[cas-user] caching attributes?

2013-09-12 Thread Paul B. Henson
So I'm trying to get CAS to retrieve attributes from LDAP, and ideally 
cache them to decrease load. I'm looking at:


https://wiki.jasig.org/display/PDM15/Attribute+Caching

and trying to figure out how to set the size of the cache and the TTL.

It seems I need to use the userInfoCache property to tell it what cache 
to use. I've found some examples that use 
org.jasig.portal.utils.cache.MapCacheFactoryBean for this, which has a 
property "cacheFactory", but I haven't found any examples for that 
definition.


Am I missing some obvious documentation somewhere? My google-fu is 
failing me, I've been flailing at this for a couple of hours and really 
made no headway on understanding how to configure this caching.


Thanks…

--
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  hen...@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768

--
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user


[cas-user] Banner Workflow and CAS AuthenticationProviderKey

2013-09-12 Thread Ben Branch
All,

We recently started integrating our Banner environment with CAS.  We have 
successfully integrated Banner INB into the CAS without any issues.  We have 
recently begun the process of trying to configure the Workflow and Travel & 
Expense modules into the CAS as well.  One of the things that the Banner 
documentation mentions is that we need to set an AuthenticationProviderKey of 
some kind on the CAS along with releasing a specific attribute.  We were able 
to configure the attribute part fairly quickly, since we needed it to make Banner 
INB work properly.  Now that we have the attributes configured properly, we are 
seeing issues with trying to authenticate the Workflow piece to the CAS.  From 
the CAS end of things, everything appears fine.  Users authenticate and we 
successfully generate a TGT ticket and a ST ticket, and we see a successful 
validation from the CAS side, but then we get an error on the Workflow side 
saying that authentication has failed.  I believe what is causing this to fail 
is the lack of the AuthenticationProviderKey on my CAS server, but I am 
uncertain how to configure this with my current configuration.  Does anyone 
have any helpful examples that I can review to see how to set up 
AuthenticationProviderKey properly?  Any help on this would be greatly 
appreciated.

Many thanks in advance,

Ben Branch
UNIX/Linux Administrator
University of Central Oklahoma
ITIL Foundation v3, Network+, RHCSA

100 N. University Drive, Box 122
Edmond, OK 73034
D: 405.974.2649 | M: 405.550.6804 | bbranch@uco.edu | 
www.uco.edu

"I am wiser than this man, for neither of us appears to know anything great and 
good; but he fancies he knows something, although he knows nothing; whereas I, 
as I do not know anything, so I do not fancy I do. In this trifling particular, 
then, I appear to be wiser than he, because I do not fancy I know what I do not 
know."  - Socrates




Re:[cas-user] CAS deployment in JBOSS 7

2013-09-12 Thread Jeffrey Simpson
I do use JBoss but not for my CAS server.  That said, I think your file
needs to go in your CAS war with your other configuration files.  Since
you are not running in a domain, you need to make sure all of the servers
in your cluster have the information.

I may not be right but that is my guess.

>Subject: Re: CAS deployment in JBOSS 7
>From: HImanshu Tyagi 
>Date: Tue, 10 Sep 2013 15:53:42 +0530
>X-Message-Number: 2
>
>Dear All,
>
>Does anybody know about JBoss 7? Please.
>
>
>On Thu, Sep 5, 2013 at 7:16 PM, HImanshu Tyagi
>wrote:
>
>> Dear gurus,
>>
>> We were using CAS replication with JBoss 4.2.3 clusters by putting the
>> file jbossTicketCacheReplicationConfig.xml in the conf directory.
>>
>> We are trying to migrate it to a JBoss 7 cluster in standalone
>> configuration (not using domain mode).
>>
>> We have the following confusion.
>> First, do we have to put the same jbossTicketCacheReplicationConfig.xml
>> that we had put in JBoss 4.2.3 into JBoss 7?
>> Second, where should I put this XML file?
>>
>> Can you provide the details specific to JBoss 7?
>>
>> Many thanks
>>





[cas-user] Getting attributes derived from Credentials into the SAML 1.1 response

2013-09-12 Thread Rich Renomeron - TCG
I have a set of attributes that are based on Credentials (e.g. an internal
LOA value based on the credential type, certificate used in X509
authentication) that I need to have expressed as attributes in the SAML 1.1
assertion generated by CAS.  Using an AuthenticationMetaDataPopulator
approach won't work, since the SAML response won't look at the additional
attributes, and I can't attach the attributes to the principal, since the
Attributes map is immutable after resolvePrincipal() is run.

There are two approaches I'm considering to get around this:

   1. Modify the SAML 1.1 response to add the additional authentication
   attributes to the AttributeStatement, perhaps excluding the authentication
   method since it appears elsewhere.
   2. Build a PersonAttributeDao implementation to inject the attributes at
   resolvePrincipal time.

The first approach, which is simpler to code, means patching or replacing
the Saml10SuccessResponseView as opposed to subclassing it (yes, I know why
it's marked final).  But if I were to
do that, I would rather patch it.

For the second approach, I'd use a MergingPersonAttributeDao with my
current PersonAttributeDao and an AdditionalDescriptorsPersonAttributeDao,
and then inject a session-scoped proxy AdditionalDescriptors bean into the
CredentialToPrincipalResolvers.  It's a bit more involved than the first
one.

And now, the big question: is there any reason why the attributes attached
to the authentication can't be added to the SAML attribute statement?  I
already have an AuthenticationMetaDataPopulator that adds the attributes to
the Authentication, and I concatenate the authentication and principal
attributes (although I didn't think about all the implications) in my
customized CAS response view.  If I submit a Jira and patch for the first
approach, would it be accepted?  I'm leaning towards that approach at the
moment, but I'd rather not go down that path unless the patch could be
added to stock CAS.

Thanks,
Rich

-- 
*Richard J. Renomeron*, Project Lead
*TCG*
Yes, it *can* be done!
Tel: (202) 742-8460 | Fax: (202) 986-5532
Google Talk: richard.renome...@tcg.com | AIM: rrenomeronTCG
OpenPGP Key ID 8CD7CFEB | www.tcg.com


[cas-user] OAuth attribute release in CAS 4 and SAML issue

2013-09-12 Thread Robert von Bismarck
Hello,

I have set up a CAS 4 instance to authenticate via OAuth, which works
perfectly well.

Now I wish to release the attributes that we get from the OAuth Provider to
the CAS client app.

Can the CAS protocol do this, or do I need to go the SAML path as described
in https://wiki.jasig.org/display/CASUM/SAML+Support+in+CAS+4 ?
The SAML support seems to be broken as the server quits with the following
stack trace:

2013-09-12 16:19:10,208 ERROR [org.springframework.web.context.ContextLoader] - Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'samlArgumentExtractor' defined in ServletContext resource [/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml]: Error setting property values; nested exception is org.springframework.beans.NotWritablePropertyException: Invalid property 'disableSingleSignOut' of bean class [org.jasig.cas.support.saml.web.support.SamlArgumentExtractor]: Bean property 'disableSingleSignOut' is not writable or has an invalid setter method. Does the parameter type of the setter match the return type of the getter?
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1429)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1134)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:522)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:461)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:295)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:223)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:292)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:626)
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:932)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:479)
    at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:389)
    at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:294)
    at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:112)
    at org.jasig.cas.web.init.SafeContextLoaderListener.contextInitialized_aroundBody0(SafeContextLoaderListener.java:75)
    at org.jasig.cas.web.init.SafeContextLoaderListener.contextInitialized_aroundBody1$advice(SafeContextLoaderListener.java:54)
    at org.jasig.cas.web.init.SafeContextLoaderListener.contextInitialized(SafeContextLoaderListener.java:1)
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4939)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5434)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.manager.ManagerServlet.start(ManagerServlet.java:1256)
    at org.apache.catalina.manager.HTMLManagerServlet.start(HTMLManagerServlet.java:714)
    at org.apache.catalina.manager.HTMLManagerServlet.doPost(HTMLManagerServlet.java:219)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.filters.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:212)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:108)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:611)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99

Re: [cas-user] OAuth attribute release in CAS 4 and SAML issue

2013-09-12 Thread Jérôme LELEU
Hi,

Please read the following post. It's the same problem:
https://groups.google.com/forum/?fromgroups#!searchin/jasig-cas-dev/disableSingleSignOut/jasig-cas-dev/VoUU-yFfQF4/WNgKgn0W_-cJ
Best regards,
Jérôme



2013/9/12 Robert von Bismarck 

> Hello,
>
> I have set up a CAS 4 instance to authenticate via OAuth, which works
> perfectly well.
>
> Now I wish to release the attributes that we get from the OAuth Provider
> to the CAS client app.
>
> Can the CAS protocol do this, or do I need to go the SAML path as
> described in https://wiki.jasig.org/display/CASUM/SAML+Support+in+CAS+4 ?
> The SAML support seems to be broken as the server quits with the following
> stack trace:
>
> 2013-09-12 16:19:10,208 ERROR [org.springframework.web.context.ContextLoader] - Context initialization failed
> org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'samlArgumentExtractor' defined in ServletContext resource [/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml]: Error setting property values; nested exception is org.springframework.beans.NotWritablePropertyException: Invalid property 'disableSingleSignOut' of bean class [org.jasig.cas.support.saml.web.support.SamlArgumentExtractor]: Bean property 'disableSingleSignOut' is not writable or has an invalid setter method. Does the parameter type of the setter match the return type of the getter?

Re:[cas-user] Two Different Authentication Handlers

2013-09-12 Thread Weder Carlos Vieira
Hello, everyone!

I got it working well.

For those who may need it in the future: I reversed the order of the handlers.

Before, the first attempt was made to authenticate via LDAP, and if it failed it
should try the database. That did not work. Only LDAP was attempted.

Now, reversing the order, everything works. First I try to log in through the
database and if it fails an attempt is made to log in via LDAP.

The two routes are performed as expected.


Thanks anyway,

Weder


On Wed, Sep 11, 2013 at 11:43 AM, Weder Carlos Vieira <
weder.vie...@gmail.com> wrote:

> Hello,
>
> I spent a lot of time searching on Google for an example of using CAS
> with two different ways to authenticate, but I am sorry to say that I didn't
> find one...
>
> Could someone please show me how I can do that?
>
> See the key parts of my deployerConfigContext.xml
>
> ...
> 
> 
> 
> class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
> p:httpClient-ref="httpClient" />
>
> 
> class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
> 
> 
>  value="yes" />
> 
>
> 
> class="org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler">
> 
> 
> 
> 
> 
> class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder"
> p:characterEncoding="UTF-8">
> 
> 
> 
> 
> 
> 
> 
> 
>
> Below are the supporting contextSource and dataSource configs:
>
>  class="org.springframework.ldap.core.support.LdapContextSource">
> 
> ldap://ldapdomain1"; />
> 
>
>
> 
> 
>  />
> 
> 
> 
> 
>
> An observation: if I test the LDAP and database configurations separately,
> each works very well; together, on the other hand, the CAS server tries to
> authenticate through just one of them.
> In other words, if I comment out the LDAP configs and try to authenticate
> through the database, it works. Uncommenting the LDAP configs and commenting
> out the database configs, LDAP works too.
>
> With both configs together, just one is tried for authentication.
>
> Is there any config that I should set to get it working?
> I just want the CAS server to try to authenticate first through LDAP and, if
> that fails, then try to authenticate through the database.
>
>
> Thanks if someone can help me
>
