[cas-user] cas-management support for CAS v6.4+?

2022-02-26 Thread Pavlos Drandakis
Dear CAS maintainers/developers,

are there any plans for cas-management application to support CAS v6.4+?

Thank you, in advance,
Pavlos

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAKP%3DBg1%2Bejvp6mt1NC_n3hicma6wYbTqU_81n%3DvuCHe%2B2j9aaA%40mail.gmail.com.


Re: [cas-user] CAS 6.3.x problem with style?

2021-04-01 Thread Pavlos Drandakis
Hi Bartek,

We had the same issue and it seems that it was caused by the jsessionid that
was appended to the URL...
Adding in web.xml (in
),COOKIE, solved the problem
for us.

Best Regards,
Pavlos


On Thu, Apr 1, 2021 at 12:32 PM Bartosz Nitkiewicz 
wrote:

> Hi,
> We have a problem with proper loading CAS style during first use by a new
> user.
> There is an error log:
> 2021-04-01 11:24:51,539 ERROR
> [org.springframework.boot.web.servlet.support.ErrorPageFilter] -
> org.springframework.security.web.firewall.RequestRejectedException: The
> request was rejected because the URL contained a potentially malicious
> String ";"
>
> 2021-04-01 11:24:51,540 ERROR
> [org.springframework.boot.web.servlet.support.ErrorPageFilter] -
>  [/webjars/bootstrap/4.5.3/css/bootstrap-grid.min.css] due to exception [The
> request was rejected because the URL contained a potentially malicious
> String ";"]>
> org.springframework.security.web.firewall.RequestRejectedException: The
> request was rejected because the URL contained a potentially malicious
> String ";"
>
> 2021-04-01 11:24:51,541 ERROR
> [org.springframework.boot.web.servlet.support.ErrorPageFilter] -
>  [/webjars/material-components-web/8.0.0/dist/material-components-web.css]
> due to exception [The request was rejected because the URL contained a
> potentially malicious String ";"]>
> org.springframework.security.web.firewall.RequestRejectedException: The
> request was rejected because the URL contained a potentially malicious
> String ";"
>
> 2021-04-01 11:24:51,542 ERROR
> [org.springframework.boot.web.servlet.support.ErrorPageFilter] -
>  [/webjars/mdi__font/5.0.45/css/materialdesignicons.css] due to exception
> [The request was rejected because the URL contained a potentially malicious
> String ";"]>
> org.springframework.security.web.firewall.RequestRejectedException: The
> request was rejected because the URL contained a potentially malicious
> String ";"
>
> And few errors more.
>
>
> After refresh CAS is working fine, probably browser cache style file or
> something. The error does not occur during further use of the application.
> Does anyone have something similar?
> Regards
> Bartek
>



Re: [cas-user] CAS 6.3.2 Google Auth OTP Validation Issue

2021-03-10 Thread Pavlos Drandakis
Hi Philippe,

it seems that gauth validation is now fixed
(https://github.com/apereo/cas/commit/e7cb3b8b44867addcb6b8510cbbed45cbc9b265f).

Pavlos

On Tue, Mar 9, 2021 at 10:19 PM 'Philippe MARASSE' via CAS Community <
cas-user@apereo.org> wrote:

> Folks,
>
> Since we've installed our new cas v6.3.0 with MFA (gauth or u2f), we've
> run into a strange issue :
>   - TOTP registering works fine, first check of TOTP code is verified ok
> (a bad code is rejected, as expected)
>   - TOTP input before accessing a service is asked, but whatever
> numerical input can be sent, it will always be accepted ??
>
> In other words : Google authenticator TOTP does not work for us.
>
> I've set trace level on org.apereo.cas.gauth package, then used 1234 as
> TOTP token (expected tokens are 6 digit long) :
>
> 2021-03-09 20:59:30,214 DEBUG
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
>  [GoogleAuthenticatorAuthenticationHandler]>
> 2021-03-09 20:59:30,215 TRACE
>
> [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator]
> - 
> 2021-03-09 20:59:30,215 TRACE
>
> [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator]
> -  credential repository...>
> 2021-03-09 20:59:30,215 TRACE
>
> [org.apereo.cas.gauth.credential.RedisGoogleAuthenticatorTokenCredentialRepository]
> -  [RedisGoogleAuthenticatorTokenCredentialRepository:testuser:*]>
> 2021-03-09 20:59:30,218 TRACE
>
> [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator]
> -  [testuser]...>
> 2021-03-09 20:59:30,219 TRACE
> [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] -
>  [GoogleAuthenticatorRedisTokenRepository:testuser:1234]>
> 2021-03-09 20:59:30,220 DEBUG
>
> [org.apereo.cas.gauth.credential.GoogleAuthenticatorOneTimeTokenCredentialValidator]
> - 
> 2021-03-09 20:59:30,232 DEBUG
> [org.apereo.cas.gauth.GoogleAuthenticatorAuthenticationHandler] -
>  userId=testuser, issuedDateTime=2021-03-09T20:59:30.224663)]
> successfully for [testuser]>
> 2021-03-09 20:59:30,232 TRACE
> [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] -
>  userId=testuser, issuedDateTime=2021-03-09T20:59:30.224663)] using key
> [GoogleAuthenticatorRedisTokenRepository:testuser:1234]>
> 2021-03-09 20:59:30,281 TRACE
> [org.apereo.cas.gauth.token.GoogleAuthenticatorRedisTokenRepository] -
>  userId=testuser, issuedDateTime=2021-03-09T20:59:30.224663)]>
> 2021-03-09 20:59:30,282 DEBUG
> [org.apereo.cas.gauth.GoogleAuthenticatorAuthenticationHandler] -
> 
> 2021-03-09 20:59:30,282 DEBUG
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
>  successfully authenticated
>
> [GoogleAuthenticatorTokenCredential(super=OneTimeTokenCredential(token=1234),
> accountId=1614873350660)]>
>
> our dependencies :
>
> dependencies {
>     implementation "org.apereo.cas:cas-server-support-ldap:${project.'cas.version'}"
>     implementation "org.apereo.cas:cas-server-support-json-service-registry:${project.'cas.version'}"
>     implementation "org.apereo.cas:cas-server-support-reports:${project.'cas.version'}"
>
>     implementation "org.apereo.cas:cas-server-support-u2f:${project.'cas.version'}"
>     implementation "org.apereo.cas:cas-server-support-u2f-redis:${project.'cas.version'}"
>
>     implementation "org.apereo.cas:cas-server-support-gauth:${project.'cas.version'}"
>     implementation "org.apereo.cas:cas-server-support-gauth-redis:${project.'cas.version'}"
>
>     implementation "org.apereo.cas:cas-server-support-saml:${project.'cas.version'}"
>
>     implementation "org.apereo.cas:cas-server-support-redis-ticket-registry:${project.'cas.version'}"
> }
>
> And relevant configuration in cas.properties :
>
> cas.authn.mfa.gauth.code-digits=6
> cas.authn.mfa.gauth.time-step-size=30
> cas.authn.mfa.gauth.rank=2
>
> Any idea ?
>
> Regards.
>
> --
> Philippe MARASSE
>
> Responsable pôle Infrastructures - DSIO
> Centre Hospitalier Henri Laborit
> CS 10587 - 370 avenue Jacques Cœur
> 86021 Poitiers Cedex
> Tel : 05.49.44.57.19
>
>


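Added example, not part of the thread and not CAS code: the report quoted above describes a 4-digit input being accepted where 6-digit tokens are expected. This RFC 6238 verifier in Python uses the `code-digits=6` and `time-step-size=30` values from the quoted cas.properties and shows the checks a validator has to make: token shape, per-step comparison, and single use. The class name, the one-step window and the in-memory set of used counters are assumptions of this example.

```python
import hashlib
import hmac
import struct

CODE_DIGITS = 6   # cas.authn.mfa.gauth.code-digits in the quoted configuration
TIME_STEP = 30    # cas.authn.mfa.gauth.time-step-size in the quoted configuration

# Constructed sample secret: the ASCII test key from RFC 4226 / RFC 6238.
RFC_SECRET = b"12345678901234567890"


def totp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """Return the HOTP/TOTP value (HMAC-SHA1) for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpValidator:
    """Hypothetical validator: one instance per enrolled account."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # accepted clock drift, in time steps
        self.used_counters = set()    # steps whose token was already accepted

    def validate(self, token: str, now: float) -> bool:
        # 1. Shape check: exactly CODE_DIGITS ASCII digits. "1234" stops here.
        if len(token) != CODE_DIGITS or not token.isascii() or not token.isdigit():
            return False

        # 2. Compare against every step in the drift window, in constant time.
        current = int(now) // TIME_STEP
        matched = None
        for counter in range(current - self.window, current + self.window + 1):
            if counter < 0:
                continue
            if hmac.compare_digest(totp(self.secret, counter), token):
                matched = counter

        # 3. No match means reject; a match on an already used step is a replay.
        if matched is None or matched in self.used_counters:
            return False

        # 4. Record the step only after a successful match.
        self.used_counters.add(matched)
        return True


if __name__ == "__main__":
    validator = TotpValidator(RFC_SECRET)
    now = 59  # constructed timestamp: falls in time step 1
    for candidate in ("1234", "000000", "287082", "287082"):
        print(candidate, validator.validate(candidate, now))
```

The last two lines of output differ: the first submission of `287082` is accepted and the second is rejected as a replay of the same time step.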
Re: [cas-user] 6.2.x Gradle Compilation

2020-02-11 Thread Pavlos Drandakis
By default, systemd allows tomcat to write only under the following
directories:
/etc/tomcat9/Catalina/
/var/lib/tomcat9/webapps/
/var/log/tomcat9/

So, you should override systemd - tomcat settings, to allow writing to any
other directory (/var/log/ in your case).

Add the following in /etc/systemd/system/tomcat9.service.d/override.conf
file (if it's not already there, just create it)

[Service]
ReadWritePaths=/var/log/

If you want to add more directories add more ReadWritePaths=xxx entries

Pavlos




On Tue, Feb 11, 2020 at 8:18 PM Ray Bon  wrote:

> tomcat user will need write access to those files. If the files do not
> exist, create them:
> # touch /var/log/cas.log
> # chgrp tomcat /var/log/cas.log
>
> My /var/log has these permissions
> drwxrwxr-x 18 root syslog   4096 Feb 11 00:00 log
>
> so tomcat user can not create those files, it must be done beforehand.
>
> Ray
>
> On Tue, 2020-02-11 at 10:05 -0800, Jérémie Pilette wrote:
>
> I work with Debian 10 / Tomcat 9.0.16
>
> To start : systemctl start tomcat9
>
> root@debian10:~# ps aux | grep tomcat
> tomcat9793  1.9  3.6 14146344 1197524 ?Ssl  17:07   1:06 /usr/lib/
> jvm/java-11-openjdk-amd64/bin/java -Djava.util.logging.config.file=/var/
> lib/tomcat9/conf/logging.properties -Djava.util.logging.manager=org.apache
> .juli.ClassLoaderLogManager -Djava.awt.headless=true -Djdk.tls.
> ephemeralDHKeySize=2048 
> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
> -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.
> endorsed.dirs= -classpath /usr/share/tomcat9/bin/bootstrap.jar:/usr/share/
> tomcat9/bin/tomcat-juli.jar -Dcatalina.base=/var/lib/tomcat9 -Dcatalina.
> home=/usr/share/tomcat9 -Djava.io.tmpdir=/tmp
> org.apache.catalina.startup.Bootstrap start
> root 10085  0.0  0.0   6144   896 pts/0S+   18:03   0:00 grep
> tomcat
>
>
> Jérémie
>
>
> Le mardi 11 février 2020 19:00:21 UTC+1, rbon a écrit :
>
> How are you starting tomcat?
> Is catalina.out being written to /var/log or is it in TOMCAT_HOME/logs?
>
> To see process owner:
> $ ps aux | grep tomcat
>
> Ray
>
> On Tue, 2020-02-11 at 09:06 -0800, Jérémie Pilette wrote:
>
> Sorry, it is
>
>- cas.log
>- cas_audit.log
>
> of course...
>
> --
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>



[cas-user] discoveryProfile xml parse error

2019-05-27 Thread Pavlos Drandakis
 Hi all,

when accessing the discoveryProfile endpoint via browser, I get the
following error message:
XML Parsing Error: not well-formed Location:
https://cas.example.com/actuator/discoveryProfile Line Number 1, Column 50:
org.apereo.cas.services.RegexRegisteredService...
^
Shouldn't this be a json response? Am I missing something?

Thanks in advance,
Pavlos

P.S.: When using chromium the error message is:
This page contains the following errors:
error on line 1 at column 50: Specification mandates value for attribute
Client
Below is a rendering of the page up to the first error.



[cas-user] CAS 6.x NPE during ticket validation, when using adaptive mfa.

2019-05-27 Thread Pavlos Drandakis
Hi all,

it seems that in CAS 6.x (tested against latest 6.0.x and 6.1.0-RC4 tree),
adaptive mfa flow is triggered also during the ticket validation process.
As a consequence, when checking if agent matches the allowed pattern,
ticket validation fails with the following NPE, as agent is null

2019-05-27 10:07:42,181 WARN [org.apereo.cas.web.AbstractServiceValidateController] - 
[2019-05-27 10:07:42] [info] java.lang.NullPointerException: null
[2019-05-27 10:07:42] [info] at org.apereo.cas.authentication.trigger.AdaptiveMultifactorAuthenticationTrigger.checkUserAgentOrClientIp(AdaptiveMultifactorAuthenticationTrigger.java:99) ~[cas-server-core-authentication-mfa-api-6.1.0-RC4-SNAPSHOT.jar:6.1.0-RC4-SNAPSHOT]
[2019-05-27 10:07:42] [info] at org.apereo.cas.authentication.trigger.AdaptiveMultifactorAuthenticationTrigger.isActivated(AdaptiveMultifactorAuthenticationTrigger.java:87) ~[cas-server-core-authentication-mfa-api-6.1.0-RC4-SNAPSHOT.jar:6.1.0-RC4-SNAPSHOT]
…

By checking if agent is null before calling checkUserAgentOrClientIp (or
before checking if agent matches the allowed pattern), the NPE goes away
and ticket validation succeeds. However, IMHO, I think that the adaptive
mfa flow shouldn’t be triggered at all when accessing ticketing validation
endpoints…

Any thoughts?

Thanks in advance,

Pavlos



Re: [cas-user] CAS 5.1.5 Login View Title

2017-12-13 Thread Pavlos Drandakis

Hi Mac,

I think that you have to change the title element in 
classes/templates/layout.html...


Cheers,

Pavlos


On 13/12/2017 06:43 μμ, Mac Reid wrote:

Hi all,

I am trying to modify the HTML title of the default theme. I have 
added a custom messages file 
(src/main/resources/custom_messages.properties) with a 
modified cas.login.pagetitle, but the title of the page shows up as My 
String - CAS - Central Authentication Service.


I then modified the default fragment for the header 
(src/main/resources/templates/fragments/head.html) to not insert a 
value to the title (comment out CAS - 
Central Authentication Service or set the inner string to 
something else). The page title still shows the - CAS - Central 
Authentication Service string regardless.


Lastly, even when setting the title element in the casLoginView.html 
itself, the resulting page /still/ shows the - CAS - Central 
Authentication Service string after rebuilding the WAR. I have tried 
emptying my browser cache between attempts to no avail.


How do I get rid of the '- CAS - Central Authentication Service' 
addition to the page title?


Thanks,

Mac Reid




Re: [cas-user] Re: Release Attributes from LDAP Authentication

2017-06-30 Thread Pavlos Drandakis

Hi,

have you enabled sso server to release attributes to your service 
(https://apereo.github.io/cas/5.1.x/integration/Attribute-Release-Policies.html) 
?


Pavlos
On 30/06/2017 03:27 μμ, Rafa wrote:

Hi,

I'm using CAS protocol and validating ST against the /p3/serviceValidate.

I'm not familiar with SAML protocol.

On Friday, June 30, 2017 at 2:08:58 PM UTC+2, vallee.romain wrote:

What is the client protocol ?
try with SAML

Le vendredi 30 juin 2017 13:39:55 UTC+2, Rafa a écrit :

Hi,

It's working for me, I've set also the property
cas.authn.ldap[0].allowMissingPrincipalAttributeValue=true
(although I think it's not needed) and the attributes list on
this two properties match:

cas.authn.ldap[0].principalAttributeList=cn,sn,mail
cas.authn.attributeRepository.defaultAttributesToRelease=cn,sn,mail

Maybe that's the issue in your case.






Re: [cas-user] Re: CAS 5.1 Risk Based Authentication issues

2017-06-28 Thread Pavlos Drandakis

Hi Ludovic,

I think that the purpose of this property is for "registering" 
risk-based authentication in authentication handlers and that its value 
is just a name, could be whatever. If none is specified, the default 
triggeredRiskBasedAuthentication, will be used.


Pavlos


On 26/06/2017 05:48 μμ, Ludovic Senecaux wrote:
Did you find the purpose of 
cas.authn.adaptive.risk.response.riskyAuthenticationAttribute ?




Re: [cas-user] Re: CAS 5.1 Risk Based Authentication issues

2017-06-26 Thread Pavlos Drandakis

Hi,

I just did a PR for this issue 
(https://github.com/apereo/cas/pull/2721), but there is no review yet.


Pavlos

On 26/06/2017 04:05 μμ, Ludovic Senecaux wrote:

I had an issue when I try to login...
Have you got an idea ?

WHO: foo
WHAT: org.hibernate.QueryException: could not resolve property: creationTime of: org.apereo.cas.support.events.dao.CasEvent [SELECT r from org.apereo.cas.support.events.dao.CasEvent r where r.type = :type and r.creationTime >= :creationTime and r.principalId = :principalId]
ACTION: EVALUATE_RISKY_AUTHENTICATION
APPLICATION: CAS
WHEN: Mon Jun 26 15:01:29 CEST 2017
CLIENT IP ADDRESS: 10.0.0.1
SERVER IP ADDRESS: cas5-test.test.lan

2017-06-26 15:01:29,767 WARN [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver] - not resolve property: creationTime of: org.apereo.cas.support.events.dao.CasEvent [SELECT r from org.apereo.cas.support.events.dao.CasEvent r where r.type = :type and r.creationTime >= :creationTime and r.principalId = :principalId]>
java.lang.IllegalArgumentException: org.hibernate.QueryException: could not resolve property: creationTime of: org.apereo.cas.support.events.dao.CasEvent [SELECT r from org.apereo.cas.support.events.dao.CasEvent r where r.type = :type and r.creationTime >= :creationTime and r.principalId = :principalId]

Thanks





Re: [cas-user] Re: CAS 5.1 Risk Based Authentication issues

2017-06-26 Thread Pavlos Drandakis

Hi Ludovic,

yes, I finally understood what was wrong, see here: 
https://github.com/apereo/cas/pull/2716


To disable google-maps-library dependency, add an exclusion to your 
pom.xml like this:

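
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-electrofence</artifactId>
    <version>${cas.version}</version>
    <exclusions>
        <exclusion>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-geolocation-googlemaps</artifactId>
        </exclusion>
    </exclusions>
</dependency>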

Regards,
Pavlos


On 26/06/2017 01:33 μμ, Ludovic Senecaux wrote:

Did you find a solution?
Moreover, when I add this library, the google-maps library is added in 
dependency whereas I already use that of maxmind for geolocation.


Regards,





Re: [cas-user] CAS 5.1 Password expired issues

2017-06-23 Thread Pavlos Drandakis

Hello all,

just for future reference...

PPolicy issues are now fixed in v5.1.1. There is no need to add anything 
in the login-webflow.xml...


Pavlos

On 22/06/2017 08:31 μμ, Pavlos Drandakis wrote:


Hi Ben,

No, I hadn't, but I just did it: https://github.com/apereo/cas/issues/2703

Cheers,
Pavlos

On 22/06/2017 06:43 μμ, Ben Howell-Thomas wrote:

Regarding :

Eventually, everything seems to work ok, after adding in
login-webflow.xml the following (which is present in CAS v5.0.x
but not in CAS v5.1.0):















I don't know if it is the right way, but it seems to work...


Have you reported it as a bug or anything already?

It looks like the above states are being set up by 
DefaultWebflowConfigurer.createHandleAuthenticationFailureAction() 
but they aren't having any effect.


(Also, thanks for the workaround :)

On 17 June 2017 at 17:14, Pavlos Drandakis <mailto:pdra...@noc.edunet.gr>> wrote:


Eventually, everything seems to work ok, after adding in
login-webflow.xml the following (which is present in CAS v5.0.x
but not in CAS v5.1.0):

















I don't know if it is the right way, but it seems to work...

Pavlos
P.S.: In order to show expiredPassView messages I had to
a) copy fragments/pwdupdateform.html to
fragments/pwdexpiredform.html,
b) change the relevant th messages to screen.expiredpass.heading
and screen.expiredpass.message
c) change in casExpiredPassView.html
th:replace="fragments/pwdupdateform" to
th:replace="fragments/pwdexpiredform"



On 16/06/2017 12:22 μμ, Ludovic Senecaux wrote:

The logs provide the right information from the LDAP directory,
but the CAS does not seem to return the correct JSP page.

2017-06-08 14:41:32,478 DEBUG [org.apereo.cas.authentication.support.DefaultAccountStateHandler] -
2017-06-08 14:41:32,478 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] failed authenticating [foo]>
2017-06-08 14:41:32,479 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] exception details: [null]>
2017-06-08 14:41:32,479 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
2017-06-08 14:41:32,480 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
2017-06-08 15:15:35,859 DEBUG [org.apereo.cas.authentication.support.DefaultAccountStateHandler] -
2017-06-08 15:15:35,860 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] failed authenticating [foo]>
2017-06-08 15:15:35,860 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] exception details: [null]>
2017-06-08 15:15:35,861 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
2017-06-08 15:15:35,862 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -



Re: [cas-user] CAS 5.1 Password expired issues

2017-06-22 Thread Pavlos Drandakis

Hi Ben,

No, I hadn't, but I just did it: https://github.com/apereo/cas/issues/2703

Cheers,
Pavlos

On 22/06/2017 06:43 μμ, Ben Howell-Thomas wrote:

Regarding :

Eventually, everything seems to work ok, after adding in
login-webflow.xml the following (which is present in CAS v5.0.x
but not in CAS v5.1.0):















I don't know if it is the right way, but it seems to work...


Have you reported it as a bug or anything already?

It looks like the above states are being set up by 
DefaultWebflowConfigurer.createHandleAuthenticationFailureAction() but 
they aren't having any effect.


(Also, thanks for the workaround :)

On 17 June 2017 at 17:14, Pavlos Drandakis <mailto:pdra...@noc.edunet.gr>> wrote:


Eventually, everything seems to work ok, after adding in
login-webflow.xml the following (which is present in CAS v5.0.x
but not in CAS v5.1.0):

















I don't know if it is the right way, but it seems to work...

Pavlos
P.S.: In order to show expiredPassView messages I had to
a) copy fragments/pwdupdateform.html to fragments/pwdexpiredform.html,
b) change the relevant th messages to screen.expiredpass.heading
and screen.expiredpass.message
c) change in casExpiredPassView.html
th:replace="fragments/pwdupdateform" to
th:replace="fragments/pwdexpiredform"



On 16/06/2017 12:22 μμ, Ludovic Senecaux wrote:

The logs provide the right information from the LDAP directory,
but the CAS does not seem to return the correct JSP page.

|
2017-06-08 14:41:32,478 DEBUG
[org.apereo.cas.authentication.support.DefaultAccountStateHandler] -
2017-06-08 14:41:32,478 INFO
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] failed
authenticating [foo]>
2017-06-08 14:41:32,479 DEBUG
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] exception
details: [null]>
2017-06-08 14:41:32,479 WARN
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
2017-06-08 14:41:32,480 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
2017-06-08 15:15:35,859 DEBUG
[org.apereo.cas.authentication.support.DefaultAccountStateHandler] -
2017-06-08 15:15:35,860 INFO
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] failed
authenticating [foo]>
2017-06-08 15:15:35,860 DEBUG
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] exception
details: [null]>
2017-06-08 15:15:35,861 WARN
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
2017-06-08 15:15:35,862 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -



Re: [cas-user] CAS 5.1 Password expired issues

2017-06-22 Thread Pavlos Drandakis

Yes, you are right, I've only checked messages.properties...

I have no thymeleaf experience and surely someone else could help you 
more. Nevertheless I've found that, perhaps, the following is what you 
are looking for: 
"#{screen.mustchangepass.message(${@environment.getProperty('cas.authn.pm.changeUrl')})}"


I have no idea if this is the "right" way to do it...

Regards,
Pavlos

On 22/06/2017 01:25 PM, Ludovic Senecaux wrote:

There is a {0} in messages_*XX*.properties but not in messages.properties


Re: [cas-user] CAS 5.1 Password expired issues

2017-06-21 Thread Pavlos Drandakis
Ok, now I understand what you are trying to do, but I don't think that 
you can do it without editing messages{_xx}.properties. 
screen.mustchangepass.message doesn't have a {0} in it, so there is 
nothing to replace... The url is hard coded in the message.


Regards,
Pavlos

On 21/06/2017 06:38 PM, Ludovic Senecaux wrote:
I want to display a correct URL (defined in cas.properties) to users 
without modifying messages.properties.
I put a parameter to #{screen.mustchangepass.message} in 
pwdupdatepass.html file that overrides "{0}" variable in 
messages_XX.properties like it is explained here: 
http://www.thymeleaf.org/doc/tutorials/2.1/usingthymeleaf.html#variables


Regards,

On 21 June 2017 16:25, "Pavlos Drandakis" <pdra...@noc.edunet.gr> wrote:



On 21/06/2017 12:10 PM, Ludovic Senecaux wrote:

Thanks Pavlos, it works !

Glad to hear it :-)


Have you found any workarounds for :

1/ the use of pwdGraceAuthNLimit

When pwdGraceAuthNLimit was enabled, I kept getting NPE in
logs and nothing in login form. After this change:
https://github.com/apereo/cas/pull/2697 everything seems to
work, as expected (User is presented with the
password.expiration.loginsRemain message)

2/ customize URL for password update (I tried to set
"#{screen.mustchangepass.message(${cas.authn.pm.changeUrl})}" in
pwdupdateform.html, but unsuccessfully)

I am not sure that I understand your question... Isn't editing
screen.mustchangepass.message in messages.properties what you need?


Regards,

Regards,
Pavlos







Re: [cas-user] CAS 5.1 Password expired issues

2017-06-21 Thread Pavlos Drandakis


On 21/06/2017 12:10 PM, Ludovic Senecaux wrote:

Thanks Pavlos, it works !

Glad to hear it :-)


Have you found any workarounds for :

1/ the use of pwdGraceAuthNLimit
When pwdGraceAuthNLimit was enabled, I kept getting NPE in logs and 
nothing in login form. After this change: 
https://github.com/apereo/cas/pull/2697 everything seems to work, as 
expected (User is presented with the password.expiration.loginsRemain 
message)
2/ customize URL for password update (I tried to set 
"#{screen.mustchangepass.message(${cas.authn.pm.changeUrl})}" in 
pwdupdateform.html, but unsuccessfully)
I am not sure that I understand your question... Isn't editing 
screen.mustchangepass.message in messages.properties what you need?


Regards,

Regards,
Pavlos




Re: [cas-user] CAS 5.1 Password expired issues

2017-06-20 Thread Pavlos Drandakis

Hi Ludovic,

it seems that adding the following in login-webflow.xml, solves the problem:



Cheers,
Pavlos

On 20/06/2017 10:37 AM, Ludovic Senecaux wrote:

It works when I add "pwdAccountLockedTime" attribute for a user.
But when I add "pwdReset = TRUE", I got

|
2017-06-20 08:56:34,445 ERROR
[org.springframework.boot.web.support.ErrorPageFilter] - error page from request [/login] due to exception [Exception thrown in state 'handleAuthenticationFailure' of flow 'login']>
org.springframework.webflow.execution.FlowExecutionException: Exception thrown 
in state 'handleAuthenticationFailure' of flow 'login'

...
Caused by: java.lang.IllegalArgumentException: Cannot find state with id 
'casMustChangePassView' in flow 'login' -- Known state ids are 
'array['initialAuthenticationRequestValidationCheck', 
'ticketGrantingTicketCheck', 'initializeLoginForm', 'viewLoginForm', 
'realSubmit', 'showAuthenticationWarningMessages', 
'handleAuthenticationFailure', 'sendTicketGrantingTicket', 
'generateServiceTicket', 'viewRedirectToUnauthorizedUrlView', 
'viewServiceErrorView', 'redirectView', 'postView', 
'viewGenericLoginSuccess', 'showWarningView', 'finalizeWarning', 
'serviceUnauthorizedCheck', 'serviceCheck', 'warn', 
'gatewayRequestCheck', 'hasServiceCheck', 'renewRequestCheck', 
'terminateSession', 'gatewayServicesManagementCheck', 
'serviceAuthorizationCheck', 'redirect', 'mfa-gauth', 
'casAuthenticationBlockedView', 'casBadWorkstationView', 
'casBadHoursView', 'casAccountLockedView', 'casAccountDisabledView', 
'casPasswordUpdateSuccessView', 'passwordChangeAction', 
'casExpiredPassView', 'casResetPasswordSendInstructionsView', 
'sendInstructions', 'casResetPasswordSentInstructionsView']'
|

Have you got an idea ?
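
The exception quoted above ("Cannot find state with id 'casMustChangePassView' in flow 'login'") is raised when a transition names a state id the flow does not contain. The following is an added example, not part of the original thread and not CAS code: a small linter that reports such dangling targets in a Spring Web Flow XML definition before deployment. The sample flow and its `on=` event names are constructed, and `programmatic_states` is a hypothetical parameter for state ids that a webflow configurer registers in code rather than in the XML.

```python
import xml.etree.ElementTree as ET

# Element names that define a state in a Spring Web Flow XML definition.
STATE_TAGS = {"action-state", "view-state", "decision-state",
              "subflow-state", "end-state"}


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def dangling_targets(flow_xml, programmatic_states=()):
    """Return sorted (source, target) pairs whose target state id is defined
    neither in the XML nor in programmatic_states (ids added in code)."""
    root = ET.fromstring(flow_xml)
    defined = set(programmatic_states)
    for el in root:
        if _local(el.tag) in STATE_TAGS and el.get("id"):
            defined.add(el.get("id"))

    missing = set()
    start = root.get("start-state")
    if start and start not in defined:
        missing.add(("<flow start-state>", start))

    for state in root:
        name = _local(state.tag)
        if name in STATE_TAGS:
            source = state.get("id")
        elif name == "global-transitions":
            source = "<global-transitions>"
        else:
            continue
        for el in state.iter():
            tag = _local(el.tag)
            if tag == "transition":
                targets = [el.get("to")]
            elif tag == "if":  # decision-state branches
                targets = [el.get("then"), el.get("else")]
            else:
                continue
            for target in targets:
                # Targets written as expressions are resolved at run time
                # and cannot be checked statically.
                if not target or target.startswith(("${", "#{")):
                    continue
                if target not in defined:
                    missing.add((source, target))
    return sorted(missing)


# Constructed sample: a cut-down 'login' flow in which the failure handler
# points at casMustChangePassView but no such view-state is declared.
SAMPLE_FLOW = """
<flow xmlns="http://www.springframework.org/schema/webflow" start-state="realSubmit">
  <action-state id="realSubmit">
    <evaluate expression="authenticationViaFormAction"/>
    <transition on="success" to="viewGenericLoginSuccess"/>
    <transition on="authenticationFailure" to="handleAuthenticationFailure"/>
  </action-state>
  <action-state id="handleAuthenticationFailure">
    <evaluate expression="authenticationExceptionHandler.handle(currentEvent.attributes.error, messageContext)"/>
    <transition on="AccountLockedException" to="casAccountLockedView"/>
    <transition on="CredentialExpiredException" to="casExpiredPassView"/>
    <transition on="AccountPasswordMustChangeException" to="casMustChangePassView"/>
  </action-state>
  <end-state id="viewGenericLoginSuccess" view="casGenericSuccessView"/>
  <view-state id="casAccountLockedView" view="casAccountLockedView"/>
  <view-state id="casExpiredPassView" view="casExpiredPassView"/>
</flow>
"""

if __name__ == "__main__":
    for source, target in dangling_targets(SAMPLE_FLOW):
        print(f"state '{source}' transitions to undefined state '{target}'")
```

Because states may also be registered programmatically, pass the ids known to be created in code as `programmatic_states` to avoid false positives.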





[cas-user] CAS 5.1 Risk Based Authentication issues

2017-06-18 Thread Pavlos Drandakis
Hello all,

I am trying to enable Risk Based Authentication in CAS 5.1.0. by following
the documentation
(https://apereo.github.io/cas/5.1.x/installation/Configuring-RiskBased-Authentication.html).
I have added cas-server-support-electrofence in pom.xml, I have enabled
tracking and recording authentication events and geolocating
authentication requests (maxmind) but I don't see any risk calculation
when authenticating users.

I have added in cas.properties the following:
cas.authn.adaptive.risk.response.mfaProvider=mfa-gauth
cas.authn.adaptive.risk.threshold=0.6
cas.authn.adaptive.risk.daysInRecentHistory=1
cas.authn.adaptive.risk.ip.enabled=true
cas.authn.adaptive.risk.agent.enabled=true
cas.authn.adaptive.risk.geoLocation.enabled=true
cas.authn.adaptive.risk.response.riskyAuthenticationAttribute=triggeredRiskBasedAuthentication
cas.authn.adaptive.risk.response.blockAttempt=false

In remote debugging, *Risk* code is never reached.
In cas.log there is nothing mentioning *risk* even though I have the
following in log4j.xml






What am I missing?

Thanks, in advance,
Pavlos

P.S.: What is the meaning/purpose of
cas.authn.adaptive.risk.response.riskyAuthenticationAttribute? What are
its possible values?





Re: [cas-user] CAS 5.1 Password expired issues

2017-06-17 Thread Pavlos Drandakis
Eventually, everything seems to work ok, after adding in 
login-webflow.xml the following (which is present in CAS v5.0.x but not 
in CAS v5.1.0):



expression="authenticationExceptionHandler.handle(currentEvent.attributes.error, 
messageContext)"/>
to="casAccountDisabledView"/>


to="casExpiredPassView"/>
to="casMustChangePassView"/>
to="casBadWorkstationView"/>



to="initializeLoginForm"/>
to="initializeLoginForm" />
to="initializeLoginForm"/>
to="casAuthenticationBlockedView"/>




I don't know if it is the right way, but it seems to work...

Pavlos
P.S.: In order to show expiredPassView messages I had to
a) copy fragments/pwdupdateform.html to fragments/pwdexpiredform.html,
b) change the relevant th messages to screen.expiredpass.heading and 
screen.expiredpass.message
c) change in casExpiredPassView.html 
th:replace="fragments/pwdupdateform" to 
th:replace="fragments/pwdexpiredform"



On 16/06/2017 12:22 PM, Ludovic Senecaux wrote:
The logs provide the right information from the LDAP directory, but 
the CAS does not seem to return the correct JSP page.


|
2017-06-08 14:41:32,478 DEBUG
[org.apereo.cas.authentication.support.DefaultAccountStateHandler] - [ACCOUNT_LOCKED]>
2017-06-08 14:41:32,478 INFO
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] failed
authenticating [foo]>
2017-06-08 14:41:32,479 DEBUG
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] exception
details: [null]>
2017-06-08 14:41:32,479 WARN
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - failed. Credentials may be incorrect or CAS cannot find authentication
handler that supports [foo] of type [UsernamePasswordCredential], which
suggests a configuration problem.>
2017-06-08 14:41:32,480 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - record BEGIN

=
WHO: foo
WHAT: Supplied credentials: [foo]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Thu Jun 08 14:41:32 CEST 2017
CLIENT IP ADDRESS: 10.199.2.7
SERVER IP ADDRESS: 192.168.108.100
=
|


|
2017-06-08 15:15:35,859 DEBUG
[org.apereo.cas.authentication.support.DefaultAccountStateHandler] - based on pre-defined attributes>
2017-06-08 15:15:35,859 DEBUG
[org.apereo.cas.authentication.support.DefaultAccountStateHandler] - [CHANGE_AFTER_RESET]>
2017-06-08 15:15:35,860 INFO
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] failed
authenticating [foo]>
2017-06-08 15:15:35,860 DEBUG
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] exception
details: [null]>
2017-06-08 15:15:35,861 WARN
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - failed. Credentials may be incorrect or CAS cannot find authentication
handler that supports [foo] of type [UsernamePasswordCredential], which
suggests a configuration problem.>
2017-06-08 15:15:35,862 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - record BEGIN

=
WHO: foo
WHAT: Supplied credentials: [foo]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Thu Jun 08 15:15:35 CEST 2017
CLIENT IP ADDRESS: 10.199.2.7
SERVER IP ADDRESS: unknown
=
|





Re: [cas-user] CAS 5.1 Password expired issues

2017-06-11 Thread Pavlos Drandakis
Hi Ben,

thanks for your answer, but that bug (which is already resolved, as you
said) was for AD and for version 5.1 RC1. The problem that I have is for
Generic (OpenLDAP) and the official CAS 5.1.0 version (I had the same
issue also with 5.1 RC4).

Is there anyone that has/could share a working configuration for CAS 5.1.0
- OpenLDAP - LPPE support?

Thanks, in advance,
Pavlos



> This bug https://github.com/apereo/cas/issues/2322 previously could stop
> the expired password being handled but it's fixed in 5.1 RC2.
>
> On 8 June 2017 at 15:10, Pavlos Drandakis  wrote:
>
>> Hi Ben,
>>
>> Thanks for your suggestion, but I have already tried it (and tried it
>> once
>> again, now). The problem still exists. This property, IIUC, only enables
>> in-place password management and has nothing to do with the missing
>> message/view/flow.
>>
>> In CAS v5.0.x the "same" configuration with the same OpenLDAP backend
>> worked as expected...
>>
>> handleAuthenticationFailure, as you said, should handle
>> CredentialExpiredException and render the VIEW_ID_EXPIRED_PASSWORD
>> (casExpireedPassView) but I don't see that happening. Perhaps, when
>> reaching that point, CredentialExpiredException is "lost" and a generic
>> AuthenticationException is thrown...
>>
>> Pavlos
>> > Have a look at :
>> >
>> > cas.authn.pm.enabled=true
>> >
>> >
>> > which I think you need to set.
>> >
>> > Also login-webflow.xml has a handleAuthenticationFailure step which
>> > handles
>> > all the different exceptions, including CredentialExpiredException.
>> >
>> >
>> > On 7 June 2017 at 13:54, Pavlos Drandakis 
>> wrote:
>> >
>> >> Hello all,
>> >>
>> >> I am trying to setup CAS 5.1 (using the maven overlay method) to
>> >> authenticate users against an OpenLDAP server. If user's password is
>> not
>> >> expired, everything works as expected. But, when user's password
>> >> expires,
>> >> all I get is the "Invalid credentials" error in login page instead of
>> >> the
>> >> password expired view.
>> >>
>> >> This is what I have in cas.properties:
>> >> cas.authn.ldap[0].type=AUTHENTICATED
>> >> cas.authn.ldap[0].ldapUrl=ldap://ldap.example.com
>> >> cas.authn.ldap[0].useSsl=false
>> >> cas.authn.ldap[0].useStartTls=false
>> >> cas.authn.ldap[0].baseDn=dc=example,dc=com
>> >> cas.authn.ldap[0].userFilter=uid={user}
>> >> cas.authn.ldap[0].bindDn=cn=admin,dc=example,dc=com
>> >> cas.authn.ldap[0].bindCredential=secretpass
>> >>
>> >> cas.authn.ldap[0].passwordPolicy.type=GENERIC
>> >> cas.authn.ldap[0].passwordPolicy.enabled=true
>> >>
>> >> Am I missing something?
>> >> Thanks, in advance
>> >> Pavlos
>> >>
>> >> P.S.: Relevant log entries:
>> >> 2017-06-07 15:20:22,463 DEBUG
>> >> [org.apereo.cas.authentication.LdapAuthenticationHandler] - > >> password policy to
>> >> [[org.ldaptive.auth.AuthenticationResponse@1608121171::
>> >> authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
>> >> resolvedDn=uid=auser,ou=People,dc=example,dc=com,
>> >> ldapEntry=[dn=uid=auser,ou=People,dc=example,dc=com[]],
>> >> accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@
>> >> 1354577001::accountWarnings=null,
>> >> accountErrors=[PASSWORD_EXPIRED]], result=false,
>> >> resultCode=INVALID_CREDENTIALS,
>> >> message=javax.naming.AuthenticationException: [LDAP: error code 49 -
>> >> Invalid Credentials],
>> >> controls=[[org.ldaptive.control.PasswordPolicyControl@
>> >> 655105816::criticality=false,
>> >> timeBeforeExpiration=0, graceAuthNsRemaining=0,
>> >> error=PASSWORD_EXPIRED>
>> >> 2017-06-07 15:20:22,464 DEBUG
>> >> [org.apereo.cas.authentication.support.DefaultAccountStateHandler] -
>> >> 
>> >> 2017-06-07 15:20:22,465 INFO
>> >> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
>> >> <[LdapAuthenticationHandler] failed authenticating [auser]>
>> >> 2017-06-07 15:20:22,465 DEBUG
>> >> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
>> >> <[LdapAuthenticationHandler] exception details: [null]>
>> >> 2017-06-

Re: [cas-user] CAS 5.1 Password expired issues

2017-06-08 Thread Pavlos Drandakis
Hi Ben,

Thanks for your suggestion, but I have already tried it (and tried it once
again, now). The problem still exists. This property, IIUC, only enables
in-place password management and has nothing to do with the missing
message/view/flow.

In CAS v5.0.x the "same" configuration with the same OpenLDAP backend
worked as expected...

handleAuthenticationFailure, as you said, should handle
CredentialExpiredException and render the VIEW_ID_EXPIRED_PASSWORD
(casExpireedPassView) but I don't see that happening. Perhaps, when
reaching that point, CredentialExpiredException is "lost" and a generic
AuthenticationException is thrown...

Pavlos
> Have a look at :
>
> cas.authn.pm.enabled=true
>
>
> which I think you need to set.
>
> Also login-webflow.xml has a handleAuthenticationFailure step which
> handles
> all the different exceptions, including CredentialExpiredException.
>
>
> On 7 June 2017 at 13:54, Pavlos Drandakis  wrote:
>
>> Hello all,
>>
>> I am trying to setup CAS 5.1 (using the maven overlay method) to
>> authenticate users against an OpenLDAP server. If user's password is not
>> expired, everything works as expected. But, when user's password
>> expires,
>> all I get is the "Invalid credentials" error in login page instead of
>> the
>> password expired view.
>>
>> This is what I have in cas.properties:
>> cas.authn.ldap[0].type=AUTHENTICATED
>> cas.authn.ldap[0].ldapUrl=ldap://ldap.example.com
>> cas.authn.ldap[0].useSsl=false
>> cas.authn.ldap[0].useStartTls=false
>> cas.authn.ldap[0].baseDn=dc=example,dc=com
>> cas.authn.ldap[0].userFilter=uid={user}
>> cas.authn.ldap[0].bindDn=cn=admin,dc=example,dc=com
>> cas.authn.ldap[0].bindCredential=secretpass
>>
>> cas.authn.ldap[0].passwordPolicy.type=GENERIC
>> cas.authn.ldap[0].passwordPolicy.enabled=true
>>
>> Am I missing something?
>> Thanks, in advance
>> Pavlos
>>
>> P.S.: Relevant log entries:
>> 2017-06-07 15:20:22,463 DEBUG
>> [org.apereo.cas.authentication.LdapAuthenticationHandler] - > password policy to
>> [[org.ldaptive.auth.AuthenticationResponse@1608121171::
>> authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
>> resolvedDn=uid=auser,ou=People,dc=example,dc=com,
>> ldapEntry=[dn=uid=auser,ou=People,dc=example,dc=com[]],
>> accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@
>> 1354577001::accountWarnings=null,
>> accountErrors=[PASSWORD_EXPIRED]], result=false,
>> resultCode=INVALID_CREDENTIALS,
>> message=javax.naming.AuthenticationException: [LDAP: error code 49 -
>> Invalid Credentials],
>> controls=[[org.ldaptive.control.PasswordPolicyControl@
>> 655105816::criticality=false,
>> timeBeforeExpiration=0, graceAuthNsRemaining=0,
>> error=PASSWORD_EXPIRED>
>> 2017-06-07 15:20:22,464 DEBUG
>> [org.apereo.cas.authentication.support.DefaultAccountStateHandler] -
>> 
>> 2017-06-07 15:20:22,465 INFO
>> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
>> <[LdapAuthenticationHandler] failed authenticating [auser]>
>> 2017-06-07 15:20:22,465 DEBUG
>> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
>> <[LdapAuthenticationHandler] exception details: [null]>
>> 2017-06-07 15:20:22,468 WARN
>> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
>> > find authentication handler that supports [auser] of type
>> [UsernamePasswordCredential], which suggests a configuration problem.>
>>

Re: [cas-user] CAS 5.1 Password expired issues

2017-06-08 Thread Pavlos Drandakis

Hi Ben,

Thanks for your suggestion, but I have already tried it (and tried it 
once again, now). The problem still exists. This property, IIUC, only 
enables in-place password management and has nothing to do with the 
missing message/view/flow.


In CAS v5.0.x the "same" configuration with the same OpenLDAP backend 
worked as expected...


handleAuthenticationFailure, as you said, should handle 
CredentialExpiredException and render the VIEW_ID_EXPIRED_PASSWORD 
(casExpireedPassView) but I don't see that happening. Perhaps, when 
reaching that point, CredentialExpiredException is "lost" and a generic 
AuthenticationException is thrown...


Pavlos

On 08/06/2017 01:17 PM, Ben Howell-Thomas wrote:

Have a look at :

cas.authn.pm.enabled=true


which I think you need to set.

Also login-webflow.xml has a handleAuthenticationFailure step which 
handles all the different exceptions, including 
CredentialExpiredException.



On 7 June 2017 at 13:54, Pavlos Drandakis <pdra...@noc.edunet.gr> wrote:


Hello all,

I am trying to setup CAS 5.1 (using the maven overlay method) to
authenticate users against an OpenLDAP server. If user's password
is not
expired, everything works as expected. But, when user's password
expires,
all I get is the "Invalid credentials" error in login page instead
of the
password expired view.

This is what I have in cas.properties:
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://ldap.example.com
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].baseDn=dc=example,dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindDn=cn=admin,dc=example,dc=com
cas.authn.ldap[0].bindCredential=secretpass

cas.authn.ldap[0].passwordPolicy.type=GENERIC
cas.authn.ldap[0].passwordPolicy.enabled=true

Am I missing something?
Thanks, in advance
Pavlos

P.S.: Relevant log entries:
2017-06-07 15:20:22,463 DEBUG
[org.apereo.cas.authentication.LdapAuthenticationHandler] - 
2017-06-07 15:20:22,464 DEBUG
[org.apereo.cas.authentication.support.DefaultAccountStateHandler] -

2017-06-07 15:20:22,465 INFO
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
<[LdapAuthenticationHandler] failed authenticating [auser]>
2017-06-07 15:20:22,465 DEBUG
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
<[LdapAuthenticationHandler] exception details: [null]>
2017-06-07 15:20:22,468 WARN
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -



[cas-user] CAS 5.1 Password expired issues

2017-06-07 Thread Pavlos Drandakis
Hello all,

I am trying to setup CAS 5.1 (using the maven overlay method) to
authenticate users against an OpenLDAP server. If user's password is not
expired, everything works as expected. But, when user's password expires,
all I get is the "Invalid credentials" error in login page instead of the
password expired view.

This is what I have in cas.properties:
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://ldap.example.com
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].baseDn=dc=example,dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindDn=cn=admin,dc=example,dc=com
cas.authn.ldap[0].bindCredential=secretpass

cas.authn.ldap[0].passwordPolicy.type=GENERIC
cas.authn.ldap[0].passwordPolicy.enabled=true

Am I missing something?
Thanks, in advance
Pavlos

P.S.: Relevant log entries:
2017-06-07 15:20:22,463 DEBUG
[org.apereo.cas.authentication.LdapAuthenticationHandler] - 
2017-06-07 15:20:22,464 DEBUG
[org.apereo.cas.authentication.support.DefaultAccountStateHandler] -

2017-06-07 15:20:22,465 INFO
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
<[LdapAuthenticationHandler] failed authenticating [auser]>
2017-06-07 15:20:22,465 DEBUG
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
<[LdapAuthenticationHandler] exception details: [null]>
2017-06-07 15:20:22,468 WARN
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -

