[cas-user] Re: CAS 5.3.x, OpenID Connect, Getting 401 on token request

2019-03-12 Thread Yan Zhou

Looking further, do we think this may be an issue?

When I go for the ID token directly (as opposed to getting the authorization code first, 
then the token second), I am getting an "Application Not Authorized to use CAS" 
error, but the URL is clearly in the JSON service file.

2019-03-12 15:23:26,171 DEBUG 
[org.apereo.cas.services.AbstractServicesManager] - 
2019-03-12 15:23:26,172 DEBUG 
[org.apereo.cas.services.AbstractServicesManager] - https://oidcdebugger.com/debug]>
2019-03-12 15:23:26,172 DEBUG 
[org.apereo.cas.services.AbstractServicesManager] - https://localhost:8543/cas5/oauth2.0/callbackAuthorize.*]>

Here is my POST:

https://localhost:8543/cas5/oidc/authorize?client_id=demoOIDC_uri=https%3A%2F%2Foidcdebugger.com%2Fdebug=openid_type=code%20id_token_mode=form_post=gb63gw2hmqk

Thanks!

On Tuesday, March 12, 2019 at 2:38:35 PM UTC-4, Yan Zhou wrote:
>
> hello,
>
> I set up CAS 5.3.x overlay for OpenId Connect for authorization code flow.
>
> When I do the POST, the CAS login page comes up, I enter my credentials and authorize 
> access, and I successfully get the authorization code; but when I call POST or 
> GET to get the access token or ID token, I keep getting a 401 "No message 
> available" error. 
>
> What am I missing?
>
> Someone said I am missing the Authorization header. What should go in this 
> header? I tried putting Basic Auth with my user credentials; it is not working. 
>
> Thanks!
> Yan
>
> My request looks like this; the content-type is 
> application/x-www-form-urlencoded:
>
> https://localhost:8543/cas5/oidc/token
>
> grant_type=authorization_code& code=OC-5-G5bbL-TKNHW-0xd9KWGUFeEcsycinjqI& 
> client_id=demoOIDC& client_secret=password& 
> redirect_uri=https%3A%2F%2Foidcdebugger.com%2Fdebug
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/13107190-be42-413a-b5f2-3ac955c35f7d%40apereo.org.
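The thread above asks what belongs in the Authorization header on the token request. As an added example (not code from the thread or from the CAS project), the Python below builds the authorization_code token request in the two client-authentication forms defined by RFC 6749 section 2.3.1: client_secret_basic, where client_id and client_secret travel in an HTTP Basic Authorization header, and client_secret_post, where they travel in the form body as in the post. It also shows the check a token endpoint performs to decide that neither was supplied, which is the usual reason for a 401 at that endpoint. The endpoint URL, client id, secret, code and redirect_uri are the values from the post; which of the two methods a given CAS build accepts is for the reader to verify against their own server.

```python
import base64
from urllib.parse import parse_qs, quote, unquote, urlencode

# Values taken from the post; the client secret is the post's own test value.
TOKEN_ENDPOINT = "https://localhost:8543/cas5/oidc/token"
CLIENT_ID = "demoOIDC"
CLIENT_SECRET = "password"
REDIRECT_URI = "https://oidcdebugger.com/debug"
AUTH_CODE = "OC-5-G5bbL-TKNHW-0xd9KWGUFeEcsycinjqI"


def basic_client_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic (RFC 6749 s2.3.1): form-urlencode each part, join
    with ':', base64 the result and present it as an HTTP Basic credential."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def decode_basic_client_auth(header: str) -> tuple:
    """What the token endpoint does with the header: reverse the encoding and
    return (client_id, client_secret). Raises ValueError if malformed."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic" or not blob:
        raise ValueError("not an HTTP Basic credential")
    raw = base64.b64decode(blob).decode("ascii")
    cid, sep, secret = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return unquote(cid), unquote(secret)


def build_token_request(code, client_id, client_secret, redirect_uri,
                        auth_method="client_secret_basic"):
    """Return (headers, body) for an authorization_code grant. redirect_uri
    must equal the one sent to /authorize; the code is single-use."""
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "client_secret_basic":
        headers["Authorization"] = basic_client_auth_header(client_id, client_secret)
    elif auth_method == "client_secret_post":
        # Credentials in the body, as in the post's request.
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client authentication method: {auth_method}")
    return headers, urlencode(params)


def has_client_auth(headers: dict, body: str) -> bool:
    """Endpoint-side test: is the client authenticated by either method?
    A request failing this check is rejected with 401 before the code is used."""
    if headers.get("Authorization", "").startswith("Basic "):
        try:
            decode_basic_client_auth(headers["Authorization"])
            return True
        except ValueError:
            return False
    form = parse_qs(body)
    return bool(form.get("client_id")) and bool(form.get("client_secret"))


if __name__ == "__main__":
    for method in ("client_secret_basic", "client_secret_post"):
        hdrs, body = build_token_request(AUTH_CODE, CLIENT_ID, CLIENT_SECRET,
                                         REDIRECT_URI, method)
        print(f"--- {method}: POST {TOKEN_ENDPOINT}")
        for name, value in hdrs.items():
            print(f"{name}: {value}")
        print()
        print(body)
```

Running the script prints both request shapes side by side; note that the Basic header encodes the secret reversibly, so it protects nothing without TLS, and that a secret sent in the body appears in any request logging the server does for the token endpoint.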


[cas-user] CAS 5.3.x, OpenID Connect, Getting 401 on token request

2019-03-12 Thread Yan Zhou
hello,

I set up CAS 5.3.x overlay for OpenId Connect for authorization code flow.

When I do the POST, the CAS login page comes up, I enter my credentials and authorize 
access, and I successfully get the authorization code; but when I call POST or 
GET to get the access token or ID token, I keep getting a 401 "No message 
available" error. 

What am I missing?

Someone said I am missing the Authorization header. What should go in this 
header? I tried putting Basic Auth with my user credentials; it is not working. 

Thanks!
Yan

My request looks like this; the content-type is 
application/x-www-form-urlencoded:

https://localhost:8543/cas5/oidc/token

grant_type=authorization_code& code=OC-5-G5bbL-TKNHW-0xd9KWGUFeEcsycinjqI& 
client_id=demoOIDC& client_secret=password& 
redirect_uri=https%3A%2F%2Foidcdebugger.com%2Fdebug

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/06db6dbe-53ba-4efe-9624-668dcf0e1b26%40apereo.org.


[cas-user] CAS SSO with OpenID Connect and CAS protocol

2019-03-11 Thread Yan Zhou
Hello,

In CAS5, one client uses OpenID Connect and the other client uses the CAS 
protocol. Can they achieve SSO?  

With the CAS protocol, the TGT is in a cookie on the browser side; that is how 
SSO is achieved. With OpenID Connect, is there a cookie being generated 
that carries the same TGT?

Thx!

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8db21b8a-a3cb-4d03-9cb4-72f99b69dd03%40apereo.org.


[cas-user] CAS5, OpenID connect flow newbie question

2019-03-01 Thread Yan Zhou
Hello,

I am experimenting with CAS5 OpenID Connect support with the overlay 
project of 5.3.8.

I put this URL in the browser, the CAS login page comes up, and after I enter 
user/password the next screen is: http://localhost:8180/ (this is where 
my CAS5 runs).

https://localhost:8543/cas5/oidc/authorize?client_id=demoOIDC_uri=https%3A%2F%2Foidcdebugger.com%2Fdebug=openid_type=code_mode=form_post=3lfs0f7i4jp

What should I see instead? The "Grant Access" or consent form? Or a redirect 
to the redirectUrl? It is not doing either; I do not seem to get the 
authorization code in the URL, either.

Here is cas.properties. I just want to access the openid scope.

Thanks!
Yan


cas.serviceRegistry.json.location=file:///C:/gitworkspace/nextcas-suite/cas5-server/etc/cas/services
cas.authn.oidc.issuer=https://localhost:8543/cas5/oidc
cas.authn.oidc.jwksFile=file:///C:/yzhou/casprojects/certstore/keystore.jwks
cas.authn.oidc.scopes=openid

Here is the service json file:

{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "demoOIDC",
  "clientSecret": "password",
  "serviceId": "^https://oidcdebugger.com/debug",
  "signIdToken": true,
  "implicit": true,
  "bypassApprovalPrompt": false,
  "name": "Demo app",
  "id": 207929965088748,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "evaluationOrder": 100,
  "encryptIdToken": false,
  "scopes": [ "java.util.HashSet",
    [ "openid" ]
  ]
}


Here are the logs:

2019-03-01 14:49:25,743 DEBUG 
[org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - https://oidcdebugger.com/debug] to participate in the 
existing SSO session>
2019-03-01 14:49:25,765 INFO 
[org.apereo.cas.DefaultCentralAuthenticationService] - http://localhost:8180/cas5/oauth2.0/callbackAuthorize?client_id=demoOIDC_uri=https%3A%2F%2Foidcdebugger.com%2Fdeb...]
 
and principal [casuser]>
2019-03-01 14:49:25,767 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - http://localhost:8180/cas5/oauth2.0/callbackAuthorize?client_id=demoOIDC_uri=https%3A%2F%2Foidcdebugger.com%2Fdeb...
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Mar 01 14:49:25 EST 2019
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=

>
2019-03-01 14:49:25,768 DEBUG 
[org.apereo.cas.authentication.PseudoPlatformTransactionManager] - 

2019-03-01 14:49:25,774 DEBUG 
[org.apereo.cas.authentication.principal.DefaultResponse] - http://localhost:8180/cas5/oauth2.0/callbackAuthorize?client_id=demoOIDC_uri=https%3A%2F%2Foidcdebugger.com%2Fdebug_type=code_name=CasOAuthClient]>
2019-03-01 14:49:25,837 DEBUG 
[org.apereo.cas.authentication.principal.DefaultResponse] - http://localhost:8180/cas5/oauth2.0/callbackAuthorize?client_id=demoOIDC_uri=https%3A%2F%2Foidcdebugger.com%2Fdebug_type=code_name=CasOAuthClient=ST-1-hwOlrmdWivnsKOg-7AJHxsAw07YCINWLC0J1UTU]>
2019-03-01 14:49:26,083 DEBUG 
[org.apereo.cas.authentication.PseudoPlatformTransactionManager] - 

2019-03-01 14:49:26,086 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
https://oidcdebugger.com/debug] defined by registered service 
[^https://oidcdebugger.com/debug]...>
2019-03-01 14:49:26,087 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 

2019-03-01 14:49:26,087 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 

2019-03-01 14:49:26,088 DEBUG 
[org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository] 
- <[DefaultPrincipalAttributesRepository] will return the collection of 
attributes directly associated with the principal object which are [{}]>
2019-03-01 14:49:26,121 DEBUG 
[org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository]
 
- 
2019-03-01 14:49:26,121 DEBUG 
[org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository]
 
- 
2019-03-01 14:49:26,121 DEBUG 
[org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository]
 
- 
2019-03-01 14:49:26,123 DEBUG 
[org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository] 
- 
2019-03-01 14:49:26,123 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 

2019-03-01 14:49:26,123 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 

2019-03-01 14:49:26,124 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 

2019-03-01 14:49:26,124 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 

2019-03-01 14:49:26,124 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 

2019-03-01 14:49:26,125 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 

2019-03-01 14:49:26,125 DEBUG 
[org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - 
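A point worth checking in the service definition above, as an added example that is not part of the original post or of CAS itself: serviceId is a regular expression that CAS matches against the redirect_uri of the OIDC request, so what the entry authorizes depends on how tightly the pattern is written. The Python below loads the service JSON from the post (with its quoting repaired), shows which candidate redirect URIs the posted pattern accepts compared with a tightened variant, flags the loose spots, and reports requested scopes that are not in the registered scopes list. The tightened pattern and the candidate URIs are constructed for the example, and it assumes CAS evaluates serviceId as a regex search, so only explicit anchors constrain the ends of the URL.

```python
import json
import re

# The service definition from the post, with the extraction-damaged quoting repaired.
SERVICE_JSON = """{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "demoOIDC",
  "clientSecret": "password",
  "serviceId": "^https://oidcdebugger.com/debug",
  "signIdToken": true,
  "implicit": true,
  "bypassApprovalPrompt": false,
  "name": "Demo app",
  "id": 207929965088748,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "evaluationOrder": 100,
  "encryptIdToken": false,
  "scopes": ["java.util.HashSet", ["openid"]]
}"""

# Tightened pattern (constructed for this example): dot escaped, end anchored.
STRICT_SERVICE_ID = r"^https://oidcdebugger\.com/debug$"

# Constructed candidate redirect_uri values a client might present.
CANDIDATE_REDIRECTS = [
    "https://oidcdebugger.com/debug",
    "https://oidcdebugger.com/debug/anything-else",
    "https://oidcdebuggerXcom/debug",
    "https://example.com/debug",
]


def load_service(text: str) -> dict:
    return json.loads(text)


def registered_scopes(service: dict) -> set:
    """CAS serialises the set as ["java.util.HashSet", [..values..]]."""
    return set(service["scopes"][1])


def matches_service_id(service_id: str, redirect_uri: str) -> bool:
    """Assumed to mirror CAS's service lookup: serviceId is a regex searched
    against the redirect_uri, so only explicit anchors constrain the ends."""
    return re.search(service_id, redirect_uri) is not None


def authorized_redirects(service_id: str, candidates) -> list:
    return [u for u in candidates if matches_service_id(service_id, u)]


def lint_service_id(service_id: str) -> list:
    """Flag the common ways a serviceId regex authorizes more than intended."""
    findings = []
    if not service_id.startswith("^"):
        findings.append("not anchored at the start: any prefix is accepted")
    if not service_id.endswith("$"):
        findings.append("not anchored at the end: any suffix is accepted")
    if re.search(r"(?<!\\)\.", service_id):
        findings.append("unescaped '.' matches any character, including in the host name")
    return findings


def unregistered_scopes(service: dict, requested) -> list:
    """Scopes in the request that the service definition does not allow."""
    return sorted(set(requested) - registered_scopes(service))


if __name__ == "__main__":
    svc = load_service(SERVICE_JSON)
    for label, pattern in (("posted", svc["serviceId"]), ("strict", STRICT_SERVICE_ID)):
        print(f"{label} serviceId {pattern!r}")
        print("  accepts:", authorized_redirects(pattern, CANDIDATE_REDIRECTS))
        print("  findings:", lint_service_id(pattern) or "none")
    print("unregistered scopes:", unregistered_scopes(svc, ["openid", "profile"]))
```

The posted pattern accepts three of the four candidates because the unescaped dot and the missing end anchor widen the match; the strict form accepts only the exact debugger URL. Running the same lint over every service file in the registry directory is a cheap pre-deployment check.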

[cas-user] why is ST added twice? cas 4.1.9 and hazelcast ticket registry

2019-02-28 Thread Yan Zhou
Hello, 

I am debugging an issue where CAS intermittently says that an ST does not 
exist, and therefore /serviceValidate fails.  I am running CAS 4.1.9 on the 
Hazelcast ticket registry. I have multiple instances of CAS running behind 
a load balancer, and each CAS process also runs Hazelcast embedded as part of 
CAS.  

I already verified that the time of /serviceValidate is immediately after 
the ST is granted, and that is the only time the ST is validated. Still, 
intermittently, CAS says the ST does not exist. 

I enabled debug logging and noticed that the log shows an ST is added twice: first 
when the ST is granted and a second time when /serviceValidate is called. Why is it 
added again the second time?

Thx!

This is where the ST seems to be added twice after enabling debug 
logging. 

casoverlay.log:2019-02-28 18:30:30,233 DEBUG 
[org.jasig.cas.ticket.registry.HazelcastTicketRegistry] - Adding ticket 
[ST-1-3t7LPYKicasSiVBs6Rhd-qacasnext03.qa.medplus.com] with ttl [60s]
casoverlay.log:2019-02-28 18:30:30,260 INFO 
[org.jasig.cas.CentralAuthenticationServiceImpl] - Granted ticket 
[ST-1-3t7LPYKicasSiVBs6Rhd-qacasnext03.qa.medplus.com] for service 
[https://care360-auto3.qa.medplus.com/care360-admin/Care360SecurityCheck] 
for user [castempadmin]


casoverlay.log:2019-02-28 18:30:40,018 DEBUG 
[org.jasig.cas.ticket.registry.HazelcastTicketRegistry] - Adding ticket 
[ST-1-3t7LPYKicasSiVBs6Rhd-qacasnext03.qa.medplus.com] with ttl [60s]
casoverlay.log:2019-02-28 18:30:40,106 DEBUG 
[org.jasig.cas.web.QuestServiceValidateController] - Successfully validated 
service ticket ST-1-3t7LPYKicasSiVBs6Rhd-qacasnext03.qa.medplus.com for 
service 
[https://care360-auto3.qa.medplus.com/care360-admin/Care360SecurityCheck]


The following one is my problem: the ST does not exist, even though it was 
just granted. 

casoverlay.log:2019-02-26 17:20:04,362 INFO 
[org.jasig.cas.CentralAuthenticationServiceImpl] - Granted ticket 
[ST-19-LDMqVJYUuNcgyeisy3F7-qacasnext03.qa.medplus.com] for service 
[https://care360-auto3.qa.medplus.com/care360-admin/Care360SecurityCheck] 
for user [asmitaauto3sa]

 


casoverlay.log:2019-02-26 17:20:04,474 INFO 
[org.jasig.cas.CentralAuthenticationServiceImpl] - Service ticket 
[ST-19-LDMqVJYUuNcgyeisy3F7-qacasnext03.qa.medplus.com] does not exist.

 

Notice that /serviceValidate was called immediately after the ST was granted:


localhost_access_log.2019-02-26.txt:172.18.52.60 - - [26/Feb/2019:17:20:04 
+] "GET 
/cas/serviceValidate?ticket=ST-19-LDMqVJYUuNcgyeisy3F7-qacasnext03.qa.medplus.com=https%3A%2F%2Fcare360-auto3.qa.medplus.com%2Fcare360-admin%2FCare360SecurityCheck
 
HTTP/1.1" 200 274 "-" "Java/1.6.0_71"



Thx!

Yan

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9ed122fc-9a37-40ab-9773-70cd301e9b88%40apereo.org.
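The log excerpts above pair a "Granted ticket" line with either "Adding ticket"/"Successfully validated" lines or a "does not exist" line. As an added example (not code from the thread), the Python below correlates such lines by ticket id and reports the two things a practitioner would want from a log pulled off several nodes: tickets that were added to the registry more than once, and tickets reported missing after being granted, with the elapsed time in milliseconds. The sample lines are constructed to mirror the post's format; the ticket ids, host names, service URL and users are placeholders. It does not explain the second add; it only makes the pattern easy to find across instances.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on the post's casoverlay.log excerpts.
# Ticket ids, hosts, services and users are placeholders, not the post's values.
SAMPLE_LOG = """\
2019-02-28 18:30:30,233 DEBUG [org.jasig.cas.ticket.registry.HazelcastTicketRegistry] - Adding ticket [ST-1-aaaa-casnode03.example.org] with ttl [60s]
2019-02-28 18:30:30,260 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted ticket [ST-1-aaaa-casnode03.example.org] for service [https://app.example.org/SecurityCheck] for user [user1]
2019-02-28 18:30:40,018 DEBUG [org.jasig.cas.ticket.registry.HazelcastTicketRegistry] - Adding ticket [ST-1-aaaa-casnode03.example.org] with ttl [60s]
2019-02-28 18:30:40,106 DEBUG [org.jasig.cas.web.ServiceValidateController] - Successfully validated service ticket ST-1-aaaa-casnode03.example.org for service [https://app.example.org/SecurityCheck]
2019-02-26 17:20:04,362 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted ticket [ST-19-bbbb-casnode03.example.org] for service [https://app.example.org/SecurityCheck] for user [user2]
2019-02-26 17:20:04,474 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Service ticket [ST-19-bbbb-casnode03.example.org] does not exist.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) +(?P<level>[A-Z]+) +"
    r"\[(?P<logger>[^\]]+)\] - (?P<msg>.*)$"
)
# Ticket ids in the post carry a host name suffix, so allow dots until ']' or space.
TICKET_RE = re.compile(r"(ST-\d+-[^\s\]]+)")

# Message prefix -> event name.
EVENTS = (
    ("Adding ticket", "added"),
    ("Granted ticket", "granted"),
    ("Successfully validated service ticket", "validated"),
    ("Service ticket", "missing"),  # only when the message says "does not exist"
)


def classify(msg: str):
    for prefix, event in EVENTS:
        if msg.startswith(prefix):
            if event == "missing" and "does not exist" not in msg:
                return None
            return event
    return None


def parse_log(text: str) -> dict:
    """Map ticket id -> chronologically sorted [(timestamp, event)]."""
    timeline = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = classify(m["msg"])
        ticket = TICKET_RE.search(m["msg"])
        if event is None or ticket is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        timeline[ticket.group(1)].append((ts, event))
    return {ticket: sorted(events) for ticket, events in timeline.items()}


def analyze(timeline: dict) -> dict:
    """Report registry adds beyond the first, and grant-to-missing gaps in ms."""
    added_more_than_once = {}
    missing_after_grant = {}
    for ticket, events in timeline.items():
        adds = sum(1 for _, e in events if e == "added")
        if adds > 1:
            added_more_than_once[ticket] = adds
        granted = [ts for ts, e in events if e == "granted"]
        missing = [ts for ts, e in events if e == "missing"]
        if granted and missing:
            gap = missing[0] - granted[0]
            missing_after_grant[ticket] = gap // timedelta(milliseconds=1)
    return {"added_more_than_once": added_more_than_once,
            "missing_after_grant": missing_after_grant}


if __name__ == "__main__":
    report = analyze(parse_log(SAMPLE_LOG))
    for ticket, n in report["added_more_than_once"].items():
        print(f"{ticket}: added to the registry {n} times")
    for ticket, ms in report["missing_after_grant"].items():
        print(f"{ticket}: reported missing {ms} ms after being granted")
```

Feed it the concatenated logs of all nodes behind the load balancer (the ticket id's host suffix tells you which node issued it) so that a validation handled by a different node than the one that granted the ticket shows up in the same timeline.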


Re: [cas-user] CAS is Federated SSO?

2019-02-13 Thread Yan Zhou
We have both CAS 4.1.9 and CAS 5.3.5. 

True, we could support it, but I do not see any benefit with all the extra 
work.

I am reading about OpenID Connect; other than the flow/payload, the CAS 
protocol has very similar concepts. Technically, we can replace OpenID 
Connect with the CAS protocol, and it should be just as secure, isn't it?

Yan

On Wednesday, February 13, 2019 at 10:41:30 AM UTC-5, oneill wrote:
>
> Yan,
>
> Sounds like you’re on the right track and CAS can probably continue to 
> meet your SSO needs.
>
> What version of CAS are you on now? With the right modules and 
> configuration, a CAS server could support Open ID and SAML 2.0, in addition 
> to CAS.
>
> Tom
>
> *From:* cas-...@apereo.org 
> *On Behalf Of *Yan Zhou
> *Sent:* Wednesday, February 13, 2019 10:28 AM
> *To:* CAS Community
> *Subject:* [cas-user] CAS is Federated SSO?
>
> Hello!
>
> We have been using CAS in our enterprise quite well. Various apps inside 
> our corporation use the CAS protocol to achieve SSO.
>
> A vendor wants to integrate with us and they agree that CAS is the single 
> identity provider. But, they want Open ID Connect or SAML2, not CAS 
> protocol. It is true that using standards is better; CAS protocol is very 
> light-weight, but it is not an industry standard. 
>
> As far as I can tell, CAS4 and CAS5 do provide federated SSO (provided 
> that CAS is the only identity provider). Does that sound right? If there 
> is one single identity provider, the user does not authenticate against any 
> app, and the app talks to the CAS server. It all sounds like federated SSO to me. 
>
> In this particular context, I do not know what Open ID Connect or SAML2 
> will offer that CAS protocol does not, other than that we would be using a 
> standard protocol, but a lot more complicated one.
>
> Thx!
>
> Yan
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4bdc40a1-8ce7-4381-b43b-5b900fb71b12%40apereo.org.


[cas-user] CAS is Federated SSO?

2019-02-13 Thread Yan Zhou
Hello!

We have been using CAS in our enterprise quite well. Various apps inside 
our corporation use the CAS protocol to achieve SSO.

A vendor wants to integrate with us and they agree that CAS is the single 
identity provider. But, they want Open ID Connect or SAML2, not CAS 
protocol. It is true that using standards is better, CAS protocol is very 
light-weight, but it is not an industry standard. 

As far as I can tell, CAS4 and CAS5 do provide federated SSO (provided 
that CAS is the only identity provider). Does that sound right?   If there 
is one single identity provider, the user does not authenticate against any 
app, and the app talks to the CAS server.  It all sounds like federated SSO to me. 

In this particular context, I do not know what Open ID Connect or SAML2 
will offer that CAS protocol does not, other than that we would be using a 
standard protocol, but a lot more complicated one.

Thx!
Yan

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/87a9ab48-0fd0-45d8-a492-8b671ea11abd%40apereo.org.


Re: [cas-user] Re: lose service parameter when incorrect credential entered

2019-02-08 Thread Yan Zhou
Thanks Ray for staying on this!!

I finally figured this out. My login page loads some JS and CSS files. 
One of the JS files does not exist and returns a 404. That apparently caused the 
problem.  Once I removed the reference to the non-existent JS file, it works!

Yan

On Thursday, February 7, 2019 at 7:31:02 PM UTC-5, rbon wrote:
>
> Yan,
>
> Use your browser development tools to see if there is an unexpected 
> redirect. If there is, that would be where the service param is lost.
> The service is part of the url and not a form variable.
>
> Ray
>
> On Thu, 2019-02-07 at 16:04 -0800, Yan Zhou wrote:
>
> Thanks for reading through such long logs. I appreciate it! 
>
> I am getting closer. As for the missing service parameter, it is because 
> when the login form submits, it is missing the service parameter to begin 
> with.  The CAS code confirmed the behavior.
>
> The form POST did not have the service parameter to begin with:
>
> 127.0.0.1 - - [07/Feb/2019:18:47:09 -0500] "POST /cas5/login HTTP/1.1" 401 
> 18021 <== this happens to my form when I submit login form after 
> entering incorrect credential
>
> 127.0.0.1 - - [07/Feb/2019:18:52:43 -0500] "POST /cas5/login?service=
> https://test.com HTTP/1.1" 401 18184 <==  this happens at the 
> simple overlay app
>
> Now the question is, how did I get here?  I am using essentially the same 
> form; I am not sure why one appends the service parameter but the other does not. 
>
>  _lpchecked="1" > 
>
> 
> Username
>  id="username" class="qd-text-input md-input ng-not-empty ng-dirty 
> ng-valid-parse ng-valid ng-valid-required ng-touched" autocomplete="off" 
> tabindex="1" value="" aria-invalid="false" style="background-image: 
> url(data:image/png;base64,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);
>  
> background-repeat: no-repeat; background-attachment: scroll; 
> background-size: 16px 18px; background-position: 98% 50%; cursor: 
> auto;">
> 
>
> 
> Password
>  id="password" class="qd-text-input md-input ng-not-empty ng-dirty 
> ng-valid-parse ng-valid ng-valid-required ng-touched" autocomplete="off" 
> tabindex="2" value="" aria-invalid="false" style="background-image: 
> url(data:image/png;base64,iVBORw.3AElFTkSuQmCC); 
> background-repeat: no-repeat; background-attachment: scroll; 
> background-size: 16px 18px; background-position: 98% 50%; cursor: 
> auto;">
> Password is case-sensitive
> 
>
>  type="submit" ng-transclude="" tabindex="6" ng-disabled="!vm.username || 
> !vm.password" aria-label="Login"> class="ng-scope">Login
>
>  name="execution" 
> value="27f6679d-4caf-4671-bf76-...">
> 
> 
>
>
>
> On Thursday, February 7, 2019 at 5:12:32 PM UTC-5, rbon wrote: 
>
> Yan,
>
> In the preserved parameter log, checkForPswdResetToken exists between 
> initializeLoginForm and viewLoginForm. It is missing in yours.
>
> Ray
>
> On Thu, 2019-02-07 at 12:04 -0800, Yan Zhou wrote:
>
> Hi, 
>
> Thanks for the help. I have not used the customized webflow class Ray 
> provided, because I do not know how to yet.   I was looking into this by 
> comparing debug-level logging. 
>
> What I did was compare two projects: one is a simple CAS 5.3.x 
> overlay and the other is mine (after removing any customization of the login 
> flow).  Still, the simple overlay preserves the service parameter and mine does 
> not, even after I removed all customization done to the flow (apparently 
> there must still be some subtle change to the flow; I just do not know 
> what it is). 
>
> For some reason, my flowExecutionUrl lost service parameter.
>
> *This is mine that lost service parameter after incorrect user credential.*
>
> 2019-02-07 10:42:08,403 DEBUG 
> [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
>  [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
>  
> for this context>
> 2019-02-07 10:42:08,404 DEBU

Re: [cas-user] Re: lose service parameter when incorrect credential entered

2019-02-07 Thread Yan Zhou
Thanks for reading through such long logs. I appreciate it!

I am getting closer. As for the missing service parameter, it is because 
when the login form submits, it is missing the service parameter to begin 
with.  The CAS code confirmed the behavior.

The form POST did not have the service parameter to begin with:

127.0.0.1 - - [07/Feb/2019:18:47:09 -0500] "POST /cas5/login HTTP/1.1" 401 
18021 <== this happens to my form when I submit login form after 
entering incorrect credential

127.0.0.1 - - [07/Feb/2019:18:52:43 -0500] "POST 
/cas5/login?service=https://test.com HTTP/1.1" 401 18184 <==  
this happens at the simple overlay app

Now the question is, how did I get here?  I am using essentially the same 
form; I am not sure why one appends the service parameter but the other does not. 

 


Username




Password

Password is case-sensitive


Login







On Thursday, February 7, 2019 at 5:12:32 PM UTC-5, rbon wrote:
>
> Yan,
>
> In the preserved parameter log, checkForPswdResetToken exists between 
> initializeLoginForm and viewLoginForm. It is missing in yours.
>
> Ray
>
> On Thu, 2019-02-07 at 12:04 -0800, Yan Zhou wrote:
>
> Hi, 
>
> Thanks for the help. I have not used the customized webflow class Ray 
> provided, because I do not know how to yet.   I was looking into this by 
> comparing debug-level logging. 
>
> What I did was compare two projects: one is a simple CAS 5.3.x 
> overlay and the other is mine (after removing any customization of the login 
> flow).  Still, the simple overlay preserves the service parameter and mine does 
> not, even after I removed all customization done to the flow (apparently 
> there must still be some subtle change to the flow; I just do not know 
> what it is). 
>
> For some reason, my flowExecutionUrl lost service parameter.
>
> *This is mine that lost service parameter after incorrect user credential.*
>
> 2019-02-07 10:42:08,403 DEBUG 
> [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
>  [org.apereo.cas.web.flow.resolver.impl.InitialAuthenticationAttemptWebflowEventResolver]
>  
> for this context>
> 2019-02-07 10:42:08,404 DEBUG 
> [org.springframework.webflow.execution.ActionExecutor] -  executing 
> org.apereo.cas.web.flow.actions.InitialAuthenticationAction@1d082ed8; 
> result = authenticationFailure>
> 2019-02-07 10:42:08,404 DEBUG 
> [org.springframework.webflow.execution.AnnotatedAction] -  execution attributes map[[empty]]>
> 2019-02-07 10:42:08,404 DEBUG 
> [org.springframework.webflow.execution.ActionExecutor] -  executing [EvaluateAction@1c04a306 expression = 
> authenticationViaFormAction, resultExpression = [null]]; result = 
> authenticationFailure>
> 2019-02-07 10:42:08,404 DEBUG 
> [org.springframework.webflow.engine.Transition] -  [Transition@69b93ff2 on = authenticationFailure, to = 
> handleAuthenticationFailure]>
> 2019-02-07 10:42:08,404 DEBUG 
> [org.springframework.webflow.engine.Transition] -  'realSubmit'>
> 2019-02-07 10:42:08,404 DEBUG 
> [org.springframework.webflow.engine.ActionState] -  'handleAuthenticationFailure' of flow 'login'>
> 2019-02-07 10:42:08,404 DEBUG 
> [org.springframework.webflow.execution.ActionExecutor] -  [EvaluateAction@5a7334d4 expression = authenticationExceptionHandler, 
> resultExpression = [null]]>
> 2019-02-07 10:42:08,404 DEBUG 
> [org.springframework.webflow.execution.ActionExecutor] -  org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction@76e88b6>
> 2019-02-07 10:42:08,404 DEBUG 
> [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - 
> 
> 2019-02-07 10:42:08,404 DEBUG 
> [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - 
>  org.apereo.cas.authentication.AuthenticationException] with message [1 
> errors, 0 successes] from the current event>
> 2019-02-07 10:42:08,406 DEBUG 
> [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - 
>  [org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 
> successes]. Returning [UNKNOWN]>
> 2019-02-07 10:42:08,409 DEBUG 
> [org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction] - 
> 
> 2019-02-07 10:42:08,410 DEBUG 
> [org.springframework.webflow.execution.ActionExecutor] -  executing 
> org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction@76e88b6; 
> result = UNKNOWN>
> 2019-02-07 10:42:08,410 DEBUG 
> [org.springframework.webflow.execution.ActionExecutor] -  executing [EvaluateAction@5a7334d4 expression = 
> authenticationExceptionHandler, resultExpression = [null]]; result = 
> UNKNOWN>
> 2019-02-07 10:42:08,410 DEBUG 
> [org.springframework.webflow.engine.Transition] -  [Transition@4b9fecdf on = *, to = i

[cas-user] Re: lose service parameter when incorrect credential entered

2019-02-07 Thread Yan Zhou
bflow.mvc.view.AbstractMvcView] - https://test.com, 
originalUrl=https://test.com, artifactId=null, principal=null, 
source=service, loggedOutAlready=false, format=XML, 
attributes={}), ticketGrantingTicketId=null, 
googleAnalyticsTrackingId=null, trackGeoLocation=false, 
flashScope=map[[empty]], 
registeredService=AbstractRegisteredService(serviceId=^https?://.*, 
name=CAS-Management3, theme=hcp, informationUrl=null, privacyUrl=null, 
responseType=null, id=1, 
description=Management3, 
expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
 
notifyWhenDeleted=false, expirationDate=null), 
proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, 
evaluationOrder=1, 
usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2,
 
logoutType=BACK_CHANNEL, requiredHandlers=[], 
attributeReleasePolicy=ReturnAllAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
 
principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, 
excludedAttributes=null, includeOnlyAttributes=null), 
authorizedToReleaseCredentialPassword=false, 
authorizedToReleaseProxyGrantingTicket=false, 
excludeDefaultAttributes=false, 
authorizedToReleaseAuthenticationAttributes=true, 
principalIdAttribute=null)), 
multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
 
failureMode=NOT_SET, principalAttributeNameTrigger=null, 
principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, 
logoutUrl=https://localhost:8543/ssvenroll/logout, 
accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, 
enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, 
delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[]),
 
requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, 
caseInsensitive=false), publicKey=null, properties={}, contacts=[]), 
doChangePassword=false}]>




On Wednesday, February 6, 2019 at 6:12:52 PM UTC-5, Colin Wilkinson wrote:
>
> Hi Yan,
>
> As Ray correctly pointed out, the XML webflow defined is a basic starting 
> point; if you search through the you find a lot of classes extending 
> Cas*Webflow*Configurer, 
> this includes the DefaultLoginWebflowConfigurer.
>
> During our upgrade from I noticed the same issue, that at times the service 
> parameter was going missing, but the page worked fine as long as I did NOT 
> do a refresh. From my investigation the service parameter is stored upon 
> entry into CAS, and as long as the page is not force-refreshed by the user 
> without the service parameter then CAS should work fine.
>
> During my investigation I found the following redirect,
> 
>
> They redirect without the query parameters. There is also a 
> redirectToLogin as well.
> 
>
> Given that you have entered invalid credentials, then it's more than likely 
> going down the " to="handleAuthenticationFailure"/>" code and not even hitting your code.
>
>
> Regards,
> Colin
>
> On Thursday, 7 February 2019 05:00:05 UTC+11, Yan Zhou wrote:
>>
>> Hi there,
>>
>> I extended CAS 5.3.4.  The app redirects to the CAS login page with the service 
>> parameter.
>>
>> When I type an incorrect credential, I see the invalid credential message, 
>> but I lose the service parameter; the screen refreshes to have only the CAS URL.
>>
>> What could be missing in my code?
>>
>> Thx!
>>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8c971a99-eb54-4bf8-a47c-1d1aae99c776%40apereo.org.
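The thread above turns on whether the login form's POST still carries the service parameter: the working overlay posts to /cas5/login?service=..., the broken page posts to a bare /cas5/login, and the CAS protocol text quoted later in the thread says the value must also be a parameter of the form. As an added check that is not part of the thread or of CAS, the Python below scans a login page for its POST form and reports whether service survives in the form action's query string or as a hidden input, which is what you would want to confirm before digging through webflow logs. The three sample pages are constructed for the example; the service URL is the post's https://test.com.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

SERVICE = "https://test.com"  # the service URL used in the post

# Three constructed login pages (not the thread's actual markup).
# 1. The form posts to an action that still carries ?service=... (the working overlay).
GOOD_PAGE = """<form method="post" id="fm1"
  action="/cas5/login?service=https%3A%2F%2Ftest.com&amp;execution=e1s1">
  <input type="text" name="username"><input type="password" name="password">
  <input type="hidden" name="execution" value="e1s1">
  <input type="hidden" name="_eventId" value="submit">
  <button type="submit">Login</button></form>"""
# 2. The form posts to a bare /cas5/login (the broken page in the post).
BAD_PAGE = GOOD_PAGE.replace("?service=https%3A%2F%2Ftest.com&amp;execution=e1s1", "")
# 3. service carried as a hidden field, the form the CAS protocol text describes.
HIDDEN_PAGE = BAD_PAGE.replace(
    '<input type="hidden" name="execution"',
    '<input type="hidden" name="service" value="https://test.com">'
    '<input type="hidden" name="execution"')


class LoginFormScanner(HTMLParser):
    """Collect the first POST form's action and its hidden inputs."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.action = None
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None and (a.get("method") or "get").lower() == "post":
            self.in_form = True
            self.action = a.get("action") or ""
        elif tag == "input" and self.in_form and (a.get("type") or "").lower() == "hidden":
            self.hidden[a.get("name")] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def service_location(html: str, expected_service: str):
    """'action' if the POST form's action query carries service=<expected>,
    'hidden' if a hidden input carries it, None if the value would be lost."""
    scanner = LoginFormScanner()
    scanner.feed(html)
    if scanner.action is not None:
        query = parse_qs(urlsplit(scanner.action).query)
        if query.get("service") == [expected_service]:
            return "action"
    if scanner.hidden.get("service") == expected_service:
        return "hidden"
    return None


if __name__ == "__main__":
    for name, page in (("good", GOOD_PAGE), ("bad", BAD_PAGE), ("hidden", HIDDEN_PAGE)):
        print(f"{name}: service parameter found in {service_location(page, SERVICE)!r}")
```

To use it against a real deployment, save the rendered login page from the browser after a failed login (not the Thymeleaf template, since the action URL is filled in at render time) and pass that HTML in; a result of None means the next submit will reach /login without a service, which matches the access-log line in the post.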


Re: [cas-user] lose service parameter when incorrect credential entered

2019-02-06 Thread Yan Zhou
> where/when in the flow you think.
>
> I have a gist, 
> https://gist.github.com/rbonatuvic/d3ef9e8dc0c5a78870a8520bc2ab2b74, that 
> will format the login flow during startup. Use this to see what the flow 
> looks like when your custom configuration is being configured.
>
> Where is 'checkLoginUserAction' defined?
>
> Ray
>
> On Wed, 2019-02-06 at 11:02 -0800, Yan Zhou wrote:
>
> Hi, 
>
> I made some customizations to the login flow; see all login-related 
> code/configuration below.   
>
> I read this in the CAS 5.3.x documentation:  If “service” was specified to 
> */login*, “service” MUST also be a parameter of the form, containing the 
> value originally passed to */login*.  
>
> Is this saying the form in casLoginView.html should have a "service" 
> parameter, along with username & password?  With the sample overlay 
> project, I did not see a "service" parameter in the form, but this works 
> fine, i.e., if the credential is incorrect, it keeps the "service" parameter. 
>
> This is my complete login webflow. 
>
> 
> http://www.w3.org/2001/XMLSchema-instance;
>   xmlns="http://www.springframework.org/schema/webflow;
>   xsi:schemaLocation="http://www.springframework.org/schema/webflow
>   
> http://www.springframework.org/schema/webflow/spring-webflow.xsd;>
>
> 
> 
> 
> 
>
> 
> 
> 
> 
> 
>  to="realSubmit" history="invalidate"/>
> 
> 
>
> 
> 
> 
> 
>  to="showAuthenticationWarningMessages"/>
>  to="handleAuthenticationFailure"/>
> 
> 
>   
>   
>   
>/>
>   
>   
>   
>   
>model="emailAddressValue">
>   
> 
> 
> 
> 
>
> 
>   
> 
> 
> 
> 
> 
>
>
> package org.apereo.cas.config;
>
> import javax.sql.DataSource;
>
> import org.apereo.cas.adaptors.jdbc.QuestAuthenticationHandler;
> import org.apereo.cas.authentication.AuthenticationEventExecutionPlan;
> import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
> import org.apereo.cas.authentication.AuthenticationHandler;
> import org.apereo.cas.configuration.CasConfigurationProperties;
> import org.apereo.cas.services.ServicesManager;
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
> import org.springframework.beans.factory.annotation.Autowired;
> import org.springframework.beans.factory.annotation.Qualifier;
> import org.springframework.boot.autoconfigure.AutoConfigureAfter;
> import org.springframework.boot.context.properties.EnableConfigurationProperties;
> import org.springframework.context.annotation.Bean;
> import org.springframework.context.annotation.Configuration;
> import org.springframework.transaction.annotation.EnableTransactionManagement;
>
> import com.quest.hub.cas.entity.UserRepository;
>
> @Configuration("QuestAuthenticationEventExecutionPlanConfiguration")
> @AutoConfigureAfter(QuestDatabaseConfiguration.class)
> @EnableConfigurationProperties(CasConfigurationProperties.class)
> @EnableTransactionManagement(proxyTargetClass = true)
> public class QuestAuthenticationEventExecutionPlanConfiguration implements AuthenticationEventExecutionPlanConfigurer {
>     private static final Logger logger = LoggerFactory.getLogger(QuestAuthenticationEventExecutionPlanConfiguration.class);
>
>     @Autowired
>     private CasConfigurationProperties casProperties;
>
>     @Autowired
>     @Qualifier("servicesManager")
>     private ServicesManager servicesManager;
>
>     @Autowired
>     @Qualifier("casDataSource")
>     DataSource dataSource;
>
>     @Autowired
>     private UserRepository userRepository;
>
>     @Bean
>     public AuthenticationHandler questAuthenticationHandler() {
>         final QuestAuthenticationHandler handler = new QuestAuthenticationHandler("questAuthHandler",
>             servicesManager, null, 0, dataSource, userRepository);
>         return handler;
>     }
>
>     @Override
>     public void configureAuthenticationExecutionPlan(final AuthenticationEventExecutionPlan plan) {
>         plan.registerAuthenticationHandler(questAuthenticationHandler());
>     }
> }
>
>
> package org.apereo.cas.adaptors.jdbc;
>
> import java.security.GeneralSecurityException;
> import java.security.NoSuchAlgorithmException;
> imp

Re: [cas-user] lose service parameter when incorrect credential entered

2019-02-06 Thread Yan Zhou
enticationHandler extends AbstractJdbcUsernamePasswordAuthenticationHandler {

    private UserRepository userRepo;

    public QuestAuthenticationHandler(String name, ServicesManager servicesManager, PrincipalFactory principalFactory,
                                      Integer order, DataSource dataSource, UserRepository userRepo) {
        super(name, servicesManager, principalFactory, order, dataSource);
        this.userRepo = userRepo;
    }

    protected final AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(
            final UsernamePasswordCredential credential, final String originalPassword)
            throws GeneralSecurityException {
        try {
            User user = userRepo.findByLoginNameIgnoreCase(credential.getUsername());
            validateUser(user);
            if (!user.isEmployee()) {
                return authenticateNonEmployee(credential, user);
            } else {
                throw new FailedLoginException("Login failed: do not support employee login yet.");
            }
        } catch (DataAccessException ex) {
            LOGGER.error("Looking up user error: " + credential.getUsername(), ex);
            throw new FailedLoginException("Login failed: cannot find user");
        }
    }


org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
  org.apereo.cas.config.QuestAuthenticationEventExecutionPlanConfiguration,\
  org.apereo.cas.config.EmbeddedTomcatDatabaseConfiguration,\
  org.apereo.cas.config.QuestDatabaseConfiguration,\
  org.apereo.cas.config.EnvironmentConfig,\
  org.apereo.cas.config.CollaborationConfiguration,\
  org.apereo.cas.config.pm.JdbcPasswordManagementConfiguration,\
  org.apereo.cas.web.config.QuestCasSupportActionsConfiguration

Thx!


On Wednesday, February 6, 2019 at 1:35:57 PM UTC-5, rbon wrote:
>
> Yan,
>
> Can you post your code?
>
> Ray
>
> On Wed, 2019-02-06 at 10:00 -0800, Yan Zhou wrote:
>
> Hi there, 
>
> I extended CAS 5.3.4. The app redirects to the CAS login page with the service 
> parameter.
>
> When I type an incorrect credential, I see the invalid credential message, 
> but I lose the service parameter; the screen refreshes with only the CAS URL.
>
> What could be missing in my code?
>
> Thx!
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca 
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/df650307-43c9-421c-be67-46ad4cad60aa%40apereo.org.


[cas-user] lose service parameter when incorrect credential entered

2019-02-06 Thread Yan Zhou
Hi there,

I extended CAS 5.3.4. The app redirects to the CAS login page with the service 
parameter.

When I type an incorrect credential, I see the invalid credential message, but 
I lose the service parameter; the screen refreshes with only the CAS URL.

What could be missing in my code?

Thx!

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a6f4857f-59fd-4a5a-af62-615bae273089%40apereo.org.


[cas-user] CAS5 flow state transition lose service parameter in URL?

2018-12-28 Thread Yan Zhou
Hello,

When an app redirects to CAS, the CAS login URL has a "service" parameter 
appended for the later redirect.

In CAS 4, state transitions from the login page preserve the "service" 
parameter; the URL does not change as the flow transitions to different 
states.

But in CAS 5, any state transition from the login page removes the "service" 
parameter from the URL; the URL becomes /cas/login.

We have an additional flow for which we want to keep the originating URL with 
the "service" parameter. How can I enable that in CAS 5?

Thanks,
Yan

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/406d7ad7-80f9-48af-bdf1-387c5ed49a95%40apereo.org.


[cas-user] CAS5, Log4j2 and SpringBoot 1.5.x, Error creating converter for xwEx java.lang.reflect.InvocationTargetException

2018-12-24 Thread Yan Zhou
Hello!

This is a known issue: 
https://github.com/spring-projects/spring-boot/issues/9172

I am seeing that with the CAS 5.3.4 overlay, which defaults to log4j2 version 
2.11.x and Spring Boot 1.5.16. Is this just me, or a known issue with CAS?

When you start up CAS5, does it complain about this?

Thx!
Yan

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b582b607-6df2-4914-a24d-e333bb2115af%40apereo.org.


[cas-user] how does Single Log Out work?

2018-12-07 Thread Yan Zhou
Hello, 

I am under the impression that if I type /cas/logout in the browser, it logs 
me out of CAS; then CAS goes through all services, looking for LOGOUT_URL and 
LOGOUT_TYPE.

For any service that has LOGOUT_URL and LOGOUT_TYPE defined (e.g., Back Channel), 
CAS will POST to that URL.

Is that how it works? But I do not see it happening. I am running a CAS 
4.1.x overlay.

Thx!
Yan 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/83e51b20-b20b-4433-b82f-3c550c0f9872%40apereo.org.
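The back-channel side of the flow asked about above, from the application's end: CAS POSTs a form field named logoutRequest carrying a SAML 2.0 LogoutRequest whose SessionIndex is the service ticket that created the local session, and the application must map that ticket back to its own session and kill it. This is an added illustration in Python, not code from the post or from CAS or its client libraries; the message layout follows the documented CAS SLO format and every ticket and session id in it is constructed.

```python
"""Back-channel Single Log Out receiver for a CAS-protected application.

Added illustration, not code from the post or from CAS itself. Assumes the
documented CAS SLO back-channel message: a POST with a form field named
``logoutRequest`` whose value is a SAML 2.0 LogoutRequest, and whose
SessionIndex is the service ticket (ST) that originally established the
application session.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


class SessionRegistry:
    """Remembers which local session was created by which CAS service ticket."""

    def __init__(self) -> None:
        self._session_by_ticket: Dict[str, str] = {}

    def register(self, service_ticket: str, session_id: str) -> None:
        """Record the ticket-to-session link at login time, when the ST is validated."""
        self._session_by_ticket[service_ticket] = session_id

    def invalidate_by_ticket(self, service_ticket: str) -> Optional[str]:
        """Drop the session tied to ``service_ticket``; return its id, or None if unknown."""
        return self._session_by_ticket.pop(service_ticket, None)


def parse_session_index(logout_request_xml: str) -> Optional[str]:
    """Extract samlp:SessionIndex from a LogoutRequest; None if the XML is not one.

    xml.etree does not resolve external entities, so a hostile body cannot pull
    in local files; anything unparseable or of the wrong root element is rejected.
    """
    try:
        root = ET.fromstring(logout_request_xml)
    except ET.ParseError:
        return None
    if root.tag != f"{{{SAMLP_NS}}}LogoutRequest":
        return None
    index = root.find(f"{{{SAMLP_NS}}}SessionIndex")
    if index is None or not (index.text or "").strip():
        return None
    return index.text.strip()


def handle_back_channel_logout(form_body: str, registry: SessionRegistry) -> Optional[str]:
    """Process one POST body from CAS; return the invalidated session id, or None.

    None is returned for every unexpected case on purpose: the receiver should
    not reveal to a caller whether a guessed ticket matched an active session.
    """
    fields = parse_qs(form_body, keep_blank_values=True)
    values = fields.get("logoutRequest", [])
    if len(values) != 1:
        return None
    ticket = parse_session_index(values[0])
    if ticket is None:
        return None
    return registry.invalidate_by_ticket(ticket)


# Constructed sample in the shape CAS sends; the ID, timestamp and ticket are made up.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-1-example" Version="2.0" IssueInstant="2018-12-07T10:00:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    "<samlp:SessionIndex>ST-1-examplesessionticket</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)
SAMPLE_FORM_BODY = urlencode({"logoutRequest": SAMPLE_LOGOUT_REQUEST})


def demo() -> Optional[str]:
    """Register one session, then deliver the sample SLO message for it."""
    registry = SessionRegistry()
    registry.register("ST-1-examplesessionticket", "app-session-42")
    return handle_back_channel_logout(SAMPLE_FORM_BODY, registry)


if __name__ == "__main__":
    print(demo())  # app-session-42
```

A second delivery of the same message returns None because the ticket is already gone, which is the behaviour a receiver wants for replayed or duplicated logout requests.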


[cas-user] CAS Management 5.3.4 UI does not show LOGOUT_TYPE

2018-12-07 Thread Yan Zhou
Hello, 

I have a CAS Management 5.3.4 overlay, with just an Oracle database as the 
service registry.

In the REGEXREGISTEREDSERVICE table, LOGOUT_TYPE is a NUMBER column and has value 1.

When I log in to CAS Management, the LOGOUT_TYPE drop-down does not show 
anything. What should the valid value be?

Thx!
Yan

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e9da922b-5fa4-484a-9a52-fc3bac65d3f3%40apereo.org.


[cas-user] Re: CAS 5.3, cannot find self-defined bean?

2018-11-06 Thread Yan Zhou
Never mind; it was a problem with the build: the old class file was not cleared.

Yan

On Tuesday, November 6, 2018 at 2:08:02 PM UTC-5, Yan Zhou wrote:
>
> Hi,
>
> This is a bit strange: defining a bean is one of the simplest things in 
> Spring Boot projects, but I seem to have a problem in the CAS 5.3.3 overlay.
>
> I defined the following configuration class, specified in 
> META-INF/spring.factories. The UrlHandlerMapping works, as I can see the code 
> stop there when I debug. But the one for MyUtility is never called; 
> therefore, when I try to @Autowired it elsewhere, it cannot find the 
> "MyUtility" bean. 
>
> Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'scopedTarget.confirmEmailAddressAction': Unsatisfied dependency expressed through field 'myUtility'; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.apereo.cas.web.flow.login.MyUtility' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {@org.springframework.beans.factory.annotation.Autowired(required=true)}
> at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:588)
> at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:87)
> at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:366)
> at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1269)
> at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:551)
>
> What am i missing?
>
> Yan
>
> @Configuration("CollaborationConfiguration")
> public class CollaborationConfiguration {
>
>     @Bean
>     public SimpleUrlHandlerMapping handlerMapping() {
>         final SimpleUrlHandlerMapping simpleUrlHandlerMapping = new SimpleUrlHandlerMapping();
>
>         Map urlMap = new HashMap<>();
>         urlMap.put("/updatepassword", collaboration());
>         simpleUrlHandlerMapping.setUrlMap(urlMap);
>
>         return simpleUrlHandlerMapping;
>     }
>
>     @Bean
>     public CollaborationController collaboration() {
>         return new CollaborationController();
>     }
>
>     @Bean
>     public MyUtility utility() {
>         return new MyUtility();
>     }
>
> }
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/69b2270a-6664-4c0d-a762-038b1591f3fd%40apereo.org.


[cas-user] CAS 5.3, cannot find self-defined bean?

2018-11-06 Thread Yan Zhou
Hi,

This is a bit strange: defining a bean is one of the simplest things in 
Spring Boot projects, but I seem to have a problem in the CAS 5.3.3 overlay.

I defined the following configuration class, specified in 
META-INF/spring.factories. The UrlHandlerMapping works, as I can see the code 
stop there when I debug. But the one for MyUtility is never called; 
therefore, when I try to @Autowired it elsewhere, it cannot find the 
"MyUtility" bean. 

Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'scopedTarget.confirmEmailAddressAction': Unsatisfied dependency expressed through field 'myUtility'; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.apereo.cas.web.flow.login.MyUtility' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {@org.springframework.beans.factory.annotation.Autowired(required=true)}
at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:588)
at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:87)
at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:366)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1269)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:551)

What am i missing?

Yan

@Configuration("CollaborationConfiguration")
public class CollaborationConfiguration {

    @Bean
    public SimpleUrlHandlerMapping handlerMapping() {
        final SimpleUrlHandlerMapping simpleUrlHandlerMapping = new SimpleUrlHandlerMapping();

        Map urlMap = new HashMap<>();
        urlMap.put("/updatepassword", collaboration());
        simpleUrlHandlerMapping.setUrlMap(urlMap);

        return simpleUrlHandlerMapping;
    }

    @Bean
    public CollaborationController collaboration() {
        return new CollaborationController();
    }

    @Bean
    public MyUtility utility() {
        return new MyUtility();
    }

}

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/33f8e1f8-dc16-4d54-add3-8f06d491700d%40apereo.org.


[cas-user] @Column ignored in CAS 5.3.3 management app

2018-10-15 Thread Yan Zhou
Hi, 

My application.properties reads like this:

spring.jpa.hibernate.naming_strategy=org.hibernate.cfg.EJB3NamingStrategy
spring.jpa.hibernate.naming.implicit-strategy=org.hibernate.boot.model.naming.ImplicitNamingStrategyLegacyJpaImpl
spring.jpa.hibernate.naming.physical-strategy=org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl

Still, the @Column annotations are ignored in CAS 5.3.3 management; I see that in 
tables used by the SAML dependencies.

2018-10-15 15:45:35,466 DEBUG [org.hibernate.SQL] - 
2018-10-15 15:45:35,473 DEBUG [org.hibernate.SQL] - <
create table RegexRegisteredService (
    expression_type VARCHAR(50) DEFAULT 'regex' not null,
    metadataCriteriaDirection varchar2(255 char),
    metadataCriteriaPattern varchar2(255 char),
    metadataCriteriaRemoveEmptyEntitiesDescriptors number(1,0),
    metadataCriteriaRemoveRolelessEntityDescriptors number(1,0),
    skipGeneratingSubjectConfirmationInResponseTo number(1,0),
    skipGeneratingSubjectConfirmationNotBefore number(1,0),
    skipGeneratingSubjectConfirmationNotOnOrAfter number(1,0),
    skipGeneratingSubjectConfirmationRecipient number(1,0),
    primary key (id)
)>




These columns do not fit in Oracle 11g; note that the @Column in the code is 
ignored.


What am I missing?  Thanks!

Yan


@Column(name = "skipGenAssertionNameId")
private boolean skipGeneratingAssertionNameId;

@Column(name = "skipGenSubConfInRespTo")
private boolean skipGeneratingSubjectConfirmationInResponseTo;

@Column(name = "skipGenSubConNotOnOrAfter")
private boolean skipGeneratingSubjectConfirmationNotOnOrAfter;

@Column(name = "skipGenSubConRecipient")
private boolean skipGeneratingSubjectConfirmationRecipient;

@Column(name = "skipGenSubConfNotBefore")
private boolean skipGeneratingSubjectConfirmationNotBefore = true;

@Column
private String metadataCriteriaRoles = SPSSODescriptor.DEFAULT_ELEMENT_LOCAL_NAME;

@Column(name = "mdCriteriaRmEmptyEntities")
private boolean metadataCriteriaRemoveEmptyEntitiesDescriptors = true;

@Column(name = "mdCriteriaRmRolelessEntities")
private boolean metadataCriteriaRemoveRolelessEntityDescriptors = true;

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/13fe53c8-da99-40c4-a072-a0518e2f8ed4%40apereo.org.


[cas-user] SAML dependencies in CAS 5.3.4 management issue

2018-10-11 Thread Yan Zhou
Hello, 

I seem to have a catch-22 problem with the CAS 5.3.4 management overlay.

I am using the JPA service registry on Oracle; the SAML dependencies in CAS 
5.3.4 management introduce column names longer than 30 characters, 
which is not supported on Oracle 11. 

After I removed the SAML dependencies, CAS management works, but when I 
try to add a new service, I get an error.  

Suggestions?

2018-10-11 10:20:02,335 ERROR [org.apereo.cas.mgmt.services.web.AbstractManagementController] - 
org.springframework.web.util.NestedServletException: Handler dispatch failed; nested exception is java.lang.NoClassDefFoundError: org/apereo/cas/support/saml/services/SamlRegisteredService


Thanks,
Yan

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b99610b6-ccaf-48cc-ad6e-f79fefcd139b%40apereo.org.
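The two posts above (the @Column post with its generated create-table statement, and this one on the 30-character Oracle 11 limit) both come down to Hibernate emitting identifiers the target database rejects. A pre-flight check that scans the generated DDL for over-long identifiers before it reaches Oracle is an added illustration in Python, not code from the posts or from CAS; the sample statement is the DDL quoted in the @Column post, embedded as a constant.

```python
"""Check Hibernate-generated DDL for identifiers longer than Oracle 11g allows.

Added illustration, not code from the posts or from CAS. The sample statement
below is the create-table DDL quoted in the @Column post, embedded here so the
check runs offline; 30 is the Oracle 11g identifier limit the SAML-dependencies
post describes.
"""
import re
from typing import List, Tuple

ORACLE_11G_IDENTIFIER_LIMIT = 30

# Body entries that declare constraints rather than columns.
_CONSTRAINT_PREFIXES = ("primary key", "unique", "constraint", "foreign key", "check")
_TABLE_RE = re.compile(r"create\s+table\s+([A-Za-z_][\w$#]*)", re.IGNORECASE)
# A column entry: identifier, whitespace, then the start of its type.
_COLUMN_RE = re.compile(r"^([A-Za-z_][\w$#]*)\s+\S")


def _split_top_level(body: str) -> List[str]:
    """Split on commas that are not nested inside parentheses (e.g. number(1,0))."""
    parts: List[str] = []
    current: List[str] = []
    depth = 0
    for ch in body:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def declared_identifiers(create_table_ddl: str) -> List[str]:
    """Return the table name followed by every column name in one CREATE TABLE."""
    names: List[str] = []
    table = _TABLE_RE.search(create_table_ddl)
    if table:
        names.append(table.group(1))
    open_idx = create_table_ddl.find("(")
    close_idx = create_table_ddl.rfind(")")
    if open_idx < 0 or close_idx <= open_idx:
        return names
    for entry in _split_top_level(create_table_ddl[open_idx + 1:close_idx]):
        entry = entry.strip()
        if not entry or entry.lower().startswith(_CONSTRAINT_PREFIXES):
            continue
        match = _COLUMN_RE.match(entry)
        if match:
            names.append(match.group(1))
    return names


def oversized_identifiers(create_table_ddl: str,
                          limit: int = ORACLE_11G_IDENTIFIER_LIMIT) -> List[Tuple[str, int]]:
    """Identifiers that would fail on the target database, as (name, length) pairs."""
    return [(n, len(n)) for n in declared_identifiers(create_table_ddl) if len(n) > limit]


# Constructed from the DDL quoted in the @Column post.
SAMPLE_DDL = """
create table RegexRegisteredService (
    expression_type VARCHAR(50) DEFAULT 'regex' not null,
    metadataCriteriaDirection varchar2(255 char),
    metadataCriteriaPattern varchar2(255 char),
    metadataCriteriaRemoveEmptyEntitiesDescriptors number(1,0),
    metadataCriteriaRemoveRolelessEntityDescriptors number(1,0),
    skipGeneratingSubjectConfirmationInResponseTo number(1,0),
    skipGeneratingSubjectConfirmationNotBefore number(1,0),
    skipGeneratingSubjectConfirmationNotOnOrAfter number(1,0),
    skipGeneratingSubjectConfirmationRecipient number(1,0),
    primary key (id)
)
"""

if __name__ == "__main__":
    for name, length in oversized_identifiers(SAMPLE_DDL):
        print(f"{name}: {length} > {ORACLE_11G_IDENTIFIER_LIMIT}")
```

Run against the hbm2ddl output (for instance with ddlAuto set to generate a script) before pointing the management app at Oracle, and every column that needs an explicit @Column name is listed up front.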


[cas-user] CAS 5.3.3 overlay, How do I override "base href" in manage.html

2018-10-09 Thread Yan Zhou
Hello,

I need to run the cas5.3.3 management app on a context root different from the 
default cas-management.

I think I need to have a local manage.html in my cas 5.3.3 management app 
overlay, but I do not know where to place it. It seems to have a 
different build process.

Suggestions?

Thx!

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c0d7a12a-9494-4a6c-b947-47add25bba78%40apereo.org.


[cas-user] CAS 5.3.3 management failed to save edits

2018-10-08 Thread Yan Zhou
Hello,

The CAS 5.3.3 management app loads the service registry from the database. That 
works correctly. But when I edit and save, I get an error.

This is my management.properties. 

mgmt.enableVersionControl=false
mgmt.enableDiscoveryEndpointCall=false
cas.serviceRegistry.initFromJson=false
cas.serviceRegistry.jpa...

I do not understand why the app is trying to access a directory when my 
service registry is in the database and I have version control set to false.


2018-10-08 15:28:56,436 DEBUG [org.apereo.cas.mgmt.authentication.CasUserProfileFactory] - 
2018-10-08 15:28:56,436 DEBUG [org.apereo.cas.mgmt.services.web.factory.RepositoryFactory] - 
2018-10-08 15:28:56,438 DEBUG [org.apereo.cas.mgmt.GitUtil] - 
2018-10-08 15:28:59,109 DEBUG [org.apereo.cas.mgmt.GitUtil] - 
2018-10-08 15:28:59,109 DEBUG [org.apereo.cas.mgmt.GitUtil] - 
2018-10-08 15:28:59,111 ERROR [org.apereo.cas.mgmt.services.web.AbstractManagementController] - <\etc\cas\services-repo\ssv-1.json>
java.nio.file.NoSuchFileException: \etc\cas\services-repo\ssv-1.json


Anyway, I tried defining servicesRepo like below, but it fails as well. I 
am on Windows.

mgmt.servicesRepo=file:///c:/gitworkspace/quest-cas5/cas5-server/etc/cas/services

Why does it say repository not found?

2018-10-08 15:41:27,658 DEBUG [org.apereo.cas.mgmt.authentication.CasUserProfileFactory] - 
2018-10-08 15:41:27,658 DEBUG [org.apereo.cas.mgmt.services.web.factory.RepositoryFactory] - 
2018-10-08 15:41:27,658 DEBUG [org.apereo.cas.mgmt.GitUtil] - 
2018-10-08 15:41:27,660 DEBUG [org.apereo.cas.mgmt.GitUtil] - 
2018-10-08 15:41:30,199 ERROR [org.apereo.cas.mgmt.GitUtil] - 
2018-10-08 15:41:30,200 ERROR [org.apereo.cas.mgmt.services.web.AbstractManagementController] - 

java.lang.RuntimeException: repository not found: c:\gitworkspace\quest-cas5\cas5-server\etc\cas\services\.git
at org.apereo.cas.mgmt.GitUtil.initializeGitRepository(GitUtil.java:1225) ~[cas-management-webapp-support-5.3.3.jar:5.3.3]
at org.apereo.cas.mgmt.GitUtil.(GitUtil.java:100) ~[cas-management-webapp-support-5.3.3.jar:5.3.3]
at org.apereo.cas.mgmt.services.web.factory.RepositoryFactory.buildGitUtil(RepositoryFactory.java:81) ~[cas-management-webapp-support-5.3.3.jar:5.3.3]
at org.apereo.cas.mgmt.services.web.factory.RepositoryFactory.masterRepository(RepositoryFactory.java:70) ~[cas-management-webapp-support-5.3.3.jar:5.3.3]
at org.apereo.cas.mgmt.services.web.factory.RepositoryFactory.from(RepositoryFactory.java:53) ~[cas-management-webapp-support-5.3.3.jar:5.3.3]
at org.apereo.cas.mgmt.services.web.factory.RepositoryFactory.from(RepositoryFactory.java:40) ~[cas-management-webapp-support-5.3.3.jar:5.3.3]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_121]

Thx!
Yan


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ac9f0009-c180-4e3e-b6dc-e83a0aab76d1%40apereo.org.


[cas-user] CAS 5.3, where is LOGGER defined with @Slf4j?

2018-10-08 Thread Yan Zhou
Hello,

Looking at the CAS 5.3 source code: I need to customize an action class, so I 
created a class with the same name/package in my overlay, but I cannot 
resolve a compile error on LOGGER.

I understand that with Lombok and @Slf4j I get an object named "log" for free. 
But I do not know how LOGGER is defined in the CAS code.

Thx!
Yan


In action classes, I see this:

@Slf4j
public class SendPasswordResetInstructionsAction extends AbstractAction {

LOGGER.debug(...)   <== this is how logging is done; is this referring to 
the same logger object in the parent?

In AbstractAction, I see this:

protected final Log logger = LogFactory.getLog(getClass());

Thanks,
Yan

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ce7fb5fb-4cfe-4926-a14c-be5a18cb44b1%40apereo.org.


[cas-user] CAS 5.3 Management JPA Service Registry Oracle, column too long?

2018-10-05 Thread Yan Zhou
Hello!

We run CAS 5.3 Management with the JPA service registry; the tables are on 
Oracle, and the management app is failing because some of the columns have 
long names that do not work for Oracle. 

Is this something we can change in CAS 5.3 Management?

Thx!
Yan

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d41fe623-b66a-48a5-a9a9-fedb66b0b974%40apereo.org.


Re: [cas-user] 5.1.2 to 5.2 CAS migration

2018-10-05 Thread Yan Zhou
Hi, 

How do you get cas-management to create the tables?

I have an overlay of CAS-management 5.3.3 with the following 
management.properties; when I start it up, I do not see tables being 
created, and cas-management fails because there are no tables.

cas.serviceRegistry.jpa.url=jdbc:oracle:thin:@.
cas.serviceRegistry.jpa.dialect=org.hibernate.dialect.Oracle10gDialect
cas.serviceRegistry.jpa.ddlAuto=create 
cas.serviceRegistry.jpa.driverClass=oracle.jdbc.OracleDriver


Yan

On Thursday, December 21, 2017 at 2:36:24 PM UTC-5, Man H wrote:
>
> Hi again David
>
> I have to complement my previous answer.
>
> The previous table attributes are created by cas-server, but if you install 
> cas-management the following table is created, which is also read by the CAS 
> server. 
>
>
>
> Regards
>
>
> CREATE TABLE `RegexRegisteredService` ( 
>   `expression_type` varchar(50) NOT NULL DEFAULT 'regex', 
>   `id` bigint(20) NOT NULL AUTO_INCREMENT, 
>   `access_strategy` longblob, 
>   `attribute_release` longblob, 
>   `description` varchar(255) DEFAULT NULL, 
>   `evaluation_order` int(11) NOT NULL, 
>   `expiration_policy` longblob, 
>   `informationUrl` varchar(255) DEFAULT NULL, 
>   `logo` varchar(255) DEFAULT NULL, 
>   `logout_type` int(11) DEFAULT NULL, 
>   `logout_url` varchar(255) DEFAULT NULL, 
>   `mfa_policy` longblob, 
>   `name` varchar(255) NOT NULL, 
>   `privacyUrl` varchar(255) DEFAULT NULL, 
>   `proxy_policy` longblob, 
>   `public_key` longblob, 
>   `required_handlers` longblob, 
>   `serviceId` varchar(255) NOT NULL, 
>   `theme` varchar(255) DEFAULT NULL, 
>   `username_attr` longblob, 
>   `bypassApprovalPrompt` bit(1) DEFAULT NULL, 
>   `clientId` varchar(255) DEFAULT NULL, 
>   `clientSecret` varchar(255) DEFAULT NULL, 
>   `generateRefreshToken` bit(1) DEFAULT NULL, 
>   `jsonFormat` bit(1) DEFAULT NULL, 
>   `supported_grants` longblob, 
>   `supported_responses` longblob, 
>   `DYNAMIC_REG_TIME` datetime DEFAULT NULL, 
>   `dynamicallyRegistered` bit(1) DEFAULT NULL, 
>   `encryptIdToken` bit(1) DEFAULT NULL, 
>   `idTokenEncryptionAlg` varchar(255) DEFAULT NULL, 
>   `idTokenEncryptionEncoding` varchar(255) DEFAULT NULL, 
>   `implicit` bit(1) DEFAULT NULL, 
>   `jwks` varchar(255) DEFAULT NULL, 
>   `scopes` longblob, 
>   `sectorIdentifierUri` varchar(255) DEFAULT NULL, 
>   `signIdToken` bit(1) DEFAULT NULL, 
>   `subjectType` varchar(255) DEFAULT NULL, 
>   `addressingNamespace` varchar(255) DEFAULT NULL, 
>   `appliesTo` varchar(255) DEFAULT NULL, 
>   `namespace` varchar(255) DEFAULT NULL, 
>   `policyNamespace` varchar(255) DEFAULT NULL, 
>   `protocol` varchar(255) DEFAULT NULL, 
>   `realm` varchar(255) DEFAULT NULL, 
>   `tokenType` varchar(255) DEFAULT NULL, 
>   `wsdlEndpoint` varchar(255) DEFAULT NULL, 
>   `wsdlLocation` varchar(255) DEFAULT NULL, 
>   `wsdlService` varchar(255) DEFAULT NULL, 
>   `encryptAssertions` bit(1) DEFAULT NULL, 
>   `metadataCriteriaDirection` varchar(255) DEFAULT NULL, 
>   `metadataCriteriaPattern` varchar(255) DEFAULT NULL, 
>   `metadataCriteriaRemoveEmptyEntitiesDescriptors` bit(1) DEFAULT NULL, 
>   `metadataCriteriaRemoveRolelessEntityDescriptors` bit(1) DEFAULT NULL, 
>   `metadataCriteriaRoles` varchar(255) DEFAULT NULL, 
>   `metadataExpirationDuration` varchar(255) DEFAULT NULL, 
>   `metadataLocation` varchar(255) DEFAULT NULL, 
>   `metadataMaxValidity` bigint(20) DEFAULT NULL, 
>   `metadataSignatureLocation` varchar(255) DEFAULT NULL, 
>   `nameIdQualifier` varchar(255) DEFAULT NULL, 
>   `requiredAuthenticationContextClass` varchar(255) DEFAULT NULL, 
>   `requiredNameIdFormat` varchar(255) DEFAULT NULL, 
>   `serviceProviderNameIdQualifier` varchar(255) DEFAULT NULL, 
>   `signAssertions` bit(1) DEFAULT NULL, 
>   `signResponses` bit(1) DEFAULT NULL, 
>   `signingCredentialType` varchar(255) DEFAULT NULL, 
>   `skipGeneratingAssertionNameId` bit(1) DEFAULT NULL, 
>   `skipGeneratingSubjectConfirmationInResponseTo` bit(1) DEFAULT NULL, 
>   `skipGeneratingSubjectConfirmationNotBefore` bit(1) DEFAULT NULL, 
>   `skipGeneratingSubjectConfirmationNotOnOrAfter` bit(1) DEFAULT NULL, 
>   `skipGeneratingSubjectConfirmationRecipient` bit(1) DEFAULT NULL, 
>   PRIMARY KEY (`id`) 
> )
>
> 2017-12-15 17:45 GMT-03:00 Maxwell, Gary  >:
>
>> Ok I just wanted to make sure. Thanks!
>>
>>  
>>
>> *From:* cas-...@apereo.org  [mailto:cas-...@apereo.org 
>> ] *On Behalf Of *Man H
>> *Sent:* Friday, December 15, 2017 9:39 AM
>> *To:* cas-...@apereo.org 
>> *Subject:* Re: [cas-user] 5.1.2 to 5.2 CAS migration
>>
>>  
>>
>> this is what I have in 5.2.0
>>
>> CREATE TABLE `RegexRegisteredService` ( 
>>   `expression_type` varchar(50) NOT NULL DEFAULT 'regex', 
>>   `id` bigint(20) NOT NULL AUTO_INCREMENT, 
>>   `access_strategy` longblob, 
>>   `attribute_release` longblob, 
>>   `description` varchar(255) DEFAULT NULL, 
>>   `evaluation_order` int(11) NOT NULL, 
>>   `expiration_policy` longblob, 
>>   `informationUrl` varchar(255) DEFAULT NULL, 
>>   `logo` 

[cas-user] How to enable this in 5.3, forgotten password may receive a secure link?

2018-10-02 Thread Yan Zhou
Hello,

CAS 5.3 has a "forgot password" link on the login page; that link takes you to an 
external site that does not yet exist. 

On the other hand, the CAS 5.3 doc says this: Those who have forgotten their 
account password may receive a secure link with a time-based expiration 
policy at their registered email address and/or phone.

How do I enable this? In other words, when the user clicks "forgot password", 
it should trigger a subflow that sends a link to the user's email address, etc. Is 
this already part of CAS?

Thx!
Yan

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/80f28412-715e-4a19-bf17-f07927cf6d29%40apereo.org.
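Added example (not part of the thread and not CAS's own implementation): a self-contained model of the "secure link with a time-based expiration policy" the quoted documentation describes, built as an HMAC-signed token carrying the account name and an expiry time, verified in constant time. The reset path, the demo key and the 15-minute TTL are assumptions for the demo, not CAS's token format.

```python
"""Model of a time-limited password-reset link.

Added illustration, not CAS code: token layout, key and TTL are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key; a deployment would load this from a secrets store.
DEMO_KEY = b"demo-reset-key-do-not-use-in-production"


def b64encode_unpadded(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64decode_unpadded(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_reset_token(username: str, key: bytes, ttl_seconds: int,
                     now: Optional[float] = None) -> str:
    """Build <payload>.<tag>: payload names the account and its expiry epoch."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": username, "exp": int(now) + ttl_seconds},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64encode_unpadded(payload) + "." + b64encode_unpadded(tag)


def verify_reset_token(token: str, key: bytes,
                       now: Optional[float] = None) -> Optional[str]:
    """Return the account name if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = b64decode_unpadded(payload_b64)
        tag = b64decode_unpadded(tag_b64)
    except (ValueError, TypeError):
        return None  # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison: a forged tag must not be distinguishable by timing.
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None  # expired: the link is single-window by design
    return claims["sub"]


def make_reset_link(base_url: str, username: str, key: bytes,
                    ttl_seconds: int = 900, now: Optional[float] = None) -> str:
    """The URL that would be mailed to the registered address."""
    token = make_reset_token(username, key, ttl_seconds, now)
    return base_url + "?" + urlencode({"token": token})


def username_from_link(link: str, key: bytes,
                       now: Optional[float] = None) -> Optional[str]:
    """What the reset endpoint does with an incoming link: verify, then act."""
    tokens = parse_qs(urlparse(link).query).get("token")
    return verify_reset_token(tokens[0], key, now) if tokens else None
```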


Re: [cas-user] Re: CAS 5.3 build error

2018-09-28 Thread Yan Zhou
>
> The issue with google zxing and ANDROID_HOME seems to only happen when 
> building on Windows. I couldn't find a solid answer as to the impact on the 
> final build or any workarounds. I ended up moving my build environment to 
> Linux to get the build working much more smoothly and without errors.
>
>
> On Thursday, September 27, 2018 at 12:22:15 PM UTC-4, Yan Zhou wrote:
>>
>> Hello,
>> I followed the build process on the CAS page, doing the build on Windows. 
>>
>> This is my command, running from the cas-server directory:  gradlew build 
>> install --parallel -x test -x javadoc -x check -offline
>>
>> Here is the error.
>>
>> > Task :webapp:cas-server-webapp-eureka-server:compileJava
>> Errors occurred while build effective model from 
>> C:\Users\zhou_y\.m3\repository\com\google\zxing\core\3.3.2\core-3.3.2.pom:
>> 'dependencyManagement.dependencies.dependency.systemPath' for 
>> com.google.android:android:jar must specify an absolute path but is 
>> /${env.ANDROID_HOME}/platforms/android-22/android.jar in com.google.zxing:core:3.3.2
>>
>> > Task :webapp:cas-server-webapp-bootadmin-server:war FAILED
>> > Task :webapp:cas-server-webapp-eureka-server:compileJava UP-TO-DATE
>>
>> > Task :api:cas-server-core-api-configuration-model:compileJava
>> Note: Some input files use unchecked or unsafe operations.
>> Note: Recompile with -Xlint:unchecked for details.
>>
>> FAILURE: Build failed with an exception.
>>
>> * What went wrong:
>> Could not resolve all files for configuration 
>> ':webapp:cas-server-webapp-bootadmin-server:runtimeClasspath'.
>> > Could not resolve com.google.code.findbugs:annotations:2.0.0.
>>   Required by:
>>   project :webapp:cas-server-webapp-bootadmin-server > 
>> com.netflix.zuul:zuul-core:1.3.0 > com.netflix.archaius:archaius-core:0.6.0
>>   project :webapp:cas-server-webapp-bootadmin-server > 
>> com.netflix.zuul:zuul-core:1.3.0 > com.netflix.servo:servo-core:0.7.2
>>> No cached version of com.google.code.findbugs:annotations:2.0.0 
>> available for offline mode.
>>> No cached version of com.google.code.findbugs:annotations:2.0.0 
>> available for offline mode.
>>> No cached version of com.google.code.findbugs:annotations:2.0.0 
>> available for offline mode.
>>> No cached version of com.google.code.findbugs:annotations:2.0.0 
>> available for offline mode.
>>> No cached version of com.google.code.findbugs:annotations:2.0.0 
>> available for offline mode.
>>> No cached version of com.google.code.findbugs:annotations:2.0.0 
>> available for offline mode.
>>> No cached version of com.google.code.findbugs:annotations:2.0.0 
>> available for offline mode.
>>> No cached version of com.google.code.findbugs:annotations:2.0.0 
>> available for offline mode.
>>> No cached version of com.google.code.findbugs:annotations:2.0.0 
>> available for offline mode.
>>
>> * Try:
>> Run with --stacktrace option to get the stack trace. Run with --info or 
>> --debug option to get more log output. Run with --scan to get full insights.
>>
>> * Get more help at https://help.gradle.org
>>
>> BUILD FAILED in 3m 30s
>> 1040 actionable tasks: 12 executed, 1028 up-to-date
>>
>
>



[cas-user] CAS 5.3 build error

2018-09-27 Thread Yan Zhou
Hello,

I followed the build process on the CAS page, doing the build on Windows. 

This is my command, running from the cas-server directory:  gradlew build 
install --parallel -x test -x javadoc -x check -offline

Here is the error.

> Task :webapp:cas-server-webapp-eureka-server:compileJava
Errors occurred while build effective model from 
C:\Users\zhou_y\.m3\repository\com\google\zxing\core\3.3.2\core-3.3.2.pom:
'dependencyManagement.dependencies.dependency.systemPath' for 
com.google.android:android:jar must specify an absolute path but is 
/${env.ANDROID_HOME}/platforms/android-22/android.jar in com.google.zxing:core:3.3.2

> Task :webapp:cas-server-webapp-bootadmin-server:war FAILED
> Task :webapp:cas-server-webapp-eureka-server:compileJava UP-TO-DATE

> Task :api:cas-server-core-api-configuration-model:compileJava
Note: Some input files use unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.

FAILURE: Build failed with an exception.

* What went wrong:
Could not resolve all files for configuration 
':webapp:cas-server-webapp-bootadmin-server:runtimeClasspath'.
> Could not resolve com.google.code.findbugs:annotations:2.0.0.
  Required by:
  project :webapp:cas-server-webapp-bootadmin-server > 
com.netflix.zuul:zuul-core:1.3.0 > com.netflix.archaius:archaius-core:0.6.0
  project :webapp:cas-server-webapp-bootadmin-server > 
com.netflix.zuul:zuul-core:1.3.0 > com.netflix.servo:servo-core:0.7.2
   > No cached version of com.google.code.findbugs:annotations:2.0.0 
available for offline mode.
   > No cached version of com.google.code.findbugs:annotations:2.0.0 
available for offline mode.
   > No cached version of com.google.code.findbugs:annotations:2.0.0 
available for offline mode.
   > No cached version of com.google.code.findbugs:annotations:2.0.0 
available for offline mode.
   > No cached version of com.google.code.findbugs:annotations:2.0.0 
available for offline mode.
   > No cached version of com.google.code.findbugs:annotations:2.0.0 
available for offline mode.
   > No cached version of com.google.code.findbugs:annotations:2.0.0 
available for offline mode.
   > No cached version of com.google.code.findbugs:annotations:2.0.0 
available for offline mode.
   > No cached version of com.google.code.findbugs:annotations:2.0.0 
available for offline mode.

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or 
--debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 3m 30s
1040 actionable tasks: 12 executed, 1028 up-to-date



[cas-user] Re: CAS 5.3, how to get TGT?

2018-09-25 Thread Yan Zhou
Figured it out: the cookie is Secure, so it is only sent via TLS. I was 
running CAS on plain HTTP.

Yan

On Tuesday, September 25, 2018 at 2:54:17 PM UTC-4, Yan Zhou wrote:
>
> Hello,
>
> I need to extend my overlay of CAS 5.3.3 to support an additional 
> endpoint.
>
> MyController looks like this. The user has already logged in to CAS. I want to get 
> the authenticated user ID when the user comes to this endpoint.
>
> But I am unable to get the TGT below. What would be the right approach?
>
> Thx!
> Yan
>
> @Autowired
> private CookieRetrievingCookieGenerator ticketGrantingTicketCookieGenerator;
> @Autowired
> private TicketRegistry ticketRegistry;
>
> @RequestMapping(value = "/xyz", method = RequestMethod.GET)
> public ModelAndView doSomething(HttpServletRequest httpRequest) {
>     // Resolves the TGT named by the TGC cookie; returns null when the cookie
>     // is missing (e.g. a Secure cookie over plain HTTP) or the ticket is gone.
>     TicketGrantingTicket ticket = CookieUtils.getTicketGrantingTicketFromRequest(
>             ticketGrantingTicketCookieGenerator, ticketRegistry, httpRequest);
>     if (ticket == null) {
>         // No CAS session: never dereference a null ticket; send the user to log in.
>         return new ModelAndView("redirect:/login");
>     }
>     Principal principal = ticket.getAuthentication().getPrincipal();
>     return new ModelAndView("xyz", "principalId", principal.getId());
> }
>

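Added example, not code from the thread or from CAS: a model of the browser rule behind the null TGT above. A cookie set with the Secure attribute, as the CAS ticket-granting cookie (TGC) is, is attached only to https requests, so a controller on a plain-http CAS never receives it and the lookup returns null. The cookie jar, the TGC name, the ports and the /cas5 context path are constructed assumptions for the demo; the path and domain matching follows RFC 6265.

```python
"""Which cookies does a browser attach to a request?

Added illustration (not CAS code) of the Secure-attribute rule that hid the TGC.
Cookie names, values and URLs below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class StoredCookie:
    name: str
    value: str
    domain: str              # host the cookie was set for
    path: str                # Path attribute
    secure: bool             # Secure attribute
    host_only: bool = True   # True when no Domain attribute was given


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        return request_path[len(cookie_path)] == "/"
    return False


def domain_matches(request_host: str, cookie_domain: str, host_only: bool) -> bool:
    """Host-only cookies need the exact host; Domain cookies also cover subdomains."""
    if host_only:
        return request_host == cookie_domain
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookies_sent(jar: Iterable[StoredCookie], url: str) -> List[str]:
    """Names of the cookies a browser would attach to a request for url."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path or "/"
    is_https = parsed.scheme == "https"
    return sorted(
        c.name for c in jar
        if domain_matches(host, c.domain, c.host_only)
        and path_matches(path, c.path)
        and (is_https or not c.secure)   # the Secure rule: never over plain http
    )


def ticket_from_request(jar: Iterable[StoredCookie], url: str,
                        cookie_name: str = "TGC") -> Optional[str]:
    """What a server-side controller sees: the TGC value if it was sent, else None."""
    jar = list(jar)
    sent = set(cookies_sent(jar, url))
    for c in jar:
        if c.name == cookie_name and c.name in sent:
            return c.value
    return None
```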


[cas-user] CAS 5.3, how to get TGT?

2018-09-25 Thread Yan Zhou
Hello,

I need to extend my overlay of CAS 5.3.3 to support an additional endpoint.

MyController looks like this. The user has already logged in to CAS. I want to get the 
authenticated user ID when the user comes to this endpoint.

But I am unable to get the TGT below. What would be the right approach?

Thx!
Yan

@Autowired
private CookieRetrievingCookieGenerator ticketGrantingTicketCookieGenerator;
@Autowired
private TicketRegistry ticketRegistry;

@RequestMapping(value = "/xyz", method = RequestMethod.GET)
public ModelAndView doSomething(HttpServletRequest httpRequest) {
    // Resolves the TGT named by the TGC cookie; returns null when the cookie
    // is missing (e.g. a Secure cookie over plain HTTP) or the ticket is gone.
    TicketGrantingTicket ticket = CookieUtils.getTicketGrantingTicketFromRequest(
            ticketGrantingTicketCookieGenerator, ticketRegistry, httpRequest);
    if (ticket == null) {
        // No CAS session: never dereference a null ticket; send the user to log in.
        return new ModelAndView("redirect:/login");
    }
    Principal principal = ticket.getAuthentication().getPrincipal();
    return new ModelAndView("xyz", "principalId", principal.getId());
}



[cas-user] How does CAS load log4j2.xml based on cas.properties

2018-09-20 Thread Yan Zhou
Hello!

I wish to figure out how CAS 5.x loads an externalized log4j2.xml based on 
the setting in cas.properties.

logging.config=file:///... some location... /config/log4j2.xml

As far as the Spring doc goes, it says: An ApplicationContextInitializer that 
configures a logging framework depending on what it finds on the classpath 
and in the Environment. If the environment contains a property 
logging.config then that will be used to initialize the logging system, 
otherwise a default location is used. 

This is why, when I try to use the same approach for my web application 
(NOT related to CAS), it does not work. The externalized log4j2.xml is not 
loaded because it is not on the classpath, nor is it specified in an 
environment property. 

I deploy multiple web apps (Spring Boot apps) on the same host; each web 
app has its own log4j2.xml file, so I want to find an approach that is 
specific to the app, not a global one.

Thx!
Yan



[cas-user] CAS 5.3 error defining custom login exceptions

2018-09-17 Thread Yan Zhou
Hello, 

CAS 5.3.3 overlay on Tomcat 8. I wish to display an error message on the CAS 
login page that says you have one more attempt or two more attempts to log in 
before getting locked out.

I defined two new exception classes below in cas.properties.

cas.authn.exceptions.exceptions=org.apereo.cas.authentication.exceptions.OneMoreAttempLoginException,org.apereo.cas.authentication.exceptions.TwoMoreAttempLoginException

In message.properties, I provided the message. When CAS starts up, I get 
this error. 

What am I missing? Is this not the correct way to define a list of 
exception classes?

Thx!

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cas-org.apereo.cas.configuration.CasConfigurationProperties': Could not bind properties to CasConfigurationProperties (prefix=cas, ignoreInvalidFields=false, ignoreUnknownFields=false, ignoreNestedProperties=false); nested exception is org.springframework.validation.BindException: org.springframework.boot.bind.RelaxedDataBinder$RelaxedBeanPropertyBindingResult: 1 errors
Field error in object 'cas' on field 'authn.exceptions.exceptions': rejected value [org.apereo.cas.authentication.exceptions.OneMoreAttempLoginException,org.apereo.cas.authentication.exceptions.TwoMoreAttempLoginException]; codes [typeMismatch.cas.authn.exceptions.exceptions,typeMismatch.authn.exceptions.exceptions,typeMismatch.exceptions,typeMismatch.java.util.List,typeMismatch]; arguments [org.springframework.context.support.DefaultMessageSourceResolvable: codes [cas.authn.exceptions.exceptions,authn.exceptions.exceptions]; arguments []; default message [authn.exceptions.exceptions]]; default message [Failed to convert property value of type 'java.lang.String' to required type 'java.util.List' for property 'authn.exceptions.exceptions'; nested exception is java.lang.IllegalArgumentException: Could not find class [org.apereo.cas.authentication.exceptions.OneMoreAttempLoginException]]
at org.springframework.boot.context.properties.ConfigurationPropertiesBindingPostProcessor.postProcessBeforeInitialization(ConfigurationPropertiesBindingPostProcessor.java:336)
at org.springframework.boot.context.properties.ConfigurationPropertiesBindingPostProcessor.postProcessBeforeInitialization(ConfigurationPropertiesBindingPostProcessor.java:292)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:409)



Re: [cas-user] cas 5.3.3 management webapp overlay issue

2018-09-13 Thread Yan Zhou
OK, good to know.

Is it possible to allow CAS and the CAS management app to be deployed on the same 
host, regardless of which one starts first? I can do that with CAS4; that makes 
our deployment a lot simpler, without such dependencies. 
Can we turn off discovery mode in CAS 5.3 management to allow that?

In addition, did something change from 5.3.1 to 5.3.3? I am using CAS 
5.3.3, and the Management App for 5.3.1 (because there is not one for 5.3.3).

I am using the JPA service registry on CAS and CAS management.

I got this error when starting the management app on a separate Tomcat; that is 
probably because the JPA service registry in the Management App is still 5.3.1-based, 
but the CAS schema has already moved to 5.3.3?

SQLSyntaxErrorException: ORA-00904: "ABSTRACTRE0_"."SUBJECTTYPE": invalid 
identifier


Thx!
Yan

On Wednesday, September 12, 2018 at 4:23:05 PM UTC-4, Travis Schmidt wrote:
>
> What I meant to go on and say is that the management app tries to call the 
> discovery endpoint on the configured CAS server when trying to start up. If 
> you are running both the server and the management app on the same server, 
> I think it is stalling because it can't reach the CAS server, because it is 
> not up yet. Looks like I have neglected to put an option in to not try and 
> call the CAS server during startup. Maybe try starting the app server with 
> only the CAS server, then add the management war to the started service.  
>
> Hoping to give management app some attention next week.
>
> On Wed, Sep 12, 2018 at 1:00 PM Travis Schmidt wrote:
>
>> Looks like you have configured your CAS server and the management app to 
>> run on the same host and the same port.
>>
>> On Wed, Sep 12, 2018, 12:52 PM Yan Zhou wrote:
>>
>>> Hello,
>>>
>>> I am running CAS 5.3.3, but the latest management web app is 5.3.1.
>>>
>>> My management web app will not start up. It just hangs there. What did 
>>> I miss?
>>>
>>> Here is the log file.
>>>
>>> 2018-09-12 15:48:11,936 INFO 
>>> [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator]
>>>  
>>> - >> t-cas5\cas5-server\etc\cas\config] are 
>>> [[C:\gitworkspace\quest-cas5\cas5-server\etc\cas\config\application.yml, 
>>> C:\gitworkspace\quest-cas5\cas5-server\etc\cas\c
>>> onfig\management.properties]] under profile(s) [[standalone]]>
>>> 2018-09-12 15:48:12,245 INFO 
>>> [org.apereo.cas.mgmt.web.CasManagementWebApplicationServletInitializer] - 
>>> 
>>> 2018-09-12 15:48:18,924 DEBUG 
>>> [org.apereo.cas.config.CasCoreUtilSerializationConfiguration] - 
>>> >> nConfiguration]>
>>> 2018-09-12 15:48:20,795 DEBUG 
>>> [org.apereo.cas.mgmt.config.CasManagementAuthenticationConfiguration] - 
>>> >> ng at [http://localhost:8080]>
>>> 2018-09-12 15:48:20,843 DEBUG 
>>> [org.apereo.cas.mgmt.config.CasManagementAuthenticationConfiguration] - 
>>> >> ; no pattern is defined>
>>>
>>> --- nothing else ---
>>>
>>> Following is my externalized management.properties. My services are 
>>> defined in a local directory.
>>>
>>> cas.server.name=http://localhost:8080
>>> cas.server.prefix=${cas.server.name}/cas5
>>>
>>> #
>>> # is this how I tell Management App where the services are defined at?
>>> #
>>>
>>> mgmt.servicesRepo=file:///c:/gitworkspace/quest-cas5/cas5-server/etc/cas/services
>>>
>>> mgmt.adminRoles[0]=ROLE_ADMIN
>>>
>>> mgmt.userPropertiesFile=file:///c:/gitworkspace/quest-cas5/cas5-server/etc/cas/config/management-users.properties
>>>
>>> mgmt.serverName=http://localhost:8080
>>>
>>> server.context-path=/cas5manage
>>> server.port=8080
>>>
>>>
>>> logging.config=file:///c:/gitworkspace/quest-cas5/cas5-server/etc/cas/config/management-log4j2.xml
>>>
>>>
>>



[cas-user] cas 5.3.3 management webapp overlay issue

2018-09-12 Thread Yan Zhou
Hello,

I am running CAS 5.3.3, but the latest management web app is 5.3.1.

My management web app will not start up. It just hangs there. What did I 
miss?

Here is the log file.

2018-09-12 15:48:11,936 INFO 
[org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] 
- 
2018-09-12 15:48:12,245 INFO 
[org.apereo.cas.mgmt.web.CasManagementWebApplicationServletInitializer] - 

2018-09-12 15:48:18,924 DEBUG 
[org.apereo.cas.config.CasCoreUtilSerializationConfiguration] - 

2018-09-12 15:48:20,795 DEBUG 
[org.apereo.cas.mgmt.config.CasManagementAuthenticationConfiguration] - 
http://localhost:8080]>
2018-09-12 15:48:20,843 DEBUG 
[org.apereo.cas.mgmt.config.CasManagementAuthenticationConfiguration] - 


--- nothing else ---

Following is my externalized management.properties. My services are defined 
in a local directory.

cas.server.name=http://localhost:8080
cas.server.prefix=${cas.server.name}/cas5

#
# is this how I tell Management App where the services are defined at?
#
mgmt.servicesRepo=file:///c:/gitworkspace/quest-cas5/cas5-server/etc/cas/services

mgmt.adminRoles[0]=ROLE_ADMIN
mgmt.userPropertiesFile=file:///c:/gitworkspace/quest-cas5/cas5-server/etc/cas/config/management-users.properties

mgmt.serverName=http://localhost:8080

server.context-path=/cas5manage
server.port=8080

logging.config=file:///c:/gitworkspace/quest-cas5/cas5-server/etc/cas/config/management-log4j2.xml



Re: [cas-user] CAS5.3.3 Service Registry is always empty?

2018-09-07 Thread Yan Zhou
That was it!!

I changed spring.application.name without realizing it has an impact on 
property loading.

Thx so much.

Yan

On Friday, September 7, 2018 at 1:24:18 PM UTC-4, rbon wrote:
>
> Yan,
>
> Have you changed spring.application.name (should be cas by default)? See 
> https://apereo.github.io/cas/5.3.x/installation/Configuration-Server-Management.html#standalone
> In default 5.3, I do not see application.yml. Do you need it? Does 
> cas.properties load if you delete application.yml?
>
> Ray
>
> On Fri, 2018-09-07 at 07:44 -0700, Yan Zhou wrote:
>
> Thanks for the suggestion, I figured out something that is strange to me.  
> I am building cas.war and deploy to tomcat8.  
>
> I have externalized a directory containing three configuration files: 
> application.yml, log4j2.xml and cas.properties. 
>
> If I put the following in cas.properties, it does not load my service 
> definitions. 
>
> cas.serviceRegistry.json.location=file:///C:/mydir/cas5-server/etc/cas/services
>   
>   
> #
> #  
> cas.serviceRegistry.json.location=c:/mydir/cas5-server/etc/cas/services
>   // this does not work, either. 
> #
>
> but if I put this in application.yml, it does work.
>
> cas:
>   serviceRegistry:
> json:
>   location: file:///C:/mydir/cas5-server/etc/cas/services
>
>
> Why is cas.properties not loaded, but application.yml is loaded (even 
> though the two files are in the same directory, specified 
> by -Dcas.standalone.configurationDirectory)?
>
> Thanks,
> Yan
>
> On Thursday, September 6, 2018 at 3:28:57 PM UTC-4, Jon Hawkesworth wrote: 
>
> Hmm, is your customized cas.properties even getting loaded? 
>
> Worth checking is where you are running cas from. If you are developing 
> say on D: drive it might be looking for the cas.properties in 
> D:\etc\cas\config. 
>
> To debug, I recommend upping the log level to debug in your log4j2.xml for 
> the core cas packages. 
>
> Hope this helps, 
>
> Jon
> On 6 Sep 2018 19:26, "Yan Zhou"  wrote:
>
>
> Yes, I do have the dependency.  
>
> I also removed   cas.serviceRegistry.initFromJson   from cas.properties, 
> so that it defaults to false.
>
> I am still not loading any service definition.  How can I debug this in 
> CAS?
>
> Yan 
>
>
> On Thursday, September 6, 2018 at 2:19:51 PM UTC-4, David Curry wrote:
>
> Do you have this in pom.xml: 
>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-json-service-registry</artifactId>
>     <version>${cas.version}</version>
> </dependency>
>
> (you should)? 
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>
>
>
> On Thu, Sep 6, 2018 at 2:13 PM Yan Zhou  wrote:
>
> Hello,  
>
> This is my external cas.properties, 
>
> ## windows
> cas.serviceRegistry.json.location=file:///C:/mydir/cas/services  
> cas.serviceRegistry.initFromJson=true
>
> Here is my QuestLocal-1001.json under  c:/mydir/cas/services, but I am 
> not loading any service definition. See below for logs.
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^https?://.*",
>   "name" : "QuestLocal",
>   "id" : 1001,
>   "description" : "This service definition",
>   "evaluationOrder" : 1,
>   "attributeReleasePolicy" : {
> "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>},   
>   "properties" : {
> "@class" : "java.util.HashMap",
> "jwtAsServiceTicket" : {
>   "@class" : 
> "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>   "values" : [ "java.util.HashSet", [ "true" ] ]
> }
>   }  
> }
>
> What am I missing?
>
> Thx!
> Yan
>
> 2018-09-06 13:47:47,711 WARN 
> [org.apereo.cas.config.CasCoreServicesConfiguration] -  used as the persistence storage for retrieving and persis
> ting service definitions. Changes that are made to service definitions 
> during runtime WILL be LOST when the web server is restarted. Ideally for 
> production, you
>  need to choose a storage option (JDBC, etc) to store and track service 
> definitions.>
> 2018-09-06 13:47:47,711 DEBUG 
> [org.apereo.cas.services.DefaultServiceRegistryExecutionPlan] - 
>  xecution plan>
> 2018-09-06 13:47:47,710 DEBUG 
> [org.apereo.cas.services.AbstractServicesManager] -  reg
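Added example, not code from the thread or from CAS: a model of the file-naming rule rbon's reply points at. In standalone mode the configuration directory is read for the generic application.(properties|yml) files and for files named after spring.application.name (cas by default), so renaming the application stops cas.properties from loading while application.yml still loads. The exact candidate list, the profile-suffix rule, the override order and the sample file contents are assumptions for illustration.

```python
"""Which files in the standalone config directory get loaded?

Added illustration, not CAS code: the candidate list and merge order are
assumptions; the sample contents are constructed from the thread.
"""
from typing import Dict, Iterable, List, Tuple

EXTENSIONS = ("properties", "yml")

# Constructed sample contents mirroring the two files discussed above.
SAMPLE_PROPERTIES = (
    "## windows\n"
    "cas.serviceRegistry.json.location=file:///C:/mydir/cas5-server/etc/cas/services\n"
)
SAMPLE_YML = (
    "cas:\n"
    "  serviceRegistry:\n"
    "    json:\n"
    "      location: file:///C:/mydir/cas5-server/etc/cas/services\n"
)


def candidate_files(app_name: str, profiles: Iterable[str] = ()) -> List[str]:
    """Assumed lookup order: application.*, then <spring.application.name>.*,
    each followed by its profile-specific variants."""
    names: List[str] = []
    for base in ("application", app_name):
        names += [f"{base}.{ext}" for ext in EXTENSIONS]
        for profile in profiles:
            names += [f"{base}-{profile}.{ext}" for ext in EXTENSIONS]
    return names


def resolve_config(listing: Dict[str, str], app_name: str, profiles=()) -> Dict[str, str]:
    """Pick, in load order, the files from a directory listing that would be read."""
    return {n: listing[n] for n in candidate_files(app_name, profiles) if n in listing}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: key=value lines; '#'/'!' comments and blanks skipped."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out


def flatten_yaml(text: str) -> Dict[str, str]:
    """Flatten the indentation-nested mapping style used above into dotted keys.
    Scalars and nested mappings only; lists and quoting are out of scope."""
    out: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = [k for _, k in stack] + [key.strip()]
        if value.strip():
            out[".".join(path)] = value.strip()
        else:
            stack.append((indent, key.strip()))
    return out


def load_properties(listing: Dict[str, str], app_name: str, profiles=()) -> Dict[str, str]:
    """Merge every file that would be loaded; later files override earlier ones (assumption)."""
    merged: Dict[str, str] = {}
    for name, text in resolve_config(listing, app_name, profiles).items():
        merged.update(parse_properties(text) if name.endswith(".properties")
                      else flatten_yaml(text))
    return merged


def demo_listing() -> Dict[str, str]:
    """The externalized config directory from the thread, as a constructed listing."""
    return {"application.yml": "", "log4j2.xml": "<Configuration/>",
            "cas.properties": SAMPLE_PROPERTIES}
```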

[cas-user] CAS client changes required to use JWT service ticket in CAS 5.3?

2018-09-07 Thread Yan Zhou
Hello,

I am enabling JWT Service Ticket in CAS 5.3 server.  My flow stops here: 

http://localhost:8080/myapp/login/cas?redirect=true=

I suppose the client (myapp) has to change something in order to read the 
JWT ticket? But I did not see any documentation on that; does the app need to 
include a different CAS client library for the JWT service ticket?

Thx!
Yan



Re: [cas-user] CAS5.3.3 Service Registry is always empty?

2018-09-07 Thread Yan Zhou
Thanks for the suggestion, I figured out something that is strange to me.  
I am building cas.war and deploy to tomcat8. 

I have externalized a directory containing three configuration files: 
application.yml, log4j2.xml and cas.properties. 

If I put the following in cas.properties, it does not load my service 
definitions. 

cas.serviceRegistry.json.location=file:///C:/mydir/cas5-server/etc/cas/services 
 
  
#
#  cas.serviceRegistry.json.location=c:/mydir/cas5-server/etc/cas/services  
// this does not work, either. 
#

but if I put this in application.yml, it does work.

cas:
  serviceRegistry:
json:
  location: file:///C:/mydir/cas5-server/etc/cas/services


Why is cas.properties not loaded, but application.yml is loaded (even 
though the two files are in the same directory, specified 
by -Dcas.standalone.configurationDirectory)?

Thanks,
Yan

On Thursday, September 6, 2018 at 3:28:57 PM UTC-4, Jon Hawkesworth wrote:
>
> Hmm, is your customized cas.properties even getting loaded? 
>
> Worth checking is where you are running cas from. If you are developing 
> say on D: drive it might be looking for the cas.properties in 
> D:\etc\cas\config. 
>
> To debug, I recommend upping the log level to debug in your log4j2.xml for 
> the core cas packages. 
>
> Hope this helps, 
>
> Jon
> On 6 Sep 2018 19:26, "Yan Zhou" wrote:
>
>
> Yes, I do have the dependency. 
>
> I also removed   cas.serviceRegistry.initFromJson   from cas.properties, 
> so that it defaults to false.
>
> I am still not loading any service definition.  How can I debug this in 
> CAS?
>
> Yan
>
>
> On Thursday, September 6, 2018 at 2:19:51 PM UTC-4, David Curry wrote:
>
>> Do you have this in pom.xml:
>>
>> <dependency>
>>     <groupId>org.apereo.cas</groupId>
>>     <artifactId>cas-server-support-json-service-registry</artifactId>
>>     <version>${cas.version}</version>
>> </dependency>
>>
>> (you should)? 
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>
>>
>>
>> On Thu, Sep 6, 2018 at 2:13 PM Yan Zhou  wrote:
>>
>>> Hello, 
>>>
>>> This is my external cas.properties, 
>>>
>>> ## windows
>>> cas.serviceRegistry.json.location=file:///C:/mydir/cas/services  
>>> cas.serviceRegistry.initFromJson=true
>>>
>>> Here is my QuestLocal-1001.json under  c:/mydir/cas/services, but I 
>>> am not loading any service definition. See below for logs.
>>>
>>> {
>>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>>   "serviceId" : "^https?://.*",
>>>   "name" : "QuestLocal",
>>>   "id" : 1001,
>>>   "description" : "This service definition",
>>>   "evaluationOrder" : 1,
>>>   "attributeReleasePolicy" : {
>>> "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>>},   
>>>   "properties" : {
>>> "@class" : "java.util.HashMap",
>>> "jwtAsServiceTicket" : {
>>>   "@class" : 
>>> "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>>>   "values" : [ "java.util.HashSet", [ "true" ] ]
>>> }
>>>   }  
>>> }
>>>
>>> What am I missing?
>>>
>>> Thx!
>>> Yan
>>>
>>> 2018-09-06 13:47:47,711 WARN 
>>> [org.apereo.cas.config.CasCoreServicesConfiguration] - >> used as the persistence storage for retrieving and persis
>>> ting service definitions. Changes that are made to service definitions 
>>> during runtime WILL be LOST when the web server is restarted. Ideally for 
>>> production, you
>>>  need to choose a storage option (JDBC, etc) to store and track service 
>>> definitions.>
>>> 2018-09-06 13:47:47,711 DEBUG 
>>> [org.apereo.cas.services.DefaultServiceRegistryExecutionPlan] - 
>>> >> xecution plan>
>>> 2018-09-06 13:47:47,710 DEBUG 
>>> [org.apereo.cas.services.AbstractServicesManager] - >> registry [InMemoryServiceRegistry] into the execution pla
>>> norg.apereo.cas.services.ChainingServiceRegistry@e311f93]>
>>> 2018-09-06 13:47:47,713 INFO 
>>> [org.apereo.cas.services.AbstractServicesManager] - >> from [In

Re: [cas-user] CAS5.3.3 Service Registry is always empty?

2018-09-06 Thread Yan Zhou

Yes, I do have the dependency. 

I also removed cas.serviceRegistry.initFromJson from cas.properties, so 
that it defaults to false.

I am still not loading any service definition.  How can I debug this in CAS?

Yan

On Thursday, September 6, 2018 at 2:19:51 PM UTC-4, David Curry wrote:
>
> Do you have this in pom.xml:
>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-json-service-registry</artifactId>
>     <version>${cas.version}</version>
> </dependency>
>
> (you should)? 
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.cu...@newschool.edu 
>
>
>
> On Thu, Sep 6, 2018 at 2:13 PM Yan Zhou > 
> wrote:
>
>> Hello, 
>>
>> This is my external cas.properties, 
>>
>> ## windows
>> cas.serviceRegistry.json.location=file:///C:/mydir/cas/services  
>> cas.serviceRegistry.initFromJson=true
>>
>> Here is my QuestLocal-1001.json under  c:/mydir/cas/services, But I 
>> am not loading any service definition.  See below for logs.
>>
>> {
>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>   "serviceId" : "^https?://.*",
>>   "name" : "QuestLocal",
>>   "id" : 1001,
>>   "description" : "This service definition",
>>   "evaluationOrder" : 1,
>>   "attributeReleasePolicy" : {
>> "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>},   
>>   "properties" : {
>> "@class" : "java.util.HashMap",
>> "jwtAsServiceTicket" : {
>>   "@class" : 
>> "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>>   "values" : [ "java.util.HashSet", [ "true" ] ]
>> }
>>   }  
>> }
>>
>> What am I missing?
>>
>> Thx!
>> Yan
>>
>> 2018-09-06 13:47:47,711 WARN 
>> [org.apereo.cas.config.CasCoreServicesConfiguration] - <Runtime memory is 
>> used as the persistence storage for retrieving and persisting service 
>> definitions. Changes that are made to service definitions during runtime 
>> WILL be LOST when the web server is restarted. Ideally for production, you 
>> need to choose a storage option (JDBC, etc) to store and track service 
>> definitions.>
>> 2018-09-06 13:47:47,711 DEBUG 
>> [org.apereo.cas.services.DefaultServiceRegistryExecutionPlan] - 
>> > xecution plan>
>> 2018-09-06 13:47:47,710 DEBUG 
>> [org.apereo.cas.services.AbstractServicesManager] - > registry [InMemoryServiceRegistry] into the execution pla
>> norg.apereo.cas.services.ChainingServiceRegistry@e311f93]>
>> 2018-09-06 13:47:47,713 INFO 
>> [org.apereo.cas.services.AbstractServicesManager] - > from [InMemoryServiceRegistry].>
>> 2018-09-06 13:48:47,715 DEBUG 
>> [org.apereo.cas.services.AbstractServicesManager] - > [org.apereo.cas.services.ChainingServiceRegistry@e311f9
>> 3]>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/021e8dbe-5d1c-4b11-ae65-bec30fe39fef%40apereo.org.
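An added lint for JSON service definitions like the QuestLocal-1001.json quoted above (example code, not CAS's own): it checks the file-name convention the JSON registry documents (name-id.json), the required fields, that serviceId compiles as a regex, and flags a serviceId such as ^https?://.* that matches every URL, because combined with ReturnAllAttributeReleasePolicy, as in the post, such a definition authorizes any URL and releases all attributes to it. The two sample definitions and the probe URLs are constructed for the example.

```python
"""Lint a directory of CAS JSON service definitions before CAS loads them.

Added example, not CAS code. Checks: file name is <name>-<id>.json (the
naming convention the JSON service registry documents), required fields are
present, serviceId is a compilable regex, and a serviceId that matches every
probe URL is reported as a catch-all.
"""
import json
import re
from pathlib import Path
from typing import Dict, List

REQUIRED = ("@class", "serviceId", "name", "id")
# Constructed probe URLs: a catch-all serviceId pattern matches all of them.
PROBES = ("https://example.invalid/", "https://attacker.invalid/callback", "http://localhost/")


def lint_definition(file_name: str, text: str) -> List[str]:
    """Return the problems found in one service file; an empty list means clean."""
    problems: List[str] = []
    try:
        svc: Dict = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"{file_name}: not valid JSON ({e.msg})"]
    for key in REQUIRED:
        if key not in svc:
            problems.append(f"{file_name}: missing '{key}'")
    if problems:
        return problems
    if not isinstance(svc["id"], int):
        problems.append(f"{file_name}: 'id' must be an integer, got {svc['id']!r}")
    expected = f"{svc['name']}-{svc['id']}.json"
    if file_name != expected:
        problems.append(f"{file_name}: file name should be {expected}")
    try:
        pattern = re.compile(svc["serviceId"])
    except re.error as e:
        return problems + [f"{file_name}: serviceId is not a valid regex ({e})"]
    if all(pattern.match(u) for u in PROBES):
        problems.append(f"{file_name}: serviceId {svc['serviceId']!r} matches any URL (catch-all)")
    return problems


def lint_directory(directory: Path) -> Dict[str, List[str]]:
    """Lint every *.json file in a service registry directory."""
    return {p.name: lint_definition(p.name, p.read_text(encoding="utf-8"))
            for p in sorted(directory.glob("*.json"))}


# Constructed samples: the first is shaped like the QuestLocal-1001.json in
# the post (catch-all serviceId), the second is scoped to one application.
SAMPLE_CATCH_ALL = json.dumps({
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^https?://.*",
    "name": "QuestLocal",
    "id": 1001,
})
SAMPLE_SCOPED = json.dumps({
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^https://app\\.example\\.invalid/.*",
    "name": "App",
    "id": 2001,
})

if __name__ == "__main__":
    for name, text in (("QuestLocal-1001.json", SAMPLE_CATCH_ALL), ("App-2001.json", SAMPLE_SCOPED)):
        print(name, lint_definition(name, text) or "ok")
```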


[cas-user] CAS 5.3.x spring-boot:run not working after customizing

2018-09-04 Thread Yan Zhou
Hello,

I have the CAS 5.3.3 overlay, and this works: mvn spring-boot:run. 

However, I need to customize CAS, so I had to add additional dependencies, 
and "mvn spring-boot:run" no longer works.  Is this by design?

I finally see this in README of CAS build.

Be careful with this method of deployment. `bootRun` is not designed to 
work with already executable WAR artifacts such that CAS server web 
application. YMMV. Today, uses of this mode ONLY work when there is **NO 
OTHER** dependency added to the build script and the `cas-server-webapp` is 
the only present module. See [this 
issue](https://github.com/spring-projects/spring-boot/issues/8320) for more 
info.


Thanks,
Yan



[cas-user] CAS 5.3.3 /cas does not redirect to /cas/login

2018-08-31 Thread Yan Zhou
Hello,

With the previous CAS 4.x and 5.2.x, going to /cas would redirect to /cas/login 
automatically.  That is quite nice. 

But with 5.3.3 this is no longer happening; it comes up with an "Access 
Denied" page and provides a link to /cas/login. 

How do I configure the auto-redirect?

Thx!
Yan



[cas-user] CAS5 error out on: server.connection-timeout=PT20S

2018-08-31 Thread Yan Zhou
Hello!

I am using CAS 5.3.3 overlay, but got this error on application.properties.

It has server.connection-timeout=PT20S; this is the default but gives this 
error.  What did I miss?

Binding to target 
org.springframework.boot.autoconfigure.web.ServerProperties@109952a1 failed:

Property: server.connectionTimeout
Value: PT20S
Reason: Failed to convert property value of type 'java.lang.String' to 
required type 'java.lang.Integer' for property 'connectionTimeout'; nested 
exception is org.springframework.core.convert.ConverterNotFoundException: 
No converter found capable of converting from type [java.lang.String] to 
type [java.lang.Integer]

Thanks!
Yan



[cas-user] CAS5.2.x, how to set up JNDI entry for embedded tomcat

2018-08-20 Thread Yan Zhou
Hi,  

CAS 5.2.X has embedded Tomcat, but it does not have JNDI enabled.  How do I 
add the customization of making a JNDI entry available?

Thx!
Yan



Re: [cas-user] CAS 4.1.9 overlay consumes SAML 2.0 and 1.x assertions

2018-04-12 Thread Yan Zhou

OK, we do not have an IdP yet.  CAS 5.2 would be able to do that without 
relying on delegated authentication, right?

Yan


On Thursday, April 12, 2018 at 3:42:26 PM UTC-4, Misagh Moayyed wrote:
>
> You want to start with something like this:
> https://apereo.github.io/cas/4.1.x/integration/Delegate-Authentication.html
>
> External identity providers are referred to as "Clients", in the sense 
> that CAS is a client of that identity provider. Build the one for SAML and 
> proceed. IIRC, only SAML2 and only specific variants of are supported 
> there. 
>
> Skip backporting. It's only going to make you age faster...and not like 
> Clooney. 
>
> --Misagh
>



[cas-user] CAS 4.1.9 overlay consumes SAML 2.0 and 1.x assertions

2018-04-12 Thread Yan Zhou
Hello,

We are running CAS 4.1.9.  An external vendor wants to do SSO with us. Users 
log in on their side, and they will send us a SAML assertion, so that the user 
can SSO to our app without logging in again. 

Can CAS (without Shibboleth) consume such SAML 1.x and/or 2.0 assertions?

I think CAS 5.x can, is that correct?  We are not in a position to upgrade 
CAS 4 yet.  Is it possible to give me the implementation in CAS 5.x and I 
can port that into my CAS 4.1.9?

Thanks,
Yan



Re: [cas-user] Issue handling Browser Back button in CAS UI flow

2018-04-12 Thread Yan Zhou

Hello, 

I am using this as an example that CAS flow does not support BACK button. 
That is not the real problem I am facing. 

We have added a couple more screens to the login flow, such as requiring the 
user to change their password if it expires, and setting up the user when 
logging in to CAS for the first time.  Our BACK button is broken right now. 
Spring Web Flow should support it by default.  

I understand the double-submit problem, that is why there is 
POST-REDIRECT-GET pattern.

What is in CAS that overrides Spring Web Flow's default behavior and does 
not support the Back button, so that I will have to implement "Back" myself on 
every screen individually?

Yan

On Wednesday, April 11, 2018 at 4:59:06 AM UTC-4, Uxío Prego wrote:
>
> Yeah take control of the browser back button and send the user to wherever 
> you find appropriate: https://stackoverflow.com/questions/25806608/.
>
> Regards,
>
> Uxío Prego
>
>  
>
> Madiva Soluciones
> CL / SERRANO GALVACHE 56
> BLOQUE ABEDUL PLANTA 4
> 28033 MADRID
> +34 917 56 84 94
> www.madiva.com
> www.bbva.com
>
> The activity of email inboxes can be systematically tracked by colleagues, 
> business partners and third parties. Turn off automatic loading of images 
> to hamper it.
>
> 2018-04-10 15:59 GMT+00:00 Ray Bon <rb...@uvic.ca >:
>
>> Yan,
>>
>> Accept User Agreement is shown after the Login Screen form is POSTed. You 
>> cannot go back to it from the Success Page because that would require 
>> resubmitting the login form.
>> If you really want to be able to go back to Accept User Agreement, you 
>> could have a link on the Success Page or perform some redirection/javascript 
>> reloading of Accept User Agreement. 
>>
>> Ray
>>
>> -- 
>> Ray Bon
>> Programmer analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | rb...@uvic.ca 
>>



[cas-user] Issue handling Browser Back button in CAS UI flow

2018-04-09 Thread Yan Zhou
Hello, 

I built a CAS 4.1.9 overlay webapp. In order to test transitions among the UI 
screens using the browser Back button, I enabled the AUP flow just so I can 
have a couple of screens to navigate with. 

Login Screen -> Accept User Agreement -> Success Page. 

When I am on the 2nd screen, I can use the browser Back button to go back to 
the 1st screen, but when I am at the last screen (success page), hitting the 
browser BACK button results in an "expired page" or a cache miss; 
basically, the browser cannot find the page in the cache. 

Any suggestion?

Thx!



[cas-user] Hazelcast configuration on CAS 4.1.9 overlay

2017-11-24 Thread Yan Zhou
Hi,

CAS 4.1.9 overlay with Hazelcast as the ticket registry.  Two instances of CAS 
run on each server. With two servers, that is four instances of CAS, and 
requests are round-robined to the four CAS servers.

in cas.properties on each CAS instance:

hz.cluster.members=server1.com,server2.com

First of all, is that a proper configuration (everything else on Hazelcast 
is default value)?

In the CAS log, I see this.  What does this mean, and why do the members go 
down from 4 to 3 and then to 2?  And it seems that the members on 5702 are 
being dropped. 

Thanks,
Yan

Members [4] {
Member [server1.com]:5701 this
Member [server2.com]:5701
Member [server1.com]:5702
Member [server2.com]:5702
}



Members [3] {
Member [server1.com]:5702 
Member [server1.com]:5701 this
Member [server2.com]:5701
}

2017-11-16 15:03:34,161 INFO [com.hazelcast.nio.tcp.SocketConnector] - 
[scasapp001.stage.cin.mp-emaxx.com]:5701 [dev] [3.5.3] Connecting to 
scasapp001.stage.cin.mp-emaxx.com/10.128.61.23:5702, timeout: 0, bind-any: 
true

2017-11-16 15:03:34,162 INFO [com.hazelcast.nio.tcp.SocketConnector] - 
[scasapp001.stage.cin.mp-emaxx.com]:5701 [dev] [3.5.3] Could not connect 
to: scasapp001.stage.cin.mp-emaxx.com/10.128.61.23:5702. Reason: 
SocketException[Connection refused to address 
scasapp001.stage.cin.mp-emaxx.com/10.128.61.23:5702]

2017-11-16 15:03:34,162 WARN [com.hazelcast.nio.tcp.TcpIpConnectionMonitor] 
- [scasapp001.stage.cin.mp-emaxx.com]:5701 [dev] [3.5.3] Removing 
connection to endpoint Address[scasapp001.stage.cin.mp-emaxx.com]:5702 
Cause => java.net.SocketException {Connection refused to address 
scasapp001.stage.cin.mp-emaxx.com/10.128.61.23:5702}, Error-Count: 5

2017-11-16 15:03:34,163 INFO [com.hazelcast.cluster.ClusterService] - 
[scasapp001.stage.cin.mp-emaxx.com]:5701 [dev] [3.5.3] Master 
Address[scasapp001.stage.cin.mp-emaxx.com]:5702 left the cluster. Assigning 
new master Member [scasapp001.stage.cin.mp-emaxx.com]:5701 this

2017-11-16 15:03:34,163 INFO [com.hazelcast.cluster.ClusterService] - 
[scasapp001.stage.cin.mp-emaxx.com]:5701 [dev] [3.5.3] Removing Member 
[scasapp001.stage.cin.mp-emaxx.com]:5702


Members [2] {
Member [server1.com]:5701 this
Member [server2.com]:5701
}



Re: [cas-user] Re: CAS 4.1.x TGC cookie not set to HTTPOnly with Servlet 3 API

2017-03-31 Thread Yan Zhou
Hello,

By default, the TGC cookie does _not_ have HttpOnly.  If the app (using CAS
for authentication) has an XSS vulnerability, someone could inject JS, read
the TGC cookie and submit it to the CAS server; even though it is encrypted and
signed, the CAS server will not know this TGC cookie is from an attacker.  Is
that not an issue?

Granted, there may be little an attacker could do; I guess he could request a
service ticket for his app, now that he has the TGC cookie?

Thx!
Yan

On Fri, Mar 31, 2017 at 2:25 AM, Alejandro Rodriguez 
wrote:

>
> Misagh, Thank you very much for the clarification, I will try to issue a 
> problem as you advise me
> although I never did. Again, thank you very much.
>
>

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFSoZemWs%3DEXP5YWr6_fVqBTVPPcy1CR1fzAcRPdzN6r1kVwsg%40mail.gmail.com.


[cas-user] Re: CAS 4.1.x TGC cookie not set to HTTPOnly with Servlet 3 API

2017-03-09 Thread Yan Zhou

I added the httpOnly flag in the XML, and that worked for me. Does this 
solution sound right?





[cas-user] CAS 4.1.x TGC cookie not set to HTTPOnly with Servlet 3 API

2017-03-09 Thread Yan Zhou
Hi there, 

I have a CAS 4.1.X overlay, servlet API version 3 in POM.xml, and CAS 
running on tomcat7. 

I observed that the TGC cookie is set to Secure, but NOT HttpOnly.  Tomcat7 
defaults to HttpOnly for the session cookie, but it does not know about the CAS 
TGC cookie, so the CAS web app's session cookie has HttpOnly set, but the TGC 
cookie does not.

The source code in CookieRetrievingCookieGenerator.java shows that CAS would 
set HttpOnly if "RememberMe" is on.

Am I missing something? Shouldn't the TGC cookie always have HttpOnly on, at 
all times? This URL explains how to customize CAS to do that, but I am 
wondering why this would require customization. 

http://daodecode.com/2013/03/25/castgc-cookie-and-httponly-flag/

Thx!
Yan

    public void addCookie(final HttpServletRequest request, final HttpServletResponse response,
                          final String cookieValue) {
        // Encrypt and sign the raw ticket id before it leaves the server.
        final String theCookieValue = this.casCookieValueManager.buildCookieValue(cookieValue, request);

        if (!StringUtils.hasText(request.getParameter(RememberMeCredential.REQUEST_PARAMETER_REMEMBER_ME))) {
            // Normal login: delegate to Spring's CookieGenerator.addCookie, which applies
            // the generator's own configured cookieSecure/cookieHttpOnly settings.
            super.addCookie(response, theCookieValue);
        } else {
            // Remember-me login: build the cookie by hand so the longer max-age applies.
            final Cookie cookie = createCookie(theCookieValue);
            cookie.setMaxAge(this.rememberMeMaxAge);
            if (isCookieSecure()) {
                cookie.setSecure(true);
            }
            if (isCookieHttpOnly()) {
                // Cookie.setHttpOnly exists only from Servlet 3.0 on; probe for it reflectively.
                final Method setHttpOnlyMethod =
                        ReflectionUtils.findMethod(Cookie.class, "setHttpOnly", boolean.class);
                if (setHttpOnlyMethod != null) {
                    cookie.setHttpOnly(true);
                } else {
                    logger.debug("Cookie cannot be marked as HttpOnly; container is not using servlet 3.0.");
                }
            }
            response.addCookie(cookie);
        }
    }

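The check the two posts above are asking for, as an added example (not CAS or the poster's code): parse the Set-Cookie headers of a login response and report which session-bearing cookies lack Secure or HttpOnly. The headers below are constructed samples reproducing what the post observed, CASTGC with Secure but without HttpOnly.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example, not CAS code. CASTGC is the name of CAS's ticket-granting
cookie; the header strings below are constructed samples, not a captured
response.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class ParsedCookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value; flags such as Secure map to ""
    attributes: Dict[str, str] = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split one Set-Cookie header into name, value and attributes (RFC 6265 style)."""
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    attributes: Dict[str, str] = {}
    for segment in segments[1:]:
        if not segment:
            continue
        key, _, val = segment.partition("=")
        attributes[key.strip().lower()] = val.strip()
    return ParsedCookie(name.strip(), value.strip(), attributes)


def audit_cookies(headers: Iterable[str],
                  sensitive: Iterable[str] = ("CASTGC", "JSESSIONID")) -> Dict[str, List[str]]:
    """Return {cookie name: [missing protections]} for each sensitive cookie seen.

    Cookies not in `sensitive` are ignored; a sensitive cookie carrying both
    flags maps to an empty list, so any non-empty list is a finding.
    """
    watch = set(sensitive)
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name not in watch:
            continue
        missing: List[str] = []
        if not cookie.secure:
            missing.append("Secure")
        if not cookie.http_only:
            missing.append("HttpOnly")
        findings[cookie.name] = missing
    return findings


# Constructed sample: the container's session cookie carries both flags, the
# ticket-granting cookie is Secure only, which is what the post observed.
SAMPLE_HEADERS = [
    "JSESSIONID=constructed-session-id; Path=/cas; Secure; HttpOnly",
    "CASTGC=TGT-1-constructed-sample-value; Path=/cas; Secure",
    "CASPRIVACY=; Path=/cas",
]

if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```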


[cas-user] Use Spring Data Repository in CAS5

2017-02-17 Thread Yan Zhou
Hello,

I would like to extend the CAS login flow, using the CAS5 overlay template with 
my customized authenticator (it does a database lookup), but I am having 
trouble getting the Spring Data Repository to work.

I added the following class in cas5-overlay.  I am using a JNDI data source 
lookup. The JNDI data source is defined on Tomcat 8.  I also defined a Spring 
Data repository.

The error is that when Spring IoC tries to inject my data repository, it throws 
NoSuchBeanDefinitionException.   Any suggestions?

Thx!
Yan

=== Configuration ===

@Configuration
@EnableJpaRepositories
@EnableTransactionManagement
public class QuestCASApplicationContext {

@Bean(destroyMethod="")
public DataSource dataSource() {
try {
   JndiObjectFactoryBean bean = new JndiObjectFactoryBean();
   bean.setJndiName("java:comp/env/jdbc/cas5DS");
   bean.setProxyInterface(DataSource.class);
   bean.setLookupOnStartup(false);
   bean.afterPropertiesSet();
   return (DataSource)bean.getObject();
} catch (NamingException ex) {
 throw new RuntimeException(ex);
}
}

@Bean
public EntityManagerFactory entityManagerFactory() {
  HibernateJpaVendorAdapter vendorAdapter = new 
HibernateJpaVendorAdapter();
  vendorAdapter.setGenerateDdl(true);

  LocalContainerEntityManagerFactoryBean factory = new 
LocalContainerEntityManagerFactoryBean();
  factory.setJpaVendorAdapter(vendorAdapter);
  factory.setPackagesToScan("com.quest.hub.cas.model");
  factory.setDataSource(dataSource());
  factory.afterPropertiesSet();

  return factory.getObject();
}

@Bean
public PlatformTransactionManager transactionManager() {

  JpaTransactionManager txManager = new JpaTransactionManager();
  txManager.setEntityManagerFactory(entityManagerFactory());
  return txManager;
}
}


=== Repository ===

@Repository
public interface LoginUserRepository extends CrudRepository {

@Query(value = "select * from CAS_USER b where lower(login_name) = 
lower(?1)", nativeQuery = true)
public List findByLoginNameIgnoreCase(String loginName);
}


 Configuration for my CAS authenticator ===


@Configuration("casCredentialConfiguration")
@EnableConfigurationProperties(CasConfigurationProperties.class)
public class CASCredentialConfiguration {

@Autowired
private LoginUserRepository userRepository; <=== Spring 
throws NoSuchBeanDefinitionException




[cas-user] CAS 4.1.9, webflow encryption key, Invalid AES key length: 43 bytes

2017-01-06 Thread Yan Zhou


Hi there, 


CAS Overlay 4.1.9.   I generated the webflow encryption key below. 

 

java -jar json-web-key-generator-0.4-SNAPSHOT-jar-with-dependencies.jar -t 
oct -s 256


I can generate another TGC signing key that works fine, but the webflow signing 
key gives me this error.

 

SEVERE: Servlet.service() for servlet [cas] in context with path [/cas] 
threw exception [Request processing failed; nested exception is 
org.springframework.webflow.execution.FlowExecutionException: Exception 
thrown in state 'viewLoginForm' of flow 'login'] with root cause

java.security.InvalidKeyException: Invalid AES key length: 43 bytes

at 
com.sun.crypto.provider.AESCipher.engineGetKeySize(AESCipher.java:495)

 

webflow.encryption.key=LqWoZsHfEYQZ3KIzWiC_KE8iUoKXK48FgTiIDpTZs80

what am I missing?

Thx!
Yan



Re: [cas-user] CAS4 flow decode execution error, is this an issue?

2017-01-05 Thread Yan Zhou

I see.  There are two sets of keys. I am missing  webflow..key

ALL nodes SHARE the same key. For some reason, I thought each node will 
have a unique key, but obviously I was wrong.


So, session affinity is NOT required for CAS to work correctly.

Thx!


On 1/5/2017 2:19 PM, Misagh Moayyed wrote:

1. Keys must be the same across all nodes.
2. Your previous error says something about webflow decryption. Your 
config has no keys defined for that purpose.


--
Misagh

From: Yan Zhou <yanand...@gmail.com>
Reply: cas-user@apereo.org
Date: January 5, 2017 at 10:25:09 PM
To: CAS Community <cas-user@apereo.org>
Subject: Re: [cas-user] CAS4 flow decode execution error, is this an issue?




Hi,

this is one server's cas.properties.  the other server is very 
similar other than host name is dcasde02, and it has different 
signing key and encryption key, since they are unique per server.


Is there any misconfiguration you can see?   If CAS cluster can work 
without session affinity, how does one server decrypt a value 
encrypted by another server using a different key?


Thx!

server.name=http://dcasde01:8443
server.prefix=${server.name}/cas
cas.securityContext.status.access=hasIpAddress('172.18.100.52')
cas.securityContext.statistics.access=hasIpAddress('172.18.100.52')
cas.themeResolver.defaultThemeName=cas-theme-default
cas.viewResolver.basename=default_views
host.name=dcasde01.dev.medplus.com
tgc.encryption.key=LqWoZsHfEYQZ3KIzWiC_KE8iUoKXK48FgTiIDpTZs80
tgc.signing.key=O7Y5GookFVgYjhTE2sQZPxTeUr07jlcNDIo5G34rSxulP1FPaYs-5_dc_87a5OrOEvAAp0BImQ9sPxuy_MX-jQ
hz.cluster.members=dcasde01.dev.medplus.com,dcasde02.dev.medplus.com
cas.logout.followServiceRedirects=true
tgt.maxTimeToLiveInSeconds=28800
st.timeToKillInSeconds=300
service.registry.config.location=file:///etc/cas-config/cas-management/services



On Thursday, January 5, 2017 at 12:49:42 PM UTC-5, sesharaju sv wrote:

Hello Yan,

you would have missed some configurations in cas.properties. Please
share properties so that we can review and let you know the issue.

Thanks
Seshu

On 5 January 2017 at 20:17, Yan Zhou <yana...@gmail.com> wrote:
> Hello,
>
> When you submit CAS4 login page, sometimes you get “Decode flow execution
> error”. For a long time, I have been struggling as to why this happens. I
> think we have an answer.
>
> This most likely happens in a cluster environment when you have multiple
> active CAS4 servers. They each have a different signing key.  The webflow
> values are encrypted by the CAS server handling request and sent back to CAS
> login form, when form is submitted, the encrypted value comes back to CAS
> server.  Without session affinity, one server can sign the data, but the
> other server won’t decrypt it, because the keys are different.
>
> That is my theory, do you think that would cause this error?   I did verify
> that when server cannot decrypt data, it results in null value, which causes
> the following exception.
>
> 2016-11-23 15:21:01,746 ERROR [org.jasig.cas.util.BinaryCipherExecutor] -
> Unable to correctly extract the Initialization Vector or ciphertext.
>
> org.apache.shiro.crypto.CryptoException: Unable to correctly extract the
> Initialization Vector or ciphertext.
>     at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:378)
>     at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:120)
>     at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:42)
>     at org.jasig.cas.web.flow.CasWebflowCipherBean.decrypt(CasWebflowCipherBean.java:58)
>     at org.jasig.spring.webflow.plugin.EncryptedTranscoder.decode(EncryptedTranscoder.java:105)
>     at org.jasig.spring.webflow.plugin.ClientFlowExecutionRepository.getFlowExecution(ClientFlowExecutionRepository.java:90)
>     at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:168)
>     at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:228)
>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
>

Re: [cas-user] CAS4 flow decode execution error, is this an issue?

2017-01-05 Thread Yan Zhou

Hi, 

this is one server's cas.properties.  the other server is very similar 
other than host name is dcasde02, and it has different signing key and 
encryption key, since they are unique per server.

Is there any misconfiguration you can see?   If CAS cluster can work 
without session affinity, how does one server decrypt a value encrypted by 
another server using a different key?

Thx!

server.name=http://dcasde01:8443
server.prefix=${server.name}/cas
cas.securityContext.status.access=hasIpAddress('172.18.100.52')
cas.securityContext.statistics.access=hasIpAddress('172.18.100.52')
cas.themeResolver.defaultThemeName=cas-theme-default
cas.viewResolver.basename=default_views
host.name=dcasde01.dev.medplus.com
tgc.encryption.key=LqWoZsHfEYQZ3KIzWiC_KE8iUoKXK48FgTiIDpTZs80
tgc.signing.key=O7Y5GookFVgYjhTE2sQZPxTeUr07jlcNDIo5G34rSxulP1FPaYs-5_dc_87a5OrOEvAAp0BImQ9sPxuy_MX-jQ
hz.cluster.members=dcasde01.dev.medplus.com,dcasde02.dev.medplus.com
cas.logout.followServiceRedirects=true
tgt.maxTimeToLiveInSeconds=28800
st.timeToKillInSeconds=300
service.registry.config.location=file:///etc/cas-config/cas-management/services



On Thursday, January 5, 2017 at 12:49:42 PM UTC-5, sesharaju sv wrote:
>
> Hello Yan,
>
> you would have missed some configurations in cas.properties. Please
> share properties so that we can review and let you know the issue.
>
> Thanks
> Seshu
>
> On 5 January 2017 at 20:17, Yan Zhou <yana...@gmail.com> wrote:
> > Hello,
> >
> > When you submit CAS4 login page, sometimes you get “Decode flow execution
> > error”. For a long time, I have been struggling as to why this happens. I
> > think we have an answer.
> >
> > This most likely happens in a cluster environment when you have multiple
> > active CAS4 servers. They each have a different signing key.  The webflow
> > values are encrypted by the CAS server handling request and sent back to
> > CAS login form, when form is submitted, the encrypted value comes back to
> > CAS server.  Without session affinity, one server can sign the data, but the
> > other server won’t decrypt it, because the keys are different.
> >
> > That is my theory, do you think that would cause this error?   I did
> > verify that when server cannot decrypt data, it results in null value, which
> > causes the following exception.
> >
> > 2016-11-23 15:21:01,746 ERROR [org.jasig.cas.util.BinaryCipherExecutor] -
> > Unable to correctly extract the Initialization Vector or ciphertext.
> >
> > org.apache.shiro.crypto.CryptoException: Unable to correctly extract the
> > Initialization Vector or ciphertext.
> >     at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:378)
> >     at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:120)
> >     at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:42)
> >     at org.jasig.cas.web.flow.CasWebflowCipherBean.decrypt(CasWebflowCipherBean.java:58)
> >     at org.jasig.spring.webflow.plugin.EncryptedTranscoder.decode(EncryptedTranscoder.java:105)
> >     at org.jasig.spring.webflow.plugin.ClientFlowExecutionRepository.getFlowExecution(ClientFlowExecutionRepository.java:90)
> >     at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:168)
> >     at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:228)
> >     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
> >     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
> >     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967)
> >     at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869)
> >     at javax.servlet.http.HttpServlet.service(Unknown Source)
> >     at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843)
> >

[cas-user] CAS4 flow decode execution error, is this an issue?

2017-01-05 Thread Yan Zhou
Hello,

When you submit CAS4 login page, sometimes you get “Decode flow execution
error”. For a long time, I have been struggling as to why this happens. I
think we have an answer.

This most likely happens in a cluster environment when you have multiple
active CAS4 servers. They each have a different signing key.  The webflow
values are encrypted by the CAS server handling request and sent back to
CAS login form, when form is submitted, the encrypted value comes back to
CAS server.  Without session affinity, one server can sign the data, but
the other server won’t decrypt it, because the keys are different.

That is my theory, do you think that would cause this error?   I did verify
that when server cannot decrypt data, it results in null value, which
causes the following exception.

2016-11-23 15:21:01,746 ERROR [org.jasig.cas.util.BinaryCipherExecutor] -
Unable to correctly extract the Initialization Vector or ciphertext.

org.apache.shiro.crypto.CryptoException: Unable to correctly extract the
Initialization Vector or ciphertext.
    at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:378)
    at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:120)
    at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:42)
    at org.jasig.cas.web.flow.CasWebflowCipherBean.decrypt(CasWebflowCipherBean.java:58)
    at org.jasig.spring.webflow.plugin.EncryptedTranscoder.decode(EncryptedTranscoder.java:105)
    at org.jasig.spring.webflow.plugin.ClientFlowExecutionRepository.getFlowExecution(ClientFlowExecutionRepository.java:90)
    at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:168)
    at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:228)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967)
    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869)
    at javax.servlet.http.HttpServlet.service(Unknown Source)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843)
    at javax.servlet.http.HttpServlet.service(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
    at org.jasig.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:227)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
    at org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:250)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
    at org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
    at org.apache.catalina.core.StandardWrapperValve.invoke(Unknown Source)
    at org.apache.catalina.core.StandardContextValve.invoke(Unknown Source)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Unknown Source)
    at org.apache.catalina.core.StandardHostValve.invoke(Unknown Source)
    at
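An added example for the cluster scenario in this thread and in Misagh's reply earlier on the page (all nodes must share the key); it is not CAS code. Two nodes are modelled: the one that renders the login form seals the webflow state, and the one that receives the POST tries to open it. The CAS 4 cipher (Shiro AES with a prepended IV plus a separate signing key, as the trace shows) is replaced here by AES-GCM, which rejects a wrong key by failing authentication rather than by producing garbage, but the outcome is the point: with a shared key no session affinity is needed, and with different keys the second node cannot resume the flow. The shared key is the post's tgc.encryption.key; the stray key and the flow state are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// node models one CAS server in the cluster with its own webflow key.
type node struct {
	name string
	aead cipher.AEAD
}

// newNode builds a node from a base64url-encoded 256-bit key, the format
// json-web-key-generator emits for the keys in cas.properties.
func newNode(name, b64key string) (*node, error) {
	key, err := base64.RawURLEncoding.DecodeString(b64key)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &node{name: name, aead: aead}, nil
}

// seal encrypts the flow execution state, prepending a fresh nonce, and
// returns the opaque token that would be embedded in the login form.
func (n *node) seal(state []byte) (string, error) {
	nonce := make([]byte, n.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := n.aead.Seal(nonce, nonce, state, nil)
	return base64.RawURLEncoding.EncodeToString(ct), nil
}

// open decrypts a token produced by seal. It fails when the token is too
// short to carry a nonce, or when it was sealed under a different key.
func (n *node) open(token string) ([]byte, error) {
	ct, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return nil, err
	}
	ns := n.aead.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("unable to extract the nonce or ciphertext")
	}
	return n.aead.Open(nil, ct[:ns], ct[ns:], nil)
}

// resumeFlow is what a load balancer without session affinity exercises:
// node a renders the form, node b receives the POST. It reports whether b
// can decode the state a produced.
func resumeFlow(a, b *node, state []byte) (bool, error) {
	token, err := a.seal(state)
	if err != nil {
		return false, err
	}
	_, err = b.open(token)
	return err == nil, nil
}

func mustNode(name, key string) *node {
	n, err := newNode(name, key)
	if err != nil {
		panic(err)
	}
	return n
}

func main() {
	// sharedKey is the tgc.encryption.key from the post; strayKey is a
	// constructed value standing in for a node generated with its own key.
	const sharedKey = "LqWoZsHfEYQZ3KIzWiC_KE8iUoKXK48FgTiIDpTZs80"
	const strayKey = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFA"
	a := mustNode("dcasde01", sharedKey)
	state := []byte("flowExecutionKey=e1s1;state=viewLoginForm") // constructed
	for _, b := range []*node{mustNode("dcasde02", sharedKey), mustNode("dcasde02 (own key)", strayKey)} {
		ok, err := resumeFlow(a, b, state)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s renders form, %s receives POST: resumed=%t\n", a.name, b.name, ok)
	}
}
```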

[cas-user] Commercial companies using CAS?

2016-12-12 Thread Yan Zhou
Hello, 

I have noticed that CAS is very popular in academic world, with lots of 
universities using it.

I do not see much use of CAS in commercial world, there maybe one or two, 
but that is really it.  I personally like CAS and we are actively adopting 
it in the corporate world.

Has anyone have explanation why it is not as popular in commercial world?

Thx!
Yan



[cas-user] throttling attempts in CAS by IP, what if a large number users behind a proxy?

2016-11-10 Thread Yan Zhou
Hi,

CAS enables login throttling by IP, but, what if a relatively big number of 
users (in an organization) all sit behind one proxy?

Can I configure throttling like this:  no more than 5 login failures within 
3 seconds, and decrement the count every second.

Thx!
Yan
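An added example, not CAS code, that implements the policy the post proposes (a key trips at 5 failures, and the count drains by one every second) as a leaky bucket, and shows why the throttle key matters behind a shared proxy: keyed on the client address alone, one failure each from five users on the same egress address locks out everyone behind it, while keying on address plus username throttles each account on its own. The proxy address, usernames and timestamps are constructed.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Policy is the rule from the post: a key trips after Burst failures, and
// the failure count drains by one every Interval.
type Policy struct {
	Burst    int
	Interval time.Duration
}

type bucket struct {
	count int
	last  time.Time // instant up to which draining has been applied
}

// Throttle keeps one leaky bucket per key. The key is the caller's choice:
// client address alone, or address joined with the submitted username.
type Throttle struct {
	mu      sync.Mutex
	policy  Policy
	buckets map[string]*bucket
}

func NewThrottle(p Policy) *Throttle {
	return &Throttle{policy: p, buckets: map[string]*bucket{}}
}

// drain removes one failure per whole Interval elapsed since b.last.
func (t *Throttle) drain(b *bucket, now time.Time) {
	steps := int(now.Sub(b.last) / t.policy.Interval)
	if steps <= 0 {
		return
	}
	b.count -= steps
	if b.count < 0 {
		b.count = 0
	}
	b.last = b.last.Add(time.Duration(steps) * t.policy.Interval)
}

// RecordFailure registers a failed login for key at time now and reports
// whether the key is throttled afterwards.
func (t *Throttle) RecordFailure(key string, now time.Time) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	b, ok := t.buckets[key]
	if !ok {
		b = &bucket{last: now}
		t.buckets[key] = b
	}
	t.drain(b, now)
	b.count++
	return b.count >= t.policy.Burst
}

// Throttled reports whether key is currently over the limit without
// counting a new failure, the check a login endpoint makes before trying.
func (t *Throttle) Throttled(key string, now time.Time) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	b, ok := t.buckets[key]
	if !ok {
		return false
	}
	t.drain(b, now)
	return b.count >= t.policy.Burst
}

// proxyAddr is a constructed egress address shared by a whole office.
const proxyAddr = "203.0.113.10"

// proxyScenario replays n distinct users behind proxyAddr each failing
// once at the same instant and reports which keying strategy trips.
func proxyScenario(n int, now time.Time) (byAddr, byAddrAndUser bool) {
	p := Policy{Burst: 5, Interval: time.Second}
	addrOnly, perUser := NewThrottle(p), NewThrottle(p)
	for i := 0; i < n; i++ {
		user := fmt.Sprintf("user%d", i) // constructed username
		if addrOnly.RecordFailure(proxyAddr, now) {
			byAddr = true
		}
		if perUser.RecordFailure(proxyAddr+"|"+user, now) {
			byAddrAndUser = true
		}
	}
	return byAddr, byAddrAndUser
}

func main() {
	now := time.Date(2016, 11, 10, 9, 0, 0, 0, time.UTC)
	byAddr, byUser := proxyScenario(5, now)
	fmt.Printf("5 users, 1 failure each: addr-only throttled=%t, addr+user throttled=%t\n", byAddr, byUser)
	// One account hammering the same key drains at one failure per second.
	t := NewThrottle(Policy{Burst: 5, Interval: time.Second})
	for i := 0; i < 5; i++ {
		t.RecordFailure(proxyAddr+"|alice", now)
	}
	fmt.Println("alice throttled now:", t.Throttled(proxyAddr+"|alice", now))
	fmt.Println("alice throttled 3s later:", t.Throttled(proxyAddr+"|alice", now.Add(3*time.Second)))
}
```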



Re: [cas-user] Can application get TGT ticket?

2016-11-03 Thread Yan Zhou
Thanks for the suggestions.

Going with my scenario, first, user logins to A via CAS, then, AngularJS
calls B.  There is no session for B, so the REST call returns 401, however,
we should not be asking user to login again, since he already logged into
A.  A and B are SSO via CAS.

What we need to do is to get CAS login flow to work in Ajax just as it is
in browser.

The issue with redirect you provided is when B session expires. A won't
know, thus, there is not a way to repeat the redirect trick. Further, we
likely will have B, C, E all as REST services backend, that gets a little
hard to manage.

Thanks,
Yan

On Thu, Nov 3, 2016 at 12:02 PM, Pascal Rigaux <pascal.rig...@univ-paris1.fr
> wrote:

> On 02/11/2016 21:12, Yan Zhou wrote:
>> Can you elaborate on JSONP? Would app. B now have to know user's password?
>
> No need.
> JSONP is pre-CORS. It has some limitations compared to Ajax, but some
> useful possibilities, like auto CAS login.
> Here is an example of adding auto login in angularJS:
> https://github.com/prigaux/angular-seed/commit/4d51d23280eb959a3d1773b2fcc69c4cf50ccd88
>
> By the way, another simpler solution is to allow restricted redirect after
> login in app B.
> Make the user go to:
> - https://b/login?redirect=https://a/
>   which redirects to (normal CAS login)
> - https://cas/login?service= https://b/login?redirect=https://a/
>   which redirects to
> - https://b/login?redirect=https://a/=
>   => set-cookie of application b
>   which redirects to
> - https://a
>   this app can do AJAX request https://b/rest
>   => works since cookie of app B
>
> cu
>



Re: [cas-user] Can application get TGT ticket?

2016-11-02 Thread Yan Zhou
thanks for the feedback.

Unfortunately, we cannot use Proxy Authentication, due to PCI implication.
A non PCI-compliant App proxy a PCI (credit card) service, that would not
be allowed by PCI standards.

The reason we run into problem with CAS protected REST services (App B, no
UI), is that Ajax somehow does not handle redirect (even after I enable
CORS). Browser does it fine, but fails when Ajax tries to access the REST
endpoint without an application session in place, thus triggers CAS login
flow with all the redirect.

I do not see how OAuth solve that problem. Does that requires a Login page
UI to redirect to and back, would not that run into the same problem with
Ajax?

Can you elaborate on JSONP? Would app. B now have to know user's password?
CAS is nice because the application does not see user's password, only CAS
server does.

Thx,
Yan

On Wed, Nov 2, 2016 at 5:41 AM, Pascal Rigaux <pascal.rig...@univ-paris1.fr>
wrote:

> Hi,
>
> Solutions:
> - proxy CAS: As the proxy ticket can only be validated once, you will need
> to cache the ticket, or create your own session
> - JWT: create a JWT and check it on app B.
> - oauth
> - JSONP login on app B. We are using this quite a lot. Simple and works
> great.
>   Commits implementing this on angular-seed:
> https://github.com/prigaux/angular-seed/commits/master
>   and especially the first one:
> https://github.com/prigaux/angular-seed/commit/27eae718ff6fd3206f60926317c7a24ddfd79b68
>   I wrote some doc on this, alas in french:
> http://prigaux.github.io/presentation-web-widgets-cas-jsonp/index.html#/7
>
> Happy CAS,
> cu
>
> On 01/11/2016 20:22, Yan Zhou wrote:
>
>> Hello,
>>
>> CAS protocol does not let the apps (CAS client) get TGT ticket. We have a
>> need for that.
>>
>> We have two web apps, both are casified in CAS 4.1.X. One web app has
>> AngularJS (Javascript) front end, and, the other webapp is UI-Less, it just
>> offers REST services.
>>
>> Javascript code in App A wants to call REST API in App B.  We run into
>> problem with CORS, etc. But, even after CORS are enabled, still run into
>> trouble.
>>
>> So, the thought is, if Javascript code can get hold of TGT after user
>> login to the app. A, then, JS code call use CAS REST API to authenticate
>> against the 2nd app (the UI-less REST Services).
>>
>> Is that a bad idea, and how is that possible?
>>
>> Yan
>>
>
>
> --
> Pascal Rigaux
>
> Expert in application development and deployment
> DSIUN-SAS (applications and digital services department)
> Université Paris 1 Panthéon-Sorbonne  -  Centre Pierre Mendès France (PMF)
> B 402 - 90, rue de Tolbiac -  75634 PARIS CEDEX 13 - FRANCE
> Tel: 01 44 07 86 59
>



[cas-user] where is CAS TGC cookie stored in brower?

2016-10-21 Thread Yan Zhou
Hello,

It was said that the TGT cookie (TGC) is hidden, so that we won't see it. 

I am curious how browser can send such hidden cookie to CAS, when user goes 
to apps?  If browser can see it, there should be a way for us to see it. 

The reason I am asking is because I noticed that Ajax XhrRequest does not 
seem to send TGC cookie in some circumstances, so I need to investigate.

Thx!



[cas-user] How CAS protect server side API in separate apps?

2016-10-20 Thread Yan Zhou


Hi 

 

We have CAS 4.1.x overlay. We have one webapp and one backend services. Two 
different WAR files, both apps are casified.

 

Webapp runs at localhost:8080/myapp, backend service runs at 
localhost:8080/xyzservice  (same domain).

 

After user login successfully into /myapp, its AngularJS code makes 
XhrRequest call, it does HTTP GET on   
/localhost:8080/xyzservice/protected/simple.html

 

I am getting CAS login page in javascript response code when XhrRequest 
call is made. However, if I use browser and navigate to 
/localhost:8080/xyzservice/protected/simple.html,  that works fine.

 

My guess is that 


1) in browser scenario, CAS tells browser to redirect to CAS login page via 
302.  And, when browser GETs the CAS login page, it will send the SSO TGT 
in the cookie.  Everything else follows.


2) in XhrRequest, CAS returns 200 with CAS login page. The XhrRequest does 
not know how to process the HTML login page and it fails.


What do I need to do, so that when XhrRequest is made by a user that is 
already authenticated, it will work just like browser scenario?


Thx!

Yan



[cas-user] How does CAS 4.1.X behave like SAML IdP?

2016-10-13 Thread Yan Zhou
Hi there, 

I am a little confused on SAML support on CAS 4.1.x.  It maybe my 
understanding of SAML is very beginning, too.

I have viewed CAS as an Enterprise SSO solution, rather than a Federated 
SSO solution (across enterprises). But, I hear different things about SAML 
support in CAS. 

CAS 4.1.x doc says:  The CAS server implements the CAS protocol on server 
side and may even behave like  SAML IdP.How does CAS 4.1.X behave 
like  SAML IdP?  

The doc says that CAS supports the standardized SAML 1.1 protocol primarily 
to:  1)Support a method of attribute release  2) Single Logout.  It seems 
suggesting that it does _not_ act like SAML IdP?

The doc. also says that CAS can serve as the authentication provider for 
Shibboleth.   If CAS 4.1.X can behave like SAML IdP, why would it need 
Shibboleth?

Thanks,



[cas-user] this does not work, cas.securityContext.status.access=isAuthenticated()

2016-08-26 Thread Yan Zhou
Hello,

I want to allow any authenticated user to see /status and /statistics. I 
know this is not a good idea, but it is very straightforward in a non-PROD 
environment.

but it doesnot work for me. Am I missing anything?

this works: cas.securityContext.status.access=hasIpAddress('127.0.0.1')

but this does not work:   
 cas.securityContext.status.access=isAuthenticated()

Thanks,
Yan



[cas-user] 4.1.9 repeated ST generation and validation when going to Service Management App

2016-08-22 Thread Yan Zhou
s/js/cas.js?version=7 HTTP/1.1" 200 2789 "https://devcas.dev.medplus.com/cas/login?service=https%3A%2F%2Fdevcas.dev.medplus.com%2Fcas-services%2Flogin%2Fcas" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"

172.18.58.87 - - [22/Aug/2016:14:17:56 +] "GET /cas/api/public/config HTTP/1.1" 200 65 "https://devcas.dev.medplus.com/cas/login?service=https%3A%2F%2Fdevcas.dev.medplus.com%2Fcas-services%2Flogin%2Fcas" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"

172.18.58.87 - - [22/Aug/2016:14:17:57 +] "POST /cas/login?service=https%3A%2F%2Fdevcas.dev.medplus.com%2Fcas-services%2Flogin%2Fcas HTTP/1.1" 302 - "https://devcas.dev.medplus.com/cas/login?service=https%3A%2F%2Fdevcas.dev.medplus.com%2Fcas-services%2Flogin%2Fcas" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"

172.18.58.87 - - [22/Aug/2016:14:17:57 +] "GET /cas-services/login/cas?ticket=ST-31-tLniMcRJ9q5geaIpggzk-devcas02.dev.medplus.com HTTP/1.1" 302 - "https://devcas.dev.medplus.com/cas/login?service=https%3A%2F%2Fdevcas.dev.medplus.com%2Fcas-services%2Flogin%2Fcas" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"

172.18.58.87 - - [22/Aug/2016:14:17:57 +] "GET /cas/login?service=https%3A%2F%2Fdevcas.dev.medplus.com%2Fcas-services%2Flogin%2Fcas HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"

172.18.58.87 - - [22/Aug/2016:14:17:57 +] "GET /cas-services/login/cas?ticket=ST-32-tUwoRoh4USHKTUJaen1e-devcas02.dev.medplus.com HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"

172.18.58.87 - - [22/Aug/2016:14:17:57 +] "GET /cas/login?service=https%3A%2F%2Fdevcas.dev.medplus.com%2Fcas-services%2Flogin%2Fcas HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"

172.18.58.87 - - [22/Aug/2016:14:17:57 +] "GET /cas-services/login/cas?ticket=ST-33-RTRnMOsbyzrU6j339QE0-devcas02.dev.medplus.com HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"

172.18.58.87 - - [22/Aug/2016:14:17:57 +] "GET /cas/login?service=https%3A%2F%2Fdevcas.dev.medplus.com%2Fcas-services%2Flogin%2Fcas HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"


Yan Zhou | Quest Diagnostics Incorporated | Lead Engineer, Healthcare IT 
Solutions | 4690 Parkway Drive | Mason, OH 45040 USA | phone +1 
513-204-2613 | fax +1 513-229-5505 |  yan.x.z...@questdiagnostics.com | 
www.questdiagnostics.com

 

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To post to this group, send email to cas-user@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b5161747-93e7-4adb-8c86-d2dc5c36f022%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.


[cas-user] CAS 4.1.X Cross-Frame Scripting/Clickjacking prevention?

2016-08-19 Thread Yan Zhou
Hi,

We are running CAS 4.1.9 overlay. Our security team, after app scanning, 
has reported that CAS has a security vulnerability:  Cross-frame scripting 
which allows clickjacking.  Basically, CAS allows itself to be framed in 
another app.  

If I understand it correctly, an attacker will use an iframe to frame the 
login page and overlay UI elements on the login form. The user types in user 
credentials and clicks on Login, but the credentials are submitted first to the 
attacker's server, then the form is submitted again to the CAS server. The user 
gets in, he won't see a difference, but the attacker already has the user's 
credentials. 

Their solution is to set the X-Frame-Options header on the web server, which is 
quite simple, no code change.

Is this a vulnerability? It sounds so to me. 

Is there a list of things that we need to do in order to secure CAS?  I did 
not see any mention of this on the CAS Security Guide page. 

Thanks,
Yan

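Added example, not code from the post above or from CAS: a Python check of whether a response's headers, in particular the X-Frame-Options header the security team proposed, actually stop the login page from being framed. It also evaluates the Content-Security-Policy frame-ancestors directive, which supporting browsers honour in preference to X-Frame-Options; the header sets it inspects are constructed samples standing in for a CAS login response, not captured traffic.

```python
"""Classify the anti-framing policy expressed by a set of HTTP response headers.

Added example (not part of the original post or of CAS). The header sets in
SAMPLES are constructed; they are not responses captured from a CAS server.
"""
from typing import Dict, List, Optional


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of CSP's frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> Dict[str, object]:
    """Classify the framing policy of a response.

    Returns the mechanism that decides ("csp", "xfo" or None), the policy
    ("deny", "sameorigin", "allowlist" or "none") and whether it effectively
    blocks cross-origin framing. Header names are matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        # CSP wins: browsers that support frame-ancestors ignore X-Frame-Options.
        if ancestors in ([], ["'none'"]):  # an empty source list also matches nothing
            return {"mechanism": "csp", "policy": "deny", "effective": True}
        if ancestors == ["'self'"]:
            return {"mechanism": "csp", "policy": "sameorigin", "effective": True}
        return {"mechanism": "csp", "policy": "allowlist", "effective": True}
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return {"mechanism": "xfo", "policy": "deny", "effective": True}
    if xfo == "SAMEORIGIN":
        return {"mechanism": "xfo", "policy": "sameorigin", "effective": True}
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete value: current browsers ignore it, so the page stays frameable.
        return {"mechanism": "xfo", "policy": "allowlist", "effective": False}
    return {"mechanism": None, "policy": "none", "effective": False}


# Constructed header sets for a CAS login response (not captured traffic).
SAMPLES = {
    "unprotected": {"Content-Type": "text/html;charset=UTF-8"},
    "xfo_deny": {"Content-Type": "text/html;charset=UTF-8", "X-Frame-Options": "DENY"},
    "xfo_allow_from": {"X-Frame-Options": "ALLOW-FROM https://portal.example"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_overrides_xfo": {"X-Frame-Options": "SAMEORIGIN",
                          "Content-Security-Policy": "frame-ancestors https://portal.example"},
}


def audit(samples: Dict[str, Dict[str, str]]) -> Dict[str, bool]:
    """Map each sample name to whether its headers block cross-origin framing."""
    return {name: framing_policy(h)["effective"] for name, h in samples.items()}


if __name__ == "__main__":
    for name, ok in audit(SAMPLES).items():
        print(f"{name:18} {'protected' if ok else 'FRAMEABLE'}")
```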


[cas-user] why DefaultTicketRegistryCleaner shows up when integrated with Hazelcast?

2016-08-18 Thread Yan Zhou
Hi,

I have integrated with Hazelcast for my CAS 4.1.9 overlay, but seeing this 
message.

I am not using DefaultTicketRegistry, so why does it show up?

Thx,
Yan

2016-08-18 19:19:31,850 INFO 
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - 
Beginning ticket cleanup.
2016-08-18 19:19:31,867 INFO 
[com.hazelcast.partition.InternalPartitionService] - 
[dcasde01.dev.medplus.com]:5701 [dev] [3.5] Initializing cluster partition 
table first arrangement...

2016-08-18 19:19:31,932 INFO 
[com.hazelcast.map.impl.operation.QueryOperation] - 
[dcasde01.dev.medplus.com]:5701 [dev] [3.5] Partition assignments changed 
while executing query: TruePredicate{}

2016-08-18 19:19:31,936 INFO 
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - 0 
expired tickets found to be removed.
2016-08-18 19:19:31,936 INFO 
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - 
Finished ticket cleanup.



[cas-user] Hazelcast Management Center with CAS 4.1.x Hazelcast integration

2016-08-16 Thread Yan Zhou
Hello,

CAS 4.1.x documentation does not say anything about integrating with 
Hazelcast management center.

https://apereo.github.io/cas/4.1.x/installation/Hazelcast-Ticket-Registry.html

I tried to place hazelcast.xml into a directory and use the system property 
hazelcast.config to indicate its location, but it does not look like my CAS 
Hazelcast knows about the management center.  I do not know what else I need to 
do.

Has anyone successfully used Hazelcast management center to monitor 
Hazelcast running alongside CAS?

Thx,
Yan




[cas-user] Hazelcast ticket registry in CAS 4.1.9, connection refused error when startup

2016-08-12 Thread Yan Zhou
Hi,

I am using Hazelcast as the ticket registry for my CAS 4.1.9 overlay.  On 
my local instance of CAS, in the cas.properties, I specified this:

hz.cluster.members=localhost

When starting up CAS, it works fine, but I see these error messages: it 
fails to connect on ports 5702, 5703, etc.  But I can telnet to these 
ports just fine.

What is the nature of these errors?

Thanks!
Yan


2016-08-12 11:20:08,512 DEBUG [com.hazelcast.cluster.impl.TcpIpJoiner] - 
[localhost]:5701 [dev] [3.5] Sending master question to 
Address[localhost]:5703

2016-08-12 11:20:08,526 DEBUG [com.hazelcast.cluster.impl.TcpIpJoiner] - 
[localhost]:5701 [dev] [3.5] Sending master question to 
Address[localhost]:5702

2016-08-12 11:20:08,526 DEBUG [com.hazelcast.nio.tcp.SocketConnector] - 
[localhost]:5701 [dev] [3.5] Starting to connect to Address[localhost]:5703

2016-08-12 11:20:08,568 DEBUG [com.hazelcast.nio.tcp.SocketConnector] - 
[localhost]:5701 [dev] [3.5] Starting to connect to Address[localhost]:5702

2016-08-12 11:20:08,568 INFO [com.hazelcast.nio.tcp.SocketConnector] - 
[localhost]:5701 [dev] [3.5] Connecting to localhost/127.0.0.1:5703, 
timeout: 0, bind-any: true

2016-08-12 11:20:08,568 INFO [com.hazelcast.nio.tcp.SocketConnector] - 
[localhost]:5701 [dev] [3.5] Connecting to localhost/127.0.0.1:5702, 
timeout: 0, bind-any: true

2016-08-12 11:20:09,526 DEBUG [com.hazelcast.cluster.impl.TcpIpJoiner] - 
[localhost]:5701 [dev] [3.5] Will send master question to each address in: 
[Address[localhost]:5703, Address[localhost]:5702]

2016-08-12 11:20:09,526 DEBUG [com.hazelcast.cluster.impl.TcpIpJoiner] - 
[localhost]:5701 [dev] [3.5] NOT sending master question to blacklisted 
endpoints: {}

2016-08-12 11:20:09,526 DEBUG [com.hazelcast.cluster.impl.TcpIpJoiner] - 
[localhost]:5701 [dev] [3.5] Sending master question to 
Address[localhost]:5703

2016-08-12 11:20:09,527 DEBUG [com.hazelcast.cluster.impl.TcpIpJoiner] - 
[localhost]:5701 [dev] [3.5] Sending master question to 
Address[localhost]:5702

2016-08-12 11:20:09,569 INFO [com.hazelcast.nio.tcp.SocketConnector] - 
[localhost]:5701 [dev] [3.5] Could not connect to: 
localhost/127.0.0.1:5703. Reason: SocketException[Connection refused: 
connect to address localhost/127.0.0.1:5703]

2016-08-12 11:20:09,573 DEBUG [com.hazelcast.nio.tcp.SocketConnector] - 
[localhost]:5701 [dev] [3.5] Connection refused: connect to address 
localhost/127.0.0.1:5703
java.net.SocketException: Connection refused: connect to address localhost/127.0.0.1:5703
at sun.nio.ch.Net.connect0(Native Method)
at sun.nio.ch.Net.connect(Net.java:465)
at sun.nio.ch.Net.connect(Net.java:457)
at sun.nio.ch.SocketChannelImpl.connect(SocketChannelImpl.java:670)
at com.hazelcast.nio.tcp.SocketConnector.connectSocketChannel(SocketConnector.java:157)
at com.hazelcast.nio.tcp.SocketConnector.tryToConnect(SocketConnector.java:132)
at com.hazelcast.nio.tcp.SocketConnector.run(SocketConnector.java:68)
at com.hazelcast.util.executor.CachedExecutorServiceDelegate$Worker.run(CachedExecutorServiceDelegate.java:209)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
at com.hazelcast.util.executor.HazelcastManagedThread.executeRun(HazelcastManagedThread.java:76)
at com.hazelcast.util.executor.HazelcastManagedThread.run(HazelcastManagedThread.java:92)

2016-08-12 11:20:09,573 INFO [com.hazelcast.cluster.impl.TcpIpJoiner] - 
[localhost]:5701 [dev] [3.5] Address[localhost]:5703 is added to the 
blacklist.

2016-08-12 11:20:09,579 INFO [com.hazelcast.nio.tcp.SocketConnector] - 
[localhost]:5701 [dev] [3.5] Could not connect to: 
localhost/127.0.0.1:5702. Reason: SocketException[Connection refused: 
connect to address localhost/127.0.0.1:5702]

2016-08-12 11:20:09,579 DEBUG 
[com.hazelcast.nio.tcp.TcpIpConnectionMonitor] - [localhost]:5701 [dev] 
[3.5] An error occurred on connection to Address[localhost]:5703 Cause => 
java.net.SocketException {Connection refused: connect to address 
localhost/127.0.0.1:5703}, Error-Count: 1

2016-08-12 11:20:09,580 DEBUG [com.hazelcast.nio.tcp.SocketConnector] - 
[localhost]:5701 [dev] [3.5] Connection refused: connect to address 
localhost/127.0.0.1:5702
java.net.SocketException: Connection refused: connect to address localhost/127.0.0.1:5702
at sun.nio.ch.Net.connect0(Native Method)
at sun.nio.ch.Net.connect(Net.java:465)
at sun.nio.ch.Net.connect(Net.java:457)
at sun.nio.ch.SocketChannelImpl.connect(SocketChannelImpl.java:670)
at com.hazelcast.nio.tcp.SocketConnector.connectSocketChannel(SocketConnector.java:157)
at com.hazelcast.nio.tcp.SocketConnector.tryToConnect(SocketConnector.java:132)
at com.hazelcast.nio.tcp.SocketConnector.run(SocketConnector.java:68)
at com.hazelcast.util.executor.CachedExecutorServiceDelegate$Worker.run(CachedExecutorServiceDelegate.java:209)
at 

[cas-user] Extend AbstractUsernamePasswordAuthenticationHandler for customized authentication impl.?

2016-08-11 Thread Yan Zhou

Hello, 

I am running CAS Overlay 4.1.9.  Instead of configuring the CAS authentication 
modules (JDBC/LDAP), I extended 
AbstractUsernamePasswordAuthenticationHandler, wrote my own class and 
implemented authentication by looking up both the database and LDAP for my 
business needs. I have attached some code below.

It works fine on a single CAS server. The problem is when I am running two 
CAS servers with memcached storing tickets. Authentication still works fine. 
The problem is with the /serviceValidate call when looking up the ST. 

If server 1 authenticates the user, generating the TGT and ST, but server 2 is 
the one handling the /serviceValidate call (validating the ST), I always get "Failed 
Fetching (Exception waiting for value)" from the memcached client.  But if the 
same server, server 1, handles /serviceValidate, then that works. 

If I replace my MyCASAuthenticationHandler 
with org.jasig.cas.authentication.AcceptUsersAuthenticationHandler, which 
has the default "casuser/Mellon" credential, then the above works fine 
regardless of which server handles  /serviceValidate call.

This is very odd, as I cannot see how Authentication can affect 
/serviceValidate call, but it does, and I can consistently reproduce this.

What am I missing?

Our authentication needs to look up the database first, get some value and, with 
that, look up LDAP; no existing authentication module works that way. It 
seems reasonable to write my own authentication handler and it is very easy to do. 
But apparently that somehow breaks the /serviceValidate call when the call is 
handled by the server that did not perform the authentication.

Is there some kind of server side session variables and/or values that 
/serviceValidate will look up?

Thanks,
Yan



In deployerConfigContext.xml, dataSource, userRepository and ldapTemplate are defined.

    import java.security.GeneralSecurityException;

    import org.jasig.cas.authentication.HandlerResult;
    import org.jasig.cas.authentication.PreventedException;
    import org.jasig.cas.authentication.UsernamePasswordCredential;
    import org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler;
    import org.springframework.ldap.core.LdapTemplate;

    public class MyCASAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {

        // Injected from deployerConfigContext.xml; LoginUserRepository is my own type.
        private LoginUserRepository loginUserRepository;
        private LdapTemplate ldapTemplate;

        public void setLoginUserRepository(final LoginUserRepository repo) { this.loginUserRepository = repo; }
        public void setLdapTemplate(final LdapTemplate ldapTemplate) { this.ldapTemplate = ldapTemplate; }

        @Override
        protected HandlerResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential)
                throws GeneralSecurityException, PreventedException {
            // I look up the database and LDAP to authenticate the user, and update the
            // database here for auditing (lookup code omitted from this post). A failed
            // login must throw a GeneralSecurityException rather than fall through to the
            // return below, which is reached only if authentication is successful.
            return createHandlerResult(credential,
                    this.principalFactory.createPrincipal(credential.getUsername()), null);
        }
    }





[cas-user] MemcachedTicketRegistry asynchronous write to memcached

2016-07-29 Thread Yan Zhou
Hi there,

I intermittently run into this error with my CAS 4.1.9 overlay when 
deployed on two CAS servers with a load balancer in front.  Memcached is 
running on each CAS server.

cas.properties has entries like this:  

memcached.servers=devcas01.dev.medplus.com:11211,devcas02.dev.medplus.com:11211
memcached.protocol=BINARY
memcached.locatorType=CONSISTENT
memcached.failureMode=Cancel
memcached.hashAlgorithm=KETAMA_HASH


Basically, the request goes to one CAS server, user authenticated.  Then, 
the /serviceValidate  call lands on the other CAS server, but it cannot 
find the ticket.

Could there be a race condition?  Before the ticket is physically stored in 
memcache, the call for fetching has already arrived?

I know that memcached does NOT replicate; any ticket is stored in one 
single node, so there is no replication issue. 

Any comments?
Yan


2016-07-29 18:43:17,643 INFO 
[org.jasig.cas.CentralAuthenticationServiceImpl] - Granted ticket 
[ST-1-fIfU1g2irBoeDBafgEs2-devcas01.dev.medplus.com] for service 
[http://localhost:7080/hcp-server-web/login/cas] for user [tkoenig2]

2016-07-29 18:43:17,646 INFO 
[org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
trail record BEGIN

=

WHO: tkoenig2

WHAT: ST-1-fIfU1g2irBoeDBafgEs2-devcas01.dev.medplus.com for 
http://localhost:7080/hcp-server-web/login/cas

ACTION: SERVICE_TICKET_CREATED

APPLICATION: CAS

WHEN: Fri Jul 29 18:43:17 UTC 2016

CLIENT IP ADDRESS: 172.18.58.129

SERVER IP ADDRESS: 172.18.38.109

=

172.18.58.129 - - [29/Jul/2016:18:43:17 +] "*GET /cas/serviceValidate*?ticket=ST-1-fIfU1g2irBoeDBafgEs2-devcas01.dev.medplus.com=http%3A%2F%2Flocalhost%3A7080%2Fhcp-server-web%2Flogin%2Fcas HTTP/1.1" 200 271 "-" "Java/1.8.0_65"


2016-07-29 18:42:41,744 INFO 
[org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered 
services.

2016-07-29 18:42:42,003 INFO 
[org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 17 services.

2016-07-29 18:43:17,806 ERROR 
[org.jasig.cas.ticket.registry.MemCacheTicketRegistry] - *Failed fetching* 
[ST-1-fIfU1g2irBoeDBafgEs2-devcas01.dev.medplus.com, 
java.lang.RuntimeException: Exception waiting for value]

2016-07-29 18:43:17,806 INFO 
[org.jasig.cas.CentralAuthenticationServiceImpl] - Service ticket 
[ST-1-fIfU1g2irBoeDBafgEs2-devcas01.dev.medplus.com] does not exist.

2016-07-29 18:43:17,810 ERROR 
[org.jasig.cas.ticket.registry.MemCacheTicketRegistry] - Failed fetching 
[ST-1-fIfU1g2irBoeDBafgEs2-devcas01.dev.medplus.com, 
java.lang.RuntimeException: Exception waiting for value]

2016-07-29 18:43:17,818 INFO 
[org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
trail record BEGIN

=

WHO: audit:unknown

WHAT: ST-1-fIfU1g2irBoeDBafgEs2-devcas01.dev.medplus.com

ACTION: SERVICE_TICKET_VALIDATE_FAILED

APPLICATION: CAS

WHEN: Fri Jul 29 18:43:17 UTC 2016

CLIENT IP ADDRESS: 172.18.58.129

SERVER IP ADDRESS: 172.18.38.110



[cas-user] Re: CAS 3.5.x and 4.1.x difference in webflow, it persists beyond session timeout

2016-07-28 Thread Yan Zhou
This also explains another difference I have seen.

In 3.5.x CAS, if you stay on the login page for a while without typing 
anything and then type in user credentials, the first time you 
essentially get "session timed out".  You would have to type the user 
credentials a second time to log in.

In 4.1.x CAS there is nothing like that: you can wait for a long time and type in 
user credentials, and it just works, because the flow is resumed and the variables are 
restored.

Yan

On Thursday, July 28, 2016 at 11:03:19 AM UTC-4, Yan Zhou wrote:
>
> Hi there,
>
> Is this a correct statement? I have observed difference.
>
> CAS 4.1.x uses web flow encryption to capture flow states and stores them 
> on the client side. Therefore, even after the HTTP session expires, the flow 
> can resume and continue.  This means I can walk away for hours, and as 
> long as my browser is up and running, I can always come back and click 
> "Continue" to keep going. 
>
> CAS 3.5.x does not do that: the flow execution key is plain text and 
> stored in the HTTP session, and the flow ends at session idle timeout.  This means, if 
> I walk away for hours, coming back and clicking "Continue", the flow ends and 
> redirects me to the starting point of the flow.
>
> Thx.,
>
> Yan
>
>
>



[cas-user] CAS 3.5.x and 4.1.x difference in webflow, it persists beyond session timeout

2016-07-28 Thread Yan Zhou
Hi there,

Is this a correct statement? I have observed a difference.

CAS 4.1.x uses web flow encryption to capture flow states and stores them 
on the client side. Therefore, even after the HTTP session expires, the flow 
can resume and continue.  This means I can walk away for hours, and as 
long as my browser is up and running, I can always come back and click 
"Continue" to keep going. 

CAS 3.5.x does not do that: the flow execution key is plain text and stored 
in the HTTP session, and the flow ends at session idle timeout.  This means, if I walk 
away for hours, coming back and clicking "Continue", the flow ends and redirects me 
to the starting point of the flow.

Thx.,

Yan




[cas-user] Protect Web App and Service API in the same app by CAS

2016-06-02 Thread Yan Zhou
Hi there,

We have a Spring MVC based web app that is protected by a CAS 4.1.7 overlay 
setup.

We are exposing the server side REST API to our clients, the Web App UI 
also calls server side REST API to render the pages.  The web pages work 
well, but the issue is with the REST API.  Even with valid ST tickets, our 
client gets the CAS login page in the HTTP response.  They are calling our 
API like this, appending a valid ST ticket.

https://xxx/api/users?ticket=ST-xyz

My understanding of fixing this is that:

1. Use the CAS Authentication Filter to protect all endpoints, but exclude 
the /api endpoint, so that the CAS login page is not returned in the response 
when /api is invoked.

2. Use the CAS Validation Filter to protect the /api endpoint; it simply gets 
the ticket from the request URL and checks it against the CAS server.  This 
filter does a subset of what the CAS Authentication Filter does.


Does that sound right?  I have not seen any solution for that, even though 
it should be a quite popular setting.


Thanks,

Yan



Re: [cas-user] cannot find ST in debugger mode?

2016-06-01 Thread Yan Zhou
Working now, thx!

On Wednesday, June 1, 2016 at 10:59:44 AM UTC-4, Dmitriy Kopylenko wrote:
>
> Most likely the ST just expires during your debugging session. The default 
> expiration time is 10 seconds. Set it to a higher value for your debugging 
> so it stays valid. The example below sets it to 3 minutes:
>
> *st.timeToKillInSeconds=180*
>
> This could be the same problem with your REST clients - by the time they 
> perform /serviceValidate the ST had already expired.
>
> Cheers,
> D.
>
> On Jun 1, 2016, at 10:48 AM, Yan Zhou <yana...@gmail.com > 
> wrote:
>
> Hi,
>
> Running CAS 4.1.7 overlay, the web app works fine with CAS, until someone 
> says our CAS REST API keeps returning "invalid service ticket" when 
> /serviceValidate is called.
>
> I started to see how the CAS /serviceValidate implementation works when a 
> user logs in from the CAS login page.  I have noticed that if I go through the 
> code in debugger mode step by step, I always end up with "invalid ticket" 
> when ST is validated. 
>
> The log is below, it does not show any sign of tickets being deleted. 
>  And, if I login to app just like a normal user would (without stepping 
> through in debugger), everything is fine. 
>
> I am using Hazelcast as ticket registry.  I do not think that is the 
> issue.
>
> Any suggestion?
>
> Thx!
> Yan
>
> this is my cas.properties for the Hazelcast registry
>
> hz.cluster.members=localhost
>
>
> this is the log, you can see that the ST is created but then we cannot 
> find it. 
>
> 2016-06-01 10:40:54,916 INFO 
> [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted ticket [
> ST-2-ybVUfMrDALVlxNXZbqm5-localhost.dev.medplus.com 
> <http://st-2-ybvufmrdalvlxnxzbqm5-localhost.dev.medplus.com>] for service 
> [http://localhost:8084/cas-admin/j_spring_cas_security_check] for user [y]
> 2016-06-01 10:40:57,039 INFO 
> [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =
> WHO: y
> WHAT: ST-2-ybVUfMrDALVlxNXZbqm5-localhost.dev.medplus.com 
> <http://st-2-ybvufmrdalvlxnxzbqm5-localhost.dev.medplus.com> for 
> http://localhost:8084/cas-admin/j_spring_cas_security_check
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Wed Jun 01 10:40:57 EDT 2016
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
> =
>
>
> 2016-06-01 10:40:57,063 DEBUG 
> [org.springframework.web.servlet.DispatcherServlet] - Null ModelAndView 
> returned to DispatcherServlet with name 'cas': assuming HandlerAdapter 
> completed request handling
> 2016-06-01 10:40:57,063 DEBUG 
> [org.springframework.web.servlet.DispatcherServlet] - Successfully 
> completed request
> 2016-06-01 10:40:57,099 DEBUG 
> [org.springframework.web.servlet.DispatcherServlet] - DispatcherServlet 
> with name 'cas' processing GET request for [/cas/serviceValidate]
> 2016-06-01 10:40:57,100 DEBUG 
> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
>  
> - Looking up handler method for path /serviceValidate
> 2016-06-01 10:40:57,103 DEBUG 
> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping]
>  
> - Did not find handler method for [/serviceValidate]
> 2016-06-01 10:40:57,104 DEBUG 
> [org.springframework.web.servlet.handler.SimpleUrlHandlerMapping] - Mapping 
> [/serviceValidate] to HandlerExecutionChain with handler 
> [org.jasig.cas.web.ServiceValidateController@3768d58d] and 1 interceptor
> 2016-06-01 10:40:57,104 DEBUG 
> [org.springframework.web.servlet.DispatcherServlet] - Last-Modified value 
> for [/cas/serviceValidate] is: -1
> 2016-06-01 10:41:13,383 INFO 
> [org.jasig.cas.CentralAuthenticationServiceImpl] - Service ticket [
> ST-2-ybVUfMrDALVlxNXZbqm5-localhost.dev.medplus.com 
> <http://st-2-ybvufmrdalvlxnxzbqm5-localhost.dev.medplus.com>] does not 
> exist.
> 2016-06-01 10:41:13,854 INFO 
> [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =
> WHO: audit:unknown
> WHAT: ST-2-ybVUfMrDALVlxNXZbqm5-localhost.dev.medplus.com 
> <http://st-2-ybvufmrdalvlxnxzbqm5-localhost.dev.medplus.com>
> ACTION: SERVICE_TICKET_VALIDATE_FAILED
> APPLICATION: CAS
> WHEN: Wed Jun 01 10:41:13 EDT 2016
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
> =
>

[cas-user] cache based ticket registry, recommendations?

2016-05-19 Thread Yan Zhou
Hi,

What does CAS community recommend for Cache Based Ticket Registry?

We currently use memcached, but I have found intermittent issues that 
ticket cannot be found when it should be in the registry. This happens when 
a server is looking up a ticket on a different server.  Instead of getting 
down to TCP/IP-level troubleshooting, I am considering switching to a different 
solution. 

We have an Active-Active HA deployment of CAS 4.1.7 overlay.

Thx,
Yan



[cas-user] intermittent service ticket not found in memcached, but not memcached issue

2016-05-17 Thread Yan Zhou
Hello,

We are experiencing an intermittent ticket error issue with our CAS 4.1.7 overlay 
setup. The same issue exists in our app based on CAS 3.1.5. I am not saying 
that it is a JASIG CAS issue; most likely it is something in our configuration. 
But I cannot find out why. 

We have two servers running CAS on active-active setup with load balancer 
setup for session affinity.  We have one memcached instance running on each 
CAS server, thus two memcached instance running along with two CAS servers.

Intermittently we see that /serviceValidate fails when validating the service 
ticket, because MemcachedTicketRegistry failed to fetch the ticket. I do 
not think that is a memcached issue, because it works fine if I shut down one 
CAS server, leaving one single CAS server running to handle all the 
traffic. This is why I am not posting this on the memcached mailing list. 

But I do not understand why looking up a ticket when we have two CAS servers 
running would fail intermittently in MemcachedTicketRegistry. What I did 
notice is that, when it fails, it is usually Server01 looking up a 
ticket stored on the memcached instance of Server02, or Server02 looking up a 
ticket stored on the memcached instance of Server01.

Any suggestions?

Thx!
Yan


This is my memcached configuration, both servers have identical setting as 
follows.

memcached.servers=server01.dev.medplus.com:11211,server02.dev.medplus.com:11211
memcached.hashAlgorithm=FNV1_64_HASH
memcached.protocol=BINARY
memcached.locatorType=ARRAY_MOD
memcached.failureMode=Redistribute


This is the log I see when it failed.

On server02

172.18.4.136 - - [16/May/2016:20:28:47 +] "POST /cas/login?service=https%3A%2F%2Fintcas.dev.medplus.com%2Fcas-admin%2Fj_spring_cas_security_check HTTP/1.1" 302 -

172.18.4.136 - - [16/May/2016:20:28:49 +] "GET /cas-admin/j_spring_cas_security_check?ticket=ST-1-WLE4H2PcgDuff51TUYnG-dcasde02.dev.medplus.com HTTP/1.1" 302 -

This is seen on server01 (the request is now directed to server01)

172.18.4.136 - - [16/May/2016:20:28:49 +] "GET /cas/serviceValidate?ticket=ST-1-WLE4H2PcgDuff51TUYnG-dcasde02.dev.medplus.com=https%3A%2F%2Fintcas.dev.medplus.com%2Fcas-admin%2Fj_spring_cas_security_check HTTP/1.1" 200 271

It cannot find this ticket, therefore it goes back to the /login page.  If the ticket 
was found, it should redirect to the app's landing page, but it does not.

172.18.4.136 - - [16/May/2016:20:28:49 +] "GET /cas/login?service=https%3A%2F%2Fintcas.dev.medplus.com%2Fcas-admin%2Fj_spring_cas_security_check HTTP/1.1" 302 -

172.18.4.136 - - [16/May/2016:20:28:49 +] "GET /cas/serviceValidate?ticket=ST-2-CHAHXB1PAlYxUZ5Ybcu0-dcasde02.dev.medplus.com=https%3A%2F%2Fintcas.dev.medplus.com%2Fcas-admin%2Fj_spring_cas_security_check HTTP/1.1" 200 213

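Added example, not code from either thread or from CAS, serving both memcached posts above (the 2016-07-29 "asynchronous write" post and the 2016-05-17 "intermittent service ticket not found" post): a Python correlation over access-log lines from both nodes that flags validations landing on a node other than the one that issued the ticket, and marks the ones that appear to fail because the client is bounced straight back to /cas/login for the same service. The ticket-id suffix convention (CAS appends the issuing host name) and the bounce pattern come from the logs in those posts; the log lines, host labels and timestamps below are constructed samples modelled on them.

```python
"""Correlate CAS access logs from two nodes to spot cross-node service-ticket
validations and the ones that appear to fail.

Added example (not from the threads or from CAS). SAMPLE_LOGS is constructed,
modelled on the lines posted in the two memcached threads.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Common-log-format prefix: client ip, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(server, line):
    """Parse one access-log line into an event dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    return {
        "server": server,
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": url.path,
        "query": parse_qs(url.query),
        "status": int(m["status"]),
    }


def issuing_node(ticket):
    """CAS ticket ids look like ST-<seq>-<random>-<host.name>; return the host part."""
    parts = ticket.split("-", 3)
    return parts[3] if len(parts) == 4 else None


def correlate(logs_by_server, window_seconds=5):
    """Return one finding per /serviceValidate request seen across all nodes.

    A validation is 'suspected_failure' when, within window_seconds, the same
    service is sent back to GET /cas/login, which is what the CAS client does
    when validation does not yield an assertion.
    """
    events = [e for server, lines in logs_by_server.items()
              for e in (parse_line(server, l) for l in lines) if e]
    events.sort(key=lambda e: e["time"])  # stable: same-second events keep file order
    findings = []
    for i, ev in enumerate(events):
        if ev["path"] != "/cas/serviceValidate" or "ticket" not in ev["query"]:
            continue
        ticket = ev["query"]["ticket"][0]
        issued_by = issuing_node(ticket)
        deadline = ev["time"] + timedelta(seconds=window_seconds)
        bounced = any(
            later["method"] == "GET" and later["path"] == "/cas/login"
            and later["query"].get("service") == ev["query"].get("service")
            and later["time"] <= deadline
            for later in events[i + 1:]
        )
        findings.append({
            "ticket": ticket,
            "issued_by": issued_by,
            "validated_on": ev["server"],
            "cross_node": issued_by is not None and issued_by != ev["server"],
            "suspected_failure": bounced,
        })
    return findings


SERVICE = "https%3A%2F%2Fintcas.dev.medplus.com%2Fcas-admin%2Fj_spring_cas_security_check"

# Constructed sample logs keyed by node host name (modelled on the thread's lines).
SAMPLE_LOGS = {
    "dcasde02.dev.medplus.com": [
        f'172.18.4.136 - - [16/May/2016:20:28:47 +0000] "POST /cas/login?service={SERVICE} HTTP/1.1" 302 -',
        # constructed: a later validation handled by the node that issued the ticket
        f'172.18.4.136 - - [16/May/2016:20:30:01 +0000] "GET /cas/serviceValidate?ticket=ST-3-cOnStRuCtEdSaMpLe0000-dcasde02.dev.medplus.com&service={SERVICE} HTTP/1.1" 200 271',
    ],
    "dcasde01.dev.medplus.com": [
        f'172.18.4.136 - - [16/May/2016:20:28:49 +0000] "GET /cas/serviceValidate?ticket=ST-1-WLE4H2PcgDuff51TUYnG-dcasde02.dev.medplus.com&service={SERVICE} HTTP/1.1" 200 271',
        f'172.18.4.136 - - [16/May/2016:20:28:49 +0000] "GET /cas/login?service={SERVICE} HTTP/1.1" 302 -',
        f'172.18.4.136 - - [16/May/2016:20:28:49 +0000] "GET /cas/serviceValidate?ticket=ST-2-CHAHXB1PAlYxUZ5Ybcu0-dcasde02.dev.medplus.com&service={SERVICE} HTTP/1.1" 200 213',
    ],
}


def analyse_sample():
    return correlate(SAMPLE_LOGS)


if __name__ == "__main__":
    for f in analyse_sample():
        flag = "FAILED?" if f["suspected_failure"] else "ok"
        print(f'{f["ticket"]:55} issued={f["issued_by"]} validated_on={f["validated_on"]} '
              f'cross_node={f["cross_node"]} {flag}')
```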


[cas-user] CAS 4.1.7 REST API, Illegal character in path

2016-05-10 Thread Yan Zhou
Hi there,

I thought I figured it out, but not quite.  It works on my local Tomcat 
7.0.59, but on our dev server I am getting an error.

When I post to /cas/v1/tickets, I get 400 Bad Request in the response. 
The TicketsResource class is throwing an error.  Why is this?

java.net.URISyntaxException: Illegal character in path at index 133: http://devcas01.dev.medplus.com:8101/cas/v1/tickets/TGT-2-WepbuKRz2lIGIu1boSSdlZwB3ljwxDv9bkHSqGtAqhBVQx74Vk-devcas01.dev.medplus.com

This is the log I am seeing.

2016-05-10 16:55:50,744 DEBUG 
[org.jasig.cas.ticket.registry.MemCacheTicketRegistry] - 
2016-05-10 16:55:50,747 DEBUG 
[org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - 
2016-05-10 16:55:50,747 INFO 
[org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
2016-05-10 16:55:50,749 ERROR [org.jasig.cas.support.rest.TicketsResource] - http://devcas01.dev.medplus.com:8101/cas/v1/tickets/TGT-TGT-***0WDt2ia5xT-devcas01.dev.medplus.com
java.net.URISyntaxException: Illegal character in path at index 134: http://devcas01.dev.medplus.com:8101/cas/v1/tickets/TGT-TGT-***0WDt2ia5xT-devcas01.dev.medplus.com
    at java.net.URI$Parser.fail(URI.java:2829)
    at java.net.URI$Parser.checkChars(URI.java:3002)
    at java.net.URI$Parser.parseHierarchical(URI.java:3086)
    at java.net.URI$Parser.parse(URI.java:3034)
    at java.net.URI.<init>(URI.java:595)
    at org.jasig.cas.support.rest.TicketsResource.createTicketGrantingTicket(TicketsResource.java:83)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:221)
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:137)
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:775)

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5d641801-36c2-4f69-b447-8f12198eeeae%40apereo.org.
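Counting the characters of the URL quoted in the first exception above gives 133, so "index 133" points just past its visible end, at a character that does not print (a carriage return or a space picked up with the host suffix would behave like this). The following added example, which is not code from the thread or from CAS, walks the path of a URL with the RFC 3986 character rules and reports the index and the repr of the first offending character, counted over the whole string the way java.net.URISyntaxException counts it. The sample URL is constructed with a placeholder host and ticket body and a trailing '\r'.

```python
"""Find the character java.net.URI rejects in a ticket URL.

Added example, not from the thread or from CAS. The sample URL is constructed
(placeholder host and ticket) with a trailing carriage return.
"""
import string

# RFC 3986 path characters: pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
_SUB_DELIMS = set("!$&'()*+,;=")
_PATH_CHARS = _UNRESERVED | _SUB_DELIMS | set(":@/%")


def first_illegal_path_char(url: str):
    """Return (index, repr(char)) for the first character in the URL's path
    that RFC 3986 does not allow, or None when the path is clean.

    The index counts from the start of the whole URL string, which is how
    java.net.URISyntaxException reports it ("Illegal character in path at index N").
    """
    scheme_end = url.find("://")
    if scheme_end < 0:
        return None  # not an absolute URL; nothing to inspect here
    path_start = url.find("/", scheme_end + 3)
    if path_start < 0:
        return None  # no path component
    for i in range(path_start, len(url)):
        ch = url[i]
        if ch in "?#":
            break  # query and fragment have their own rules
        if ch not in _PATH_CHARS:
            return (i, repr(ch))
    return None


def describe(url: str) -> str:
    """Human-readable verdict; the repr makes whitespace characters visible."""
    hit = first_illegal_path_char(url)
    if hit is None:
        return "path is clean"
    index, char = hit
    return f"illegal character {char} at index {index} of {len(url)}"


def ticket_id_is_clean(ticket_id: str) -> bool:
    """A ticket id that will be placed in a URL should contain only
    unreserved characters; anything else (including a stray CR or LF
    picked up from a properties file) fails the URI parser later."""
    return bool(ticket_id) and all(ch in _UNRESERVED for ch in ticket_id)


# Constructed: same shape as the Location header in the post, but with a
# placeholder host, a placeholder ticket body, and a trailing '\r'.
SAMPLE_URL = ("http://cas.example.org:8101/cas/v1/tickets/"
              "TGT-2-PLACEHOLDERPLACEHOLDER-cas.example.org\r")
```

Running describe() on the URL copied out of a log reveals a trailing control character immediately, whereas the same URL pasted into a browser looks fine; checking the ticket id with ticket_id_is_clean() before it is used to build the Location header catches the problem where it originates.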


[cas-user] Re: Unable to get REST API to work CAS 4.1.7 overlay

2016-05-10 Thread Yan Zhou
Figured it out.  Thanks for the documentation.

Yan

On Tuesday, May 10, 2016 at 10:36:49 AM UTC-4, Yan Zhou wrote:
>
> Hi there,
>
> I am unable to get the REST API to work with my CAS 4.1.7 overlay setup. I do 
> have a local copy of web.xml.
>
> All I did was add this to my overlay pom.xml; the jar does show up in 
> my CAS WEB-INF/lib directory. The other required changes are already in 
> my web.xml.
>
> <dependency>
>     <groupId>org.jasig.cas</groupId>
>     <artifactId>cas-server-support-rest</artifactId>
>     <version>${cas.version}</version>
>     <scope>runtime</scope>
> </dependency>
>
> My problem is that when I post to the /cas/v1/tickets endpoint, I am getting 
> this error; basically, it says it cannot find the controller handling the 
> /v1/tickets endpoint, but I do not know what I am missing.
>
> 2016-05-10 10:29:13,995 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <DispatcherServlet with name 'cas' processing POST request for [/cas/v1/tickets]>
> 2016-05-10 10:29:13,996 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] - 
> 2016-05-10 10:29:14,001 DEBUG [org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver] - org.springframework.web.HttpMediaTypeNotSupportedException: Content type 'multipart/form-data;boundary=WebKitFormBoundaryu37ixELagG431V6M' not supported>
> 2016-05-10 10:29:14,003 DEBUG [org.springframework.web.servlet.mvc.annotation.ResponseStatusExceptionResolver] - org.springframework.web.HttpMediaTypeNotSupportedException: Content type 'multipart/form-data;boundary=WebKitFormBoundaryu37ixELagG431V6M' not supported>
> 2016-05-10 10:29:14,005 DEBUG [org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver] - org.springframework.web.HttpMediaTypeNotSupportedException: Content type 'multipart/form-data;boundary=WebKitFormBoundaryu37ixELagG431V6M' not supported>
>
> What am I missing?
>
> Thanks in advance. 
>
> Yan
>
> P.S.
>
> I do have a local version of web.xml, based on what is in JASIG CAS. The 
> following changes are ALREADY in web.xml, so I do not have to change 
> anything.
>
> <servlet-mapping>
>     <servlet-name>cas</servlet-name>
>     <url-pattern>/v1/*</url-pattern>
> </servlet-mapping>
>
> <context-param>
>     <param-name>contextConfigLocation</param-name>
>     <param-value>
>         /WEB-INF/spring-configuration/*.xml
>         /WEB-INF/deployerConfigContext.xml
>         classpath*:/META-INF/spring/*.xml
>     </param-value>
> </context-param>
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/18212199-bf4f-4ea6-9a4e-c4c578bc8e4f%40apereo.org.


[cas-user] Unable to get REST API to work CAS 4.1.7 overlay

2016-05-10 Thread Yan Zhou
Hi there,

I am unable to get the REST API to work with my CAS 4.1.7 overlay setup. I do 
have a local copy of web.xml.

All I did was add this to my overlay pom.xml; the jar does show up in 
my CAS WEB-INF/lib directory. The other required changes are already in 
my web.xml.

<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-support-rest</artifactId>
    <version>${cas.version}</version>
    <scope>runtime</scope>
</dependency>

My problem is that when I post to the /cas/v1/tickets endpoint, I am getting 
this error; basically, it says it cannot find the controller handling the 
/v1/tickets endpoint, but I do not know what I am missing.

2016-05-10 10:29:13,995 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <DispatcherServlet with name 'cas' processing POST request for [/cas/v1/tickets]>
2016-05-10 10:29:13,996 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] - 
2016-05-10 10:29:14,001 DEBUG [org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver] - org.springframework.web.HttpMediaTypeNotSupportedException: Content type 'multipart/form-data;boundary=WebKitFormBoundaryu37ixELagG431V6M' not supported>
2016-05-10 10:29:14,003 DEBUG [org.springframework.web.servlet.mvc.annotation.ResponseStatusExceptionResolver] - org.springframework.web.HttpMediaTypeNotSupportedException: Content type 'multipart/form-data;boundary=WebKitFormBoundaryu37ixELagG431V6M' not supported>
2016-05-10 10:29:14,005 DEBUG [org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver] - org.springframework.web.HttpMediaTypeNotSupportedException: Content type 'multipart/form-data;boundary=WebKitFormBoundaryu37ixELagG431V6M' not supported>

What am I missing?

Thanks in advance. 

Yan

P.S.

I do have a local version of web.xml, based on what is in JASIG CAS. The 
following changes are ALREADY in web.xml, so I do not have to change 
anything.

<servlet-mapping>
    <servlet-name>cas</servlet-name>
    <url-pattern>/v1/*</url-pattern>
</servlet-mapping>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring-configuration/*.xml
        /WEB-INF/deployerConfigContext.xml
        classpath*:/META-INF/spring/*.xml
    </param-value>
</context-param>


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4f2b3198-cd7d-4575-82a8-a8e14f291a49%40apereo.org.


[cas-user] Why get Invalid Login Ticket error?

2016-05-09 Thread Yan Zhou
Hi there, 

I am writing Java code to simulate login to a CAS-protected web app, so that 
our QA automation team can use it to test apps protected by CAS without 
manually logging in to CAS over and over.

I have carefully preserved the cookie and ticket values in each call as a 
browser would, but when my code calls the /cas/login endpoint to 
authenticate the user credentials, I always get this error:

You cannot attempt to re-submit a form that has been submitted already.

On the server side, it says: invalid login ticket, even though the ticket is 
indeed valid.

2016-05-09 19:29:59,146 DEBUG 
[org.jasig.cas.web.flow.GenerateLoginTicketAction] - Generated login ticket 
LT-2514-G5i7xw4qGewjAgGnCPFwYtcTOcNypo-devcas02.dev.medplus.com

2016-05-09 19:30:07,872 WARN 
[org.jasig.cas.web.flow.AuthenticationViaFormAction] - Invalid login ticket 
[LT-2514-G5i7xw4qGewjAgGnCPFwYtcTOcNypo-devcas02.dev.medplus.com]

What is the purpose of the following check in AuthenticationViaFormAction?

protected boolean checkLoginTicketIfExists(final RequestContext context) {
    final String loginTicketFromFlowScope = WebUtils.getLoginTicketFromFlowScope(context);
    final String loginTicketFromRequest = WebUtils.getLoginTicketFromRequest(context);


Thanks,
Yan

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/91586f22-25c8-46ce-a0f7-0189f4dd1d89%40apereo.org.
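The check quoted in the post above is the CAS login flow's one-time login ticket (LT) comparison: every rendering of the login view stores a fresh LT in flow scope and embeds it in the form, and a POST is accepted only when the LT it carries equals the one the flow is currently holding, which is what makes a replayed or stale form fail with "invalid login ticket" before any credentials are examined. The following is an added example, not CAS code, that models this with plain dicts so the effect can be observed: the form as first rendered is accepted, and the same form replayed after the view has been rendered again is rejected. The ticket format and node suffix are placeholders, and the constant-time comparison is this example's choice rather than a statement about CAS.

```python
"""One-time login ticket (LT) check, modelled on the CAS 4.x login flow.

Added example, not CAS code. Flow scope and the submitted form are plain
dicts; the ticket format and node suffix are placeholders.
"""
import secrets


class LoginFlow:
    """Minimal model of one execution of the CAS login web flow."""

    def __init__(self, node_suffix: str = "cas-node-placeholder"):
        self.node_suffix = node_suffix
        self.flow_scope = {}

    def render_login_form(self) -> dict:
        """Rendering the login view mints a fresh LT, keeps it in flow scope
        (what GenerateLoginTicketAction does) and embeds it in the form as the
        hidden field 'lt'. Returns the hidden fields a browser would post back."""
        lt = f"LT-{secrets.token_urlsafe(24)}-{self.node_suffix}"
        self.flow_scope["loginTicket"] = lt
        return {"lt": lt}

    def check_login_ticket(self, form: dict) -> bool:
        """The check the post asks about. The LT posted with the credentials
        must equal the LT stored for the current rendering of the form, so a
        stale copy (earlier render, replayed POST, form copied from another
        flow execution) is rejected before the credentials are looked at.
        Constant-time comparison is this example's choice."""
        expected = self.flow_scope.get("loginTicket")
        submitted = form.get("lt")
        if not expected or not submitted:
            return False
        return secrets.compare_digest(expected, submitted)

    def submit(self, form: dict) -> str:
        """Outcome of a POST to /login for this flow execution."""
        if not self.check_login_ticket(form):
            return "invalid-login-ticket"  # the "cannot re-submit a form" error
        return "authenticate"  # credentials would be checked from here on


def replay_scenario() -> tuple:
    """Constructed sequence: first submission accepted; after the view is
    rendered again (new LT), resubmitting the old form is rejected."""
    flow = LoginFlow()
    first_form = flow.render_login_form()
    first = flow.submit(first_form)
    flow.render_login_form()          # e.g. wrong password: view re-rendered
    replay = flow.submit(first_form)  # same 'lt' posted again
    return first, replay
```

A scripted client therefore has to fetch the login page, take the `lt` value (together with the flow execution key and session cookie) from that exact rendering, and post them back once; a value saved from an earlier page load is rejected by design, which is the behaviour the post observes.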


[cas-user] Customized authentication module that does more than JAAS

2016-05-03 Thread Yan Zhou
Hi there,

I am using a CAS 4.1.8 overlay and a JAAS module for authentication. We have 
some customized behavior, such as counting failed login attempts, 
auditing, and retrieving a mapped (real) user id in the database from a 
user-provided user id, so none of the provided authentication providers 
works for us.

The limitation of JAAS is that I cannot get it to work with the Spring LDAP 
library. It seems quite difficult to initialize the Spring context correctly 
within a JAAS login module. Only plain Java LDAP code works.

Is there a way for me to provide my customized authentication 
implementation in CAS in a way that is similar to what JAAS does but does not 
have the limitations of JAAS?

Thanks,
Yan

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/da33408f-5cd1-4f24-926d-9654308ae8f4%40apereo.org.


Re: [cas-user] CAS, 4.1.7, JoseException: A JWS Compact Serialization must have exactly 3 parts separated by period ('.') characters

2016-04-22 Thread Yan Zhou
Can you point me in the right direction as to where this problem can be
fixed? Is this some configuration issue I missed? Or is this outside of
CAS, such as a browser issue?

Yan

On Fri, Apr 22, 2016 at 9:23 PM, Misagh Moayyed <mmoay...@unicon.net> wrote:

> It refers to the ticket-granting cookie. Its value cannot be parsed.
>
> *From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *Yan Zhou
> *Sent:* Friday, April 22, 2016 2:11 PM
> *To:* CAS Community <cas-user@apereo.org>
> *Subject:* [cas-user] CAS, 4.1.7, JoseException: A JWS Compact Serialization must have exactly 3 parts separated by period ('.') characters
>
> Hi there,
>
> With my CAS 4.1.7 overlay, I am getting this exception intermittently. I do not
> know which value this exception is referring to.
>
> The host.name entry in cas.properties is correctly specified.
>
> Any suggestions?
>
> Yan
>
> My cas.properties looks like this; host.name does have the FQDN.
>
> server.name=http://qacas01:8443
> server.prefix=${server.name}/cas
> cas.securityContext.status.access=hasIpAddress('127.0.0.1')
> cas.securityContext.statistics.access=hasIpAddress('127.0.0.1')
> host.name=qacas01.qa.medplus.com
>
> Here is the error.
>
> 2016-04-22 20:58:40,590 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - 
> 2016-04-22 20:59:42,048 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] -  set to null and path /cas/>
> 2016-04-22 20:59:42,048 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] -  to null and path /cas/>
> 2016-04-22 20:59:42,050 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] -  exactly 3 parts separated by period ('.') characters
> java.lang.RuntimeException: org.jose4j.lang.JoseException: A JWS Compact Serialization must have exactly 3 parts separated by period ('.') characters
>     at org.jasig.cas.util.AbstractCipherExecutor.verifySignature(AbstractCipherExecutor.java:100)
>     at org.jasig.cas.util.BaseStringCipherExecutor.decode(BaseStringCipherExecutor.java:124)
>     at org.jasig.cas.util.BaseStringCipherExecutor.decode(BaseStringCipherExecutor.java:42)
>     at org.jasig.cas.web.support.DefaultCasCookieValueManager.obtainCookieValue(DefaultCasCookieValueManager.java:89)
>     at org.jasig.cas.web.support.CookieRetrievingCookieGenerator.retrieveCookieValue(CookieRetrievingCookieGenerator.java:116)
>     at org.jasig.cas.web.flow.InitialFlowSetupAction.doExecute(InitialFlowSetupAction.java:98)
>     at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>     at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>     at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
>     at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>     at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
>     at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
>     at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154)
>     at org.springframework.webflow.engine.Flow.start(Flow.java:526)
>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368)
>     at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223)
>     at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
>     at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:238)
>
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(Unknown Source)
>     at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(Unknown Source)
>     at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(Unknown Source)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(Unknown Source)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: org.j

[cas-user] CAS, 4.1.7, JoseException: A JWS Compact Serialization must have exactly 3 parts separated by period ('.') characters

2016-04-22 Thread Yan Zhou
Hi there,

With my CAS 4.1.7 overlay, I am getting this exception intermittently. I do not 
know which value this exception is referring to.

The host.name entry in cas.properties is correctly specified. 

Any suggestions?

Yan

My cas.properties looks like this; host.name does have the FQDN.


server.name=http://qacas01:8443
server.prefix=${server.name}/cas
cas.securityContext.status.access=hasIpAddress('127.0.0.1')
cas.securityContext.statistics.access=hasIpAddress('127.0.0.1')
host.name=qacas01.qa.medplus.com


Here is the error.

 

2016-04-22 20:58:40,590 INFO 
[org.jasig.cas.services.DefaultServicesManagerImpl] - 

2016-04-22 20:59:42,048 DEBUG 
[org.jasig.cas.web.flow.InitialFlowSetupAction] - 

2016-04-22 20:59:42,048 DEBUG 
[org.jasig.cas.web.flow.InitialFlowSetupAction] - 

2016-04-22 20:59:42,050 DEBUG 
[org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - 
 

2016-04-22 20:59:42,051 DEBUG 
[org.jasig.cas.web.support.CasArgumentExtractor] - https://lbqacas.qa.medplus.com/cas-admin/j_spring_cas_security_check>

2016-04-22 20:59:42,051 DEBUG 
[org.jasig.cas.web.flow.InitialFlowSetupAction] - https://lbqacas.qa.medplus.com/cas-admin/j_spring_cas_security_check]>

2016-04-22 20:59:42,052 DEBUG 
[org.jasig.cas.web.flow.InitialFlowSetupAction] - 

2016-04-22 20:59:42,054 DEBUG 
[org.jasig.cas.web.flow.GenerateLoginTicketAction] - 

 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8e6d17fa-fce7-4d36-95b4-661b61557154%40apereo.org.
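Misagh's reply in the thread above names the value: the ticket-granting cookie (TGC). In CAS 4.1 the cookie value is not the raw TGT id but a JOSE token (the stack trace goes through BaseStringCipherExecutor.decode and AbstractCipherExecutor.verifySignature), so a cookie that does not split into the three dot-separated parts of a JWS compact serialization, such as a value left over from a different CAS version or instance, produces exactly the JoseException quoted. The following is an added example, not CAS code: it signs a cookie value into header.payload.signature with HMAC-SHA256 and, on the way back, treats a malformed or tampered cookie as "no value" instead of letting the parse error escape into the login flow. It only signs (CAS also encrypts the payload before signing), the algorithm choice is this example's, and the key is a constructed placeholder.

```python
"""Signed cookie value codec in the style of CAS 4.1's TGC cipher.

Added example, not CAS code. It signs only (CAS encrypts, then signs) and
uses HMAC-SHA256; the key below is a constructed placeholder.
"""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class CookieValueSigner:
    """Turns a cookie value into a JWS compact serialization and back."""

    def __init__(self, key: bytes):
        self.key = key
        self.header = _b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())

    def _sign(self, header: str, payload: str) -> bytes:
        signing_input = f"{header}.{payload}".encode("ascii")
        return hmac.new(self.key, signing_input, hashlib.sha256).digest()

    def encode(self, value: str) -> str:
        payload = _b64url(value.encode("utf-8"))
        return f"{self.header}.{payload}.{_b64url(self._sign(self.header, payload))}"

    def decode(self, cookie: str):
        """Return the signed value, or None for anything that is not a JWS
        issued with this key (wrong number of parts, bad base64, bad MAC).
        Returning None lets the login flow treat the browser as having no
        SSO session instead of failing with an exception."""
        parts = cookie.split(".")
        if len(parts) != 3:
            return None  # the condition behind the JoseException in the post
        header, payload, signature = parts
        try:
            expected = self._sign(header, payload)
            given = _b64url_decode(signature)
        except (ValueError, UnicodeError):
            return None
        if not hmac.compare_digest(expected, given):
            return None
        try:
            return _b64url_decode(payload).decode("utf-8")
        except (ValueError, UnicodeError):
            return None


# Constructed placeholder key; a deployment derives this from its configured
# signing secret.
DEMO_KEY = b"\x01" * 32


def demo_round_trip() -> tuple:
    """Valid cookie decodes; a legacy raw value and a bad-MAC cookie do not."""
    signer = CookieValueSigner(DEMO_KEY)
    cookie = signer.encode("TGT-1-PLACEHOLDER-cas-node")
    bad_mac = cookie.rsplit(".", 1)[0] + "." + _b64url(b"\x00" * 32)
    return (signer.decode(cookie),
            signer.decode("TGT-1-PLACEHOLDER-cas-node"),  # not a JWS at all
            signer.decode(bad_mac))
```

Seen this way, an intermittent occurrence of the error is a property of what individual browsers send, not of host.name: any client presenting a TGC that was not produced by this key and format hits the structural check first, and the defensive decoder above turns that into "start a new SSO session" rather than a stack trace.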


Re: [cas-user] CAS 4.1.8 snapshot overlay does not include commons-collections4 jar, runtime error

2016-04-15 Thread Yan Zhou
Well, if only I knew how to read.

Interestingly, it worked for 4.1.5 without that dependency.  Maybe it was
just an accident.

On Fri, Apr 15, 2016 at 7:32 PM, Misagh Moayyed <mmoay...@unicon.net> wrote:

> Study
> http://jasig.github.io/cas/4.1.x/integration/Attribute-Resolution.html
>
> *From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *Yan Zhou
> *Sent:* Friday, April 15, 2016 1:33 PM
> *To:* CAS Community <cas-user@apereo.org>
> *Subject:* [cas-user] CAS 4.1.8 snapshot overlay does not include commons-collections4 jar, runtime error
>
> Hi there,
>
> I am seeing a strange issue with the Maven overlay. I just thought I would share it,
> and you may be able to see what I missed.
>
> First of all, everything works fine when I do the overlay on 4.1.5. But when
> I do the overlay on the 4.1.8 snapshot (all I changed is the reference to the CAS
> version), things start to break. I eventually tracked this down to the missing
> jar below.
>
> Even though cas-core already includes this jar, for some reason when I
> overlay the 4.1.8 snapshot it is not being included (mvn dependency:tree does
> not have this jar), which results in some really strange run-time errors.
>
> <dependency>
>     <groupId>org.apache.commons</groupId>
>     <artifactId>commons-collections4</artifactId>
>     <version>4.0</version>
> </dependency>
>
> I am glad my overlay on top of the 4.1.8 snapshot is working now, after I
> explicitly included the jar above in my pom.xml.
>
> The following is my pom.xml for the overlay project.
>
>
> <project xmlns="http://maven.apache.org/POM/4.0.0"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
>     <modelVersion>4.0.0</modelVersion>
>
>     <parent>
>         <groupId>com.quest.hub.cas</groupId>
>         <artifactId>cas-suite</artifactId>
>         <version>1.0</version>
>     </parent>
>
>     <artifactId>cas-server</artifactId>
>     <packaging>war</packaging>
>
>     <name>cas server</name>
>     <description>CAS Server Application</description>
>
>     <build>
>         <plugins>
>             <plugin>
>                 <groupId>org.apache.maven.plugins</groupId>
>                 <artifactId>maven-war-plugin</artifactId>
>                 <version>2.4</version>
>                 <configuration>
>                     <warName>cas</warName>
>                     <overlays>
>                         <overlay>
>                             <groupId>org.jasig.cas</groupId>
>                             <artifactId>cas-server-webapp</artifactId>
>                             <excludes>
>                                 <exclude>WEB-INF/cas.properties</exclude>
>                                 <exclude>WEB-INF/classes/log4j2.xml</exclude>
>                             </excludes>
>                         </overlay>
>                     </overlays>
>                 </configuration>
>             </plugin>
>             <plugin>
>                 <groupId>org.apache.maven.plugins</groupId>
>                 <artifactId>maven-compiler-plugin</artifactId>
>                 <version>3.5</version>
>                 <configuration>
>                     <source>${java.source.version}</source>
>                     <target>${java.target.version}</target>
>                 </configuration>
>             </plugin>
>         </plugins>
>     </build>
>
>     <dependencies>
>         <dependency>
>             <groupId>javax.servlet</groupId>
>             <artifactId>javax.servlet-api</artifactId>
>             <version>3.0.1</version>
>             <scope>provided</scope>
>         </dependency>
>
>         <dependency>
>             <groupId>org.jasig.cas</groupId>
>             <artifactId>cas-server-webapp</artifactId>
>             <version>${cas.version}</version>
>             <type>war</type>
>             <scope>runtime</scope>
>         </dependency>
>
>         <dependency>
>             <groupId>org.jasig.cas</groupId>
>             <artifactId>cas-server-support-generic</artifactId>
>             <version>${cas.version}</version>
>             <type>jar</type>
>         </dependency>
>
>         <dependency>
>             <groupId>org.jasig.cas</groupId>
>             <artifactId>cas-server-integration-memcached</artifactId>
>             <version>${cas.version}</version>
>         </dependency>
>
>         <dependency>
>             <groupId>org.springframework.data</groupId>
>             <artifactId>spring-data-jpa</artifactId>
>             <version>1.9.1.RELEASE</version>
>         </dependency>
>
>

[cas-user] 4.1.8 snapshot error, but works in 4.1.5 release

2016-04-13 Thread Yan Zhou
Hi,

I am using the 4.1.8 snapshot of CAS, because that is the only version that has 
fixed the "Identifier too long" bug in the JPA service registry for Oracle.

But I run into this error when logging in to CAS; did anyone have the same 
problem? When I switch back to the 4.1.5 release of CAS, it works fine (but 
obviously I cannot use the service registry in Oracle, so I use JSON instead).

Any suggestions? The error follows. I wonder if I misconfigured something, 
but switching to 4.1.5 CAS works correctly.

Can someone verify that I have deployerConfigContext.xml defined correctly, 
at the bottom of this email?

Thx,



2016-04-12 17:13:43,997 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - 

2016-04-12 17:13:43,998 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 

2016-04-12 17:13:44,002 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <'principal' cannot be null.
Check the correctness of @Audit annotation at the following audit point: execution(public abstract transient org.jasig.cas.authentication.Authentication org.jasig.cas.authentication.AuthenticationManager.authenticate(org.jasig.cas.authentication.Credential[]))

java.lang.IllegalArgumentException: 'principal' cannot be null.
Check the correctness of @Audit annotation at the following audit point: execution(public abstract transient org.jasig.cas.authentication.Authentication org.jasig.cas.authentication.AuthenticationManager.authenticate(org.jasig.cas.authentication.Credential[]))
    at org.jasig.inspektr.audit.AuditActionContext.assertNotNull(AuditActionContext.java:80)
    at org.jasig.inspektr.audit.AuditActionContext.<init>(AuditActionContext.java:62)
    at org.jasig.inspektr.audit.AuditTrailManagementAspect.executeAuditCode(AuditTrailManagementAspect.java:153)
    at org.jasig.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:141)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
    at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:68)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:168)
    at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at com.ryantenney.metrics.spring.AbstractMetricMethodInterceptor.invoke(AbstractMetricMethodInterceptor.java:62)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)




This is my customized deployerConfigContext.xml




<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:jee="http://www.springframework.org/schema/jee"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:jpa="http://www.springframework.org/schema/data/jpa"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
           http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
           http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
           http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee.xsd
           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
           http://www.springframework.org/schema/data/jpa http://www.springframework.org/schema/data/jpa/spring-jpa.xsd">



















 

[cas-user] CAS 4.1.x JPA service registry table schema: how to map RegisteredServiceImplProperty?

2016-04-07 Thread Yan Zhou
Hi there,

I am using the JPA service registry to store services in a DB table (Oracle), 
with a CAS 4.1.5 overlay setup.

The JPA class AbstractRegisteredService makes reference to a table, 
RegisteredServiceImplProperty, via the join 
table DefaultRegisteredService_Properties. Neither table is mentioned in 
the CAS documentation. Furthermore, both AbstractRegisteredService 
and DefaultRegisteredServiceProperty have the same default ID column. Is 
this a valid JPA mapping? I do not see how the default JPA registry can 
work.

I tried to customize the AbstractRegisteredService class, which is part of 
cas-core; this means I have to rebuild cas-core with my 
AbstractRegisteredService class, because both the CAS app and the 
Service Management app depend on it. That sounds quite complicated.

Any suggestions?

Thanks,
Yan

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6f1265cb-60f9-4b5f-ad7d-4ae4b52371f6%40apereo.org.


[cas-user] Jpa Service Registry, how should values be stored in database table

2016-03-31 Thread Yan Zhou
Hi,

I am overlaying CAS 4.1.5 and using the JPA service registry. I have had 
success with the JSON file-based service registry. Now I am moving all service 
definitions into Oracle tables.

How should values be stored in the DB table columns? Do I just copy the JSON 
data and paste it there?

I have this in the ACCESS_STRATEGY column

{
  "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
  "enabled" : true,
  "ssoEnabled" : true,
  "requireAllAttributes" : true,
  "caseInsensitive" : false
}

I have this in the ATTRIBUTE_RELEASE column

{
  "@class" : "org.jasig.cas.services.ReturnAllAttributeReleasePolicy",
  "principalAttributesRepository" : {
    "@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
  },
  "authorizedToReleaseCredentialPassword" : false,
  "authorizedToReleaseProxyGrantingTicket" : false
}

I am getting the error: Caused by: javax.persistence.PersistenceException: 
org.hibernate.type.SerializationException: could not deserialize

Any examples you can share, if you have had success with the JPA service 
registry?

Thx,
Yan



[cas-user] best practice? webapp timeout and logout when use CAS

2016-03-31 Thread Yan Zhou
Hi there, 

We have several apps using CAS 4.1.5. Different apps have different idle 
session timeout settings: some time out after 30 minutes, others after 1 hour, etc.

Two questions.

1. When a user logs out from a web app, it provides the best user experience if 
the app logs out the user AND logs out the CAS SSO session. Is that correct?

Alternatively, if the app logs out but the CAS SSO session remains, the user 
only needs to refresh the browser and he will be back in the app without logging in 
again; that sounds a little odd: you log out but do not have to log in.

2. When a user times out (idle timeout) in an app, it seems that a refresh 
of the browser will get the user back into the app. What is the best way to 
implement application idle timeout?

One option I would suggest is to require all apps to have the same idle timeout as 
the CAS session. The CAS default is 2 hours, but we can require all apps and 
CAS to agree on a value. Is that best practice?

Can anyone lead me to some CAS best practice on this subject?

Thanks,
Yan



[cas-user] Figured out, support theme in subflow

2016-03-29 Thread Yan Zhou
Hi there, 

I want to define a subflow in CAS' main login flow to reset the user's password. 
The reason I want to define it as a subflow is that I do not want the 
URL to change in the browser. And after the user completes the password change and 
logs in successfully, he should be redirected to the original URL (in the 
application) that he was trying to go to in the first place.

I noticed a problem: while the main flow shows the theme UI correctly, the 
subflow always goes back to the default theme. It turns out that "service" 
is a flowScope attribute, therefore the subflow does not see it.

public static WebApplicationService getService(final RequestContext context) {
    return context != null ? (WebApplicationService) context.getFlowScope().get("service") : null;
}


What I did is manually pass flowScope.service from the parent flow into the 
subflow. See below.

Does that sound correct?  Any better suggestion?


in the main login parent flow






in the child change password flow


   

 



Thanks,
Yan



[cas-user] Create a separate webflow in CAS4

2016-02-22 Thread Yan Zhou


Hi there, 

 

With CAS4 + overlay, I want to create a separate webflow for when a user wants to 
reset their password (without going through the login flow), such as 
https://<host>/cas/resetpassword.

 

I am having trouble mapping the URL /resetpassword to this new flow. This 
could be a Spring Web Flow issue, since I am new to it.

 

Registration is successful, but when I type the URL, it goes to the /login 
page. There is nothing in the log indicating that it attempts to map 
the request to my new flow.

 

Did I miss something?

Yan

 

2016-02-22 14:12:55,763 DEBUG [org.springframework.webflow.definition.registry.FlowDefinitionRegistryImpl] - Registering flow definition 'ServletContext resource [/WEB-INF/webflow/resetpassword/resetpassword-webflow.xml]' under id 'resetpassword'

 

I created a cas-servlet-extension.xml with content like this. It is 
loaded successfully but does not do anything.

 

 

 

 

 

 

 

 

  

 

  

 

 

   

 

   

 

   

 



 

 

 


