Re: [cas-user] Kill all CAS sessions
Thanks Scott,

If I use JPATicketRegistry and I delete all rows in tables: ticketgrantingticket and serviceticket I kill all CAS sessions, is it a good solution?

scott_battaglia wrote:

We don't allow you to issue a kill command to the CAS server at this moment. Depending on your backing storage, you may be able to implement something specific to your backend.

-Scott

On Mon, Apr 13, 2009 at 11:55 AM, Diego Benedicto diego.benedi...@gmail.com wrote:

Hi all,

Is there a way to kill all CAS sessions? I want from an external web application to choose CLOSE CAS and update a column in a table and kill all living CAS sessions (all the TGT I think)

Thanks in advance,
Diego

--
View this message in context: http://www.nabble.com/Kill-all-CAS--sessions-tp23024291p23034692.html
Sent from the CAS Users mailing list archive at Nabble.com.

--
You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] Announcing a new OpenCms7.0.5-CAS3.3.1-LDAP module release
Hi list,

I'm glad to announce a new module release for OpenCms7.0.5, CAS 3.3.1 and OpenLDAP. The module is tested in Fedora 10, Tomcat 5.5.27, MySQL 5.0.67, OpenCms 7.0.5, CAS 3.3.1, OpenLDAP 2.4.12 and OpenJDK 1.6.0.

What's new:

1. Two new authorization handlers are added in this release to support CAS or LDAP based authorization. The handlers can create/adjust a user's groups(OU)/roles by groupOfNames(groupsOfUniqueNames)/roleOccupant or alias.

2. CAS 2.0 protocol is supported. And when using CAS handlers, OpenCms will not search LDAP directly anymore. This change will make it possible for those who want to use a database for OpenCms-CAS authz/authn. The user's information will be got from the /serviceValidate (or your customized servlet) and attributes. The attributes can be put by PersonDirectory or its extension.

CAS + LDAP authz authn:

[ASCII sequence diagram, garbled in the archive. Columns: Client, OpenCms, CAS, LDAP. Surviving step labels: check permission, allowed?, guest?, has ticket?, to /login, username/password, authz, logged in?, forward the url, has CmsUser?, /serviceValidate, find, store user info.]

How to get it:

You can get this module from Langhua SVN:
http://www.langhua.cn/langhua/modules/ldap/branch/opencms7.0.5-cas3.3.1-ldap/
Username: anon
Password: anon

Or ViewVC:
http://www.langhua.cn/viewvc/svn/modules/ldap/branch/opencms7.0.5-cas3.3.1-ldap/

Enjoy it,
Shi Yusen/Beijing Langhua Ltd.
Re: [cas-user] Kill all CAS sessions
It is a best solution: for each TGT, a REST request to DELETE cas/tickets/TGTx, so CAS sends logout request for all applications logged with a TGT.

Diego Benedicto wrote:

Thanks Scott,

If I use JPATicketRegistry and I delete all rows in tables: ticketgrantingticket and serviceticket I kill all CAS sessions, is it a good solution?

scott_battaglia wrote:

We don't allow you to issue a kill command to the CAS server at this moment. Depending on your backing storage, you may be able to implement something specific to your backend.

-Scott

On Mon, Apr 13, 2009 at 11:55 AM, Diego Benedicto diego.benedi...@gmail.com wrote:

Hi all,

Is there a way to kill all CAS sessions? I want from an external web application to choose CLOSE CAS and update a column in a table and kill all living CAS sessions (all the TGT I think)

Thanks in advance,
Diego
RE: [cas-user] Logout from CAS an user
A solution is to use the JPATicketRegistry and in an extra table (users_logued) to store:

user | TGT | date login | date logout

users_logued is updated in login, logout and ticket cleaner. So if we want to logout a user from an external web application we can select all the TGT of a user where logout is null and with all these TGTs to make request REST: DELETE cas/tickets/TGTxxx

Pieslak, Brian wrote:

This is also a feature I am looking for on my product's roadmap, so whatever solution is identified, could someone please socialize the design/implementation on the CAS wiki?

Thanks,
-Brian

From: Diego Benedicto [diego.benedi...@gmail.com]
Sent: Monday, April 13, 2009 11:44 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] Logout from CAS an user

Hi all,

I need to logout from CAS a user from an external web application... For example: logged as an admin in a web application that selects to block a user (a column in a table) and in this moment the web application send a request to CAS that logout this user (I would secure the request with a Proxy Ticket)

Thanks in advance,
Diego
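
The per-user logout described in this message and in the "Kill all CAS sessions" reply (select the user's open TGTs from users_logued, then send DELETE cas/tickets/<TGT> for each), as an added example that is not part of the original posts or of CAS itself. The CAS base URL, the column names, the ticket-id pattern and the fake_send transport are assumptions, and the table rows are constructed sample data.

```python
import re
import sqlite3
from urllib.request import Request

CAS_BASE = "https://cas.example.org/cas"      # assumption: placeholder CAS URL
TGT_RE = re.compile(r"TGT-[A-Za-z0-9.\-]+")   # assumption: ticket id shape

def make_db():
    """In-memory stand-in for the users_logued table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE users_logued ("user" TEXT, tgt TEXT PRIMARY KEY,'
               " date_login TEXT, date_logout TEXT)")
    db.executemany("INSERT INTO users_logued VALUES (?, ?, ?, ?)", [
        ("alice", "TGT-1-aaa-cas.example.org", "2009-04-13T09:00", None),
        ("alice", "TGT-2-bbb-cas.example.org", "2009-04-13T10:00", "2009-04-13T11:00"),
        ("alice", "TGT-3-ccc-cas.example.org", "2009-04-14T08:00", None),
        ("bob", "TGT-4-ddd-cas.example.org", "2009-04-14T08:30", None),
    ])
    return db

def open_tgts(db, user):
    """TGTs of one user that have no logout date yet, oldest first."""
    cur = db.execute('SELECT tgt FROM users_logued WHERE "user" = ? '
                     "AND date_logout IS NULL ORDER BY date_login", (user,))
    return [row[0] for row in cur]

def delete_request(tgt):
    """Build DELETE cas/tickets/<TGT>; reject ids that could alter the path."""
    if not TGT_RE.fullmatch(tgt):
        raise ValueError("not a ticket-granting ticket id: %r" % tgt)
    return Request("%s/tickets/%s" % (CAS_BASE, tgt), method="DELETE")

def logout_user(db, user, send, now):
    """Destroy every open TGT of `user`; return (closed, failed) id lists.

    `send` takes a Request and returns the HTTP status code. A row is marked
    logged out only after a 2xx answer, so a failed DELETE is retried later.
    """
    closed, failed = [], []
    for tgt in open_tgts(db, user):
        status = send(delete_request(tgt))
        if 200 <= status < 300:
            db.execute("UPDATE users_logued SET date_logout = ? WHERE tgt = ?",
                       (now, tgt))
            closed.append(tgt)
        else:
            failed.append(tgt)
    db.commit()
    return closed, failed

def fake_send(req):
    """Offline stand-in for urllib.request.urlopen: fails for one ticket."""
    assert req.get_method() == "DELETE"
    return 500 if req.full_url.endswith("TGT-3-ccc-cas.example.org") else 200

if __name__ == "__main__":
    db = make_db()
    print(logout_user(db, "alice", fake_send, "2009-04-14T12:00"))
    print(open_tgts(db, "alice"))   # the failed ticket is still open
```

Against a live server, `send` would wrap an HTTPS call carrying whatever credentials protect the CAS REST endpoint; the row is only closed once CAS confirms the ticket is gone.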
[cas-user] CAS 3.3.2
All,

I'm working on an official message, as well as updating the web site, but I'm not familiar with the way the new system works so it's going to take a while :-)

In the meantime, minus the official change log and acknowledgments, you can find the CAS 3.3.2 release:

http://www.ja-sig.org/downloads/cas/cas-server-3.3.2-release.tar.gz
http://www.ja-sig.org/downloads/cas/cas-server-3.3.2-release.zip

Once I can update the web site I'll send out a more official message.

Thanks
-Scott
[cas-user] How to configure CAS for case-sensitive userid
Can anyone offer advice on how to configure CAS for case-sensitive userids?

The current behavior of CAS, server version 3.2.1, is to accept any combination of uppercase and lowercase letters that make up the userid. For example, admin is treated the same as AdMIn or adMIN when providing a username/password and will be authenticated, even though only the admin is stored in the LDAP. The desired behavior is to treat admin, AdMIn, and adMIN as three separate userids and reject a login attempt with the wrong case.

From a little research, it appears that it may be a matter of configuring the LDAP handler bean with the right filter. The bean is currently configured as follows:

    <bean id="ldapHandler" class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
        <property name="filter" value="uid=%u" />
        ...
    </bean>

Can anyone provide the proper way to configure this bean for case-sensitivity or is there something else that needs to be done?

Thanks!
Barry Silk
Re: [cas-user] How to configure CAS for case-sensitive userid
Barry Silk wrote:

Can anyone offer advice on how to configure CAS for case-sensitive userids?

Why do you want that? It's the opposite of common practice.

Note that this is not only a matter of how CAS treats the case of user-IDs. In your case the matching rules applied to the attribute type which holds the user-ID are part of the problem either. So you can't use standard attribute 'uid' since the standard defines it with case-insensitive matching rule.

I'd strongly recommend to rethink your approach.

Ciao, Michael.
Re: [cas-user] phpCAS client not working with some Macs
Looks like one of the issues was with a 302 redirect. The CAS login page comes up immediately now, but it is still hanging on the redirect back to the portal after the user logs in. Has anyone had issues with these redirects on a Mac?

Andy

On Apr 2, 2009, at 11:42 AM, Eric Pierce wrote:

Are you using any load balancers for CAS or the portal? If so, is the config the same on all the machines?

Eric Pierce, RHCE -- University of South Florida -- (813) 974-8868 -- epie...@usf.edu

On Thu, Apr 2, 2009 at 10:59 AM, Andrew Stutzman stutz...@tcnj.edu wrote:

Going directly to CAS is fine. It seems to happen when phpCAS is redirecting to the login or after the CAS login has redirected back to the portal. I'm wondering if the session cookie is being corrupted somehow.

Andy

On Apr 2, 2009, at 10:36 AM, Eric Pierce wrote:

I only use a Mac (unless I'm testing something in a VM) and we use the phpCAS client for almost everything here and I haven't seen or heard of any problems. Does it only happen when they get redirected or do they timeout if they try to go directly to the CAS login page also?

-Eric

Eric Pierce, RHCE -- University of South Florida -- (813) 974-8868 -- epie...@usf.edu

On Thu, Apr 2, 2009 at 10:14 AM, Scott Battaglia scott.battag...@gmail.com wrote:

I'm not sure how much help I can be. I use a Macbook Pro on our wireless network at school here about 3 to 4 times a week (usually during class ;-)), though not all of it is accessing CAS protected resources. I've never noticed any issues, though we use the Java client more frequently than the phpCAS client.

On Thu, Apr 2, 2009 at 9:36 AM, Andrew Stutzman stutz...@tcnj.edu wrote:

Has anyone experienced issues with the phpCAS client not working on Macs? We've just implemented CAS3 with our home grown portal. We have complaints from some students with Macs that they cannot access the site from off campus. Doesn't matter the browser or the OSX version. Most people are on wireless and the issue sometimes resolves itself if they plug directly into their router.

They hit our portal which tries to send them to the CAS login page via the phpCAS client. It usually times out before the login page appears. Sometimes though the login page appears but when they login it times out again.

Here's the weird thing... one of my employees took an old Powerbook (with OSX 10.411) home and could not connect from via wireless. He was fine when he plugged into his router. I took the same Powerbook home last night and I got in just fine. I've never had an issue and I use a MacBook Pro at home and at work.

Maybe this isn't a CAS issue. I'm not sure. Frankly, I'm just stumped. Any help would be appreciated.

Andy

--
Andrew Stutzman
Associate Director of User Support Services
The College of New Jersey
e: stutz...@tcnj.edu
p: 609-771-3130
Re: [cas-user] Error while configuring Services Management
yes, In the logs it is successfully logging user 'agoel'

2009-04-14 12:26:09,949 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ ST-3-hfNoXdK1SWFLOBbnYk3Q-cas-dev.tamu.edu] for service [ https://cas-dev.tamu.edu/cas/services/j_acegi_cas_security_check] for user [agoel]
2009-04-14 12:26:09,950 DEBUG [org.jasig.cas.web.flow.GenerateServiceTicketAction] - Action 'GenerateServiceTicketAction' completed execution; result is 'success'

These are from catalina.out logs. Is this what you meant?

On Tue, Apr 14, 2009 at 10:31 AM, Scott Battaglia scott.battag...@gmail.com wrote:

Did you check your log files?

On Tue, Apr 14, 2009 at 1:24 PM, Ashima ashig...@gmail.com wrote:

Thanks for reply. So now I am again using:-

    <bean id="userDetailsService" class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
        <property name="userMap">
            <value>
                agoel=notused,ROLE_ADMIN
            </value>
        </property>
    </bean>

But with this even when I am logging-in with user 'agoel' it keep giving me 'Authorization Failure' error when I am trying to access cas/services url. Where should I look to find what is the problem.
Re: [cas-user] Error while configuring Services Management
Logging into CAS is different from being authorized to use the services management tool. If you're using a self-signed certificate for your CAS server, make sure it's in the JVM's cacerts file.

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Tue, Apr 14, 2009 at 1:37 PM, Ashima Goel ashig...@gmail.com wrote:

yes, In the logs it is successfully logging user 'agoel'

2009-04-14 12:26:09,949 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ ST-3-hfNoXdK1SWFLOBbnYk3Q-cas-dev.tamu.edu] for service [ https://cas-dev.tamu.edu/cas/services/j_acegi_cas_security_check] for user [agoel]
2009-04-14 12:26:09,950 DEBUG [org.jasig.cas.web.flow.GenerateServiceTicketAction] - Action 'GenerateServiceTicketAction' completed execution; result is 'success'

These are from catalina.out logs. Is this what you meant?

On Tue, Apr 14, 2009 at 10:31 AM, Scott Battaglia scott.battag...@gmail.com wrote:

Did you check your log files?

On Tue, Apr 14, 2009 at 1:24 PM, Ashima ashig...@gmail.com wrote:

Thanks for reply. So now I am again using:-

    <bean id="userDetailsService" class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
        <property name="userMap">
            <value>
                agoel=notused,ROLE_ADMIN
            </value>
        </property>
    </bean>

But with this even when I am logging-in with user 'agoel' it keep giving me 'Authorization Failure' error when I am trying to access cas/services url. Where should I look to find what is the problem.
RE: [cas-user] Logout from CAS an user
Another solution is to store the user in the table ticketgrantingticket, using JpaTicketRegistry. How can I modify JpaTicketRegistry to achieve it?

Diego Benedicto wrote:

A solution is to use the JPATicketRegistry and in an extra table (users_logued) to store:

user | TGT | date login | date logout

users_logued is updated in login, logout and ticket cleaner. So if we want to logout a user from an external web application we can select all the TGT of a user where logout is null and with all these TGTs to make request REST: DELETE cas/tickets/TGTxxx

Pieslak, Brian wrote:

This is also a feature I am looking for on my product's roadmap, so whatever solution is identified, could someone please socialize the design/implementation on the CAS wiki?

Thanks,
-Brian

From: Diego Benedicto [diego.benedi...@gmail.com]
Sent: Monday, April 13, 2009 11:44 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] Logout from CAS an user

Hi all,

I need to logout from CAS a user from an external web application... For example: logged as an admin in a web application that selects to block a user (a column in a table) and in this moment the web application send a request to CAS that logout this user (I would secure the request with a Proxy Ticket)

Thanks in advance,
Diego