Re:[cas-user] 3.5.2.1 - service registry username column
Hello again,

Nevermind, I found it. I should have gone to github first. sorry

Linda

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/

On Fri, Jan 9, 2015 at 4:59 PM, Linda Toth ltt...@alaska.edu wrote:

> I have successfully upgraded from 3.4.2.1 to 3.5.2.1. Per another thread, the hardest part for me was not related to CAS upgrades or the right CAS/Spring jar versions, but recognizing the '14' in ojdbc14.jar was referring to Java 4! Once I upgraded to ojdbc6.jar, it has gone quickly.
>
> When I logged into the service registry, I noticed a new field, username - all marked with a bold red 'X'.
>
> Would someone direct me to documentation if it exists outside of the deployerConfigContext.xml file. In that file, there is no property name that contains a reference to username.
>
> It looks like I should add a column to the service registry table.
>
> Linda

--
You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] 3.5.2.1 - service registry username column
I have successfully upgraded from 3.4.2.1 to 3.5.2.1. Per another thread, the hardest part for me was not related to CAS upgrades or the right CAS/Spring jar versions, but recognizing the '14' in ojdbc14.jar was referring to Java 4! Once I upgraded to ojdbc6.jar, it has gone quickly.

When I logged into the service registry, I noticed a new field, username - all marked with a bold red 'X'.

Would someone direct me to documentation if it exists outside of the deployerConfigContext.xml file. In that file, there is no property name that contains a reference to username.

It looks like I should add a column to the service registry table.

Linda

--
Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/
Re: [cas-user] Extra Attributes from Active Directory
Mike,

If you are using the 3.X CAS Server line, then the CAS 2.0 protocol does not release attributes (without a modification). You'll want to change to the Saml 1.1 protocol, which does.

Thanks,
John

---
*John Gasper*
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

On 1/8/15 1:33 PM, Waldbieser, Carl wrote:

> Mike,
>
> Are you using a service registry? If so, you probably need to enable the attributes for the service. deployerConfigContext.xml is the global list of available attributes, but that is further filtered by what each individual service allows.
>
> Thanks,
> Carl
>
> ----- Original Message -----
> From: Mike Seiler michaelsei...@fuller.edu
> To: cas-user@lists.jasig.org
> Sent: Thursday, January 8, 2015 3:57:54 PM
> Subject: Re: [cas-user] Extra Attributes from Active Directory
>
> Carl,
>
> Thanks for your response. I'm seeing in the log that it is trying to access the readExtraAttributesCas20() method, but not retrieving anything:
>
> 1D89 .|||||<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> 1D89 .|||||    <cas:authenticationSuccess>
> 1D89 .|||||        <cas:user>michaelseiler</cas:user>
> 1D89 .|||||
> 1D89 .|||||
> 1D89 .|||||    </cas:authenticationSuccess>
> 1D89 .|||||</cas:serviceResponse>
> 1D89 .||||| [CurlRequest.php:82]
> 1D89 .||||= true
> 1D89 .|||= true
> 1D89 .|||= CAS_Client::_readExtraAttributesCas20(DOMNodeList) [Client.php:2813]
> 1D89 .||||Testing for rubycas style attributes [Client.php:2923]
>
> I've updated the casServiceValidationSuccess.jsp to include the additional user attributes, but it doesn't appear to be retrieving and sending them. I've also modified deployerConfigContext.xml to use the LdapPersonAttributeDao in the attributeRepository.
>
> What else do I need to do to enable them at the server?
>
> Thanks for your help.
> Mike
>
> On Thu, Jan 8, 2015 at 12:10 PM, Waldbieser, Carl waldb...@lafayette.edu wrote:
>
> > Mike,
> >
> > Try turning on debug output in the client with something like `phpCAS::setDebug($debug_file);`. Then you can see if the attributes are being returned. If not, you may need to enable them at the server.
> >
> > Thanks,
> > Carl Waldbieser
> > ITS Systems Programmer
> > Lafayette College
> >
> > ----- Original Message -----
> > From: Mike Seiler michaelsei...@fuller.edu
> > To: cas-user@lists.jasig.org
> > Sent: Thursday, January 8, 2015 2:23:08 PM
> > Subject: [cas-user] Extra Attributes from Active Directory
> >
> > I'm currently attempting to extract additional attributes using the information found here:
> > https://wiki.jasig.org/display/casum/attributes#Attributes-AccessingattributesusingtheCASclientforjava
> >
> > And then trying to pull the data with phpCAS::getAttribute() in my web application. None of my efforts to extract attributes via their keys seems to be working, and I'm hoping someone has some history with this.
> >
> > I'm using the Unicon CAS Overlay to build my app, and am using Active Directory. I'm successfully authenticating, but pulling additional attributes is still failing for me.
> >
> > --
> > *Michael Seiler*
> > Systems Integration Engineer
> > Fuller Theological Seminary
> > Phone: (970) 306-6105
> > michaelsei...@fuller.edu
> >
> > *Please NOTE:* I respond to email at 8 AM, 1PM, and at 4:30PM. If you need more immediate help, please contact TSS (626.584.5675) and they can route the issue to the appropriate person. If this is a business process life or death emergency, you may call me at the above number.
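The debug log quoted in this thread shows a CAS 2.0 validation response that carries only `cas:user`, so the client has no attributes to hand to the application. The following Python is an added example, not code from any poster or from phpCAS: it parses such a response and reports which expected attributes the server did not release. The `cas:attributes` wrapper layout, the attribute names and all three sample responses are constructed assumptions.

```python
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
NS = {"cas": CAS_NS}

# Constructed sample: same shape as the response in the debug log (user only).
RESPONSE_USER_ONLY = """\
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>michaelseiler</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>
"""

# Constructed sample: a response once the server releases attributes inside a
# <cas:attributes> block (assumed layout; attribute names and values are made up).
RESPONSE_WITH_ATTRIBUTES = """\
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>michaelseiler</cas:user>
    <cas:attributes>
      <cas:mail>user@example.org</cas:mail>
      <cas:memberOf>CN=staff,DC=example,DC=org</cas:memberOf>
      <cas:memberOf>CN=vpn,DC=example,DC=org</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
"""

# Constructed sample: a failed ticket validation.
RESPONSE_FAILURE = """\
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>
"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def parse_service_response(xml_text):
    """Return authentication result, user and released attributes.

    Attributes are returned as name -> list of values, because directory
    attributes such as group membership are multi-valued.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}serviceResponse" % CAS_NS:
        raise ValueError("not a CAS 2.0 serviceResponse")

    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        return {"authenticated": False, "code": failure.get("code"),
                "user": None, "attributes": {}}

    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        raise ValueError("serviceResponse has neither success nor failure element")

    user = success.findtext("cas:user", default="", namespaces=NS).strip()
    attributes = {}
    block = success.find("cas:attributes", NS)
    if block is not None:
        for child in block:
            attributes.setdefault(_local(child.tag), []).append((child.text or "").strip())
    return {"authenticated": True, "code": None, "user": user, "attributes": attributes}


def missing_attributes(result, wanted):
    """Names the application expects that the server did not release."""
    return sorted(set(wanted) - set(result["attributes"]))


if __name__ == "__main__":
    for name, doc in [("user only", RESPONSE_USER_ONLY),
                      ("with attributes", RESPONSE_WITH_ATTRIBUTES)]:
        parsed = parse_service_response(doc)
        print(name, parsed["user"], parsed["attributes"],
              "missing:", missing_attributes(parsed, ["mail", "memberOf"]))
```

An empty result for the first sample means the gap is on the server side (protocol view or per-service attribute release), not in the client's lookup by key.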
Re: [cas-user] AcceptUsersAuthenticationHandler is used instead of LDAP
On Fri, 9 Jan 2015, Marvin Addison wrote:

> > Yes, after every change I do:
> >
> > mvn clean package
> > ./bin/shutdown.sh
> > rm -r webapps/cas/ work/ logs/*
> > cp target/cas.war
> > ./bin/startup.sh
>
> That should work, but you might also try clearing out the unpacked war files under (IIRC) $CATALINA_HOME/temp. I have a habit of clearing out those files as part of the redeploy process since I had some evidence of changes not taking in the past. Can't hurt in any case.

temp (and data) do not exist. Usually I remove them too, if existing.
[cas-user] CAS 4.0 w/ OpenLDAP won't return memberOf attribute
I have successfully configured CAS to return attributes but I cannot seem to figure out how to get it to return the memberOf attribute created by the memberof overlay of OpenLDAP. memberOf is an operational attribute and so I know when I want to return it using ldapsearch, I have to specifically request it. Is there something similar I need to do in my CAS configuration?

Right now, I am using the following in my deployerConfigContext.xml:

    <bean id="attributeRepository"
          class="org.jasig.cas.persondir.LdapPersonAttributeDao"
          p:connectionFactory-ref="searchPooledLdapConnectionFactory"
          p:baseDN="${ldap.resolver.baseDn}"
          p:searchControls-ref="searchControls"
          p:searchFilter="uid={0}">
        <!--
           Attribute mapping between principal (key) and LDAP (value) names
           used to perform the LDAP search. By default, multiple search criteria
           are ANDed together. Set the queryType property to change to OR.
        -->
        <property name="queryAttributeMapping">
            <map>
                <entry key="username" value="uid" />
            </map>
        </property>
        <property name="resultAttributeMapping">
            <map>
                <!-- Key is LDAP attribute name, value is principal attribute name. -->
                <entry key="ssoGUID" value="ssoGUID" />
                <entry key="givenName" value="givenname" />
                <entry key="sn" value="surname" />
                <entry key="memberOf" value="memberof" />
            </map>
        </property>
    </bean>

ssoGUID, givenName and sn all are returned. memberOf is not returned.

Appreciate any help as I am stuck.
[cas-user] troubleshooting login using MySQL
Hello all,

I am troubleshooting login problems using a mysql database. I have verified that the connection to the database works through CAS and that the credentials eventually work.

I clear all related cookies from the browser, then go to the login page. If I check the browser cookies, I can see a cookie set with a JSESSIONID. When I submit the form, it says 'Invalid Credentials'. If I enter the password again, the login succeeds and the URL shows the SESSIONID. Another browser cookie is set and is labelled 'CASTGC'.

Does anyone have tips for troubleshooting this? I have looked in the cas.log and it only shows the credentials as if all submissions are successful. I can't see anything in the mysql logs that helps, so I am just at a standstill.

I hope that is clear.

Thank you.
Re: [cas-user] troubleshooting login using MySQL
Did you login immediately? There is a login ticket, if you let it sit there, the login ticket expires. Not sure if that's related to whatever version of CAS you're using.

On 15-01-09 01:35 PM, Chris Adams wrote:

> Hello all,
>
> I am troubleshooting login problems using a mysql database. I have verified that the connection to the database works through CAS and that the credentials eventually work.
>
> I clear all related cookies from the browser, then go to the login page. If I check the browser cookies, I can see a cookie set with a JSESSIONID. When I submit the form, it says ‘Invalid Credentials’. If I enter the password again, the login succeeds and the URL shows the SESSIONID. Another browser cookie is set and is labelled ‘CASTGC’.
>
> Does anyone have tips for troubleshooting this? I have looked in the cas.log and it only shows the credentials as if all submissions are successful. I can’t see anything in the mysql logs that helps, so I am just at a standstill.
>
> I hope that is clear.
>
> Thank you.

--
Trenton D. Adams
Senior Systems Analyst/Web Software Developer
Navy Penguins at your service!
Learning Research Systems Unit, Information Technology Services, Athabasca University
(780) 675-6195
:wq!
Re: [cas-user] ADFS 2012 R2 and CAS
Hi Phil,

The ADFS side should be fine. The concern is what version of CAS Server is associated with Luminis 5? The cas-server-support-wsfederation uses a new version of openSAML which was upgraded in 3.5.1, I think. If the version is older it is not likely going to work because of the dependency issues. Luminis 5 (.0) shipped with an older CAS Server build, if memory serves, but later Luminis updates may have fixed that.

What issues are you seeing?

On 1/9/15 12:17 PM, philip@scranton.edu wrote:

> I'm attempting to go the other way - put ADFS 3.0 in front of CAS.
>
> John - are you aware of any oddities in ADFS 3.0 that would prevent your solution at https://github.com/Unicon/cas-adfs-integration/wiki/cas-server-support-wsfederation from working? Any or do you have any updates to this solution? I'm attempting to implement it on the CAS server shipped with the Luminis 5 portal and am hitting some errors. Just wanted to check to see if it's likely me or something in ADFS 3.
>
> Thanks for your work on this solution!
>
> Phil
>
> On Thursday, December 18, 2014 at 11:50:57 AM UTC-5, John Gasper wrote:
>
> > I haven't attempted to CASify ADFS 3.0, but hopefully this will help.
> >
> > All of the .cs files are embedded as strings in one of the dlls. I found a reference online to such and I believe I recall confirming that to be the case. You can use Visual Studio to copy the strings (i.e. files) out, modify them and slip them back in.
> >
> > You'll likely need a modified .NET CAS Client because of the way the client generates the proxy callback URL (I'm assuming that you'll use ClearPass). The client builds the callback url by appending the querystring of the first request that hits it after start up. This basically makes for a dynamic callback URL that will require continual changing on the ClearPass config side. I believe the line that needs to be fixed/cut is https://github.com/Jasig/dotnet-cas-client/blob/master/DotNetCasClient/Utils/UrlUtil.cs#L101.
> >
> > I happen to have just looked this up for a client that was trying to do the same thing. They ultimately decided to use Shibboleth to bridge CAS and ADFS as it required very little to no mods of ADFS to work, and CASifying ADFS directly has issues in load balanced ADFS clusters.
> >
> > Good luck.
> >
> > On 12/18/14 6:57 AM, Kenneth Erard wrote:
> >
> > > Hello,
> > >
> > > I'm implementing ADFS 2012 R2 (ADFS 3.0) for Office 365. I'm interested in CASifying it, but it looks like it has been changed a great deal from ADFS 2.x with respect to customizability. The entire service appears to be contained in DLLs, IIS is no longer installed, and Microsoft recommends using Powershell to make limited supported customizations.
> > >
> > > Has anyone on the list successfully CASified this new version of ADFS?
RE: [cas-user] troubleshooting login using MySQL
Here is the log from cas.log that follows the failure, then success. Not sure if it helps.

2015-01-09 12:55:36,626 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=
WHO: audit:unknown
WHAT: supplied credentials: [USERID+password]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Jan 09 12:55:36 PST 2015
CLIENT IP ADDRESS: xxx.xxx.xxx.xxx
SERVER IP ADDRESS: xxx.xxx.xxx.xxx
=

2015-01-09 12:55:36,627 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=
WHO: audit:unknown
WHAT: 1 errors, 0 successes
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Fri Jan 09 12:55:36 PST 2015
CLIENT IP ADDRESS: xxx.xxx.xxx.xxx
SERVER IP ADDRESS: xxx.xxx.xxx.xxx
=

2015-01-09 12:55:42,511 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - SearchModeSearchDatabaseAuthenticationHandler successfully authenticated USERID+password
2015-01-09 12:55:42,511 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - Authenticated USERID with credentials [USERID+password].

2015-01-09 12:55:42,512 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=
WHO: audit:unknown
WHAT: supplied credentials: [USERID+password]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Fri Jan 09 12:55:42 PST 2015
CLIENT IP ADDRESS: xxx.xxx.xxx.xxx
SERVER IP ADDRESS: xxx.xxx.xxx.xxx
=

2015-01-09 12:55:42,513 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=
WHO: audit:unknown
WHAT: TGT-11-xaHYKGFBbFcOBAmNqZWPWbvsSYOtfLY7TkgCBIrfMll0hFBJQd-cas01.example.org
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Jan 09 12:55:42 PST 2015
CLIENT IP ADDRESS: xxx.xxx.xxx.xxx
SERVER IP ADDRESS: xxx.xxx.xxx.xxx
=

-----Original Message-----
From: Chris Adams [mailto:chris.a.ad...@state.or.us]
Sent: Friday, January 09, 2015 12:41 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] troubleshooting login using MySQL

Yes, I logged in immediately. I also had previously modified the timeout to greater than 5 minutes. That should give me enough time. :). I am using CAS 4.0.0.

-----Original Message-----
From: Trenton D. Adams [mailto:tre...@athabascau.ca]
Sent: Friday, January 09, 2015 12:39 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] troubleshooting login using MySQL

Did you login immediately? There is a login ticket, if you let it sit there, the login ticket expires. Not sure if that's related to whatever version of CAS you're using.

On 15-01-09 01:35 PM, Chris Adams wrote:

> Hello all,
>
> I am troubleshooting login problems using a mysql database. I have verified that the connection to the database works through CAS and that the credentials eventually work.
>
> I clear all related cookies from the browser, then go to the login page. If I check the browser cookies, I can see a cookie set with a JSESSIONID. When I submit the form, it says 'Invalid Credentials'. If I enter the password again, the login succeeds and the URL shows the SESSIONID. Another browser cookie is set and is labelled 'CASTGC'.
>
> Does anyone have tips for troubleshooting this? I have looked in the cas.log and it only shows the credentials as if all submissions are successful. I can't see anything in the mysql logs that helps, so I am just at a standstill.
>
> I hope that is clear.
>
> Thank you.

--
Trenton D. Adams
Senior Systems Analyst/Web Software Developer
Navy Penguins at your service!
Learning Research Systems Unit, Information Technology Services, Athabasca University
(780) 675-6195
:wq!
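The cas.log excerpt in this message shows an AUTHENTICATION_FAILED audit record followed six seconds later by AUTHENTICATION_SUCCESS for the same credentials. The following Python is an added example, not part of the thread or of CAS or Inspektr: it parses audit records in that layout and lists every fail-then-succeed pair per user and client address, so the symptom can be counted across a whole log. The sample log is constructed (documentation-range addresses, made-up users), and because WHO is `audit:unknown` in these records, the user is taken from the WHAT field.

```python
import re
from datetime import datetime

AUDIT_LOGGER = "com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager"

# One audit record: log prefix, then the labelled fields. \s+ between fields
# lets the same pattern match multi-line records and flattened ones.
RECORD_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \w+ "
    r"\[[^\]]*AuditTrailManager\] - .*?"
    r"WHO: (?P<who>.*?)\s+WHAT: (?P<what>.*?)\s+ACTION: (?P<action>\S+)\s+"
    r"APPLICATION: (?P<app>.*?)\s+WHEN: (?P<when>.*?)\s+"
    r"CLIENT IP ADDRESS: (?P<client>\S+)\s+SERVER IP ADDRESS: (?P<server>\S+)",
    re.DOTALL,
)
# "supplied credentials: [USERID+password]" -> USERID
CREDENTIAL_RE = re.compile(r"\[(.*)\+password\]")


def _record(ts, what, action, client):
    """Build one constructed audit record in the layout quoted in the message."""
    when = datetime.strptime(ts[:19], "%Y-%m-%d %H:%M:%S").strftime("%a %b %d %H:%M:%S PST %Y")
    return (
        f"{ts} INFO [{AUDIT_LOGGER}] - Audit trail record BEGIN\n=\n"
        f"WHO: audit:unknown\nWHAT: {what}\nACTION: {action}\nAPPLICATION: CAS\n"
        f"WHEN: {when}\nCLIENT IP ADDRESS: {client}\nSERVER IP ADDRESS: 192.0.2.1\n=\n"
    )


# Constructed sample log: one fail-then-succeed pair, one plain failure,
# one first-time success, plus a non-audit line that must be ignored.
SAMPLE_LOG = "".join([
    _record("2015-01-09 12:55:36,626", "supplied credentials: [USERID+password]",
            "AUTHENTICATION_FAILED", "192.0.2.10"),
    _record("2015-01-09 12:55:36,627", "1 errors, 0 successes",
            "TICKET_GRANTING_TICKET_NOT_CREATED", "192.0.2.10"),
    "2015-01-09 12:55:42,511 INFO [org.jasig.cas.authentication."
    "PolicyBasedAuthenticationManager] - Authenticated USERID with credentials "
    "[USERID+password].\n",
    _record("2015-01-09 12:55:42,512", "supplied credentials: [USERID+password]",
            "AUTHENTICATION_SUCCESS", "192.0.2.10"),
    _record("2015-01-09 12:55:42,513", "TGT-1-constructed-cas01.example.org",
            "TICKET_GRANTING_TICKET_CREATED", "192.0.2.10"),
    _record("2015-01-09 12:57:10,100", "supplied credentials: [other+password]",
            "AUTHENTICATION_FAILED", "192.0.2.20"),
    _record("2015-01-09 12:58:00,000", "supplied credentials: [third+password]",
            "AUTHENTICATION_SUCCESS", "192.0.2.30"),
])


def parse_audit_records(log_text):
    """Return the audit records found in log_text, in log order."""
    records = []
    for m in RECORD_RE.finditer(log_text):
        cred = CREDENTIAL_RE.search(m.group("what"))
        records.append({
            "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "who": m.group("who"),
            "user": cred.group(1) if cred else None,
            "action": m.group("action"),
            "client": m.group("client"),
        })
    return records


def fail_then_success(records, window_seconds=30):
    """List (user, client, gap_seconds) where a failure is followed by a
    success for the same user and client within window_seconds."""
    pairs = []
    last_failure = {}  # (user, client) -> time of most recent failure
    for rec in records:
        key = (rec["user"], rec["client"])
        if rec["action"] == "AUTHENTICATION_FAILED":
            last_failure[key] = rec["time"]
        elif rec["action"] == "AUTHENTICATION_SUCCESS":
            failed_at = last_failure.pop(key, None)
            if failed_at is not None:
                gap = int((rec["time"] - failed_at).total_seconds())
                if 0 <= gap <= window_seconds:
                    pairs.append((rec["user"], rec["client"], gap))
    return pairs


if __name__ == "__main__":
    for user, client, gap in fail_then_success(parse_audit_records(SAMPLE_LOG)):
        print(f"{user} from {client}: failure then success after {gap}s")
```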
[cas-user] AcceptUsersAuthenticationHandler is used instead of LDAP
Hi,

I am unable to find out, why AcceptUsersAuthenticationHandler is still used to authenticate users. Even after commenting out all but ldap in deployerConfigContext.xml (attached)

Log part of the failed login attempt:

2015-01-09 13:54:06,047 DEBUG [org.jasig.cas.authentication.AcceptUsersAuthenticationHandler] - kaeeli was not found in the map.
2015-01-09 13:54:06,047 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - AcceptUsersAuthenticationHandler failed authenticating +password
2015-01-09 13:54:06,055 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=
WHO: audit:unknown
WHAT: supplied credentials: [kaeeli+password]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Jan 09 13:54:06 EET 2015
CLIENT IP ADDRESS: 192.168.8.5
SERVER IP ADDRESS: 192.168.7.183
=

--
Tiit Kaeeli
OU Quretec
tiit.kae...@quretec.com
Tel:+372 5 070 359

deployerConfigContext.xml
Description: XML document
Re: [cas-user] LockTimeoutException: Unable to acquire conversation lock after 30 seconds
Zac,

This SO question/answer describes what the error is trying to tell you:

http://stackoverflow.com/questions/9533786/spring-web-flow-locktimeoutexception

So it looks like the Spring Webflow conversation is taking too long. As the answer points out, troubleshooting is tricky because the place the error occurs is not where it is reported. The answer has a couple tips you could try. It seems to me that you need to understand the entire system in place in order to figure out where the slow down is.

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College

----- Original Message -----
From: Zac Harvey zhar...@commercehub.com
To: cas-user@lists.jasig.org
Sent: Friday, January 9, 2015 7:36:29 AM
Subject: RE:[cas-user] LockTimeoutException: Unable to acquire conversation lock after 30 seconds

This is still an issue for us, any ideas?

From: Zac Harvey
Sent: Thursday, January 8, 2015 1:48 PM
To: cas-user@lists.jasig.org
Subject: LockTimeoutException: Unable to acquire conversation lock after 30 seconds

We have had our live CAS servers running for 2 months since the last (tiny) config change. Now all of the sudden, about every 15 minutes, users are unable to login, and I have to restart the service to fix things.

When I tail the logs while this is happening, and attempt to login, I see:

org.springframework.webflow.conversation.impl.LockTimeoutException: Unable to acquire conversation lock after 30 seconds
    at org.springframework.webflow.conversation.impl.JdkConcurrentConversationLock.lock(JdkConcurrentConversationLock.java:44)
    at org.springframework.webflow.conversation.impl.ContainedConversation.lock(ContainedConversation.java:69)
    at org.springframework.webflow.execution.repository.support.ConversationBackedFlowExecutionLock.lock(ConversationBackedFlowExecutionLock.java:51)
    at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:166)
    at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:183)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:925)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:856)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:936)
    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:838)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:812)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:125)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
Re: [cas-user] AcceptUsersAuthenticationHandler is used instead of LDAP
You'd want to make sure that your change is in effect. After you made that change, did you re-build and re-deploy the cas.war?

Cheers,
Dmitriy.

Sent from my iPhone

On Jan 9, 2015, at 07:16, Tiit Kaeeli kae...@quretec.com wrote:

> Hi,
>
> I am unable to find out, why AcceptUsersAuthenticationHandler is still used to authenticate users. Even after commenting out all but ldap in deployerConfigContext.xml (attached)
>
> Log part of the failed login attempt:
>
> 2015-01-09 13:54:06,047 DEBUG [org.jasig.cas.authentication.AcceptUsersAuthenticationHandler] - kaeeli was not found in the map.
> 2015-01-09 13:54:06,047 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - AcceptUsersAuthenticationHandler failed authenticating +password
> 2015-01-09 13:54:06,055 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
> =
> WHO: audit:unknown
> WHAT: supplied credentials: [kaeeli+password]
> ACTION: AUTHENTICATION_FAILED
> APPLICATION: CAS
> WHEN: Fri Jan 09 13:54:06 EET 2015
> CLIENT IP ADDRESS: 192.168.8.5
> SERVER IP ADDRESS: 192.168.7.183
> =
>
> --
> Tiit Kaeeli
> OU Quretec
> tiit.kae...@quretec.com
> Tel:+372 5 070 359
>
> deployerConfigContext.xml
RE:[cas-user] LockTimeoutException: Unable to acquire conversation lock after 30 seconds
This is still an issue for us, any ideas?

From: Zac Harvey
Sent: Thursday, January 8, 2015 1:48 PM
To: cas-user@lists.jasig.org
Subject: LockTimeoutException: Unable to acquire conversation lock after 30 seconds

We have had our live CAS servers running for 2 months since the last (tiny) config change. Now all of the sudden, about every 15 minutes, users are unable to login, and I have to restart the service to fix things.

When I tail the logs while this is happening, and attempt to login, I see:

org.springframework.webflow.conversation.impl.LockTimeoutException: Unable to acquire conversation lock after 30 seconds
    at org.springframework.webflow.conversation.impl.JdkConcurrentConversationLock.lock(JdkConcurrentConversationLock.java:44)
    at org.springframework.webflow.conversation.impl.ContainedConversation.lock(ContainedConversation.java:69)
    at org.springframework.webflow.execution.repository.support.ConversationBackedFlowExecutionLock.lock(ConversationBackedFlowExecutionLock.java:51)
    at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:166)
    at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:183)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:925)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:856)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:936)
    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:838)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:812)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:125)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)

Any idea as to what is going on? We authenticate against AD; could that be causing issues? Nothing has changed in literally 2 months...

Thanks for any and all help...
Re: [cas-user] AcceptUsersAuthenticationHandler is used instead of LDAP
On Fri, 9 Jan 2015, Dmitriy Kopylenko wrote:

> You'd want to make sure that your change is in effect. After you made that change, did you re-build and re-deploy the cas.war?

Yes, after every change I do:

mvn clean package
./bin/shutdown.sh
rm -r webapps/cas/ work/ logs/*
cp target/cas.war
./bin/startup.sh

> Cheers,
> Dmitriy.
>
> Sent from my iPhone
>
> On Jan 9, 2015, at 07:16, Tiit Kaeeli kae...@quretec.com wrote:
>
> > Hi,
> >
> > I am unable to find out, why AcceptUsersAuthenticationHandler is still used to authenticate users. Even after commenting out all but ldap in deployerConfigContext.xml (attached)
> >
> > Log part of the failed login attempt:
> >
> > 2015-01-09 13:54:06,047 DEBUG [org.jasig.cas.authentication.AcceptUsersAuthenticationHandler] - kaeeli was not found in the map.
> > 2015-01-09 13:54:06,047 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - AcceptUsersAuthenticationHandler failed authenticating +password
> > 2015-01-09 13:54:06,055 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
> > =
> > WHO: audit:unknown
> > WHAT: supplied credentials: [kaeeli+password]
> > ACTION: AUTHENTICATION_FAILED
> > APPLICATION: CAS
> > WHEN: Fri Jan 09 13:54:06 EET 2015
> > CLIENT IP ADDRESS: 192.168.8.5
> > SERVER IP ADDRESS: 192.168.7.183
> > =
> >
> > --
> > Tiit Kaeeli
> > OU Quretec
> > tiit.kae...@quretec.com
> > Tel:+372 5 070 359
> >
> > deployerConfigContext.xml

--
Tiit Kaeeli
OU Quretec
tiit.kae...@quretec.com
Tel:+372 5 070 359
Re: [cas-user] AcceptUsersAuthenticationHandler is used instead of LDAP
> Yes, after every change I do:
>
> mvn clean package
> ./bin/shutdown.sh
> rm -r webapps/cas/ work/ logs/*
> cp target/cas.war
> ./bin/startup.sh

That should work, but you might also try clearing out the unpacked war files under (IIRC) $CATALINA_HOME/temp. I have a habit of clearing out those files as part of the redeploy process since I had some evidence of changes not taking in the past. Can't hurt in any case.

M