Re: [cas-user] Re: CAS documentation for a new user is terrible
There are a lot of areas where it needs some serious improvement. I'm slowly writing a document on organizational issues related to the documentation, so that I can share it with everyone.

The biggest issue is that it makes you jump around a lot. For example, having one MASSIVE properties document isn't helpful. The properties related to a specific module that you must enable should be in the document for that module. For example, the following document has documentation on enabling LDAP authentication, yet no information on how to configure it; it forces you to click out to the properties document for that.

https://apereo.github.io/cas/5.2.x/installation/LDAP-Authentication.html

Furthermore, LDAP password management is a separate topic from authentication, and should be in its own document entirely.

At some point, I could probably take some time to adjust some docs, but I'd need to be assured they will be the way that the devs find acceptable, or I'd just be wasting my time. :D Plus, I'm not sure how everything would conflict with the master branch.

Anyhow, I found the docs to be "mostly" complete, just very disconnected. If all individual components had their own documentation page, with everything needed to get that one single piece working, life would be beautiful. :D Not only would that be nice, but it would also end up being a printable document.

On 2018-07-20 06:44 PM, Elendrys Yagami wrote:
> I was totally thinking about posting a complaint about the doc. I spent hours a year ago to understand how to set up the soft. I am deploying the latest version now and while I forgot a lot about what I did and what I got, I also see that it grew. We can easily get "you want to do that, compile the module and add the settings". And I'd like to congratulate CAS developers to move from XML Land to a readable property file. But it's also true that the thousands-of-lines-long config page mixes everything in a messy way.
>
> You may not see the sentence with a link to extended explanations and get lost. You may use resources to make the project more attractive by giving a good doc. The paid solution should be an engineering assistance, not a "hey we develop it for free but the doc is so odd that you may not successfully deploy it on your own". Look at Docker, opensource, easy, clear, and then they add paid improvements for enterprise class services. They a

-- 
Trenton D. Adams
Senior Systems Analyst/Web Software Developer
Applications Unit - ITS
Athabasca University
(780) 675-6195

It is only when you are surrounded by a supportive team, that you can achieve your best. Instead of tearing people down, try building them up!

--
This communication is intended for the use of the recipient to whom it is addressed, and may contain confidential, personal, and or privileged information. Please contact us immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communications received in error, or subsequent reply, should be deleted or destroyed.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d27bd236-16ed-6aa5-0ad3-fbdcd791a3f2%40athabascau.ca.
[cas-user] security questions read but not managed?
Hi Guys,

I'm a bit confused about something. It appears that CAS does not support management of challenge questions, but only using them, is that true?

Thanks.
Re: [cas-user] security questions read but not managed?
That's just odd. I do not understand why a feature using challenge questions would be added without the ability to manage those questions. So, should I be writing this feature completely separate from CAS then? I'm thinking probably yes, because CAS does seem to change significantly over time.

On 2018-08-09 02:40 PM, Misagh Moayyed wrote:
> That is true.
>
> --Misagh
[cas-user] Interrupted Messages - for logged in users - CAS 5.2.x
Good day,

Is there a way of interrupting users being directed through CAS if they've already been previously authenticated? We were hoping to use the interrupted messaging system as a way of displaying outage messages for specific services, but I'm finding that it only works if the user is first authenticating. I'm currently using this json example...

    {
      "trenta" : {
        "message" : "Announcement message goes here.",
        "links" : {
          "Go to Location1" : "https://www.location1.com",
          "Go to Location2" : "https://www.location2.com"
        },
        "block" : false,
        "ssoEnabled" : true,
        "interrupt" : true,
        "autoRedirect" : false,
        "autoRedirectAfterSeconds" : -1
      }
    }

Thanks.
Re: [cas-user] Deploying Apereo CAS document updated (finally)!
Would it maybe be better to re-integrate that into the CAS docs themselves? Then it can be maintained long term with the CAS project.

On 10/18/2018 01:14 PM, David Curry wrote:
> For those of you who have been waiting (and waiting, and waiting, ...) for me to update my Deploying Apereo CAS documentation, I have finally gotten enough time to do that. Aside from dozens of minor updates and corrections accumulated over the last 8 or 9 months, the following major sections have been completed/added:
>
> * Customizing the CAS user interface
> * How CAS themes work
> * How Thymeleaf layouts work
> * Add a new theme to the overlay
> * Build and deploy the overlay
> * Develop the custom theme
> * Google Apps (G Suite) integration
> * Generate keys and certificates
> * Configure Google single sign-on
> * Moving to production
> * Configuration changes
> * Problems encountered
>
> As always, the documentation can be found here: https://dacurry-tns.github.io/deploying-apereo-cas/
>
> This pretty much does it for now -- the document more or less reflects what we're running in production (CAS 5.2.x), and we don't plan to go to CAS 5.3 unless something forces us to. The next major release for us will be CAS 6.something. I will almost certainly be updating the document once we start working on that, since we use it internally as a reference as well. But that probably won't happen until the end of this year or the beginning of next year at the earliest (sorry).
>
> Enjoy,
>
> --Dave
>
> --
> DAVID A. CURRY, CISSP
> DIRECTOR OF INFORMATION SECURITY
> INFORMATION TECHNOLOGY
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu
[cas-user] Login without CSRF token return http 200
Good day,

It would be nice if CAS returned 400 bad request or something like that when submitting a username/password without an execution token. I was running the locust bench-marking tool, and it was returning 200 OK even though an authentication never happened due to a missing execution token. The following would show that the HTTP request was successful when it really was not.

    curl -v -d "@./tmp.passwd" https://cas.example.com/cas/login

Also, it would be nice if one could make an API call to grab the token. It's my understanding that this should not be a security issue because XSS is handled by the same origin policy, so a request from a foreign site still would not be able to obtain the token.

Thanks.
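The practical consequence of the behaviour reported above is that a load test or uptime monitor cannot use the HTTP status to decide whether a login happened. The following is an added example (not code from CAS, locust or the poster) of classifying a /login response by what CAS actually did: whether a TGC cookie was set or a service ticket was issued, versus the login form simply being rendered again with a 200. The field names `execution` and `password` and the `TGC` cookie name are the ones CAS uses; the sample page, headers and the token value "e1s1" are constructed for the example.

```python
"""Classify a CAS /login response instead of trusting the HTTP status.

Added example for this thread, not code from CAS, locust or the original
post. A POST to /cas/login without a valid ``execution`` token comes back
as 200 OK with the login form again, so a benchmark or monitor that counts
2xx responses as logins over-reports. The sample data below is constructed.
"""
from html.parser import HTMLParser
from typing import Dict, Optional


class _LoginPageParser(HTMLParser):
    """Collect the execution token and note whether a password field exists."""

    def __init__(self) -> None:
        super().__init__()
        self.execution: Optional[str] = None
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "input":
            return
        if a.get("name") == "execution":
            self.execution = a.get("value")
        elif a.get("type") == "password":
            self.has_password_field = True


def extract_execution_token(html: str) -> Optional[str]:
    """Return the Spring Webflow ``execution`` value from a rendered login page, if any."""
    p = _LoginPageParser()
    p.feed(html)
    return p.execution


def classify_login_response(status: int, headers: Dict[str, str], body: str) -> str:
    """Say what a /login response actually means.

    'authenticated'    - a TGC cookie was set, or CAS redirected back with a service ticket
    'form_redisplayed' - 200 OK but the login form came back: no authentication happened
    'client_error'     - a 4xx, what the message wishes CAS returned for a missing token
    'unknown'          - anything else
    """
    if 400 <= status < 500:
        return "client_error"
    set_cookie = headers.get("Set-Cookie", "")
    location = headers.get("Location", "")
    if "TGC=" in set_cookie or (status in (302, 303) and "ticket=ST-" in location):
        return "authenticated"
    if status == 200:
        p = _LoginPageParser()
        p.feed(body)
        if p.has_password_field or p.execution is not None:
            return "form_redisplayed"
    return "unknown"


def count_real_logins(responses) -> Dict[str, int]:
    """Tally a list of (status, headers, body) tuples by what they really mean."""
    tally: Dict[str, int] = {}
    for status, headers, body in responses:
        kind = classify_login_response(status, headers, body)
        tally[kind] = tally.get(kind, 0) + 1
    return tally


# Constructed sample data (not captured from a real CAS server).
SAMPLE_LOGIN_PAGE = """<html><body>
<form id="fm1" method="post" action="/cas/login">
  <input type="text" name="username" />
  <input type="password" name="password" />
  <input type="hidden" name="execution" value="e1s1" />
  <input type="hidden" name="_eventId" value="submit" />
</form></body></html>"""

SAMPLE_RESPONSES = [
    # What the message saw: 200 OK, but it is just the form again.
    (200, {}, SAMPLE_LOGIN_PAGE),
    # A real login: redirect back to the service with a service ticket.
    (302, {"Location": "https://app.example.com/?ticket=ST-1-example"}, ""),
    # A real login with no service parameter: CAS sets the TGC cookie.
    (200, {"Set-Cookie": "TGC=TGT-1-example; Path=/cas; Secure; HttpOnly"},
     "<html>Log In Successful</html>"),
]

if __name__ == "__main__":
    print(extract_execution_token(SAMPLE_LOGIN_PAGE))
    print(count_real_logins(SAMPLE_RESPONSES))
```

In a locust task the same classifier would be applied to each response, with `form_redisplayed` reported as a failure rather than a success; `extract_execution_token` is what a test client needs to run against the GET of the login page before it can submit the form at all, which is exactly the step the bare curl in the message skips.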
[cas-user] encryption/signing key on single instance
Good day folks,

I just wanted to confirm. We're starting out with a single instance of the newer cas. CAS is generating new encryption/signing keys on each start. I think that's totally fine for single instance, and I don't actually have to store those in the configs, correct? It just implies that a restart will create new keys, resulting in the invalidation of existing tickets.

Thanks.
Re: [cas-user] encryption/signing key on single instance
Our next phase is to move to multiple nodes, so we'll work on that as part of that phase. Thanks Ray!

On 2/11/19 10:57 AM, Ray Bon wrote:
> Trenton,
>
> You are correct. If you are using an in memory ticket store, they would be lost anyway. It is not too difficult to add them to the config (copy paste) and it removes the nag ;)
>
> Ray
>
> --
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
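The effect discussed in this thread (a restart with freshly generated keys invalidates every ticket issued before it, and a second node started without a shared key cannot accept the first node's tickets) can be shown with a small model. This is an added example, not CAS code: a ticket is modelled as an HMAC-SHA256 over its id and expiry, and a "start" either loads the key from configuration or generates a new one. The `config` dict and its `"signing.key"` entry are an assumption standing in for cas.properties, not CAS's real property name, and CAS's actual ticket and TGC encoding differ from this model.

```python
"""Why freshly generated keys at start-up invalidate existing tickets.

Added example for this thread, not CAS code. Simplified model of a signed
ticket whose key is either regenerated at each "start" or loaded from a
config dict that stands in for cas.properties (an assumption). All key
material is generated when the script runs.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional


def generate_signing_key() -> bytes:
    """Random 512-bit key, as a node with nothing configured would create."""
    return secrets.token_bytes(64)


class TicketSigner:
    def __init__(self, key: bytes) -> None:
        self._key = key

    def sign(self, ticket_id: str, expires_at: int) -> str:
        payload = f"{ticket_id}.{expires_at}".encode()
        mac = hmac.new(self._key, payload, hashlib.sha256).digest()
        return f"{ticket_id}.{expires_at}.{base64.urlsafe_b64encode(mac).decode()}"

    def verify(self, token: str, now: Optional[int] = None) -> bool:
        """True only if the MAC was made with this node's key and the ticket is unexpired."""
        parts = token.split(".")
        if len(parts) != 3:
            return False
        ticket_id, expires_at, mac_b64 = parts
        payload = f"{ticket_id}.{expires_at}".encode()
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        try:
            presented = base64.urlsafe_b64decode(mac_b64)
        except ValueError:
            return False
        if not hmac.compare_digest(expected, presented):
            return False
        return int(expires_at) > (now if now is not None else int(time.time()))


def start_node(config: Dict[str, str]) -> TicketSigner:
    """Model a CAS start: use the configured key if present, else generate a fresh one."""
    key_b64 = config.get("signing.key")
    if key_b64 is None:
        return TicketSigner(generate_signing_key())   # the "new keys on each start" case
    return TicketSigner(base64.urlsafe_b64decode(key_b64))


def persisted_config() -> Dict[str, str]:
    """Generate a key once and keep it, as Ray suggests copying it into the config."""
    return {"signing.key": base64.urlsafe_b64encode(generate_signing_key()).decode()}


def ticket_survives_restart(config: Dict[str, str]) -> bool:
    """Issue a ticket on one start, restart, and report whether it still verifies."""
    node = start_node(config)
    ticket = node.sign("TGT-1-example", int(time.time()) + 3600)
    node = start_node(config)          # restart with the same config
    return node.verify(ticket)


def peer_accepts_ticket(config: Dict[str, str]) -> bool:
    """Two nodes started from the same config: does node B accept node A's ticket?"""
    node_a = start_node(config)
    node_b = start_node(config)
    return node_b.verify(node_a.sign("TGT-2-example", int(time.time()) + 3600))


if __name__ == "__main__":
    print("ephemeral keys, restart:", ticket_survives_restart({}))
    print("persisted key, restart:", ticket_survives_restart(persisted_config()))
    print("ephemeral keys, two nodes:", peer_accepts_ticket({}))
    print("persisted key, two nodes:", peer_accepts_ticket(persisted_config()))
```

With an empty config both checks fail, which is the single-instance behaviour the question describes and the reason the multi-node phase needs the keys in configuration on every node; with `persisted_config()` both pass.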
Re: [cas-user] Re: interfacing CAS with angular 7 applications
Do you know if this is a client side library only Ian?

On 3/12/19 2:54 AM, Ian Wright wrote:
> Short answer is yes. I'm currently using "angular-oauth2-oidc": "^4.0.3", with CAS 5.3.7
>
> I'm using oauth rather than oidc, mainly because I wanted to bypass the approval prompt which, at least when I tried it, could be configured for oauth but not oidc but IIRC oidc worked fine.
>
> On Monday, 11 March 2019 18:03:54 UTC, maxwell_g wrote:
>> Has anyone been successful at setting up “angular-oauth2-oidc” library to interface with CAS? We are currently using version CAS 5.2.2 and would like to authenticate Angular 7 applications using Oauth and OpenId connect. Would the “angular-oauth2-oidc” component be compatible or is there alternative?
>>
>> Thanks
>> Gary
Re: [cas-user] Re: interfacing CAS with angular 7 applications
So, I mean, as in browser client side. So are you saying that this module is passing cas validation to the server side for the server to do the ticket validation?

On 3/12/19 10:21 AM, Ian Wright wrote:
> I'm not quite sure what you mean but yes it's client only.
>
> For context I have an openapi based application using the generator for typescript-angular on the client side. The angular-oauth2-oidc component allows a bearer token to be passed through to the server side.
>
> My server side is also generated from the openapi spec - I'm using python-flask for development and AWS lambda elsewhere - the python-flask generated code works out of the box and it's a little more effort for the lambdas but not much.
>
> The openapi 3 spec is as follows:
>
>     securitySchemes:
>       OAuthSecurity:
>         type: oauth2
>         x-tokenInfoUrl: .../oauth2.0/profile
>         flows:
>           authorizationCode:
>             authorizationUrl: .../oauth2.0/authorize
>             tokenUrl: .../oauth2.0/accessToken
>             scopes:
>               myscope: Access all areas
Re: [cas-user] Re: interfacing CAS with angular 7 applications
It sounds very much like it's open to an easy exploit, where an attacker just says "I'm person X, give me access", by overriding the JavaScript on the client side. Anything done in the browser cannot be trusted, especially when it comes to authentication.

On 3/13/19 3:28 AM, Ian Wright wrote:

Yes, it is browser client side and does authenticate the client side app against CAS without any server side interactions. What it also allows is, once you've auth'ed the client app, that you can use the bearer token to auth against a server side app as well.

On Tuesday, 12 March 2019 22:39:46 UTC, Trenton D. Adams wrote:

So, I mean, as in browser client side. So are you saying that this module is passing CAS validation to the server side for the server to do the ticket validation?

On 3/12/19 10:21 AM, Ian Wright wrote:

I'm not quite sure what you mean, but yes, it's client only. For context, I have an openapi based application using the generator for typescript-angular on the client side. The angular-oauth2-oidc component allows a bearer token to be passed through to the server side. My server side is also generated from the openapi spec - I'm using python-flask for development and AWS lambda elsewhere - the python-flask generated code works out of the box and it's a little more effort for the lambdas, but not much. The openapi 3 spec is as follows:

    securitySchemes:
      OAuthSecurity:
        type: oauth2
        x-tokenInfoUrl: .../oauth2.0/profile
        flows:
          authorizationCode:
            authorizationUrl: .../oauth2.0/authorize
            tokenUrl: .../oauth2.0/accessToken
            scopes:
              myscope: Access all areas

On Tuesday, 12 March 2019 16:08:34 UTC, Trenton D. Adams wrote:

Do you know if this is a client side library only, Ian?

On 3/12/19 2:54 AM, Ian Wright wrote:

Short answer is yes. I'm currently using "angular-oauth2-oidc": "^4.0.3", with CAS 5.3.7. I'm using oauth rather than oidc, mainly because I wanted to bypass the approval prompt which, at least when I tried it, could be configured for oauth but not oidc, but IIRC oidc worked fine.

On Monday, 11 March 2019 18:03:54 UTC, maxwell_g wrote:

Has anyone been successful at setting up the "angular-oauth2-oidc" library to interface with CAS? We are currently using CAS version 5.2.2 and would like to authenticate Angular 7 applications using OAuth and OpenID Connect. Would the "angular-oauth2-oidc" component be compatible, or is there an alternative?

Thanks,
Gary

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f38bc4f7-59e8-4441-acf5-af490c8adcfe%40apereo.org.

--
Trenton D. Adams
Senior Systems Analyst/Web Software Developer
Applications Unit - ITS
Athabasca University
(780) 675-6195

It is only when you are surrounded by a supportive team, that you can achieve your best. Instead of tearing people down, try building them up!

--
This communication is intended for the use of the recipient to whom it is addressed, and may contain confidential, personal, and or privileged information. Please contact us immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communications received in error, or subsequent reply, should be deleted or destroyed.
---
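Trenton's objection above is that the browser-side library can only prove something to itself; the API behind it has to establish the user from the token. As an added example (not code from the thread, from angular-oauth2-oidc or from CAS), here is that server-side half in Python: a Flask-style handler that resolves the bearer token against the CAS profile endpoint named by x-tokenInfoUrl in Ian's spec and ignores any identity the client asserts. It assumes that endpoint accepts the token as a Bearer Authorization header and returns JSON with an "id" field; the CAS hostname is a placeholder.

```python
"""Server-side check of a bearer token issued by CAS OAuth.

Added example; not code from the thread, from angular-oauth2-oidc or from
CAS. Assumptions: the API's OpenAPI security scheme points x-tokenInfoUrl
at the CAS profile endpoint (.../oauth2.0/profile, as in Ian's spec), that
endpoint accepts the access token as a Bearer Authorization header and
answers JSON containing an "id" field, and the CAS host is a placeholder.
"""
import json
import re
import time
from urllib import error, request

TOKEN_INFO_URL = "https://cas.example.edu/cas/oauth2.0/profile"  # placeholder host

# Only "Bearer <token>" is accepted; the token charset follows RFC 6750 b64token.
_BEARER_RE = re.compile(r"^Bearer ([A-Za-z0-9\-._~+/]+=*)$")


def extract_bearer(authorization):
    """Return the token from an Authorization header, or None if absent/malformed."""
    if not authorization:
        return None
    match = _BEARER_RE.match(authorization.strip())
    return match.group(1) if match else None


def fetch_profile_http(token, url=TOKEN_INFO_URL, timeout=5):
    """Ask CAS who the token belongs to; None on any HTTP or parse failure."""
    req = request.Request(url, headers={"Authorization": "Bearer " + token})
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except (error.URLError, ValueError):
        return None


class TokenVerifier:
    """Resolve bearer tokens to a principal via CAS, with a short positive cache.

    Negative results are never cached, so a revoked or expired token is
    re-checked on every request.
    """

    def __init__(self, fetch_profile=fetch_profile_http, ttl_seconds=60,
                 clock=time.monotonic):
        self._fetch = fetch_profile
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache = {}  # token -> (expires_at, principal_id)

    def principal_for(self, authorization):
        token = extract_bearer(authorization)
        if token is None:
            return None
        now = self._clock()
        cached = self._cache.get(token)
        if cached and cached[0] > now:
            return cached[1]
        profile = self._fetch(token)
        principal = profile.get("id") if isinstance(profile, dict) else None
        if not principal:
            return None
        self._cache[token] = (now + self._ttl, principal)
        return principal


def handle_whoami(headers, verifier):
    """A protected endpoint: identity comes from CAS, never from the client.

    Returns (status, body). A client-supplied X-User header is deliberately
    ignored; only a token CAS vouches for yields a user.
    """
    principal = verifier.principal_for(headers.get("Authorization"))
    if principal is None:
        return 401, {"error": "invalid_token"}
    return 200, {"user": principal}


# Constructed stand-in for the CAS profile endpoint so the example runs offline.
_FAKE_TOKENS = {"AT-1-valid": {"id": "casuser", "attributes": {}}}


def fake_fetch_profile(token):
    return _FAKE_TOKENS.get(token)


if __name__ == "__main__":
    verifier = TokenVerifier(fetch_profile=fake_fetch_profile)
    print(handle_whoami({"Authorization": "Bearer AT-1-valid"}, verifier))
    print(handle_whoami({"X-User": "admin"}, verifier))  # asserted identity is ignored
```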
[cas-user] Re: CAS Slow Load Time
Tomcat starts up in about 5 seconds for our application, which is 80,000 lines of code, but for CAS it takes a long time, so I can't imagine it's a Tomcat issue. Our health check shows Tomcat is up in about 3 seconds or so, but the CAS context has no response for several minutes. But I'll take a look at the info you provided either way.

On 4/15/19 2:05 PM, Igor Babalich wrote:

Hi Trenton,

As recommended in the documentation for servlet containers, https://apereo.github.io/cas/5.3.x/installation/Configuring-Servlet-Container.html, try to review several recommendations on how to make web applications and Apache Tomcat as a whole start up faster: https://wiki.apache.org/tomcat/HowTo/FasterStartUp

Igor

On Monday, April 15, 2019 at 1:25:57 PM UTC-4, Trenton Adams wrote:

So, with the features we're using, CAS 5.2.x, Tomcat startup takes 4 minutes on a single core, and 1 minute on a quad core system. So, every single change I make to the config takes a long time to try out. Why does it take so long? It seems like maybe it's Spring bloat, no? I can't imagine a service like CAS taking that long to load. Is there any way of making it not take that long? e.g. Maybe I can somehow exclude a bunch of dependencies we don't need.

Thanks.

---
This e-mail message (including attachments, if any) is intended for the use of the individual or entity to which it is addressed and may contain information that is privileged, proprietary, confidential and exempt from disclosure. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender and erase this e-mail message immediately.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/deca06e7-4993-a648-94e6-b77023e8ee1f%40athabascau.ca.
[cas-user] CAS logging analysis
Hi Guys,

When it comes to system administration and diagnostics, it is quite common to use standard Linux utilities for debugging. Things like grep, awk, sed, cut, etc. The CAS logs make this quite difficult. Could we maybe start composing the logs into single line "records" of a sort? For example, the following is not easily processed using the cli...

    =
    WHO: someone
    WHAT: ST-54765-7eEtYFJT1VBZ2Ssexczzf7FE5ow-tst-cas-01
    ACTION: SERVICE_TICKET_VALIDATED
    APPLICATION: CAS
    WHEN: Mon Aug 26 15:27:53 MDT 2019
    CLIENT IP ADDRESS: 123.123.123.123
    SERVER IP ADDRESS: server.example.com
    =

I've been working around it in a somewhat clunky way by doing the following, but this really is just a hack.

    tail -f /var/log/cas/cas.log | egrep 'CLIENT IP ADDRESS|ACTION|WHAT'

Also, for service ticket validations it would be nice if they included the service URL.

Thanks.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/48ee54ab-c7b3-469d-f25e-3d826846edd9%40athabascau.ca.
Re: [cas-user] Re: CAS logging analysis
Interesting, thanks for the note. I will see if we can use that.

On 8/26/19 4:54 PM, Matthew Uribe wrote:

Trenton,

What version of CAS are you on? When we were on 5.2, we had a line in our cas.properties which made the logging all on one line:

    cas.audit.useSingleLine=true

However, since having gone to CAS 5.3, that property seems to have gone away. I've yet to dig into log4j2.xml to get the same result: one line log entries. It does make audits much easier. If you're still on 5.2, that property should take care of you.

On Monday, August 26, 2019 at 3:35:30 PM UTC-6, Trenton D. Adams wrote:

[...]

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/cfd33660-974f-2ea0-6fbb-1598dd0d8396%40athabascau.ca.
[cas-user] Re: CAS logging analysis
No, I was thinking along those lines as well, but didn't know it had that feature. I know log4j2 has that feature, but then you'd get a bunch of newlines wrapped as '\n'. I'll look into it, thanks!

On 8/27/19 9:23 AM, Fabrice Bacchella wrote:

Did you try to set 'cas.audit.slf4j.auditFormat' to 'JSON'? The service URL/id is missing indeed.

On Monday, 26 August 2019 23:35:30 UTC+2, Trenton D. Adams wrote:

[...]

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/fc6c5b6f-81ee-0ed9-7856-7470fbadeb45%40athabascau.ca.
Re: [cas-user] Re: CAS logging analysis
Interesting, thanks Ray! I was thinking more along the lines of audit info only, but outputting exceptions in one line might be useful too. I wonder if my IDE would auto-link to the source code lines if it was all jumbled into one line; I'll have to take a look. :D

On 9/3/19 12:06 PM, Ray Bon wrote:

Auditing should be converted to a single line with the property given by Daniel. If you have other multi line log output (I am looking at you, exception stack traces), one of our logging experts came up with this (you will have to look up the specifics of %replace, but I think in this case it just removes them):

    <%level{WARN=28, DEBUG=31, ERROR=27, TRACE=31, INFO=30, FATAL=25}>%d{MMM dd HH:mm:ss} ${hostName} CAS: %c %replace{%m}{\n+}{<31>CAS: TRACE: }%n

Ray

On Tue, 2019-08-27 at 22:11 +0200, Fabrice Bacchella wrote:

The JSON is generated directly by CAS and generated in a single log4j event. So perhaps if you play with log4j and use a separator that is not a new line, a \0 for example, it might do the trick. I'm using msgpack to remotely send them and so I have no separator problems.

On 27 August 2019 at 21:49, Trenton D. Adams <tre...@athabascau.ca> wrote:

[...]

--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
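The multi-line record Trenton quoted and the single-line/JSON settings Matthew and Fabrice point to are two views of the same data. As an added example (not code from the thread or from CAS), this Python script collapses records in the WHO/WHAT/ACTION/... layout into one JSON object per line, which grep, awk and cut then handle, and shows the per-record filtering that the egrep pipeline only approximates. The log text is constructed sample data; the separator lines follow the '=' shown in the quoted record.

```python
"""Turn CAS multi-line audit records into one JSON line each.

Added example; not code from the thread or from CAS. It parses the
WHO/WHAT/ACTION/... block layout Trenton quoted (records bracketed by lines
of '=') and produces the grep-friendly single-line output that
cas.audit.useSingleLine / auditFormat=JSON provide natively.
SAMPLE_LOG is constructed sample data, including one ordinary log line
between records and two constructed failed-login records.
"""
import json
import re
from collections import Counter

SAMPLE_LOG = """\
=
WHO: someone
WHAT: ST-54765-7eEtYFJT1VBZ2Ssexczzf7FE5ow-tst-cas-01
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Mon Aug 26 15:27:53 MDT 2019
CLIENT IP ADDRESS: 123.123.123.123
SERVER IP ADDRESS: server.example.com
=
2019-08-26 15:28:01 INFO unrelated single-line message between records
=
WHO: bob
WHAT: Supplied credentials: [bob]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Mon Aug 26 15:28:10 MDT 2019
CLIENT IP ADDRESS: 198.51.100.7
SERVER IP ADDRESS: server.example.com
=
=
WHO: bob
WHAT: Supplied credentials: [bob]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Mon Aug 26 15:28:14 MDT 2019
CLIENT IP ADDRESS: 198.51.100.7
SERVER IP ADDRESS: server.example.com
=
"""

_SEPARATOR = re.compile(r"^=+$")
# Field keys are upper-case words, possibly with spaces ("CLIENT IP ADDRESS");
# the non-greedy key stops at the first colon so values may contain colons.
_FIELD = re.compile(r"^([A-Z][A-Z ]*?):\s*(.*)$")


def parse_audit_records(text):
    """Return one dict per record.

    A record is the run of 'KEY: value' lines between two separator lines;
    lines outside a record (ordinary log output) are ignored.
    """
    records, current, inside = [], {}, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if _SEPARATOR.match(line):
            if current:
                records.append(current)
                current = {}
            inside = not inside  # separators alternate open/close
            continue
        if not inside:
            continue
        m = _FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:  # record cut off at end of input (e.g. while tailing)
        records.append(current)
    return records


def to_json_lines(records):
    """One compact JSON object per record; json.dumps escapes any newline."""
    return [json.dumps(r, sort_keys=True, separators=(",", ":")) for r in records]


def select(records, **wanted):
    """Whole-record filter, e.g. select(recs, ACTION="AUTHENTICATION_FAILED",
    CLIENT_IP_ADDRESS="198.51.100.7"); underscores map to the spaced keys."""
    keys = {k.replace("_", " "): v for k, v in wanted.items()}
    return [r for r in records if all(r.get(k) == v for k, v in keys.items())]


def failed_logins_by_client(records):
    """Count AUTHENTICATION_FAILED records per client IP (a quick brute-force view)."""
    failed = select(records, ACTION="AUTHENTICATION_FAILED")
    return Counter(r.get("CLIENT IP ADDRESS", "?") for r in failed)


if __name__ == "__main__":
    recs = parse_audit_records(SAMPLE_LOG)
    for line in to_json_lines(recs):
        print(line)
    print(dict(failed_logins_by_client(recs)))
```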
Re: [cas-user] Re: Too many LDAP connections with 6.0.5
This is also happening on Java 8 and 5.2.x. I'll have to look into whether that's valid for 5.2.x.

On 11/6/19 7:16 AM, n99 wrote:

For anyone else who finds themselves scratching their head over this:

    cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

is the magic setting if you are using OpenJDK 9, 11, 12, 13. https://bugs.openjdk.java.net/browse/JDK-8217606 and "The JNDI provider is broken in Java version 9 and later. It is recommend that you use the UnboundID provider with newer versions of Java and ldaptive v1.x" at https://www.ldaptive.org/v1/ (not easy to find on the ldaptive site) finally got us there. Shame this is not highlighted as an issue in the CAS 6.0.x docs, esp. as the fix with JDK 14 is not out until next year!

On Thursday, 31 October 2019 14:12:04 UTC, n99 wrote:

Hi,

We are seeing issues with CAS 6.0.5 running against our OpenLDAP where we are seeing too many connections being made to LDAP. We have the following settings.

    cas.authn.ldap[0].type=AUTHENTICATED
    cas.authn.ldap[0].poolPassivator=NONE
    cas.authn.ldap[0].baseDn=[BASE_DN]
    cas.authn.ldap[0].searchFilter=[FILTER]
    cas.authn.ldap[0].bindDn=[LDAP_BIND_USER]
    cas.authn.ldap[0].bindCredential=[LDAP_BIND_CREDENTIAL]
    cas.authn.ldap[0].useSsl=false
    cas.authn.ldap[0].ldapUrl=[CAS_AUTHN_LDAP_LDAPURL]
    cas.monitor.ldap.ldapUrl=[CAS_AUTHN_LDAP_LDAPURL]
    cas.monitor.ldap.useSsl=false
    cas.monitor.ldap.poolPassivator=NONE

Also I guess minPoolSize=3 and maxPoolSize=10 are on by default.

Using netstat to monitor the ESTABLISHED connections to our LDAP, I can see that CAS starts up with 18 connections that are then pruned down to 9. These remain after the periodic "validate task" process. I can then see each login creates a new connection to LDAP, even if I login/logout as the same user each time in my browser. I increased the number of connections, testing this simple way, to 55 connections before stopping. I could see that these ESTABLISHED connections dropped away over time and eventually, after a few periodic "validate task" scheduled processes, I got back down to 9 connections and 3 pools.

I was wondering what behaviour I am seeing here? Why are there 3 connection pools sitting dormant? Is there anything to limit the number of connection pools and thus connections being created? Why do I see no apparent LDAP connection re-use? Am I misunderstanding expected behaviour or have things configured incorrectly? We've not really changed default settings. (Although I did add poolPassivator=NONE which changed it from the default value of BIND, I believe. Under BIND, I was seeing 4 new connections being created per login!)

I can post more info on our OpenLDAP if that would be useful?

Many thanks for any advice.

cheers

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/911f48cf-2f13-f826-229b-fba396d619ca%40athabascau.ca.
[cas-user] cas 5.2.x leaking connections
Good day,

We are having some problems with CAS 5.2.x leaking connections in our production environment. We're not sure how or why this is happening. What we do know is that they are no longer part of the pool, because if they were we'd run out of connections in the pool. However, there is a limit to the number of connections an LDAP server can handle, so it requires a CAS restart regularly.

Below is the configuration we're using for both LDAP and the password manager. We were hoping someone understands why this could be happening, as the CAS documentation is not very good for these settings, and neither are the javadoc or Ldaptive docs. I hope someone with more CAS experience, such as a dev, might be able to help?

    cas.authn.ldap[0].type=ANONYMOUS
    cas.authn.ldap[0].ldapUrl=ldap://ldap.example.com:389
    cas.authn.ldap[0].useSsl=false
    cas.authn.ldap[0].baseDn=ou=Student,ou=People,dc=example,dc=com
    cas.authn.ldap[0].userFilter=uid={user}
    cas.authn.ldap[0].principalAttributeId=uid
    cas.authn.ldap[0].principalAttributeList=uid,udcid:UDC_IDENTIFIER
    cas.authn.ldap[1].type=ANONYMOUS
    cas.authn.ldap[1].ldapUrl=ldap://ldap.example.ca:389
    cas.authn.ldap[1].useSsl=false
    cas.authn.ldap[1].baseDn=ou=Staff,ou=People,dc=example,dc=com
    cas.authn.ldap[1].userFilter=uid={user}
    cas.authn.ldap[1].principalAttributeId=uid
    cas.authn.ldap[1].principalAttributeList=uid,udcid:UDC_IDENTIFIER
    cas.authn.pm.ldap.type=GENERIC
    cas.authn.pm.ldap.ldapUrl=ldap://ldap.example.com:389
    cas.authn.pm.ldap.connectionStrategy=ACTIVE_PASSIVE
    cas.authn.pm.ldap.useSsl=false
    cas.authn.pm.ldap.useStartTls=false
    cas.authn.pm.ldap.connectTimeout=5000
    cas.authn.pm.ldap.baseDn=ou=People,dc=example,dc=com
    cas.authn.pm.ldap.userFilter=uid={user}
    cas.authn.pm.ldap.subtreeSearch=true
    cas.authn.pm.ldap.bindDn=cn=Manager,dc=example,dc=com
    cas.authn.pm.ldap.bindCredential=
    cas.authn.pm.ldap.trustCertificates=
    cas.authn.pm.ldap.poolPassivator=BIND
    cas.authn.pm.ldap.minPoolSize=3
    cas.authn.pm.ldap.maxPoolSize=10
    cas.authn.pm.ldap.validateOnCheckout=true
    cas.authn.pm.ldap.validatePeriodically=true
    cas.authn.pm.ldap.validatePeriod=600
    cas.authn.pm.ldap.validateTimeout=5000
    cas.authn.pm.ldap.failFast=false
    cas.authn.pm.ldap.idleTime=500
    cas.authn.pm.ldap.prunePeriod=600
    cas.authn.pm.ldap.blockWaitTime=5000
    cas.authn.pm.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
    cas.authn.pm.ldap.securityQuestionsAttributes.challengeQuestion=challengeResponse
    cas.authn.pm.ldap.validator.type=SEARCH
    cas.authn.pm.ldap.validator.baseDn=ou=Staff,ou=People,dc=example,dc=com
    cas.authn.pm.ldap.validator.searchFilter=(uid=some-user)
    cas.authn.pm.ldap.validator.scope=ONELEVEL
    cas.authn.pm.ldap.validator.attributeName=cn
    cas.authn.pm.ldap.validator.attributeValues=Some Name
    cas.authn.pm.ldap.validator.dn=

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8a565299-d009-ea66-8a01-b3b8bdb4146d%40athabascau.ca.
Re: [cas-user] cas 5.2.x leaking connections
We are using Java 8 though, and we are using the UnboundIDProvider.

On 2020-01-11 8:25 a.m., Daniel Fisher wrote:

On Fri, Jan 10, 2020 at 5:40 PM Trenton D. Adams <tre...@athabascau.ca> wrote:
> Below is the configuration we're using for both LDAP and the password manager. We were hoping someone understands why this could be happening, as the CAS documentation is not very good for these settings, and neither are the javadoc or Ldaptive docs. I hope someone with more CAS experience, such as a dev, might be able to help?

There is a JNDI bug in Java versions >= 9 that leaks connections. Switching to the UnboundID provider is the simplest solution.

    cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

I thought that CAS used the UnboundID provider by default, so I'm curious why you were impacted by this bug. (Another solution is to use Java 8.)

--Daniel Fisher

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1667ca8b-4446-1699-cc55-b27b70158595%40athabascau.ca.
Re: [cas-user] SAML support in CAS
Yes, CAS supports SAML. https://wiki.jasig.org/display/CASUM/SAML+1.1

Trenton D. Adams
Senior Systems Analyst/Web Software Developer
Navy Penguins at your service!
Athabasca University
(780) 675-6195
:wq!

- "Mitch Chang" wrote:
> From: "Mitch Chang"
> To: "CAS Community"
> Sent: Monday, March 7, 2016 1:17:57 PM GMT -07:00 US/Canada Mountain
> Subject: [cas-user] SAML support in CAS
>
> Hi, we are exploring solutions to a request in hand for CAS. We are running CAS 3.5.3.
>
> So far we believe one potential solution is to use Proxy Granting Ticket and Proxy Ticket in CAS, but the client would like to know whether there is a potential CAS SAML solution. Here is a description of the request:
>
> There are 2 services involved: One is a CASified service, Dashboard, and the other, API Gateway, is not CASified (and the client does not want it to be CASified). Dashboard needs to access API Gateway on behalf of the user. Naturally, using PGT and PT seems to be a decent solution and the workflow shall be similar to the following:
>
> 1. Dashboard obtains a service ticket when a user signs in through CAS.
> 2. Dashboard obtains a PGTID upon validating the service ticket.
> 3. Dashboard obtains a PT for API Gateway using the PGTID.
> 4. Dashboard passes the PT to API Gateway to request an access token.
> 5. API Gateway validates the PT with CAS to obtain a CAS response that contains some user information (user id for instance).
> 6. API Gateway then returns an access token to Dashboard.
> 7. Dashboard uses the access token to access API Gateway on behalf of the user.
>
> However, since API Gateway already knows how to handle SAML tokens, and the client prefers not having to write custom code in Dashboard to handle the pgtUrl for storing PGTIOU and PGTID, we are looking to see whether there is a similar solution by using the SAML support in CAS. I suppose Dashboard would obtain a SAML token from CAS when a user signs in, passes the SAML token to API Gateway, which then verifies the authenticity of the SAML token. Once the SAML token has been verified, API Gateway then returns an access token to Dashboard. Dashboard uses the access token to access API Gateway on behalf of the user.
>
> I have checked out a number of discussion threads and online documents, including https://wiki.jasig.org/display/CASUM/SAML+1.1 and https://wiki.jasig.org/display/CASUM/SAML+Support+in+CAS+4 but I still cannot conclude for sure whether the SAML support in CAS is sufficient or not. Does anyone have any insights or have done something similar?
>
> Thanks,
> Mitch
>
> --
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.

--
This communication is intended for the use of the recipient to whom it is addressed, and may contain confidential, personal, and or privileged information. Please contact us immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communications received in error, or subsequent reply, should be deleted or destroyed.
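The PGT/PT workflow Mitch lists above, as an added Python example that is not part of this thread or of CAS itself: an in-process model of the CAS 2.0 proxy exchange (ST, pgtUrl callback delivering pgtIou/pgtId, /proxy, /proxyValidate), which also goes one step beyond the message by having the API Gateway side check the proxy chain returned by /proxyValidate against the callback URLs it trusts. Ticket formats, service URLs and the trusted-proxy set are constructed assumptions.

```python
import secrets
# Constructed model of the CAS 2.0 proxy workflow (hypothetical, not CAS code):
# tickets are passed as return values instead of HTTP calls so it runs offline.
class CasServer:
    def __init__(self):
        self.st = {}         # service ticket -> (user, service)
        self.pgt = {}        # PGT id -> (user, pgtUrl it was delivered to)
        self.pt = {}         # proxy ticket -> (user, target service, proxy chain)
        self.callbacks = {}  # pgtUrl -> {pgtIou: pgtId}, delivered out of band
    def login(self, user, service):
        """User signs in; CAS issues a one-time service ticket for `service`."""
        st = "ST-" + secrets.token_urlsafe(12)
        self.st[st] = (user, service)
        return st
    def service_validate(self, st, service, pgt_url=None):
        """/serviceValidate: consume the ST; with pgtUrl mint a PGT, send (pgtIou, pgtId) to pgtUrl, return pgtIou."""
        entry = self.st.pop(st, None)
        if entry is None or entry[1] != service:
            return None
        resp = {"user": entry[0]}
        if pgt_url:
            iou, pgt = "PGTIOU-" + secrets.token_urlsafe(12), "PGT-" + secrets.token_urlsafe(12)
            self.pgt[pgt] = (entry[0], pgt_url)
            self.callbacks.setdefault(pgt_url, {})[iou] = pgt
            resp["pgtIou"] = iou
        return resp
    def proxy(self, pgt, target):
        """/proxy: issue a PT for `target` with the proxying service recorded."""
        if pgt not in self.pgt:
            return None
        pt = "PT-" + secrets.token_urlsafe(12)
        self.pt[pt] = (self.pgt[pgt][0], target, [self.pgt[pgt][1]])
        return pt
    def proxy_validate(self, pt, service):
        """/proxyValidate: consume the PT (single use); return user and chain."""
        entry = self.pt.pop(pt, None)
        if entry is None or entry[1] != service:
            return None
        return {"user": entry[0], "proxies": entry[2]}

def dashboard_flow(cas, user, dashboard, pgt_url, gateway, trusted_proxies):
    """Steps 1-6 of the thread, with API Gateway accepting only a proxy chain it trusts."""
    st = cas.login(user, dashboard)
    resp = cas.service_validate(st, dashboard, pgt_url=pgt_url)
    pgt = cas.callbacks[pgt_url][resp["pgtIou"]]   # correlate pgtIou with the pgtId received at pgtUrl
    pt = cas.proxy(pgt, gateway)
    v = cas.proxy_validate(pt, gateway)  # performed by API Gateway
    if v is None or not set(v["proxies"]) <= trusted_proxies:
        return None
    return {"user": v["user"], "access_token": "TOKEN-" + secrets.token_urlsafe(8)}
```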
[cas-user] security updates
Good day,

Where would I find a list of historical security updates?

Thanks.

--
Trenton D. Adams
Senior Systems Analyst/Web Software Developer
Applications Unit - ITS
Navy Penguins at your service!
Athabasca University
(780) 675-6195
:wq!

---
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/14ecdb2d-9376-e9e7-ba94-ca2c13521a60%40athabascau.ca.
