven by spring. Perhaps this class runs before the 
debugger can connect to the [starting] app.

For your Configuration class to be called, it needs to be added to 
src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports

Ray

On Mon, 2024-05-06 at 10:04 -0700, Yan Zhou wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

My thought is that this bean (jdbcPasswordChangeService) is already created 
somehow, see the logs below, but I do not know how to find out who created it. I 
set a breakpoint in the only occurrence of this bean definition, 
JdbcPasswordManagementConfiguration; the method does not appear to be invoked in 
the debugger.

2024-05-06 12:23:41,783 DEBUG [restartedMain] 
[org.springframework.beans.factory.support.DefaultListableBeanFactory] - 
   <== I have my class re-define this and the breakpoint is invoked successfully

2024-05-06 12:23:41,804 DEBUG [restartedMain] 
[org.springframework.beans.factory.support.DefaultListableBeanFactory] - 
  <== do not know who created it.

2024-05-06 12:23:41,836 DEBUG [restartedMain] 
[org.springframework.beans.factory.support.DefaultListableBeanFactory] - 


any idea to find out who created this instance?

On Monday, May 6, 2024 at 11:53:07 AM UTC-4 Yan Zhou wrote:
Hi,

CAS 7.1.0 overlay: I need to override the password change implementation with my 
own PasswordManagementService.

I basically want to provide my own implementation of 
JdbcPasswordManagementConfiguration. See QuestCasConfiguration below,

also defined in META-INF/spring/...AutoImports
org.apereo.cas.config.CasOverlayOverrideConfiguration
org.apereo.cas.config.QuestCasConfiguration


@EnableTransactionManagement(proxyTargetClass = false)
@EnableConfigurationProperties(CasConfigurationProperties.class)
@Configuration(value = "QuestCasConfiguration", proxyBeanMethods = false)
public class QuestCasConfiguration {

    @Bean(name = "jdbcPasswordChangeService")
    public PasswordManagementService passwordChangeService(
            ...
            final PasswordHistoryService passwordHistoryService) {
        return new QuestJdbcPasswordManagementService(passwordManagementCipherExecutor,
            casProperties.getServer().getPrefix(), casProperties.getAuthn().getPm(),
            jdbcPasswordManagementDataSource,
            jdbcPasswordManagementTransactionTemplate, passwordHistoryService,
            encoder); // <=== this is NOT called
    }

    @Bean(name = "jdbcPasswordManagementDataSource")
    public DataSource jdbcPasswordManagementDataSource(final CasConfigurationProperties casProperties) {
        return JpaBeans.newDataSource(casProperties.getAuthn().getJdbc().getQuery().get(0)); // <=== this is called
    }
}

The problem is that of the two bean methods, one 
(jdbcPasswordManagementDataSource) is called but the 
other (passwordChangeService) is not, and I am not sure why. I set a breakpoint in my 
class to see how the code is invoked.

This means passwordChangeService is already created somewhere else, but I 
cannot figure that out either.

I set a breakpoint in the CAS source code, JdbcPasswordManagementConfiguration, and I do 
not see any method stopped in the debugger when CAS starts up.

what did I miss? here are related logs

2024-05-06 10:49:55,104 DEBUG [restartedMain] 
[org.springframework.beans.factory.support.DefaultListableBeanFactory] - 

2024-05-06 10:49:55,107 DEBUG [restartedMain] 
[org.springframework.beans.factory.support.DefaultListableBeanFactory] - 

2024-05-06 10:49:55,257 DEBUG [restartedMain] 
[org.springframework.beans.factory.support.DefaultListableBeanFactory] - 




   JdbcPasswordHistoryManagementConfiguration matched:
  - Requested features [PasswordManagementHistory] are enabled 
(CasFeatureEnabledCondition)

   JdbcPasswordManagementConfiguration matched:
  - Requested features [PasswordManagement] are enabled 
(CasFeatureEnabledCondition)

   
JdbcPasswordManagementConfiguration.JdbcPasswordManagementDataConfiguration#jdbcPasswordManagementDataSource
 matched:
  - @ConditionalOnMissingBean (names: jdbcPasswordManagementDataSource; 
SearchStrategy: all) did not find any beans (OnBeanCondition)

   
JdbcPasswordManagementConfiguration.JdbcPasswordManagementServiceConfiguration#passwordChangeService
 matched:
  - @ConditionalOnMissingBean (names: jdbcPasswordChangeService; 
SearchStrategy: all) did not find any beans (OnBeanCondition)

   
JdbcPasswordManagementConfiguration.JdbcPasswordManagementTransactionConfiguration#jdbcPasswordManagementTransactionTemplate
 matched:
  - @ConditionalOnMissingBean (names: 
jdbcPasswordManagementTransactionTemplate; SearchStrategy: all) did not find 
any beans (OnBeanCondition)

thanks!
Yan


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
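One way to answer the "who created this instance?" question without depending on a breakpoint in a configuration class, added here as an example and not code from the thread or from CAS itself: an overlay @Configuration that reads the registered bean definitions once the context is ready and logs the factory class and @Bean method behind each name. The conditions report quoted above shows the CAS method JdbcPasswordManagementServiceConfiguration#passwordChangeService guarded by @ConditionalOnMissingBean on the name jdbcPasswordChangeService, so the example reports both names side by side. The class name BeanOriginReportConfiguration and the list of bean names are my choices, and, as Ray notes, the class only takes effect if it is listed in src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports.

```java
package org.apereo.cas.config;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.boot.ApplicationRunner;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.Arrays;

/**
 * Diagnostic overlay configuration (example code, not part of CAS): after startup,
 * report which factory class and @Bean method produced the definition registered
 * under each bean name of interest. It inspects bean *definitions*, so it works
 * regardless of whether a breakpoint in the producing configuration class was hit.
 */
@Configuration(value = "BeanOriginReportConfiguration", proxyBeanMethods = false)
public class BeanOriginReportConfiguration {
    private static final Logger LOGGER = LoggerFactory.getLogger(BeanOriginReportConfiguration.class);

    /* Names taken from the thread: the CAS factory method is passwordChangeService,
       while its @ConditionalOnMissingBean guard checks for jdbcPasswordChangeService. */
    private static final String[] BEANS_OF_INTEREST = {
        "passwordChangeService",
        "jdbcPasswordChangeService",
        "jdbcPasswordManagementDataSource",
        "jdbcPasswordManagementTransactionTemplate"
    };

    @Bean
    public ApplicationRunner beanOriginReport(final ConfigurableApplicationContext applicationContext) {
        return args -> {
            ConfigurableListableBeanFactory beanFactory = applicationContext.getBeanFactory();
            for (String name : BEANS_OF_INTEREST) {
                LOGGER.info(describe(beanFactory, name));
            }
        };
    }

    /** Human-readable origin of one bean definition, or a note that the name is unknown. */
    static String describe(final ConfigurableListableBeanFactory beanFactory, final String name) {
        if (!beanFactory.containsBeanDefinition(name)) {
            return name + ": no bean definition registered under this name (aliases: "
                + Arrays.toString(beanFactory.getAliases(name)) + ")";
        }
        BeanDefinition definition = beanFactory.getBeanDefinition(name);
        // Same fields the "Overriding bean definition" DEBUG lines in the thread print.
        return String.format("%s: factoryBean=%s factoryMethod=%s scope=%s primary=%s defined in %s",
            name,
            definition.getFactoryBeanName(),
            definition.getFactoryMethodName(),
            definition.getScope(),
            definition.isPrimary(),
            definition.getResourceDescription());
    }
}
```

Treat this as a throwaway diagnostic and remove it once the origin is known. The factoryBean value it prints is the name of the @Configuration class that won, so a name other than QuestCasConfiguration tells you directly which class supplied the bean that is actually injected. Starting CAS with --debug prints the same CONDITIONS EVALUATION REPORT the thread quotes, which is the other place to confirm which @ConditionalOnMissingBean names were evaluated and what they found.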

Re: [cas-user] Enforce MFA without authentication (active SSO session)

2024-05-07 Thread Ray Bon
Tom,

Could it be that the groovy script is returning null or a value that cas does 
not understand?

Ray

On Tue, 2024-05-07 at 06:49 -0700, tjan...@gmail.com wrote:

Hello!

I'm trying to trigger MFA even if the user is authenticated and the TGT 
participates in the existing SSO session, but somehow the behavior is 
inconsistent. I'm using OAuth authorization code flow and already somehow 
managed to execute a flow where after a call to /authorize, the user was NOT 
requested to authenticate (due to active SSO), but still the MFA policy was 
triggered as expected.

Now I'm unable to reproduce that. Instead whenever I send a request to 
/authorize, I get redirected to the service redirect URL with an OAuth code in 
the query parameters. Instead I would like the MFA provider to get triggered on 
each call to /authorize for this specific service.

In the service configuration I have defined:
"multifactorPolicy":{
  "@class":"org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
  "script":"classpath:groovy/forceMfaPolicy.groovy",
  "bypassEnabled":"false",
  "forceExecution":"true"
}

What might be the correct way to enforce MFA even if an SSO session is active 
and being participated in?

Thank you!
Tom




Re: [cas-user] Enforce MFA without authentication (active SSO session)

2024-05-07 Thread tjan...@gmail.com
Hi, thanks for the response!

Actually what seems to happen is that when */authorize* is called, the CAS 
*OAuth20HandlerInterceptorAdapter.preHandle() *is invoked which in turn 
invokes the pac4j *SecurityInterceptor*. Eventually the 
*org.pac4j.core.engine.DefaultSecurityLogic 
*gets called and it checks (via DefaultAuthorizationChecker) if an active 
pac4j profile can be found in the session store. It seems like if I call 
/authorize within some time (~10min?) after a successful login to CAS, then 
there is an active profile in the session and the authentication & 
authorization are considered valid and access is granted.
However after waiting for some time, when I call */authorize*, then there 
is no profile in the session store and eventually we end up in the MFA 
step. 

Is anyone able to explain how this works and if there is some way to affect 
the profile expiration in the session store, so that the pac4j engine would 
NOT consider the request authorized? I suppose we would want to otherwise 
keep the default functionality, but for some specific oauth clients we 
would want MFA be triggered on EVERY request to /authorize.

I might be completely lost too, would be happy to receive some insight on 
this if someone is aware :)

Many thanks!
Tom

On Wednesday 8 May 2024 at 03:39:51 UTC+3 Ray Bon wrote:

> Tom,
>
> Could it be that the groovy script is returning null or a value that cas 
> does not understand?
>
> Ray
>
> On Tue, 2024-05-07 at 06:49 -0700, tjan...@gmail.com wrote:
>
>
>
> Hello! 
>
> I'm trying to trigger MFA even if the user is authenticated and the TGT 
> participates in the existing SSO session, but somehow the behavior is 
> inconsistent. I'm using OAuth authorization code flow and already somehow 
> managed to execute a flow where after a call to /authorize, the user was 
> NOT requested to authenticate (due to active SSO), but still the MFA policy 
> was triggered as expected.
>
> Now I'm unable to reproduce that. Instead whenever I send a request to 
> /authorize, I get redirected to the service redirect URL with an OAuth code 
> in the query parameters. Instead I would like the MFA provider to get 
> triggered on each call to /authorize for this specific service.
>
> In the service configuration I have defined:
> "multifactorPolicy":{
>   "@class":"
> org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>   "script":"classpath:groovy/forceMfaPolicy.groovy",
>   "bypassEnabled":"false",
>   "forceExecution":"true"
> }
>
> What might be the correct way to enforce MFA even if an SSO session is 
> active and being participated in?
>
> Thank you!
> Tom
>
>



[cas-user] CAS 7.0.3 Office365 Integration and attributes problem

2024-05-07 Thread Łukasz Woźniak
Hello,

We are currently migrating from CAS 6.5 to 7.0. We are integrated with Office365, 
but in version 7.0.3 there is a problem: we don't get the family_name and given_name 
attributes. In our configuration we have set the scope to: "openid profile email"

Does anyone have a similar problem?

Thanks,
Lukas
