RE: [cas-user] Using SHA512
One further (hopefully quick) question, if I may… Until now, I’ve been using the SearchModeSearchDatabaseAuthenticationHandler class, but this doesn’t do everything I need (and neither do the alternatives), so I thought I would copy it and customise it. I’ve given it a new name (of course) but left it in the same package; I’ve compiled it, created a .jar file and put that in WEB-INF/lib (where I’ve successfully put various other .jars to get things working). However, CAS is complaining on start-up:

    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationManager' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Cannot resolve reference to bean 'primaryAuthenticationHandler' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'primaryAuthenticationHandler' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Initialization of bean failed; nested exception is java.lang.NoClassDefFoundError: org/jasig/cas/authentication/principal/UsernamePasswordCredentials

I think this means it either can’t find my class or can’t turn it into a bean. My class is almost identical to SearchModeSearchDatabaseAuthenticationHandler, so the latter seems unlikely. Am I missing a step?

Thanks,
Richard

From: richard.wise...@bt.com [mailto:richard.wise...@bt.com]
Sent: 10 July 2014 18:30
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Using SHA512

Thanks again Dmitriy. I suspected that it wouldn't be possible out of the box but thought I'd ask just in case! I'll look into the possibility of creating a custom plug-in or something. I'll look at the documentation again to try and work out the best/simplest approach. Any pointers or hints would of course be welcome! :-)

Thanks once again,
Richard

-----Original Message-----
From: Dmitriy Kopylenko [dkopyle...@unicon.net]
Sent: Thursday, July 10, 2014 04:26 PM GMT Standard Time
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Using SHA512

I don’t think CAS’ out of the box password encoder supports salt, etc. cas-addons has a Shiro framework based encoder impl which supports salting (only static at this time): https://github.com/Unicon/cas-addons/wiki/Configuring%20ShiroHashServicePasswordEncoder

If there is enough interest for dynamic salt config, we could consider adding it. Or another option, of course, is the JIRA against CAS core for the more robust encoder impl(s) to be developed, etc.

Best,
Dmitriy.

On Jul 10, 2014, at 11:19 AM, richard.wise...@bt.com wrote:

Hi Dmitriy,

Thanks very much for that – it works! :-)

Now for the really difficult part, I fear… Is it possible to provide a salt by specifying a database column?

Thanks again,
Richard

From: Dmitriy Kopylenko [mailto:dkopyle...@unicon.net]
Sent: 10 July 2014 16:12
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Using SHA512

Hi Richard.

Try SHA-512 instead of SHA512

Best,
Dmitriy.

On Jul 10, 2014, at 10:04 AM, Richard Wiseman richard.wise...@bt.com wrote:

Hi,

The CAS documentation (https://wiki.jasig.org/display/CASUM/JDBC) indicates that you can use any of the MACs listed in the JDK Javadoc (http://download.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html#AppA) for the password encoder's encodingAlgorithm attribute; this list includes HmacSHA512, which is what I want to use. (I confess I don't know the difference, if any, between SHA512 and HmacSHA512 in the context of hashing passwords.)

I have used the following in my deployerConfigContext.xml file:

    <bean id="passwordEncoder"
          class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder"
          c:encodingAlgorithm="SHA1"
          p:characterEncoding="UTF-8" />

and it worked. However, neither of the following two variants works:

    <bean id="passwordEncoder"
          class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder"
          c:encodingAlgorithm="HmacSHA512"
          p:characterEncoding="UTF-8" />

and

    <bean id="passwordEncoder"
          class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder"
          c:encodingAlgorithm="SHA512"
          p:characterEncoding="UTF-8" />

Each of these results in something in the log such as:

    2014-07-10 15:13:01,251 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
    =============================================================
    WHO: audit:unknown
    WHAT: java.security.NoSuchAlgorithmException: SHA512 MessageDigest not available
    ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
    APPLICATION: CAS
    WHEN: Thu Jul 10 15:13:01 BST 2014
    CLIENT IP ADDRESS: 10.255.240.6
    SERVER IP ADDRESS: cas.zion.bt.co.uk
    =============================================================

This suggests that I have to provide an implementation of SHA512. However, I
Re: [cas-user] Using SHA512
> I'll look at the documentation again to try and work out the best/simplest approach.

Can you briefly describe how you store the salt in your database? There's a quasi-standard for LDAP directories, SSHA, but nothing equivalent that I'm aware of in the database world. The challenge for the CAS project will be shipping a component that has the right configuration knobs, but we don't have good use cases from which to design those knobs at present. Your input will help in that regard.

M

--
You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
RE: [cas-user] Using SHA512
The password and salt are indeed stored in the same database in different columns. The only encoding I ever seem to see is base64, so the hex actually surprised me! (I've next to no experience with hashing passwords, but my googling has tended to yield results that base64-encode hashes and salts.)

As far as ordering of digest inputs goes, that I couldn't say, since it's all done by an Apache Shiro object:

    Sha512Hash shaHasher = new Sha512Hash(password, salt, iterations);

(And the next time shaHasher is mentioned, it's to get the bytes to pass to String.format.)

Regards,
Richard

-----Original Message-----
From: Marvin Addison [mailto:marvin.addi...@gmail.com]
Sent: 14 July 2014 15:54
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Using SHA512

> An example hash is:
> 4d8d39a8283a53aeb51061457edc32c6a8e5404864b7571bf7b33d2c3bd5c580869ac1635be0d8ee57581f28b8aa9799729244852eb7aa010e7ac7b1cd69638f
> And an example salt is:
> 91f3c641110b2ded640c418046b3cb5af257da06ca98f192085cb10c7443e5e9

I think hex encoding is common and safe to assume generally. Just to clarify, these values are stored in separate columns in the same table? I would hope that's common and a safe assumption. Supporting values across separate tables is possible, but it's hopefully an edge case we could ignore.

> I also have to be able to specify the number of iterations, of course, which is another issue!

That's a common input for salted hashing, so that would be an anticipated configuration point.

The only concern you didn't address is whether the salt is the first input to the digest or the last; I have seen both approaches used in practice. I find it strange that there is no standard or guidance on the matter despite having researched it fairly extensively. It looks like it's simply an arbitrary choice and the CAS component would have to support both approaches.

M
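The open points in the exchange above are hex encoding, hash and salt in separate columns, a configurable iteration count, and whether the salt goes first or last into the digest. The following is an added example, not code from the thread, CAS or Apache Shiro: a verifier configurable on exactly those points plus a helper that works out which ordering an existing record uses; the digest layout (salt||password or password||salt, then re-hashing the raw output iterations-1 times) is an assumption for illustration, not a claim about Shiro's Sha512Hash.

```python
import hashlib
import hmac
import os

# Added example, not code from the thread, CAS or Apache Shiro.
# Storage assumptions (as the thread describes): hash and salt in two columns
# of the same table, both hex-encoded, plus a configured iteration count.
# The digest layout below is an assumption for illustration, not a claim
# about how Shiro's Sha512Hash orders its inputs.

SALT_FIRST = "salt-first"  # digest(salt || password)
SALT_LAST = "salt-last"    # digest(password || salt)


def salted_sha512(password: str, salt: bytes, iterations: int,
                  layout: str = SALT_FIRST) -> str:
    """Hex SHA-512 of salt/password, re-hashed (iterations - 1) more times."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    if layout not in (SALT_FIRST, SALT_LAST):
        raise ValueError("unknown layout: %r" % layout)
    pw = password.encode("utf-8")
    data = salt + pw if layout == SALT_FIRST else pw + salt
    digest = hashlib.sha512(data).digest()
    for _ in range(iterations - 1):  # stretching on the raw digest bytes
        digest = hashlib.sha512(digest).digest()
    return digest.hex()


def verify(password: str, stored_hash_hex: str, stored_salt_hex: str,
           iterations: int, layout: str = SALT_FIRST) -> bool:
    """Check a login attempt against the two stored columns."""
    candidate = salted_sha512(password, bytes.fromhex(stored_salt_hex),
                              iterations, layout)
    # Constant-time compare: a plain == leaks the length of the matching
    # prefix through response timing.
    return hmac.compare_digest(candidate, stored_hash_hex.lower())


def detect_layout(password, stored_hash_hex, stored_salt_hex, iterations):
    """Given one record whose password is known (e.g. a test account), report
    which ordering the existing data uses, or None if neither matches."""
    for layout in (SALT_FIRST, SALT_LAST):
        if verify(password, stored_hash_hex, stored_salt_hex, iterations, layout):
            return layout
    return None


def make_record(password: str, iterations: int = 1000,
                layout: str = SALT_FIRST) -> tuple:
    """Simulate creating a user: fresh random salt, both columns hex-encoded."""
    salt = os.urandom(32)  # 32 random bytes -> 64 hex chars, as in the thread
    return salted_sha512(password, salt, iterations, layout), salt.hex()


if __name__ == "__main__":
    h, s = make_record("correct horse battery staple")
    print(verify("correct horse battery staple", h, s, 1000))          # True
    print(detect_layout("correct horse battery staple", h, s, 1000))  # salt-first
```

On the JCE names from earlier in the thread: "SHA-512" is the MessageDigest algorithm name, while "HmacSHA512" names a keyed Mac, so neither "SHA512" nor "HmacSHA512" resolves as a MessageDigest, which is what the "SHA512 MessageDigest not available" exception reports.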
[cas-user] CAS and the myfiles application
Has anyone used CAS to get SSO with the myfiles application?

Thanks,
Brian

Brian Lewis
Director, Administrative Computing and Web Services
Ellucian
Moraine Park Technical College
235 N. National Ave.
Fond du Lac, WI 54936
Voice: 920.924.3517
Mobile: 920.273.9728
Fax: 920-907-6997
brian.le...@ellucian.com
www.ellucian.com
RE: [cas-user] CAS SSO solutions, and Microsoft SharePoint
What about using the WS_Federation for CAS module with ADFS?

https://github.com/jtgasper3/cas/tree/3.5.x/cas-server-support-wsfederation
http://sites.ewu.edu/jgasper/ws-federation-cas-user-manual/

From: cor...@uvic.ca
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS SSO solutions, and Microsoft SharePoint
Date: Fri, 11 Jul 2014 20:19:35 +

Greetings CAS deployers...a general question for the group.

For those CAS deployers integrating CAS SSO with MS SharePoint (2013), I'm wondering which path deployers are taking. Are those doing this generally taking CAS SSO, fronting it with a Shib IdP, then integrating with ADFS as a relying-party, that SharePoint uses for authentication?

We're about to take such a path here at UVic, and I'm in the process of gathering community-thoughts for this journey. This question may land on the shib-user listserv as well, though I thought I'd start here, to see if CAS deployers were taking any other approaches.

For context, our identity-management solution provisions our campus user-community to both Active Directory (that SharePoint leverages for authN) and Oracle LDAP (that CAS leverages for authN), so we have a consistent username space that we manage across the organization.

Thanks!

Corey S.

Corey Scholefield | cor...@uvic.ca
Identity Systems Analyst
University of Victoria | Victoria, B.C. Canada
Re: [cas-user] CAS SSO solutions, and Microsoft SharePoint
> Are those doing this generally taking CAS SSO, fronting it with a Shib IdP, then integrating with ADFS as a relying-party, that SharePoint uses for authentication?

We considered this path but aborted. In short, we needed close collaboration with the Microsoft folks at our institution and couldn't achieve it. It's also insanely complex. Federations are complex in themselves; inter-federation trusts are approaching insanity. Lots of folks make it work, but we felt it was overly complex for the relatively narrow use case of supporting CAS-Sharepoint integration.

> We're about to take such a path here at UVic, and I'm in the process of gathering community-thoughts for this journey.

I believe you'll be in good company with that approach. We are attempting a direct WS-Federation integration with CAS and have some promising results in a preliminary R&D experiment. I should note that it's technically different than the EWU approach that Scott cited previously. I'm fairly ignorant of the Sharepoint side, but I believe our approach amounts to hosting the WSFed components as a Sharepoint module that wraps the .NET CAS client. Development is still ongoing, but I can share further details as we progress if anyone is interested.

M
[cas-user] CAS display previous authentication time.
I am currently running CAS 4.0 and Oracle Directory Server 7 for authentication. I have a requirement to display to a user their previous logged in time. In Directory Server, I have it configured so the last authentication time is updated after a successful bind.

The question I have is, what is the correct way to display the last authentication time to the user before it is updated in LDAP?
Re: [cas-user] CAS display previous authentication time.
> what is the correct way to display the last authentication time to the user before it is updated in LDAP?

Custom Spring Webflow action that executes after authentication success. For example, replace the sendTicketGrantingTicket action in the following state with your custom action:

    <action-state id="realSubmit">
        <evaluate expression="authenticationViaFormAction.submit(flowRequestContext, flowScope.credential, messageContext)" />
        <transition on="warn" to="warn" />
        <transition on="success" to="sendTicketGrantingTicket" />
        <transition on="successWithWarnings" to="showMessages" />
        <transition on="authenticationFailure" to="handleAuthenticationFailure" />
        <transition on="error" to="generateLoginTicket" />
    </action-state>

Note you would need an additional state definition for your custom action that transitions to sendTicketGrantingTicket on success. Your custom state would be a view state, which requires a little more configuration to get going, but there are existing view states you could use as a template. We have done extensive customizations of this sort (password expiration warnings, self-service password reset configuration, etc) in this manner.

M
[cas-user] CAS with several AD instances
Hi,

I am trying to configure CAS with multiple LDAP instances based on the following:

https://wiki.jasig.org/display/CASUM/Using+CAS+with+two+different+AD+forests

Is there a way to decide on which connection to use without evaluating the user against all connections? Probably based on the email address/domain.
Re: [cas-user] CAS 4 LPPE Configuration
There is a typo in the documentation.

    <bean id="accountStateHandler" class="org.jasig.cas.authentication.support.DefaultAccountStateHander" />

should be

    <bean id="accountStateHandler" class="org.jasig.cas.authentication.support.DefaultAccountStateHandler" />

There is a missing 'l' in handler.

On Wednesday, July 9, 2014 10:52:39 PM UTC+5, Daniel Fisher wrote:

Marvin offered to update the documentation once you confirmed the fix. Thank you for closing the loop on this.

--Daniel Fisher

On Wed, Jul 9, 2014 at 1:36 PM, wa wasiq...@gmail.com wrote:

BTW this should be updated in the documentation at http://jasig.github.io/cas/4.0.0/installation/LDAP-Authentication.html

On Wednesday, July 9, 2014 10:34:15 PM UTC+5, wa wrote:

Figured it out. Had to add the ActiveDirectoryAuthenticationResponseHandler as below to be able to parse the AD response.

    <bean id="authenticator" class="org.ldaptive.auth.Authenticator"
          c:resolver-ref="dnResolver"
          c:handler-ref="authHandler">
        <property name="authenticationResponseHandlers">
            <list>
                <bean class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler" />
            </list>
        </property>
    </bean>

On Monday, July 7, 2014 6:56:40 PM UTC+5, wa wrote:

Active Directory is running on Windows 2008 Server

On Monday, July 7, 2014 11:46:53 AM UTC+5, wa wrote:

LPPE configuration is as below

    <bean id="ldapAuthenticationHandler"
          class="org.jasig.cas.authentication.LdapAuthenticationHandler"
          p:principalIdAttribute="sAMAccountName"
          c:authenticator-ref="authenticator"
          p:passwordPolicyConfiguration-ref="passwordPolicy">
        <property name="principalAttributeMap">
            <map>
                <!--
                   | This map provides a simple attribute resolution mechanism.
                   | Keys are LDAP attribute names, values are CAS attribute names.
                   | Use this facility instead of a PrincipalResolver if LDAP is
                   | the only attribute source.
                   -->
                <entry key="member" value="member" />
                <entry key="mail" value="mail" />
                <entry key="displayName" value="displayName" />
            </map>
        </property>
    </bean>

***lppe-configuration.xml***

    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:p="http://www.springframework.org/schema/p"
           xsi:schemaLocation="http://www.springframework.org/schema/beans
                               http://www.springframework.org/schema/beans/spring-beans.xsd">

        <!--
           | Sample LDAP password policy configuration.
           | There are notable configuration requirements for LDAP components required for password policy
           | depending on the directory (Active Directory, OpenLDAP, etc).
           | See CAS documentation for more information.
           -->
        <bean id="passwordPolicy"
              class="org.jasig.cas.authentication.support.LdapPasswordPolicyConfiguration"
              p:alwaysDisplayPasswordExpirationWarning="${password.policy.warnAll}"
              p:passwordWarningNumberOfDays="${password.policy.warningDays}"
              p:passwordPolicyUrl="${password.policy.url}"
              p:accountStateHandler-ref="accountStateHandler" />

        <!-- This component is suitable for most cases but can be replaced with a custom component for special cases. -->
        <bean id="accountStateHandler" class="org.jasig.cas.authentication.support.DefaultAccountStateHander" />

    </beans>

I will check and confirm the Windows server version. Thanks.

On Saturday, July 5, 2014 9:43:22 AM UTC+5, Daniel Fisher wrote:

On Thu, Jun 26, 2014 at 7:59 AM, wa wasiq...@gmail.com wrote:

    2014-06-26 16:42:50,134 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: [org.ldaptive.auth.AuthenticationResponse@1850787950::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, ldapEntry=[dn=CN=test8\, Bpo,OU=agent ou,OU=BPO test OU,OU=Campaigns,OU=,OU=Sites,DC=,DC=com[]], accountState=null, result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 775, v1772\00], controls=null]

accountState is null, so either the authentication response handler failed to parse the response or it isn't configured correctly. What does your lppe configuration look like?

--Daniel Fisher
[cas-user] Redirect loop from services management console
I am new to CAS and am trying to set up the sample overlay (https://github.com/UniconLabs/simple-cas-overlay-template) with a dummy app before using CAS in production. The server starts up, but trying to access the services management console results in an infinite redirect loop. Specifically, going to https://localhost:7002/cas/services/ takes me to:

    https://localhost:7002/cas/services/AdminServer/cas/AdminServer/cas/AdminServer/cas/AdminServer/cas/AdminServer/cas/AdminServer/cas/AdminServer/cas/AdminServer/cas/AdminServer/cas/AdminServer/cas/AdminServer/cas/AdminServer/cas/AdminServer/cas/AdminServer/cas/AdminServer/cas/AdminServer/cas/AdminServer/cas/AdminServer/cas/AdminServer/cas/AdminServer/cas/login?service=AdminServer%2Fcas%2Fservices%2Fj_acegi_cas_security_check

I have a handler for “A*” in the deployerConfigContext, as well as the handler included in the github project (which should accept all https requests anyway). I am running CAS in Weblogic 12, and have edited the properties files to use Weblogic’s port numbers instead of Tomcat’s. I’ve also enabled SSL using the Weblogic demo certificate.

Does anyone know what could cause this?

Thank You
Patrick