[cas-user] CAS 6.2.8 JoseException Warning message

2021-07-28 Thread Juan Quintanilla
Hi,

We are currently running a clustered CAS 6.2.8 environment with tomcat 9 and 
hazelcast ticketing. Intermittently we are seeing the following warning in the 
logs:

WARN [org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator] - 
java.lang.IllegalArgumentException: org.jose4j.lang.JoseException: A JWS 
Compact Serialization must have exactly 3 parts separated by period ('.') 
characters

I saw a thread for this related to CAS 4.1.7 but didn't really see any solution 
or fix. Has anyone encountered this warning?

Thanks!


___

Juan Quintanilla

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/BN6PR05MB3474BB60E519A1AC607F0EF086EA9%40BN6PR05MB3474.namprd05.prod.outlook.com.


[cas-user] CAS 6.3 High CPU on Tomcat

2021-07-07 Thread Juan Quintanilla
Hi,

We are running CAS 6.3 with tomcat 9 and Java 11, and have SAML2 and oauth 
dependencies installed with hazelcast as ticket registry and json files for 
service registry.  We have noticed that after a few days of running the CPU 
usage for tomcat spikes to above 100% and requires a restart for it to come 
back down. When we check the load on the server there aren't too many 
authentications happening. We had a similar tomcat configuration when running 
CAS 5.3 with tomcat 8.5 and didn't really see this issue. What we notice in the 
CAS logs is the metadata being loaded on several occasions over 10 times for a 
single authentication. 
[org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade] - (AbstractXMLObject.java:48)
at org.opensaml.saml.saml2.metadata.impl.EndpointImpl.(EndpointImpl.java:59)
at org.opensaml.saml.saml2.metadata.impl.SingleSignOnServiceImpl.(SingleSignOnServiceImpl.java:40)
at org.opensaml.saml.saml2.metadata.impl.SingleSignOnServiceBuilder.buildObject(SingleSignOnServiceBuilder.java:49)
at org.opensaml.saml.saml2.metadata.impl.SingleSignOnServiceBuilder.buildObject(SingleSignOnServiceBuilder.java:31)
at org.opensaml.core.xml.AbstractXMLObjectBuilder.buildObject(AbstractXMLObjectBuilder.java:58)
at org.opensaml.core.xml.AbstractXMLObjectBuilder.buildObject(AbstractXMLObjectBuilder.java:73)
at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.buildXMLObject(AbstractXMLObjectUnmarshaller.java:182)
at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshall(AbstractXMLObjectUnmarshaller.java:104)
at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshallChildElement(AbstractXMLObjectUnmarshaller.java:337)
at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshall(AbstractXMLObjectUnmarshaller.java:128)
at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshallChildElement(AbstractXMLObjectUnmarshaller.java:337)
at org.opensaml.core.xml.io.AbstractXMLObjectUnmarshaller.unmarshall(AbstractXMLObjectUnmarshaller.java:128)
at org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver.initMetadataResolver(DOMMetadataResolver.java:68)
at org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver.initMetadataResolver(SamlIdPMetadataResolver.java:64)
at org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver.doInitialize(AbstractMetadataResolver.java:289)
at net.shibboleth.utilities.java.support.component.AbstractInitializableComponent.initialize(AbstractInitializableComponent.java:65)
- locked <0x0005850f62c0> (a org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataResolver)
..


Has anyone noticed something similar?

Thanks!

___

Juan Quintanilla



[cas-user] Re: CAS 6.3 WS-FED Dependency Issue

2021-04-26 Thread Juan Quintanilla
Hi,

We are trying to implement CAS 6.3 with ws-idp dependency but it does not seem to 
generate the keystores or metadata. Has anybody been able to get this to work?

Thanks!

Juan Quintanilla


From: Juan Quintanilla
Sent: Wednesday, April 21, 2021 11:15 AM
To: CAS Community 
Subject: CAS 6.3 WS-FED Dependency Issue

Hi Everyone,

We are testing out CAS 6.3 and while adding the different dependencies we are 
noticing that after starting up CAS it doesn't seem to generate the keystores 
or service files for ws-fed.  We added the dependency cas-server-support-ws-idp 
to our gradle build and we see the different library files and after adding the 
fields to our cas.properties file we can also reach /ws/sts endpoint.

For some reason the /ws/idp/metadata endpoint is not found nor are the 
keystores being generated.  We have configured other protocols and have had no 
problem but for some reason we can't get the ws-idp to work. We also have the 
SAML2 dependency configured, not sure if this would conflict.  Has anyone 
encountered a similar issue?

Thanks!

___
Juan Quintanilla



[cas-user] CAS 6.3 WS-FED Dependency Issue

2021-04-21 Thread Juan Quintanilla
Hi Everyone,

We are testing out CAS 6.3 and while adding the different dependencies we are 
noticing that after starting up CAS it doesn't seem to generate the keystores 
or service files for ws-fed.  We added the dependency cas-server-support-ws-idp 
to our gradle build and we see the different library files and after adding the 
fields to our cas.properties file we can also reach /ws/sts endpoint.

For some reason the /ws/idp/metadata endpoint is not found nor are the 
keystores being generated.  We have configured other protocols and have had no 
problem but for some reason we can't get the ws-idp to work. We also have the 
SAML2 dependency configured, not sure if this would conflict.  Has anyone 
encountered a similar issue?

Thanks!

___
Juan Quintanilla



Re: [cas-user] CAS 5.3 with tomcat 8.5.57 User logged in sees another user information

2021-01-14 Thread Juan Quintanilla
Thanks, Ray, for your input.  We only encountered one case that we know of. We are 
enabling more logging in the access logs to capture sessionid and are also planning 
to update to 8.5.61, as we did see some bug fixes.  We are not sure 
where the issue is or if this was just an isolated issue, but our guess is the Web 
servlet, as we encountered something similar in a previous version of tomcat.  The 
only difference now is that we don't see any errors related to this event.

___
Juan Quintanilla
jquin...@fiu.edu


From: cas-user@apereo.org  on behalf of Ray Bon 

Sent: Thursday, January 14, 2021 12:02 PM
To: cas-user@apereo.org 
Cc: Noemi Valle 
Subject: Re: [cas-user] CAS 5.3 with tomcat 8.5.57 User logged in sees another 
user information



Juan,

I worked on a [non cas] project years ago where this type of behaviour would 
happen in a classroom setting. I suspected it was some network hardware that 
could not distinguish the requests - response pairs, and 'guessed' which 
response matched which client request.
I never had a chance to solve this problem, so I am not much help.

Ray

On Wed, 2021-01-13 at 22:13 +0000, Juan Quintanilla wrote:

Hello,

We are running CAS 5.3, and tomcat 8.5.57 and experienced a scenario where a 
user logged into a saml2 service and saw another user's information. They logged 
out and logged back in and saw their information.  We encountered something 
similar in the past when we had CAS 3.6 and Tomcat 8.0 and it had to do with 
Tomcat using the same jsessionid for the user who authenticated a few seconds 
before and the user coming in after was given the same jsessionid. We would 
have to bounce the environment completely.

We have haveged installed on the VM to help. Has anyone encountered a similar 
issue? We had one user report the issue; unfortunately we don't see a way to 
capture this information in the logs and nothing in the logs stands out for 
this particular case.

Thanks!

___
Juan Quintanilla
jquin...@fiu.edu

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.


[cas-user] CAS 5.3 with tomcat 8.5.57 User logged in sees another user information

2021-01-13 Thread Juan Quintanilla
Hello,

We are running CAS 5.3, and tomcat 8.5.57 and experienced a scenario where a 
user logged into a saml2 service and saw another user's information. They logged 
out and logged back in and saw their information.  We encountered something 
similar in the past when we had CAS 3.6 and Tomcat 8.0 and it had to do with 
Tomcat using the same jsessionid for the user who authenticated a few seconds 
before and the user coming in after was given the same jsessionid. We would 
have to bounce the environment completely.

We have haveged installed on the VM to help. Has anyone encountered a similar 
issue? We had one user report the issue; unfortunately we don't see a way to 
capture this information in the logs and nothing in the logs stands out for 
this particular case.

Thanks!

___
Juan Quintanilla
jquin...@fiu.edu
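
An added example, not part of the original posts: one way to check access logs for the session-ID reuse described in this thread, once the session ID is being logged as the follow-up mentions. It assumes a Tomcat AccessLogValve pattern of `%h %l %u %t "%r" %s %b %S` and that `%h` is the real client address; the log lines, addresses and session IDs below are constructed.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, assumed pattern: %h %l %u %t "%r" %s %b %S
# (%S is the AccessLogValve session-ID field). All values are made up.
SAMPLE_LOG = """\
10.0.0.11 - - [13/Jan/2021:17:01:02 -0500] "POST /cas/login HTTP/1.1" 302 - 9F3C2A7714D04B7E8A51C0DE00000001
10.0.0.11 - - [13/Jan/2021:17:01:03 -0500] "GET /cas/login HTTP/1.1" 200 5120 9F3C2A7714D04B7E8A51C0DE00000001
10.0.0.42 - - [13/Jan/2021:17:01:05 -0500] "GET /cas/login HTTP/1.1" 200 7311 9F3C2A7714D04B7E8A51C0DE00000001
10.0.0.57 - - [13/Jan/2021:17:02:10 -0500] "GET /cas/login HTTP/1.1" 200 7311 4B1D9E0233AA4C6F9D77C0DE00000002
10.0.0.57 - - [13/Jan/2021:17:02:12 -0500] "POST /cas/login HTTP/1.1" 302 - 4B1D9E0233AA4C6F9D77C0DE00000002
10.0.0.63 - - [13/Jan/2021:17:03:00 -0500] "GET /cas/login HTTP/1.1" 200 12 -
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ (?P<sid>\S+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def fingerprint(session_id):
    """Short hash of a session ID, so reports never repeat the raw value."""
    return hashlib.sha256(session_id.encode("ascii")).hexdigest()[:12]


def parse(log_text):
    """Return (timestamp, client, session_id, request) tuples, oldest first.

    Lines that do not match the assumed pattern, and requests that carried
    no session ("-"), are skipped.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["sid"] == "-":
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        events.append((ts, m["client"], m["sid"], m["request"]))
    return sorted(events)


def shared_sessions(events):
    """Report every session ID that was presented by more than one client."""
    first_seen = defaultdict(dict)  # session_id -> {client: first timestamp}
    for ts, client, sid, _request in events:
        first_seen[sid].setdefault(client, ts)

    findings = []
    for sid, clients in first_seen.items():
        if len(clients) < 2:
            continue
        ordered = sorted(clients.items(), key=lambda item: item[1])
        gap = (ordered[1][1] - ordered[0][1]).total_seconds()
        findings.append({
            "session_fp": fingerprint(sid),
            "clients": [client for client, _ in ordered],
            # Seconds between the first and the second client's first request.
            "gap_seconds": gap,
        })
    return findings


if __name__ == "__main__":
    for finding in shared_sessions(parse(SAMPLE_LOG)):
        print(finding)
```

A session ID in an access log is a live credential until the session ends, so the log needs the same protection as the session store. Behind a load balancer `%h` is the balancer's address, and the forwarded client address has to be logged instead for this check to mean anything.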



[cas-user] CAS 5.3 Support for external hazelcast.xml config

2020-01-30 Thread Juan Quintanilla
Hi,

We are using CAS 5.3 and wanted to make use of the hazelcast management center. 
On 5.1 we did this by specifying an external hazelcast.xml config file with 
the property value cas.ticket.registry.hazelcast.configLocation.

Was this taken out in CAS 5.3? We get an error when we try to use that field. 
Is there a workaround to be able to tell CAS to use a different config?

Thanks!

___
Juan Quintanilla
jquin...@fiu.edu



[cas-user] CAS Error principal cannot be null

2019-05-16 Thread Juan Quintanilla
Hi,


We are running into an interesting issue when load testing our CAS 
implementation. It seems that after about 3 hours of load testing we begin to 
encounter the following error:


2019-05-16 12:57:30,074 WARN 
[org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
 - <'principal' cannot be null.
Check the correctness of @Audit annotation at the following audit point: 
execution(public org.apereo.cas.authentication.Authentication 
org.apereo.cas.authentication.AbstractAuthenticationManager.authenticate(org.apereo.cas.authentication.AuthenticationTransaction))>
java.lang.IllegalArgumentException: 'principal' cannot be null.


Once we encounter this error we cannot log into CAS anymore; we are just left on 
the login page. After a restart of Tomcat it starts working again. When checking 
the logs we can see that the authentication piece is working, as the attributes 
are being returned and the user is authenticated.


2019-05-16 12:57:29,855 DEBUG 
[org.apereo.cas.authentication.LdapAuthenticationHandler] - 
2019-05-16 12:57:29,855 DEBUG 
[org.apereo.cas.authentication.AbstractAuthenticationManager] - 


We are running CAS 5.1.9 with Tomcat 8.5.41, Java 8 update 211, and hazelcast 
for ticket registry. We have also tested with Mongodb running on the webserver 
and we encounter the same issue.  I have also encountered the same issue when 
testing CAS 5.3.


We have checked Memory and it doesn't seem to be the case where it runs out of 
memory.


If we have mongodb running on a different server then we don't encounter the 
issue; the same goes for an Oracle Database. It only happens when running on the 
same server as the CAS Application.


Has anyone encountered anything similar to this?


Thanks!

___
Juan Quintanilla



[cas-user] Re: CAS 5.1.9 Mongodb ticket cleanup

2019-04-05 Thread Juan Quintanilla
Never mind, I found that in CAS 5.3 you have the cleanup process working with 
mongodb.


Thanks!


___
Juan Quintanilla
Enterprise Systems Group
305-348-6573
jquin...@fiu.edu



From: cas-user@apereo.org  on behalf of Juan Quintanilla 

Sent: Thursday, April 4, 2019 11:32 AM
To: cas-user@apereo.org
Subject: [cas-user] CAS 5.1.9 Mongodb ticket cleanup


Hi,


We are testing CAS 5.1.9 with mongodb for the ticket registry and wanted to know 
if someone can provide some guidance on how you are performing ticket cleanup.


Appreciate any suggestions on this setup.


Thanks!


___
Juan Quintanilla
jquin...@fiu.edu



[cas-user] CAS 5.1.9 Mongodb ticket cleanup

2019-04-04 Thread Juan Quintanilla
Hi,


We are testing CAS 5.1.9 with mongodb for the ticket registry and wanted to know 
if someone can provide some guidance on how you are performing ticket cleanup.


Appreciate any suggestions on this setup.


Thanks!


___
Juan Quintanilla
jquin...@fiu.edu



Re: [cas-user] Re: CAS 5.1.2 Database Deadlock

2019-04-03 Thread Juan Quintanilla
Hi Nathaniel,


We had to disable the defaultticketcleaner for JPA because it was not 
cleaning up the tickets. After disabling the cleaner we no longer experienced 
the Deadlock issue, but we had to set up some external scripts to perform the 
cleanup on the tickets.


Thanks!


___
Juan Quintanilla
jquin...@fiu.edu



From: cas-user@apereo.org  on behalf of Nathaniel Petersen 

Sent: Friday, March 29, 2019 4:20 PM
To: CAS Community
Subject: [cas-user] Re: CAS 5.1.2 Database Deadlock

Juan,

Were you able to identify the cause or implement a fix for this issue?  I'm 
experiencing a similar issue in 5.2.6.

On Monday, January 28, 2019 at 10:58:02 AM UTC-6, jquin014 wrote:

Hi,

We are running CAS 5.1.2 with Oracle 12 as the backend database for 
ticketing/audit logs and while load testing the environment we started running 
into issues with the database being deadlocked.   In our oracle trace logs we 
are seeing the following:


delete from TICKETGRANTINGTICKET where ticketGrantingTicket_ID=:1


In the cas logs we have the following:


2019-01-25 16:55:27,127 ERROR 
[org.springframework.boot.web.support.ErrorPageFilter] - 
org.springframework.webflow.execution.ActionExecutionException: Exception 
thrown executing org.apereo.cas.web.flow.TerminateSessionAction@23fdf9ec in 
state 'terminateSession' of flow 'logout' -- action execution attributes were 
'map[[empty]]'
Caused by: javax.persistence.PersistenceException: 
org.hibernate.exception.LockAcquisitionException: could not execute statement
Caused by: java.sql.SQLException: ORA-00060: deadlock detected while waiting 
for resource



It seems to only be occurring during logout requests and does not seem to 
happen to all the requests.  Has anyone encountered something similar with 
deadlocks on the Database?


Thanks!


___
Juan Quintanilla




[cas-user] Re: CAS 5.1.9 DefaultTicketRegistryCleaner fails when TGT not found

2019-03-28 Thread Juan Quintanilla
Hello,


So after some testing with the DefaultTicketRegistryCleaner on CAS 5.1.9 with 
JPA ticket registry we have had to disable the DefaultTicketRegistryCleaner 
because it would take long to remove tickets from the Oracle Database.  We 
noticed that it would take some time to attempt a cleanup and when it would 
finally attempt to commit the transactions we would sometimes encounter the 
error below:


ERROR [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] -



From: Juan Quintanilla
Sent: Tuesday, March 19, 2019 11:51 AM
To: cas-user@apereo.org
Subject: CAS 5.1.9 DefaultTicketRegistryCleaner fails when TGT not found


Hello,


We are running 2 CAS 5.1.9 instances with Oracle 12 for the JPA ticket registry 
and we are seeing the following error in the logs:


ERROR [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] -



[cas-user] CAS 5.1.9 DefaultTicketRegistryCleaner fails when TGT not found

2019-03-19 Thread Juan Quintanilla
Hello,


We are running 2 CAS 5.1.9 instances with Oracle 12 for the JPA ticket registry 
and we are seeing the following error in the logs:


ERROR [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] -



[cas-user] CAS SSO Issue with Warn User Checkbox

2019-03-06 Thread Juan Quintanilla
Hi,


We are currently using CAS 5.1.9 with Custom Themes and testing the Warn User 
Checkbox option, but ran into a few issues.  When we successfully log in to a 
CAS client after checking the option to Warn the user and then go to a second 
site, we are presented with the CAS Page saying do you want to continue and a 
check box to ignore future warnings. After clicking continue we are not directed 
to the application; instead we stay in a CAS Server url with 
/cas/login?execution= followed by a very long string.


We are not seeing any errors in the logs. Has anybody encountered this issue 
before?


Thanks!

___
Juan Quintanilla



[cas-user] CAS 5.1.2 ConcurrentModificationException at login

2019-01-31 Thread Juan Quintanilla
Hi,


We are running CAS 5.1.2 with Mongodb for ticketing and ldap for authentication 
and have been seeing the following error every so often during heavy load test 
which seems to give  500:Internal Server Error and a 
ConcurrentModificationException in the logs.   We have not done any changes to 
the login webflow so we were wondering if anybody has encountered something 
similar.


2019-01-31 14:53:35,958 DEBUG [org.springframework.webflow.engine.ActionState] 
- 
2019-01-31 14:53:35,958 DEBUG 
[org.springframework.webflow.execution.ActionExecutor] - 
2019-01-31 14:53:35,958 DEBUG 
[org.springframework.webflow.execution.ActionExecutor] - 
2019-01-31 14:53:35,958 DEBUG 
[org.springframework.webflow.execution.ActionExecutor] - 
2019-01-31 14:53:35,958 DEBUG 
[org.springframework.webflow.execution.ActionExecutor] - 
2019-01-31 14:53:35,958 DEBUG 
[org.springframework.webflow.execution.ActionExecutor] - 
2019-01-31 14:53:35,958 DEBUG 
[org.springframework.webflow.execution.ActionExecutor] - 
2019-01-31 14:53:35,958 DEBUG 
[org.springframework.webflow.execution.ActionExecutor] - 
2019-01-31 14:53:35,958 DEBUG 
[org.springframework.webflow.execution.ActionExecutor] - 
2019-01-31 14:53:35,958 DEBUG 
[org.springframework.webflow.engine.impl.FlowExecutionImpl] - 
2019-01-31 14:53:35,958 DEBUG 
[org.springframework.webflow.engine.impl.FlowExecutionImpl] - 
2019-01-31 14:53:35,959 ERROR 
[org.springframework.boot.web.support.ErrorPageFilter] - 
org.springframework.webflow.execution.ActionExecutionException: Exception 
thrown executing org.apereo.cas.web.flow.ServiceAuthorizationCheck@31103215 in 
state 'serviceAuthorizationCheck' of flow 'login' -- action execution 
attributes were 'map[[empty]]'
at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60) ~[spring-webflow-2.4.4.RELEASE.jar:2.4.4.RELEASE]
at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.4.4.RELEASE.jar:2.4.4.RELEASE]
at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.4.4.RELEASE.jar:2.4.4.RELEASE]
at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-2.4.4.RELEASE.jar:2.4.4.RELEASE]



Thanks!

Juan Quintanilla

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CY4PR05MB2807DD1FC6B9FDC6D5B3391886970%40CY4PR05MB2807.namprd05.prod.outlook.com.


[cas-user] CAS 5.1.2 Database Deadlock

2019-01-28 Thread Juan Quintanilla
Hi,

We are running CAS 5.1.2 with Oracle 12 as the backend database for 
ticketing/audit logs and while load testing the environment we started running 
into issues with the database being deadlocked.   In our oracle trace logs we 
are seeing the following:


delete from TICKETGRANTINGTICKET where ticketGrantingTicket_ID=:1


In the cas logs we have the following:


2019-01-25 16:55:27,127 ERROR [org.springframework.boot.web.support.ErrorPageFilter] -
org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.TerminateSessionAction@23fdf9ec in state 'terminateSession' of flow 'logout' -- action execution attributes were 'map[[empty]]'
Caused by: javax.persistence.PersistenceException: org.hibernate.exception.LockAcquisitionException: could not execute statement
Caused by: java.sql.SQLException: ORA-00060: deadlock detected while waiting for resource



It seems to only be occurring during logout requests and does not seem to 
happen on all the requests. Has anyone encountered something similar with 
deadlocks on the database?


Thanks!


___
Juan Quintanilla

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CY4PR05MB2807D8B6D010AEE47A2F1AF286960%40CY4PR05MB2807.namprd05.prod.outlook.com.


[cas-user] CAS SSO User logged in as another user

2018-09-05 Thread Juan Quintanilla
Hi,


We are running CAS 3.6 with Tomcat 8 and in some instances when 2 users are 
logging in, user A is logged in as User B on the client application. So the 
session information for the first user ends up being used.


We noticed that in the Tomcat access logs both users shared the same 
JSESSIONID. It appears that a unique JSESSIONID was not generated for the 
second user when they arrived on the login page.


Has anyone encountered a similar issue? If so, any suggestions?


Thanks!



___
Juan Quintanilla
jquin...@fiu.edu



To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/MWHPR05MB28148A5469C89AAF6F4B1DA786020%40MWHPR05MB2814.namprd05.prod.outlook.com.


[cas-user] CAS SSO User logged in as another user

2018-09-04 Thread Juan Quintanilla
Hi,


We recently encountered an interesting issue with our CAS implementation: in a 
few rare cases we have had some users report that when logging into a client 
application (Canvas) they were logged in as another user. In brief, User A 
attempts to log in with an auto-saved password, and User B was also logging in 
around the same time as User A. When User A is logged in they see User B's 
information.


After taking a look at the audit logs we noticed that when User A was logging 
in there was no Login entry; they were given a Service ticket with their IP and 
User B's username as if they had already authenticated. For User B we did see 
the login authentication and ST and TGT ticket created under their IP, but we 
later saw that the TGT was destroyed under User A's IP. Also, looking in the 
access logs I found that for this particular case the 2 users had the same 
JSESSIONID.


99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/login?service=https%3A%2F%2Ffiu.instructure.com%2Flogin%2Fcas HTTP/1.1" 200 5830
99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/themes/olcanvas1/app.js HTTP/1.1" 200 526
99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/themes/olcanvas1/cas.css HTTP/1.1" 200 8796
99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/themes/olcanvas1/images/fiu_logo.png HTTP/1.1" 200 12186
99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:28 -0400] "GET /cas/favicon.ico;jsessionid=0C6DC0B7927A4024EFA762D90E1BCF69 HTTP/1.1" 200 3262

c-98-254-138-84.hsd1.fl.comcast.net - - [02/Sep/2018:12:20:30 -0400] "POST /cas/login;jsessionid=0C6DC0B7927A4024EFA762D90E1BCF69?service=https%3A%2F%2Ffiu.instructure.com%2Flogin%2Fcas HTTP/1.1" 302 -
- - - [31/Dec/1969:18:59:59 -0500] "-" 505 -



So my question would be what might cause this to happen? Could the fact that 
they had the same JSESSIONID cause the user to log in as the other user?





___
Juan Quintanilla
jquin...@fiu.edu

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CY4PR05MB28077911DE2B218088B73AE286030%40CY4PR05MB2807.namprd05.prod.outlook.com.
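
Added example (not part of the original posts): a check for the condition described in the two "User logged in as another user" messages above, where one JSESSIONID shows up from more than one client host in a Tomcat access log. The log lines are constructed with placeholder hosts and session IDs, and the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same access-log layout as the post; hosts and
# session IDs are placeholders, not values taken from the thread.
SAMPLE_LOG = """\
host-a.example.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/login?service=https%3A%2F%2Fapp.example.org%2Flogin%2Fcas HTTP/1.1" 200 5830
host-a.example.net - - [02/Sep/2018:12:20:28 -0400] "GET /cas/favicon.ico;jsessionid=AAAA1111BBBB2222CCCC3333DDDD4444 HTTP/1.1" 200 3262
host-b.example.net - - [02/Sep/2018:12:20:30 -0400] "POST /cas/login;jsessionid=AAAA1111BBBB2222CCCC3333DDDD4444?service=https%3A%2F%2Fapp.example.org%2Flogin%2Fcas HTTP/1.1" 302 -
host-c.example.net - - [02/Sep/2018:12:21:02 -0400] "GET /cas/login;jsessionid=EEEE5555FFFF6666AAAA7777BBBB8888 HTTP/1.1" 200 5830
- - - [31/Dec/1969:18:59:59 -0500] "-" 505 -
"""

# host ident user [timestamp] "request line" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+$'
)
# Session ID carried as a path parameter (URL rewriting), e.g. /login;jsessionid=...
SID_RE = re.compile(r";jsessionid=([^;?#/\s]+)", re.IGNORECASE)


def parse_line(line):
    """Return host, time, method and session ID, or None if the line has no ID."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("request").split()
    if len(parts) != 3:  # malformed request such as "-"
        return None
    sid = SID_RE.search(parts[1])
    if not sid:
        return None
    return {
        "host": m.group("host"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": parts[0],
        "session_id": sid.group(1),
    }


def shared_session_ids(lines):
    """List session IDs that were presented by more than one client host."""
    by_sid = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_sid[rec["session_id"]].append(rec)

    findings = []
    for sid, recs in by_sid.items():
        hosts = sorted({r["host"] for r in recs})
        if len(hosts) < 2:
            continue
        recs.sort(key=lambda r: r["time"])
        findings.append({
            "session_id": sid,
            "hosts": hosts,
            "first_host": recs[0]["host"],  # where the ID was first seen
            "span_seconds": (recs[-1]["time"] - recs[0]["time"]).total_seconds(),
        })
    return findings


if __name__ == "__main__":
    for f in shared_session_ids(SAMPLE_LOG.splitlines()):
        # Print only a prefix: the ID is a live credential until the session ends.
        print(f"jsessionid {f['session_id'][:8]}... from {f['hosts']} "
              f"within {f['span_seconds']:.0f}s, first seen at {f['first_host']}")
```

A shared ID is a lead rather than proof: one user can change address (NAT, mobile roaming), and behind a load balancer the host field is the balancer unless the forwarded client address is logged. IDs appear in these lines only when URL rewriting puts them in the request path.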


[cas-user] Issue configuring JPA ticket registry

2017-12-11 Thread Juan Quintanilla
Hi,


I'm running CAS 5.1.2 using tomcat 8.5 and java 8 and trying to configure the 
Oracle JPA ticket registry but running into issues. I have been able to 
configure this with CAS 4 and CAS 3 in the past but for some reason I'm 
encountering the error below:


2017-12-11 13:07:04,885 WARN [com.zaxxer.hikari.util.DriverDataSource] - 

2017-12-11 13:07:05,463 ERROR [com.zaxxer.hikari.pool.PoolBase] - 
2017-12-11 13:07:05,465 ERROR [com.zaxxer.hikari.pool.HikariPool] - 

java.sql.SQLSyntaxErrorException: ORA-00923: FROM keyword not found where expected
at oracle.jdbc.driver.T4CTTIoer11.processError(T4CTTIoer11.java:494) ~[ojdbc8-12.2.0.1.0.jar:12.2.0.1.0]




I verified that the ojdbc8 is in both the tomcat lib folder and in the cas lib 
folder.


I have configured my pom.xml as follows and set up the cas.properties file with 
the configuration below:


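pom.xml

<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-jpa-ticket-registry</artifactId>
  <version>${cas.version}</version>
</dependency>
<dependency>
  <groupId>com.oracle</groupId>
  <artifactId>ojdbc8</artifactId>
  <version>12.2.0.1.0</version>
  <scope>runtime</scope>
</dependency>
<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-jdbc-drivers</artifactId>
  <version>${cas.version}</version>
</dependency>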




cas.properties

cas.serviceRegistry.jpa.isolateInternalQueries=false
cas.serviceRegistry.jpa.url=jdbc:oracle:thin:
cas.serviceRegistry.jpa.failFast=true
cas.serviceRegistry.jpa.dialect=org.hibernate.dialect.Oracle12cDialect
cas.serviceRegistry.jpa.leakThreshold=10
cas.serviceRegistry.jpa.batchSize=1
cas.serviceRegistry.jpa.user=
cas.serviceRegistry.jpa.ddlAuto=create-drop
cas.serviceRegistry.jpa.password=
cas.serviceRegistry.jpa.autocommit=false
cas.serviceRegistry.jpa.driverClass=oracle.jdbc.driver.OracleDriver
cas.serviceRegistry.jpa.idleTimeout=5000
cas.serviceRegistry.jpa.dataSourceName=
cas.serviceRegistry.jpa.dataSourceProxy=false

cas.serviceRegistry.jpa.pool.suspension=false
cas.serviceRegistry.jpa.pool.minSize=6
cas.serviceRegistry.jpa.pool.maxSize=18
cas.serviceRegistry.jpa.pool.maxWait=2000


Just wanted to see if anyone else has run into a similar issue.


Thanks!


___
Juan Quintanilla
jquin...@fiu.edu


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/BN6PR05MB3634493DE6A1C5C479F9441286370%40BN6PR05MB3634.namprd05.prod.outlook.com.


[cas-user] CAS 4.2.7 Error when deleting tickets using JPATicketRegistry

2017-05-24 Thread Juan Quintanilla
Hi,


We are running CAS 4.2.7 using Tomcat 8, we added the configuration to use the 
JPATicketRegistry but noticed that every time it tried to perform a cleanup of 
the TGT Tickets an error would be thrown:


2017-05-23 16:50:35,131 ERROR [org.jasig.cas.ticket.registry.JpaTicketRegistry] -
javax.persistence.TransactionRequiredException: No EntityManager with actual transaction available for current thread - cannot reliably process 'remove' call
at org.springframework.orm.jpa.SharedEntityManagerCreator$SharedEntityManagerInvocationHandler.invoke(SharedEntityManagerCreator.java:278) ~[spring-orm-4.2.8.RELEASE.jar:4.2.8.RELEASE]
at com.sun.proxy.$Proxy82.remove(Unknown Source) ~[?:?]
at org.jasig.cas.ticket.registry.JpaTicketRegistry.removeTicket(JpaTicketRegistry.java:89) ~[cas-server-support-jpa-ticket-registry-4.2.7.jar:4.2.7]
at org.jasig.cas.ticket.registry.JpaTicketRegistry.deleteTicketsFromResultList(JpaTicketRegistry.java:211) ~[cas-server-support-jpa-ticket-registry-4.2.7.jar:4.2.7]
at org.jasig.cas.ticket.registry.JpaTicketRegistry.deleteTicketGrantingTickets(JpaTicketRegistry.java:241) ~[cas-server-support-jpa-ticket-registry-4.2.7.jar:4.2.7]
at org.jasig.cas.ticket.registry.JpaTicketRegistry.deleteSingleTicket(JpaTicketRegistry.java:167) ~[cas-server-support-jpa-ticket-registry-4.2.7.jar:4.2.7]
at org.jasig.cas.ticket.registry.AbstractTicketRegistry.deleteTicket(AbstractTicketRegistry.java:98) ~[cas-server-core-tickets-4.2.7.jar:4.2.7]
at org.jasig.cas.ticket.registry.AbstractTicketRegistry$$FastClassBySpringCGLIB$$b70f3271.invoke() ~[cas-server-core-tickets-4.2.7.jar:4.2.7]
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.2.8.RELEASE.jar:4.2.8.RELEASE]
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:651) ~[spring-aop-4.2.8.RELEASE.jar:4.2.8.RELEASE]
at org.jasig.cas.ticket.registry.JpaTicketRegistry$$EnhancerBySpringCGLIB$$a717405.deleteTicket() ~[cas-server-support-jpa-ticket-registry-4.2.7.jar:4.2.7]
at sun.reflect.GeneratedMethodAccessor93.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_112]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_112]
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:302) ~[spring-aop-4.2.8.RELEASE.jar:4.2.8.RELEASE]
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202) ~[spring-aop-4.2.8.RELEASE.jar:4.2.8.RELEASE]
at com.sun.proxy.$Proxy83.deleteTicket(Unknown Source) ~[?:?]
at org.jasig.cas.ticket.registry.TicketRegistryCleaner$1.apply(TicketRegistryCleaner.java:126) ~[cas-server-core-tickets-4.2.7.jar:4.2.7]
at org.jasig.cas.ticket.registry.TicketRegistryCleaner$1.apply(TicketRegistryCleaner.java:1) ~[cas-server-core-tickets-4.2.7.jar:4.2.7]
at com.google.common.collect.Iterators$8.transform(Iterators.java:799) ~[guava-18.0.jar:?]
at com.google.common.collect.TransformedIterator.next(TransformedIterator.java:48) ~[guava-18.0.jar:?]
at org.jasig.cas.ticket.registry.TicketRegistryCleaner.execute(TicketRegistryCleaner.java:139) ~[cas-server-core-tickets-4.2.7.jar:4.2.7]
at org.quartz.core.JobRunShell.run(JobRunShell.java:202) ~[quartz-2.2.1.jar:?]
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) ~[quartz-2.2.1.jar:?]



Are there any suggestions for resolving this error, is there a possible fix?


Thanks!



___
Juan Quintanilla
jquin...@fiu.edu

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/BN6PR05MB3634C872AE6CF1A955686B2F86FE0%40BN6PR05MB3634.namprd05.prod.outlook.com.


[cas-user] CAS Service Ticket not Created

2016-09-02 Thread Juan Quintanilla
Hi Everyone,


We are running CAS 3.6 and everything has been working great; on occasion, 
though, we have seen the following in the catalina.out logs, "ticket no found", 
and it relates to the user's Service Ticket. The user is able to authenticate, 
and once the application goes to validate the service ticket I see that 
message. In the DB I see the entry action_service_ticket_not_created. This 
recently came up with a particular user who was trying to access an 
application on their computer and was getting this message from the application 
but was able to log in when they tried it from their phone.


Has anyone encountered something similar with the service ticket not being 
created in the database, or possibly it being removed before validation can 
occur? I will be enabling debug mode to see if something might be happening 
before that is causing the ticket not to be created.


Thanks!


___
Juan Quintanilla
Enterprise Systems Group
305-348-6573
jquin...@fiu.edu

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/BLUPR0501MB17167C08AE298E1344D92E9986E50%40BLUPR0501MB1716.namprd05.prod.outlook.com.


Re: [cas-user] Re: CAS Intermittent SSO logins issues

2016-01-14 Thread Juan Quintanilla
Hi,

Thanks for your response. We are using Tomcat for the session replication and 
all the tickets are stored in an Oracle DB which both CAS servers access. When 
we have encountered the issue the user hits the same CAS server during all the 
login attempts because of the sticky sessions. It's happened on both our CAS 
servers when we have stopped Tomcat 8 for a while and started it up again, but 
once we reboot again it seems to go away. If I took the load balancer out of 
the loop and configured the client applications to hit one of the CAS servers 
having the issue, I also encounter the problem.


Our session timeout in our web.xml is set to 5 minutes but all the attempts 
were made within the 5 minutes so there was really no delay between the 
attempts. We have verified with the client applications that they are not 
using renew=true and have SSO set in the service registry. It's just 
strange that it happens during startup and is fixed when we restart Tomcat 
again.


What triggers in the log4j.xml would be best for troubleshooting why the login 
attempts are forced? It's almost as if the TGT is not stored in the browser or 
can't be verified.

Thanks!


___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu



From: cas-user@apereo.org  on behalf of Christopher Myers 

Sent: Thursday, January 14, 2016 9:05 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] Re: CAS Intermittent SSO logins issues

Out of curiosity, what happens if you take the load balancer out of the picture 
- does the required re-authentication happen? Also, do you have any kind of 
session replication set up between your CAS nodes, such as hazelcast? Also, 
what frequency does this happen? Eg., if someone logs into a CAS application, 
then immediately into another application? Or is there some delay in between 
the login attempts?

Some things to check:

Session timeout in your web.xml file:
  <session-config>
    <session-timeout>5</session-timeout>
  </session-config>
If there is more of a delay than X minutes in between logins, the users will 
have to re-authenticate. We have ours set to 120 (2 hours.)

If your URL has "&renew=true" then this will always be the case; that forces 
the user to re-authenticate to CAS regardless of their current session status. 
This option can also be forced through your service registry, so you'll want to 
check that as well.

Also, you may want to kick up your logging to DEBUG for additional details 
about what's going on during the login process.

Cookies working correctly too?

Ultimately to me, since "I was able to consistently reproduce the issue so 
after stopping tomcat 8 and rebooting the server it started working again." it 
sounds like one of your two boxes may be having an issue, because at that 
point, the connections should be failing over to the other one.

Chris



>>> Juan Quintanilla  01/14/16 7:29 AM >>>

So wanted to send an update, it seems that the intermittent SSO issue also 
happened on our Second CAS server today. Once it was rebooted it seemed to not 
prompt the user to log in again to a CAS application once they had already 
authenticated to another CAS application.  Below is a snippet from the logs 
showing LDAP authentication request for each service even though I was already 
authenticated in the first service.  When I took a look at the audit logs it 
seems that it's generating a new TGT for each service, so for some reason CAS 
was not recognizing that a TGT already existed for the user.  The client 
applications point to a load balanced address which directs the traffic to 
either of the 2 CAS servers using sticky sessions, I was able to consistently 
reproduce the issue so after stopping tomcat 8 and rebooting the server it 
started working again.


2016-01-14 07:27:33,286 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] -
2016-01-14 07:27:33,287 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] -

2016-01-14 07:27:33,298 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] -

2016-01-14 07:28:22,804 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] -

2016-01-14 07:28:22,902 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] -
2016-01-14 07:28:22,903 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] -

2016-01-14 07:28:22,912 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] -

2016-01-14 07:29:59,697 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] -

2016-01-14 07:29:59,795 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] -
2016-01-14 07:29:59,795 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] -

2016-01-14 07:29:59,803 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] -




___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu


____
From: cas-user@ap

[cas-user] Re: CAS Intermittent SSO logins issues

2016-01-14 Thread Juan Quintanilla
So wanted to send an update, it seems that the intermittent SSO issue also 
happened on our Second CAS server today. Once it was rebooted it seemed to not 
prompt the user to log in again to a CAS application once they had already 
authenticated to another CAS application.  Below is a snippet from the logs 
showing LDAP authentication request for each service even though I was already 
authenticated in the first service.  When I took a look at the audit logs it 
seems that it's generating a new TGT for each service, so for some reason CAS 
was not recognizing that a TGT already existed for the user.  The client 
applications point to a load balanced address which directs the traffic to 
either of the 2 CAS servers using sticky sessions, I was able to consistently 
reproduce the issue so after stopping tomcat 8 and rebooting the server it 
started working again.


2016-01-14 07:27:33,286 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] -
2016-01-14 07:27:33,287 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] -

2016-01-14 07:27:33,298 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] -

2016-01-14 07:28:22,804 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] -

2016-01-14 07:28:22,902 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] -
2016-01-14 07:28:22,903 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] -

2016-01-14 07:28:22,912 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] -

2016-01-14 07:29:59,697 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] -

2016-01-14 07:29:59,795 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] -
2016-01-14 07:29:59,795 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] -

2016-01-14 07:29:59,803 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] -




___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu



From: cas-user@apereo.org  on behalf of Juan Quintanilla 

Sent: Wednesday, January 13, 2016 8:33 PM
To: cas-user@apereo.org
Subject: [cas-user] CAS Intermittent SSO logins issues


Hi,

We are running CAS 3.6.0 and it's been working fine but on occasions we are 
seeing issues where a user logs into a CAS application and then goes to another 
CAS application and is prompted to log in again. The applications are not 
configured to renew or force a new login.

The 2 CAS servers point to the same Oracle database and are running Tomcat 8, 
both having the same configuration.

We see this more consistently on the first CAS server during Tomcat startup, 
where if we point an application to the 1st CAS server directly we are forced 
to log in to each application no matter if we have set a CAS Session.  Once the 
server is restarted again the issue goes away.

This time we see it very intermittently so we are not sure where to look; the 
second CAS server does not seem to have the issue, but like I said they have 
the same config and after a Tomcat restart it's fine.

Any help would really be appreciated.



___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu






[cas-user] CAS Intermittent SSO logins issues

2016-01-13 Thread Juan Quintanilla
Hi,

We are running CAS 3.6.0 and it's been working fine but on occasions we are 
seeing issues where a user logs into a CAS application and then goes to another 
CAS application and is prompted to log in again. The applications are not 
configured to renew or force a new login.

The 2 CAS servers point to the same Oracle database and are running Tomcat 8, 
both having the same configuration.

We see this more consistently on the first CAS server during Tomcat startup, 
where if we point an application to the 1st CAS server directly we are forced 
to log in to each application no matter if we have set a CAS Session.  Once the 
server is restarted again the issue goes away.

This time we see it very intermittently so we are not sure where to look; the 
second CAS server does not seem to have the issue, but like I said they have 
the same config and after a Tomcat restart it's fine.

Any help would really be appreciated.



___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu


