Re: [cas-user] Cas client gateway mode
No, I don't get to see the login page because I'm using gateway = true in the client configuration. I'm saying that it all works fine when I submit my form with the GET method, because the parameters travel in the URL; when I try to use POST, I lose all parameters after the redirection; somehow it doesn't preserve POST parameters. Maybe that's the way it is supposed to work, but if that is the case, I need to know how to submit with the POST method without losing the form data.

On Monday, 2 February 2015, 17:54:19 (UTC-2), Waldbieser, Carl wrote:

Carlos,

Are you saying that when you hit the login page with something like this:

https://cas.example.org/cas/login?service=https%3A%2F%2Fservice.example.net%2Flogin%3Fmyparam%3Dextra

If you view the source on the form, the hidden service input does not have the encoded myparam=extra part of the URL (i.e. the query)?

Thanks,
Carl

- Original Message -
From: Carlos Olivera carlosr...@gmail.com
To: jasig-c...@googlegroups.com
Cc: cas-...@lists.jasig.org, cas-...@lists.jasig.org, wald...@lafayette.edu
Sent: Monday, February 2, 2015 2:34:38 PM
Subject: Re: [cas-user] Cas client gateway mode

No, it doesn't have the extra parameters. If I change the form to submit data by the GET method, then it works OK, but when I do it by POST, the extra parameters are discarded.

On Monday, 2 February 2015, 16:24:40 (UTC-2), Waldbieser, Carl wrote:

Carlos,

When the user's browser is redirected to CAS for authentication, does the `service` parameter already have the extra parameters embedded and properly encoded in it? I.e., can you use something like [developer tools] - [network] in Chrome and show us what the HTTP request parameters were, and then show the `Location` from the HTTP response?

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

- Original Message -
From: Carlos Olivera carlosr...@gmail.com
To: cas-...@lists.jasig.org
Sent: Monday, February 2, 2015 1:14:23 PM
Subject: [cas-user] Cas client gateway mode

Hi everyone, maybe I'm wrong about this, but I want you to tell me whether what is happening to me is the normal operation of gateway mode. My site has a public and a private section; in the public section I'm running an authentication filter in gateway mode. I think that in order to get the ticket information, the CAS client (Java client 3.3.2) redirects to the CAS server and, when it comes back, follows the filter chain depending on whether a ticket was found or not. My problem is that I'm losing my POST parameters in that redirection; when it comes back, the Struts2 filter has all parameters null. Is this a common problem, or am I doing something wrong? Thanks in advance.

-- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] service url
Hi all, I'm working on using CAS with a fronting apache2 as proxy (mod_auth_cas, mod_jk). When I call the URL (https://mysite/share), CAS asks me for credentials, but the service URL is not correct (https://mysite/cas/login?service=https%3a%2f%2f127.0.0.1%2fshare). The service URL is changed to localhost instead of the external URL. My CAS server can answer on different URLs (a subfolder of my web applications: https://mysite/cas and https://mysite2/cas are the same CAS server). CAS is installed on the same machine as apache2 (mod_auth_cas, mod_jk). The web apps are installed on a separate computer. In the mod_jk configuration, I'm calling the server IP instead of the DNS name.

Thanks for help,
Yannick
Re: [cas-user] Cas client gateway mode
No, it doesn't have the extra parameters. If I change the form to submit data by the GET method, then it works OK, but when I do it by POST, the extra parameters are discarded.

On Monday, 2 February 2015, 16:24:40 (UTC-2), Waldbieser, Carl wrote:

Carlos,

When the user's browser is redirected to CAS for authentication, does the `service` parameter already have the extra parameters embedded and properly encoded in it? I.e., can you use something like [developer tools] - [network] in Chrome and show us what the HTTP request parameters were, and then show the `Location` from the HTTP response?

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

- Original Message -
From: Carlos Olivera carlosr...@gmail.com
To: cas-...@lists.jasig.org
Sent: Monday, February 2, 2015 1:14:23 PM
Subject: [cas-user] Cas client gateway mode

Hi everyone, maybe I'm wrong about this, but I want you to tell me whether what is happening to me is the normal operation of gateway mode. My site has a public and a private section; in the public section I'm running an authentication filter in gateway mode. I think that in order to get the ticket information, the CAS client (Java client 3.3.2) redirects to the CAS server and, when it comes back, follows the filter chain depending on whether a ticket was found or not. My problem is that I'm losing my POST parameters in that redirection; when it comes back, the Struts2 filter has all parameters null. Is this a common problem, or am I doing something wrong? Thanks in advance.
RE: [cas-user] Intermittent Login Issues for one application
I'm sorry, I forgot to mention that this is the only application we have that is having this problem, and it's the only one that uses SAML as well. I've checked and rechecked configurations against both the new wiki (http://jasig.github.io/cas/4.0.x/protocol/SAML-Protocol.html) and the old casum wiki (https://wiki.jasig.org/display/CASUM/SAML+Support+in+CAS+4).

Thanks

From: Whittaker, Geoffrey [mailto:geoff.whitta...@unf.edu]
Sent: Monday, February 02, 2015 2:29 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] Intermittent Login Issues for one application

I'm having intermittent issues with a single application and my CAS 4 instance. When clicking login on the CAS form, sometimes the CAS server returns 200 instead of a 302 directing me back to the application to initiate service ticket validation. Other times, it works without issue. I'm not sure what this could be, as it's the first time I've come across it and it worked just fine in 3.5.2. Has anyone come across anything like this before?

Geoff
Re: [cas-user] Cas client gateway mode
On Mon, 2 Feb 2015, Carlos Olivera wrote:

No, I don't get to see the login page because I'm using gateway = true in the client configuration. I'm saying that it all works fine when I submit my form with the GET method, because the parameters travel in the URL; when I try to use POST, I lose all parameters after the redirection; somehow it doesn't preserve POST parameters. Maybe that's the way it is supposed to work, but if that is the case, I need to know how to submit with the POST method without losing the form data.

POST parameters are not preserved with an HTTP redirect. When CAS's login page is accessed with gateway=true, CAS checks the CASTGC cookie and then issues an HTTP redirect to send the browser back to the service URL.

Andy
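The redirect behaviour Andy describes, as an added illustration that is not code from this thread or from the CAS project: a small Python model of the three hops (service-side filter, CAS /login with gateway=true, and the hop back to the service). The hostnames, the ST-1-example ticket string, the cookie names and the form fields are made up for the example, and the client's "gateway already tried" guard is modelled as a cookie where the real Java client keeps it in the HTTP session. It shows that the query string of the original request is carried inside the `service` URL and comes back, while a POST body has no place in a URL and is gone after the first 302.

```python
"""Model of the CAS gateway round trip (added example, not CAS code).

Hop 1: browser -> service; the client filter finds no ticket and 302s to CAS.
Hop 2: browser -> CAS /login?service=...&gateway=true; CAS 302s back.
Hop 3: browser -> service URL (plus a ticket if a CASTGC cookie existed).
Every redirect is followed by the browser as a fresh GET with no body.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

CAS_LOGIN = "https://cas.example.org/cas/login"   # assumed CAS server
SESSION_FLAG = "AUTHENTICATED"                     # assumed service session marker
GATEWAY_TRIED = "CAS_GATEWAY_TRIED"                # models the client's session flag


@dataclass
class Request:
    method: str
    url: str
    body: dict = field(default_factory=dict)      # form fields of a POST
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    location: Optional[str] = None


def service_url(req: Request) -> str:
    """The service URL a CAS client filter sends to CAS: scheme, host, path
    and query string of the current request. A POST body is not a URL
    component, so nothing from it can be carried here."""
    s = urlsplit(req.url)
    return urlunsplit((s.scheme, s.netloc, s.path, s.query, ""))


def client_filter(req: Request, gateway: bool) -> Optional[Response]:
    """Service-side filter. Returns None to let the request through, or a
    302 to CAS. In gateway mode a second attempt is not made, so an
    unauthenticated user continues anonymously instead of looping."""
    query = parse_qs(urlsplit(req.url).query)
    if "ticket" in query or req.cookies.get(SESSION_FLAG):
        return None
    if gateway and req.cookies.get(GATEWAY_TRIED):
        return None
    params = {"service": service_url(req)}
    if gateway:
        params["gateway"] = "true"
    return Response(302, CAS_LOGIN + "?" + urlencode(params))


def cas_login(req: Request) -> Response:
    """CAS /login in gateway mode never renders a form: with a CASTGC cookie
    it appends a service ticket to the service URL, without one it sends the
    browser straight back. (Service-registry checks are not modelled.)"""
    query = parse_qs(urlsplit(req.url).query)
    service = query["service"][0]
    if "CASTGC" in req.cookies:
        sep = "&" if urlsplit(service).query else "?"
        return Response(302, service + sep + urlencode({"ticket": "ST-1-example"}))
    return Response(302, service)


def follow(resp: Response, cookies: dict) -> Request:
    """What a browser does with a 302: a new GET to Location, body dropped."""
    return Request("GET", resp.location, {}, cookies)


def gateway_round_trip(first: Request, browser_cookies: dict) -> Request:
    """Return the request the service finally sees after the CAS detour."""
    cookies = dict(browser_cookies)
    redirect = client_filter(first, gateway=True)
    if redirect is None:
        return first
    cookies[GATEWAY_TRIED] = "1"          # recorded by the client before redirecting
    at_cas = follow(redirect, cookies)
    return follow(cas_login(at_cas), cookies)


def visible_params(req: Request) -> dict:
    """Query-string and body fields merged, so the two cases compare directly."""
    out = {k: v[0] for k, v in parse_qs(urlsplit(req.url).query).items()}
    out.update(req.body)
    return out


if __name__ == "__main__":
    tgc = {"CASTGC": "TGT-example"}                # constructed: user already has an SSO session
    post = Request("POST", "https://service.example.net/login", {"myparam": "extra"}, tgc)
    get = Request("GET", "https://service.example.net/login?myparam=extra", {}, tgc)
    for req in (post, get):
        seen = gateway_round_trip(req, tgc)
        print(req.method, "->", seen.method, seen.url, "params:", visible_params(seen))
```

Running it shows the POST arriving back as a GET carrying only the ticket, while the GET arrives with both myparam and the ticket. One caveat goes with moving fields from the body into the query so that they survive the detour: they then become part of the service URL that CAS receives, binds to the ticket and writes to its logs, so they must not be secret and the full URL must still be one the service registry permits.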
Re: [cas-user] question about non-web console service registration
I'm not familiar with managementConfigContext.xml, but if you don't need a web app for the service registry, I suggest you consider a JSON or YAML file-based service registry. At our site, we're running CAS 3.4.12 using a JSON config file for the service registry, and we're about to upgrade to CAS 4.0.1 using YAML. Details on how to do this can be found online or in the list archives, or if you have further questions, ask here.

Milt Epstein
Applications Developer
Graduate School of Library and Information Science (GSLIS)
University of Illinois at Urbana-Champaign (UIUC)
mepst...@illinois.edu

On Mon, 2 Feb 2015, Chris Adams wrote:

Hello all,

I built a Service Management webapp with Maven and was able to get it working. Then I realized that the data was not persistent after restarting Tomcat. I read the docs, and from what I understand, services can still be registered and can be persistent across restarts, rather than held in memory, regardless of whether I use the web console or not. Since I only have a handful of services to register, I don't want to create a database just for the data. I prefer not to utilize the web console. My question is where to list/register these services?

After creating the service management webapp, I see the file managerConfigContext.xml in the /WEB-INF directory. The docs and the example indicate that the services can be designated here. I assume that this is what is referred to in the section that says, referring to InMemoryServiceRegistryDaoImpl: "This component is NOT suitable for use with the service management console since it does not persist data. On the other hand, it is perfectly acceptable for deployments where the XML configuration is authoritative for service registry data and the UI will not be used." Also: "It is perfectly acceptable to avoid the service management console Web application for managing registered service data. In fact, configuration-driven methods (e.g. XML, JSON) may be preferable in environments where strict configuration management controls are required."

Is the file 'managementConfigContext.xml' where I register these services?

Many thanks.
Re: [cas-user] Cas client gateway mode
Carlos,

Are you saying that when you hit the login page with something like this:

https://cas.example.org/cas/login?service=https%3A%2F%2Fservice.example.net%2Flogin%3Fmyparam%3Dextra

If you view the source on the form, the hidden service input does not have the encoded myparam=extra part of the URL (i.e. the query)?

Thanks,
Carl

- Original Message -
From: Carlos Olivera carlosroliv...@gmail.com
To: jasig-cas-u...@googlegroups.com
Cc: cas-user@lists.jasig.org, cas-user@lists.jasig.org, waldb...@lafayette.edu
Sent: Monday, February 2, 2015 2:34:38 PM
Subject: Re: [cas-user] Cas client gateway mode

No, it doesn't have the extra parameters. If I change the form to submit data by the GET method, then it works OK, but when I do it by POST, the extra parameters are discarded.

On Monday, 2 February 2015, 16:24:40 (UTC-2), Waldbieser, Carl wrote:

Carlos,

When the user's browser is redirected to CAS for authentication, does the `service` parameter already have the extra parameters embedded and properly encoded in it? I.e., can you use something like [developer tools] - [network] in Chrome and show us what the HTTP request parameters were, and then show the `Location` from the HTTP response?

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

- Original Message -
From: Carlos Olivera carlosr...@gmail.com
To: cas-...@lists.jasig.org
Sent: Monday, February 2, 2015 1:14:23 PM
Subject: [cas-user] Cas client gateway mode

Hi everyone, maybe I'm wrong about this, but I want you to tell me whether what is happening to me is the normal operation of gateway mode. My site has a public and a private section; in the public section I'm running an authentication filter in gateway mode. I think that in order to get the ticket information, the CAS client (Java client 3.3.2) redirects to the CAS server and, when it comes back, follows the filter chain depending on whether a ticket was found or not. My problem is that I'm losing my POST parameters in that redirection; when it comes back, the Struts2 filter has all parameters null. Is this a common problem, or am I doing something wrong? Thanks in advance.
RE: [cas-user] TGT expiration policy override not working
Well, if you started from that file, you have referenced change/config that does not exist in 4. You have used master instead. Try using this file instead:

https://github.com/Jasig/cas/blob/4.0.x/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketExpirationPolicies.xml

Note the branch name: 4.0.x.

From: Zac Harvey [mailto:zhar...@commercehub.com]
Sent: Monday, February 2, 2015 1:18 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] TGT expiration policy override not working

On CAS 4 here; I am trying to extend the TGT expiration policy from 2 hours (default) to 9 hours, and so I started with the file located at

https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketExpirationPolicies.xml

and then just changed:

    <bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TicketGrantingTicketExpirationPolicy"
          c:maxTimeToLive="${tgt.maxTimeToLiveInSeconds:28800}"
          c:timeToKill="${tgt.timeToKillInSeconds:7200}"
          c:timeUnit-ref="SECONDS" />

To:

    <bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TicketGrantingTicketExpirationPolicy"
          c:maxTimeToLive="${tgt.maxTimeToLiveInSeconds:32400}"
          c:timeToKill="${tgt.timeToKillInSeconds:32400}"
          c:timeUnit-ref="SECONDS" />

When I go to restart the server I get a Spring/Beans exception:

    SEVERE: Exception starting filter springSecurityFilterChain
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'grantingTicketExpirationPolicy' defined in ServletContext resource [/WEB-INF/spring-configuration/ticketExpirationPolicies.xml]: Could not resolve matching constructor (hint: specify index/type/name arguments for simple parameters to avoid type ambiguities)
        at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:250)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1075)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:979)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:487)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:458)
        at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:296)
        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:223)
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:293)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194)
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:628)
        at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:932)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:479)
        at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:389)
        at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:294)
        at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:112)
        at org.jasig.cas.web.init.SafeContextLoaderListener.contextInitialized(SafeContextLoaderListener.java:75)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4779)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5273)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:895)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:871)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:615)
        at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:958)
        at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1599)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)

What is
Re: [cas-user] Cas client gateway mode
Carlos,

I am actually a bit surprised that CAS /login accepts POST, but when I re-read the protocol, I didn't see that GET was required, which I had previously assumed. When you POST to the CAS /login, does the `action` of your form contain the service parameter, or is it included in your form? If the latter, I am assuming CAS is treating these parameters as request parameters rather than as part of a POST payload. You could try updating your form's action to include the parameters. I would guess that would work even though you are hitting /login with a POST.

Thanks,
Carl

- Original Message -
From: Carlos Olivera carlosroliv...@gmail.com
To: jasig-cas-u...@googlegroups.com
Cc: cas-user@lists.jasig.org, cas-user@lists.jasig.org, cas-user@lists.jasig.org, waldb...@lafayette.edu
Sent: Monday, February 2, 2015 3:10:52 PM
Subject: Re: [cas-user] Cas client gateway mode

No, I don't get to see the login page because I'm using gateway = true in the client configuration. I'm saying that it all works fine when I submit my form with the GET method, because the parameters travel in the URL; when I try to use POST, I lose all parameters after the redirection; somehow it doesn't preserve POST parameters. Maybe that's the way it is supposed to work, but if that is the case, I need to know how to submit with the POST method without losing the form data.

On Monday, 2 February 2015, 17:54:19 (UTC-2), Waldbieser, Carl wrote:

Carlos,

Are you saying that when you hit the login page with something like this:

https://cas.example.org/cas/login?service=https%3A%2F%2Fservice.example.net%2Flogin%3Fmyparam%3Dextra

If you view the source on the form, the hidden service input does not have the encoded myparam=extra part of the URL (i.e. the query)?

Thanks,
Carl

- Original Message -
From: Carlos Olivera carlosr...@gmail.com
To: jasig-c...@googlegroups.com
Cc: cas-...@lists.jasig.org, cas-...@lists.jasig.org, wald...@lafayette.edu
Sent: Monday, February 2, 2015 2:34:38 PM
Subject: Re: [cas-user] Cas client gateway mode

No, it doesn't have the extra parameters. If I change the form to submit data by the GET method, then it works OK, but when I do it by POST, the extra parameters are discarded.

On Monday, 2 February 2015, 16:24:40 (UTC-2), Waldbieser, Carl wrote:

Carlos,

When the user's browser is redirected to CAS for authentication, does the `service` parameter already have the extra parameters embedded and properly encoded in it? I.e., can you use something like [developer tools] - [network] in Chrome and show us what the HTTP request parameters were, and then show the `Location` from the HTTP response?

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

- Original Message -
From: Carlos Olivera carlosr...@gmail.com
To: cas-...@lists.jasig.org
Sent: Monday, February 2, 2015 1:14:23 PM
Subject: [cas-user] Cas client gateway mode

Hi everyone, maybe I'm wrong about this, but I want you to tell me whether what is happening to me is the normal operation of gateway mode. My site has a public and a private section; in the public section I'm running an authentication filter in gateway mode. I think that in order to get the ticket information, the CAS client (Java client 3.3.2) redirects to the CAS server and, when it comes back, follows the filter chain depending on whether a ticket was found or not. My problem is that I'm losing my POST parameters in that redirection; when it comes back, the Struts2 filter has all parameters null. Is this a common problem, or am I doing something wrong? Thanks in advance.
[cas-user] question about non-web console service registration
Hello all,

I built a Service Management webapp with Maven and was able to get it working. Then I realized that the data was not persistent after restarting Tomcat. I read the docs, and from what I understand, services can still be registered and can be persistent across restarts, rather than held in memory, regardless of whether I use the web console or not. Since I only have a handful of services to register, I don't want to create a database just for the data. I prefer not to utilize the web console. My question is where to list/register these services?

After creating the service management webapp, I see the file managerConfigContext.xml in the /WEB-INF directory. The docs and the example indicate that the services can be designated here. I assume that this is what is referred to in the section that says, referring to InMemoryServiceRegistryDaoImpl: "This component is NOT suitable for use with the service management console since it does not persist data. On the other hand, it is perfectly acceptable for deployments where the XML configuration is authoritative for service registry data and the UI will not be used." Also: "It is perfectly acceptable to avoid the service management console Web application for managing registered service data. In fact, configuration-driven methods (e.g. XML, JSON) may be preferable in environments where strict configuration management controls are required."

Is the file 'managementConfigContext.xml' where I register these services?

Many thanks.
[cas-user] TGT expiration policy override not working
On CAS 4 here; I am trying to extend the TGT expiration policy from 2 hours (default) to 9 hours, and so I started with the file located at

https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketExpirationPolicies.xml

and then just changed:

    <bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TicketGrantingTicketExpirationPolicy"
          c:maxTimeToLive="${tgt.maxTimeToLiveInSeconds:28800}"
          c:timeToKill="${tgt.timeToKillInSeconds:7200}"
          c:timeUnit-ref="SECONDS" />

To:

    <bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TicketGrantingTicketExpirationPolicy"
          c:maxTimeToLive="${tgt.maxTimeToLiveInSeconds:32400}"
          c:timeToKill="${tgt.timeToKillInSeconds:32400}"
          c:timeUnit-ref="SECONDS" />

When I go to restart the server I get a Spring/Beans exception:

    SEVERE: Exception starting filter springSecurityFilterChain
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'grantingTicketExpirationPolicy' defined in ServletContext resource [/WEB-INF/spring-configuration/ticketExpirationPolicies.xml]: Could not resolve matching constructor (hint: specify index/type/name arguments for simple parameters to avoid type ambiguities)
        at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:250)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1075)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:979)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:487)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:458)
        at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:296)
        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:223)
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:293)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194)
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:628)
        at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:932)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:479)
        at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:389)
        at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:294)
        at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:112)
        at org.jasig.cas.web.init.SafeContextLoaderListener.contextInitialized(SafeContextLoaderListener.java:75)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4779)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5273)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:895)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:871)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:615)
        at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:958)
        at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1599)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)

What is going on here?
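Added illustration of what the two values in that bean control, not code from CAS and not from this thread: CAS's TicketGrantingTicketExpirationPolicy treats maxTimeToLive as a hard cap measured from the TGT's creation and timeToKill as an idle window measured from its last use, and the TGT is expired as soon as either is exceeded. The Python below models that rule with the numbers from the post (28800/7200 as the default, 32400/32400 as the attempted override); the timeline and the clock are made up.

```python
"""Model of a CAS ticket-granting-ticket expiration policy (added example).

Two independent limits, both in seconds:
  max_time_to_live  hard cap on total age, counted from creation
  time_to_kill      idle timeout, counted from the last time the TGT was used
Each service-ticket grant refreshes last_used; nothing ever refreshes created.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Tgt:
    created: int      # seconds on an assumed clock
    last_used: int


@dataclass(frozen=True)
class TgtExpirationPolicy:
    max_time_to_live: int
    time_to_kill: int

    def is_expired(self, tgt: Tgt, now: int) -> bool:
        """Expired once total age reaches the cap OR idle time reaches the
        idle window, whichever happens first."""
        too_old = now - tgt.created >= self.max_time_to_live
        too_idle = now - tgt.last_used >= self.time_to_kill
        return too_old or too_idle


DEFAULT = TgtExpirationPolicy(max_time_to_live=28800, time_to_kill=7200)    # 8 h cap, 2 h idle
ATTEMPTED = TgtExpirationPolicy(max_time_to_live=32400, time_to_kill=32400)  # 9 h cap, 9 h idle


def valid_at(policy: TgtExpirationPolicy, use_times: Iterable[int], check_at: int) -> bool:
    """Issue a TGT at t=0, let the user come back at each time in use_times
    (a use after expiry fails and the TGT stays dead), then report whether
    the TGT is still valid at check_at."""
    tgt = Tgt(created=0, last_used=0)
    for t in sorted(t for t in use_times if t <= check_at):
        if policy.is_expired(tgt, t):
            return False
        tgt = Tgt(tgt.created, t)
    return not policy.is_expired(tgt, check_at)


if __name__ == "__main__":
    hourly = range(3600, 28800, 3600)     # constructed: a user active once an hour
    print("default, untouched for 2 h:   ", valid_at(DEFAULT, [], 7200))
    print("default, active hourly, 8 h:  ", valid_at(DEFAULT, hourly, 28800))
    print("attempted, untouched for 8 h: ", valid_at(ATTEMPTED, [], 28800))
```

Setting both values to the same number, as the post does, makes the idle timeout redundant: the TGT then lives nine hours whether or not it is used. If the goal is a nine-hour working day while an unattended browser should still lose its SSO session sooner, raise maxTimeToLive alone and keep timeToKill short.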
Re: [cas-user] 3.4.2.1 to 3.5.2.1 in deployerConfigContext.xml
Carl,

Yesterday I had a clear distinction between the 3.4.2.1 successful login and the 3.5.2.1 failure. I did not make the attempt for 3.4.2.1 and did not see it in 3.5.2.1. It simply came back with the expired notice. I am in the process of rebuilding TEST to 3.4.2.1 (including tables for the registry). I won't be able to diagnose more of these issues on DEV until that is complete, at which time I can provide better details.

Thanks for taking time to respond. I greatly appreciate it.

Linda

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320 Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/

On Mon, Feb 2, 2015 at 9:33 AM, Waldbieser, Carl waldb...@lafayette.edu wrote:

Linda,

Is there any indication (e.g. from proxy logs) that the accounts that are failing over are actually making requests against the proxy? In other words, do you have any indication whether the issue is that the failover requests are never being made, or that the requests are being made but failing to authenticate?

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College

- Original Message -
From: Linda Toth ltt...@alaska.edu
To: cas-user@lists.jasig.org
Sent: Monday, February 2, 2015 1:04:40 PM
Subject: [cas-user] 3.4.2.1 to 3.5.2.1 in deployerConfigContext.xml

Good morning,

FYI - I am aware I need to promote to 3.5.3, but first things first.

I forwarded this question to our support organizations for CAS and they have not come up with any explanation yet. I am hoping someone here has some insight.

I have not changed the deployerConfigContext.xml file from 3.4.2.1 to 3.5.2.1. I looked over the distribution, but opted to try it as is. Our deployerConfigContext.xml file contains a component that allows expired and new users to fall through to an Active Directory proxy when they fail to be authenticated via straight AD LDAP. Our policies at UA expire students very quickly on some campuses so that they cannot use the PC workstations. This causes issues when they come back to register for the next semester. In 3.4.2.1, I developed a nice configuration that will allow authentication through one or the other. In 3.5.2.1, it only authenticates users that are not expired, i.e., it is not failing over.

I have extracted the pertinent sections and placed them in a file, attached. It is a simple text file. One thing I did not do that may cause problems is that I did not denote a separate attributeRepository bean. They are identical for both straight AD and the proxy. Perhaps I should replicate them with a different name.

If anyone can pinpoint a modification I should make to accommodate 3.5.2.1 quickly, I would greatly appreciate it. I very much want to move toward two-factor authentication and CASifying Shib, but need 3.5.2.1 to do that.

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320 Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/
Re: [cas-user] 3.4.2.1 to 3.5.2.1 in deployerConfigContext.xml
Carl,

I was able to roll out 3.5.2.1 a little earlier than I expected, and you asked if I had evidence in the logs of successful roll over to secondary, primary, etc. Here is the log for an unexpired user in 3.4.2.1, followed by the log in 3.5.2.1. Users that are authenticated through the primary LDAP show the successful filter of:

Successful filter via primary LDAP
2015-02-02 11:42:05,885 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - LDAP search with filter (|(sAMAccountName=rred)(&(uaIdentifier=rred)(employeeNumber=*)))

Successful filter via secondary LDAP on 3.4.2.1
2015-02-02 14:59:28,720 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Performing LDAP bind with credential: CN=eofelt,OU=userAccounts,DC=ua,DC=adt,DC=alaska,DC=edu
2015-02-02 14:59:29,307 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Performing LDAP bind with credential: CN=eofelt,OU=userAccounts,DC=ua,DC=adt,DC=alaska,DC=edu
2015-02-02 14:59:29,582 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - Attempting to resolve a principal...
2015-02-02 14:59:29,582 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Attempting to resolve a principal...
2015-02-02 14:59:29,582 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Creating SimplePrincipal for [eofelt]
2015-02-02 14:59:29,582 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - Resolved eofelt. Trying LDAP resolve now...
2015-02-02 14:59:29,582 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - LDAP search with filter (|(&(employeeNumber=*)(uaIdentifier=eofelt))(cn=eofelt))
2015-02-02 14:59:29,582 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - returning searchcontrols: scope=2; search base=dc=ua,dc=adt,dc=alaska,dc=edu; attributes=[cn]; timeout=1000
2015-02-02 14:59:29,920 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - Resolved eofelt to eofelt
2015-02-02 14:59:29,920 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - Creating SimplePrincipal for [eofelt]
2015-02-02 14:59:29,920 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Created seed map='{username=[eofelt]}' for uid='eofelt'
2015-02-02 14:59:29,920 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Adding attribute 'sAMAccountName' with value '[eofelt]' to query builder 'null'
2015-02-02 14:59:29,920 DEBUG [org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao] - Generated query builder '(sAMAccountName=eofelt)' from query Map {username=[eofelt]}.
2015-02-02 14:59:30,128 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket [TGT-4-jKce9e7jidyzM1CvMPXgyQN1RsahpPIKBotxtGWJsYaxMLVsch-cas-test.alaska.edu] to registry.
2015-02-02 14:59:30,130 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Removed cookie with name [CASPRIVACY]
2015-02-02 14:59:30,130 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Added cookie with name [CASTGC] and value [TGT-4-jKce9e7jidyzM1CvMPXgyQN1RsahpPIKBotxtGWJsYaxMLVsch-cas-test.alaska.edu]
2015-02-02 14:59:30,132 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-4-jKce9e7jidyzM1CvMPXgyQN1RsahpPIKBotxtGWJsYaxMLVsch-cas-test.alaska.edu]
2015-02-02 14:59:30,132 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [TGT-4-jKce9e7jidyzM1CvMPXgyQN1RsahpPIKBotxtGWJsYaxMLVsch-cas-test.alaska.edu] found in registry.
2015-02-02 14:59:30,133 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket [ST-5-qakFITk0TLvGSSfCeOzF-cas-test.alaska.edu] to registry.
2015-02-02 14:59:30,133 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-5-qakFITk0TLvGSSfCeOzF-cas-test.alaska.edu] for service [https://beistest.alaska.edu:443/ssomanager/c/SSB] for user [eofelt]

Failed via primary LDAP on 3.5.2.1
2015-02-02 14:48:51,265 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Performing LDAP bind with credential: CN=eofelt,OU=userAccounts,DC=ua,DC=adt,DC=alaska,DC=edu
2015-02-02 14:48:51,541 INFO [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Failed to authenticate user eofelt with error [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 701, v1db1^@]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 701, v1db1^@]
2015-02-02 14:48:51,541 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - No error definitions are defined. Throwing
Re: [cas-user] Cannot retrieve attributes from LDAP with CAS 3.5.3
Arf! It doesn't work at 100% :-(

I permit my users to log in with different usernames (uid, eduPersonPrincipalName or mail). If they log in with uid or mail, it works. Otherwise, it won't work.

The attributes which must be sent to the CAS client depend on the service, via the usernameAttribute property of services. The attributeRepository is as follows:

<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=people,dc=univ-lille3,dc=fr"/>
  <property name="contextSource" ref="contextSource" />
  <property name="requireAllQueryAttributes" value="false"/>
  <property name="queryType" value="OR" />
  <property name="queryAttributeMapping">
    <map>
      <entry key="username" value="eduPersonPrincipalName" />
      <entry key="username" value="uid" />
      <entry key="username" value="mail" />
    </map>
  </property>
  <property name="resultAttributeMapping">
    <map>
      <entry key="uid" value="uid" />
      <entry key="mail" value="mail" />
      <entry key="eduPersonPrincipalName" value="eduPersonPrincipalName" />
    </map>
  </property>
</bean>

I have turned on the LDAP log and it shows that CAS doesn't do what I expected it to do:

Feb 2 11:32:43 ldap-test slapd[61387]: conn=3852 op=1 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(mail=sderosiaux)"
Feb 2 11:32:43 ldap-test slapd[61387]: conn=3852 op=1 SRCH attr=uid mail eduPersonPrincipalName
...
Feb 2 11:32:43 ldap-test slapd[61387]: conn=3526 op=28 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(uid=sderosiaux)"
Feb 2 11:32:43 ldap-test slapd[61387]: conn=3852 op=1 SRCH attr=uid mail eduPersonPrincipalName

Why doesn't CAS try with the eduPersonPrincipalName attribute?

Sylvain

On 30/01/2015 11:43, Sylvain DEROSIAUX wrote:

Yes, I misunderstood this parameter, so I replaced this part with only <entry key="username" value="uid" />, but it didn't work either.

A friend gave me a working solution, so I compared the source and saw that he doesn't use the CredentialsToLDAPAttributePrincipalResolver bean. I removed it from my configuration and now it works like a charm!

Thanks

Sylvain

On 29/01/2015 19:38, John Gasper wrote:

I don't think the queryAttributeMapping is working the way you think it is... At least I've never been able to get it to work like that. You'll need to split it up because username is essentially the placeholder where the identity (jdoe) is inserted when the LDAP query runs (unfortunately it is the key, so multiple search attributes (uid, mail, etc.) can't be done here).

Check out https://github.com/jtgasper3/raspberrypi-iam/blob/master/cas-war-overlay/src/main/webapp/WEB-INF/deployerConfigContext.xml. It has a split config that uses an inherited base bean config.

---
John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

On 1/29/15 5:47 AM, Sylvain DEROSIAUX wrote:

Hi!

I want to use the principalAttributeName feature following the CAS documentation (https://wiki.jasig.org/display/casum/attributes), but it didn't work because my CAS (v3.5.3) cannot retrieve attributes from my LDAP (login is OK):

2015-01-29 14:07:45,730 WARN [org.jasig.cas.CentralAuthenticationServiceImpl] - Principal [xxx] did not have attribute [mail] among attributes [{}] so CAS cannot provide on the validation response the user attribute the registered service *** expects. CAS will instead return the default username attribute [xxx]

I have checked access to the attributes with the user; it's OK. In the LDAP log, the attributes are not requested:

Jan 29 14:21:29 ldap-test slapd[2968]: conn=141942 op=1 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(&(!(lille3BlockedDate=*))(|(eduPersonPrincipalName=xxx)(uid=xxx)(mail=xxx)))"
Jan 29 14:21:29 ldap-test slapd[2968]: conn=141942 op=1 SRCH attr=1.1
...
Jan 29 14:21:29 ldap-test slapd[2968]: conn=141944 op=1 SRCH base="ou=people,dc=univ-lille3,dc=fr" scope=2 deref=3 filter="(|(eduPersonPrincipalName=xxx)(uid=xxx)(mail=xxx))"
Jan 29 14:21:29 ldap-test slapd[2968]: conn=141944 op=1 SRCH attr=uid

Now, here is the relevant part of my deployerConfigContext.xml file. The use of the attribute repository:

<property name="credentialsToPrincipalResolvers">
  <list>
    <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
      <!-- The Principal resolver from the credentials -->
      <property name="credentialsToPrincipalResolver">
        <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
      </property>
      <property name="filter" value="(|(eduPersonPrincipalName=%u)(uid=%u)(mail=%u))" />
      <property name="principalAttributeName" value="uid" />
      <property name="searchBase"
RE: [cas-user] Cannot retrieve attributes from LDAP with CAS 3.5.3
Because a map cannot contain duplicate keys. You have specified 3 different values for the same key, that is “username”. Each one is going to overwrite the previous, which should just have you using “mail” as the query attribute. (I don’t know how uid works. It should not, unless its value matches mail somehow).

Instead of a single one-to-one key-value, specify the key as username but as the value, give it a list of possible values. That might work. You can also enable DEBUG logs for persondirectory and observe the query that gets constructed.

From: Sylvain DEROSIAUX [mailto:sylvain.derosi...@univ-lille3.fr]
Sent: Monday, February 2, 2015 3:44 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Cannot retrieve attributes from LDAP with CAS 3.5.3
Re: [cas-user] Cannot retrieve attributes from LDAP with CAS 3.5.3
OK. I've made the changes as you said and it works great, cool!

<property name="queryAttributeMapping">
  <map>
    <entry key="username">
      <list>
        <value>eduPersonPrincipalName</value>
        <value>uid</value>
        <value>mail</value>
      </list>
    </entry>
  </map>
</property>

Thanks Misagh, and have a nice day!

Sylvain

On 02/02/2015 12:33, Misagh Moayyed wrote:
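As an added example, not code from CAS, from the person-directory library or from anyone in this thread: a Python simulation of the two queryAttributeMapping forms discussed above (the duplicate-key map from Sylvain's first configuration and the list value Misagh suggested). The filter builder is a simplified stand-in for LdapPersonAttributeDao; that queryType=OR joins the mapped attributes with an LDAP OR is an assumption, and the XML snippets and login name are constructed sample input.

```python
"""Added example (not CAS or person-directory code): why three
<entry key="username"> elements collapse to one query attribute, and what the
<list> form should yield. Filter construction is a simplified stand-in for
LdapPersonAttributeDao, written for this illustration only."""
import xml.etree.ElementTree as ET

# Constructed sample: the queryAttributeMapping property as first posted ...
BROKEN_MAPPING = """
<property name="queryAttributeMapping">
  <map>
    <entry key="username" value="eduPersonPrincipalName" />
    <entry key="username" value="uid" />
    <entry key="username" value="mail" />
  </map>
</property>
"""

# ... and as posted after the fix.
FIXED_MAPPING = """
<property name="queryAttributeMapping">
  <map>
    <entry key="username">
      <list>
        <value>eduPersonPrincipalName</value>
        <value>uid</value>
        <value>mail</value>
      </list>
    </entry>
  </map>
</property>
"""


def parse_query_attribute_mapping(xml_text):
    """Mimic Spring <map> semantics with a dict: a repeated <entry key> is
    overwritten by the later one, so only the last value survives, whereas a
    <list> value keeps every <value> element."""
    root = ET.fromstring(xml_text.strip())
    mapping = {}
    for entry in root.iter("entry"):
        key = entry.get("key")
        if entry.get("value") is not None:
            mapping[key] = [entry.get("value")]
        else:
            mapping[key] = [v.text.strip() for v in entry.iter("value")]
    return mapping


def escape_ldap_value(value):
    """RFC 4515 escaping for a value substituted into a search filter, so a
    login name containing '*', '(', ')' or a backslash cannot change the
    shape of the filter that reaches the directory."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def build_filter(mapping, query, query_type="OR"):
    """Build the search filter the DAO would send for a seed map such as
    {username: sderosiaux}: one (attr=value) clause per mapped LDAP attribute,
    combined with '|' for queryType=OR (assumed) or '&' for AND when there
    are several clauses."""
    clauses = []
    for key, attrs in mapping.items():
        if key in query:
            value = escape_ldap_value(query[key])
            clauses.extend("(%s=%s)" % (attr, value) for attr in attrs)
    if not clauses:
        raise ValueError("no query attribute matched the seed map")
    if len(clauses) == 1:
        return clauses[0]
    op = "|" if query_type.upper() == "OR" else "&"
    return "(%s%s)" % (op, "".join(clauses))


if __name__ == "__main__":
    seed = {"username": "sderosiaux"}  # constructed login name from the thread
    for label, xml_text in (("duplicate keys", BROKEN_MAPPING),
                            ("list value", FIXED_MAPPING)):
        mapping = parse_query_attribute_mapping(xml_text)
        print(label, mapping, "->", build_filter(mapping, seed))
```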
[cas-user] Gateway mode Form Post in Struts2
Hi everyone, maybe I'm wrong about this, but I want you to tell me if what is happening to me is the normal operation of gateway mode.

My site has a public and a private section; in the public section I'm running an authentication filter in gateway mode. I think that in order to get the ticket information, the CAS client (Java client 3.3.2) redirects to the CAS server and when it comes back follows the filter chain depending on whether a ticket was found or not. My problem is that I'm losing my POST parameters in that redirection; when it comes back, the Struts2 filter has all parameters set to null.

Is this a common problem or am I doing something wrong?

Thanks in advance.
RE: [cas-user] Service management
Hi all,

Sorry for the delay, I was on vacation. I'm new to the CAS environment; how can I add your addon to my installation (Maven overlay)?

Thanks,
Yannick

From: Dmitriy Kopylenko [mailto:dkopyle...@unicon.net]
Sent: Friday, 23 January 2015 18:04
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Service management

A new micro addon (same functionality as the current one from cas-addons) is available (1.0.0-RC2 depends on CAS 4.1.0-SNAPSHOT at the moment, as it uses some advanced features of Spring 4 for an easy auto-configuration facility): https://github.com/unicon-cas-addons/cas-addon-registered-services-authorization

The documentation has not migrated yet (just need a few adopters needing to use this library, where there will be a demand for documentation) ;-)

Cheers,
Dmitriy.

On Jan 23, 2015, at 11:41 AM, John Gasper jgas...@unicon.net wrote:

Historically CAS does not focus on authorization; that is left to the client applications. Unicon has developed an add-on [1] that can do some basic checking, but I don't know if it has been migrated to support 4.0 yet. You might be able to use it as an outline to help you.

[1] https://github.com/Unicon/cas-addons/wiki/Role-Based-Services-Authorization

---
John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

On 1/23/15 1:38 AM, Yannick MOLINET wrote:

Hi all,

I have successfully configured a CAS Server 4.0.1 with two LDAP sources (one AD, one LDAP), with mod_auth_cas, mod_jk. I want to authenticate my users on two different webapps. From my point of view, I plan to allow access to a specific webapp if the user is in the correct group (grp_webapp1 and/or grp_webapp2). The two apps are published as http://server/webapp1 and http://server/webapp2. Is it possible to grant access to a webapp through CAS if the user is in the correct group?

Sorry for my poor English,

Thanks,
Yannick
Re: [cas-user] 3.4.2.1 to 3.5.2.1 in deployerConfigContext.xml
Linda,

Is there any indication (e.g. from proxy logs) that the accounts that are failing over are actually making requests against the proxy? In other words, do you have any indication whether the issue is that the fail over requests are never being made, or that the requests are being made but failing to authenticate?

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College

- Original Message -
From: Linda Toth ltt...@alaska.edu
To: cas-user@lists.jasig.org
Sent: Monday, February 2, 2015 1:04:40 PM
Subject: [cas-user] 3.4.2.1 to 3.5.2.1 in deployerConfigContext.xml
[cas-user] Cas client gateway mode
Hi everyone, maybe I'm wrong about this, but I want you to tell me if what is happening to me is the normal operation of gateway mode.

My site has a public and a private section; in the public section I'm running an authentication filter in gateway mode. I think that in order to get the ticket information, the CAS client (Java client 3.3.2) redirects to the CAS server and when it comes back follows the filter chain depending on whether a ticket was found or not. My problem is that I'm losing my POST parameters in that redirection; when it comes back, the Struts2 filter has all parameters set to null.

Is this a common problem or am I doing something wrong?

Thanks in advance.
Re: [cas-user] Cas client gateway mode
Carlos,

When the user's browser is redirected to CAS for authentication, does the `service` parameter already have the extra parameters embedded and properly encoded in it? I.e., can you use something like [developer tools] - [network] in Chrome and show us what the HTTP request parameters were, and then show the `Location` from the HTTP response?

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

- Original Message -
From: Carlos Olivera carlosroliv...@gmail.com
To: cas-user@lists.jasig.org
Sent: Monday, February 2, 2015 1:14:23 PM
Subject: [cas-user] Cas client gateway mode
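As an added example, not the CAS Java client's code and not from anyone in this thread: a Python simulation of the gateway round trip Carlos describes, showing why query-string parameters survive the redirect to CAS and back while POST body fields do not, plus one server-side way an application could keep them. The CAS and service URLs, the ticket value and the session stash are all constructed for this illustration.

```python
"""Added example (not CAS client code): simulate client filter -> CAS gateway
redirect -> browser -> application, and compare a GET with a POST."""
from urllib.parse import urlencode, urlsplit, parse_qs

CAS_LOGIN_URL = "https://cas.example.org/cas/login"  # constructed CAS server
SESSION_STORE = {}  # hypothetical stand-in for the application's server-side session


def gateway_redirect(request):
    """Client filter with gateway=true and no ticket or session: answer 302 to CAS.
    The service URL carries the request's query string, but a URL has no body,
    so the form fields of a POST are not part of what CAS will send back."""
    service = request["url"]
    if request["query"]:
        service += "?" + urlencode(request["query"])
    location = CAS_LOGIN_URL + "?" + urlencode({"service": service, "gateway": "true"})
    return {"status": 302, "headers": {"Location": location}}


def cas_gateway_response(login_url, has_sso_session):
    """CAS in gateway mode never shows the login page: it redirects straight back
    to the service, appending ticket=ST-... only if the browser holds a TGC."""
    service = parse_qs(urlsplit(login_url).query)["service"][0]
    if has_sso_session:
        sep = "&" if "?" in service else "?"
        service += sep + urlencode({"ticket": "ST-1-constructed"})
    return {"status": 302, "headers": {"Location": service}}


def browser_follow(response):
    """A browser follows a 302 with a fresh GET (RFC 7231 section 6.4.3 allows
    changing POST to GET); only the URL travels, the original body is gone."""
    parts = urlsplit(response["headers"]["Location"])
    return {"method": "GET",
            "url": f"{parts.scheme}://{parts.netloc}{parts.path}",
            "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
            "form": {}}


def round_trip(request, has_sso_session=True):
    """Return what the application (e.g. a Struts2 action) finally receives."""
    to_cas = gateway_redirect(request)
    back = cas_gateway_response(to_cas["headers"]["Location"], has_sso_session)
    return browser_follow(back)


def stash_form_then_redirect(request, session_id):
    """One mitigation (an added suggestion, not a CAS client feature): before
    redirecting a POST, park its form fields server-side under an opaque
    session id instead of trying to push them through the service URL."""
    if request["method"] == "POST" and request["form"]:
        SESSION_STORE[session_id] = dict(request["form"])
    return gateway_redirect(request)


def restore_form(returned_request, session_id):
    """Merge the stashed fields into the GET that arrives after CAS; the stash
    is consumed so an unrelated later request cannot replay it."""
    stashed = SESSION_STORE.pop(session_id, {})
    merged = dict(returned_request)
    merged["form"] = {**stashed, **returned_request["form"]}
    return merged


if __name__ == "__main__":
    # Constructed requests: the same search once as GET, once as POST.
    get_req = {"method": "GET", "url": "https://service.example.net/search",
               "query": {"q": "cas"}, "form": {}}
    post_req = {"method": "POST", "url": "https://service.example.net/search",
                "query": {}, "form": {"q": "cas"}}
    print("GET  ->", round_trip(get_req))   # q survives in the query string
    print("POST ->", round_trip(post_req))  # q is lost, only the ticket arrives
    resp = stash_form_then_redirect(post_req, "sid-1")
    back = browser_follow(cas_gateway_response(resp["headers"]["Location"], True))
    print("stashed POST ->", restore_form(back, "sid-1"))
```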
Re:[cas-user] Not in office from 2nd Feb 2015 to 13th Feb 2015
Hi,

I am not in office from 2nd Feb 2015 to 13th Feb 2015.

Regards,
Avinash
[cas-user] 3.4.2.1 to 3.5.2.1 in deployerConfigContext.xml
Good morning,

FYI - I am aware I need to promote to 3.5.3, but first things first.

I forwarded this question to our support organizations for CAS and they have not come up with any explanation yet. I am hoping someone here has some insight.

I have not changed the deployerConfigContext.xml file from 3.4.2.1 to 3.5.2.1. I looked over the distribution, but opted to try it as is. Our deployerConfigContext.xml file contains a component that allows expired and new users to fall through to an Active Directory proxy when they fail to be authenticated via straight AD LDAP. Our policies at UA expire students very quickly on some campuses so that they cannot use the PC workstations. This causes issues when they come back to register for the next semester. In 3.4.2.1, I developed a nice configuration that will allow authentication through one or the other. In 3.5.2.1, it only authenticates users that are not expired, i.e., it is not failing over.

I have extracted the pertinent sections and placed them in a file, attached. It is a simple text file. One thing I did not do that may cause problems is that I did not denote a separate attributeRepository bean. They are identical for both straight AD and the proxy. Perhaps I should replicate them with a different name.

If anyone can pinpoint a modification I should make to accommodate 3.5.2.1 quickly, I would greatly appreciate it. I very much want to move toward two-factor authentication and Casifying Shib, but need 3.5.2.1 to do that.

Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320 Fax: 907-450-8381
linda.t...@alaska.edu | www.alaska.edu/oit/

Attachment: dcc-extract (Description: Binary data)
Re: [cas-user] Service management
This is an “unstable” add-on at this time and explicitly depends on CAS 4.1.0-SNAPSHOT (unreleased). I think a better option would be to wait until 4.1.0 gets released (CAS devs: when would that be?), as I heard a “native” authorization facility is being developed that is targeted for inclusion in CAS core 4.1.0.

Cheers,
Dmitriy.

On Feb 2, 2015, at 11:51 AM, Yannick MOLINET yannick.moli...@dixinfor.com wrote:
[cas-user] Intermittent Login Issues for one application
I'm having intermittent issues with a single application and my CAS 4 instance. When clicking login on the cas form, sometimes the cas server returns 200 instead of 302 directing me back to the application to initiate service ticket validation. Other times, it works without issue. I'm not sure what this could be, as it's the first time I've come across it and it worked just fine in 3.5.2. Has anyone come across anything like this before?
Geoff
[cas-user] Re: [cas-user] tomcat error
I guess you have this org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver in your deployerConfigContext.xml, but you don't have the related jar file in your lib directory.

Chris Cheltenham wrote on Fri, 30 Jan 2015 10:41:36:

Anyone know what this is telling me? I appreciate your help in advance. I have gone through my docs over and over but I cannot figure out why this is happening.

2015-01-30 05:30:51,724 ERROR [org.springframework.web.context.ContextLoader] - org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'centralAuthenticationService' defined in ServletContext resource [/WEB-INF/spring-configuration/applicationContext.xml]: Cannot resolve reference to bean 'authenticationManager' while setting bean property 'authenticationManager'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationManager' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Cannot create inner bean 'org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver#62d185fe' of type [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] while setting bean property 'credentialsToPrincipalResolvers' with key [0]; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] for bean with name 'org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver#62d185fe' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]; nested exception is java.lang.ClassNotFoundException: org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver

Thank You,
Chris Cheltenham
SwainTechs / HHS
Cell# 267-586-2369
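The diagnosis above (a class named in deployerConfigContext.xml with no jar providing it) can be checked before deploying. The following is an added example, not code from the thread or from CAS: it collects every class= attribute from the Spring config and compares it against the .class entries of the jars in WEB-INF/lib. The jar contents and the bean definitions it builds are constructed sample data; the jar and class names are placeholders, not a description of a real CAS distribution.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

def classes_in_jars(lib_dir):
    """Return the fully qualified names of all classes found in jars under lib_dir."""
    found = set()
    for name in os.listdir(lib_dir):
        if not name.endswith(".jar"):
            continue
        with zipfile.ZipFile(os.path.join(lib_dir, name)) as jar:
            for entry in jar.namelist():
                if entry.endswith(".class"):
                    # org/jasig/cas/Foo.class -> org.jasig.cas.Foo
                    found.add(entry[:-len(".class")].replace("/", "."))
    return found

def referenced_classes(xml_path):
    """Return every class= attribute value in a Spring beans file (top-level and inner beans)."""
    tree = ET.parse(xml_path)
    return {el.get("class") for el in tree.iter() if el.get("class")}

def missing_classes(xml_path, lib_dir):
    """Classes the config references that no jar on the classpath provides."""
    return sorted(referenced_classes(xml_path) - classes_in_jars(lib_dir))

def build_sample_webapp():
    """Constructed sample: a lib dir whose only jar lacks the LDAP resolver class."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "WEB-INF", "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "sample-core.jar"), "w") as jar:
        jar.writestr("org/jasig/cas/sample/SampleAuthenticationManager.class", b"")
    xml_path = os.path.join(root, "WEB-INF", "deployerConfigContext.xml")
    with open(xml_path, "w") as f:
        f.write(
            '<beans xmlns="http://www.springframework.org/schema/beans">'
            '<bean id="authenticationManager" class="org.jasig.cas.sample.SampleAuthenticationManager">'
            '<property name="credentialsToPrincipalResolvers"><list>'
            '<bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver"/>'
            '</list></property></bean></beans>'
        )
    return xml_path, lib

if __name__ == "__main__":
    cfg, lib = build_sample_webapp()
    for cls in missing_classes(cfg, lib):
        print("no jar provides", cls)
```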
Re:[cas-user] Not in office from 2nd Feb 2015 to 13th Feb 2015
Hi,
I am not in office from 2nd Feb 2015 to 13th Feb 2015.
Regards,
Avinash