Re: [cas-user] CAS not redirecting to application after successful login

2014-09-10 Thread Dheeraj Dubey
Hi John, 

Thanks for the reply. 
It doesn't give any error; instead it shows the success page of CAS. 

I have removed the / from the URL but it still gave me the same error. 

Thanks and Regards, 
Dheeraj Dubey 

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

RE: [cas-user] CAS ISAPI filter configuration

2014-09-10 Thread Paul B. Henson
> From: Ourada, John
> Sent: Wednesday, September 10, 2014 1:17 PM
>
> Use this as a starting point:
> https://wiki.jasig.org/pages/viewpage.action?pageId=35389878

Cool, thanks for the pointer. I will forward this to my colleague and see if it 
would work better for him than the ISAPI filter.

Thanks much...

> Don't worry about PHP or FastCGI.  If you basically read through the
> instructions, you end up with  the server variables being passed to the
> application.  I had it working with a test version of a .net app that didn't 
> have
> any setup with CAS. Unfortunately, I have taken down the system where I did
> my testing.

--
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  hen...@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768






[cas-user] Upgrade CAS

2014-09-10 Thread Stephen Meier
Good Afternoon,

I have googled and have really not found a definitive answer on how to upgrade 
my CAS.  I am using version 3.4.1 and would like to get all the way up to 
version 4, but at least to version 3.5. I want to work with the LDAP 
error codes so that I can redirect my users to change their password if it has 
expired.

Any help would be great!


Re: [cas-user] Problems logging in post tomcat restart with an active session

2014-09-10 Thread Waldbieser, Carl
Christopher,

If you are wondering why the login page fails the first time, it is because the 
user has the old TGC.  
We have something like this at the top of our login page view:

  <%-- expire the old TGC: same cookie name and path as the one CAS issued --%>
  <%
     Cookie killMyCookie = new Cookie("CASTGC", null);
     killMyCookie.setMaxAge(0);
     killMyCookie.setPath("/cas/");
     response.addCookie(killMyCookie);
  %>

So if you actually do a GET for the login page, your TGC is cleared.

Thanks,
Carl




Re: [cas-user] Problems logging in post tomcat restart with an active session

2014-09-10 Thread Christopher Sterling
We are using in-memory store. 

More information I could have originally given, in this situation, the user 
keeps their browser session open the entire time. I've been able to 
replicate this numerous times in both Chrome and IE.




Re: [cas-user] Problems logging in post tomcat restart with an active session

2014-09-10 Thread Waldbieser, Carl
Christopher,

If you are using an in-memory ticket store, all the tickets are lost when you 
restart your application server (e.g. Tomcat).
If you are using a persistent ticket store (like a database), that should not 
happen.

Thanks,
Carl Waldbieser
Lafayette College

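Carl's cookie snippet and his note that an in-memory ticket store loses every TGT when Tomcat restarts, put together as an added example (it is not code from CAS or from any message on this page): a Python sketch of what GET /cas/login should do when the browser presents a CASTGC that no longer names a live ticket-granting ticket. The registry class, the `/cas` cookie path, the ticket id and the principal name are assumptions made for the example.

```python
from http.cookies import SimpleCookie

TGC_NAME = "CASTGC"
# Assumption: CAS issued the TGC with Path=/cas (its cookie generator's
# cookiePath).  The expiring cookie must carry the same name and path, or
# the browser keeps the stale cookie alongside the new one.
TGC_PATH = "/cas"


class TicketRegistry:
    """TGT store.  A fresh instance with no backing dict models the in-memory
    registry after a JVM restart: everything it held is gone."""

    def __init__(self, backing=None):
        # A dict that outlives the instance plays the role of a persistent store.
        self._tgts = {} if backing is None else backing

    def add(self, tgt_id, principal):
        self._tgts[tgt_id] = principal

    def get(self, tgt_id):
        return self._tgts.get(tgt_id)


def expire_tgc_header():
    """Set-Cookie value that makes the browser drop the dangling TGC."""
    return f"{TGC_NAME}=; Path={TGC_PATH}; Max-Age=0; Secure; HttpOnly"


def handle_login_get(cookie_header, registry):
    """Decide what GET /cas/login does for this browser.

    Returns (outcome, principal, set_cookie): "sso" when the TGC names a live
    TGT, otherwise "prompt"; set_cookie is the header that clears a TGC whose
    TGT is unknown (stale after a restart, expired, or simply forged), else None.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(TGC_NAME)
    if morsel is None:
        return ("prompt", None, None)
    principal = registry.get(morsel.value)
    if principal is None:
        return ("prompt", None, expire_tgc_header())
    return ("sso", principal, None)


def restart_scenario(persistent):
    """Log in, 'restart' the server, then GET /cas/login again with the old cookie."""
    store = {}
    registry = TicketRegistry(store if persistent else None)
    tgt_id = "TGT-1-example"                 # constructed id, not a real CAS ticket
    registry.add(tgt_id, "cas-user")
    cookie_header = f"{TGC_NAME}={tgt_id}"   # what the browser keeps sending

    before = handle_login_get(cookie_header, registry)
    # Restart: a new registry instance; only a persistent backing survives it.
    registry = TicketRegistry(store if persistent else None)
    after = handle_login_get(cookie_header, registry)
    return before, after


if __name__ == "__main__":
    print("in-memory:", restart_scenario(persistent=False))
    print("persistent:", restart_scenario(persistent=True))
```

`restart_scenario(persistent=False)` reproduces the symptom in this thread: the cookie that got single sign-on before the restart gets the login prompt after it, and the only clean response is to expire the dangling cookie under the same name and path so the next form submission starts without it. With `persistent=True` the TGT outlives the restart and single sign-on continues.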


[cas-user] Problems logging in post tomcat restart with an active session

2014-09-10 Thread Christopher Sterling
Hello,

I'm hoping somebody here can help me. We've encountered a weird issue with 
CAS and can't figure it out.

We are running 3.5.2.1. Here's the situation.

1) User creates a valid CAS session
--They can log in to other services just fine
2) We restart the server
--Say we've changed something in a file that requires a reboot
3) They try to log in to a system using that session
--they can no longer log in; the page prompts them for username/password, 
they enter it, the page refreshes.

Looking in catalina.out file, I see this.

2014-09-10 16:12:00,422 INFO 
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=
WHO: audit:unknown
WHAT: https://my.georgiasouthern.edu/cas/portalCAS.php
ACTION: SERVICE_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Wed Sep 10 16:12:00 EDT 2014
CLIENT IP ADDRESS: 141.165.xxx.xxx
SERVER IP ADDRESS: 141.165.xxx.xxx
=


Does anybody have any suggestions as to what is going on?


RE: [cas-user] CAS ISAPI filter configuration

2014-09-10 Thread Ourada, John
The last time I talked to the UC Davis folks, they indicated that they wouldn't 
be supporting it anymore even though it had been fixed.

BTW, they were great in getting it fixed in the first place.

Use this as a starting point: 
https://wiki.jasig.org/pages/viewpage.action?pageId=35389878

Don't worry about PHP or FastCGI.  If you basically read through the 
instructions, you end up with the server variables being passed to the 
application.  I had it working with a test version of a .net app that didn't 
have any setup with CAS. Unfortunately, I have taken down the system where I 
did my testing.

-John




RE: [cas-user] CAS ISAPI filter configuration

2014-09-10 Thread Paul B. Henson
> From: Ourada, John
> Sent: Wednesday, September 10, 2014 8:47 AM
>
> Beware of the CAS ISAPI filters that exist... They don't terminate headers
> correctly and Chrome will complain and not continue.
>
> UC Davis had the best one out there (IMO), but aren't able to support it
> anymore.

Actually, version 2.2 was released on Nov 25, 2013, with a change list of 
"Chrome interoperability issue fixed". I'm not sure what their long-term plans 
are for supporting it, but I believe they have fixed at least the issue with 
Chrome.

> If the IIS version is high enough (7 and 8, I believe), you can use the .net 
> CAS
> client to perform the authentication.  I did this on a test server and was in 
> the
> process of convincing the vendor to try it, but they were able to switch to
> use ezproxy.

You can use the .net client without cooperation from the application actually 
being authenticated?

> There is some documentation on jasig on how to make this work.

What documentation are you referring to? The only documentation I see for the 
.net client says "The .NET CAS client integrates with ASP.NET applications by 
customizing the application web.config file" and "Ensure it is deployed to the 
/Bin directory of the Web application", both of which seem like things that 
would require the cooperation of the actual application, as opposed to the 
ISAPI filter, in which the authentication is completely handled by IIS itself?

Thanks...

--
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  hen...@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768






RE: [cas-user] CAS ISAPI filter configuration

2014-09-10 Thread Paul B. Henson
> From: John Gasper
> Sent: Wednesday, September 10, 2014 8:39 AM
>
> (This is very much like how the .NET Client works). It could be that you can
> set the service url to be whatever you want CAS Server to redirect the
> browser back to.

Ah, interesting; if that is the case, the documentation could stand to have a 
little more clarity :). I will have him give that a try and see what happens, 
thanks for the suggestion...


--
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  hen...@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768






[cas-user] Invalidate login if PrincipalResolver fails

2014-09-10 Thread michael maceachran
I have CAS 4.0 with an x509 cert login.  It works fine.  

I have a custom PrincipalResolver that basically looks up the CN in my db and 
returns a username. Works fine.
I have a secondary username/password login (casLoginView.jsp) that checks 
another db.  Works fine.


How do I send a message to casLoginView that their cert was not accepted?  It 
would be a different message if the cert was not valid vs. CN not found in the 
DB.  How would I go about doing this?

RE: [cas-user] CAS ISAPI filter configuration

2014-09-10 Thread Ourada, John
Beware of the CAS ISAPI filters that exist... They don't terminate headers 
correctly and Chrome will complain and not continue.

UC Davis had the best one out there (IMO), but aren't able to support it 
anymore.

If the IIS version is high enough (7 and 8, I believe), you can use the .net 
CAS client to perform the authentication.  I did this on a test server and was 
in the process of convincing the vendor to try it, but they were able to switch 
to use ezproxy.

There is some documentation on jasig on how to make this work.

-John


Re: [cas-user] CAS ISAPI filter configuration

2014-09-10 Thread John Gasper
Hi Paul,

I haven't specifically worked with the CAS ISAPI filter, but in general
ISAPI filters intercept all calls to a web application before the actual
page gets hit. (This is very much like how the .NET Client works). It
could be that you can set the service url to be whatever you want CAS
Server to redirect the browser back to. Based on the age of the filter I
wouldn't be surprised that it doesn't dynamically generate the service url.

Just my completely uninformed thoughts.

-J-

---
*John Gasper*
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

On 9/9/14 7:25 PM, Paul B. Henson wrote:
> One of my colleagues has an application that runs under IIS that he would 
> like to use central authentication for. Unfortunately, the company is not 
> interested in integrating CAS support into their application. However, it 
> does currently support delegating authentication to IIS and integrating into 
> Windows domain authentication.
>
> Based on my limited understanding of that infrastructure, I thought we should 
> be able to use the CAS ISAPI filter to make this application use CAS rather 
> than Windows domain authentication (with a caveat; I assume the application 
> is looking for the standard remote_user header, so the application would 
> either need to be modified to support looking for the authenticated username 
> in a custom header, or we would need to binary-edit it to change the header 
> it currently looks for).
>
> He has it installed and mostly configured, but he is not sure what to set the 
> "Service URL"  to, and neither am I. In a CAS transaction, the service URL is 
> where the CAS server sends a browser after it gives out a service ticket 
> after successful authentication, and that URL is then responsible for 
> consuming the service ticket, validating it with CAS, and then providing 
> access to the underlying application. But given in this case the application 
> has no idea it is using CAS, shouldn't the "Service URL" functionality be 
> handled by the CAS ISAPI filter itself somehow?
>
> Or am I misunderstanding how the CAS ISAPI filter is supposed to work?
>
> Any hints on how to appropriately configure this would be much appreciated.
>
> Thanks...
>
> --
> Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
> Operating Systems and Network Analyst  |  hen...@csupomona.edu
> California State Polytechnic University  |  Pomona CA 91768
>
>



Re: [cas-user] CAS not redirecting to application after successful login

2014-09-10 Thread John Gasper
Hi Dheeraj,

What does CAS do if it doesn't redirect you back to your client
application? Does it produce an error?

If so, this may be because your service url set in the client doesn't
match what has been permitted in the registered service:
"https://localhost:8443/casclient2" does not equal
"https://localhost:8443/casclient2/" (trailing slash on the latter).
Knowing what to put in for the registered url is easily discovered by
looking at the "service=" query string when the user is at the login
page. You'll want to put the url decoded version of that value in the
registered service. You can also use regex patterns or wildcards in the url.

Good luck

John

---
*John Gasper*
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

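The two checks behind John's advice above (register the URL-decoded `service=` value, or a pattern that covers both spellings) and behind Paul's description in the ISAPI thread of the service URL consuming and validating the ticket, as an added example that is not part of any message on this page and is not CAS code: a Python model of a CAS 4-style service registry and of service-ticket validation. The login URL, the service names, the regex patterns and the ticket format are constructed for the example; `RegisteredService` stands in for CAS 4's RegexRegisteredService, and the matching and ticket-consumption rules are the example's own simplifications rather than a statement of how the server is implemented.

```python
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the URL the Java client (service=https://localhost:8443/casclient2/
# in the web.xml above) sends the browser to.  The client URL-encodes the service
# parameter; the registered serviceId has to match the decoded form.
LOGIN_URL = ("https://localhost:8443/cas/login?"
             "service=https%3A%2F%2Flocalhost%3A8443%2Fcasclient2%2F")


def service_from_login_url(login_url):
    """URL-decoded value of the service= parameter of a CAS login URL."""
    return parse_qs(urlsplit(login_url).query)["service"][0]


class RegisteredService:
    """Hypothetical stand-in for a regex-based registered service.  Every pattern
    is anchored with ^...$ explicitly, because re.search (like a Java Matcher.find)
    would otherwise accept a substring match."""

    def __init__(self, name, service_id, evaluation_order):
        self.name = name
        self.service_id = service_id
        self.evaluation_order = evaluation_order
        self._pattern = re.compile(service_id)

    def matches(self, service):
        return self._pattern.search(service) is not None


def find_registered_service(service, registry):
    """First match in evaluationOrder, or None when the service is not permitted."""
    for rs in sorted(registry, key=lambda r: r.evaluation_order):
        if rs.matches(service):
            return rs
    return None


class TicketRegistry:
    """Service tickets are bound to the service they were issued for."""

    def __init__(self, services):
        self._services = services
        self._tickets = {}           # ST id -> service it was issued for

    def grant_service_ticket(self, service):
        if find_registered_service(service, self._services) is None:
            raise PermissionError("service not registered: " + service)
        st = "ST-" + secrets.token_urlsafe(16)
        self._tickets[st] = service
        return st

    def validate(self, st, service):
        """serviceValidate: single use, and only for the exact issuing service
        (string comparison here, so a trailing slash is a different service).
        The ticket is consumed on first presentation even if the service is wrong."""
        issued_for = self._tickets.pop(st, None)
        if issued_for is None:
            return (False, "INVALID_TICKET")
        if issued_for != service:
            return (False, "INVALID_SERVICE")
        return (True, "OK")


# Three ways of registering the client, mirroring the thread.
EXACT_NO_SLASH = [RegisteredService("casclient2", r"^https://localhost:8443/casclient2$", 10)]
OPTIONAL_SLASH = [RegisteredService("casclient2", r"^https://localhost:8443/casclient2(/.*)?$", 10)]
ANY_HTTPS = [RegisteredService("everything", r"^https?://.*", 10000)]     # too broad


def walkthrough():
    """Run the checks and return each outcome under a descriptive key."""
    service = service_from_login_url(LOGIN_URL)                   # ends with '/'
    out = {"decoded_service": service}
    out["exact_no_slash_matches"] = find_registered_service(service, EXACT_NO_SLASH) is not None
    out["optional_slash_matches"] = find_registered_service(service, OPTIONAL_SLASH) is not None
    # A catch-all pattern also admits a service you do not control, so CAS would
    # redirect the user, ticket in hand, to it.
    rogue = "https://evil.example/casclient2/"
    out["rogue_vs_optional_slash"] = find_registered_service(rogue, OPTIONAL_SLASH) is not None
    out["rogue_vs_any_https"] = find_registered_service(rogue, ANY_HTTPS) is not None

    reg = TicketRegistry(OPTIONAL_SLASH)
    st = reg.grant_service_ticket(service)
    out["validate_other_form"] = reg.validate(st, "https://localhost:8443/casclient2")
    out["validate_reuse"] = reg.validate(st, service)             # already burnt
    out["validate_exact"] = reg.validate(reg.grant_service_ticket(service), service)
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The last three results make the point John raises: `https://localhost:8443/casclient2` and `https://localhost:8443/casclient2/` are different services both for the registry lookup and for ticket validation, so the client's `service` init-param and the registered serviceId have to agree. The `ANY_HTTPS` entry shows why the pattern should be no wider than the services you own: it admits `https://evil.example/...` as a ticket recipient as well.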

[cas-user] CAS not redirecting to application after successful login

2014-09-10 Thread Dheeraj Dubey

Hi All, 

I have configured CAS 4.0 in Tomcat 7 with the JDBC authentication handler. 

I have mapped one service in InMemoryServiceRegistryDaoImpl 



 
 
 
 
value="https://localhost:8443/casclient2" />

And below is Cas client's web.xml 



 
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
         http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>https://localhost:8443/cas/login</param-value>
    </init-param>
    <init-param>
      <param-name>service</param-name>
      <param-value>https://localhost:8443/casclient2/</param-value>
    </init-param>
  </filter>

  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://localhost:8443/cas</param-value>
    </init-param>
    <init-param>
      <param-name>service</param-name>
      <param-value>https://localhost:8443/casclient2/</param-value>
    </init-param>
    <init-param>
      <param-name>redirectAfterValidation</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>useSession</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>acceptAnyProxy</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>proxyReceptorUrl</param-name>
      <param-value>/casclient2/proxyUrl</param-value>
    </init-param>
    <init-param>
      <param-name>proxyCallbackUrl</param-name>
      <param-value>https://localhost:8443/casclient2/proxyUrl</param-value>
    </init-param>
  </filter>

  <filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
</web-app>

When I invoke the client application from the browser it redirects me to the CAS login page, 
but after successful login CAS does not redirect me back to the client application. 
Please help me. I would be highly obliged. 



Thanks and Regards, 

Dheeraj Dubey 



RE: [cas-user] Support 2 LDAP servers

2014-09-10 Thread Todorovic, Michael
We are using Active Directory servers so they are automatically synced.
Today, any LDAP server should have some synchronization/clustering features. 
You should check your vendor documentation for such features.

Michael

Michaël Todorovic
IT Security Engineer, Systems Team
S&P Capital IQ / Real-Time Solutions

From: Jay [mailto:india@gmail.com]
Sent: 10 September 2014 12:13
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Support 2 LDAP servers

Very useful information.

How do I keep all these LDAPs' data in sync?
Should that be done manually, syncing all the data across the LDAPs?

Thanks
Jay



On Wed, Sep 10, 2014 at 11:04 AM, Todorovic, Michael 
<michael.todoro...@spcapitaliq.com> wrote:
Hello,
Thanks to ldaptive, you need to add all your servers in the ldapUrl property, 
separated by a space.
<bean class="org.ldaptive.ConnectionConfig"
      p:connectTimeout="${ldap.connectTimeout}"
      p:responseTimeout="${ldap.responseTimeout}"
      p:useStartTLS="${ldap.useStartTLS}"
      p:useSSL="${ldap.useSSL}"
      p:ldapUrl="${ldap.url.EMEA} ${ldap.url.NA} ${ldap.url.APAC}"
      p:sslConfig-ref="sslConfig" />

In my config, ldap.url.EMEA, ldap.url.NA and ldap.url.APAC are 
declared in WEB-INF/cas.properties with the following:
ldap.url.EMEA=ldaps://servername
ldap.url.NA=ldaps://servername
ldap.url.APAC=ldaps://servername

Ldaptive will try servers in sequence. If the first server is not working, it 
will go on the second one, etc. If all servers are down, I think CAS won’t 
start.

Hope this helps,
Michael

Michaël Todorovic
IT Security Engineer, Systems Team
S&P Capital IQ / Real-Time Solutions

From: Andrew Skiba [mailto:ski...@gmail.com]
Sent: 10 September 2014 11:51
To: cas-user@lists.jasig.org
Subject: [cas-user] Support 2 LDAP servers

Hello all.

I need to configure our CAS server to work with 2 LDAP URLs for redundancy. As 
the URL is specified in org.ldaptive.ConnectionConfig, it looks like I need to 
specify 2 configs, then 2 connection factories, then 2 connection pools, 2 
PooledBindAuthenticationHandler beans, 2 Authenticator beans and finally 2 
LdapAuthenticationHandlers to PolicyBasedAuthenticationManager.

This solution is not only ugly, it also does not work. When one of the URLs is 
not accessible, Spring context does not come up, throwing an exception.

So what's the best way to achieve this goal?

Thanks for any insights.

Andrew.





The information contained in this message is intended only for the recipient, 
and may be a confidential attorney-client communication or may otherwise be 
privileged and confidential and protected from disclosure. If the reader of 
this message is not the intended recipient, or an employee or agent responsible 
for delivering this message to the intended recipient, please be aware that any 
dissemination or copying of this communication is strictly prohibited. If you 
have received this communication in error, please immediately notify us by 
replying to the message and deleting it from your computer. McGraw Hill 
Financial reserves the right, subject to applicable local law, to monitor, 
review and process the content of any electronic message or information sent to 
or from McGraw Hill Financial e-mail addresses without informing the sender or 
recipient of the message. By sending electronic message or information to 
McGraw Hill Financial e-mail addresses you, as the sender, are consenting to 
McGraw Hill Financial processing any of your personal data therein.








Re: [cas-user] Support 2 LDAP servers

2014-09-10 Thread Jay
Very useful information.

How do I keep all these LDAPs' data in sync?
Should that be done manually, syncing all the data across the LDAPs?

Thanks
Jay



On Wed, Sep 10, 2014 at 11:04 AM, Todorovic, Michael
<michael.todoro...@spcapitaliq.com> wrote:

>  Hello,
>
> Thanks to ldaptive, you need to add all your servers in the ldapUrl
> property, separated by a space.
>
> <bean class="org.ldaptive.ConnectionConfig"
>       p:connectTimeout="${ldap.connectTimeout}"
>       p:responseTimeout="${ldap.responseTimeout}"
>       p:useStartTLS="${ldap.useStartTLS}"
>       p:useSSL="${ldap.useSSL}"
>       p:ldapUrl="${ldap.url.EMEA} ${ldap.url.NA} ${ldap.url.APAC}"
>       p:sslConfig-ref="sslConfig" />
>
> In my config, ldap.url.EMEA, ldap.url.NA and ldap.url.APAC are declared in
> WEB-INF/cas.properties with the following:
> ldap.url.EMEA=ldaps://servername
> ldap.url.NA=ldaps://servername
> ldap.url.APAC=ldaps://servername
>
> Ldaptive will try servers in sequence. If the first server is not working,
> it will go on the second one, etc. If all servers are down, I think CAS
> won't start.
>
> Hope this helps,
> Michael
>
> *Michaël Todorovic*
> IT Security Engineer, Systems Team
> S&P Capital IQ / Real-Time Solutions
>
> *From:* Andrew Skiba [mailto:ski...@gmail.com]
> *Sent:* 10 September 2014 11:51
> *To:* cas-user@lists.jasig.org
> *Subject:* [cas-user] Support 2 LDAP servers
>
> Hello all.
>
> I need to configure our CAS server to work with 2 LDAP URLs for
> redundancy. As the URL is specified in org.ldaptive.ConnectionConfig, it
> looks like I need to specify 2 configs, then 2 connection factories, then 2
> connection pools, 2 PooledBindAuthenticationHandler beans, 2 Authenticator
> beans and finally 2 LdapAuthenticationHandlers to
> PolicyBasedAuthenticationManager.
>
> This solution is not only ugly, it also does not work. When one of the
> URLs is not accessible, Spring context does not come up, throwing an
> exception.
>
> So what's the best way to achieve this goal?
>
> Thanks for any insights.
>
> Andrew.

RE: [cas-user] Support 2 LDAP servers

2014-09-10 Thread Todorovic, Michael
Hello,
Thanks to ldaptive, you need to add all your servers in the ldapUrl property, 
separated by a space.

<bean class="org.ldaptive.ConnectionConfig"
      p:connectTimeout="${ldap.connectTimeout}"
      p:responseTimeout="${ldap.responseTimeout}"
      p:useStartTLS="${ldap.useStartTLS}"
      p:useSSL="${ldap.useSSL}"
      p:ldapUrl="${ldap.url.EMEA} ${ldap.url.NA} ${ldap.url.APAC}"
      p:sslConfig-ref="sslConfig" />
In my config, ldap.url.EMEA, ldap.url.NA and ldap.url.APAC are declared in 
WEB-INF/cas.properties with the following:
ldap.url.EMEA=ldaps://servername
ldap.url.NA=ldaps://servername
ldap.url.APAC=ldaps://servername

Ldaptive will try servers in sequence. If the first server is not working, it 
will go on the second one, etc. If all servers are down, I think CAS won’t 
start.

Hope this helps,
Michael

Michaël Todorovic
IT Security Engineer, Systems Team
S&P Capital IQ / Real-Time Solutions

From: Andrew Skiba [mailto:ski...@gmail.com]
Sent: 10 September 2014 11:51
To: cas-user@lists.jasig.org
Subject: [cas-user] Support 2 LDAP servers

Hello all.

I need to configure our CAS server to work with 2 LDAP URLs for redundancy. As 
the URL is specified in org.ldaptive.ConnectionConfig, it looks like I need to 
specify 2 configs, then 2 connection factories, then 2 connection pools, 2 
PooledBindAuthenticationHandler beans, 2 Authenticator beans and finally 2 
LdapAuthenticationHandlers to PolicyBasedAuthenticationManager.

This solution is not only ugly, it also does not work. When one of the URLs is 
not accessible, Spring context does not come up, throwing an exception.

So what's the best way to achieve this goal?

Thanks for any insights.

Andrew.



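An added example, not from Michael's post and not CAS or ldaptive code: it resolves the ${ldap.url.*} placeholders from cas.properties into the whitespace-separated list that p:ldapUrl hands to ldaptive, then walks that list in order the way Michael describes, so a deployer can check which server a bind lands on when the first one is down and that the whole thing fails when every server is down. The property values and the connect callback are constructed stand-ins.

```python
import re

# Constructed stand-in for the relevant WEB-INF/cas.properties lines
# (hostnames are placeholders, not Michael's real servers).
CAS_PROPERTIES = """\
ldap.url.EMEA=ldaps://emea-ldap.example.invalid
ldap.url.NA=ldaps://na-ldap.example.invalid
ldap.url.APAC=ldaps://apac-ldap.example.invalid
"""

# The p:ldapUrl value from the ConnectionConfig bean in the post.
LDAP_URL_PROPERTY = "${ldap.url.EMEA} ${ldap.url.NA} ${ldap.url.APAC}"

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

def load_properties(text):
    """Minimal Java .properties reader: key=value per line, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def resolve_ldap_urls(template, props):
    """Expand ${...} placeholders as Spring's property placeholder does,
    then split on whitespace, which is how ldaptive reads a multi-server
    ldapUrl. An unknown placeholder is an error, as it is in Spring."""
    def sub(match):
        key = match.group(1)
        if key not in props:
            raise KeyError(f"unresolved placeholder ${{{key}}}")
        return props[key]
    return PLACEHOLDER.sub(sub, template).split()

def connect_with_failover(urls, connect):
    """Try each URL in the listed order (the in-sequence behaviour the post
    describes) and return (url, connection) for the first that succeeds.
    If every server is down, raise, mirroring CAS refusing to start."""
    failures = []
    for url in urls:
        try:
            return url, connect(url)
        except ConnectionError as exc:
            failures.append(f"{url}: {exc}")
    raise ConnectionError("all LDAP servers unreachable: " + "; ".join(failures))
```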


[cas-user] Support 2 LDAP servers

2014-09-10 Thread Andrew Skiba
Hello all.

I need to configure our CAS server to work with 2 LDAP URLs for redundancy.
As the URL is specified in org.ldaptive.ConnectionConfig, it looks like I
need to specify 2 configs, then 2 connection factories, then 2 connection
pools, 2 PooledBindAuthenticationHandler beans, 2 Authenticator beans and
finally 2 LdapAuthenticationHandlers to PolicyBasedAuthenticationManager.

This solution is not only ugly, it also does not work. When one of the URLs
is not accessible, Spring context does not come up, throwing an exception.

So what's the best way to achieve this goal?

Thanks for any insights.

Andrew.
